From the Desktop to the Data Center...and everything in between!
Thursday, November 8, 2018
Migrating policies from a standalone Checkpoint gateway to a new management server
I was recently faced with an interesting scenario. A customer had a standalone Checkpoint gateway running R80.10 and wanted to migrate to a distributed configuration, with separate management. I researched how to do this and was surprised by the lack of clear answers.
A lot of the online solutions either refer to KBs which explicitly state that they do not apply to R80.10, or suggest that a migrate export should suffice. In my experience it doesn't: it errors out, explicitly stating that "Database migration between Standalone and Management only machines is not supported".
Below is the process I used to migrate my policies (firewall, NAT and Threat Prevention).
An interactive menu will appear; from here, make sure to specify:
- Output filename
- Layer to be exported
- Whether you want to export Threat-Prevention Layers
If you specified just a filename (rather than a full path), your export is written to the /tmp/ExportImportPolicyPackage-master/ folder. Now transfer this file to your destination management server. Use SCP or SFTP for the transfer: the archive contains your complete rulebase, so it should only travel over an encrypted channel.
In this instance I transferred it to the /tmp folder on the destination. If this is a new management server, I always delete the built-in Standard layer, as I've found that the NAT rules import is a bit all over the show otherwise.
You do this in SmartConsole under Security Policies -> Manage Policies -> Manage policies and Layers. Delete the layer and publish your changes.
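The transfer and pre-import clean-up steps above, as an added example that is not part of the original post and not the ExportImportPolicyPackage tool's own code. It assumes the export is a .tar.gz in the folder named above, that the new management server is reachable over SSH (the hostname and user below are placeholders), and that the built-in package on a fresh R80.10 management server is named "Standard"; the mgmt_cli calls (root login to a session file, delete package, publish) stand in for the SmartConsole clicks and delete the whole built-in package, which takes its layers with it. The script also checks the archive's SHA-256 digest on both sides so a truncated or tampered copy is never imported.

```shell
#!/bin/bash
# Added example: not code from the original post or from the ExportImportPolicyPackage tool.
# Wraps the "transfer, delete Standard, publish" steps with an integrity check on the archive.
# Assumptions (not stated on the page): the export is a .tar.gz written to EXPORT_DIR,
# the new management server is reachable over SSH, and its built-in package is named "Standard".
set -u

EXPORT_DIR="/tmp/ExportImportPolicyPackage-master"   # export location named in the post
DEST_HOST="${DEST_HOST:-mgmt.example.internal}"        # placeholder: the new management server
DEST_USER="${DEST_USER:-admin}"                        # placeholder: SSH user with expert access
SESSION_FILE="/tmp/mgmt_session.txt"                   # mgmt_cli session file on the destination

# SHA-256 digest of a file, printed as a bare hex string.
checksum_file() {
    sha256sum "$1" | awk '{print $1}'
}

# Succeeds only if the file's digest equals the expected one; run this on the
# destination before importing so a truncated or tampered archive is never loaded.
verify_checksum() {
    local file="$1" expected="$2"
    [ "$(checksum_file "$file")" = "$expected" ]
}

# Newest .tar.gz in the export directory (the archive extension is an assumption).
latest_export() {
    ls -t "$1"/*.tar.gz 2>/dev/null | head -n 1
}

# Copy the archive over SSH and recheck its digest on the far side; the archive
# holds the complete rulebase, so it should only ever travel over an encrypted channel.
transfer_export() {
    local archive="$1" digest
    digest="$(checksum_file "$archive")"
    scp "$archive" "$DEST_USER@$DEST_HOST:/tmp/" || return 1
    ssh "$DEST_USER@$DEST_HOST" \
        "printf '%s  /tmp/%s\n' '$digest' '$(basename "$archive")' | sha256sum -c -"
}

# Run on the destination management server (expert mode): remove the built-in
# package so the imported NAT rules do not collide with it, then publish.
# "-r true" logs in as the local root user and only works on the management server itself.
delete_standard_package() {
    mgmt_cli -r true login > "$SESSION_FILE" || return 1
    mgmt_cli -s "$SESSION_FILE" delete package name "Standard" \
        && mgmt_cli -s "$SESSION_FILE" publish
    local rc=$?
    mgmt_cli -s "$SESSION_FILE" logout
    rm -f "$SESSION_FILE"
    return $rc
}

# Source side: pick the export, print its digest, ship it. Guarded so that sourcing
# this file (or running it without RUN_MIGRATION=1) only defines the functions.
if [ "${RUN_MIGRATION:-0}" = "1" ]; then
    archive="$(latest_export "$EXPORT_DIR")"
    [ -n "$archive" ] || { echo "no export found in $EXPORT_DIR" >&2; exit 1; }
    echo "transferring $archive  sha256=$(checksum_file "$archive")"
    transfer_export "$archive"
fi
```

Run it on the source with `RUN_MIGRATION=1 ./migrate.sh` after the export has completed, then call `delete_standard_package` from expert mode on the destination before starting the import. Remove the archive from /tmp on both machines once the import has been published; it is a full copy of your policy.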
On the destination management server we now execute the script, just like we did on the source: