Solved

How can I move Checkpoint Objects and Rulebase from NG to NGX?

Posted on 2007-11-19
Last Modified: 2013-11-16
My Checkpoint NG installation will not allow me to log in to the Policy Editor.  It seems there is something wrong with the Management Server.  Since it's in the live environment I didn't want to do too much troubleshooting on it.  I have a cold spare that is installed with NGX.  I want to move the rulebase and objects from the NG install to the NGX install.  Can anyone tell me how to do this?  I've tried the backup and restore features, but it didn't seem to work.  I also tried moving the .c files to the new machine and the NGX Smart Dashboard just kept crashing.

Thanks so much.
0
Question by:dnaughton
LVL 14

Accepted Solution

by:
grimkin earned 500 total points
ID: 20314784
Hiya, you need to run upgrade_export from the NGX CD on your NG installation - this will export it in the format you need to import it into a new NGX installation.

Once you have the upgrade_export.tgz file, FTP it to your new NGX box and run upgrade_import from the $FWDIR/upgrade_tools directory.

Hope this helps with the export but if you want a hand troubleshooting the policy editor then post up the errors you're seeing when trying to log in.
0
 

Author Comment

by:dnaughton
ID: 20315505
I found the upgrade_tools directory located at /opt/CPsuite-R60/bin/upgrade_tools in the NGX (cold spare) box.  I've never used this utility before.  Should I just be able to run it at a command prompt?  NGX is installed on IPSO 3.6.  It's a Nokia IP530 appliance.  I tried just typing upgrade_export at the command prompt, but get an error.  See below:

pwd
/opt/CPsuite-R60/bin/upgrade_tools
njp530-fw[admin]# upgrade_export
upgrade_export: Command not found.

What am I missing?
0
 
LVL 14

Expert Comment

by:grimkin
ID: 20318741
Hiya, try putting ./ in front if you're running it from that directory, otherwise execute it with the full path: e.g. /opt/CPsuite-R60/bin/upgrade_tools/upgrade_export

Note: You need to run the upgrade_export from your NGX R60 box on your NG installation so you will need to ftp it or copy it somehow from your cold spare to your live box and run it there. This will export your configuration in a format that your NGX can import. You then take the resulting file from the NG and put it on your NGX box and run upgrade_import from that same directory.
0
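An added example, not part of the original thread and not Check Point tooling: a checksum and readability check around the copy step described above, so an archive damaged in transit (for instance by an FTP session left in ASCII mode) is caught before upgrade_import is run. It assumes a host with sha256sum and tar; the function names and the sample archive are constructed for illustration.

```shell
#!/bin/sh
# Integrity check for an exported archive that is copied between two hosts.
# Function names and sample data are hypothetical, built only for this demo.

# Source side: write <archive>.sha256 next to the archive.
record_checksum() {
    dir=$(dirname "$1"); base=$(basename "$1")
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" )
}

# Destination side: return 0 only if the checksum matches AND the
# gzip/tar structure can be listed end to end; 1 on damage, 2 if the
# checksum file was not copied along with the archive.
verify_archive() {
    dir=$(dirname "$1"); base=$(basename "$1")
    [ -f "$dir/$base.sha256" ] || { echo "no checksum file for $base" >&2; return 2; }
    ( cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1 ) \
        || { echo "checksum mismatch: $base" >&2; return 1; }
    tar -tzf "$1" >/dev/null 2>&1 \
        || { echo "archive unreadable: $base" >&2; return 1; }
    return 0
}

# Demo on constructed data: one clean copy, one truncated copy.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/dst" "$work/conf"
    echo "constructed placeholder, not real firewall data" > "$work/conf/objects.txt"
    tar -czf "$work/src/upgrade_export.tgz" -C "$work" conf
    record_checksum "$work/src/upgrade_export.tgz"

    # Clean transfer: archive and checksum file arrive unchanged.
    cp "$work/src/upgrade_export.tgz" "$work/src/upgrade_export.tgz.sha256" "$work/dst/"
    verify_archive "$work/dst/upgrade_export.tgz" && good=0 || good=$?

    # Damaged transfer: only the first 20 bytes arrive.
    head -c 20 "$work/src/upgrade_export.tgz" > "$work/dst/upgrade_export.tgz"
    verify_archive "$work/dst/upgrade_export.tgz" 2>/dev/null && bad=0 || bad=$?

    rm -rf "$work"
    echo "$good $bad"
}

demo   # prints "0 1": clean copy accepted, truncated copy rejected
```

Run record_checksum where the archive is created and verify_archive where it lands, and only proceed to the import when it returns 0.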
 

Author Comment

by:dnaughton
ID: 20321491
Hi Again,

Well your advice definitely got me further than before.  I was able to use the upgrade_export from the NG box and take the package to the NGX box (cold spare).  I was able to upgrade_import the package onto the cold spare NGX.  However, there is now some sort of licensing issue.  It seems like when I imported the information it also imported the license from the NG box.  It gave me messages asking me to do a License_upgrade on the license.  I didn't want to upgrade the license because I still need it on the NG box.  So instead I tried to delete the one it brought in and replace it with the evaluation license Checkpoint gave me to use.  The eval license is already for NGX.  That didn't seem to work either.  It is now giving me the following message:

The connection has been refused due to one of following SmartCenter Server certificate problems:
1.  The SmartCenter Server's clock is not setup properly.
2.  The certificate's issue date is later than the date of the SmartCenter Server's clock.
3.  The GuI Client's clock and the SmartCenter Server's clock are not synchronized.
4.  The certificate has expired.
5.  The certificate is invalid.

OK button appears

I'm not sure where to go from here.  I don't mind using only the evaluation license because we are in the process of ordering new firewalls and I expect we'll have them here within the next month.  It's just that at this point I can't get into the policy editor of the existing NG and if we need to make a change we're in trouble.  

Here's something else I found interesting.  I read somewhere on EE that the certificates for Checkpoint expire after 5 years by default.  I believe we last configured the existing firewall back in 2002.  Do you think it's possible that the certificates are expired on the objects and that the problem that I currently have on the NG firewall actually exported out of the NG firewall and imported into the NGX firewall just by nature of the objects having expired certificates?  Is it possible that the NGX version gives this error message and the NG version just doesn't let me log in?  It's just a thought.  I really don't know if it's a stretch or possible.

Thanks so much.
0
 

Author Comment

by:dnaughton
ID: 20323282
Hi again...

I was able to get past the last message I posted on the NGX (cold spare) box.  I used the following commands:

fwm sic_reset
cpconfig

Within cpconfig I chose certificate authority and defined a new one.
Then when I logged into the Policy Editor it gave me the new fingerprint which I was able to compare to the old.

Now I'm just having a problem with the spoofing.  Despite the fact that I turned anti-spoofing off on both of the interfaces (internal and external) I'm still dropping all my traffic on rule 0 with a message:  local interface spoofing error.

Do I need to start a new thread to solve the spoofing error?

Thanks so much
0
