Thursday, November 8, 2018

Migrating policies from a standalone Checkpoint gateway to a new management server

I was recently faced with an interesting scenario.  A customer had a standalone Checkpoint gateway running R80.10 and wanted to migrate to a distributed configuration, with separate management.  I researched how to do this and was surprised with the lack of clear answers.

A lot of the online solutions here either refer to KB's which explicitly state that the KB does not apply to R80.10 that a migrate export should suffice.  In my experience it doesn't, it errors out explicitly stating that: "Database migration between Standalone and Management only machines is not supported".

Below is then the process I used to migrate my policies (firewall, NAT and Threat Prevention).

Requirements:

We'll need the CheckPoint API Python Development Kit:
https://github.com/CheckPointSW/cp_mgmt_api_python_sdk
And the CheckPoint Policy Import and Export tool

Lastly, make sure that your gateway and management servers are on the latest GA Jumbo Hotfix Accumulator.  This will ensure that there are no Python compatibility issues.

Download and Extract both on your Computer, using the d:\CP_Python folder for this example I then end up with this structure:
D:\CP_PYTHON
├───cp_mgmt_api_python_sdk-master
│ ├───examples_python2
│ ├───examples_python3

Now we need to move all files and folders under the d:\CP_PYTHON\cp_mgmt_api_python_sdk-master folder to the d:\CP_PYTHON\cp_mgmt_api_python_sdk folder.

Our folder structure then looks like this:
D:\CP_PYTHON
├───cp_mgmt_api_python_sdk-master
└───ExportImportPolicyPackage-master
├───cp_mgmt_api_python_sdk
│ ├───examples_python2
│ ├───examples_p
│ └───lib
└───ExportImportPolicyPackage-master
├───cp_mgmt_api_python_sdk
├───exporting
└───importing
python3
│ └───lib
├───exporting
└───importing

The next step is to transfer the ExportImportPolicyPackage-master folder to both our source and destination CheckPoints. In this case I've transferred to the /tmp folder on each.

[Expert@source1:0]# pwd
/tmp/ExportImportPolicyPackage-master

Now we execute the actual script, like so:

[Expert@source1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/import_export_package.py

An interactive menu system will appear, from here make sure to specify:
- Output filename
- Layer to be exported
- Whether you want to export Threat-Prevention Layers

If you just specified a filename, your export can be found under the /tmp/ExportImportPolicyPackage-master/ folder. Now transfer this file to your destination management server.

In this instance I've transferred it to my /tmp folder.  If this is a new management server, I always delete the built-in Standard Layer, as I've found that the NAT rules import is a bit all over the show otherwise.

This you do under Security Policies -> Manage Policies -> Manage policies and Layers. Delete and publish your changes.

On the destination gateway we now execute the script, just like we did on the source:

[Expert@dest1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/import_export_package.py

Once again, an interactive menu system will appear, from here make sure to specify:
- Import a Package
- Enter user credentials manually
- Specify custom name for imported package (I use Standard, remember to delete the built-in as per above)
- Run

The script will now:
- Create a Policy Package
- Import services
- Import objects
- Import access-layers
- Import access-rules
- Import NAT rules
- Import threat-layers
- Import network
- Import hosts
- Import threat-profiles
- Import groups

If you connect to the management server with SmartConsole, you should see all the above reflected.

No comments:

Post a Comment