Nbto
Iron

Question about license - Two MGMTs


Hello,

I'm starting to migrate from Gaia R77.30 to R80 and I'm wondering how the situation looks with the license.

I would like to add a new MGMT server with R80 (new IP) and keep the R77.30 as a backup if R80 is problematic.

The question is, can I have the same licenses on both machines but with different IPs?

Best Wishes

mdjmcnally
Silver

Re: Question about license - Two MGMTs


Short answer is YES, it is a separate Management Environment that won't see the other.

Longer Answer

If migrating to a new Management Server with a new IP address then you simply need to ensure that you re-license in UserCentre the Management License to the new IP address and install it to the new Management Server.

Obviously you have to re-license the Gateways to the new Management IP as well as part of the migration.

You then go live with the new Management Server and test everything, make sure it is working.

Your R77.30 Server can then be a rollback position if you are having issues with the R80 and cannot troubleshoot the issues. As the two cannot see each other at the Check Point level, there is no issue with them being the same license.

Obviously, however, any changes that are made won't be reflected in the R77.30, and once you start getting the R80 Gateway upgrades done the R77.30 is no longer relevant.


Re: Question about license - Two MGMTs


This is a very short-term thing, because what about the GWs and the services? What you can do is:

- keep the current license on R77.30 as backup

- generate fresh licenses to the new SMS IP (you will have to do the same for the GW licenses!)

Nbto
Iron

Re: Question about license - Two MGMTs

Thank you for the response!

Yes, but I mean two working MGMT servers:
* Like one main with R80 - different IP.
* Backup with R77.30 - different IP.
Both working in the same environment. I would like to manage GWs with the R80 one, but if some issues appear, use the R77.30.
Both on the same license.

Best Wishes!
mdjmcnally
Silver

Re: Question about license - Two MGMTs


OK NO that will not work.

You won't be able to use two Management Servers in the same environment like that at the same time with the same license.

What I would suggest for you is that you move to an R80 Management with the same IP/Hostname as the existing R77.30 system.  Unless you particularly need to change the IP.

That way, if you do need to roll back to the R77.30, it is simply a case of disconnecting the R80 from the Network and then connecting the R77.30.

Obviously any Changes you make on the R80 will NOT be in the R77.30.

Management HA, i.e. two Management Servers, requires:

A) On the same version

B) Separate Licenses


Nbto
Iron

Re: Question about license - Two MGMTs

Okay, so one last question.
If I generate a new license on the ChP site for R80 for a different IP and after migration something goes wrong and I would like to go back to my R77.30 (for some time, to keep the network stable), should I then generate another license? Or just download the previous one?
* sorry, I'm still fresh with ChP licensing

Thanks!
Nbto
Iron

Re: Question about license - Two MGMTs

I mean - if I go back to the previous version, which has a license on a different IP, should I generate another license for the old IP?
(To somehow actualise the CHP database)
mdjmcnally
Silver

Re: Question about license - Two MGMTs


Not a problem, very few people are totally comfortable with licensing.

OK, your R77.30 Management Server would continue to operate with the license that is attached and will continue to work.

IF you use a separate IP address then yes, you would need to generate a new license for the R80; however, the license installed on the R77.30 would still work.

Obviously you will also need to relicense the Gateway licenses to the new IP as well.

To fail back, you would then need to repeat the process, in that you tell the gateways about the R77.30 IP, allow connectivity, and then install policy to the gateways.

Then disconnect the R80 Management, connect the R77.30 Management, relicense the gateways back to the R77.30 and then push policy from the R77.30 to the Gateways.

Unless you NEED to change the IP of the Management Server, I would simply build the R80 offline and then import the management.

That way you won't need to relicense the gateways and won't need to worry about the management IP changing.

Nbto
Iron

Re: Question about license - Two MGMTs

Okay, thank you very much!

Re: Question about license - Two MGMTs

If you have 2 different MGMT servers with 2 different IPs then you'd have to re-SIC each gateway to connect to a given MGMT server.
mdjmcnally
Silver

Re: Question about license - Two MGMTs


No, you wouldn't, because SIC is at the Certificate Authority level, NOT the IP address level.

So if you migrate your R77.30 SmartCentre to an R80 SmartCentre on a different IP address, you also move the Certificate Authority over with the export/import process.

Before Export, what you do is:

Define a Node object with the IP of the new SmartCentre.

Place a rule in the policy allowing the Node to talk to the Gateway with Any Service.

Install the Security Policy.

Delete the rule and node.

Export the Management Database.

Import to the R80 Database.

Sort out the IP address in the SmartCentre Object if it was not auto-updated during the process.

SIC is still established, and you relicense the Gateways to the new SmartCentre IP and attach to the Gateways.

Install Policy from the R80 SmartCentre, which removes the Node and Rule from the Gateway; however, the Gateway sees the Object of the SmartCentre with the updated IP, and that then replaces the R77 IP, so the implied rules allow the traffic through the Security Policy, so the next connections from management server to gateway are done by Implied Rules.

The R80 SmartCentre however has the same ICA as the original one, so you do not need to reset SIC if you do the migration properly.

The only way you would need to do the SIC is if you don't have the Rule and Node prior to export, and that is down to the fact that the Management Server Object has the old IP, so it fails at the Firewall connection level, not the CA/SIC level.

Or if you created a completely new Management Server rather than migrating.

That is why SIC is IP independent, but if you change the IP of the Management Server you need that Node and Rule first.

The Thread Starter is migrating, so provided the migration process is done properly, there really shouldn't be a need to reset SIC.

Certainly, following it, I have not had to reset SIC when doing Management Migrations in over 10 years.
