Check Point Start options
This table lists the start settings.
Setting | Description |
Profile | |
Description | Enter a description of the configuration. |
Output Options | |
Output Format | Select the appropriate output for your target Fortinet device. |
FOS Version | FortiOS 6.0 and 6.2 have different configuration syntaxes. Select the version that corresponds to the FortiOS version on the target. |
SmartCenter Input | |
Object Definition File (objects_5_0.C) |
Select the object definition file. This file should include the definition of firewalls, interfaces and firewall objects. |
Policy Information File (Standard.W or rulebases_5_0.fws) |
Select the policy information file. This file should include the information of policies and manual NAT rules in each policy package. |
[Optional] User & User Group File(fwauth.NDB) | Select the user and user group file. |
Provider-1 Input | |
MDS Definition File (mdss.c) | Select the MDS definition file. This file should include the MDS hierarchy. |
MDS Object File (objects_5_0.c) | Select the MDS object definition file. |
Global Policy Object File (objects_5_0.c) | Select the global object definition file. This file should include the definition of global objects. |
Global Policy Rulebase File (rulebases_5_0.fws) | Select the global policy information file. This file should include the information of policies and manual NAT rules in each global policy package. |
Global Policy Assignment(customer.C) | Select the global policy assignment file. |
Target device (Optional) |
|
Target device |
Select the model of the target device, or select a device connected to FortiConverter. |
Conversion Options | |
Discard unreferenced firewall objects |
This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page. |
Automatically generate policy interfaces | Specifies whether FortiConverter generates policy interfaces using a Check Point route file. (For example, a file you obtained using the netstat -nr command.) You select the route file on the Policy package page. Check Point policies define rules for network-to-network communication. When you migrate a Check Point configuration to FortiGate, which uses policies that define rules for interface-to-interface communication, you can use the Check Point router information to determine which interface a policy uses. If you disable this option, or router information isn’t available, FortiConverter uses the "any" interface. This option is disabled in Provider-1 conversion, because interfaces and routes aren't converted in Provider-1 conversion. |
Increase Address and Service Table Sizes for High-End Models | You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes. |
Route-based IPSec | Specifies whether Route-based IPSec is used for this conversion. |
Number of year-long schedules from day in month schedules | Specifies how many years of one-time schedules to generate. The wizard converts Check Point "day in month" schedules into equivalent one-time FortiGate schedules. |
Comment Options | |
Interface Comment | Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface. |
Address Comment | Specifies whether FortiConverter copies the address comment from source configuration to the converted FortiGate address. |
Service Comment | Specifies whether FortiConverter copies the service comment from the source configuration to converted FortiGate service. |
Policy comment - Add policy package name and rule number | Include policy package name, policy number and NAT rule number in the comment of output policy. |
Policy comment - Preserve the original comment | Include the original comment in source file in the comment of the output policy. |
Generate global objects in a separate file |
FortiConverter can distinguish global objects in the configuration and output the converted global objects into a separated file. |
Remove self-traffic addresses and polices |
Self-traffic polices should be configured in Check Point, but they are not necessary in FortiOS. FortiConverter comments out the self-traffics policies or remove self-traffic addresses from policies when this option is enabled. |
NAT Merge Options | |
Ignore firewall policies with all or any addresses when processing NAT rules | Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy. FortiConverter creates new policies in the output configuration based on where NAT rules to firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them. |
Enable Central NAT merge | Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs. |
Enable identity match of NAT policy | Specifies whether FortiConverter converts or ignores any identity NAT rules in the source configuration. The "range" and "network" address objects in a Check point configuration can include hide NAT and static NAT. Check Point performs NAT only when a host in the IP range of the address object communicates with a host outside that range. To disable NAT for traffic with both source and destination inside the address range, Check Point generates an automatic rule called an "identity NAT rule". By default, FortiConverter excludes this type of rule from the conversion because it performs no NAT after it is converted and generates redundant policies. You can enable this option to generate policies based on the identity NAT rules. |
NAT Merge Depth | |
Hide NAT Static NAT Rule NAT |
Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.
Because it can take FortiConverter several hours to complete a conversion that include a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including example matches, see NAT merge options. |