moving to NGX : two questions

[joris]

Hi,

I'am fairly new to NGX en checkpoint installations, I only have experience in administrating checkpoint. But now I have to do my first installation.

We're moving from CP NG on Nokia to NGX SPLAT.
So maybe someone can help me with these questions:

1) How can I export the rulebase from the Nokia and import in the new NGX installation.

2) What is an easy way to upgrade the NG license to NGX

Cheers,

[Lackie]

Look for the upgrade_export command on your management station. This can be used to save all of your checkpoint information.

As for the license, you can get that upgraded at the CheckPoint usercenter (usercenter.checkpoint.com) or I belive there may be a utility that can do that as well but I would go to the usercenter to get the NGX license.

[joris]

So upgrade_export must be run on the management stations not on the NOKIA ??

I allready found how to upgrade the license on the usercenter, thx for that.

cheers,

[Lackie]

Right, upgrade_export is only needed to run on the management station. If you are still keeping the same management station and only changing the gateways, then there isn't a backup that you need to do on the gateways. Just be sure that you do the upgrade_export before you upgrade the management station.

[Peter]

Just one thing to know - il would be better to use NGX version of upgrade_export. Maybe it works with the NG version but CheckPoint recommends to use the NGX one. You can download it from usercenter.checkpoint.com or use the one from your NGX CD.

[Lackie]

If you are upgrading to NGX, then I would use the NGX version of upgrade_export.

[joris]

So since everythings now runs on the nokia I've downloaded
upgrade_checker_B591000034_1.tgz.

- So I copy this file through tftp to the Nokia
- run upgrade_export
- copy the config-file received from the upgrade_export script to the tftp-server.
- Install SPLAT
- copy the config-file from the tftp-server to the SPLAT
- run the upgrade_export command with the config file
--- DONE ---

Are those steps correct or am I missing something?

Cheers,

[Westy]

we just upgraded from SPLAT R54 to SPLAT R60 (NGX) with the help of a consultant. the first thing he did was to upgrade our license at the user center. according to him it should always be the first step in the install routine. he did use the NGX version of the export tool.
Steps.
backup existing install.
export objects
ftp file that contains exported objects to a couple of different laptops.

run the verify upgrade routine.
upgrade the license at the user center.
install ngx
import exported objects.
backup new install
export objects from the new install
ftp them to the laptops again

[joris]

damn, can't get upgrade_export to run on the nokia box.
first got a permission denied, did a chmod 777 on the file
and now I receive 'bad address'

[joris]

OK, so the upgrade_export version I've downloaded from the checkpoint site for NGX did not work.
So I used the one allready on the nokia box (R55) and the export worked.
Imported on the new NGX SPLAT also went like a charm.

Upgrading the license on the site -> could not add the license through the web-interface, this only worked in the console with the 'cplic put' command.

logging in with smartdashboard -> everything seems fine
No I need to wait untill everyone is out off the office to switch the cables.

-> some odd thing : when I use 'shutdown' in the console the screen stays on 'Halting System' but the server doesn't shutdown.
When I use reboot I noticed no problem at all.

Cheers,

[joris]

OK, migration is almost done except one problem that's need to be fixed.

For some reason a static nat on the nodes does not function.
I need to NAT a mailrelay to one of our public ip adressen, but that does not work.
Only hide behind gateway seems to work to access the internet.

Do I need to configure something more to get static and/or hide NAT to work?

cheers,

[chillyjim]

Quote:

Originally Posted by joris

OK, migration is almost done except one problem that's need to be fixed.

For some reason a static nat on the nodes does not function.
I need to NAT a mailrelay to one of our public ip adressen, but that does not work.
Only hide behind gateway seems to work to access the internet.

Do I need to configure something more to get static and/or hide NAT to work?

cheers,

Are you trying to do a manual NAT rule (NAT Tab) or an automatic rule (In the host object)?

Automatic rules do all of the ARP and routing magic for you. If you add manual NAT rules, you need to add the ARP entries and may need to add a host route.

-jlh

[joris]

chillyjim,

I'am using automatic NAT rule.
I can only access the internet if I put the ip adress of the firewall in the Static Nat.
All other ip addressen in the range does not work.
Since I imported the config from the Nokia and everythings stills work fine on the Nokia, thats kinda strange to me.

[chillyjim]

Yeah that is strange, SPLAT handles NAT better than IPSO in general....

Have you opened a call with support yet?

-jlh

[Lackie]

Put a proxy arp on the Nokia for the other IP's and you should be set. I never trust the autoarp in CheckPoint to work properly.

[joris]

Ok, found the solution.
I had to do NAT like on previous version of splat/linux

First I actived proxy arp on the interfaces
Edit /etc/sysctl.conf with a text editor (such as vi).
Add the following:
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.default.proxy_arp = 1
reboot

and then I added a route for the static nat
route add -host "Static_nat_ip" gateway "internal_ip"
-> do this with sysconfig to add a persistent route !!

I thought NGX did all the arp/route magic for you if you used automatic nat rules ??

Maybe this is a consequence of the export_upgrade I did on the Nokia, I don't know.

Anyone other had static/hide NAT problems with NGX ?

cheers,

-> thx for all the replies guys !!