Copy security policy from R62 to R70

[Devon_Custard]

Hi all,

I have built an R70.20 SPLAT server and I want to move my policies from my old R62 server. Originally I was advised that it would be possible to simply TFTP the policy over from the old one using the restore process. Can someone confirm this?

Has anyone done something similar?

[lammbo]

This is an upgrade to a new version on a new box and is probably the safest and easiest path to SCS upgrades.

in a nutshell:
1) new box needs same IP and FQDN (can connect to cheap stand alone switch temporarily because NIC must be connected or CP services will not start)
2) upgrade_export old SCS from R62 server
3) upgrade_import to new server
4) turn off old server and move ethernet cable to new server
5) SIC, licenses and all that happy and fun stuff should be good to go

I suggest RTFM. Upgrade procedures are in the docs.

[Devon_Custard]

lammbo,

Thanks for the heads up. Page 229 of the "Install and Upgrade Guide" if anyone else is interested. I have also found that if ASCII mode is used for a tftp transfer, then the import doesnt work. Binary has to be used in both directions.

I now have a different problem that I have logged with reseller/Checkpoint, but I am putting here in case someone else can comment.

When I log into the SmartDashboard, edit the policy ( which I recognise from the old firewall), I get the following error:

Firewall and Address Translation Policy Verification:
put_asm_data_excluding_cpmad: Error >> can't convert dynamic attacks to kernel props by type.
Verifier warnings: The Converter failed to convert policy. Possibly wrong policy name. "Policy Name"


I have searched elsewhere and note that Solution ID: sk31864 is suggested. I have tried this, but no luck.

Any help greatly appreciated.

D

[lammbo]

Never heard of that one, support should be able to figure that one out. No errors during the import though?

Well, the beauty of this is that you can still use your old SCS and continue to make daily changes while support figures out your issue. Just put the new one back on that standalone net to work on it. When they find your issue and provide a fix, re-import from your old box again to reflect changes made in the meantime, do the fix and try again.

This is exactly the reason I said it's the safest upgrade path, you can still use your old SCS because you didn't re-use the old hardware.

[Routerkid1]

Quote:

Originally Posted by lammbo

Never heard of that one, support should be able to figure that one out. No errors during the import though?

Well, the beauty of this is that you can still use your old SCS and continue to make daily changes while support figures out your issue. Just put the new one back on that standalone net to work on it. When they find your issue and provide a fix, re-import from your old box again to reflect changes made in the meantime, do the fix and try again.

This is exactly the reason I said it's the safest upgrade path, you can still use your old SCS because you didn't re-use the old hardware.

That is correct must always use bin mode.

[Routerkid1]

Quote:

Originally Posted by Devon_Custard

Hi all,

I have built an R70.20 SPLAT server and I want to move my policies from my old R62 server. Originally I was advised that it would be possible to simply TFTP the policy over from the old one using the restore process. Can someone confirm this?

Has anyone done something similar?

Sounds like Smart Defense is giving you a fit. I would do the following:

I would go R62>R65>R70>R70.20


Make sure you update all of the SD/IPS protections along the way. I would even build a quck test firewall in which you can push policy to if you can not get a maint window to test the new smartcenter.

I have found in my experience that CP likes the version by version upgrade path. I know the upgrade guide says *It should work but I have been burned way too many times on upgrades. Also setup vmware workstation/server and do all of your testing in it. Really easy and you can make a cpbackup or upgrade_export to FTP off the machine before each upgrade test.

[Devon_Custard]

I tried the following:

1. Install a clean R70 or R70.1.

2. Perform “Online Update” from the IPS view -> Download Updates tab and save.

3. Run the cpstop command on the Security Managemet server.

4. Backup the following files from the $FWDIR/conf directory:

asm.C
ips_attribute_extensions.C
ips_classes.C
ips_contexts.C
ips_db_cfg.C
ips_exceptions_table.C
ips_protections_override_table.C
ips_signatures.C
profiles.C
ips_tables.sqlite

5. Import database from the previous version by using the upgrade_import tool.

6. Run the cpstart command on the Security Managemet server and log in to the SmartDashboard.

7. Go to IPS view -> Enforcing Gateways tab and select 'Default_Protection' for all Security gateways.

8. Go to IPS view -> Profiles tab and delete all Custom protections. Only the default and recommended should remain.

9. Run the cpstop command on the Security Managemet server.

10. Backup and delete the following files from the $FWDIR/conf directory, including any ".backup" files for these files that exist:

asm.C*
ips_attribute_extensions.C*
ips_classes.C*
ips_contexts.C*
ips_db_cfg.C*
ips_exceptions_table.C*
ips_protections_override_table.C*
ips_signatures.C*
profiles.C*
ips_tables.sqlite*
applications.C*
CPMILinksMgr.db*

11. Copy the files from Step #4 to the $FWDIR/conf directory.

12. Run the cpstart command.

13. Perform “Online Update” from the IPS view -> Download Updates tab and save again.
Make sure that the update version is the same as in step 2.


Note: the above procedure resets all default IPS settings.

It does resolve the "put_asm_data_excluding_cpmad: Error >> can't convert dynamic attacks to kernel props by type" error I was getting.

Now on install I get errors shown on the attached file.

I am going to clear the logs as per previous post, if that fails I'm going to try and do an upgrade_import to vanilla R70 before upgrading to R70.20

[Devon_Custard]

OK, that didnt work either.

Stuck between a rock and a hard place at the mo. I can have either a working firewall with no rules or my rules but no ability to make changes.

I am not interested in any previous files from the old firewall except the security, nodes and NAT rules.

I have given the company that supports me on Checkpoint a kick so I look forward to hearing from them soon.

Correct me if I am wrong but it seems to me that it might be best just to input each rule, node, NAT object one by one..... yuk

[Devon_Custard]

Is there any mileage in copying the R70 upgrade_export file to R62 and running it?

[rubber_chicken]

Quote:

Originally Posted by Devon_Custard

Is there any mileage in copying the R70 upgrade_export file to R62 and running it?

I would not think that this would work. The R70 export will have a bunch of stuff in it that R62 will simply go WTF??? and fail.

[lammbo]

Quote:

Originally Posted by rubber_chicken

I would not think that this would work. The R70 export will have a bunch of stuff in it that R62 will simply go WTF??? and fail.

I think he meant use the upgrade_export tool from R70 to do the export on R62, since the tool version is newer. I think there is merit in trying it.

[rubber_chicken]

Quote:

Originally Posted by lammbo

I think he meant use the upgrade_export tool from R70 to do the export on R62, since the tool version is newer. I think there is merit in trying it.

Kerplunk.....kersplosh (penny dropping)

Oh, definitely do that then! Yup, agree wholeheartedly. I've got a funny feeling I've even read a CP KB article or doc in the past that even discusses that as a recommendation. (Don't ask me to prove it, it might take a while....)

[Devon_Custard]

Indeed, I was proposing using the "newer" upgrade_export on the R62 server.

OK, update time. It didn't work. BUT.....I do get a different error now. Instead I get "Database conversion failed".

Will do some research.

[ShadowPeak.com]

Quote:

Originally Posted by Devon_Custard

Indeed, I was proposing using the "newer" upgrade_export on the R62 server.

OK, update time. It didn't work. BUT.....I do get a different error now. Instead I get "Database conversion failed".

Will do some research.

Here is a method I've used successfully in the past when a direct upgrade_export/upgrade_import would not work. Note that this technique brings over objects and policies ONLY, and does not include Global Properties, SIC/Certs, Users/User groups or SmartDefense/IPS settings (which might be a good thing in your case):

1) Take upgrade_export from R62 SmartCenter
2) Scratch-load a new temporary R70 SmartCenter in VmWare or on some old hardware (no need to patch it to R70.20)
3) upgrade_import the R62 config on your temporary SmartCenter
4) Perform a cp_merge export_policy for each policy package you want to take on the temporary SmartCenter
5) Take copies of $FWDIR/conf/objects_5_0.C and all exported policy files from the temporary SmartCenter
6) Load R70 on your new permanent SmartCenter and patch it to R70.20
7) Using objects_5_0.C from temporary SmartCenter, do a cp_merge merge_objects
8) Bring exported policy packages in from your temporary SmartCenter with a cp_merge import_policy

Examine all aspects of your Firewall-1 configuration carefully (especially Global Properties) as only objects and policies are brought over using this technique. cp_merge cannot migrate objects/policies between different versions of Firewall-1 like upgrade_import can, hence the need for a temporary intermediate SmartCenter.

edit: fixed spelling

[Devon_Custard]

ShadowPeak.com,

Thanks for taking the time to respond. Can you expand a little on steps 4 and 5, especially on the use of cp_merge?

D

[ShadowPeak.com]

Quote:

Originally Posted by Devon_Custard

ShadowPeak.com,

Thanks for taking the time to respond. Can you expand a little on steps 4 and 5, especially on the use of cp_merge?

D

cp_merge is a built in utility to merge objects and rules into an existing SmartCenter; it is included with the standard distribution. For step #4, in the SmartDashboard you have one or more "policy packages" which is a collection of rules; the default one is called "Standard". So suppose you had 2 firewalls under management, each with its own policy package; the policy packages are called "Peak" & "Shadow". The cp_merge commands to run on your temporary SmartCenter would look like:

cp_merge export_policy -n Peak -f Peak_backup.pol
cp_merge export_policy -n Shadow -f Shadow_backup.pol

This exports the polices in a way suitable for import on your new SmartCenter and will be used during the cp_merge import_policy operation on the new SmartCenter; the objects definitions are already in the objects_5_0.C file and that will be used for the cp_merge merge_objects operation. So you'll need to copy the objects_5_0.C, Peak_backup.pol & Shadow_backup.pol files off your temporary SmartCenter onto the permanent SmartCenter. Once on the new permanent SmartCenter do this from a directory with the three copied files present:

cp_merge merge_objects -d .
cp_merge import_policy -f Peak_backup.pol -n Peak
cp_merge import_policy -f Shadow_backup.pol -n Shadow

You'll need to enter your GUI/SmartDashboard credentials for the new SmartCenter when you run each of these commands; the server name can be localhost/127.0.0.1.

Check out sk33751 and sk41599 for more information about cp_merge; the command is most typically used to merge the configuration of two or more SmartCenters but can be used when you want to bring in policies and objects but want to leave everything else as default.

edit: fixed typo in cp_merge command

[Devon_Custard]

Thought I would give you all an update.

I decided that as the project was slipping it might just be best to suck it up and insert everything manually. Yup, manually.

Fresh build, ipod and a couple of days and I now have a working R70.20 server with all of my rules.

Thanks for all your effort

D