policy migration from standalone to distributed


Hi,

sk61681 and sk85900 give solutions which are quite different from each other. Has anyone used these solutions?

I need to migrate the policy from standalone to distributed. If so, please suggest the best way to do so.

Thank You

Sagar Manandhar

Accepted Solution

Admin

These SKs solve different problems:

Which approach you take will largely depend on what you want to use the current Standalone hardware for when it's all said and done.


18 Replies

You should use this: sk61681


Any specific reason?


If you only want the policy, then I think you might be able to use the cpmerge utility, but I believe you want to keep all your management server data (user DB, internal CA, ...). The SK I pointed you to will provide that.


I only need the objects and policy. We don't need to restore the server data.


Then read about the cpmerge utility: you can export the policy package and import it, along with the objects.C for the objects, from the other management server.


I am importing the configuration between a standalone machine and a management-only machine. Thanks, I will follow this SK.

Participant

What is the procedure for the R80.10 version? Both SKs say they are not applicable to R80.xx versions.

Admin

I think you should still be able to do a migrate export of the management piece, import into a new standalone management system, then do a clean install of the gateway.

You can easily test this without affecting your existing gateway (except for the cpstop required to take the migrate export).

Participant

The answer is not clear to me. Let me restate the query:

I have an R80.10 Standalone machine. I would like to migrate it to a distributed setup (separate Mgmt server and GW).

Both sk61681 and sk85900 are not applicable to R80.xx.

What do you suggest on this?

Explorer
I used the ExportImportPolicyPackage method and it worked for me.

  1. Download the files from here:
     Download and copy these files to the cp-mgmt-api blank folder you downloaded earlier.
  2. Run this command: api start
  3. Make sure the API status is running; run this command: api status
  4. Create a directory:
     • mkdir APIpython
     • scp all files to that directory
     • Run the Python script:
       /opt/CPsuite-R80/fw1/Python/bin/python2.7 /home/admin/APIpython/ExportImportPolicyPackage-master/import_export_package.py

Example:

[Expert@gw-bd57f0:0]# /opt/CPsuite-R80/fw1/Python/bin/python2.7 /home/admin/APIpython/ExportImportPolicyPackage-master/import_export_package.py
 
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
 
 
Please enter a Policy Package name to export:
Standard
 
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
 
 
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
2
Exporting of Threat-Prevention layers enabled
 
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = True
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
 
 
Please enter your username:
admin
 
Please enter your password:  *******
 
Exporting Access Control layers
Exporting Access Layer [Network]
Retrieved 50 out of 87 rules (57%)
Retrieved 87 out of 87 rules (100%)
Processing rules and sections
Exporting access-roles from layer [Network]
Exporting services-udp from layer [Network]
Exporting groups from layer [Network]
Exporting hosts from group [Static.IPs]
Exporting hosts from group [Static.Limited.Internet]
Exporting networks from group [Static.Limited.Internet]
Exporting networks from layer [Network]
Exporting simple-gateways from layer [Network]
Exporting services-tcp from layer [Network]
Exporting hosts from layer [Network]
Exporting access rules from layer [Network]
Exporting access sections from layer [Network]
Exporting placeholders for unexportable objects from layer [Network]
Exporting layer settings of layer [Network]
Done exporting layer 'Network'.
Exporting Access Layer [Application]
Retrieved 17 out of 17 rules (100%)
Processing rules and sections
Exporting access-roles from layer [Application]
Exporting services-udp from layer [Application]
Exporting networks from layer [Application]
Exporting application-site-groups from layer [Application]
Exporting applications-sites from group [FaceBook_Group]
Exporting services-tcp from layer [Application]
Exporting hosts from layer [Application]
Exporting applications-sites from layer [Application]
Exporting application-site-categories from layer [Application]
Exporting access rules from layer [Application]
Exporting access sections from layer [Application]
Exporting placeholders for unexportable objects from layer [Application]
Exporting layer settings of layer [Application]
Done exporting layer 'Application'.
Exporting NAT policy
Getting information from show-nat-rulebase
Retrieved 50 out of 94 rules (53%)
Retrieved 94 out of 94 rules (100%)
Processing rules and sections
Exporting hosts
Exporting networks
Exporting NAT rules
Exporting placeholders for unexportable objects from NAT rulebase
Done exporting NAT rulebase.
Exporting Threat-Prevention layers
Exporting Threat Layer [IPS]
Retrieved 1 out of 1 rules (100%)
Processing rules and exceptions
Exporting Exception-Rulebase from Threat-Rule #1 in Threat-Layer[IPS]
Retrieved 10 out of 10 rules (100%)
Processing exceptions
Exporting hosts from layer [IPS]
Exporting groups from layer [IPS]
Exporting networks from group [VPNDomain]
Exporting networks from layer [IPS]
Exporting simple-gateways from layer [IPS]
Exporting threat exceptions from layer [IPS]
Exporting placeholders for unexportable objects from layer [IPS]
Exporting layer settings of layer [IPS]
Done exporting layer 'IPS'.
Exporting simple-gateways from layer [IPS]
Exporting threat-profiles from layer [IPS]
Exporting threat rules from layer [IPS]
Exporting Exception-Groups used in layer [IPS]
Exporting placeholders for unexportable objects from layer [IPS]
Exporting layer settings of layer [IPS]
Done exporting layer 'IPS'.
Exporting Threat Layer [Standard Threat Prevention]
Retrieved 1 out of 1 rules (100%)
Processing rules and exceptions
Exporting Exception-Rulebase from Threat-Rule #1 in Threat-Layer[Standard Threat Prevention]
Retrieved 3 out of 3 rules (100%)
Processing exceptions
Exporting hosts from layer [Standard Threat Prevention]
Exporting networks from layer [Standard Threat Prevention]
Exporting threat exceptions from layer [Standard Threat Prevention]
Exporting placeholders for unexportable objects from layer [Standard Threat Prevention]
Exporting layer settings of layer [Standard Threat Prevention]
Done exporting layer 'Standard Threat Prevention'.
Exporting threat-profiles from layer [Standard Threat Prevention]
Exporting threat rules from layer [Standard Threat Prevention]
Exporting Exception-Groups used in layer [Standard Threat Prevention]
Exporting placeholders for unexportable objects from layer [Standard Threat Prevention]
Exporting layer settings of layer [Standard Threat Prevention]
Done exporting layer 'Standard Threat Prevention'.
 
 
Created Filename:
exported__package__Standard__2018_07_23_13_41.tar.gz 
 
To import, copy the file to the new server, run the same menu-based process and choose option #1.
 
Pablo Suarez | Senior Security Analyst | The Teneo Group
Employee

Tried this with a system that has VPNs configured. It seems the python script doesn't like Interoperable Devices and VPN communities, as it failed to import:

Adding vpn-communities-star

Failed to import vpn-community-star with name [Corp_Carrollton_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value

Failed to import vpn-community-star with name [Corp_COLO_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value
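The export transcript posted earlier and the import failures quoted above are the two things a practitioner has to reconcile after running the tool: lines of the form "Exporting placeholders for unexportable objects from ..." mark objects the export could not carry, and "Failed to import <type> with name [...]. Error: ..." marks objects the import could not recreate (pre-shared secrets, in particular, are never carried over and have to be re-entered by hand on the new management server). The script below is an added example, not part of the thread and not part of the ExportImportPolicyPackage tool: it parses a saved console log of the tool and produces a checklist of what must be fixed manually. The message shapes are taken from the lines quoted in this thread; the sample log is constructed (only the two vpn-community-star failures and the "Adding vpn-communities-star" line are the thread's own), and the SECRET_PARAMS list of parameter names is an assumption. It avoids Python 3-only syntax so it also runs under the python2.7 interpreter shipped with the gateway.

```python
"""Triage of an ExportImportPolicyPackage import/export log (added example)."""
import re
import sys
from collections import OrderedDict

# Constructed sample log. The 'Adding vpn-communities-star' line and the two
# vpn-community-star failures are the ones quoted in the thread; the other
# lines are made up here to show a placeholder warning from the export side
# and a second, non-secret failure class.
SAMPLE_LOG = """\
Exporting placeholders for unexportable objects from layer [Network]
Adding vpn-communities-star
Failed to import vpn-community-star with name [Corp_Carrollton_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value
Failed to import vpn-community-star with name [Corp_COLO_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value
Adding hosts
Failed to import host with name [web-dmz-01]. Error: More than one object named 'web-dmz-01' exists.
Publishing changes
"""

# Message shapes as they appear in the tool output quoted in the thread.
FAILED_RE = re.compile(
    r"^Failed to import (?P<type>\S+) with name \[(?P<name>[^\]]+)\]\. "
    r"Error: (?P<error>.+?)\s*$")
PARAM_RE = re.compile(r"Invalid parameter for \[(?P<param>[^\]]+)\]")
PLACEHOLDER_RE = re.compile(
    r"^Exporting placeholders for unexportable objects from (?P<scope>.+?)\s*$")

# Assumption: parameter names whose values the management API never hands
# out, so a failure on them can only be fixed by re-entering the secret.
SECRET_PARAMS = ("shared-secrets", "shared-secret", "password", "pre-shared-key")


def parse_failures(log_text):
    """Return one dict per 'Failed to import ...' line, in log order."""
    failures = []
    for raw in log_text.splitlines():
        m = FAILED_RE.match(raw.strip())
        if not m:
            continue
        pm = PARAM_RE.search(m.group("error"))
        failures.append({
            "type": m.group("type"),
            "name": m.group("name"),
            "error": m.group("error"),
            "param": pm.group("param") if pm else None,
        })
    return failures


def placeholder_scopes(log_text):
    """Layers/rulebases in which the export had to leave placeholders."""
    scopes = []
    for raw in log_text.splitlines():
        m = PLACEHOLDER_RE.match(raw.strip())
        if m:
            scopes.append(m.group("scope"))
    return scopes


def build_checklist(failures):
    """Group failed object names by (type, offending parameter or error text)."""
    checklist = OrderedDict()
    for f in failures:
        key = (f["type"], f["param"] or f["error"])
        checklist.setdefault(key, []).append(f["name"])
    return checklist


def render_checklist(checklist, scopes=()):
    """Human-readable list of what to fix by hand before trusting the policy."""
    lines = []
    for scope in scopes:
        lines.append("WARNING placeholders left in {}: review rules that "
                     "referenced them".format(scope))
    for (obj_type, reason), names in checklist.items():
        if reason in SECRET_PARAMS:
            action = "recreate by hand and re-enter the secret out of band"
        else:
            action = "resolve on the target, then re-run the import"
        lines.append("{} x{} [{}]: {}".format(obj_type, len(names), reason, action))
        lines.extend("  - " + n for n in names)
    return lines


if __name__ == "__main__":
    # Usage: python import_triage.py import.log   (no argument: the sample log)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in render_checklist(build_checklist(parse_failures(text)),
                                 placeholder_scopes(text)):
        print(line)
```

Capture the tool's console output with `script` or `tee` when you run the export and the import, then feed both logs through this. Secrets that were dropped should be re-entered in SmartConsole on the new server, not pasted into the exported JSON, since the archive is otherwise a plain-text copy of your policy that will travel over scp and sit in home directories.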

Participant

👍

Admin

To describe what I said a little more verbosely:

  1. Run a migrate export on your existing standalone gateway. This will create a copy of your management configuration.
  2. Install your new management (only) server and use migrate import to import the configuration to your new management server.
  3. Do a fresh install of your existing standalone system as Security Gateway only, which will include creating a new gateway object, establishing SIC, etc.

Refer to the Installation and Upgrade Guide R80.10 for more details.

Contributor

Are you sure that you can export a standalone configuration and import it into a management-only server just like that on R80.30?

And if that succeeds, what about the GW object after the import? We'll need to "revert" this object to management-only in order to create a new gateway; is this possible?

Or should we just use the python method?


Hello @PhoneBoy. While I appreciate the interest in doing it ourselves, I assume that support has ways to purge an "all-in-one" migrate export file of SIC and local gateway reference(s)? I send them a "migrate export <>" from the all-in-one export and they send back a file without the local gateway reference (and SIC reset)?

Because support has done numerous voodoo operations in the past, I like this method instead of jumping through endless hoops that only burn time for everyone (customer, reseller, etc.).

Thoughts?

Admin

If TAC had such a tool, it'd most likely be formally documented in an SK, even internally.
I haven't seen that. 


Hello -- I can confirm that sk154033 does work for Standalone migration to Distributed for R80.40. However, there are various clean-up aspects that are missing and we have an SR open on those topics.

In addition, the source standalone server was a CP-badged appliance running R77.30 with JHA. The R80.40-based standalone instance is temporary.

We used Hyper-V as the virtual platform and took a snapshot/checkpoint after the initial Gaia install, before the wizard, so we could clone it into the other instances we needed (permanent and temporary).

Note: Hyper-V is supported for R80.40 in production with a specific JHA/HFA take installed. See the HCL for specifics (virtual machines tab).
