{"id":18303478,"url":"https://github.com/gosecure/cisco2checkpoint","last_synced_at":"2025-07-10T06:34:27.441Z","repository":{"id":56394743,"uuid":"48055708","full_name":"GoSecure/Cisco2Checkpoint","owner":"GoSecure","description":"Tool that assists in migrating firewall rules from Cisco to Checkpoint. Will optimize rules for you (rationalization, reuse merging, etc.).","archived":false,"fork":false,"pushed_at":"2020-11-10T13:35:23.000Z","size":281,"stargazers_count":21,"open_issues_count":10,"forks_count":11,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-04-05T15:35:28.504Z","etag":null,"topics":["checkpoint","cisco","ciscoconfparse","firewall-rules"],"latest_commit_sha":null,"homepage":"http://gosecure.net/2017/01/30/cisco2checkpoint-cisco-checkpoint-conversion-tool/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoSecure.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-12-15T16:34:02.000Z","updated_at":"2023-02-10T22:50:27.000Z","dependencies_parsed_at":"2022-08-15T18:00:15.842Z","dependency_job_id":null,"html_url":"https://github.com/GoSecure/Cisco2Checkpoint","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/GoSecure/Cisco2Checkpoint","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2FCisco2Checkpoint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2FCisco2Checkpoint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2FCisco2Checkpoint/releases","manifests_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/GoSecure%2FCisco2Checkpoint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoSecure","download_url":"https://codeload.github.com/GoSecure/Cisco2Checkpoint/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2FCisco2Checkpoint/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264538581,"owners_count":23624436,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["checkpoint","cisco","ciscoconfparse","firewall-rules"],"created_at":"2024-11-05T15:25:47.760Z","updated_at":"2025-07-10T06:34:27.401Z","avatar_url":"https://github.com/GoSecure.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cisco2checkpoint Migration Tool\n\nCisco to Checkpoint is a conversion tool developed by GoSecure to help during migration projects. The tool has the ability to convert objects such as networks, services, groups and even firewall rules.\n\nThe tool requires python 2.7 and a forked version of [ciscoconfparse](https://pypi.python.org/pypi/ciscoconfparse) (included).\n\nSupported input syntax is currently IOS and ASA. The script outputs a file in dbedit syntax.\n\nThe script was run on nearly 10 different configurations and has led to many success stories, but the tool is still experimental. 
Use it at your own risk.\n\n\n## Install\n\n```\ngit clone --recursive https://github.com/gosecure/cisco2checkpoint c2c\ncd c2c\n```\n\n## Simple use case: Fresh Install\n\nThe easiest and most basic way to convert a Cisco configuration file, exported with `show run`, is as follows.\n\n```\npython2.7 c2c.py --export \\\n    --ciscoFile 'some_cisco_conf.txt' \\\n    --syntax asa \\\n    --policy My_Policy \\\n    --installOn My_Firewall \\\n    --output 'network_script.txt'\n```\n\nAs a result, the file `network_script.txt` is created and contains the converted policy. Upload the file to the SmartCenter server. Note that you will need a user with a bash shell to upload using SSH. To do so, run `chsh -s /bin/bash` and then log out to apply the change.\n\nBefore import, make sure that no \"write mode\" session is open with SmartDashboard. Also make sure that there are **no empty lines** and that the return characters are **\\n** (not \\r\\n). Don't forget to **take a backup or a DRC (Database Revision Control)**.\n\nTo perform the import, run:\n\n```\ndbedit -local -f network_script.txt -ignore_script_failure -continue_updating\n```\n\n## Advanced use case: Adding FW to existing policy\n\nIf a Checkpoint policy already exists on the SmartCenter server, the script must be aware of the existing objects. 
It is possible to export those objects in XML format and pass them to the script using additional arguments.\n\nFirst, run the following on the SmartCenter:\n\n```\necho \"printxml network_objects\" \u003e printxml_netobj.txt\necho \"printxml services\" \u003e printxml_services.txt\necho '\u003ca\u003e' \u003e customer_network_objects.xml\ndbedit -local -f printxml_netobj.txt \u003e\u003e customer_network_objects.xml\necho '\u003c/a\u003e' \u003e\u003e customer_network_objects.xml\necho '\u003ca\u003e' \u003e customer_service_objects.xml\ndbedit -local -f printxml_services.txt \u003e\u003e customer_service_objects.xml\necho '\u003c/a\u003e' \u003e\u003e customer_service_objects.xml\n```\n\nThen copy both XML files into the root of the repository and run as follows.\n\n```\npython2.7 c2c.py --export \\\n    --ciscoFile 'some_cisco_conf.txt' \\\n    --cpPortsFile 'customer_service_objects.xml' \\\n    --cpNetObjFile 'customer_network_objects.xml' \\\n    --syntax asa \\\n    --policy My_Policy \\\n    --installOn My_Firewall \\\n    --output 'network_script.txt'\n```\n\nAs a result, the file `network_script.txt` is created and contains the converted policy. Upload the file to the SmartCenter server. Note that you will need a user with a bash shell to upload using SSH. To do so, run `chsh -s /bin/bash` and then log out to apply the change.\n\nBefore import, make sure that no \"write mode\" session is open with SmartDashboard. Also make sure that there are **no empty lines** and that the return characters are **\\n** (not \\r\\n). Don't forget to **take a backup or a DRC (Database Revision Control)**.\n\nTo perform the import, run:\n\n```\ndbedit -local -f network_script.txt -ignore_script_failure -continue_updating\n```\n\n## Verify the conversion\n\nSimply replace the `--export` argument with `--verify` and add `--format text` to generate the configuration in a human-readable format. 
For example:\n\n```\npython2.7 c2c.py --verify \\\n    --format text \\\n    --ciscoFile 'some_cisco_conf.txt' \\\n    --syntax asa \\\n    --policy My_Policy \\\n    --installOn My_Firewall \\\n    --output 'network_script_verify.txt'\n```\n\nIn the example below, the last three lines show the three `access-list` lines that were used to generate a single Checkpoint rule:\n\n```\nACLRule(name=acl_inside,src=N-Prod-Wks-10.12.160.0_19;N-LAN-Wks-10.16.160.0_24;N-Prod-Wks-10.21.60.0_22,dst=G-xmpp-Internet,port=any,action=permit,pol=FW-Temp,inst=,disabled=False,desc=Access to X)\n Desc:Access to X\n Src: CiscoNet(name=N-Prod-Wks-10.12.160.0_19,ipAddr=10.12.160.0/255.255.224.0,desc=,alias=)\n Src: CiscoNet(name=N-LAN-Wks-10.16.160.0_24,ipAddr=10.16.160.0/255.255.255.0,desc=,alias=)\n Src: CiscoNet(name=N-Prod-Wks-10.21.60.0_22,ipAddr=10.21.60.0/255.255.252.0,desc=,alias=N-Prod-Wkstn-10.21.60.0_22)\n Dst: CiscoNetGroup(name=G-xmpp-Internet,desc= description Routes de xmpp via Internet,nbMembers=6,alias=)\n   CiscoNet(name=N-xmpp-Int-160.43.250.0_24,ipAddr=160.43.250.0/255.255.255.0,desc=,alias=)\n   CiscoNet(name=N-xmpp-Int-206.156.53.0_24,ipAddr=206.156.53.0/255.255.255.0,desc=,alias=)\n Port: CiscoAnyPort(name=any,port=0,desc=,alias=)\n Verify: \u003cASAAclLine # 2531 'access-list acl_inside extended permit ip object N-Prod-Wks-10.12.160.0_19 object-group G-xmpp-Internet log'\u003e\n Verify: \u003cASAAclLine # 2532 'access-list acl_inside extended permit ip object N-LAN-Wks-10.16.160.0_24 object-group G-xmpp-Internet log'\u003e\n Verify: \u003cASAAclLine # 2534 'access-list acl_inside extended permit ip object N-Prod-Wkstn-10.21.60.0_22 object-group G-xmpp-Internet log'\u003e\n```\n\n\n## Implicit Behaviors\n\n**Firewall rationalization**\n\nBy default, firewall rules are merged together if doing so does not affect the security of the policy. For two rules to be merged, all fields except one must be identical. 
Fewer firewall rules result in better performance and easier management, which often increases security.\n\n**Objects Reuse**\n\nWhen two objects with the same properties are found, they are merged. For example, if two hosts are defined with the same IP address, the first name is taken.\n\n**Dynamic Object Generation**\n\nWhen a host is defined in a group or an access-list without a name, it is automatically created. The reason is that in Checkpoint everything needs to be a defined object.\n\n\n## Modifiers\n\nThese modifiers can be used for specific needs, such as specifying a color for objects or enabling logging on every rule.\n\n\n    --color COLOR         The color to use for new objects.\n    --force-log           Force track=Log on all firewall rules\n    --startIndex INDEX    Index to start importing firewall rules. Default: 0\n    --disableRules        Disable all firewall rules.\n    --flattenInlineNetGroups\n                          Flatten groups with prefix DM_INLINE_NETWORK_ so\n                          members are added to firewall rules instead of the\n                          group.\n    --flattenInlineSvcGroups\n                          Flatten groups with prefix DM_INLINE_SERVICE_ so\n                          members are added to firewall rules instead of the\n                          group.\n\n\n## Customization\n\nA config file is located in `./config.py`. Most users shouldn't need to modify it. However, it is worth knowing that this file exists. Users will find object prefixes for dynamically created objects, excluded Checkpoint services, illegal expression replacements and association tables for ports and protocols.\n\n\n## Warning\n\n**Layer 2 vs Layer 3:** As some of you may know, Checkpoint policy is layer-3 based, meaning that firewall interfaces are completely abstracted from the policy. In fact, it is not possible to assign a rule to an interface as on Cisco. 
For this reason, you will find many *Drop All* rules within the policy and other rules that make no sense in the context of a layer-3 stateful firewall. Thus, a review must **always** be performed after the import.\n\n**Cisco syntax:** Cisco tends to be very flexible when it's time to write a line. Some keywords are optional and it is not required to define everything as an object. It also allows one to define an object in multiple ways. Unfortunately, this led to little hacks in the code.\n\n\n## License\n\ncisco2checkpoint is licensed GPLv3; Copyright [GoSecure](https://gosecure.net), 2015-2017.\n\n\n## Author and Thanks\n\ncisco2checkpoint was developed by Martin Dubé (mdube at gosecure.ca)\n\nSpecial thanks:\n - David Michael Pennington for his awesome work on [ciscoconfparse](https://github.com/mpenning/ciscoconfparse)\n - Olivier Bilodeau for helping me rebase the project and follow good practices\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgosecure%2Fcisco2checkpoint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgosecure%2Fcisco2checkpoint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgosecure%2Fcisco2checkpoint/lists"}