Blog

A10 CGN MSISDN IMEI and IMSI Insertion in NAT logging for user tracking

Posted by: Javier Castillo

Migrating security policies between different firewall platforms can be a daunting task, especially when dealing with complex configurations. A common example is the migration from Check Point to Juniper, as these platforms have different approaches to security policies, NAT policies, and application controls. These differences add complexity to the migration process.

Currently, no dedicated tool exists for migrating configurations from Check Point to Juniper. This use case presents a practical method to overcome this challenge. In this article, we will explore the key variables to consider during the migration and outline an approach to automate the process.

Having successfully automated the migration of 15 perimeter firewalls in a large enterprise network, I will share the methodology I developed. By leveraging Python scripts and Jinja2 templates, we can simplify the extraction, processing, and conversion of policy configurations, ensuring a smooth and accurate transition from Check Point to Juniper.

Differences Between Juniper and Check Point

When undertaking a project of this nature, the following variables must be considered.

To automate the configuration extraction and build, it is essential to study and understand specific variables. Since the configuration logic and functions differ between vendors, the automation process must address several challenges. Successfully addressing these challenges while building the automation framework is key to success. Below are some key challenges to consider:

  • When dealing with application or Layer 7 policies, Juniper and Check Point use different application names and, therefore, different associated signatures. As a result, manual identification, mapping, and adjustment are necessary during migration.
  • Similarly, web categories such as gambling and adult content have different names in Check Point, requiring manual mapping to ensure proper alignment.
  • In a Check Point environment, policies can be configured using both applications and web categories within the same rule, as they are considered application or Layer 7 policies. However, in Juniper, these policies cannot coexist within the same rule. It is necessary to separate them into application policies and web category policies, even though both are considered part of a unified approach.
  • Regarding policy order, a notable difference is that Check Point analyzes application policies first, whereas Juniper processes them last. This requires reordering policies accordingly during migration.
  • Another major difference lies in NAT handling. Check Point applies NAT before the packet enters the security policy flow, whereas Juniper applies NAT afterward. This fundamental difference must be accounted for in the migration process.

Next, we will outline how this process and framework can be built to effectively tackle these challenges and ensure a smooth, automated migration.

Automation Framework and Process

To automate policy and security object migration from Check Point to Juniper, we can follow a structured process using Python scripts and Jinja2 templates as a framework. The process is divided into three main phases.

The starting point of this process is the standardized description of all Check Point objects in JSON format. This data can be obtained using the Tufin tool.

Phase 1: Obtaining and Exporting Objects

This phase is essential for extracting and interpreting all necessary objects from the Check Point configuration. Configuration objects, such as networks, hosts, and TCP/UDP services, are retrieved from Check Point JSON files.

To abstract the configuration syntax and focus solely on the essential objects, the extracted data is structured and saved in a standardized format such as YAML. This ensures a more flexible and programmatic approach when generating configurations for Juniper vSRX later in the process.

Phase 2: Collecting Policies

This phase is crucial for extracting and interpreting all necessary policies from the Check Point configuration. Security, unified, and threat policies are retrieved from Check Point JSON files.

By storing policies in YAML format, the configuration structure is separated from the specific syntax, allowing for easier processing and automation. This abstraction makes it possible to programmatically translate policies into Juniper vSRX configurations while ensuring consistency and adaptability.

Phase 3: Rendering with Jinja2

Jinja2 is a powerful templating engine widely used for dynamically generating configurations, such as those for Juniper vSRX. In this phase, Jinja2 templates are defined to correspond to the required vSRX configurations, and YAML files are processed with these templates to generate the final configurations.

By leveraging placeholders, loops, conditionals, and variable substitutions, Jinja2 enables flexible and reusable templates that dynamically adjust policies and settings based on YAML-defined parameters. This approach simplifies configuration management, reduces errors, and enhances scalability.

Policy Order

    1. Specific deny rules
    2. Global policies
    3. Local policies
    4. Application policies
    5. Wide open (less specific) rules
    6. Deny all rule (clean-up)

In the case of NAT, the order must also consider the following:

  • In Check Point, NAT is evaluated before the security policy flow.
  • In Juniper, security policies are evaluated before NAT processing.

This means that if a Check Point security policy allows connectivity associated with a NAT rule, manual adjustments will be necessary in the Juniper environment to maintain consistent functionality.

Conclusion

Migrating security policies from Check Point to Juniper requires careful consideration of differences in policy handling, NAT processing, and policy order. By automating the migration process using Python scripts and Jinja2 templates, we can simplify the task and minimize errors.

The outlined phases provide a structured approach to extracting, processing, and rendering configuration data, ensuring a smooth transition between platforms. Although some manual adjustments may be necessary, particularly in mapping application names and web categories, the overall process can be made significantly more efficient through automation.

This approach can also be applied to Ansible or other automation environments, providing flexibility in automating configurations across different platforms.

- Author

Javier Castillo