Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion
Champion

R80.10 - VPN traditional mode to simplified mode

Jump to solution

We have the following problem. We have a SMS with version R80.10. Now, we have add a new 1490 SMB Appliance Cluster to the policy. If we install the SMB cluster policy, we become the following error: "VPN configuration in traditional mode is not supported on Check PointSmall Office Appliances."

 

 

Under R77.30 I can use the wizard to convert the traditional mode policy to simplified mode policy.

With R80.10 I can no longer found this wizard.

 

Now my question:

 

Is it possible to convert the traditional mode VPN policy to simplified mode?

 

What do I have to do under R80.10.

 

Regards

Heiko

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

I know new Traditional Mode VPNs cannot be created in R80.x.

I presume we did not port the relevant wizard to R80.x since Simplified Mode VPNs have been the default since R5x.

My guess: you'll have to do it manually.

View solution in original post

22 Replies
PhoneBoy
Admin
Admin

I know new Traditional Mode VPNs cannot be created in R80.x.

I presume we did not port the relevant wizard to R80.x since Simplified Mode VPNs have been the default since R5x.

My guess: you'll have to do it manually.

View solution in original post

HeikoAnkenbrand
Champion
Champion

Hi Dameon,

THX for the fast answer.

The problem with historical Traditional Mode VPN features.
(migration path over the years R5x > R6x> R7x >R80.10)
Small suggestion for improvement:
Maybe you should get a warning when executing "migrate export" or "pre upgrade verifier" here.
Regards
PhoneBoy
Admin
Admin

I'm surprised you don't get such a warning (especially if we don't include the conversion wizard).

Tomer Sole‌, think we might be able to suggest this get added?

_Val_
Admin
Admin

Second that. 

0 Kudos
Reply
Mia_Stephanson
Explorer

when you run the upgrader verification service you get a warning.

Thank you for using the Check Point R80.10 upgrade verification service.
The upgrade verification service has simulated your upgrade to R80.10

Firewall policies with Traditional VPN mode

Description:

Traditional mode refers to legacy VPN policy, which was replaced by Simplified VPN (first introduced at 2002 in version NG FP3). Please change the below policies by using one of the methods:
1. Convert your Firewall policies: In SmartConsole, go to Policy > Convert To > Simplified VPN, and follow the wizard instructions.
2. In your Firewall policy, delete rules that contain the actions Encrypt or Client Encrypt.
If you have a specific case in which you have to use Traditional VPN mode, please contact Check Point support.
These are the Traditional VPN policies or rules that must be converted or deleted:

PhoneBoy
Admin
Admin

Wonder if it shows when you run pre_upgrade_verifier on the CLI or if that shows only on the online one.

0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion

Thanks Mia for your answer.

This is SMS R80.10.  Unfortunately this is no longer available.

This works for older versions R77.30 and lower:-) 

Regards

Heiko

Myo_Min_Zaw
Contributor

Hi,

What will happen to VPN configuration after convert to simplified VPN rules?

Need to create for IPsec VPN communities manually after conversion? 

Based-on my conversion, need to setup for VPN communities configuration after conversion.

Thanks.

0 Kudos
Reply
James_Hawkins
Participant

We have the same issue.

😞

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion

A few weeks back I was trying to add an Inline Layer for APCL/URLF o a policy and it would not let me due to the fact it was a Traditional Mode VPN policy.

Thing was there was No VPN at all, IPSEC was turned off on the gateway, but still it was nagging about it.

In this case there was nothing to convert but just copy to a new policy and all done, but still...

Regards, Maarten
0 Kudos
Reply
Ilya_Yusupov
Employee
Employee

can you please share the builds you are using of R80.10?

0 Kudos
Reply
net-harry
Contributor

Hi,

We also have a few security gateways that are using a Traditional Mode VPN Policy.

They do not have any VPN configuration and we would like to convert them to simplified mode to be able to create Inline Layer for APCL/URLF.

I just noticed sk171035 where it seems we could disable the Traditional Mode with the following command:

Disable Traditional VPN mode
# mgmt_cli -r true -d DOMAIN_NAME set package name "POLICY_PACKAGE_NAME" vpn-traditional-mode false --format json


Could anyone confirm if this would change the policy to be a "fully" Simplified VPN Policy?

Please note that the article title is "How to convert a Simplified VPN Policy to a Traditional VPN Policy in R80.X", but I think the title should be "How to convert a Traditional VPN Policy to a Simplified VPN Policy in R80.X"

We are running version R80.20, take 183.

Thanks for your help!

Best regards,

Harry

PhoneBoy
Admin
Admin

That SK was created…yesterday.
The way I read it is that command merely flips the bit in the policy layer so that it will be marked as a simplified VPN mode instead of traditional VPN mode.
It won’t actually convert any traditional VPN rules to simplified VPN rules, but if you don’t have any VPN rules in that layer…it should do the trick.

0 Kudos
Reply
net-harry
Contributor

Thanks @PhoneBoy, this is how I also understood the article. Do you know why this information was not released earlier, since this looks like a simple fix? We were considering manually recreating the whole policy, but hesitated since it would require a lot of effort. @Maarten_Sjouw mentioned that he copied to a new policy to solve it, but at least when I try to clone the policy it still shows up as VPN Traditional mode.

0 Kudos
Reply
_Val_
Admin
Admin

No, it is not a simple fix. Traditional has phase 2 parameters defined per rule, and dropping this info is something that can backfire. 
The technique in the mentioned SK has had to be verified and proven to be safe, before publishing.

0 Kudos
Reply
net-harry
Contributor

Thank you @_Val_. I fully understand that the fix would be difficult if VPN is used, but in our case we do not have VPN configured on those gateways.

Could you confirm if changing the package parameter (vpn-traditional-mode to false) on the policy would be the same as creating a new policy in simplified mode?

Thanks for your help!

0 Kudos
Reply
_Val_
Admin
Admin

Then you are good to go. Technically, it is not the "same", but it will work for you.

0 Kudos
Reply
net-harry
Contributor

Thanks for the information @_Val_. Would you be able to explain in which way it would be technically different? I would like to avoid facing an issue in the future due to using this method to change to simplified mode instead of creating a new policy as simplified mode.

Also, please note that the article title still says "How to convert a Simplified VPN Policy to a Traditional VPN Policy in R80.X", but I think it should be "How to convert a Traditional VPN Policy to a Simplified VPN Policy in R80.X" 

0 Kudos
Reply
_Val_
Admin
Admin

Without VPN rules defined, it is practically the same. Otherwise, there are quite a few places where local definitions should be flipped/ignored/overwritten. 

As already mentioned above, if you did not have any VPN, and just the policy was marked "Traditional", there is no risk, AFAIK

0 Kudos
Reply
_Val_
Admin
Admin

On the second issue, yes, the title is incorrect, we are fixing that. Thanks for noticing.

0 Kudos
Reply
Tomer_Noy
Employee
Employee

On new Management installations, all policies are created with the Simplified VPN mode. There is a setting in Global Properties that enables a choice when creating new policies.

Older environments that were upgraded, can still have policies with the traditional mode.

Unfortunately, switching between modes is not simple and requires various subsequent changes. The VPN mode is set when creating the policy and changing the checkbox is disabled in the UI. It is not recommended to change the VPN mode on a policy that actually uses VPN communities. 

The SK describes a way to bypass the limitation and modify the field using API. This should only be used on a policy that didn't actually use VPN and by mistake was created using traditional mode. We will make sure that disclaimers and clarifications are added to the SK.

The correct way to switch between a policy using traditional mode and simplified mode is to create a new policy with the correct mode.

net-harry
Contributor

Thanks @_Val_ and @Tomer_Noy for the information and your help with this!

One of our security gateways has more then 2000 rules, so creating a new policy will be quite cumbersome and we want to avoid that.

This firewall cluster does not have the VPN blade enabled, so I assume I could safely use this method.

Thanks again for your help!

Best regards,

Harry

0 Kudos
Reply