How To: Automate Conversion of Firewall Rules from Checkpoint to OCI Network Firewall

Karthik Mani
Oracle Developers
Feb 1, 2023

Oracle Cloud Infrastructure Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for Oracle Cloud Infrastructure (OCI) virtual cloud network (VCN), powered by Palo Alto Networks®.

Customers may choose to migrate from Checkpoint to OCI Network Firewall for various reasons, and this tool helps migrate their Checkpoint firewall rules to the OCI firewall.

Migration could mean replacing a Checkpoint firewall that is already deployed in OCI, or migrating on-prem Checkpoint firewall rules.

Prerequisites to use this tool:

1. Web Visualization dump generated from Checkpoint: this exports the configuration of the Security Management Server to a readable format and allows security administrators or executives to audit the Security Management Server configuration. For more, go here.

2. Python needs to be installed to run this code. Refer to this link for installing Python on your workstation.

3. (Optional) If the OCI CLI is installed on your machine, you may create a firewall policy and push that policy to your OCI tenancy. To learn more, refer here.

Note: If the OCI CLI is not installed, the JSON files created by the tool can be copied to OCI Cloud Shell (the web-based CLI available in your OCI console), where you can execute the OCI CLI commands to update the firewall policies.

OCI’s Cloud Shell is a web-based CLI

Below are the commands to update the IP address list, followed by the application list and the security rules.

oci network-firewall network-firewall-policy update --network-firewall-policy-id <ocid1.networkfirewallpolicy.oc1.ap-mumbai-1.xxxx> --ip-address-lists file://IPaddress-list.json
oci network-firewall network-firewall-policy update --network-firewall-policy-id <ocid1.networkfirewallpolicy.oc1.ap-mumbai-1.xxxx> --application-lists file://application-list.json
oci network-firewall network-firewall-policy update --network-firewall-policy-id <ocid1.networkfirewallpolicy.oc1.ap-mumbai-1.xxxx> --security-rules file://security_rules_v2.json

Usage:

To convert the Checkpoint firewall policies, open the terminal or command prompt on your Mac or Windows computer and type “python3” followed by the script file name “Checkpoint-Migration-v1.py” (run this from the path where the Checkpoint files were extracted).

python3 Checkpoint-Migration-v1.py

When the script is executed successfully you should see:

Checkpoint IP Address objects to OCI IP-Address-List Conversion - Done!
Checkpoint Service objects to OCI Application-List Conversion - Done!
Checkpoint Network Security Rules to OCI Security-Rules Conversion - Done!
Cleanup - Done!
WOULD YOU LIKE TO GET THE FIREWALL RULES DEPLOYED
Choose one of the below Options.
Option 1: Create a New Firewall Policy
Option 2: Update an Existing Firewall policy
Option 3: Exit

What we see here: the IP-Address-List, Application-List and Security-Rules conversions completed successfully, followed by an option to either create a new policy or update an existing one.

Here is a video demo:

You can download the script from here.

IMPORTANT NOTE:

As of mid-January 2023, the OCI Network Firewall’s GUI (graphical user interface) restricts you from creating more than 25 objects (IP-Address-List, Application-List, URL-List, and so on). However, the OCI Firewall product team is working hard to remove this restriction.

This script uses an API to create the additional objects required to migrate your rules.

I was able to migrate rule bases with up to 300 security rules and 600 objects (IP address and application objects combined). If your rule base is bigger than that, converting it will not be a problem. However, there is a good chance that you will face errors while installing the result on the OCI firewall.

What to expect from this tool:

1. This script uses the JSON files from the Checkpoint Web Visualization dump as input. If Checkpoint changes its JSON format, some part of this code will need to change.

2. This version of code focuses on firewall access rules. Threat prevention rules are not exported as part of this code.

Note: Checkpoint lets you write threat prevention rules and access rules separately, in their respective blades, whereas OCI Network Firewall combines these, so they can be written as a single rule. This means that changing the action of an allow rule in OCI to “Intrusion Detection / Intrusion Prevention” is enough. Review and perform these changes manually.

3. You may also want to review the features used in Checkpoint and in OCI Network Firewall. The native firewall of OCI is pretty lean: it is not expected to behave as a NAT, VPN, or routing device. When you choose OCI Network Firewall, such capabilities are delegated to other native services, so those rules do not have to be part of this migration.

4. “Nested-groups”: an IP or Service object-group that is referenced inside another object-group. This script can handle one level of such nesting. If you have multiple levels of nested groups, please flatten them before using this script. Otherwise, refer to the code design section below: the code that sorts nested groups must be run in a loop as many times as required. This is not tested yet!

5. Once the rules have been migrated successfully, it is recommended that you review the “removed_uids.txt” and “removed_objects_log.txt” log files generated in the same path where the script is run. The code is expected to remove unknown objects and stale entries that Checkpoint’s visualization tool captures. Please make sure these removed objects are indeed not required.

Code-Design Section:

This Section explains in detail how Checkpoint JSON files are converted to OCI Firewall JSON.

Code-Design-Flow-Diagram
1. Web-Visualization’s “standard_objects.json” file is used as input.

2. The Name Sanitize function validates whether the Checkpoint object names comply with the OCI firewall naming conventions and corrects them accordingly.

Steps 1 and 2 create an intermediate file that holds an extract of all required fields from the Checkpoint JSON files. These are used to create IP-Address-List.json and Application-List.json.

3. IP-Address range objects are converted to Network range address with the same object name.

4. “Nested-Groups” member ‘uid’ (identifiers) are consolidated to one group. OCI Network firewall currently does not support Object-groups that hold IP address / Services inside another object-group.

5. IP-Address objects and Network-Address objects are added to an intermediate JSON file. Unknown ‘uid’ are removed and logged.

6. “Nested-Groups” ‘uid’s’ are mapped to IP-Address or Network-Range objects. These are written to the same intermediate file as in step 5.

7. Steps 3–6 produce another intermediate JSON file in which the different IP address objects (IP range, host, subnet/mask) and application objects (service-tcp, service-udp, service-icmp, service-groups) are all collated.

8. IP-Address-List JSON is created using the intermediate JSON file from step 7.

9. Application-List JSON is created using the intermediate JSON file from step 7.

10. Web-Visualization “Network Management-Objects.json” file is used as an input. Required fields to build security_rules of OCI firewall are extracted in this step.

11. Use Name Sanitize function to make sure object names in the extracted file are converted for use in OCI-Firewall.

12. ‘UID’ to ‘name’ map is created using the standard_objects.json.

13. Name Sanitize function is once again called to convert the names as per requirement for the map created.

14. This map is used to replace the ‘UID’ values with ‘name’ values in the file created in step 11. Security rules with source, destination, application and action fields are created at this step.

15. The Action field is mapped from Checkpoint’s actions: “Accept” is changed to “ALLOW” and “Drop” is changed to “DROP”. The result is written over the previously created file.

16. Security Rules are converted to OCI-Firewall’s JSON format.

17. IP-Address and Application object ‘UID’ values are mapped to their ‘Name’ values.

18. The map created in the above step is compared with the objects referenced in the security rules. Any unknown objects are removed and logged.

19. Any rules that have ICMP objects in Security_Rules are identified and these rules are converted to two rules. One has ICMP applications, the other without ICMP applications.

20. If OCI CLI is configured on your machine the script allows you to Create and Install the converted policies to the OCI Firewall in your tenancy.
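The conversion steps above, as an added example that is not the script’s own code: a compact Python model of steps 3–6 and 12–19 that resolves nested groups to CIDRs by recursion (so it also covers the multi-level nesting that item 4 above says is untested), logs unknown uids instead of failing, maps actions, and splits ICMP services into a second rule. The Checkpoint field names, the sanitizing rule and the OCI rule key layout are assumptions; check them against your export and the JSON the OCI CLI expects.

```python
import ipaddress
import re
# Constructed sample in the shape of a Check Point Web Visualization export (assumed field names).
OBJECTS = [
    {"uid": "u1", "type": "host", "name": "web-1", "ipv4-address": "10.0.1.10"},
    {"uid": "u2", "type": "network", "name": "app net", "subnet4": "10.0.2.0", "mask-length4": 24},
    {"uid": "u3", "type": "address-range", "name": "db-range",
     "ipv4-address-first": "10.0.3.5", "ipv4-address-last": "10.0.3.9"},
    {"uid": "g1", "type": "group", "name": "inner", "members": ["u1", "u2"]},
    {"uid": "g2", "type": "group", "name": "outer", "members": ["g1", "u3", "u-stale"]},  # 2 levels + stale uid
    {"uid": "s1", "type": "service-tcp", "name": "https", "port": "443"},
    {"uid": "s2", "type": "service-icmp", "name": "echo"},
]
BY_UID = {o["uid"]: o for o in OBJECTS}          # step 12: uid -> object (name) map
ACTION_MAP = {"Accept": "ALLOW", "Drop": "DROP"}  # step 15

def sanitize(name):  # steps 2/11/13: keep only characters assumed safe for an OCI object name
    return re.sub(r"[^A-Za-z0-9_-]", "_", name)

def flatten(uid, removed, seen=frozenset()):
    """Steps 3-6: resolve a uid to CIDRs through any depth of nested groups; unknown uids go to `removed`."""
    obj = BY_UID.get(uid)
    if obj is None or uid in seen:          # stale uid, or a group that (indirectly) contains itself
        removed.append(uid)
        return []
    t = obj["type"]
    if t == "host":
        return [obj["ipv4-address"] + "/32"]
    if t == "network":
        return [f"{obj['subnet4']}/{obj['mask-length4']}"]
    if t == "address-range":                # range -> minimal set of covering CIDRs
        first, last = ipaddress.ip_address(obj["ipv4-address-first"]), ipaddress.ip_address(obj["ipv4-address-last"])
        return [str(n) for n in ipaddress.summarize_address_range(first, last)]
    if t == "group":
        return [c for m in obj["members"] for c in flatten(m, removed, seen | {uid})]
    removed.append(uid)                     # unsupported type: drop it and log it
    return []

def convert_rule(rule, removed):
    """Steps 14-19: one Check Point access rule -> OCI security rule(s) by name, ICMP services split out."""
    def names(uids):
        removed.extend(u for u in uids if u not in BY_UID)   # step 18: unknown objects removed and logged
        return [sanitize(BY_UID[u]["name"]) for u in uids if u in BY_UID]
    src, dst = names(rule["source"]), names(rule["destination"])
    icmp = [u for u in rule["service"] if u in BY_UID and BY_UID[u]["type"] == "service-icmp"]
    other = [u for u in rule["service"] if u not in icmp]
    out = []
    for suffix, apps in (("", names(other)), ("-icmp", names(icmp))):
        if apps:  # assumed OCI layout: name / action / condition{sources, destinations, applications, urls}
            out.append({"name": sanitize(rule["name"]) + suffix, "action": ACTION_MAP[rule["action"]],
                        "condition": {"sources": src, "destinations": dst, "applications": apps, "urls": []}})
    return out
```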

Firewall rule migration is usually the most time-consuming step when preparing to replace an existing firewall. This tool is intended to fast-track that phase.

Still, a firewall migration on a production network must be planned carefully. I will try to cover a high-level approach in another blog!

Want to talk about this or other OCI tools? Join us on the Oracle Developers public Slack channel!

Also, you can try OCI’s Free Tier by signing up here.

Karthik Mani
Oracle Developers

Experienced Principal Cloud Security - Solution Architect with strong skills in information security, risk management, and scalable cloud infrastructure.