the_rock
Legend

Copying rules from R80.30 mgmt server to R80.40 mgmt server for IPS layer

Hey guys,

Does anyone have any idea if it's even possible to do this? To make a long story short, the customer has an R80.30 mgmt server and they did not wish to do a migrate export and then import into the newly built R80.40 server, so we helped them copy a bunch of rules and layers over manually. The problem now (literally the last obstacle) is that there is a layer called IPS under Threat Prevention in R80.30, but it does not seem the naming convention allows the same name to be created for a Threat Prevention layer on the R80.40 server (photos attached). I was able to do the same rule copy for the app control layer, but probably because it had a non-convention name (something like customername_appcontrol_layer), so when I created the same layer in R80.40 and made sure it was shared, all 106 rules copied over 30 seconds later.

I hope someone can tell me if this is doable for IPS or not. I had TAC try to export the IPS layer rules, but we did not see an option to import them anywhere in the R80.40 IPS layer. I attached a couple of screenshots.

Thanks in advance for the help!

Andy

Attachments: ips_error.png, ips_layer_R80.30.png

0 Kudos
3 Replies
PhoneBoy
Admin

The Threat Prevention layer named "IPS" only comes about when you upgrade from R77.30 and earlier and is necessary for pushing a Threat Prevention policy to these gateways.
If none of your gateways are R77.30 or earlier, then you should not have a Threat Prevention layer named IPS.
I believe if this policy previously existed and all pre-R80 gateway objects are removed, this layer will get removed.
This is likely why the name "IPS" for a Threat Prevention policy is blocked by the UI. 

Then the question comes: how do you migrate the rules?
First of all, you can't call the layer IPS, but any other valid name should work. 
You should be able to export/import the policy rules via the API.

0 Kudos
the_rock
Legend

Yes, that makes sense. BUT...though TAC suggested API, I tried that, but could not figure out the right command to do it.

0 Kudos
PhoneBoy
Admin

Probably something like show threat-rulebase name "IPS" 
Obviously you'd have to parse the results and add them with something like add threat-rule

0 Kudos
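
The parsing step suggested in the last reply, as an added example that is not part of the original thread and not Check Point code: it turns a saved `show threat-rulebase` JSON result into one `add threat-rule` payload per rule for a layer with a different name. Assumptions: the field names (`rulebase`, `objects-dictionary`, `protected-scope`, `action`, `position` and so on) are written as I understand the Management API and should be checked against the API reference for your version; the function name, the layer name `Migrated_TP_Layer` and the sample export are constructed for illustration. Track settings and negate flags are not copied here.

```python
import json

LIST_FIELDS = ("protected-scope", "source", "destination", "service", "install-on")

def build_add_threat_rule_payloads(export, target_layer):
    """Turn a show threat-rulebase result into add threat-rule payloads."""
    if target_layer.strip().upper() == "IPS":
        # The thread notes that R80.40 blocks "IPS" as a Threat Prevention layer name.
        raise ValueError('target layer cannot be named "IPS"')
    # Assumption: rule fields hold UIDs that resolve through objects-dictionary.
    names = {o["uid"]: o["name"] for o in export.get("objects-dictionary", [])}

    def resolve(uid):
        if uid not in names:
            raise KeyError(f"object {uid} is missing from objects-dictionary")
        return names[uid]

    payloads = []
    for rule in export.get("rulebase", []):
        if rule.get("type") != "threat-rule":
            continue  # skip anything that is not a rule
        payload = {
            "layer": target_layer,
            "position": "bottom",  # appending in export order keeps rule order
            "name": rule["name"],
            "enabled": rule.get("enabled", True),
            "comments": rule.get("comments", ""),
            "action": resolve(rule["action"]),  # Threat Prevention profile
        }
        for field in LIST_FIELDS:
            payload[field] = [resolve(u) for u in rule.get(field, [])]
        payloads.append(payload)
    return payloads

# Constructed sample, not output from a real management server.
SAMPLE_EXPORT = json.loads("""{
 "rulebase": [
  {"type": "threat-rule", "name": "Protect DMZ", "enabled": true, "comments": "",
   "protected-scope": ["u-dmz"], "source": ["u-any"], "destination": ["u-any"],
   "service": ["u-any"], "install-on": ["u-tgt"], "action": "u-strict"},
  {"type": "threat-rule", "name": "Default", "enabled": false, "comments": "catch-all",
   "protected-scope": ["u-any"], "source": ["u-any"], "destination": ["u-any"],
   "service": ["u-any"], "install-on": ["u-tgt"], "action": "u-opt"}],
 "objects-dictionary": [
  {"uid": "u-any", "name": "Any"}, {"uid": "u-dmz", "name": "DMZ_Net"},
  {"uid": "u-tgt", "name": "Policy Targets"}, {"uid": "u-strict", "name": "Strict"},
  {"uid": "u-opt", "name": "Optimized"}]}""")

if __name__ == "__main__":
    for p in build_add_threat_rule_payloads(SAMPLE_EXPORT, "Migrated_TP_Layer"):
        print(json.dumps(p))
```

Every object a payload names (networks, profiles, install targets) has to exist on the R80.40 server before the rule is added, and a disabled rule stays disabled because `enabled` is carried over.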
