R80.10 Best Practices – Migrating from R77.30

Captions
Hello, and a warm welcome to this video from Check Point Professional Services. In this video we are going to look at some of the best practices and procedures for migration from R77.30 to R80.10. This video is going to cover the optimization of the source database, the upgrade of the management station, the upgrade of one of the gateway members of a cluster to R80.10, the conversion of the security policy to a layered policy, and then lastly a demonstration of the API available from R80 and R80.10.

To make this video as useful and relevant as possible we took a real-world R77.30 database. This had many gateways in it but has been anonymized and has been left with a single cluster object for simplicity. The rulebase is 1200 rules, there are about 3000 objects, and like a regular Check Point policy it is not just access control but has additional blades in the form of IPS, Application Control, URL Filtering and threat prevention.

Here in SmartDashboard we can see this is a real policy. It is not a sample policy and it has approximately, give or take, 200 rules. There are also a large number of objects, some 3,000 of them. IPS is also in use, with one profile assigned to the gateway, and this will also be migrated as part of the process. Application Control and URL Filtering are also configured, enabled and running on the source database. Please note this policy looks very simple because we had to delete a number of rules to anonymize the database. Lastly, threat prevention is also configured, with Anti-Virus, Anti-Bot and Threat Emulation configured and enabled. This therefore represents a real-world database.

Before we import the policy we need to make sure that the database is clean, correct and accurate. Many databases have years' worth of unused objects, duplicate objects or erroneous configuration that is related to legacy applications, and these can be removed to reduce the size of the policy and to make policy management much easier, and to do this without compromising the security.

Check Point Professional Services provide the SmartOptimize service to customers. Given a CPinfo from the target environment we can analyze, make recommendations and identify potential weaknesses in the security policy. These include unused objects, rules that can be merged, and unused rules. Not only can we identify them, we can also use the internal tools to generate dbedit commands to automatically clean up the source database. Here we can see the output dbedit scripts from the SmartOptimize process, which we can then run against the database to clean up the objects, the policies, the rules and so on. Considering the amount of work required, this could take some time; however, this optimization process is incredibly valuable to customers and partners in keeping on top of their security. As we can see from the policy there are now fewer rules, because some rules have been merged with others. The objects database is also smaller and has been optimized. However, exactly the same security rules will be inspected, as we optimized, not changed, anything that was there. For more information on SmartOptimize please visit the Check Point website or contact us using the email address shown throughout this video.

With the source database optimized we can now move on to the upgrade to R80.10. To do this we are going to run the pre-upgrade verifier. We have chosen to do a fresh installation of R80.10 on new hardware; then we will import the optimized R77.30 configuration into R80.10; finally we are going to install the policy from R80.10 to the R77.30 cluster and verify that it is functional and operational. For the purposes of the video we are keeping the IP addresses the same between the old manager and the R80.10 manager.

For several versions now Check Point has provided free upgrade verification tools to give customers confidence that the upgrade is going to be successful. It identifies potential conflicts, naming issues, strange character issues, corruptions and so on, and these can be rectified before the upgrade, thus saving a lot of time. The tools are downloaded from the Check Point website or they are part of the R80.10 GA installation package. The syntax of the commands is fully documented but is similar to what you are used to if you have used these tools before. Generating the report from the pre-upgrade verifier may take some time, but please let it finish; the information it gives you is invaluable. It also saves the information in a text file and HTML as well as echoing it to the screen.

As you might expect from a real-world database, we did hit some issues. There were database corruptions, there was a cluster member without a parent cluster object, and there were also some Unicode characters, as the source database might have come from a country that did not have English as its native language, so there were lots of accents and other types of characters that needed to be resolved. It is highly important to follow these errors and warnings through fully. Errors will block the migration; warnings will allow the migration to continue, but do not accept any of the warnings unless you fully understand the implications of proceeding without considering that particular warning. More information is available in SecureKnowledge articles or from your Check Point contacts.

Once all the issues identified by the pre-upgrade verifier have been resolved, rerun the tool and make sure that it finishes without any errors or, ideally, any warnings. You are strongly recommended to resolve any warnings before doing the real upgrade, or to fully understand the consequences of ignoring that warning. Once we have the pre-upgrade verifier going through perfectly clean, then we can proceed as usual to do the migrate export. Again, this is using the R80.10 migration tools downloadable from the Check Point website. It will copy all of the files to a tgz file; this can then be copied to the machine ready for the import to the R80.10 management.

With the management exported we are now in a position where we can start to build a new R80.10 management. For the purpose of this video we are assuming that we are installing on clean hardware: firstly to get updated hardware, and secondly the rollback scenario is going to be to disconnect the new manager and plug the old manager back into the network, so we are reusing the same IP address. The installation wizard is the same familiar wizard, but this time it is installing R80.10. With the installation done the box reboots and we can use the Gaia web UI to go through the first time wizard. Yes, it has a new look and feel, but it has essentially the same functionality and features that you would expect from the Check Point first time wizard. This is being built as a standalone security management, no gateway components, and as a primary manager.

This machine has been built as a clean manager. It has an empty default database and has the same IP address as the old manager. This makes it perfect for importing the R77.30 configuration into it. You can use the tool of your choice to copy the exported file over to the new manager; store it in a sensible location so you can find it again. The R80.10 GA installation contains the import scripts necessary to start the import process. The import process may take some time, so it is important that you reset the automatic timeout so that you don't get locked out halfway through the import process; "unset TMOUT" (upper case) will prevent odd issues like that happening. The import may take some time. The migration wizard is the same one as before that we're all familiar with; however, it's not migrating from R77.30 to R77.40 or something, it is making a major change to the schema, so it will take some time. This can be monitored using top and by looking at the CPU utilization, or you can look at the migration tool log file, which will give you a detailed update as to what stage the process is at. There is plenty going on and you should let it finish.

With the management upgraded we can then move on to installing the policy on the gateway. With the management server started, we're going to start the R80.10 SmartConsole application and connect. As you can see we have two cluster objects, and for sanity checking purposes it's a good idea to go through and familiarize yourselves with the new layout, but also check that the number of rules is the same, the number of objects is the same, and so on. We do have complete confidence in our migration scripts, but it is nice to reaffirm that when you have actually migrated. You can see the number of rules is the same, the Application Control policy looks the same, and the NAT rules as well; this configuration didn't have any address translation, but address translation is completely unmodified between R77.30 and R80.10, so there's nothing to worry about there.

In R80.10 IPS has been merged into threat prevention; however, R77.30 gateways do not yet support this, so the migration tool has created two threat prevention profiles, one with IPS only and the other with threat prevention enabled but no IPS. This allows for installation to R77.30 gateways. When the last R77.30 gateway has been migrated to R80.10, then the threat prevention profiles can be merged and IPS can become part of the single threat prevention profile. Installing the security policy to R77.30 gateways installs the threat prevention policy at the same time; it is not until you have upgraded all the gateways to R80.10 that you have the granularity of being able to separately push the threat prevention and the access control policies. Here the policy is being installed from the R80.10 manager to the R77.30 cluster. This is the first time the policy has been installed; this process should be non-disruptive for the users. Despite the fact that it is coming from a new manager, it is using the same IP address, so service should be completely uninterrupted. If you look at the blades configuration we can see that the same blades are enabled as before.

Upgrading the manager from R77.30 to R80.10 and installing a policy to the security gateway is quite some milestone; however, we are going to take it further. We are going to upgrade one of the cluster members to R80.10. For this video we have selected the CPUSE in-place upgrade method. We are using the Gaia CPUSE engine to download the upgrade package, from either the Check Point website, from a local download, or from a private ThreatCloud appliance, and it stores it in the gateway's local repository. With the verifier happy we can then proceed and carry out the upgrade of this module. This is in the cluster, so during the upgrade this member will be down and the other member will be the one handling the traffic. Using CPUSE, if the upgrade fails for any reason then it will roll back to the last known good version. Here we can see the upgrade was successful and we are running an EA build of R80.10.

As usual when upgrading Check Point gateways, you need to open SmartConsole, edit the cluster object and make sure that the version is modified to that which we just upgraded to. We edited the cluster object and we set the version as R80.10. The change can then be published and we are ready to install policy. Because one of the cluster members is of a different version, R77.30 and not R80.10, the installation will fail on one member, so you must unselect "install on both gateway cluster members". With one member upgraded to R80.10 we can then fail over the traffic and start upgrading the second cluster member.

Now we have an R80.10 gateway or cluster, we can start to apply some of the new R80 design features. This includes the inline layers. There are many uses of inline layers: you can organize your policy based on applications, based on network zones or subnets, or on administrative restrictions that need to be applied to the policy. There are many ways in which inline layers can improve the operation of your policy, and Check Point Professional Services are developing tools to help guide customers in creating and utilizing inline layers. Only traffic flows that match the header rule will be passed down to the sub-rules for detailed inspection.

Secondly, we can now look at unifying the threat prevention policy, moving the IPS blade from its own separate layer into the main threat prevention layer. To do this we enable IPS in the relevant profiles. In the case of the HTTP profile we are going to add a few more protections relevant to the particular scope that we are trying to protect. Here you can see we are activating, or possibly deactivating, certain protections based on tags or properties of the individual protections that we have written. This allows administrators to very easily customize and tune their IPS profile configurations as per network requirements. One benefit of having R80.10 on the gateway is the ability to apply a protection scope to an IPS policy. This means that you can apply threat prevention, including IPS, only to specific traffic based on security zones or other parameters. This gives true flexibility in terms of how your IPS is applied, and it is no longer a one-IPS-profile-per-gateway scenario.

It is now possible to install a security policy separately for the access control layer and the threat prevention layer. Here we are installing them together, and we can see the installation has been successful for threat prevention on one of the cluster members; access control has been successful; the other member has been unsuccessful because it is not yet upgraded to R80.10. We have just installed the R80.10 merged threat prevention profile.

There are many benefits to upgrading to R80.10: you get concurrent administrators, you get the inline layers, you get the merged threat prevention profile. However, the R80 API is something that has captured a lot of interest. This is useful for importing large numbers of objects and merging databases, but also for automation features from enterprise-scale applications. The API is easier to use and much better than the dbedit scripts you may have been used to in the past. In this example we are going to create a number of objects related to a particular project or application. We create a spreadsheet with the names, IP addresses and various properties; these are all going to be added to a group called "API tests" as well. Creating a few hundred of these objects is very straightforward: we can set up the CSV file, then we can import the objects using the API into the R80.10 database. This executes and publishes, and when the process is finished we can see that the objects are visible in SmartConsole with the correct IP addresses, names, colors and tags as well. So it is very straightforward to use the API to set up large numbers of objects in an automated fashion.

For the second API demonstration we have chosen a very likely scenario, where we are going to be merging an R77.30 domain or policy into an existing R80.10 management station. We expect this to be quite popular as customers gradually migrate their environments to R80.10. This requires Professional Services assistance, but by providing us with a CPinfo we can run a SmartOptimize on the database for you and then run it through a number of tools to set up the API commands to migrate a database into R80.10. Here we can see the output from Check Point Professional Services with all the API commands ready for import into the R80.10 management. Please note that anything can generate these API commands, including your own scripts, your own infrastructure or your own orchestration tools. Depending on the size of the database this may take some time, but we can see published operations, we can see success criteria, and any errors will be displayed correctly. With the import successful we can go into the R80.10 SmartConsole and we can look at the new policy that we just migrated. We can open it in the usual way and we can examine the rules and the objects that were created as necessary. In this way we can prove to ourselves that the import has been done successfully.

There is comprehensive reference information about the API; this can be found on the Check Point website. You can also browse to your local management station and view the same information. Alternatively you can go to the CheckMates forum on the internet and ask for assistance. We hope this video has shown you that migrating to R80.10 is achievable and that you have the support of Check Point to achieve this. Thank you; I look forward to hearing from you soon.
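The first API demonstration in the video (a spreadsheet of names, IP addresses and properties bulk-created as host objects inside the group "API tests") can be reproduced with a short script. The one below is an added example written for this page; it is not code from the video or from Check Point. It assumes the R80.10 Management API conventions (POST to https://<mgmt>/web_api/<command>, a session id returned by login and sent back in the X-chkp-sid header, and the add-group, add-host, publish and logout commands), assumes the group does not already exist, and uses placeholder values for the management address and credentials. The CSV rows and their column names are constructed for the example. Every row is validated locally (in particular the IP address is parsed) before anything is sent, so a malformed spreadsheet fails early instead of leaving half-created objects in an unpublished session.

```python
import csv
import io
import ipaddress
import json
import ssl
import urllib.request

# Constructed sample spreadsheet export (not from the video): one host per row.
# Tags are ';'-separated inside the cell; the last row carries an invalid
# address on purpose so that the validation path is exercised.
SAMPLE_CSV = """name,ip_address,color,tags
app-web-01,10.20.30.11,blue,project-x;web
app-web-02,10.20.30.12,blue,project-x;web
app-db-01,10.20.40.21,red,project-x;db
app-bad-01,10.20.40.999,red,project-x
"""

GROUP_NAME = "API tests"   # group name used in the video


def parse_hosts(csv_text):
    """Split a CSV export into rows we will send and rows we refuse.

    Every row is checked before anything reaches the management server, so a
    typo in the spreadsheet cannot turn into a host object with a bogus address."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("name") or "").strip()
        addr = (row.get("ip_address") or "").strip()
        try:
            if not name:
                raise ValueError("empty name")
            ipaddress.ip_address(addr)          # raises ValueError on malformed input
        except ValueError as err:
            rejected.append((row, str(err)))
            continue
        tags = [t for t in (row.get("tags") or "").split(";") if t]
        accepted.append({"name": name, "ip": addr,
                         "color": (row.get("color") or "black").strip(),
                         "tags": tags})
    return accepted, rejected


def build_batch(csv_text, group=GROUP_NAME):
    """Return the ordered list of (api_command, payload) to execute.

    Assumes the group does not exist yet (hypothetical for this example);
    'groups' on add-host places each new host straight into it, and the
    trailing publish commits the whole session in one step."""
    accepted, rejected = parse_hosts(csv_text)
    batch = [("add-group", {"name": group})]
    for h in accepted:
        batch.append(("add-host", {"name": h["name"],
                                   "ip-address": h["ip"],
                                   "color": h["color"],
                                   "tags": h["tags"],
                                   "groups": [group]}))
    batch.append(("publish", {}))
    return batch, rejected


def tls_context(cafile):
    """Verify the management server against its own CA instead of disabling TLS checks."""
    return ssl.create_default_context(cafile=cafile)


def api_call(base_url, command, payload, sid=None, ctx=None):
    """POST one Management API command and return the decoded JSON reply."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"{base_url}/web_api/{command}",
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


def run_batch(base_url, user, password, batch, ctx=None):
    """Log in, execute the batch in order, and always log out afterwards."""
    sid = api_call(base_url, "login", {"user": user, "password": password}, ctx=ctx)["sid"]
    results = []
    try:
        for command, payload in batch:
            results.append(api_call(base_url, command, payload, sid, ctx))
    finally:
        api_call(base_url, "logout", {}, sid, ctx)
    return results


if __name__ == "__main__":
    batch, rejected = build_batch(SAMPLE_CSV)
    for row, why in rejected:
        print(f"skipped {row['name']}: {why}")
    for command, payload in batch:
        print(command, json.dumps(payload))
    # Against a real management server (placeholder values, not from the page):
    # ctx = tls_context("/path/to/mgmt-ca.pem")
    # run_batch("https://MGMT_IP", "API_USER", "API_PASSWORD", batch, ctx)
```

Run without arguments it only prints the commands it would issue, which is a useful dry run to review before publishing into a production database; the same payloads map one-to-one onto mgmt_cli invocations if you prefer the CLI. Check Point management servers ship with a self-signed certificate, so the example pins the server's CA via tls_context rather than switching certificate verification off.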
Info
Channel: Check Point Software Technologies, Ltd.
Views: 56,076
Keywords: r80.10, check point software, security technology, r77, r77.30, r80, security, cyber, technology, r80.10 best practices, r77.30 to r80.10 upgrade, checkpoint r80 training, checkpoint upgrade r77.30 to r80.10, checkpoint r80.10 migration, checkpoint r77.30 to r80.10, checkpoint r80.10 upgrade, how to upgrade checkpoint r77.20 to r77.30, checkpoint upgrade from r77.30 to r80.10
Id: egAIQqMUOPE
Length: 23min 9sec (1389 seconds)
Published: Thu Jun 15 2017