topic Re: Migration to new GW with new Mgmt server in General Topics

Migration to new GW with new Mgmt server

jegan_s — Fri, 25 May 2018 09:18:25 GMT

Currently a cluster of Nokia GW is running with a Management server, we would like to migrate from Nokia to Checkpoint GW but with different mgmt. server. new mgmt. server has already many gateway integrated.

Steps that I am thinking to do,

1.Configuring the new GW.

2.creating a checkpoint object in the new mgmt. server.

3.replicating the policy.

4.establishing SIC on both GW

5.On the new mgmt server, establishing SIC from the cluster member of the new checkpoint object.

6.modifying the topology in the checkpoint object.

7.updating the antispoofing folder.

8.pushing the policy.

can any one assist me if I have missed anything.

Re: Migration to new GW with new Mgmt server

XavierBens — Sat, 26 May 2018 13:26:13 GMT

Well, this is an ideal situation

Prepare your new Security Gateways : configure/update O.S., configure network and all needed local little things (could be CoreXL, kernel values, files for RemoteAccess, ...) ; I propose you to even set up false IP addresses so that you can test all the setup in parallel of the actual Production environment you're replacing
Creating all your target rules and objects on the target Security Management Server ; BTW: do you know how to proceed? how many objects/rules you'll have to create? What is the actual version of SMS: pre-R80 or R80x?

At this step: you should have all configured, maybe using false IP address so that you can test new functionalities/inspection engines, maybe new blades, ... My advise is: take your time to test all of that especially if there is a big gap between actual version running on Nokia and your target version.

Then, when you'll be ready: just have to change interfaces' IP address and pushing policy.

Again, this is still ideal situation because if anything goes wrong and if you have a short period for cut-over: "unplug new SGs / plug old ones"

Some things should be also prepared before cut-over:

ISP/providers availability for assistance just in case ; for ARP issues: just force failover between nodes of your cluster so that Gratuitous ARP Requests will be sent
If you change/add new blades, prepare yourself to test such new functionalities (surely with other application owners or system owners)

Re: Migration to new GW with new Mgmt server

jegan_s — Thu, 07 Jun 2018 15:24:21 GMT

Hello Xavier,

Thank you for your response and Advice !

The new GW was used for some other services, so I have wiped out all network management configuration (Route, Interface and host entry).

both Nokia IP690 (Old FW) and Checkpoint 12200 (New FW) image is R77.30 Gaia

New Gateway is prepared with false IP address.

Policy has been replicated to new management server (There are other firewalls integrated with this mgmt server).

SIC established and I am able to push the policy to the new gateway.

but we are facing issues in configuring ClusterXL and VRRP in the new mgmt server cluster object, it is throwing error "Different members cannot have interfaces with the same IP address and Net Mask".

both members are using different ip address and Net Mask.

In Old Nokia firewall, we are using VRRP, So HA has been set in the 3rd Party configuration tab on the cluster properties.

Thanks

Jegan

Re: Migration to new GW with new Mgmt server

jegan_s — Wed, 13 Jun 2018 13:45:23 GMT

Hello All,

I forgot to remove Checkpoint mgmt IP address from the topology. after remove, I am able to change the cluster settings to VRRP.

Thanks

Jegan