How can I move Checkpoint Objects and Rulebase from NG to NGX?

Posted on 2007-11-19
Medium Priority
Last Modified: 2013-11-16
My Checkpoint NG installation will not allow me to log in to the Policy Editor. It seems there is something wrong with the Management Server. Since it's in the live environment I didn't want to do too much troubleshooting on it. I have a cold spare that is installed with NGX. I want to move the rulebase and objects from the NG install to the NGX install. Can anyone tell me how to do this? I've tried the backup and restore features, but it didn't seem to work. I also tried moving the .c files to the new machine and the NGX Smart Dashboard just kept crashing.

Thanks so much.
Question by: dnaughton

Accepted Solution

grimkin earned 2000 total points
ID: 20314784
Hiya, you need to run upgrade_export from the NGX CD on your NG installation - this will export it in the format you need to import it into a new NGX installation.

Once you have the upgrade_export.tgz file, FTP it onto your new NGX box and run upgrade_import from the $FWDIR/upgrade_tools directory.

Hope this helps with the export but if you want a hand troubleshooting the policy editor then post up the errors you're seeing when trying to log in.

Author Comment

ID: 20315505
I found the upgrade_tools directory located at /opt/CPsuite-R60/bin/upgrade_tools in the NGX (cold spare) box.  I've never used this utility before.  Should I just be able to run it at a command prompt?  NGX is installed on IPSO 3.6.  It's a Nokia IP530 appliance.  I tried just typing upgrade_export at the command prompt, but get an error.  See below:

njp530-fw[admin]# upgrade_export
upgrade_export: Command not found.

What am I missing?
Expert Comment

ID: 20318741
Hiya, try putting ./ in front if you're running it from that directory; otherwise execute it with the full path, e.g. /opt/CPsuite-R60/bin/upgrade_tools/upgrade_export

Note: You need to run the upgrade_export from your NGX R60 box on your NG installation so you will need to ftp it or copy it somehow from your cold spare to your live box and run it there. This will export your configuration in a format that your NGX can import. You then take the resulting file from the NG and put it on your NGX box and run upgrade_import from that same directory.

Author Comment

ID: 20321491
Hi Again,

Well, your advice definitely got me further than before. I was able to use the upgrade_export from the NG box and take the package to the NGX box (cold spare). I was able to upgrade_import the package onto the cold spare NGX. However, there is now some sort of licensing issue. It seems like when I imported the information it also imported the license from the NG box. It gave me messages asking me to do a License_upgrade on the license. I didn't want to upgrade the license because I still need it on the NG box. So instead I tried to delete the one it brought in and replace it with the evaluation license Checkpoint gave me to use. The eval license is already for NGX. That didn't seem to work either. It is now giving me the following message:

The connection has been refused due to one of following SmartCenter Server certificate problems:
1.  The SmartCenter Server's clock is not setup properly.
2.  The certificate's issue date is later than the date of the SmartCenter Server's clock.
3.  The GuI Client's clock and the SmartCenter Server's clock are not synchronized.
4.  The certificate has expired.
5.  The certificate is invalid.

OK button appears

I'm not sure where to go from here.  I don't mind using only the evaluation license because we are in the process of ordering new firewalls and I expect we'll have them here within the next month.  It's just that at this point I can't get into the policy editor of the existing NG and if we need to make a change we're in trouble.  

Here's something else I found interesting. I read somewhere on EE that the certificates for Checkpoint expire after 5 years by default. I believe we last configured the existing firewall back in 2002. Do you think it's possible that the certificates are expired on the objects and that the problem that I currently have on the NG firewall actually exported out of the NG firewall and imported into the NGX firewall just by nature of the objects having expired certificates? Is it possible that the NGX version gives this error message and the NG version just doesn't let me log in? It's just a thought. I really don't know if it's a stretch or possible.

Thanks so much.

Author Comment

ID: 20323282
Hi again...

I was able to get past the last message I posted on the NGX (cold spare) box.  I used the following commands:

fwm sic_reset

Within cpconfig I chose certificate authority and defined a new one.
Then when I logged into the Policy Editor it gave me the new fingerprint, which I was able to compare to the old.

Now I'm just having a problem with the spoofing. Despite the fact that I turned anti-spoofing off on both of the interfaces (internal and external), I'm still dropping all my traffic on rule 0 with a message: local interface spoofing error.

Do I need to start a new thread to solve the spoofing error?

Thanks so much
