topic Unify Policy Migration from R77.30 in Firewall and Security Management

Unify Policy Migration from R77.30

Dirk_Fusswinkel — Tue, 15 Aug 2017 10:24:58 GMT

Hi,

we have mirgrated from Checkpoint 77.30 Server Firewall to a 5000 Appliance with R80.10. We want use the new Unify Policys. After we activated the new Layer at the Access Control Policy and install the Policy at the Blades we get the Error Message: Layer "Network": Rule XX has "Legacy User Access" in the Source Column which can be configured on layer with Firewall only" We have 14 rules with this error.

What can we do to activate the Unify Policy?

Re: Unify Policy Migration from R77.30

Dor_Marcovitch — Tue, 15 Aug 2017 17:04:59 GMT

Try using access role in this rule

Re: Unify Policy Migration from R77.30

Tomer_Sole — Tue, 15 Aug 2017 17:13:45 GMT

if you are able to replace your Legacy User Access objects with Access Role objects then the unify policy will work for you.

Re: Unify Policy Migration from R77.30

PhoneBoy — Wed, 16 Aug 2017 05:22:47 GMT

Unified policies cannot be used with certain legacy features.

Based on what you're describing, you are likely using rules with an action of User Auth or Client Auth.

The only way to use unified policies is to stop using these legacy features and use their more modern equivalents instead (e.g. Access Roles).

More info here: Install policy on R80.10 Security Gateway fails with verification error messages

Re: Unify Policy Migration from R77.30

Dor_Marcovitch — Wed, 16 Aug 2017 06:01:23 GMT

Legacy User is also being used for rules that control access of Secure Client Connections

Re: Unify Policy Migration from R77.30

PhoneBoy — Wed, 16 Aug 2017 06:16:33 GMT

I figured there were other instances that I forgot about

That's why I linked to the SK which covers most of them.

Re: Unify Policy Migration from R77.30

Dirk_Fusswinkel — Wed, 16 Aug 2017 06:49:38 GMT

Hi Guys,

thanks for your replies. We use the legacy User for the Secure Client Connections like Endpoint VPN. Exist a way to migrate from Legacy User Access to the modern equivalents?

Thanks

Re: Unify Policy Migration from R77.30

PhoneBoy — Wed, 16 Aug 2017 07:07:06 GMT

If you're using Client Encrypt rules (i.e. where the action is Client Encrypt), you should be using VPN Communities instead, which were introduced more than 15 years ago.

The legacy User Groups should be replaced with Access Roles.

Refer to: Remote Access VPN R80.10 (Part of Check Point Infinity)

Re: Unify Policy Migration from R77.30

Dirk_Fusswinkel — Wed, 16 Aug 2017 13:50:33 GMT

This is one of our VPN Policys

And this is my new VPN Policys:

And this is my Access Role:

The Group is a Cehckpoint Internal Group

But after the remove of the Legacy User Group, my Test user cannot use the VPN anymore. I doens´t get any connections.

Re: Unify Policy Migration from R77.30

PhoneBoy — Wed, 16 Aug 2017 15:08:27 GMT

It's been probably since Secure Client days since I configured a Remote Access VPN, so no shock I got that wrong

You don't even need an Access Role--remove that from the rule.

You define what groups are permitted in the VPN community itself.

Re: Unify Policy Migration from R77.30

Dirk_Fusswinkel — Thu, 17 Aug 2017 09:16:38 GMT

If i use this for the groups can i use my granularity for my VPN Connections?

I have a lot of external vpn users and they should only access certain system

Re: Unify Policy Migration from R77.30

Declan__McGill — Thu, 17 Aug 2017 13:23:12 GMT

Simplest option (which I used when migrating a customer from ASA, ACS, Radius etc to CP R80.10 ) is just create a role for each 3rd party user and make a rule with:

source (eg Role_3rd_party_user_1) |

dest (wherever he should be able to go) |

svc (whatever he should be able to do) |

accept |

log

Easy.

You might want to make an AllUsers Role and make that the entry to a layer containing the 3rd party rules.

Re: Unify Policy Migration from R77.30

Dirk_Fusswinkel — Thu, 24 Aug 2017 14:43:33 GMT

Have you an example like Sreenshot for this rule?

Re: Unify Policy Migration from R77.30

Declan__McGill — Thu, 24 Aug 2017 15:56:22 GMT

something like that?