Is it possible to test the traditional to simplified VPN conversion process?

In anticipation of installing new R80.30 management servers for our R77.30 gateways, we plan to convert from traditional to simplified VPN while still on R77.30 management, but would like to do a test run of the conversion process. Would the following process work, and would it have any implications for the existing traditional mode policy?

1. Copy the existing production traditional mode policy package to a new test policy package.
2. In the new test policy package, create a star community object for each site that we VPN with.
3. Run the conversion wizard on the test policy to add the devices to the appropriate communities (each VPN community will contain the Checkpoint cluster object and the remote device object) and to convert the access rules from "encrypt" rules to access rules. The new test policy package now contains a simplified VPN policy.
4. Examine the resulting rules to determine if additional rules need to be added to permit or deny traffic that might now be unintentionally dropped or permitted as a result of the conversion.

Will any of these steps adversely affect the existing production traditional mode policy when it is next installed? We noticed that when you create a VPN community and then add the local Checkpoint object and remote interoperable device object to it, the IPSEC VPN tab of the Checkpoint cluster object and the remote interoperable device object show that the security gateway now participates in a VPN community. Since the Checkpoint and interoperable device objects are common to all policy packages, if we install the production traditional mode policy again, will these VPN community participations adversely affect the installation or operation of the existing traditional mode VPNs?

Additionally, if we install the new simplified policy and encounter problems, can we simply reinstall the prior traditional mode policy?
