VikingsFan
Collaborator

Migrate Two Clusters to One Question

Looking to see if I'm thinking about this properly but we're collapsing two HA clusters into a single HA cluster with a new management.  The two existing clusters have been upgraded from R77 (or older) over the years and are now running R81.20.  Also going from Open Servers to Check Point appliances.

We're trying to keep the new cluster as clean as possible without bringing over a lot of the garbage from the old ones so I setup the new HA cluster and management server and now am trying to get just the objects imported into the cluster and then we're going to build out the rules by hand, etc.

I'm trying to use this script and following what Danny did at the end and for the most part it seems to be working but none of my service or network groups have members so trying to figure that out.  https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d...

Besides any advice on the group membership issue, any gotchas I should be looking for when migrating to a new management/cluster?  IPS rules is another place I'll want to review and found this script and am going to run it to compare the defaults to what we're using in production: https://support.checkpoint.com/results/sk/sk178646

We have over 3,000 additional objects so trying to limit the heavy lifting of object creation but still keeping the new policy clean by building out the rules manually.  Is there a checklist or things to check that Check Point has which would assist in determining all the areas I need to review?  ACL Policy, NAT, IPS, HTTPS Inspection, LDAP Object, Global Properties, Identity Awareness, etc.

Thank you!

0 Kudos
6 Replies
Lesley
Advisor

I would start maybe to open object explorer and filter out all unused objects (there is an option for this).

Maybe most of them are not in use and can be cleaned. That would give you a clearer new setup. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
VikingsFan
Collaborator

Thanks, good idea.  Looks like we have a little over 200 unused.  Things like IPS settings, etc are what I'm trying to avoid bringing over old data.  We had an instance where we were troubleshooting an issue with an IPS event and the default/recommended configuration in R81 was different than the setting we were using which was probably the default back in R77 or earlier.  So trying to use the latest best practice/defaults while still maintaining a working config on the new cluster.

0 Kudos
Lesley
Advisor

For IPS I would also start clean. Don't copy and export the current IPS policies. You could even consider not taking the exceptions (or at least re-evaluating them). 

You can copy the optimized profile and start from there. Maybe run the first day in detect mode to see what happens on the new cluster. 

If you really want to do a full export/import, there are ways to 'reset' the IPS profile. 

1. In the IPS Protections page, go to Actions and select Profile Cleanup. The Profile Cleanup window opens.

2. In the Action area, select Remove all user modified, Clear all staging, or both.

3. In the Select Profiles area, select the profiles on which to operate these actions.

4. Click OK.

5. Install the Threat Prevention Policy.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
VikingsFan
Collaborator

So digging into the logs, it looks like my issue is that any of the CSV files that have group members (services, network, etc.) have an error that says "Object XXXXXXX does NOT support SET [UPDATE]".  The export function extracted the information successfully, so I have to think there's a way to import the group members?  My group member file has over 3,000 rows, so not something I want to do by hand.

The initial command I was using was from Danny's example: ./cli_api_import_objects_from_csv.sh -v -r --NOWAIT --RESULTS -i "/var/log/__customer/devops.my_data/2024-06-17-1435EDT.export_objects_to_csv/csv"

0 Kudos
VikingsFan
Collaborator

Update on this.  Poked around the forums more and came across running mgmt_cli set group --batch CSVFILE and that seems to be working.  Not sure if I missed that as part of Eric's instructions or why his script wouldn't just run that as part of the other commands?  I'm not a scripter or user of APIs much so still figuring everything out.

0 Kudos
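One way to turn a long-form membership export (one "group,member" row per membership) into the wide CSV that mgmt_cli set group --batch consumes, as an added example that is not the script from the thread. The input layout, the members.N column naming and the handling of empty trailing cells are assumptions; check them against the mgmt_cli batch documentation for your version before running it against a management server.

```python
"""Build a mgmt_cli batch CSV for 'set group' from a long-form membership export
(added example, not the thread's script; column naming is an assumption)."""
import csv
import io
from collections import OrderedDict

# Constructed sample input: one row per group membership. This is the layout
# assumed for the export, not the exact file produced in the thread.
EXPORTED_MEMBERS = """group,member
Web_Servers,web01
Web_Servers,web02
Web_Servers,web03
DNS_Servers,dns01
"""


def long_to_batch_rows(long_csv_text):
    """Collect members per group, preserving first-seen group order."""
    groups = OrderedDict()
    for row in csv.DictReader(io.StringIO(long_csv_text)):
        groups.setdefault(row["group"].strip(), []).append(row["member"].strip())
    return groups


def build_batch_csv(groups):
    """Render the wide CSV mgmt_cli --batch expects: a header row naming API
    parameters, then one row per object. Assumption: list parameters are addressed
    as members.1, members.2, ... and a row with fewer members leaves its trailing
    cells empty. Note that 'members.N' replaces the whole membership, which is the
    intended behaviour when the groups were just created empty on the new management."""
    width = max(len(m) for m in groups.values())
    header = ["name"] + ["members.%d" % i for i in range(1, width + 1)]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for name, members in groups.items():
        writer.writerow([name] + members + [""] * (width - len(members)))
    return out.getvalue()


if __name__ == "__main__":
    # Write the result to a file, then on the management server run (assumption):
    #   mgmt_cli set group --batch groups_batch.csv -r true
    print(build_batch_csv(long_to_batch_rows(EXPORTED_MEMBERS)), end="")
```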
the_rock
Legend

I agree with @Lesley, Object Explorer would be a really good place to start.

Andy
