CPUG: The Check Point User Group


Thread: Migrating from third-party

  1. #1
    Migrating from third-party

    Hi

    I'm migrating a client from an outsourced provider and am currently at the planning stage.

    I think the steps are as follows:

    Ensure access to firewalls/clusters from our addresses on Checkpoint ports
    Export policy from current MDSM
    Import to our MDSM (test)
    Ensure everything is brought across correctly
    License
    Final export from current MDSM
    Final import to our MDSM

    Does that look about right?

    I believe SIC is independent of IP, but not hostname - is that right? So, provided I don't change the hostname when building the new MDSM, SIC should be OK?

    Thanks, in advance

  2. #2
    Re: Migrating from third-party

    More or less okay. Some notes:

    1. Test in the lab first; some imports may be problematic.
    2. Before exporting, make sure there are no global policies. If there are, you will have to migrate them as well.
    3. The MDS object name is used to sign the root certificate on each of the CMAs. If this is a problem for you, it is best to reset the CMA CA as part of the migration and then re-establish SIC with the GWs.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Re: Migrating from third-party

    Slight Modification

    At current Provider

    1.) Create Host Object with the IP of your DMN on your MDS
    2.) Create Rules allowing your DMN IP Addresses access to the Check Point Gateways with the Check Point Services - easiest way is to simply allow All Services
    3.) Create Host Object with the IP that you will be seen as in terms of Platform Management, i.e. SSH, HTTPS
    4.) Create Rules allowing your IP Addresses access to the Check Point Gateways with the Check Point Services - easiest way is to simply allow All Services
    5.) Install Policy to the Gateways
    6.) Delete the new Rule and Host Object you created in Steps 1 - 2
    7.) Implement Change Freeze and no further Changes to the Gateway Policies
    8.) Use the Migrate Export command to export the existing DMN/SMS
    9.) Transfer File to YOU securely

    At your end

    1.) Build a new DMN. It doesn't have to use the same name as before, but it must use the same IP as you provided to the current provider. Do NOT start the DMN
    2.) migrate import the file provided from the current provider
    3.) Start the DMN
    4.) Relicense the Gateways Licenses and attach to the Gateways
    5.) Install Policy to the Gateways
    6.) Have Customer Test Services

    SIC is independent of hostname and IP address. It relies on the ICA from the Management Server, which generates the certificates used within Check Point. As it is the same ICA, it is accepted. The current supplier needs to add an object with your DMN IP to allow the policy access through the firewall itself (the gateway doesn't see your DMN as a Management Server at this stage). After the install they delete it, as otherwise the IP conflicts with the DMN object, because the Management Server IP will change to that during the import and will cause issues. This is why they have to implement a change freeze once the rule with your DMN is installed and then removed from the Management.

    You can only import once into a DMN, and it should be done BEFORE you start it the first time. If you start before the import, then delete the DMN and start again.
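
A pre-cutover reachability check for the access the provider-side steps above are meant to permit, as an added example that is not part of the original thread: each probe is bound to the DMN address (Check Point services) or the platform-management address (SSH, HTTPS), so it has to run on a host that holds those addresses. The port numbers and the sample addresses are assumptions, not values from the thread.

```python
import socket

# Assumed port sets (not from the thread): commonly documented Check Point
# management-to-gateway services; confirm against your version's port list.
CP_MGMT_TO_GW = {"FW1": 256, "CPD": 18191, "CPD_amon": 18192, "FW1_ica_push": 18211}
PLATFORM_MGMT = {"ssh": 22, "https": 443}

def probe(dst, port, src_ip, timeout=3.0):
    """One TCP connect from src_ip; returns open/refused/filtered/src-unavailable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.bind((src_ip, 0))       # force the source address the rule was written for
        except OSError:
            return "src-unavailable"  # this host does not hold src_ip
        s.connect((dst, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"              # RST came back: closed port or a reject rule
    except OSError:
        return "filtered"             # timeout or unreachable: likely dropped
    finally:
        s.close()

def precheck(gateways, dmn_ip, admin_ip, cp_ports=CP_MGMT_TO_GW,
             admin_ports=PLATFORM_MGMT, timeout=3.0):
    """Return (gateway, service, port, source, state) for every check that is not open."""
    failures = []
    for gw in gateways:
        # DMN address is tested on Check Point services, admin address on SSH/HTTPS.
        for src, services in ((dmn_ip, cp_ports), (admin_ip, admin_ports)):
            for name, port in services.items():
                state = probe(gw, port, src, timeout)
                if state != "open":
                    failures.append((gw, name, port, src, state))
    return failures

if __name__ == "__main__":
    # Constructed placeholder addresses (documentation ranges), not from the thread.
    for row in precheck(["192.0.2.1", "192.0.2.2"], "198.51.100.10", "198.51.100.20"):
        print("NOT READY: gw=%s svc=%s/%d src=%s -> %s" % row)
```

An empty result means every gateway answered on every port from the expected source address; a "filtered" row from the DMN address points at the temporary rule not being installed on that gateway.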

  4. #4
    Re: Migrating from third-party

    That's brilliant information, thanks folks
