This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Perry_McGrew
Collaborator
yesterday

Export / Import Configuration of existing GWs to new appliances

I have read sk98166 and seen several posts here that aren't giving me much hope.  We are replacing our EoL CP Gateways.   Since we are Healthcare, any extended downtime needs to be avoided.   

We are replacing several 3200's with 3920s at our remote sites.   Our lone 1470 is being replaced by 1575. Our Corporate 5800 ClusterXL HA are being replaced by 9200. 

All our current CP GW devices and MGT are R82 JHF 39. 

I have not had to do Hardware replacement upgrade since 2017-2018 when these current devices were released.   I have done the "show configuration" and saved the output on all the current GW devices.   I recall the last time I did the Import Configuration <file name> on the new hardware, several statements errored.  I also recall that certain statements that errored were in fact valid, but just needed to be entered in a specific order.  I don't know if the Import Configuration has improved since then.  

Anyway, I was hoping that there was a Tool / script like the Migrate-Export process the Management server has for a these centrally managed GWs that would handle the Config import on the new appliances.  I've seen the suggestions on using Blink.  I have never tried Blink and manually creating the xml answer file seems to be a lot of work and potentially error prone.  

The new devices will show up shortly and I will need to do the setup in my office before bringing them out to remote sites, reset SIC and install the policy.  I am not concerned on the SMB 1470 -> 1575 as it has a very specific and limited purpose and I know the 1470 runs the old R77.20 code.     

TIA - Perry

Labels
0 Kudos
4 Replies
Paul_Hagyard
Advisor
yesterday

Make a list of the important configuration items and go through them one-by-one and replicate. You may not necessarily have the same interface names on the target hardware anyway, in which case you would need to change both the clish configuration and the GUI interface configuration anyway.

Clish items like, but not limited to:

  1. Authentication (grub, admin, other users, expert)
  2. Allowed clients
  3. NTP and DNS
  4. Interfaces and routes, DHCP relay
  5. Syslog and SNMP

OS items like:

  1. fwkern.conf
  2. /web/conf server key and cert
  3. Custom scripts

Check Point team: it would be nice to have such a tool as suggested, one which covers both the on-device and GUI configuration to move to a new platform.

0 Kudos
Perry_McGrew
Collaborator
yesterday
In response to Paul_Hagyard

Paul,

That is basically what I have done back in 2017-2018.  I take the original config, edit what I need and then have copy & paste into new appliance - section by section.   Noting what statements failed and adjust.   After done, I dump the new device configuration and run it along with the old device config thru an app  called Beyond Compare to double check.   

Its a tedious process that I will need to do for each of the remote sites.   I was just hoping that there had been something developed like the Management's Migrate-Export for Gateways. 😞

 

0 Kudos
Bob_Zimmerman
Authority
Authority
yesterday
In response to Perry_McGrew

This is pretty much the idea behind using Ansible with the Gaia API (OS-level, not management-level). You can specify most of the configuration in Ansible, then have Ansible apply it to a new box. It's complicated to port the config to an Ansible playbook in the first place, but once you're done it's easy to back it up, track changes across all managed firewalls in version control, and so on.

0 Kudos
rrbranco
Collaborator
Collaborator
yesterday

Take a look at this thread:

 

https://community.checkpoint.com/t5/General-Topics/Config-Files-Backup/td-p/210488


0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events