topic Re: Management server relocation in Firewall and Security Management

Management server relocation

Michael_Horne — Thu, 11 Jul 2019 13:50:38 GMT

Hello,

We need to relocate the management server from a DC that is closing to a new DC environment. We are running the management server as a virtual machine. Currently we have a single management server.

I was wondering if anyone following scenario is possible or if anyone has experience with such a task:

Set up new management server in the new DC using a temporary license.
Configure the management server as a secondary management server.
Failover the to make the new management server the active server.
Move the license to the new management server.
Remove old management server.

I have concerns about this process as with a temporary license.

Normally you cannot download and upgrade the new management server to the same version as the old management server. Is it possible to manually import the jumbo Hot fix packages and install them when using a temporary license?

Can I form the management HA when using a temporary license?

Many thanks,

Michael

Re: Management server relocation

G_W_Albrecht — Thu, 11 Jul 2019 14:22:16 GMT

I would assume that just moving the SMS without changing the IP does not need any secondary SMS as step in between - a short maintenance window should be sufficient as long as the managed gateways are still running...

If you just copy the SMS VM, transfer it to the new DC, switch the old one off and the new one on all you will loose is the logs during transfer time (although it is possible to get them, too).

Re: Management server relocation

Michael_Horne — Thu, 11 Jul 2019 14:51:12 GMT

Hello,

I am not sure if it possible to just transfer the VM to the new location, as the VM environments are completely separated. I will check this. We would still need to change IPs after the migration.

Thanks,

Michael

Re: Management server relocation

Vladimir — Thu, 11 Jul 2019 17:18:15 GMT

If you have to change the IP of the management server anyway, consider creating new VM with the new loopback interface located in /32 network and declaring it as your management interface and two additional interfaces, with IPs in each of your DC networks.

Re-license your management server to this new IP.

If you can route to this IP from either location, you should be able to either move the VM into new DC or migrate export/import without further IP changes.

Re: Management server relocation

Maarten_Sjouw — Thu, 11 Jul 2019 21:46:18 GMT

Which version are you running at this moment in the old data center?
With R80.x there are no official migration tools like there were with R77.30 and there it was very well possible to export a SMS and import it to another newly installed machine with R77.30

Re: Management server relocation

Michael_Horne — Thu, 11 Jul 2019 22:03:09 GMT

Hello,

We are currently running R80.20. Interesting to know there are no official migration tools for this version.

Thanks,

Re: Management server relocation

Vladimir — Thu, 11 Jul 2019 22:33:42 GMT

Migration tools are where they always were:

$FWDIR/bin/upgrade_tools

use ./migrate export /var/log/nameofthefilewithoutextension

to produce a tgz

download it using SCP

create new VM with new IPs, upload the tgz to it and import the database on it.

Licenses must be re-issued for new IP address and re-applied.

If your ICA must be accessible from the outside, the routing to and from new SMS and the rules on the gateways pertaining to your management server must be adjusted.

See Migrating Database Between R80.20 Security Management Servers