PDA

View Full Version : R65 P1 to R75 smart-1 standalone?



jmcgrady
2011-03-22, 03:03
We have a client leaving our management. They have asked for an export of their rulesets and objects from our Provider-1 R65 environment which they wish to import into a standalone R75 Smart-1 (non Provider-1). I cant see any instructions on the checkpoint site as to how this can be accomplished.

Thorpuse
2011-03-22, 03:50
That's because there isn't really one. Options :

1. Use the migrate scripts from R75 to dump their CMA. Potential risk of information leakage depending on how independent your CMA and rules really are. Not even sure this would actually work, even.
2. Use odumper or confwiz to extract the objects and rules, and pass that on in a .csv or .xml format. This leaves the customer more effort to reconstruct, but less effort than starting from scratch.

PM me if you need some additional ideas.

msjouw
2011-03-22, 03:58
With option 1 do keep in mind that if you have a Global policy on it you need to remove that first before exporting as this is not exportable and can certainly not be imported. And make sure you get the upgrade_export tools from the R75 ISO

jmcgrady
2011-03-22, 04:36
Thanks for the prompt reply. It was my understanding that upgrade_export under R65 isnt supported by Checkpoint. There is a thread on this forum describing a way of hacking upgrade_export under p-1. But it wasnt clear whether the output would require a P-1 destination or not.

Thankfully the customers rules and objects are independent of other clients. We have exported their CMA. However, cp_merge version mismatch was an issue. The policies and objects are large, so we are trying to avoid a manual rebuild. The archive produced by the CMA export has everything as held under the directory /opt/CPmds-R65/customers/CMA_CUSTOMER/CPsuite-R65/fw1/conf.
The conf directory holds files such as the customer-wide objects_5_0.C, rulebases_5_0.fws, and individual policy .W and .pf files. In addition, there is a subdirectory for each policy which holds its own files such as objects_5_0.C and rulebases_5_0.fws.

The R75 Smart-1 which will be managing their gateways is currently empty. I do not know how to take the CMA exported files and import them into Smart-1.

Thorpuse
2011-03-22, 04:43
This is why using odumper and/or confwiz might be better in this case. It won't copy everything, but it should be enough so that the customer can have most of the heavy lifting of policy reconstruction done for them. Ultimately, it'll be a cleaner install as well.

jmcgrady
2011-03-22, 23:12
I'm trying an intermediate machine. I've built an R65 smartcenter and copied the CMA export across. Using cp_merge ive managed to import the objects. Now i'm trying to work out how to pull in individual policies. Once this process is complete i'll do an upgrade_export and see if upgrade_import on the R75 Smart-1 accepts it.

jmcgrady
2011-03-24, 01:44
Using an intermediate machine is going well. I built an R65 manager and copied the objects_5_0.C and rulebases_5_0.fws to it. After a reboot it lists the original policies and objects. I'm now migrating this to R75.