This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2020-02-26 11:55 PM

Convert Traditional Mode Policy to Simplified Policy MGMT R80.30

Hello Community,

 

We are about to start converting a traditional mode policy to simplified mode.

Our MGMT server has already been upgraded to R80.30 so the conversion tool is no longer available (Simplified Mode VPNs have been the default since R5x.), so my understanding at this point is that we have to perform the conversion manually.

We have 100+ S2S L2L IPSEC VPNs with Checkpoint and 3rd party gateways using a mixture of cert-based and PSK auth we will need to create communities for. 

There are about 300 ACLs with 'Encrypt' action configured which will need to be changed. 

 

Questions:

1. What is the recommend process to complete this task i.e. step-by-step? 

2. a. Can we use the existing traditional mode policy and change the action value to accept and create the communities, or does the policy need to be recreated? 

b. If the latter, would the best way be to export the existing objects out of the existing policy and re-importing the objects, with the exception of the Action field value  in to a new (simplified mode) policy? 

3. Based on experience and knowledge are you aware of any caveats to be aware of with this type of conversion?

 

Thanks in advance for your guidance.

Regards,

Simon

 

 

 

 

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-02-27 02:40 AM

It would have been much better to convert before the R80.x30 upgrade... So i would suggest to involve TAC or even CP Professional Services to do that smoothly !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
oriehl
Explorer
‎2020-02-28 05:58 AM

Hi,

 

I would be interested of the Tac's answer.

I need the same for a 80.30 client with a big policy base.

 

0 Kudos
_Val_
Admin
Admin
‎2020-02-29 02:57 AM
In response to oriehl

Sorry, but I do not see here a TAC case. PS, sure, but not support. 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-28 08:47 AM

First, yes, this should have been done prior to upgrading to R80.x.
I did find an SK that suggests you can do this with cp_merge, which is NOT supported in R80.x (so don't do this!): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

What it does imply is that, yes, you should be able to "copy paste" rules and change the action to Accept.
In addition to manually creating the VPN communities of course.
What I would do is create a new Policy layer.
Selecting rules in the existing rulebase (do a few at a time), use the standard shortcuts for copy and paste to bring the rules to the new rulebase.
Not sure how this will work when you encounter rules with an Encrypt action, so it's possible these rules might require manual recreation.

In any case, I second the recommendation to get Professional Services involved here.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events