
policy migration from standalone to distributed

Hi,

sk61681 and sk85900 give solutions which are quite different from each other. Has anyone used these solutions?

I need to migrate the policy from standalone to distributed. If so please suggest me the best way to do so.

Thank You

Sagar Manandhar

Accepted Solution
Admin

Re: policy migration from standalone to distributed

These SKs solve different problems:

Which approach you take will largely depend on what you want to use the current Standalone hardware for when it's all said and done.

13 Replies

Re: policy migration from standalone to distributed

You should use this: sk61681

Re: policy migration from standalone to distributed

Any specific reason?

Re: policy migration from standalone to distributed

If you only want the policy, then I think you might be able to use the cpmerge utility, but I believe you want to keep all your management server data (user DB, internal CA, ...). The SK I pointed you to will provide that.

Re: policy migration from standalone to distributed

I only need the object and policy. We don't need to restore the server data.

Re: policy migration from standalone to distributed

Then read about the cpmerge utility: you can export the policy package and import it, and the object.c for the objects from the other management server.

Re: policy migration from standalone to distributed

I am importing the configuration between a standalone machine and a management-only machine. Thanks, I will follow this SK.

Re: policy migration from standalone to distributed

What is the procedure for the R80.10 version? Both SKs say they are not applicable to R80.xx.

Admin

Re: policy migration from standalone to distributed

I think you should still be able to do a migrate export of the management piece, import into a new standalone management system, then do a clean install of the gateway.

You can easily test this without affecting your existing gateway (except for the cpstop required to take the migrate export).

Re: policy migration from standalone to distributed

The answer is not clear to me. Let me reiterate the query:

I have an R80.10 Standalone machine. I would like to migrate it to a distributed setup (separate Mgmt server and GW).

Neither sk61681 nor sk85900 is applicable to R80.xx.

What do you suggest on this?

Re: policy migration from standalone to distributed

I used the ExportImportPolicyPackage method and it worked for me.

  1. Download the files from here:
     Download and copy these files to the cp-mgmt-api blank folder you downloaded earlier.
  2. Run this command: api start
  3. Make sure the API status is running; run this command: api status
  4. Create a directory and run the script:
     • mkdir APIpython
     • scp all files to that directory
     • Run the Python script:
       /opt/CPsuite-R80/fw1/Python/bin/python2.7 /home/admin/APIpython/ExportImportPolicyPackage-master/import_export_package.py

Example:
[Expert@gw-bd57f0:0]# /opt/CPsuite-R80/fw1/Python/bin/python2.7 /home/admin/APIpython/ExportImportPolicyPackage-master/import_export_package.py
 
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
 
 
Please enter a Policy Package name to export:
Standard
 
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
 
 
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
2
Exporting of Threat-Prevention layers enabled
 
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = True
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
 
 
Please enter your username:
admin
 
Please enter your password:  *******
 
Exporting Access Control layers
Exporting Access Layer [Network]
Retrieved 50 out of 87 rules (57%)
Retrieved 87 out of 87 rules (100%)
Processing rules and sections
Exporting access-roles from layer [Network]
Exporting services-udp from layer [Network]
Exporting groups from layer [Network]
Exporting hosts from group [Static.IPs]
Exporting hosts from group [Static.Limited.Internet]
Exporting networks from group [Static.Limited.Internet]
Exporting networks from layer [Network]
Exporting simple-gateways from layer [Network]
Exporting services-tcp from layer [Network]
Exporting hosts from layer [Network]
Exporting access rules from layer [Network]
Exporting access sections from layer [Network]
Exporting placeholders for unexportable objects from layer [Network]
Exporting layer settings of layer [Network]
Done exporting layer 'Network'.
Exporting Access Layer [Application]
Retrieved 17 out of 17 rules (100%)
Processing rules and sections
Exporting access-roles from layer [Application]
Exporting services-udp from layer [Application]
Exporting networks from layer [Application]
Exporting application-site-groups from layer [Application]
Exporting applications-sites from group [FaceBook_Group]
Exporting services-tcp from layer [Application]
Exporting hosts from layer [Application]
Exporting applications-sites from layer [Application]
Exporting application-site-categories from layer [Application]
Exporting access rules from layer [Application]
Exporting access sections from layer [Application]
Exporting placeholders for unexportable objects from layer [Application]
Exporting layer settings of layer [Application]
Done exporting layer 'Application'.
Exporting NAT policy
Getting information from show-nat-rulebase
Retrieved 50 out of 94 rules (53%)
Retrieved 94 out of 94 rules (100%)
Processing rules and sections
Exporting hosts
Exporting networks
Exporting NAT rules
Exporting placeholders for unexportable objects from NAT rulebase
Done exporting NAT rulebase.
Exporting Threat-Prevention layers
Exporting Threat Layer [IPS]
Retrieved 1 out of 1 rules (100%)
Processing rules and exceptions
Exporting Exception-Rulebase from Threat-Rule #1 in Threat-Layer[IPS]
Retrieved 10 out of 10 rules (100%)
Processing exceptions
Exporting hosts from layer [IPS]
Exporting groups from layer [IPS]
Exporting networks from group [VPNDomain]
Exporting networks from layer [IPS]
Exporting simple-gateways from layer [IPS]
Exporting threat exceptions from layer [IPS]
Exporting placeholders for unexportable objects from layer [IPS]
Exporting layer settings of layer [IPS]
Done exporting layer 'IPS'.
Exporting simple-gateways from layer [IPS]
Exporting threat-profiles from layer [IPS]
Exporting threat rules from layer [IPS]
Exporting Exception-Groups used in layer [IPS]
Exporting placeholders for unexportable objects from layer [IPS]
Exporting layer settings of layer [IPS]
Done exporting layer 'IPS'.
Exporting Threat Layer [Standard Threat Prevention]
Retrieved 1 out of 1 rules (100%)
Processing rules and exceptions
Exporting Exception-Rulebase from Threat-Rule #1 in Threat-Layer[Standard Threat Prevention
Retrieved 3 out of 3 rules (100%)
Processing exceptions
Exporting hosts from layer [Standard Threat Prevention]
Exporting networks from layer [Standard Threat Prevention]
Exporting threat exceptions from layer [Standard Threat Prevention]
Exporting placeholders for unexportable objects from layer [Standard Threat Prevention]
Exporting layer settings of layer [Standard Threat Prevention]
Done exporting layer 'Standard Threat Prevention'.
Exporting threat-profiles from layer [Standard Threat Prevention]
Exporting threat rules from layer [Standard Threat Prevention]
Exporting Exception-Groups used in layer [Standard Threat Prevention]
Exporting placeholders for unexportable objects from layer [Standard Threat Prevention]
Exporting layer settings of layer [Standard Threat Prevention]
Done exporting layer 'Standard Threat Prevention'.
 
 
Created Filename:
exported__package__Standard__2018_07_23_13_41.tar.gz 
 
To import, copy the file to the new server, follow the same menu-based process, and choose option #1.
 
Pablo Suarez | Senior Security Analyst | The Teneo Group
Employee

Re: policy migration from standalone to distributed

Tried this with a system that has VPNs configured. Seems the Python script doesn't like Interoperable Devices and VPN communities, as it failed to import:

Adding vpn-communities-star
Failed to import vpn-community-star with name [Corp_Carrollton_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value
Failed to import vpn-community-star with name [Corp_COLO_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value
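A pre-import check for the shared-secret failure described in the reply above, written here as an added example (not the thread's script or Check Point's tool). It assumes each exported community is a dict shaped like the Management API's vpn-community-star object ("name", "use-shared-secret", "shared-secrets"), that masked secrets appear as empty or starred values, and the sample export is constructed.

```python
import copy
import json

# Added example: flag vpn-community objects in an exported policy package whose
# shared secrets were not exported in usable form, which is what produces the
# "Invalid parameter for [shared-secrets]" error on import. Object shape and
# placeholder values are assumptions, not taken from the tool's documentation.
MASKED_SECRETS = {"", None, "*****", "******", "[REDACTED]"}

# Constructed sample of the relevant slice of an export (not from the post).
SAMPLE_EXPORT = json.loads("""[
  {"name": "Branch_A_VPN", "use-shared-secret": true,
   "shared-secrets": [
     {"external-gateway": "Partner_Interop_GW", "shared-secret": "******"},
     {"external-gateway": "Branch_A_Interop_GW", "shared-secret": ""}]},
  {"name": "Cert_Only_VPN", "use-shared-secret": false, "shared-secrets": []},
  {"name": "Mesh_Partner", "use-shared-secret": true,
   "shared-secrets": [
     {"external-gateway": "Partner_GW", "shared-secret": "still-present"}]}
]""")


def find_unimportable_secrets(communities):
    """Map community name -> external gateways whose secret is masked/missing."""
    problems = {}
    for community in communities:
        if not community.get("use-shared-secret"):
            continue  # certificate-based community: nothing to re-enter
        masked = [entry.get("external-gateway", "<unnamed>")
                  for entry in community.get("shared-secrets", [])
                  if entry.get("shared-secret") in MASKED_SECRETS]
        if masked:
            problems[community["name"]] = masked
    return problems


def strip_masked_secrets(communities):
    """Deep copy with masked entries removed so the import can proceed; the
    operator re-enters those secrets afterwards from a vault, not the export."""
    cleaned = copy.deepcopy(communities)
    for community in cleaned:
        community["shared-secrets"] = [
            entry for entry in community.get("shared-secrets", [])
            if entry.get("shared-secret") not in MASKED_SECRETS]
    return cleaned


if __name__ == "__main__":
    for name, gws in sorted(find_unimportable_secrets(SAMPLE_EXPORT).items()):
        print("%s: re-enter the shared secret for %s" % (name, ", ".join(gws)))
    print(json.dumps(strip_masked_secrets(SAMPLE_EXPORT), indent=2))
```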
Admin

Re: policy migration from standalone to distributed

To describe what I said a little more verbosely:

  1. Run a migrate export on your existing standalone gateway. This will create a copy of your management configuration.
  2. Install your new management (only) server and use migrate import to import the configuration to your new management server.
  3. Do a fresh install of your existing standalone system as Security Gateway only, which will include creating a new gateway object, establishing SIC, etc.

Refer to the Installation and Upgrade Guide R80.10 for more details.