Rules Conversion



  • Hello,

    I'm in the process of migrating our firewall/routing solution to pfsense 2.0.
    Our current setup is a Checkpoint FW-1 NG-55 (6 years old) with about 150 rules in it. The new setup is almost ready (running beta 4 on a Dell R610 with a 4-port Intel Pro NIC); it just needs the rules to be imported from the old setup. So far I've been lurking around fwdoc (http://www.wyae.de/software/fwdoc/), but before I try the export process I want to be sure that I will be able to import the JSON-formatted rules into pfSense.
    So here I am: has anyone done this sort of thing?

    Thx



  • Hi

    I have exactly the same task: migrating from Checkpoint R55 to pfSense. I've also been looking at FWdoc (http://www.wyae.de/software/fwdoc/) and am curious whether you've tried this and it works, or if anyone else has any ideas?


  • Rebel Alliance Developer Netgate

    Odds are if you have 150+ rules, it could be dramatically reduced by proper use of aliases.

    I would resist the urge to just convert the ruleset as-is and take the time to revisit the entire ruleset and look for ways to simplify.



    I've used both pfSense and Check Point R55 for a long while and, as far as I can tell, you can't have a single rule apply to multiple hosts or multiple networks and multiple ports with pfSense the same way you can in Check Point with the use of groups (I realize aliases can group hosts or networks, but not both). Not saying pfSense is inferior, because it certainly is not, but it means that one rule in Check Point will often translate to 2 or more rules on the pfSense to accomplish the same thing. So don't be surprised if your 150 rules in the Check Point turn into 300+ in your pfSense. It definitely might be beneficial to create a fresh ruleset rather than convert directly.


  • Rebel Alliance Developer Netgate

    You can group hosts and networks, and even more so in 2.0.

    A host in a network alias just has a /32 subnet mask. You can have port aliases as well.

    In 2.0 you can even nest aliases within other aliases, use hostnames, pull an alias' content from a URL…
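The developer's point in the two replies above, that a large flat ruleset shrinks once hosts (as /32 entries) and networks share one network alias and ports share one port alias, is shown below as an added Python example. It is not code from the thread, from pfSense or from fwdoc. The ruleset is a constructed, simplified sample (action, protocol, source, destination, port), not a real export; the rendering of the `<alias>` element only approximates the pfSense 2.x config.xml layout and should be checked against a real backup before anything is imported.

```python
"""Fold a flat firewall ruleset into pfSense-style aliases.

Added example; constructed sample data, not a real Check Point or fwdoc export.
"""
import ipaddress
from collections import defaultdict

# Constructed sample ruleset: many rules that differ only in source or port,
# which is the pattern that makes a converted ruleset balloon.
RULES = [
    ("pass", "tcp", "10.1.1.10", "192.168.5.20", 443),
    ("pass", "tcp", "10.1.1.11", "192.168.5.20", 443),
    ("pass", "tcp", "10.1.2.0/24", "192.168.5.20", 443),
    ("pass", "tcp", "10.1.1.10", "192.168.5.20", 8443),
    ("pass", "tcp", "10.1.1.11", "192.168.5.20", 8443),
    ("pass", "tcp", "10.1.2.0/24", "192.168.5.20", 8443),
    ("pass", "udp", "10.1.1.10", "192.168.5.53", 53),
    ("pass", "udp", "10.1.1.11", "192.168.5.53", 53),
    ("block", "tcp", "10.9.9.0/24", "192.168.5.20", 443),
]


def alias_entry(addr):
    """Normalise an address for a network alias: hosts get /32, networks keep their prefix."""
    net = ipaddress.ip_network(addr, strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def consolidate(rules):
    """Two passes: fold sources into network aliases, then ports into port aliases.

    Identical member sets map to the same alias, so one alias serves many rules.
    Returns (aliases, merged_rules); aliases is name -> {"type", "members"}.
    """
    aliases = {}
    seen = {}  # (type, frozenset(members)) -> alias name

    def alias_for(kind, members):
        key = (kind, frozenset(members))
        if key not in seen:
            count = sum(1 for a in aliases.values() if a["type"] == kind) + 1
            name = f"{'net' if kind == 'network' else 'ports'}_{count}"
            order = ipaddress.ip_network if kind == "network" else int
            aliases[name] = {"type": kind, "members": sorted(members, key=order)}
            seen[key] = name
        return seen[key]

    # Pass 1: rules identical except for source -> one rule with a network alias.
    by_target = defaultdict(set)
    for action, proto, src, dst, dport in rules:
        by_target[(action, proto, dst, dport)].add(alias_entry(src))
    pass1 = []
    for (action, proto, dst, dport), srcs in sorted(by_target.items(), key=lambda kv: kv[0]):
        src_ref = alias_for("network", srcs) if len(srcs) > 1 else next(iter(srcs))
        pass1.append((action, proto, src_ref, dst, dport))

    # Pass 2: rules identical except for port -> one rule with a port alias.
    by_flow = defaultdict(set)
    for action, proto, src_ref, dst, dport in pass1:
        by_flow[(action, proto, src_ref, dst)].add(dport)
    merged = []
    for (action, proto, src_ref, dst), ports in sorted(by_flow.items(), key=lambda kv: kv[0]):
        port_ref = alias_for("port", ports) if len(ports) > 1 else next(iter(ports))
        merged.append((action, proto, src_ref, dst, port_ref))
    return aliases, merged


def render_alias_xml(name, alias):
    """Approximate pfSense 2.x config.xml <alias> element (assumption: verify against a real backup)."""
    address = " ".join(str(m) for m in alias["members"])
    return (f"<alias><name>{name}</name><type>{alias['type']}</type>"
            f"<address>{address}</address><descr>imported</descr></alias>")


if __name__ == "__main__":
    aliases, merged = consolidate(RULES)
    print(f"{len(RULES)} rules -> {len(merged)} rules, {len(aliases)} aliases")
    for name, alias in aliases.items():
        print(render_alias_xml(name, alias))
    for rule in merged:
        print(rule)
```

On the sample, nine rules collapse to three: one network alias is reused by both the 443 and 8443 rules, which then fold into a single rule via a port alias, while the lone block rule keeps its bare network. In pfSense 2.0 an alias name can itself be a member of another alias, so the two network aliases produced here could in turn be nested under one parent alias; that nesting is left out of the example.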

