topic Re: sk156072 - Domain migration - SMS to DMS in Firewall and Security Management

sk156072 - Domain migration - SMS to DMS

Alex- — Mon, 27 Apr 2026 08:03:51 GMT

I'm going to lab this up but I'm looking at moving an SMS to a brand new MDS that's just been staged to R82 T91 and has no other configuration for now.

The process seems straightforward:

- Export the SMS with the documented API call

- Import the TGZ in the MDS withe the documented API call, in our scenario the IP remains the same

- Connect to the imported domain and start from there

A few questions for anyone familiar with this:

- Is this as straightforward as the SK implies, considering we keep the IP?

- Is SIC and so on maintained?

- Are there gotchas like using the same name for the domain than the SMS or anything else?

Re: sk156072 - Domain migration - SMS to DMS

Peter_Lyndley — Mon, 27 Apr 2026 08:12:58 GMT

hi Alex,

Yes the procedure is pretty slick these days. As long as you have the latest versions of the upgrade tools then it works well in pretty much all scenarios.

Yes SIC is maintained, even if you do change the IP (in your case you are not)

You can use the same name for the domain, or call it something different.

If you do need to change IP of the domain (in future migrations) - just add a rule on the gateways affected, so you do not cut yourself off from them (but then again you can always connect to them from the previous management server)

Re: sk156072 - Domain migration - SMS to DMS

S_E_ — Mon, 27 Apr 2026 13:46:24 GMT

hi,

we did that exercise a while ago with multiple SMS. At least I remember that an outdated IPS on the Source SMS stopped the import process on MDS side. I would have a look that the versions (IPS db, ) are more or less identical.

Regards

Re: sk156072 - Domain migration - SMS to DMS

Alex- — Wed, 29 Apr 2026 17:04:54 GMT

The lab went succesfully, which presages well for the production part. It was also a reminder of how long I stayed without using an MDS. Here's how it went.

Install VMWare Workstation Pro on a spare laptop, create a RH8 image with sufficient disk space for partitioning in a segment with the same IP subnet than production
FTW R82, install CPUSE, T91, upgrade tools
Install a lab/eval MDS license - without this, the domain won't start
Use the API call to import the TGZ and wait completion.
Connect to the MDS and assign the domain to the user(s), without this, a misleading "Your IP is not authorized" message is displayed when trying to connect to the domain
Using the FTW "admin" account, I got a loop constantly asking to confirm the fingerprint, it was solved by creating another with mdsconfig and log with it
After this, connecting to the MDS and starting the imported domain showed all systems on the current SMS

Re: sk156072 - Domain migration - SMS to DMS

Alex- — Fri, 01 May 2026 14:42:07 GMT

It worked perfectly in production. A pleasure to have an SK so clear to follow.

The transition from the 600 to the 7000 manager series with bonded 10G series is impressive, the performance is on another level.