Copper

Can anyone tell me the correct method to copy over VPN rules from one policy to another policy?

So we just finished our data migration process yesterday night, and there are some VPN rules that have not been copied over to the new policy (it's a different firewall from the one in the old policy). I'm wondering how to go about copying them over, since the VPN communities are set up for the old firewall for this particular VPN rule set that I'm trying to copy over. Now, do I just delete the VPN communities on the old one and add them to the new one? Since all the IPs are still the same even after the change, changing IPs shouldn't be a thing. Also, the NAT rules for those VPNs should also be copied over, right?

Thanks and Regards.

0 Kudos
3 Replies
Admin

What was the precise process you followed here?
Because if you used the standard migration tools (e.g. migrate export, migrate_server), everything should have transferred over.
If you did it via some other mechanism, then you'll probably have to recreate the rules and configuration if it didn't transfer over automatically.
0 Kudos
Copper

So that's something that my colleague did, so I'm not exactly sure what method he used (I think he just cloned the policy). Either way, there are some rules missing. Can you share a guide that explains the export process for a policy? Or basically creating an exact copy of a policy and installing it on another gateway?
0 Kudos
Admin

You can't clone a policy to a different management station unless you use a tool like the following: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...
However, this script has some limitations and some parts of the configuration will have to be migrated manually.
You could also "write your own" program (using the API) to do this.

Again, without knowing precisely how the migration occurred, it's difficult to provide specific advice.
In general, anything around gateway objects (which includes some aspects of VPN configuration) cannot be exported/imported via the API using supported calls.
Most likely that configuration would have to be recreated manually.
That could also impact NAT rules depending on exactly how they were created (automatic ones can be tied to a gateway and should be double-checked; manual NAT rules should migrate).
0 Kudos