This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hazard139370
Explorer
‎2026-03-11 04:10 PM

Migration from old firewall to new firewall

I have sms with two firewalls added in a cluster they are already expired. recently my company bought two new firewalls.
My current infrastrucuture is based on 81.10 

Please tell me step by step process to migrate

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2026-03-11 04:49 PM

We need more information such as:

  • Current gateway type
  • New gateway type
  • What is the SMS on currently?
  • Is there new hardware for this also?
0 Kudos
Hazard139370
Explorer
‎2026-03-11 08:31 PM
In response to PhoneBoy

gateways are  used as internet firewall and appliance modelel is 15000 and my company bought two new 9400 appliance.
i have sms on vm . both sms and old firewalls are on version 81.10

i want to keep the same sms and add new firewall cluster to it

0 Kudos
PhoneBoy
Admin
Admin
‎2026-03-12 06:38 AM
In response to Hazard139370

The minimum software release for the 9400 is R81.20, though they are probably shipping with R82 (the current recommended release).
This and the fact R81.10 is End of Life suggests you should upgrade your SMS to R82 before doing anything else.
I agree with @the_rock that using the advanced migration process should be used.

The security policy is on the SMS.
Adding new gateways to it and pushing that same policy is relatively straightforward.
The basic Gaia configuration can be copied from one appliance to another. 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-03-11 05:42 PM

Here is what I had done few times with customers and this worked well.

I would build brand new mgmt and use below process to move all the policies and config over.

https://support.checkpoint.com/results/sk/sk135172

Then, once thats done, use below to replace the cluster:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/Replace-Upgrade-Cluster/td-p/69...

Now, if you want to keep same mgmt server, as long as its powerful enough to run new version (preferable at least R82), then upgrade it, so no need to run migrate server. Now, here is important part. As Heiko mentioned in replacing cluster post, its mandatory to ensure that interfaces on new firewalls are configured correctly to reflect topology in smart console cluster object. One way to make sure of that is to copy show configuration from clish off existing firewalls and the copy "bits and pieces" to new fw clish config.

Hope that helps.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Martijn
MVP
MVP
‎2026-03-12 10:01 AM

Hi,

Because new hardware is on a newer version, you must upgrade the SmartCenter first.
I agree @the_rock and would perform a advanced migration to a new SMS. I would then create the new cluster (if possible) in parallel on the new SMS.

When using this procedure, you can create the cluster using the new physical ports on the appliance and not worry they are different from the old hardware.

During a maintenance window, just switch over to the new cluster by switching the network cables of by disabling and enabling switch port.

Important note is you always have a roll-back option beacuse you leave the old setup untouched.

Good luck!!

Martijn

the_rock
MVP Diamond
MVP Diamond
‎2026-03-12 10:34 AM
In response to Martijn

That also works @Martijn . Mind you, just need to be careful about any possible IP address conflict, thats all.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Martijn
MVP
MVP
‎2026-03-12 11:05 AM
In response to Martijn

Another important tip.

If you decide to create two cluster objects (old and new) within the same SmartCenter, it is OK to give those clusters the same IP-addresses as long as only one cluster is connected to the network. For management (policy installs) I usally take two new IP-addresses in the management IP range (if possible) and make that interface Private instead of a Cluster interface. During migration you can disconnect old cluster and configure a VIP on the new cluster for that interface.

You can push policy to both cluster so a freeze is not needed. But...do NOT configure IPSec on both clusters. Pushing policy to two clusters with the same topology and IPSec enabled will break VPN tunnels. Perform that action during a service window.

Martijn

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events