Hi,
we have migrated from a Check Point 77.30 server firewall to a 5000 appliance with R80.10. We want to use the new Unified Policy. After we activated the new layer in the Access Control Policy and installed the policy on the blades, we get the error message: "Layer "Network": Rule XX has "Legacy User Access" in the Source Column which can be configured on layer with Firewall only". We have 14 rules with this error.
What can we do to activate the Unified Policy?
Try using an Access Role in this rule.
If you are able to replace your Legacy User Access objects with Access Role objects, then the unified policy will work for you.
Unified policies cannot be used with certain legacy features.
Based on what you're describing, you are likely using rules with an action of User Auth or Client Auth.
The only way to use unified policies is to stop using these legacy features and use their more modern equivalents instead (e.g. Access Roles).
More info here: Install policy on R80.10 Security Gateway fails with verification error messages
Legacy User is also being used for rules that control access of Secure Client Connections
I figured there were other instances that I forgot about
That's why I linked to the SK which covers most of them.
Hi Guys,
Thanks for your replies. We use the Legacy User for Secure Client connections like Endpoint VPN. Is there a way to migrate from Legacy User Access to the modern equivalents?
Thanks
If you're using Client Encrypt rules (i.e. where the action is Client Encrypt), you should be using VPN Communities instead, which were introduced more than 15 years ago.
The legacy User Groups should be replaced with Access Roles.
Refer to: Remote Access VPN R80.10 (Part of Check Point Infinity)
This is one of our VPN policies:
And this is my new VPN policy:
And this is my Access Role:
The group is a Check Point internal group.
But after removing the Legacy User Group, my test user cannot use the VPN anymore. I don't get any connections.
It's been probably since Secure Client days since I configured a Remote Access VPN, so no shock I got that wrong
You don't even need an Access Role--remove that from the rule.
You define what groups are permitted in the VPN community itself.
If I use this for the groups, can I use my granularity for my VPN connections?
I have a lot of external VPN users and they should only access certain systems.
The simplest option (which I used when migrating a customer from ASA, ACS, Radius etc. to CP R80.10) is to just create a role for each 3rd party user and make a rule with:
source (e.g. Role_3rd_party_user_1) | dest (wherever he should be able to go) | svc (whatever he should be able to do) | accept | log
Easy.
You might want to make an AllUsers Role and make that the entry to a layer containing the 3rd party rules.
D
Do you have an example, like a screenshot, for this rule?
Something like that?
D