CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 Zulan, 2006-01-10
Upgrading from r55 to ngx doesn't work

Hi!

I have an R55 server and the hardware is getting a little outdated; the operating system is Red Hat. Since I am in the process of upgrading to NGX, I might as well move to a new server, and I want to ditch Red Hat and use the Check Point OS. I have read up on the process and, as far as I can see, I need to run the upgrade_export tool. I have exported my config using the tool that's on the NGX CD in order to get the latest version.

Then I booted the new server with the NGX CD in the drive. The installation seems to be working fine. Then I chose the advanced upgrade and gave the new server the config file through TFTP. I installed the licenses. Everything seems to be fine and dandy. I then opened the server through SmartDashboard and sent it my configuration, since it says it has the default config installed. After that nothing works network-wise; the firewall seems to block everything and I'm totally stuck.

I can agree with typing all my rules in manually, but the VPN users are a lot more work. Can I somehow just transfer the VPN users and hope that that will work?

Any help is greatly appreciated.

#2 jobroco, 2006-01-10
Re: Upgrading from r55 to ngx doesn't work

Zulan,
I am assuming that SIC is established between the SmartCenter server and the gateway, yes? Be sure to get the network topology of the new gateway for the gateway object you have defined in SmartDashboard. As long as you see all users/network objects in SmartDashboard you can then install the policy. Hope this helps.
-jj

#3 Zulan, 2006-01-10
Re: Upgrading from r55 to ngx doesn't work

I'm not sure what SIC is; I have seen it mentioned on the Check Point site too. Can you explain?

The topology, you say. I have tried so many things and reinstalled the server, without exaggerating, at least 20 times, so I'm not exactly sure what things I have tried. Do you mean that the new server needs to have exactly the same IP addresses as the old server? If so I can't really configure it within my network since there will be IP conflicts, but that can of course be fixed by building a temp network. I can see all the users/network objects in SmartDashboard; everything seems to be just fine. But when I install it, the server just starts blocking everything as mentioned.

#4 jobroco, 2006-01-10
Re: Upgrading from r55 to ngx doesn't work

Zulan,
SIC is the "Secure Internal Communications" methodology that Check Point uses to ensure that the SmartCenter Server is securely communicating with the gateways that it's managing. You can check on the General Properties of the Check Point Gateway object in SmartDashboard to see this option. You can test it and reset it by clicking the Communication button. If you click on Communication and then Test, it will let you know if SIC is set. Reset it if necessary. Next, to make sure the topology is set properly you need to look under the Topology settings for the gateway object (just under General Properties on the left). Click on the Get button to retrieve the Interfaces with topology. You can then edit each network interface to define anti-spoofing. By changing the OS of your gateway the naming convention and MAC addresses of your NICs have changed. So having the new gateway's IPs set to the same as the existing isn't mandatory (but could ease with limiting changes in your rulebase). It's more necessary to ensure that the SmartCenter server understands which hardware address (MAC) for SIC and topology to bind to. Good luck.
-jj

#5 Zulan, 2006-01-10
Re: Upgrading from r55 to ngx doesn't work

One main problem I have with this is that I have to reinstall the computer each time I need to go into SmartDashboard. This is quite frustrating and makes this thing take forever. So I took some time to try and get to the computer without reinstalling. As of now I have a newly installed server that blocked me last time I tried to upload a policy as described. I then typed cpstop, and after that I can reach the server through its web interface but I can't reach it through SmartDashboard. Is there a way to enable me to access the server through this dashboard? Maybe I need to start something. But if I type cpstart it will for sure block me. The error message is:

Connection cannot be initiated.
Please make sure that the server 172.31.31.1 is up and running and that you are defined as a GUI client.

#6 chillyjim, 2006-01-10
Re: Upgrading from r55 to ngx doesn't work

From the command line of the "new firewall" enter the command "fw unloadlocal" and see if that brings back your connectivity.

As for the rest, are you running a single system (FW and Management on the same box) or a distributed system?

As jobroco said, this type of problem tends to be due to anti-spoofing and can be fixed in the topology tab of the firewall object. To get started, you might want to disable the anti-spoofing on the interface you are connecting to until you get everything else set.
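
The anti-spoofing failure described in posts #4 and #6, as an added example that is not part of the original thread and is not Check Point code: a simplified Python model of per-interface anti-spoofing, showing why a topology carried over from the old gateway drops legitimate traffic once the NIC naming changes. The interface names, the /24 network and the packet addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

EXTERNAL = "external"  # marker: interface leads to everything not defined elsewhere

def antispoof_verdict(topology, iface, src):
    """Simplified model: accept a packet only if its source address belongs
    behind the interface it arrived on, according to the gateway's topology."""
    src = ip_address(src)
    behind = topology[iface]
    if behind == EXTERNAL:
        # A source that belongs behind an internal interface is spoofed here.
        internal = [net for nets in topology.values()
                    if nets != EXTERNAL for net in nets]
        return "drop" if any(src in net for net in internal) else "accept"
    return "accept" if any(src in net for net in behind) else "drop"

LAN = ip_network("172.31.31.0/24")  # constructed; the thread only shows 172.31.31.1

# Topology carried over from the old gateway object: eth0 faced the Internet.
stale = {"eth0": EXTERNAL, "eth1": [LAN]}
# Topology after "Get" on the new box (assumed here: NIC order is reversed).
fresh = {"eth0": [LAN], "eth1": EXTERNAL}

# Constructed packets as they physically arrive on the new gateway.
packets = [
    ("eth0", "172.31.31.50"),  # admin workstation on the LAN
    ("eth1", "198.51.100.7"),  # Internet host
    ("eth1", "172.31.31.50"),  # LAN address arriving from outside: a real spoof
]

def evaluate(topology):
    """Verdict for each sample packet under the given topology."""
    return [antispoof_verdict(topology, iface, src) for iface, src in packets]

if __name__ == "__main__":
    for name, topo in (("stale", stale), ("fresh", fresh)):
        print(name, evaluate(topo))
```

With the stale topology both legitimate packets are dropped and the spoofed one is accepted; after the topology is refreshed the verdicts invert.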

#7 Zulan, 2006-01-10
Re: Upgrading from r55 to ngx doesn't work

YES! fw unloadlocal worked! I have my connectivity back. It will be so much easier to troubleshoot from here!

I have to go home now but I will continue tomorrow, trying everything jobroco said. I will report back here.

I really want to thank you guys for helping me out!

#8 Zulan, 2006-01-11
Re: Upgrading from r55 to ngx doesn't work

Just wanted to say that after using your recommendations, my firewall started to work! I am the happiest camper alive right now!

Thanks again!