topic Re: Move S1C to On-prem in Firewall and Security Management

Move S1C to On-prem

kaka — Tue, 10 Dec 2024 04:40:42 GMT

Hello guy!

As the user experience with S1C we decided to move from cloud to on-prem. I have 2 gateway run as clusterxl. Currently SIC version R82 and the new mgmt run R81.20 latest HF.

May I know the best practices for preparation during move gw to new mgmt?

Note: The new mgmt setup completely with import database from SIC and object and policies was synced.

Regard,

Re: Move S1C to On-prem

Lesley — Tue, 10 Dec 2024 06:11:41 GMT

Hi,

To be sure syc is already active between new onprem mgmt and all gateways? If you have done import and policies are in place you are good to go. Did you already installed policy with new mgmt?

Re: Move S1C to On-prem

kaka — Tue, 10 Dec 2024 06:31:35 GMT

Hi @Lesley ,

Install policy from new mgmt not yet do, due to gateway connected to SIC through tunnel interfaces.

Regard,

Re: Move S1C to On-prem

Martijn — Thu, 12 Dec 2024 12:44:52 GMT

Hi,

I assume the on-prem SmartCenter has a new IP?

When you import the database, SIC is already OK. But gateways have the old IP-address in the database.
- On old SmartCenter, create a dummy object for the new SmartCenter IP.
- On old SmartCenter, include the dummy object in rules between SmartCenter and gateways
- On old SmartCenter, push policy to gateways.
- Traffic between gateways and new SmartCenter IP is allowed now.

- On the new SmartCenter, make sure traffic between new SmartCenter IP and gateways is allowed.
- On the new SmartCenter push policy.

You can also follow sk86521- How to reset SIC without restarting the Check Point services
But make sure traffic between new SmartCenter IP and gateways is allowed by adding a dummy object.

Good luck.

Martijn

Re: Move S1C to On-prem

the_rock — Thu, 12 Dec 2024 13:56:19 GMT

Personally, I would not move from S1C to on-prem, but if thats decision user made, o well : - ). Anyway, what both @Martijn and @Lesley had said is valid and I would follow those steps.

Andy

Re: Move S1C to On-prem

G_W_Albrecht — Thu, 12 Dec 2024 15:46:04 GMT

Why not contact TAC ? They could give you hints and be prepared for RAS during the maintenance window when switching over to resolve any unforseen issues !

Re: Move S1C to On-prem

D_TK — Thu, 12 Dec 2024 17:05:26 GMT

We're thinking of going the other way: prem -> cloud for logging and management (10 gw clusters). Can you expand on the reasons why you're going back to prem? Thanks.

Re: Move S1C to On-prem

kaka — Fri, 13 Dec 2024 02:17:45 GMT

Hi mate,

The main reason's latency and user experience. cloud is a bit slow then on-prem.

Regard, thanks

Re: Move S1C to On-prem

the_rock — Fri, 13 Dec 2024 02:41:01 GMT

I found and this is just my personal opinion, back in 2020, when I initially started working with S1C, it was not that great, I will admit. But now, I find its great and has gotten way better since then. All customers are already upgraded to R82 version in the cloud and I find the portal is actually even more responsive than before.

Again, my honest feedback about it.

Andy

Re: Move S1C to On-prem

kaka — Fri, 13 Dec 2024 03:03:36 GMT

yes, obsoletely R82 better then oldest for SIC. but it's customer choice.

Re: Move S1C to On-prem

kaka — Fri, 13 Dec 2024 03:05:16 GMT

Hi @Martijn

Thanks you for your advises. let me include the mention step with my plan.

Regard,

Re: Move S1C to On-prem

the_rock — Fri, 13 Dec 2024 03:18:26 GMT

I think the fact you can make rulebase change from literally any computer with Internet access from anywhere in the world, is a biggest advantage, in my opinion.

Andy

Re: Move S1C to On-prem

kaka — Wed, 18 Dec 2024 03:48:56 GMT

Hi guys,

The success migration step with below detail:

Checkpoint Firewall Management migration plan

1. Change firewall IP address that connect to existing management

- Go to New mgmt on-prem via SmartConsole --> GATEWAYS & SERVERS

- Double click on gateway properties, On IPv4 Address: change from MaaS tunnel IP to MGMT IP.

2. Turn off the management tunnel where connected to existing management

- SSH to Gateways perform command:maas off

- Disable/Delete the maas_tunnel interface from topology: [Option]

3. Reset SIC on Firewall

- SSH to Gateway with export mode (without restart services)

cp_conf sic init [OTP] norestart

cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"

cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

4. Rejoin checkpoint gateways to new management

- Gateway Properies >

- Secure Internal Communication > Communication > Reset > Fill One-time password: [OTP]

- Install policy on gateways

6. Verification step

- Checkpoint firewall status on Dashboard.

- No alert on smartconsole dashboard

- Testing all blad are working fine.

7. Troubleshooting

- TAC involve

Thanks you for your help!!

Re: Move S1C to On-prem

the_rock — Wed, 18 Dec 2024 03:59:36 GMT

Awesome job!