How can I move Checkpoint Objects and Rulebase from NG to NGX?

Posted on 2007-11-19
Last Modified: 2013-11-16
My Checkpoint NG installation will not allow me to login to the Policy Editor.  It seems there is something wrong with the Management Server.  Since it's in the live environment I didn't want to do too much troubleshooting on it.  I have a cold spare that is installed with NGX.  I want to move the rulebase and objects from the NG install to the NGX install.  Can anyone tell me how to do this?  I've tried the backup and restore features, but it didn't seem to work.  I also tried moving the .c files to the new machine and the NGX Smart Dashboard just kept crashing.

Thanks so much.
Question by:dnaughton

Accepted Solution

grimkin earned 500 total points
ID: 20314784
hiya, you need to run upgrade_export from the NGX cd on your NG installation - this will export it in the format you need to import it into a new NGX installation.

Once you have the upgrade_export.tgz file, ftp it into your new ngx box and run upgrade_import from the $FWDIR/upgrade_tools directory.

Hope this helps with the export but if you want a hand troubleshooting the policy editor then post up the errors you're seeing when trying to log in.

Author Comment

ID: 20315505
I found the upgrade_tools directory located at /opt/CPsuite-R60/bin/upgrade_tools in the NGX (cold spare) box.  I've never used this utility before.  Should I just be able to run it at a command prompt?  NGX is installed on IPSO 3.6.  It's a Nokia IP530 appliance.  I tried just typing upgrade_export at the command prompt, but get an error.  See below:

njp530-fw[admin]# upgrade_export
upgrade_export: Command not found.

What am I missing?

Expert Comment

ID: 20318741
hiya, try putting ./ in front if you're running it from that directory, otherwise execute it with the full path: e.g. /opt/CPsuite-R60/bin/upgrade_tools/upgrade_export

Note: You need to run the upgrade_export from your NGX R60 box on your NG installation so you will need to ftp it or copy it somehow from your cold spare to your live box and run it there. This will export your configuration in a format that your NGX can import. You then take the resulting file from the NG and put it on your NGX box and run upgrade_import from that same directory.

Author Comment

ID: 20321491
Hi Again,

Well your advice definitely got me further than before.  I was able to use the upgrade_export from the NG box and take the package to the NGX box (cold spare).  I was able to upgrade_import the package onto the cold spare NGX.  However, there is now some sort of licensing issue.  It seems like when I imported the information it also imported the license from the NG box.  It gave me messages asking me to do a License_upgrade on the license.  I didn't want to upgrade the license because I still need it on the NG box.  So instead I tried to delete the one it brought in and replace it with the evaluation license Checkpoint gave me to use.  The eval license is already for NGX.  That didn't seem to work either.  It is now giving me the following message:

The connection has been refused due to one of following SmartCenter Server certificate problems:
1.  The SmartCenter Server's clock is not setup properly.
2.  The certificate's issue date is later than the date of the SmartCenter Server's clock.
3.  The GuI Client's clock and the SmartCenter Server's clock are not synchronized.
4.  The certificate has expired.
5.  The certificate is invalid.

OK button appears

I'm not sure where to go from here.  I don't mind using only the evaluation license because we are in the process of ordering new firewalls and I expect we'll have them here within the next month.  It's just that at this point I can't get into the policy editor of the existing NG and if we need to make a change we're in trouble.  

Here's something else I found interesting.  I read somewhere on EE that the certificates for Checkpoint expire after 5 years by default.  I believe we last configured the existing firewall back in 2002.  Do you think it's possible that the certificates are expired on the objects and that the problem that I currently have on the NG firewall actually exported out of the NG firewall and imported into the NGX firewall just by nature of the objects having expired certificates?  Is it possible that the NGX version gives this error message and the NG version just doesn't let me log in?  It's just a thought.  I really don't know if it's a stretch or possible.

Thanks so much.
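
An added example, not part of the thread and not Check Point tooling: a small triage that maps the five causes listed in the dialog above onto date comparisons between the server clock, the GUI client clock and a certificate's validity period. The five-year lifetime is the poster's recollection, and the issue dates, clock values and skew tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance; the thread gives no figure

def validity_window(issued, years):
    """Validity period of a certificate issued at `issued` that lasts `years` years."""
    return issued, issued.replace(year=issued.year + years)

def triage(server_now, client_now, not_before, not_after):
    """Numbered causes from the dialog that the supplied times can explain.

    Call it only after the dialog has appeared: when every date check passes,
    the one listed cause left is 5 (invalid certificate).
    """
    causes = []
    if server_now < not_before:
        causes += [1, 2]   # server clock is behind the issue date
    if abs(client_now - server_now) > MAX_SKEW:
        causes.append(3)   # GUI client and server clocks disagree
    if server_now > not_after:
        causes.append(4)   # expired as seen by the server
    return causes or [5]

# Constructed sample: the thread says only "back in 2002" and "5 years".
OLD = validity_window(datetime(2002, 11, 18, 9, 0), 5)
NEW = validity_window(datetime(2007, 11, 20, 9, 0), 5)
NOW = datetime(2007, 11, 20, 10, 0)

def run_samples():
    return {
        "imported 2002 certificate": triage(NOW, NOW + timedelta(minutes=1), *OLD),
        "re-issued, clocks agree": triage(NOW, NOW + timedelta(minutes=1), *NEW),
        "re-issued, server clock reset": triage(datetime(2000, 1, 1), NOW, *NEW),
    }

if __name__ == "__main__":
    for name, causes in run_samples().items():
        print(f"{name}: causes {causes}")
```

A certificate carried across by an export and import keeps its original validity period, so the first sample gives the same answer on whichever box evaluates it.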

Author Comment

ID: 20323282
Hi again...

I was able to get past the last message I posted on the NGX (cold spare) box.  I used the following commands:

fwm sic_reset

Within cpconfig I chose certificate authority and defined a new one.
Then when I logged into the Policy Editor it gave me the new fingerprint which I was able to compare to the old.

Now I'm just having a problem with the spoofing.  Despite the fact that I turned anti-spoofing off on both of the interfaces (internal and external) I'm still dropping all my traffic on rule 0 with a message:  local interface spoofing error.

Do I need to start a new thread to solve the spoofing error?

Thanks so much

Question has a verified solution.