topic Re: Calling VSX experts in Firewall and Security Management

Calling VSX experts

peter2020 — Mon, 07 Dec 2020 03:13:15 GMT

I have migrated our security manager over to a new server (different IP address) as it is a different location and now in the process of migrating our gateways over to this new server. We have some physical firewalls and some VSX firewalls. All the physical firewalls have now been migrated over which was quite simple by reconfiguring sic on both the firewall and new manger. However VSX ones seem to be a challenge. There doesn’t seem a great deal of documents on how to do this for VSX and what I have read you shouldn’t do the same ie cpconfig etc. Any advice on best way to do this for migration for VSX?

thanks

Re: Calling VSX experts

Kaspars_Zibarts — Tue, 08 Dec 2020 10:43:24 GMT

It's not a straight forward process and I would suggest to get professional services help if you have never done it before. There are multiple ways to migrate VSX, all depends on your actual environment. If you do want to try, check VSX provisioning tool in VSX admin guide.

first build the "non-VSX" part of the gateway, configure physical interfaces, DNS, NTP, mgmt routing, backups, users etc. Just as you did with the regular gateway
Create VSX cluster / VS-0 manually in the new mgmt (instead of regular cluster)
then you can use VSX provisioning tool to dump VSX config from old mgmt and then re-create them in the new using the same tool.

You will need to take care of any physical interface name changes in the scripts btw

That's in nutshell.

Re: Calling VSX experts

_Val_ — Tue, 08 Dec 2020 13:27:33 GMT

Migrating MGMT server to a new IP address is usually trivial with migtrate_server tool, and it does not require much to do on GW side, VSX or otherwise (other than ensuring implied rules cover the new MGMT object as well).

Could you please elaborate on why you are doing migration in several stages?

Re: Calling VSX experts

peter2020 — Tue, 08 Dec 2020 18:51:28 GMT

Hi Val - I have migrated the whole database to the new server ok using the migrate_server tool and that is fine. I have also established the gateways to connect to the new management server IP address by re-establishing sic on both the firewall and then the manager . All I have to do is get the VSX gateways to establish sic from the old manager to the new manager and what is the correct way/steps of doing this without breaking anything. There doesn't seem to be any documentation out there to do this and people don't seem to know how to do it correctly. Any knowledge you have on this would be very grateful? Many Thanks

Re: Calling VSX experts

peter2020 — Tue, 08 Dec 2020 18:56:08 GMT

Thanks for you message. The new manager has all the DB migrated from the old manager so has the firewalls and the contexts etc. The only issue I have is disconnecting the VSX gateways from the old management server to the new management server. VSX seems to be very temperamental and seems you cannot use cpconfig with the sic on gateways like a non vsx gateway. Doesn't seem to be any documents regarding VSX on how to this and the people I have spoken to so far don't seem to know the proper way of doing this

Re: Calling VSX experts

Maarten_Sjouw — Tue, 08 Dec 2020 23:54:48 GMT

Then I have a couple of questions for you:

Did you add a rule in the old situation to allow full access from the new IP to the gateways?
- if the answer is yes:
Did you try to push policy from the new server without resetting SIC to any of the normal gateways?
Did you try to push policy to the VSX gateways?

If the answer to the first question was No, please add that to the rules for the VSX Gateways and push policy from the old management to the VSX gateways and then try to push policy from the new management to the VSX gateways. Once this has succeeded, push the policy to the VSs.

Re: Calling VSX experts

_Val_ — Wed, 09 Dec 2020 08:17:55 GMT

That is exactly my point. SIC should work out of the box, no additional hustle, if everything is done correctly.

You do not need to re-establish SIC.

On old management you should add a dummy object as a secondary MGMT server, with IP address of the new MGMT server. After pushing policies on all FWs, shut down the old MGMT server and check SIC from the new one. It should work. If it does not, something in the middle is interfering.

All that under assumption you did not disable control connections in implied rules. If you did, on old MGMT you should also add an early explicit rule allowing control connections to/from FW & new MGMT IP.

Re: Calling VSX experts

Kaspars_Zibarts — Wed, 09 Dec 2020 10:29:10 GMT

I this scenario I would run vsx_util_reconfigure from new mgmt and re-build VSX to avoid any issues with certs and SIC. You would need to do reset_gw first.

Depends how much downtime can you have. But start with standby and once done fail over and re-build other one