HeikoAnkenbrand
Champion

R80.10 - VPN traditional mode to simplified mode

We have the following problem. We have an SMS with version R80.10. Now we have added a new 1490 SMB Appliance Cluster to the policy. If we install the SMB cluster policy, we get the following error: "VPN configuration in traditional mode is not supported on Check Point Small Office Appliances."

Under R77.30 I can use the wizard to convert the traditional mode policy to simplified mode policy.

With R80.10 I can no longer find this wizard.

Now my question:

Is it possible to convert the traditional mode VPN policy to simplified mode?

What do I have to do under R80.10?

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

22 Replies
PhoneBoy
Admin

I know new Traditional Mode VPNs cannot be created in R80.x.

I presume we did not port the relevant wizard to R80.x since Simplified Mode VPNs have been the default since R5x.

My guess: you'll have to do it manually.

HeikoAnkenbrand
Champion

Hi Dameon,

THX for the fast answer.

The problem is with historical Traditional Mode VPN features (migration path over the years R5x > R6x > R7x > R80.10).
Small suggestion for improvement:
Maybe you should get a warning when executing "migrate export" or "pre upgrade verifier" here.
Regards
PhoneBoy
Admin

I'm surprised you don't get such a warning (especially if we don't include the conversion wizard).

Tomer Sole, think we might be able to suggest this get added?

_Val_
Admin

Second that. 

Mia_Stephanson
Explorer

When you run the upgrade verification service you get a warning.

Thank you for using the Check Point R80.10 upgrade verification service.
The upgrade verification service has simulated your upgrade to R80.10

Firewall policies with Traditional VPN mode

Description:

Traditional mode refers to legacy VPN policy, which was replaced by Simplified VPN (first introduced at 2002 in version NG FP3). Please change the below policies by using one of the methods:
1. Convert your Firewall policies: In SmartConsole, go to Policy > Convert To > Simplified VPN, and follow the wizard instructions.
2. In your Firewall policy, delete rules that contain the actions Encrypt or Client Encrypt.
If you have a specific case in which you have to use Traditional VPN mode, please contact Check Point support.
These are the Traditional VPN policies or rules that must be converted or deleted:

PhoneBoy
Admin

Wonder if it shows when you run pre_upgrade_verifier on the CLI or if that shows only on the online one.

HeikoAnkenbrand
Champion

Thanks Mia for your answer.

This is SMS R80.10. Unfortunately this is no longer available.

This works for older versions, R77.30 and lower :-)

Regards

Heiko

Myo_Min_Zaw
Contributor

Hi,

What will happen to VPN configuration after convert to simplified VPN rules?

Do I need to create the IPsec VPN communities manually after conversion?

Based on my conversion, I needed to set up the VPN communities configuration after conversion.

Thanks.

James_Hawkins
Participant

We have the same issue.

😞

Maarten_Sjouw
Champion

A few weeks back I was trying to add an Inline Layer for APCL/URLF to a policy and it would not let me due to the fact it was a Traditional Mode VPN policy.

Thing was, there was no VPN at all; IPsec was turned off on the gateway, but it was still nagging about it.

In this case there was nothing to convert but just copy to a new policy and all done, but still...

Regards, Maarten
Ilya_Yusupov
Employee

Can you please share the builds of R80.10 you are using?

net-harry
Collaborator

Hi,

We also have a few security gateways that are using a Traditional Mode VPN Policy.

They do not have any VPN configuration and we would like to convert them to simplified mode to be able to create Inline Layer for APCL/URLF.

I just noticed sk171035 where it seems we could disable the Traditional Mode with the following command:

Disable Traditional VPN mode
# mgmt_cli -r true -d DOMAIN_NAME set package name "POLICY_PACKAGE_NAME" vpn-traditional-mode false --format json

Could anyone confirm if this would change the policy to be a "fully" Simplified VPN Policy?

Please note that the article title is "How to convert a Simplified VPN Policy to a Traditional VPN Policy in R80.X", but I think the title should be "How to convert a Traditional VPN Policy to a Simplified VPN Policy in R80.X"

We are running version R80.20, take 183.

Thanks for your help!

Best regards,

Harry

PhoneBoy
Admin

That SK was created…yesterday.
The way I read it is that command merely flips the bit in the policy layer so that it will be marked as a simplified VPN mode instead of traditional VPN mode.
It won’t actually convert any traditional VPN rules to simplified VPN rules, but if you don’t have any VPN rules in that layer…it should do the trick.

net-harry
Collaborator

Thanks @PhoneBoy, this is how I also understood the article. Do you know why this information was not released earlier, since this looks like a simple fix? We were considering manually recreating the whole policy, but hesitated since it would require a lot of effort. @Maarten_Sjouw mentioned that he copied to a new policy to solve it, but at least when I try to clone the policy it still shows up as VPN Traditional mode.

_Val_
Admin

No, it is not a simple fix. Traditional has phase 2 parameters defined per rule, and dropping this info is something that can backfire.
The technique in the mentioned SK has had to be verified and proven to be safe, before publishing.

net-harry
Collaborator

Thank you @_Val_. I fully understand that the fix would be difficult if VPN is used, but in our case we do not have VPN configured on those gateways.

Could you confirm if changing the package parameter (vpn-traditional-mode to false) on the policy would be the same as creating a new policy in simplified mode?

Thanks for your help!

_Val_
Admin

Then you are good to go. Technically, it is not the "same", but it will work for you.

net-harry
Collaborator

Thanks for the information @_Val_. Would you be able to explain in which way it would be technically different? I would like to avoid facing an issue in the future due to using this method to change to simplified mode instead of creating a new policy as simplified mode.

Also, please note that the article title still says "How to convert a Simplified VPN Policy to a Traditional VPN Policy in R80.X", but I think it should be "How to convert a Traditional VPN Policy to a Simplified VPN Policy in R80.X" 

_Val_
Admin

Without VPN rules defined, it is practically the same. Otherwise, there are quite a few places where local definitions should be flipped/ignored/overwritten.

As already mentioned above, if you did not have any VPN, and just the policy was marked "Traditional", there is no risk, AFAIK

_Val_
Admin

On the second issue, yes, the title is incorrect, we are fixing that. Thanks for noticing.

Tomer_Noy
Employee

On new Management installations, all policies are created with the Simplified VPN mode. There is a setting in Global Properties that enables a choice when creating new policies.

Older environments that were upgraded, can still have policies with the traditional mode.

Unfortunately, switching between modes is not simple and requires various subsequent changes. The VPN mode is set when creating the policy and changing the checkbox is disabled in the UI. It is not recommended to change the VPN mode on a policy that actually uses VPN communities.

The SK describes a way to bypass the limitation and modify the field using API. This should only be used on a policy that didn't actually use VPN and by mistake was created using traditional mode. We will make sure that disclaimers and clarifications are added to the SK.

The correct way to switch between a policy using traditional mode and simplified mode is to create a new policy with the correct mode.
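
The sk171035 command quoted by net-harry and the condition Tomer_Noy attaches to it (only for a policy that never actually used VPN) can be combined into a small pre-flight script; this is an added example, not code from the thread or from Check Point, and it assumes the JSON field names of the R80.x Management API (`vpn-traditional-mode` in `show package`, the `vpn` blade flag in `show simple-gateway`) and the `-r true -d DOMAIN_NAME` form used in the SK.

```shell
#!/bin/sh
# Pre-flight wrapper around the sk171035 command from the thread.
# Assumption: field names follow the R80.x Management API JSON output of
# 'show package' ("vpn-traditional-mode") and 'show simple-gateway' ("vpn").
# The bit is only flipped when the package is still traditional AND every
# named gateway has the VPN blade off, the case the thread calls safe.

# json_bool KEY JSON: print true/false for boolean KEY in pretty-printed
# mgmt_cli JSON (spaces around ':' tolerated); print nothing if KEY is absent.
json_bool() {
    printf '%s' "$2" \
        | grep -Eo "\"$1\"[[:space:]]*:[[:space:]]*(true|false)" \
        | head -n 1 | sed 's/.*://; s/[[:space:]]//g'
}

package_is_traditional() { [ "$(json_bool vpn-traditional-mode "$1")" = "true" ]; }
gateway_vpn_disabled()   { [ "$(json_bool vpn "$1")" = "false" ]; }

# flip_package DOMAIN PACKAGE GATEWAY...: live run on the management server.
# Refuses (exit 1, reason on stdout) unless every check passes.
flip_package() {
    domain=$1; pkg=$2; shift 2
    [ $# -gt 0 ] || { echo "name every gateway that installs $pkg"; return 1; }
    pkg_json=$(mgmt_cli -r true -d "$domain" show package name "$pkg" --format json) || return 1
    package_is_traditional "$pkg_json" || { echo "$pkg is not traditional; nothing to do"; return 1; }
    for gw in "$@"; do
        gw_json=$(mgmt_cli -r true -d "$domain" show simple-gateway name "$gw" --format json) || return 1
        gateway_vpn_disabled "$gw_json" || { echo "$gw runs the VPN blade; per-rule phase 2 settings would be lost, refusing"; return 1; }
    done
    # The command from sk171035 exactly as quoted in the thread; reached only when all checks pass.
    mgmt_cli -r true -d "$domain" set package name "$pkg" vpn-traditional-mode false --format json
}

# Constructed sample JSON (not captured from a real server) so the checks can be
# exercised offline; flip_package itself needs mgmt_cli on the management server.
SAMPLE_PKG='{ "name" : "Standard", "type" : "package", "vpn-traditional-mode" : true }'
SAMPLE_GW_NOVPN='{ "name" : "gw-branch", "firewall" : true, "vpn" : false, "vpn-settings" : { } }'
SAMPLE_GW_VPN='{ "name" : "gw-hq", "firewall" : true, "vpn" : true }'

package_is_traditional "$SAMPLE_PKG" && echo "Standard: traditional mode, candidate for the flip"
gateway_vpn_disabled "$SAMPLE_GW_NOVPN" && echo "gw-branch: VPN blade off, safe to proceed"
gateway_vpn_disabled "$SAMPLE_GW_VPN" || echo "gw-hq: VPN blade on, flip_package would refuse"
```

On the management server the live run is `flip_package DOMAIN_NAME "POLICY_PACKAGE_NAME" gw1 gw2 ...`; the sample lines at the bottom only exercise the checks on the constructed JSON.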

net-harry
Collaborator

Thanks @_Val_ and @Tomer_Noy for the information and your help with this!

One of our security gateways has more than 2000 rules, so creating a new policy will be quite cumbersome and we want to avoid that.

This firewall cluster does not have the VPN blade enabled, so I assume I could safely use this method.

Thanks again for your help!

Best regards,

Harry
