This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sagar_Manandhar
Advisor
‎2017-08-15 06:15 AM
Jump to solution

policy migration from standalone to distributed

Hi,

sk61681 and sk85900 gives the solution which is quite different from each other. Does anyone has use these solution? 

I need to migrate the policy from standalone to distributed. If so please suggest me the best way to do so.

Thank You

Sagar Manandhar

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2017-08-15 10:57 PM
Jump to solution

These SKs solve different problems:

Which approach you take will largely depend on what you want to use the current Standalone hardware for when it's all said and done.

View solution in original post

18 Replies
Dor_Marcovitch
Advisor
‎2017-08-15 06:30 AM
Jump to solution

you should use this : sk61681

Sagar_Manandhar
Advisor
‎2017-08-15 06:36 AM
In response to Dor_Marcovitch
Jump to solution

Any specific reason?

0 Kudos
Dor_Marcovitch
Advisor
‎2017-08-15 10:08 AM
Jump to solution

If you only want the policy than i think you might be able to use the cpmerge util but i belive you want to keep all you managment server data ..( user db , internal ca...) The sk i pointed you to will provide it to you 

0 Kudos
Sagar_Manandhar
Advisor
‎2017-08-15 08:42 PM
In response to Dor_Marcovitch
Jump to solution

I only need the object and policy. We don't need to restore the server data.

0 Kudos
Dor_Marcovitch
Advisor
‎2017-08-15 10:40 PM
Jump to solution

Than read about cpmerge utility you can export policy package and import it and the object.c for the object from the othe managment server

PhoneBoy
Admin
Admin
‎2017-08-15 10:57 PM
Jump to solution

These SKs solve different problems:

Which approach you take will largely depend on what you want to use the current Standalone hardware for when it's all said and done.

Sagar_Manandhar
Advisor
‎2017-08-16 08:48 PM
In response to PhoneBoy
Jump to solution

i am importing the configuration between standalone machine and management only machine . Thanks.. i will follow this SK

0 Kudos
Arun_Malipatil1
Participant
‎2018-08-01 04:56 AM
Jump to solution

What is the procedure for R80.10 version? Both the SKs say's it's not applicable to R80.xx version.

PhoneBoy
Admin
Admin
‎2018-08-01 09:15 AM
In response to Arun_Malipatil1
Jump to solution

I think you should still be able to do a migrate export of the management piece, import into a new standalone management system, then do a clean install of the gateway.

You can easily test this without affecting your existing gateway (except for the cpstop required to take the migrate export).

Arun_Malipatil1
Participant
‎2018-08-04 07:25 AM
In response to PhoneBoy
Jump to solution

Not clear with the answer. Let me reiterate the query:

I have R80.10 Standalone machine. Would like to migrate it to distributed setup(separate Mgmt server and GW).

Both sk61681 and sk85900 doesn't applicable to R80.xx

What do you suggest on this?

Pablo_Suarez1
Explorer
‎2018-08-11 10:21 PM
In response to Arun_Malipatil1
Jump to solution

I used the ExportImportPolicyPackage method and it worked for me.
  1. Download the files from here:
Download and Copy these files to the cp-mgmt-api blank folder you downloaded earlier.
 
 
  1. Run this cmd :    api start
    1. Make sue API status is running, run this cmd:
                              api status
  1. Create a directory
  • mkdir APIpython
  • scp all files to that directory
  • Run the python script CMD:
/opt/CPsuite-R80/fw1/Python/bin/python2.7  /home/admin/APIpython/ExportImportPolicyPackage-master/import_export_package.py
Ex:   [Expert@gw-bd57f0:0]# /opt/CPsuite-R80/fw1/Python/bin/python2.7 /home/admin/APIpython/ExportImportPolicyPackage-master/import_export_package.py 
 
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
 
 
Please enter a Policy Package name to export:
Standard
 
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
 
 
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
2
Exporting of Threat-Prevention layers enabled
 
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = True
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
 
 
Please enter your username:
admin
 
Please enter your password:  *******
 
Exporting Access Control layers
Exporting Access Layer [Network]
Retrieved 50 out of 87 rules (57%)
Retrieved 87 out of 87 rules (100%)
Processing rules and sections
Exporting access-roles from layer [Network]
Exporting services-udp from layer [Network]
Exporting groups from layer [Network]
Exporting hosts from group [Static.IPs]
Exporting hosts from group [Static.Limited.Internet]
Exporting networks from group [Static.Limited.Internet]
Exporting networks from layer [Network]
Exporting simple-gateways from layer [Network]
Exporting services-tcp from layer [Network]
Exporting hosts from layer [Network]
Exporting access rules from layer [Network]
Exporting access sections from layer [Network]
Exporting placeholders for unexportable objects from layer [Network]
Exporting layer settings of layer [Network]
Done exporting layer 'Network'.
Exporting Access Layer [Application]
Retrieved 17 out of 17 rules (100%)
Processing rules and sections
Exporting access-roles from layer [Application]
Exporting services-udp from layer [Application]
Exporting networks from layer [Application]
Exporting application-site-groups from layer [Application]
Exporting applications-sites from group [FaceBook_Group]
Exporting services-tcp from layer [Application]
Exporting hosts from layer [Application]
Exporting applications-sites from layer [Application]
Exporting application-site-categories from layer [Application]
Exporting access rules from layer [Application]
Exporting access sections from layer [Application]
Exporting placeholders for unexportable objects from layer [Application]
Exporting layer settings of layer [Application]
Done exporting layer 'Application'.
Exporting NAT policy
Getting information from show-nat-rulebase
Retrieved 50 out of 94 rules (53%)
Retrieved 94 out of 94 rules (100%)
Processing rules and sections
Exporting hosts
Exporting networks
Exporting NAT rules
Exporting placeholders for unexportable objects from NAT rulebase
Done exporting NAT rulebase.
Exporting Threat-Prevention layers
Exporting Threat Layer [IPS]
Retrieved 1 out of 1 rules (100%)
Processing rules and exceptions
Exporting Exception-Rulebase from Threat-Rule #1 in Threat-Layer[IPS]
Retrieved 10 out of 10 rules (100%)
Processing exceptions
Exporting hosts from layer [IPS]
Exporting groups from layer [IPS]
Exporting networks from group [VPNDomain]
Exporting networks from layer [IPS]
Exporting simple-gateways from layer [IPS]
Exporting threat exceptions from layer [IPS]
Exporting placeholders for unexportable objects from layer [IPS]
Exporting layer settings of layer [IPS]
Done exporting layer 'IPS'.
Exporting simple-gateways from layer [IPS]
Exporting threat-profiles from layer [IPS]
Exporting threat rules from layer [IPS]
Exporting Exception-Groups used in layer [IPS]
Exporting placeholders for unexportable objects from layer [IPS]
Exporting layer settings of layer [IPS]
Done exporting layer 'IPS'.
Exporting Threat Layer [Standard Threat Prevention]
Retrieved 1 out of 1 rules (100%)
Processing rules and exceptions
Exporting Exception-Rulebase from Threat-Rule #1 in Threat-Layer[Standard Threat Prevention
Retrieved 3 out of 3 rules (100%)
Processing exceptions
Exporting hosts from layer [Standard Threat Prevention]
Exporting networks from layer [Standard Threat Prevention]
Exporting threat exceptions from layer [Standard Threat Prevention]
Exporting placeholders for unexportable objects from layer [Standard Threat Prevention]
Exporting layer settings of layer [Standard Threat Prevention]
Done exporting layer 'Standard Threat Prevention'.
Exporting threat-profiles from layer [Standard Threat Prevention]
Exporting threat rules from layer [Standard Threat Prevention]
Exporting Exception-Groups used in layer [Standard Threat Prevention]
Exporting placeholders for unexportable objects from layer [Standard Threat Prevention]
Exporting layer settings of layer [Standard Threat Prevention]
Done exporting layer 'Standard Threat Prevention'.
 
 
Created Filename:
exported__package__Standard__2018_07_23_13_41.tar.gz 
 
  1. To import, copy the file to the new server and follow the same process from the menu based & choose option #1
 
Pablo Suarez | Senior Security Analyst | The Teneo Group
Daniel_Dobson
Employee
Employee
‎2018-09-22 06:41 PM
In response to Pablo_Suarez1
Jump to solution

Tried this with a system that has VPN's configured. Seems the python script doesn't like Interoperable Devices and VPN communities as it failed to import;

Adding vpn-communities-star

 

Failed to import vpn-community-star with name [Corp_Carrollton_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value

 

Failed to import vpn-community-star with name [Corp_COLO_VPN]. Error: Invalid parameter for [shared-secrets]. Invalid value

red_tomato
Participant
‎2020-10-25 02:01 AM
In response to Daniel_Dobson
Jump to solution

👍

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-13 07:56 PM
In response to Arun_Malipatil1
Jump to solution

To describe what I said a little more verbosely:

  1. Run a migrate export on your existing standalone gateway. This will create a copy of your management configuration.
  2. Install your new management (only) server and use migrate import to import the configuration to your new management server.
  3. Do a fresh install of your existing standalone system as Security Gateway only, which will include creating a new gateway object, establishing SIC, etc.

Refer to the Installation and Upgrade Guide R80.10 for more details.

anstelios
Collaborator
‎2020-04-08 01:28 AM
In response to PhoneBoy
Jump to solution

Are you sure that you can export a standalone configuration and import it to a mgmt only just like that on R80.30??

And if that succeeds, what about the gw object after the import? We ll need to "revert" this object to mgmt only in order to  create a new gateway, is this possible??

 

Or should we just use the python method ??

0 Kudos
Garrett_DirSec
Advisor
‎2020-10-20 05:30 PM
In response to PhoneBoy
Jump to solution

Hello @PhoneBoy .   while I appreciate the interest in doing it ourselves, I assume that support has ways to purge an "all-in-one" migrate export file of SIC and local gateway refernce(s)?    I send them a "migrate export <>" from all-in-one export and they send back file without local gateway reference (and SIC reset)?

Because support has done numerous voodoo operations in past, I like this method instead of jumping through endless hoops that only burn time for everyone (customer, reseller, etc).

 

thoughts? 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-20 05:39 PM
In response to Garrett_DirSec
Jump to solution

If TAC had such a tool, it'd most likely be formally documented in an SK, even internally.
I haven't seen that. 

0 Kudos
Garrett_DirSec
Advisor
‎2020-10-26 03:24 PM
In response to PhoneBoy
Jump to solution

Hello -- I can confirm that SK154033 does work for Standalone migration to Distributed for R80.40.      However, there are various clean-up aspects that are missing and we have SR open on topics.

In addition, the source standalone server was a CP-badged appliance running R77.30 with JHA.    The R80.40-based standalone instance is temporary.

We used HyperV as virtual platform and took "snapshot/checkpoint" after initial GAIA install -- before wizard -- so we could clone into the other instances we needed (permanent and temporary).

Note:   HyperV is supported for R80.40 in production with specific JHA/HFA take installed.   See HCL for specifics (virtual machines tab).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events