Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ruan_Kotze
Advisor

Migrating policies from standalone gateway to new management server

Was recently faced with an interesting scenario.  A customer had a standalone gateway running R80.10 and wanted to migrate to a distributed configuration, with separate management.  I researched how to do this and was surprised with the lack of clear answers both here and in the KB. 

A lot of the answers here either refer to KB's which explicitly state that the KB does not apply to R80.10 <or> that a migrate export should suffice.  In my experience it doesn't, it errors out explicitly stating that: "Database migration between Standalone and Management only machines is not supported".

Below is then the process I used to migrate my policies (firewall, NAT and Threat Prevention).

Requirements:

We'll need the CheckPoint API Python Development Kit:
https://github.com/CheckPointSW/cp_mgmt_api_python_sdk

And the CheckPoint Policy Import and Export tool

https://github.com/CheckPointSW/ExportImportPolicyPackage

Lastly, make sure that your gateway and management servers are on the latest GA Jumbo Hotfix Accumulator.  This will ensure that there are no Python compatibility issues.

Download and Extract both on your Computer, using the d:\CP_Python folder for this example I then end up with this structure:

D:\CP_PYTHON
├───cp_mgmt_api_python_sdk-master
│ ├───examples_python2
│ ├───examples_python3

Now we need to move all files and folders under the d:\CP_PYTHON\cp_mgmt_api_python_sdk-master folder to the d:\CP_PYTHON\cp_mgmt_api_python_sdk folder.

Our folder structure then looks like this:

D:\CP_PYTHON
├───cp_mgmt_api_python_sdk-master
└───ExportImportPolicyPackage-master
├───cp_mgmt_api_python_sdk
│ ├───examples_python2
│ ├───examples_p
│ └───lib
└───ExportImportPolicyPackage-master
├───cp_mgmt_api_python_sdk
├───exporting
└───importing
python3
│ └───lib
├───exporting
└───importing

The next step is to transfer the ExportImportPolicyPackage-master folder to both our source and destination CheckPoints. In this case I've transferred to the /tmp folder on each.

[Expert@source1:0]# pwd
/tmp/ExportImportPolicyPackage-master

Now we execute the actual script, like so:

[Expert@source1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/import_export_package.py

An interactive menu system will appear, from here make sure to specify:
- Output filename
- Layer to be exported
- Whether you want to export Threat-Prevention Layers

If you just specified a filename, your export can be found under the /tmp/ExportImportPolicyPackage-master/ folder. Now transfer this file to your destination management server.

In this instance I've transferred it to my /tmp folder.  If this is a new management server, I always delete the built-in Standard Layer, as I've found that the NAT rules import is a bit all over the show otherwise.

This you do under Security Policies -> Manage Policies -> Manage policies and Layers. Delete and publish your changes.

On the destination gateway we now execute the script, just like we did on the source:

[Expert@dest1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/import_export_package.py

Once again, an interactive menu system will appear, from here make sure to specify:
- Import a Package

- Enter user credentials manually

- Specify custom name for imported package (I use Standard, remember to delete the built-in as per above)

- Run

The script will now:

- Create a Policy Package

- Import services

- Import objects

- Import access-layers

- Import access-rules

- Import NAT rules

- Import threat-layers

- Import network

- Import hosts

- Import threat-profiles

- Import groups

If you connect to the management server with SmartConsole, you should see all the above reflected.

I've gotten a lot of free advice from this community - I hope this is also valuable to someone.  Let me know in the reply's if anything is unclear.

5 Replies
Benoit_Verove
Contributor

Hi Ruan,

Very Valuable !

I was also wondering how to split a standalone architecture en R80.x since editing Object files is not possible anymore

Thanks

Chckpnt_Charlie
Explorer

it looks to be possible to use migrate export and migrate import to go from a standalone fw/management to management only instance:

How to migrate Full HA environment to Distributed environment 

from the above:

Note: If the 'upgrade_import' / 'migrate import' process fails with "Database migration between standalone and management only machines is not supported" error, then follow these steps (per sk85900😞

  1. Unzip and untar the exported TGZ file and modify the 'configuration2' file in Vi editor:

    1. Change every instance of :is_firewall_module (yes) 
      to: :is_firewall_module (no) 

    2. Change every instance of :installed_products_registry_string ("FWManagement,FireWall,Primary")
      to: :installed_products_registry_string ("FWManagement,Primary")

    Alternatively, move the 'configuration2' file to your PC, make changes there and transfer the files back to teh server.

  2. Save the changes and repack the exported TGZ file (fisrt tar it and then zip).
    The whole process should be: 
    migrate.tgz -> migrate.tar -> change the configuration2 file -> save -> migrate.tar -> migrate.tgz

  3. Import the exported database again.
0 Kudos
PhoneBoy
Admin
Admin

The SK you mention explicitly states the procedure does not apply to R80+

The original poster was running R80.10, thus a different method is required.

Python tool for exporting/importing a policy package or parts of it

0 Kudos
Chckpnt_Charlie
Explorer

Well, the SK says: "Migration of Full HA environment to Distributed environment is not supported in R80.x", which lead me to believe this only covers that particular scenario.

What I need to do in my r80.10 environment is to split the management server from currently co-running on 12200 appliance alongside the firewall to a separate management only VM.

So, I stood up a new VM, installed matching build of the r80.10 management, followed the migrate export/import w/fixing the 'configuration2' file steps and the import was successful. The management server on the VM came up, I can ssh/webgui/smart console into it just fine and it seems to have all the objects there.

Could anyone recommend any other steps of making sure the new Management server is healthy before I try to place it in production?

0 Kudos
_Val_
Admin
Admin

Dameon Welch-Abernathy, although we do not have on official supported migration path from Full HA to distributed on R80.x, this workaround seems applicable. There is a non-zero share of cases where customers already moved to R80.10 on their Full HA system, and are now stuck with it. 

Any tool that would allow unblocking migration in their case is welcome, with due diligence: tests, backups, revert points ad proper planning.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events