Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2732
  • Last Modified:

How can I move Checkpoint Objects and Rulebase from NG to NGX?

My Checkpoint NG installation will not allow me to login to the Policy Editor.  It seems there is something wrong with the Management Server.  Since it's in the live environment I didn't want to do too much troubleshooting on it.  I have a cold spare that is installed with NGX.  I want to move the rulebase and objects from the NG install to the NGX install.  Can anyone tell me how to do this?  I've tried the backup and restore features, but it didn't seem to work.  I also tried moving the .c files to the new machine and the NGX Smart Dashboard just kept crashing.

Thanks so much.
0
dnaughton
Asked:
dnaughton
  • 3
  • 2
1 Solution
 
grimkinCommented:
hiya, you need to run upgrade_export from the NGX cd on your NG installation - this will export it in the format you need to import it into a new NGX installation.

Once you have the upgrade_export.tgz file, ftp it into your new ngx box and run upgrade_import from the $FWDIR/upgrade_tools directory.

Hope this helps with the export but if you want a hand troubleshooting the policy editor then post up the errors you're seeing when trying to log in.
0
 
dnaughtonAuthor Commented:
I found the upgrade_tools directory located at /opt/CPsuite-R60/bin/upgrade_tools in the NGX (cold spare) box.  I've never used this utility before.  Should I just be able to run it at a command prompt?  NGX is installed on IPSO 3.6.  It's a Nokia IP530 appliance.  I tried just typing upgrade_export at the command prompt, but get an error.  See below:

pwd
/opt/CPsuite-R60/bin/upgrade_tools
njp530-fw[admin]# upgrade_export
upgrade_export: Command not found.

What am I missing?
0
 
grimkinCommented:
hiya, try putting ./ in front if you're running it from that directory, otherwise execute it with the full path: e.g. /opt/CPsuite-R60/bin/upgrade_tools/upgrade_export

Note: You need to run the upgrade_export from your NGX R60 box on your NG installation so you will need to ftp it or copy it somehow from your cold spare to your live box and run it there. This will export your configuration in a format that your NGX can import. You then take the resulting file from the NG and put it on your NGX box and run upgrade_import from that same directory.
0
 
dnaughtonAuthor Commented:
Hi Again,

Well your advice definitely got me further than before.  I was able to use the upgrade_export from the NG box and take the package to the NGX box (cold spare).  I was able to upgrade_import the package onto the cold spare NGX.  However, there is now some sort of licensing issue.  It seems like when I imported the information it also imported the license from the NG box.  It gave me messages asking me to do a License_upgrade on the license.  I didn't want to upgrade the license because I still need it on the NG box.  So instead I tried to delete the one it brought in and replace it with the evalauation license Checkpoint gave me to use.  The eval license is already for NGX.  That didn't seem to work either.  It is now giving me the following message:

The connection has been refused due to one of following SmartCenter Server certificate problems:
1.  The SmartCenter Server's clock is not setup properly.
2.  The certificate's issue date is later than the date of the SmartCenter Server's clock.
3.  The GuI Client's clock and the SmartCenter Server's clock are not synchronized.
4.  The certificate has expired.
5.  The certificate is invalid.

OK button appears

I'm not sure where to go from here.  I don't mind using only the evaluation license because we are in the process of ordering new firewalls and I expect we'll have them here within the next month.  It's just that at this point I can't get into the policy editor of the existing NG and if we need to make a change we're in trouble.  

Here's something else I found interesting.  I read somewhere on EE that the certificates for checkpoint expire after 5 years by default.  I believe we last configured the existing firewall back in 2002.  Do you think it's possible that the certifcates are expired on the objects and that the problem that I currently have on the NG firewall actually exported out of the NG firewall and imported into the NGX firewall just by nature of the objects having expired certificates?  Is it possible that the NGX version gives this error message and the NG version just doesn't let me log in?  It's just a thought.  I really don't know if it's a stretch or possible.

Thanks so much.
0
 
dnaughtonAuthor Commented:
Hi again...

I was able to get past the last message I posted on the NGX (cold spare) box.  I used the following commands:

fwm sic_reset
cpconfig

within cpconfig I choose certificate authority and defined a new one.
Then when I logged into the Policy Editor it gave me the new fingerprint which I was able to compare to the old.

Now I'm just having a problem with the spoofing.  Despite the fact that I turned anti-spoofing off on both of the interfaces (internal and external) I'm still dropping all my traffic on rule 0 with a message:  local interface spoofing error.

Do I need to start a new thread to solve the spoofing error?

Thanks so much
0

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now