Indian IT head at server rack cabinet at dawn during Mumbai bank firewall cutover, chai cup in hand

Check Point firewall migration in India: a Mumbai cooperative bank’s Sunday cutover

A 320-person Mumbai cooperative bank’s Sunday cutover from a tired Sophos XG to Check Point Quantum. The RBI auditor was the reason. The Pune branch leased line was the surprise.

05:30 AM. Sunday. The cutover began before the watchman finished his rounds.
What this story is about

The DPDP Act, Section 33 penalty cap is Rs 250 crore. RBI’s Master Direction on Cyber Resilience for cooperative banks does not wait either. Auditors do not wait.

If you read only one line of this story: the hardest part of a Check Point firewall migration project in India is not the rule conversion. It is the branch that does not reconnect by Monday morning.

05:30 AM · Head Office datacenter, Vashi

The cabinet that smelled of warm metal

This is a Check Point firewall migration story from India, told from the cutover floor. Sanjay was already at the cabinet when I reached the bank’s head office. He had unlocked the rack at 5:14 AM. I know because the badge log told me later.

The Sophos XG had been in slot 14 for four years. The cooling fan ran a little louder every quarter. Nobody had said anything. Sanjay handed me a cup of chai from the tea-walla downstairs. He pointed at the Check Point Quantum 6200 he had racked the previous Friday in slot 16. Two units, side by side. One tired. One waiting.

I had told Sanjay two months ago that the Sophos was fine for one more renewal cycle. I had read the threat signal wrong. The RBI notification came in April. The auditor’s pre-letter came in May. By the time the calendar said 28 days to cutover, the conversation had moved past whether and into how fast.

Sanjay

“Arre yaar, you said one more renewal.”

Me

“I was wrong. Bas, let’s do this.”

Vendor SE was already on Teams from Bengaluru. SmartConsole was loaded on the staging laptop. The 312 firewall rules from the Sophos export had been pre-staged in the Quantum policy. Three weeks of rehearsal. Sunday was supposed to be boring.

07:15 AM · Engineering floor, second cup

The audit ghost

The bank has 11 branches in Maharashtra. Four sit in RBI’s tier-1 bucket for cooperative banks. The other seven report under the same Master Direction on IT Governance and Cyber Resilience. Every cooperative IT head has a calendar reminder for April.

Sanjay’s previous auditor finding had been a single line. “Perimeter firewall logs not retained for 180 days as required.” The Sophos box had a 90-day rolling window. He had carried that gap for two cycles.

Sanjay

“If the auditor opens SmartLog and sees 180 days clean, that finding closes.”

Me

“Pakka. And every Threat Prevention block ships to your SIEM the same minute it lands. CERT-In also wants that pipe live.”

I checked the CERT-In incident reporting directions on my phone again. Six hours to report a reportable event. SmartEvent had to forward to the bank’s SIEM, and the SIEM had to ping Sanjay before 06:00 hours. We rehearsed that loop on Thursday. It worked then. It had to work today. The Check Point R81.20 logging guide was bookmarked on Meera’s laptop.

09:40 AM · SmartConsole, staging laptop

The rule list that had been waiting four years

Indian security analyst and IT head reviewing SmartConsole policy rules on laptop in bank datacenter
09:40 AM. The 312 rules became 187 because someone had finally tidied up.

The Sophos policy had 312 rules. The Check Point staging had 187. Sanjay’s junior engineer, Meera, had spent ten days on this. She read every rule, asked application owners what each one was for, and quietly deleted any-any leftovers from 2022. Achha cleanup. The number that goes to the auditor is 187, and every one maps to a business owner with a name.

Meera

“Sir, 41 rules came from the Bandra-branch refresh in 2022. The branch manager said the cabinet they served was decommissioned last December.”

Threat Prevention had to be flipped on for the SWIFT and NEFT pipes first. The treasury team had a reconciliation window before noon. If we broke that path, the chairman would hear about it before he finished breakfast. Sanjay had used the rehearsal week to dry-run every critical flow.

| Pipe | Sophos handling | Quantum handling |
| --- | --- | --- |
| SWIFT GPI to Mumbai data centre | NAT rule + ACL | Identity-aware rule + IPS profile pinned to SWIFT signature set |
| NEFT RTGS leg | Static IP allow | Same, plus Threat Emulation off the file path |
| Branch leased lines (11) | Site-to-site VPN, single tunnel | SD-WAN failover, two tunnels per branch, leased line primary |
| Internet egress for staff | URL filter, basic | URL filter, Anti-Bot, plus DPDP-aligned data-leak inspection |

The treasury reconciliation began at 09:55. Three transfers cleared. The IPS log was clean. Sanjay exhaled.

12:20 PM · The branch that did not come back

The leased line that was not the firewall

At 12:18, the Pune branch stopped responding. Not the firewall side. The branch side. Sanjay’s SD-WAN dashboard showed the secondary tunnel was up but the primary leased line was down. Branch manager not picking up.

I have seen this twice in twelve months. The branch leased line is the part nobody rehearses on Sunday because the telecom NOC is half-staffed.

Meera

“Madam, the secondary is carrying traffic. Latency is double. Nothing is dropped.”

Me

“That is the SD-WAN doing its job. We need the primary back before Monday 09:00. Get me the Airtel NOC engineer.”

It took twenty-three minutes to get a human on the line. He read the circuit ID. A scheduled maintenance window had been published two weeks ago. Sanjay had it in his inbox. Nobody had read past the first line. The primary line came back at 14:02. The Quantum failed back cleanly. No user in Pune noticed.

I will say what I should have said in March. I had assumed branch telecom was Sanjay’s problem, not mine. It was not. It belonged on the cutover checklist on Wednesday, not in a missed inbox on Sunday.

Rs 250 crore · DPDP Section 33 penalty cap. Your next auditor is closer than you think.

15:50 · The compliance officer’s WhatsApp

Two screenshots and a question

Indian compliance officer in kurta reviewing audit screenshots on smartphone in bank cabin
15:50. Asha sent the screenshots without a hello.

Asha was the bank’s compliance officer. She had been at the firm longer than the chairman. Her WhatsApp arrived at 15:48 with two screenshots and a single line. “Are we good for points 4 and 9?”

Point 4 was the IPS log retention question. Point 9 was the data-leak control on customer-folder uploads to personal cloud.

Sanjay

“Asha-ji, Threat Prevention is logging to SmartLog and shipping to the SIEM. 180 days minimum. Point 4 closes.”

Sanjay

“Point 9 needs the URL-filter category for personal cloud blocked at the egress rule. That is configured. The DLP plug-in inspects customer-folder uploads. Test passed Friday.”

Asha

“Achha. Then I am sending the pre-evidence pack to the auditor tonight, not next week.”

That is the moment a Sunday cutover earns its weekend. Asha did not ask if the firewall was fast. She asked if the evidence held. The control was the product. The product was the control. A BFSI DPDP audit Monday we wrote about earlier this year hinged on the same two questions.

18:30 · The chairman’s WhatsApp

The quiet network

The chairman’s message arrived at 18:27. One line. “Sunday went well?” Sanjay replied with one word. “Yes.”

The Sophos box was powered down at 18:34. The Pune primary leased line had been up since 14:02. SmartLog had nine hours of clean Threat Prevention events. Asha’s pre-evidence pack went out at 19:00. We finished the dal-roti the bank’s pantry sent up and walked to the gate at 19:40.

The amber alert I should have caught two months earlier was not on the Sophos dashboard. It was in the RBI circular published the week before. Security is reading the regulator, not just the console. Security is a verb.

Check Point firewall migration in India: what this Sunday taught me

  1. A Check Point firewall migration project in India is a regulator project first, a vendor project second. The RBI window decides your cutover date, not your SE’s availability.
  2. Rehearse the branch leased lines on Wednesday, not Sunday. Telecom NOCs are half-staffed on weekends. Half-staffed is also half-answered.
  3. Use rule cleanup as the migration prize. 312 rules becoming 187 is the kind of number an auditor likes to see.
  4. Ship Threat Prevention logs to your SIEM the same day you flip the blade. 180-day retention only counts if the pipe started the day the rule did.
  5. The compliance officer is the second customer. Asha’s screenshots tell you whether your cutover is a tech event or an audit answer.
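
Takeaway 3 in practice, as an added example that is not from the original post or from any Check Point or Sophos tooling: a small pre-migration audit that flags the kinds of rules the cleanup above removed (any-any leftovers, rules with no named owner, rules pointing at decommissioned networks). The CSV columns, sample rows and addresses are constructed for illustration and are not a vendor export format.

```python
import csv
import io
import ipaddress

# Constructed sample export. Column names are assumptions for this example,
# not the Sophos or Check Point export format.
SAMPLE_RULES = """id,source,destination,service,action,owner
1,any,any,any,accept,
2,10.20.0.0/24,10.1.5.10,tcp/443,accept,Treasury Ops
3,10.30.4.0/24,10.1.9.0/24,tcp/1433,accept,Branch IT
4,10.40.0.0/24,any,tcp/80,accept,
5,any,10.1.5.10,tcp/443,accept,Treasury Ops
"""

# Constructed: networks whose hardware has been decommissioned.
DECOMMISSIONED = [ipaddress.ip_network("10.1.9.0/24")]


def _is_any(value):
    return value.strip().lower() in ("any", "0.0.0.0/0", "*")


def _hits_decommissioned(value, retired):
    if _is_any(value):
        return False
    net = ipaddress.ip_network(value.strip(), strict=False)
    return any(net.overlaps(r) for r in retired)


def audit_rules(csv_text, retired=DECOMMISSIONED):
    """Return {rule_id: [findings]} for rules that need review before migration."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["action"].lower() == "accept" and all(
            _is_any(row[k]) for k in ("source", "destination", "service")
        ):
            issues.append("any-any-accept")
        if not row["owner"].strip():
            issues.append("no-named-owner")
        if any(_hits_decommissioned(row[k], retired) for k in ("source", "destination")):
            issues.append("decommissioned-target")
        if issues:
            findings[row["id"]] = issues
    return findings
```

Rules that return no findings are the ones that carry over; the flagged ones go back to an application owner before they are staged.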

Quick questions teams ask before the cutover

How long does a Check Point Quantum migration take for a mid-sized Indian bank?

Plan 6 to 8 weeks end to end for a 10 to 15 branch cooperative bank. Three weeks for policy export, mapping, and SmartConsole staging. Two weeks for SD-WAN tunnel rehearsal across branches. One weekend for cutover. One week for post-cutover stabilisation and auditor pre-evidence.

What does a Quantum 6200 actually cost in India?

The list price depends on the blade bundle and the 1, 3, or 5-year subscription term. We share an indicative range only after we size the throughput, IPS load, and SD-WAN tunnel count for the actual branch list. Two firms with the same branch count rarely buy the same SKU.

Is Check Point a fit if we currently run Fortinet or Palo Alto?

Fortinet rule sets convert cleanly into Check Point policy with the right discovery week. Palo Alto rule sets need more attention on App-ID equivalence, because Check Point uses Application Control objects rather than App-ID. Neither is a blocker. Both are a planning question.

How do you keep the SWIFT and NEFT pipes safe during cutover?

Pin those flows to a dedicated rule with identity-aware policy and a tested IPS profile before cutover Sunday. Run a treasury dry-run the Friday before. If the dry-run breaks, you have two days to fix it, not two hours.

What goes on the auditor’s pre-evidence list the week after cutover?

SmartLog retention proof, SIEM forwarding evidence, IPS block samples mapped to MITRE tactics, the 11-branch SD-WAN tunnel uptime report, the Threat Prevention coverage report, and the new policy rule count with named business owners.

Get a free 4-hour Check Point sizing review

Reply on WhatsApp with your branch count, user count, and audit deadline. Our Vashi engineering team comes back within 8 hours with a sized Quantum or Maestro proposal. Audit slots free until end of month.

200+ Indian businesses. 30+ in BFSI. Response within 8 hours.

P.S. Priya here. We shipped a similar Sophos-to-Quantum cutover for a Pune cooperative bank last quarter. They asked the same question Sanjay did, in the same tone. Two months later their auditor closed three findings in one paragraph. The console did not do that. The Wednesday rehearsal did. Reply on WhatsApp if your auditor letter has already landed.