Migrate R80.40 Full HA to distributed Management

K1ngb0rA — Tue, 10 Jan 2023 15:51:44 GMT

Hello Community,

today I would like to share my experience of a customer project where we need to migrate a Full HA cluster of two 4400 appliances to new 6200 appliances with distributed management.
Due to the lack of an official solution, I will explain the necessary steps we did to achieve this goal:

Replicate the installation and config from 4400 Full HA cluster to 6200 Full HA cluster

output of “show configuration“ to quickly restore basic interface settings and so on
“migrate export” and “migrate import” to restore database and configuration

Install new secondary security management server using the same version and Jumbo HF as the primary appliance node A
Configure a secondary security management server in SmartConsole by following the instructions in the R80.x Security Management Administration Guide in the chapter "Configuring a Secondary Server in SmartConsole"
Make sure that the management servers are synchronized (View High Availibility Status)
Execute the following commands on the primary management server appliance node A

cp_conf fullha del_peer
cp_conf fullha disable

Remove secondary appliance node B from the cluster and perform a fresh installation using the same version and Jumbo HF
- Run First Time Wizard without management
- restore basic interface settings from output of “show configuration“
- Add node B to the existing cluster again
- Install security policy
Change the former installed new secondary security management server to active
- “cpprod_util FwSetActiveManagement 0” on appliance node A
- “cpprod_util FwSetActiveManagement 1” on new management server
Restart SmartConsole and log in to new management server and make sure that the management servers are synchronized (View High Availibility Status)
Remove primary appliance node A from the cluster and perform a fresh installation using the same version and Jumbo HF
- Run First Time Wizard without management
- restore basic interface settings from output of “show configuration“
Promote the active management server to primary
- "$FWDIR/bin/promote_util"
- "cpstop"
- Remove the $FWDIR/conf/mgha* files
- "cpstart"
Create a new cluster with a different name
- Add appliance node A to the new cluster
- Configure the new cluster in the same way as the original old cluster (open a second SmartConsole session in read-only)
- Install security policy
Remove appliance node B from the old cluster, re-add it to the new cluster and install the security policy
Delete the old cluster
- Only after the steps 11. til 13. the old peers of the initial Full HA configuration disappears in the “View High Availibility Status”

for reference purpose the following knowledgebase and checkmates articles were used and point us in the right direction:

sk154033 - How to migrate R80.x standalone management environment to a distributed environment https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk154033

sk114933 - How to migrate Full HA environment to Distributed environment https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk44201

sk34495 - Changing the HA status of the Management station from command line https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34495

sk114933 - How to promote the Secondary Management server to become the Primary server https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114933

sk108902 - Best Practices - Backup on Gaia OS
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108902

CP_R80.40_SecurityManagement_AdminGuide
https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/96090/FILE/CP_R80.40_SecurityManagement_AdminGuide.pdf

How to migrate Full HA R80.30 environment to Distributed R81.10 environment
https://community.checkpoint.com/t5/General-Topics/How-to-migrate-Full-HA-R80-30-environment-to-Distributed-R81-10/m-p/161379#M26974

Re: Migrate R80.40 Full HA to distributed Management

_Val_ — Tue, 10 Jan 2023 16:56:25 GMT

Thanks for sharing

Re: Migrate R80.40 Full HA to distributed Management

PhoneBoy — Tue, 10 Jan 2023 19:14:59 GMT

I'm confused, are you migrating one Full HA cluster to another Full HA cluster (different hardware) or are you migrating a Full HA cluster to a new cluster with management on separate hardware?
The steps seem to suggest a Full HA cluster on new hardware.

Re: Migrate R80.40 Full HA to distributed Management

the_rock — Tue, 10 Jan 2023 19:31:40 GMT

Much appreciated for taking time to list all the steps, but Im with @PhoneBoy , also slightly confused, as your steps seem to insinuate migration to another full HA config, not distributed environment.

Re: Migrate R80.40 Full HA to distributed Management

K1ngb0rA — Wed, 11 Jan 2023 07:07:56 GMT

see steps 6. and 9. - the nodes were reinstalled without management.

and step 2. - Install new secondary security management - that is changed to active in step 7. and promoted to primary in step 10.

so at the end it is a cluster of two 6200 appliances with a virtual security management server.

step 1. was done for the case that the migration/conversation should not be successful - due to the mentioned lack of an official solution - to simply migrate the existing Full HA config to the new hardware.

topic Migrate R80.40 Full HA to distributed Management in General Topics

Migrate R80.40 Full HA to distributed Management

Re: Migrate R80.40 Full HA to distributed Management

Re: Migrate R80.40 Full HA to distributed Management

Re: Migrate R80.40 Full HA to distributed Management

Re: Migrate R80.40 Full HA to distributed Management