Issues migrating multiple Check Point VSYS into a single Panorama managed Virtual System

L1 Bithead


 

Hi there,

 

Having some issues with the above migration using the latest version of the migration tool. Everything seems to work OK until we try to push to the Panorama via the API calls.

 

We've mapped both Check Point virtual systems loaded into the migration tool into the base device group and template configuration. Obviously we're dumping two rulesets here, but I assume the tool will just combine them into the destination and I can clean that up later in the final configuration by loading it back into the migration tool. Is that correct?

 

Pushing the change via atomic API calls, I get failures for rules as per the below:

 

<response status="error" code="12"><msg><line><![CDATA[ pre-rulebase -> security -> rules -> Rule 1 'Rule 1' is already in use]]></line><line><![CDATA[ pre-rulebase -> security -> rules is invalid]]></line></msg></response>

 

Is this something to be concerned with, or should I just push this out by subAtomic and hope for the best?

 

Thanks

L7 Applicator

Re: Issues migrating multiple Check Point VSYS into a single Panorama managed Virtual System

The error message is saying you already have a rule called Rule 1 in your candidate configuration... Either remove it before you send the API calls or rename the ones you have in your MT...

You can add a prefix to your rule names to differentiate them, like fw1_ ...

Hope that helps

L1 Bithead

Re: Issues migrating multiple Check Point VSYS into a single Panorama managed Virtual System

Thanks for the quick response. The Panorama device group I am trying to install into is empty apart from the default rules. Just to confirm:

 

Is it failing because I am trying to combine two rule bases (the source) and they have the same rule numbers or names etc.? If so, you are saying I need to prefix all the rules in one source rule base with a new name so they don't overlap?

 

Also, as these rules are going into a device group, does this mean I need to convert them in the source policy to pre or shared rules before I export, or does this happen automatically, or do I need to do this post export? If I manually try to change some of the rules in the source policy to shared or pre-rules via the buttons at the bottom of the page, nothing happens.

 

Can you please confirm the above? Thanks.

 

 

L7 Applicator

Re: Issues migrating multiple Check Point VSYS into a single Panorama managed Virtual System

You can check from the dashboard (main view inside the project) whether or not there are duplicated rules. There are some ways to fix the duplicated rule names from the security policy (right-click), Rule Name -> Fix duplicated for instance. And in the same place there is an option to add a prefix to the rule names as well.

 

By default all the rules are pre-rules; if you want, you can convert them to post-rules as well by using the buttons in the bottom bar under your security policy/NAT.

 

Documentation is here: Doc

 

Hope that helps!
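The name collision discussed in this thread can be checked outside the migration tool before a push. The following is an added example, not part of the original posts and not the migration tool's own code: it pulls the rejected rule names out of the API error quoted above and merges two rule sets, applying a per-source prefix (such as the `fw1_` suggested in the thread) only to colliding names. The sample rulebases, the `fw2_` prefix and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Error response quoted in the thread.
API_ERROR = ("""<response status="error" code="12"><msg><line><![CDATA[ pre-rulebase -> security -> rules -> Rule 1 'Rule 1' is already in use]]></line>"""
             """<line><![CDATA[ pre-rulebase -> security -> rules is invalid]]></line></msg></response>""")

# Constructed sample rulebases, one per source VSYS (not real exports).
VSYS_A = '<rules><entry name="Rule 1"><action>allow</action></entry><entry name="Rule 2"><action>deny</action></entry></rules>'
VSYS_B = '<rules><entry name="Rule 1"><action>deny</action></entry><entry name="Rule 3"><action>allow</action></entry></rules>'

def names_in_use(response_xml):
    """Return the rule names an error response reports as 'already in use'."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "error":
        return []
    hits = (re.search(r"'([^']+)' is already in use", line.text or "")
            for line in root.iter("line"))
    return [m.group(1) for m in hits if m]

def rule_names(rules):
    """List the name attribute of every rule entry, in order."""
    return [e.get("name") for e in rules.findall("entry")]

def merge_rulebases(sources):
    """Merge {prefix: rules_xml}; prefix only names that occur more than once.

    Raises ValueError if names still collide after prefixing, e.g. when one
    source contains the same rule name twice.
    """
    parsed = {prefix: ET.fromstring(xml) for prefix, xml in sources.items()}
    counts = Counter(n for rules in parsed.values() for n in rule_names(rules))
    merged = ET.Element("rules")
    for prefix, rules in parsed.items():
        for entry in rules.findall("entry"):
            if counts[entry.get("name")] > 1:
                entry.set("name", prefix + entry.get("name"))
            merged.append(entry)
    still_dup = [n for n, c in Counter(rule_names(merged)).items() if c > 1]
    if still_dup:
        raise ValueError(f"names still collide after prefixing: {still_dup}")
    return merged

if __name__ == "__main__":
    print(names_in_use(API_ERROR))
    print(rule_names(merge_rulebases({"fw1_": VSYS_A, "fw2_": VSYS_B})))
```
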

 

 
