topic Re: Migration from 5200 appliance to 9100 appliance - Standalone in Firewall and Security Management

Migration from 5200 appliance to 9100 appliance - Standalone

Mk_83 — Tue, 09 Jul 2024 07:56:42 GMT

Hello everyone,

Currently, we are preparing a plan to replace three 5200 devices on three office sites with three 9100 devices, all of which will run standalone.

Current product: 5200 appliance, standalone, R81.20 hotfix take 65
New replacement product: 9100 appliance
Blade uses:

Network Security: Firewall, Application, URL Filtering, Threat Prevention, IPSec VPN (Site-to-Site VPN, Remote Access VPN)
Management: Network Security Management, Logging & Status

We plan to do so according to the following document: Migrating Database Between R81.20 Security Management Servers (checkpoint.com)

But we have a few concerns:

Following the above document, "./migrate_server" will be used. Does someone know which configurations below will be migrated:
- Gateway: Interfaces, VLANs, and Routes
- Management: Security Policy, VPN, Object (especially about 100 local users on the checkpoint we created, using a cert for authentication. If the users and certs cannot be migrated, it will take a lot of time to create and give a cert file for each employee.)
Based on your experience, are there any issues we need to pay attention to to avoid problems?

Or is there another best-practice way to migrate standalone configurations?

Please help me the answer.

Thank you so much,

Best Regards.

Re: Migration from 5200 appliance to 9100 appliance - Standalone

G_W_Albrecht — Tue, 09 Jul 2024 08:16:01 GMT

Best option is not to use StandAlone deployment at all ! If the GW is under heavy load you will not be able to manually fight this situation.

migrate_server: This command is used to migrate the management database from R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.

For more information, see:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/CLI/migrate_server.htm

For gateway migration see https://support.checkpoint.com/results/sk/sk108902

Re: Migration from 5200 appliance to 9100 appliance - Standalone

Mk_83 — Tue, 09 Jul 2024 10:12:50 GMT

Hi G_W_Albrecht,

Thanks for your advice and information.
Currently, we are being asked by customers to configure a standalone configuration because their system is already operating familiarly. Changing to a distributed configuration may be implemented in the future.

Sorry, but at the two links you give me, I can't see the confirmation of which configurations will be migrated using the command "./migrate_server". I'm very sorry if I missed anything. I also searched for this but couldn't find anything related.

Thanks & Best Regard.

Re: Migration from 5200 appliance to 9100 appliance - Standalone

G_W_Albrecht — Tue, 09 Jul 2024 10:18:25 GMT

migrate_server does not save any GAiA configuration ! This is found in the second link, chapter

8. Comparison of Backup Methods

	Snapshot Management	System Backup	"show configuration"	"migrate export"
How much time does it take?	30 - 60 minutes	5 - 30 minutes	Few seconds	Depends on configuration
Size of output file on Security Gateway	5-100 GB	Depends on configuration	Few KB	N/A
Size of output file on Management Server	5-100 GB	5-100 GB	Few KB	Depends on configuration
Does it back up Gaia OS configuration?	Yes	Yes	Yes	No
Does it back up Products configuration?	Yes	Yes	No	Yes
Does it back up Hotfixes?	Yes	No (does not apply to "`mds_backup`")	No	No
Does it back up Check Point logs?	No	No	No	Not by default. Use the flag "-l" in the syntax to back up the SmartView Tracker logs as well.

Re: Migration from 5200 appliance to 9100 appliance - Standalone

Mk_83 — Tue, 09 Jul 2024 11:18:20 GMT

Hi G_W_Albrecht,

Thank you so much. I have seen it will not migrate GAiA configuration.

But there are still a few points at Management: "./migrate_server" is it possible to migrate VPN configuration (S2S, C2S), Object?
Especially for local users, after migrating to the 9100 appliance, can employees still use the certificate previously issued on the 5200 appliance to connect to remote access VPN?

Thanks & Best Regard.

Re: Migration from 5200 appliance to 9100 appliance - Standalone

Bob_Zimmerman — Tue, 09 Jul 2024 17:41:45 GMT

If it's defined through SmartConsole, migrate_server covers it.

If it's defined on the command line or in a web interface of some kind, migrate_server does not cover it.

Re: Migration from 5200 appliance to 9100 appliance - Standalone

Mk_83 — Wed, 10 Jul 2024 08:40:40 GMT

Thanks for your information. I really appreciate it.

Best Regards.