SecureArmors

Pre-Migration Preparation

1. We collect exiting configuration file from juniper firewall.
2. Now we must separate hosts, Network Groups, Services objects, services group and policies from configuration files. as shown below screenshots.
3. Our goal is we need to convert our text file to CSV file using a custom python automation script. This is a very crucial part of the migration. (Because there is no standard tool to convert from checkpoint vendors). Here I show one of a python script.
4. Once we convert to CSV files, We need to push those CSV data into the checkpoint. For this process, we take advantage of checkpoint API’s by using mgmt._cli.exe and window custom batch scripts. Here I show one of the batch scripts.
5. Once we push all CSV data into checkpoint management server, check Network hosts, Network group, Network Range, services, Service groups, disabled policies, enabled policies are installed correctly or not.
6. Once pushed policies into checkpoint management server (smart console), verify policies. If there any duplicate removes according to the environment. However, Checkpoint doesn’t allow duplicate policies because we can’t able to install policies into new firewalls.
7. If you find any issue/error while performing in these above steps, I will discuss later some of the common troubleshot techniques.

Basic configuration for New checkpoint firewall

1. We have to collect DHCP Relay, Static routes, DHCP Servers list, Network Interfaces, trunk port(VLAN) from existing Juniper firewall. It may vary in every environment.
2. Set up management interface as per for existing Network.
3. Static Routes.
4. If DHCP Relay existing in the existing Network, we must create below rules.
   • Create a Global Broadcast host object
   • Create below policy in into every new firewall.
5. If you need a cluster to follow this: Setup Sync firewall.
   • Take two appropriate ethernet cables.
   • Connect the Firewall-1 “Sync” port to Firewall-2 “Sync” port.
   • Connect Firewall-1 any available port(eth1-8) to Firewall-2 port (eth1-8).
6. Set up static routes, DCHP policies. Set up an appropriate setting for an existing network and review the setting.
7. We run command “fw unloadlocal” on new checkpoint firewall, It will remove all policies from the Security Gateway (Cluster Member).
8. Once the basic setup finished, We will need to take backup and Snapshot of every individual new checkpoint firewalls.

On the Migration day.

1. Before start Migration Note down basic command for Troubleshooting:

Tcpdump: tcpdump -i eth1 port 49

2. Once swapping of wired connections from the old firewall to the new firewall is completed, we have check network connectivity test from the checkpoint management server to deployed new firewalls(checkpoint).
3. Once the connectivity test passed for both new firewalls servers, change Firewall Objects into DHCP Rules. Then We are good to create a cluster.
4. Please follow the below steps for creation of the cluster. Ref: “https://checkpointengineer.com/checkpoint-r80-20-cluster-configuration/”
5. Once set up Cluster done, We must monitor traffic for a few minutes and verify block traffic if there interrupt legitimate traffic.
6. Execute Multicast command: “cphaconf set_ccp multicast” in new checkpoint firewalls.
7. Now attach License. Please follow below reference link.
8. Ref: https://sc1.checkpoint.com/documents/R80/CP_R80_Gaia_IUG/html_frameset.htm?topic=documents/R80/CP_R80_Gaia_IUG/128324
9. Login to Gaia web portal(https://firewall_ip/) and verify “License and activation “status. If not activated in Gaia Follow Below Steps:
   • Login to FW1 via SSH
   • run cpconfig
   • choose 1 (Licenses and contracts)
   • Next, choose 2 (Manage contracts) and Next choose 3 (Fetch contracts Information from management server)
   • Verify again the License if now activated in Gaia
10. ** This is important step **: Go to Smart Console – Manage policies and layers è Edit the Site you are trying to migrate and change it to the Cluster name. EX: All Platform to – change to cluster name which created before.
11. Once the Policy Target is changed, click Install Policy
12. Perform user acceptance test (UAT)
13. If everything okay. Firewall Migration Completed.

Please feel free to post a comment if you have any questions.