Dirk_Fusswinkel
Explorer

Unify Policy Migration from R77.30

Hi,

we have migrated from a Check Point R77.30 server firewall to a 5000 appliance with R80.10. We want to use the new Unified Policies. After we activated the new layer in the Access Control policy and installed the policy on the blades, we get the error message: Layer "Network": Rule XX has "Legacy User Access" in the Source Column which can be configured on layer with Firewall only. We have 14 rules with this error.

What can we do to activate the Unified Policy?

0 Kudos

13 Replies
Dor_Marcovitch
Advisor

Try using an access role in this rule.

0 Kudos
Tomer_Sole
Mentor

If you are able to replace your Legacy User Access objects with Access Role objects, then the Unified Policy will work for you.

0 Kudos
PhoneBoy
Admin

Unified policies cannot be used with certain legacy features.

Based on what you're describing, you are likely using rules with an action of User Auth or Client Auth.

The only way to use unified policies is to stop using these legacy features and use their more modern equivalents instead (e.g. Access Roles). 

More info here: Install policy on R80.10 Security Gateway fails with verification error messages 

0 Kudos
Dor_Marcovitch
Advisor

Legacy User is also being used for rules that control access of SecureClient connections.

0 Kudos
PhoneBoy
Admin

I figured there were other instances that I forgot about :)

That's why I linked to the SK which covers most of them.

0 Kudos
Dirk_Fusswinkel
Explorer

Hi Guys,

thanks for your replies. We use the Legacy User for the SecureClient connections, like Endpoint VPN. Is there a way to migrate from Legacy User Access to the modern equivalents?

Thanks

0 Kudos
PhoneBoy
Admin

If you're using Client Encrypt rules (i.e. where the action is Client Encrypt), you should be using VPN Communities instead, which were introduced more than 15 years ago.

The legacy User Groups should be replaced with Access Roles.

Refer to: Remote Access VPN R80.10 (Part of Check Point Infinity) 

0 Kudos
Dirk_Fusswinkel
Explorer

This is one of our VPN policies:

[screenshot: VPN Policy]

And this is my new VPN policy:

[screenshot: New Policy]

And this is my Access Role:

[screenshot: Access Role]

The group is a Check Point internal group.

But after removing the Legacy User Group, my test user cannot use the VPN anymore. It doesn't get any connections.

0 Kudos
PhoneBoy
Admin

It's been probably since SecureClient days since I configured a Remote Access VPN, so no shock I got that wrong :)

You don't even need an Access Role--remove that from the rule.

You define what groups are permitted in the VPN community itself. 

0 Kudos
Dirk_Fusswinkel
Explorer

If I use this for the groups, can I keep my granularity for my VPN connections?

I have a lot of external VPN users and they should only access certain systems.

0 Kudos
Declan__McGill
Contributor

Simplest option (which I used when migrating a customer from ASA, ACS, RADIUS etc. to CP R80.10) is just to create a role for each 3rd party user and make a rule with:

source (e.g. Role_3rd_party_user_1) | dest (wherever he should be able to go) | svc (whatever he should be able to do) | accept | log

Easy.

You might want to make an AllUsers Role and make that the entry to a layer containing the 3rd party rules.

D
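The per-user rule pattern and the optional AllUsers entry layer described in the reply above, as an added example that is not from this thread and not Check Point's own code: a POSIX shell script that emits the Check Point Management API (mgmt_cli) commands for a list of third-party users so they can be reviewed before being run in a management session. The layer name, identity source and object names are placeholders, and the exact mgmt_cli parameter syntax used here (users.1.source, users.1.selection.1, inline-layer, track.type) is an assumption to be checked against the API reference for your management version.

```shell
#!/bin/sh
# Added example: generate mgmt_cli commands for the "one role per 3rd-party
# user" rule pattern. Nothing is executed here; the output is meant to be
# reviewed and then run inside an authenticated mgmt_cli session.
# ASSUMED: parameter names follow the Management API reference of the
# installed version; verify before use.

LAYER="Network"        # assumed: name of the Access Control layer
ID_SOURCE="LDAP_AU"    # assumed: identity source (LDAP Account Unit) for the roles

# gen_user_rule USER DEST SVC
# Prints two commands: create an Access Role for one user, then a rule with
# source = that role, destination = DEST, service = SVC, accept, log.
gen_user_rule() {
  user="$1"; dest="$2"; svc="$3"
  role="Role_3rd_party_${user}"
  printf 'mgmt_cli add access-role name "%s" networks "any" users.1.source "%s" users.1.selection.1 "%s"\n' \
    "$role" "$ID_SOURCE" "$user"
  printf 'mgmt_cli add access-rule layer "%s" position bottom name "3rd party %s" source "%s" destination "%s" service "%s" action "Accept" track.type "Log"\n' \
    "$LAYER" "$user" "$role" "$dest" "$svc"
}

# gen_entry_rule SUBLAYER
# Prints the commands for the "AllUsers" entry rule: a rule in the main layer
# that hands identified users to an inline layer holding the per-user rules.
gen_entry_rule() {
  sub="$1"
  printf 'mgmt_cli add access-layer name "%s"\n' "$sub"
  printf 'mgmt_cli add access-role name "Role_AllUsers" networks "any" users "any"\n'
  printf 'mgmt_cli add access-rule layer "%s" position bottom name "3rd party users" source "Role_AllUsers" destination "Any" service "Any" action "Apply Layer" inline-layer "%s" track.type "Log"\n' \
    "$LAYER" "$sub"
}

# gen_all: reads "user dest svc" triples from stdin, puts the per-user rules
# into the inline layer created by gen_entry_rule, and ends with a publish so
# the changes are committed to the management database.
gen_all() {
  sub="3rd_party_rules"
  gen_entry_rule "$sub"
  saved="$LAYER"; LAYER="$sub"
  while read -r u d s; do
    [ -n "$u" ] && gen_user_rule "$u" "$d" "$s"
  done
  LAYER="$saved"
  printf 'mgmt_cli publish\n'
}

# Constructed sample input (placeholder users, hosts and services).
# Usage: sh gen_rules.sh --demo > cmds.sh ; review cmds.sh ; then run each
# line with a session id (mgmt_cli login > id.txt; mgmt_cli ... -s id.txt).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "alice srv_crm https" "bob grp_erp_servers ssh" | gen_all
fi
```

Generating the commands instead of running them keeps a reviewable record of exactly which role and rule each external user gets, which is what you want to check against the "only certain systems" requirement before the policy is published and installed.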

Dirk_Fusswinkel
Explorer

Do you have an example, like a screenshot, for this rule?

0 Kudos
Declan__McGill
Contributor

something like that? 

D