Check Point Start options
This table lists the start settings.
Setting | Description |
---|---|
Profile | |
Description | Enter a description of the configuration. |
Output Options | |
Output Format | Select the appropriate output for your target Fortinet device. |
FOS Version | The configuration syntax is slightly different among FortiOS 6.4, 7.0, 7.2, and 7.4. Select the version that corresponds to the FortiOS version on the target. |
Smart Center and VSX Input | |
Before R80.10 | Select this option if the configuration is from a SmartCenter device with version before R80.10. |
R80.10 or later | Select this option if the configuration is from a SmartCenter device with version R80.10 or later. |
JSON Export | Select this option if the configuration is an archived JSON file exported from the Check Point “ShowPolicyPackage” tool. |
Object Definition File (objects_5_0.C) | Select the object definition file. This file should include the definition of firewalls, interfaces and firewall objects. |
Policy Information File (Standard.W or rulebases_5_0.fws) | Select the policy information file. This file should include the policy information and manual NAT rules in each policy package. This is only needed for devices with SmartCenter version before R80. |
Policy File (CSV Format) (R80.10 or later) | Select the policy file in CSV format. This is only needed when "R80.10 or later" is selected. |
NAT File (CSV Format) (R80.10 or later) | Select the NAT rule file in CSV format. This is only needed when "R80.10 or later" is selected. |
[Optional] User & User Group File (fwauth.NDB) | Select the user and user group file. |
[Optional] Identity Role File (identity_roles.C) | Select the identity role file. |
[Optional] ifconfig File (for VLAN ID consistency) | Select the text file containing the output of the Linux "ifconfig" command. If provided, the file helps to determine the VLAN ID of interfaces. (SmartCenter only) |
[Optional] DHCP Relay File (BOOTP) | Select the file which contains the DHCP relay information of interfaces. (SmartCenter only) |
Provider-1 Input | |
MDS Definition File (mdss.c) | Select the MDS definition file. This file should include the MDS hierarchy. |
MDS Object File (objects_5_0.c) | Select the MDS object definition file. |
Global Policy Object File (objects_5_0.c) | Select the global object definition file. This file should include the definition of global objects. |
Global Policy Rulebase File (rulebases_5_0.fws) | Select the global policy information file. This file should include the information of policies and manual NAT rules in each global policy package. |
Global Policy Assignment (customer.C) | Select the global policy assignment file. |
Target device (Optional) | |
Target device | Select the model of the target device, or select a device connected to FortiConverter. |
Conversion Options | |
Discard unreferenced firewall objects | This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page. |
Automatically generate policy interfaces | Specifies whether FortiConverter generates policy interfaces using a Check Point route file. (For example, a file you obtained using the netstat -nr command.) You select the route file on the Policy package page. Check Point policies define rules for network-to-network communication. When you migrate a Check Point configuration to FortiGate, which uses policies that define rules for interface-to-interface communication, you can use the Check Point router information to determine which interface a policy uses. If you disable this option, or router information isn’t available, FortiConverter uses the "any" interface. This option is disabled in Provider-1 conversion. |
Increase Address and Service Table Sizes for High-End Models | You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes. |
Route-based IPSec | Specifies whether Route-based IPSec is used for this conversion. |
Generate global objects in a separate file | FortiConverter can distinguish global objects in the configuration and output the converted global objects into a separate file. |
Remove self-traffic addresses and policies | Self-traffic policies should be configured in Check Point, but they are not necessary in FortiOS. When this option is enabled, FortiConverter comments out the self-traffic policies or removes self-traffic addresses from policies. |
Number of year-long schedules from day in month schedules | Specifies how many years of one-time schedules to generate. The wizard converts Check Point "day in month" schedules into equivalent one-time FortiGate schedules. |
Policy index start from 1 instead of 10000 | When selected, the serial number of firewall policies starts from 1 instead of 10000. |
Split Address group From VPN Phase2 selector | If the remote side of the VPN is not a FortiGate but a device from another vendor, setting an address group in the VPN phase2 quick selector does not work. When this option is enabled, a VPN phase2 object with an address group in the selector is split into multiple objects, each with a subnet or a range in the selector. |
Get routing info from source configuration file | Get the routing information from the source configuration file instead of from the netstat command output. |
Add prefix to the address objects which will trigger VIP/DNAT | Adds the "v-" prefix to the name of an address object that is referenced in a VIP. |
NGFW policy-based mode | When selected, the conversion is performed in NGFW policy-based mode. |
Enable merging of parent inner layer policy to child policies | When a policy has the action "inner layer" and its child has "any" as the source or destination address, the parent policy's address is applied to the child. |
Disable arp-reply for all ippools and vips | Adds "set arp-reply disable" for all IP pools and VIPs. |
Generate configurations with all VDOMs merged | Select this option if a merged config folder of all the converted VDOMs is required in the output config folder. When you migrate a Check Point configuration to FortiManager, you can use this option to get a merged folder including policies and firewall objects. (SmartCenter and Provider-1 only) |
Comment Options | |
Interface Comment | Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface. |
Address Comment | Specifies whether FortiConverter copies the address comment from source configuration to the converted FortiGate address. |
Service Comment | Specifies whether FortiConverter copies the service comment from the source configuration to converted FortiGate service. |
Policy comment - Add policy package name and rule number | Include policy package name, policy number and NAT rule number in the comment of output policy. |
Policy comment - Preserve the original comment | Include the original comment in source file in the comment of the output policy. |
Policy comment - Preserve UUID from the original rule | Append the policy UUID given in the Check Point source config to the policy comment, to make it easier to correlate source and converted policies. |
Separate multiple comments into different lines | When a policy is merged from multiple firewall or NAT rules, the original comments of the rules are concatenated directly as the comment of the new policy. Enable this option to put each original comment on its own line inside the new comment. |
NAT Merge Options | |
Enable Central NAT merge | Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs. |
Ignore firewall policies with all or any addresses when processing NAT rules | Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy. FortiConverter creates new policies in the output configuration based on where NAT rules to firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them. |
Convert Static NATs into VIP/source NAT pairs | When this option is enabled (in policy NAT mode only), a static NAT rule is converted into a central SNAT rule and a unidirectional VIP object. Otherwise it is converted into a bidirectional VIP object. |
Enable identity match of NAT policy | Specifies whether FortiConverter converts or ignores any identity NAT rules in the source configuration. The "range" and "network" address objects in a Check point configuration can include hide NAT and static NAT. Check Point performs NAT only when a host in the IP range of the address object communicates with a host outside that range. To disable NAT for traffic with both source and destination inside the address range, Check Point generates an automatic rule called an "identity NAT rule". By default, FortiConverter excludes this type of rule from the conversion because it performs no NAT after it is converted and generates redundant policies. You can enable this option to generate policies based on the identity NAT rules. |
NAT Merge Depth | |
Hide NAT / Static NAT / Rule NAT | Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values. Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including example matches, see NAT merge options. |
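The following Python model is an added illustration, not FortiConverter's own code: it shows why NAT merge intersects NAT rules with firewall policies, why policies that use "any" produce many intersections (the "Ignore firewall policies with all or any addresses" option), and why identity NAT rules are excluded unless "Enable identity match of NAT policy" is set. The policies, rules and function names are constructed for this example.

```python
import ipaddress

# Constructed sample input: firewall policies and NAT rules as source/destination networks.
FIREWALL_POLICIES = [
    {"name": "lan_to_dmz", "src": "10.1.0.0/16", "dst": "192.0.2.0/24"},
    {"name": "lan_to_inet", "src": "10.1.0.0/16", "dst": "0.0.0.0/0"},
    {"name": "allow_any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},  # "any" to "any"
]

NAT_RULES = [
    # Hide NAT: LAN hosts leaving to anywhere are translated to one public address.
    {"name": "hide_lan", "orig_src": "10.1.0.0/16", "orig_dst": "0.0.0.0/0",
     "xlate_src": "203.0.113.1/32", "xlate_dst": "0.0.0.0/0"},
    # Automatic identity NAT rule: LAN to LAN, translation equals the original.
    {"name": "identity_lan", "orig_src": "10.1.0.0/16", "orig_dst": "10.1.0.0/16",
     "xlate_src": "10.1.0.0/16", "xlate_dst": "10.1.0.0/16"},
]

ANY = ipaddress.ip_network("0.0.0.0/0")


def is_identity(rule):
    """True when the rule translates nothing: source and destination stay unchanged."""
    return rule["orig_src"] == rule["xlate_src"] and rule["orig_dst"] == rule["xlate_dst"]


def uses_any(policy):
    """True when the policy's source or destination is the catch-all "any"/"all"."""
    return ANY in (ipaddress.ip_network(policy["src"]), ipaddress.ip_network(policy["dst"]))


def overlaps(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def merge(policies, rules, ignore_any=True, identity_match=False):
    """Return (policy, rule) name pairs whose src/dst ranges intersect.

    Each pair stands for one FortiGate NAT policy the merge would create.
    """
    merged = []
    for rule in rules:
        if is_identity(rule) and not identity_match:
            continue  # excluded by default: no NAT happens, only redundant policies result
        for pol in policies:
            if ignore_any and uses_any(pol):
                continue  # "any" policies intersect every rule, so they are skipped
            if overlaps(pol["src"], rule["orig_src"]) and overlaps(pol["dst"], rule["orig_dst"]):
                merged.append((pol["name"], rule["name"]))
    return merged
```

With the defaults only the specific policy is merged; allowing "any" policies triples the output, and enabling identity match adds policies that perform no translation.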