Re: [FW-1] Upgrade from 4.1 to NG
> "Fritze, Stefan" wrote:
>
> hi,
>
> i don't want to use the upgrade function of checkpoint to upgrade the
> productive system to the new version. I prefer to build up a new
> management server and rebuild the configuration manually. Then I install
> NG as a second package on our Nokia so that I can easily reboot the old
> config if we have some trouble.

I've had to do this a number of times. I wrote a custom script based on the
various Check Point scripts that everyone will point you to. The attached
script was actually for upgrading from 4.0 to NG FP2 on Solaris.

The idea is to take the $FWDIR/conf from the old machine and dump it to some
arbitrary location on the new machine. The attached script, fwmerge, is run
from that directory. The "DIST" variable should be set to a directory with the
unpacked Check Point package. In the script, it grabs parts from the Solaris
packages. I assume the Nokia distribution is packaged differently.

The cleanup script, cleanup.awk, was another script that manually made a bunch
of changes that the Check Point tools couldn't handle and some other changes
that I'd rather automate (it dropped a bunch of objects I didn't want anymore).
A skeletal one is attached.

This worked brilliantly for me, because I built it to work for my rulesets. No
guarantees it will be of any use to anyone else. You will definitely need to
make changes for it to work on a Nokia platform, but it might be something to
help you start. Definitely make backups before you try it.

It will probably take some trial and error to get the cleanup.awk script to
handle all of the things the Check Point scripts say you have to do manually.
The whole point of the script is that you can run it over and over without
doing any manual clean ups in between runs. Each time you run it, you make
incremental refinements until everything works correctly.

I'm upgrading my last set of firewalls on Monday.
Now that I am an expert on doing this, I'll probably never need to do it
again, or if I do, Check Point will have changed everything enough that
anything I do manage to remember or still have on hand will be useless.
--
Crist J. Clark                                [email protected]
Globalstar Communications

--- attachment: fwmerge ---

#!/bin/ksh -p
#
# Run this from the directory holding a copy of the OLD $FWDIR/conf.
# FWDIR must point at the NEW (NG) installation.

: ${FWDIR:?FWDIR must be set to the NG installation directory}

# Set this to location of cleanup script and packages.
DIST=/var/tmp
CLEANUP=$DIST/cleanup.awk

# Pause point between steps; uncomment the read to make it interactive.
debug_stop () {
	echo '--- break ---'
	#echo '--- break ---\c'
	#read DUM
}

# Copy the old objects, auth database, every policy (*.W) named in
# rulebases.fws, and rulebases.fws itself into the new conf directory.
cp objects.C $FWDIR/conf/prev_objects.C
cp fwauth.NDB $FWDIR/conf
cp `nawk '/:rule-base/ { split($2, pol, /[#"]+/); print pol[2] ".W" }' rulebases.fws` $FWDIR/conf
cp rulebases.fws $FWDIR/conf

cd $FWDIR/conf

# Make sure fwm is on the PATH. (The original tested with
# "expr $PATH : $FWDIR/bin", which only matched when PATH *started*
# with $FWDIR/bin; this checks for it anywhere in PATH.)
case ":$PATH:" in
	*:$FWDIR/bin:*) ;;
	*) export PATH=${PATH}:$FWDIR/bin ;;
esac

# Start clean so the script can be re-run after each refinement.
rm -f objects_5_0.C rulebases_5_0.fws ../database/* *.pf

# Pull the shipped object files out of the unpacked Solaris package.
# "\$VARDIR" is a literal directory name inside the package tree.
cp $DIST/CPFWSP500002-01/CPfw1-50/reloc/\$VARDIR/conf/objects.C objects.C.dist
cp $DIST/CPFWSP500002-01/CPfw1-50/reloc/\$VARDIR/conf/default_objects.C default_objects.C_sp2

# Merge the old objects into the 4.1-format template, check, then merge
# the result with the NG objects. objects.C_41 and default_objects.C_sp1
# are not created here; they are expected to already be in $FWDIR/conf.
fwm confmerge_41 prev_objects.C objects.C_41 > objects.C_41.merged
debug_stop
fwm checkobj_41 objects.C_41.merged
debug_stop
fwm confmerge objects.C_41.merged objects.C.dist > objects.C
debug_stop

# Apply the manual fix-ups from cleanup.awk to every converted file.
for F in objects.C rulebases.fws *.W; do
	nawk -f $CLEANUP $F > $F.new && mv $F.new $F
done
debug_stop

fwm checkobj
debug_stop
cp objects.C ../database
fwm checkobj
debug_stop
fwm cpmi_upgrade
debug_stop
cp default_objects.C_sp1 default_objects.C
fwm upgrade sp1
debug_stop
cp default_objects.C_sp2 default_objects.C
fwm upgrade sp2

--- attachment: cleanup.awk ---

# Skip the rest of the current object: the header line ": (name" has
# already opened one level, so read on until the parens balance. Every
# paren on a line is counted and end of file stops the loop (the original
# counted one per line and could loop forever on a truncated file).
# 'level' is a parameter so it stays local to the function.
function rmobj(level) {
	level = 1;
	while (level > 0) {
		if ((getline) <= 0) break;
		level += gsub(/\(/, "(") - gsub(/\)/, ")");
	}
}

# Change in expression syntax: the protocol moves out of the exp string
# into its own :protocol attribute (6 = TCP, 17 = UDP), and the leftover
# comma is removed from the string.
/exp \(\"/ && /(tc|ud)p/ {
	if ($0 ~ /tcp/) {
		print "\t\t\t:protocol (6)";
	} else {
		print "\t\t\t:protocol (17)";
	}
	sub(/(tc|ud)p,? */, "");
	sub(/, *"/, "\"");
	print;
	next;
}

# CP demands this be removed manually
/: \(VDO-Live/ { rmobj(); next; }

# Use the built-in StoneBeat
/: \(Stonebeat-Control_Daemon/ { rmobj(); next; }
/Stonebeat-Control_Daemon/ { sub(/Stonebeat-Control_Daemon/, "StoneBeat"); print; next; }

# Timeobj names must be < 11 characters
/business_hours/ { sub(/business_hours/, "work_hrs"); print; next; }
/Month_End_Proc/ { sub(/Month_End_Proc/, "month_end"); print; next; }

#
# Insert more of your own stuff here.
#
{ print; }
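The object-removal idea in cleanup.awk rests on counting parentheses, which goes wrong when a quoted comment inside an object contains an unbalanced paren. The script below is an added example, not part of Crist's attachments or of any Check Point tool: a POSIX sh + awk rewrite of the same idea that ignores quoted text while counting, stops at end of file, and adds two checks worth running before handing a cleaned file to fwm (paren balance over the whole file, and a list of object names longer than a given limit, the problem behind the time-object renames above). The sample objects.C fragment, its object names and the function names drop_object, check_balanced and long_names are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post or Check Point): a more careful
# version of the rmobj() idea in cleanup.awk, for POSIX sh + awk.

# Constructed objects.C-style fragment (not a real Check Point file). Note the
# unbalanced "(" inside a quoted comment, which a naive paren counter mishandles.
SAMPLE=': (VDO-Live
	:type (tcp)
	:comment ("legacy, see note (1")
	:port (7000)
)
: (http
	:type (tcp)
	:port (80)
)
: (business_hours
	:type (time)
)'

# Shared awk function: net "(" minus ")" on one line, ignoring anything inside
# double quotes so that text in comments cannot skew the count.
AWK_DEPTH='
function paren_depth(line,    n, i, c) {
	gsub(/"[^"]*"/, "", line)
	n = 0
	for (i = 1; i <= length(line); i++) {
		c = substr(line, i, 1)
		if (c == "(") n++
		else if (c == ")") n--
	}
	return n
}'

# drop_object NAME: copy stdin to stdout minus the block that starts with a
# ": (NAME" header and ends where the paren depth returns to zero. Every paren
# on a line is counted and end of file ends the skip.
drop_object() {
	awk -v name="$1" "$AWK_DEPTH"'
	BEGIN { hdr = "^[ \t]*: \\(" name "[ \t]*$"; skip = 0 }
	!skip && $0 ~ hdr { level = paren_depth($0); skip = (level > 0); next }
	skip { level += paren_depth($0); if (level <= 0) skip = 0; next }
	{ print }'
}

# check_balanced: exit 0 when "(" and ")" balance over the whole input, else 1.
# Run it before and after a cleanup pass so a bad rule is caught before fwm.
check_balanced() {
	awk "$AWK_DEPTH"'
	{ total += paren_depth($0) }
	END { exit total != 0 }'
}

# long_names MAX: print the names from ": (NAME" headers longer than MAX
# characters, e.g. candidates for the time-object renames in cleanup.awk.
long_names() {
	awk -v max="$1" '
	/^[ \t]*: \(/ {
		n = $0
		sub(/^[ \t]*: \(/, "", n)
		sub(/[ \t]*$/, "", n)
		if (length(n) > max) print n
	}'
}

# Demonstration run on the constructed sample.
printf '%s\n' "$SAMPLE" | drop_object VDO-Live
printf '%s\n' "$SAMPLE" | check_balanced && echo "sample is balanced"
printf '%s\n' "$SAMPLE" | long_names 10
```

The same pattern fits the for-loop in fwmerge: pipe each converted file through drop_object for every object you want gone, then run check_balanced on the result and stop the script if it fails, so that a rule that ate one paren too many is noticed before fwm checkobj reports something far less readable.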