topic Convert Traditional Mode Policy to Simplified Policy MGMT R80.30 in Firewall and Security Management

Convert Traditional Mode Policy to Simplified Policy MGMT R80.30

Simon_Macpherso — Thu, 27 Feb 2020 07:55:19 GMT

Hello Community,

We are about to start converting a traditional mode policy to simplified mode.

Our MGMT server has already been upgraded to R80.30 so the conversion tool is no longer available (Simplified Mode VPNs have been the default since R5x.), so my understanding at this point is that we have to perform the conversion manually.

We have 100+ S2S L2L IPSEC VPNs with Checkpoint and 3rd party gateways using a mixture of cert-based and PSK auth we will need to create communities for.

There are about 300 ACLs with 'Encrypt' action configured which will need to be changed.

Questions:

1. What is the recommend process to complete this task i.e. step-by-step?

2. a. Can we use the existing traditional mode policy and change the action value to accept and create the communities, or does the policy need to be recreated?

b. If the latter, would the best way be to export the existing objects out of the existing policy and re-importing the objects, with the exception of the Action field value in to a new (simplified mode) policy?

3. Based on experience and knowledge are you aware of any caveats to be aware of with this type of conversion?

Thanks in advance for your guidance.

Regards,

Simon

Re: Convert Traditional Mode Policy to Simplified Policy MGMT R80.30

G_W_Albrecht — Thu, 27 Feb 2020 10:40:47 GMT

It would have been much better to convert before the R80.x30 upgrade... So i would suggest to involve TAC or even CP Professional Services to do that smoothly !

Re: Convert Traditional Mode Policy to Simplified Policy MGMT R80.30

oriehl — Fri, 28 Feb 2020 13:58:26 GMT

Hi,

I would be interested of the Tac's answer.

I need the same for a 80.30 client with a big policy base.

Re: Convert Traditional Mode Policy to Simplified Policy MGMT R80.30

PhoneBoy — Fri, 28 Feb 2020 16:48:12 GMT

First, yes, this should have been done prior to upgrading to R80.x.
I did find an SK that suggests you can do this with cp_merge, which is NOT supported in R80.x (so don't do this!): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104778

What it does imply is that, yes, you should be able to "copy paste" rules and change the action to Accept.
In addition to manually creating the VPN communities of course.
What I would do is create a new Policy layer.
Selecting rules in the existing rulebase (do a few at a time), use the standard shortcuts for copy and paste to bring the rules to the new rulebase.
Not sure how this will work when you encounter rules with an Encrypt action, so it's possible these rules might require manual recreation.

In any case, I second the recommendation to get Professional Services involved here.

Re: Convert Traditional Mode Policy to Simplified Policy MGMT R80.30

_Val_ — Sat, 29 Feb 2020 10:57:41 GMT

Sorry, but I do not see here a TAC case. PS, sure, but not support.