Thomas_Eichelbu
Advisor

Based on the question, Migrating Traditional Mode to Simplified Mode VPN policy ...

Hello CheckMates, 

based on the question, Migrating Traditional Mode to Simplified Mode VPN policy ... which was raised a few times here on CheckMates but never fully answered ...
What would you really do when you have to convert a grown Traditional Mode policy to a Simplified Mode policy?
What options do you really have?

Since the conversion wizard is no longer present.
Since you cannot copy and paste policy elements.

What would you do?
Recreating everything from scratch manually?
Trying to find an old R77.30 backup or migrate export and try to run the conversion wizard on the old environment?
Would you export policy lines with fancy API scripts?
I never tried migrate export -> migrate import from NEW to OLD versions??? Will this work?

Maybe you can be more precise on the steps which are required to achieve this.

best regards
Thomas.

5 Replies
PhoneBoy
Admin

If you're already on R80.x, your only option is to recreate the VPN manually.
You can't migrate export/import to an earlier version.
Some of the VPN stuff doesn't have supported APIs so even trying to take an old R77.30 backup and running the conversion script there means a bunch of manual work.
Martin_Hofbauer
Contributor

I think there is not a full understanding at Check Point of the challenge we are facing in this context.
It seems that Check Point has failed to migrate/convert (automatically) or block this situation during the upgrade from R77.xx to R80.xx (if a Traditional Policy is still there)!

It is not only that we need to convert VPN stuff (rules and properties) from Trad. VPN Policy to Simpl. VPN Policy.

Example: I have one customer with a rulebase of about 4000 rules - they never used VPN on this FW. This policy has existed since before 2002 (since Simpl. VPN Policy was introduced). They never had an idea of a difference between Simpl. and Trad. VPN.
Now after about 1.5 years with R80 (now on R80.20) we came to this situation:

He introduced a sub-layer - and wanted to move a lot of these 4000 rules to the sub-layer. But during "copy & paste" he got this strange error: [screenshot of the error attached]

Now we recognised that the original policy is still in Trad. VPN mode, but never noticed this anywhere (btw: the "VPN" column is hidden by default in a Simpl. VPN policy, too).

(This error says exactly the opposite, but is definitely wrong, I tested the other way too - try it!!)

The situation is now as follows:

Main Policy is Trad. VPN and Sub-layer in Simpl. VPN Mode!!

So, again - I ask as well: what to do next? - You can try to migrate now this rulebase with 4000 rules with the complex, slow and never working (all my tries with other policies from other customers failed) Python toolkit?

maybe ...
Any other ideas?

Thanks, Martin

PhoneBoy
Admin

You are correct that we do not block this on upgrade because, officially, you can still run in Traditional Mode.
The pre-upgrade verifier should warn on this when you upgrade from R77.x to R80.x.

Specifically, what we've blocked is creating new policies in Traditional Mode.
Existing policies can be modified and used as before.

There are a few things Traditional Mode allowed that aren't as easy to do in Simplified Mode, which probably motivated a handful of customers to not make the change:

  1. Allow multiple encryption algorithms per community. The workaround for this limitation is splitting up VPN communities.
  2. Exclude some traffic from VPN.
  3. Allow for a different encryption domain per community (something we addressed in R80.40).

In light of the above, even the existing conversion wizard we had in R77.x and earlier didn't always produce a satisfying result.
The original intention, as I understand it, was to address the above limitations and then develop a new conversion wizard that would address these points and have less limitations.
Whether this is still the plan or not, I can't say for sure.

PhoneBoy
Admin

Assuming the above situation is still relevant: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This allows you to disable traditional mode VPN in a given policy package assuming no VPN rules exist there.

Thomas_Eichelbu
Advisor

Hello, 

This task with converting the policy to simplified mode came back to me ...

I will try this link ... but since all VPN communities have to be rebuilt by hand ... this is more troublesome than rebuilding the normal policy piece by piece ...
But what else can I do in this manner ... so I will give it a try!

best regards
