How can I move Checkpoint Objects and Rulebase from NG to NGX?

Posted on 2007-11-19
Last Modified: 2013-11-16
My Checkpoint NG installation will not allow me to login to the Policy Editor.  It seems there is something wrong with the Management Server.  Since it's in the live environment I didn't want to do too much troubleshooting on it.  I have a cold spare that is installed with NGX.  I want to move the rulebase and objects from the NG install to the NGX install.  Can anyone tell me how to do this?  I've tried the backup and restore features, but it didn't seem to work.  I also tried moving the .c files to the new machine and the NGX Smart Dashboard just kept crashing.

Thanks so much.
Question by: dnaughton

Accepted Solution

grimkin earned 500 total points
ID: 20314784
hiya, you need to run upgrade_export from the NGX cd on your NG installation - this will export it in the format you need to import it into a new NGX installation.

Once you have the upgrade_export.tgz file, ftp it into your new ngx box and run upgrade_import from the $FWDIR/upgrade_tools directory.

Hope this helps with the export but if you want a hand troubleshooting the policy editor then post up the errors you're seeing when trying to log in.

Author Comment

ID: 20315505
I found the upgrade_tools directory located at /opt/CPsuite-R60/bin/upgrade_tools in the NGX (cold spare) box.  I've never used this utility before.  Should I just be able to run it at a command prompt?  NGX is installed on IPSO 3.6.  It's a Nokia IP530 appliance.  I tried just typing upgrade_export at the command prompt, but get an error.  See below:

njp530-fw[admin]# upgrade_export
upgrade_export: Command not found.

What am I missing?

Expert Comment

ID: 20318741
hiya, try putting ./ in front if you're running it from that directory, otherwise execute it with the full path: e.g. /opt/CPsuite-R60/bin/upgrade_tools/upgrade_export

Note: You need to run the upgrade_export from your NGX R60 box on your NG installation so you will need to ftp it or copy it somehow from your cold spare to your live box and run it there. This will export your configuration in a format that your NGX can import. You then take the resulting file from the NG and put it on your NGX box and run upgrade_import from that same directory.

Author Comment

ID: 20321491
Hi Again,

Well, your advice definitely got me further than before.  I was able to use the upgrade_export from the NG box and take the package to the NGX box (cold spare).  I was able to upgrade_import the package onto the cold spare NGX.  However, there is now some sort of licensing issue.  It seems like when I imported the information it also imported the license from the NG box.  It gave me messages asking me to do a License_upgrade on the license.  I didn't want to upgrade the license because I still need it on the NG box.  So instead I tried to delete the one it brought in and replace it with the evaluation license Checkpoint gave me to use.  The eval license is already for NGX.  That didn't seem to work either.  It is now giving me the following message:

The connection has been refused due to one of following SmartCenter Server certificate problems:
1.  The SmartCenter Server's clock is not setup properly.
2.  The certificate's issue date is later than the date of the SmartCenter Server's clock.
3.  The GuI Client's clock and the SmartCenter Server's clock are not synchronized.
4.  The certificate has expired.
5.  The certificate is invalid.

OK button appears

I'm not sure where to go from here.  I don't mind using only the evaluation license because we are in the process of ordering new firewalls and I expect we'll have them here within the next month.  It's just that at this point I can't get into the policy editor of the existing NG and if we need to make a change we're in trouble.  

Here's something else I found interesting.  I read somewhere on EE that the certificates for checkpoint expire after 5 years by default.  I believe we last configured the existing firewall back in 2002.  Do you think it's possible that the certificates are expired on the objects and that the problem that I currently have on the NG firewall actually exported out of the NG firewall and imported into the NGX firewall just by nature of the objects having expired certificates?  Is it possible that the NGX version gives this error message and the NG version just doesn't let me log in?  It's just a thought.  I really don't know if it's a stretch or possible.

Thanks so much.
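
The error dialog quoted in the comment above lists five possible causes; three of them can be checked mechanically from a certificate's validity dates and the two clocks. The following is an added example, not part of the original thread and not Check Point code. It assumes the validity dates are available in the text format printed by `openssl x509 -noout -dates`; the sample dates, the function names and the 5-minute skew tolerance are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: validity dates in the text format printed by
# `openssl x509 -noout -dates` (illustrative values, not from the thread).
SAMPLE_DATES = """notBefore=Nov 18 09:30:00 2002 GMT
notAfter=Nov 17 09:30:00 2007 GMT"""

_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def parse(value):
        return datetime.strptime(value.strip(), _FMT).replace(tzinfo=timezone.utc)

    return parse(fields["notBefore"]), parse(fields["notAfter"])


def triage(dates_text, server_now, client_now, max_skew=timedelta(minutes=5)):
    """Return the numbered causes from the error dialog that the inputs support.

    Causes 1 (server clock wrong) and 5 (certificate invalid) cannot be
    decided from dates alone, so they are never returned here.
    max_skew is an assumed tolerance, not a documented product value.
    """
    not_before, not_after = parse_dates(dates_text)
    causes = []
    if not_before > server_now:
        causes.append(2)  # issue date is later than the server clock
    if abs(server_now - client_now) > max_skew:
        causes.append(3)  # GUI client and server clocks are not synchronized
    if server_now > not_after:
        causes.append(4)  # certificate has expired
    return causes


if __name__ == "__main__":
    now = datetime(2007, 11, 20, 12, 0, tzinfo=timezone.utc)
    print(triage(SAMPLE_DATES, server_now=now, client_now=now))
```
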

Author Comment

ID: 20323282
Hi again...

I was able to get past the last message I posted on the NGX (cold spare) box.  I used the following commands:

fwm sic_reset

Within cpconfig I chose certificate authority and defined a new one.
Then when I logged into the Policy Editor it gave me the new fingerprint which I was able to compare to the old.

Now I'm just having a problem with the spoofing.  Despite the fact that I turned anti-spoofing off on both of the interfaces (internal and external) I'm still dropping all my traffic on rule 0 with a message:  local interface spoofing error.

Do I need to start a new thread to solve the spoofing error?

Thanks so much
