SecurePlatform to Gaia

Check Point switched the platform for their security products from SecurePlatform to Gaia. Sooner or later, a switch to Gaia will be necessary… Well, there are plenty of documents about this topic out there. Rejoice, people, one follows right here – valid for small installations (standalone boxes, really).

First of all, you want to get the current configuration from your box. You need to understand that this consists of two parts: the OS level configuration (interfaces, routing table) and the CP database (rulebase, CP settings). Check Point provides tools for the latter, but not for the former.

On the OLD firewall
Preparation:
1) Download this script
2) Get the target migration tools from Check Point, either from a box with the target software installed or from their download center
3) Copy both over to the box, by any method that works for you (TFTP, FTP, USB, magic)
4) Extract the CP upgrade_tools
5) Spread some execute permissions if necessary! “chmod +x splat2gaia.sh” and “chmod +x migrate”

For the OS level configuration
1) Execute “splat2gaia.sh”
2) Copy the output somewhere safe

For the CP database
1) Execute “migrate export”
2) Copy the resulting TGZ file somewhere safe

On the NEW firewall
Preparation
1) Install a fresh Gaia image, if not already installed
2) Follow CP’s guide and finish the first time configuration wizard

Restore the OS level config
1) Get console access to the box
2) Copy the output of splat2gaia.sh over line by line, or copy it into a bash script
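
As an added illustration of what the OS level part of the migration involves (this is not the splat2gaia.sh script mentioned above and not Check Point code), the following shell function turns `route -n` output from the old box into Gaia clish `set static-route` commands. The function names and the sample routing table are made up for the example.

```shell
# Added illustration: convert `route -n` output into Gaia clish static routes.
# Reads the routing table on stdin, writes one clish command per gateway route.
routes_to_clish() {
    awk '
    # Dotted netmask -> prefix length; -1 when the mask is not contiguous,
    # so a mistyped mask is flagged instead of being migrated silently.
    function masklen(mask,    o, i, v, bits, seen_zero) {
        if (split(mask, o, ".") != 4) return -1
        bits = 0; seen_zero = 0
        for (i = 1; i <= 4; i++) {
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
            for (v = 128; v >= 1; v = v / 2) {
                if (int(o[i] / v) % 2 == 1) {
                    if (seen_zero) return -1
                    bits++
                } else seen_zero = 1
            }
        }
        return bits
    }
    # Only lines that start with an IPv4 destination are route entries.
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
    # Connected networks (no G flag) follow from the interface addresses.
    $4 !~ /G/ { next }
    {
        len = masklen($3)
        if (len < 0) { print "# SKIPPED, bad netmask: " $0; bad = 1; next }
        dest = (len == 0 && $1 == "0.0.0.0") ? "default" : $1 "/" len
        print "set static-route " dest " nexthop gateway address " $2 " on"
    }
    END { exit bad + 0 }
    '
}

# Constructed sample of `route -n` output (not taken from a real firewall).
sample_routes() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.20.0.0       192.0.2.254     255.255.0.0     UG    0      0        0 eth0
198.51.100.7    192.0.2.253     255.255.255.255 UGH   0      0        0 eth0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
EOF
}

sample_routes | routes_to_clish
```

Review the generated lines before pasting them at the clish prompt on the new box; `save config` makes them persistent.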

Restore the rule database
1) Copy the TGZ over to $FWDIR/bin/upgrade_tools
2) Execute “migrate import”

Almost done! Now, connect to the box via your newly installed SmartDashboard, and install the rule database. Only after that step will the rules be enforced!

Note: depending on how you perform the switch over to the new platform, you might get a ton of “TCP packet out of state” errors. In that case, you might want to go to general options -> stateful inspection, and disable the “drop out of state packets” for the first couple of hours of operation.
