
Unify Policy Migration from R77.30


Hi,

We have migrated from a Check Point 77.30 Server Firewall to a 5000 Appliance with R80.10. We want to use the new Unify Policies. After we activated the new layer in the Access Control Policy and installed the policy on the Blades, we get the error message: "Layer "Network": Rule XX has "Legacy User Access" in the Source Column which can be configured on layer with Firewall only". We have 14 rules with this error.

What can we do to activate the Unify Policy?


Re: Unify Policy Migration from R77.30

Try using an access role in this rule.

Re: Unify Policy Migration from R77.30

If you are able to replace your Legacy User Access objects with Access Role objects, then the unify policy will work for you.

Re: Unify Policy Migration from R77.30

Unified policies cannot be used with certain legacy features.

Based on what you're describing, you are likely using rules with an action of User Auth or Client Auth.

The only way to use unified policies is to stop using these legacy features and use their more modern equivalents instead (e.g. Access Roles). 

More info here: Install policy on R80.10 Security Gateway fails with verification error messages 

Re: Unify Policy Migration from R77.30

Legacy User is also being used for rules that control access of Secure Client Connections

Re: Unify Policy Migration from R77.30

I figured there were other instances that I forgot about :)

That's why I linked to the SK which covers most of them.

Re: Unify Policy Migration from R77.30

Hi Guys,

Thanks for your replies. We use the legacy User for the Secure Client Connections like Endpoint VPN. Is there a way to migrate from Legacy User Access to the modern equivalents?

Thanks

Re: Unify Policy Migration from R77.30

If you're using Client Encrypt rules (i.e. where the action is Client Encrypt), you should be using VPN Communities instead, which were introduced more than 15 years ago.

The legacy User Groups should be replaced with Access Roles.

Refer to: Remote Access VPN R80.10 (Part of Check Point Infinity) 

Re: Unify Policy Migration from R77.30

This is one of our VPN policies:

[Screenshot: VPN Policy]

And this is my new VPN policy:

[Screenshot: New Policy]

And this is my Access Role:

[Screenshot: Access Role]

The group is a Check Point internal group.

But after the removal of the Legacy User Group, my test user cannot use the VPN anymore. I don't get any connections.

Re: Unify Policy Migration from R77.30

It's been probably since Secure Client days since I configured a Remote Access VPN, so no shock I got that wrong :)

You don't even need an Access Role--remove that from the rule.

You define what groups are permitted in the VPN community itself. 

Re: Unify Policy Migration from R77.30

If I use this for the groups, can I use my granularity for my VPN connections?

I have a lot of external VPN users, and they should only access certain systems.

Re: Unify Policy Migration from R77.30

The simplest option (which I used when migrating a customer from ASA, ACS, RADIUS etc. to CP R80.10) is to just create a role for each 3rd party user and make a rule with:

source (e.g. Role_3rd_party_user_1) | dest (wherever he should be able to go) | svc (whatever he should be able to do) | accept | log

Easy.

You might want to make an AllUsers Role and make that the entry to a layer containing the 3rd party rules.

D

Re: Unify Policy Migration from R77.30

Do you have an example, like a screenshot, for this rule?

Re: Unify Policy Migration from R77.30

something like that? 

D
