hcampuza
Participant

Move from MDS to Smart-1 Cloud

How can I move a firewall cluster from MDS to Smart-1 Cloud with zero downtime?

The policy package has been migrated already; I just need to change the management plane with no disruption. 

4 Replies
PhoneBoy
Admin

Forked this to a new thread.

There is a procedure to reset SIC without downtime for on-premise managed gateways: https://support.checkpoint.com/results/sk/sk86521 
Having said that, I'm not sure if activating the MaaS tunnel (used for Smart-1 Cloud management) requires a restart or not.

the_rock
MVP Diamond

Might be worth a TAC case to confirm.

Best,
Andy
"Have a great day and if it's not, change it"
Duane_Toler
MVP Silver

You can't do it with zero downtime, unfortunately. Moving to the MaaS tunnel is a new management path, especially since MDS-to-Smart-1 Cloud migration is a somewhat unique process, and so it requires a re-SIC of the gateway. You can do it with minimal downtime, however. It's a very fast change that you should be able to schedule; you just might not be able to schedule it "soon", depending on your organization.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
Martijn
MVP

Hi,

I did the same a couple of months ago. I did the following.

1. With the Import/Export API, exported the policy to Smart-1 Cloud.
2. Created new gateway and cluster objects in Smart-1 Cloud with the same settings as in MDS.

During a maintenance window we migrated the management to Smart-1 Cloud.

1. On the standby member performed a SIC reset without restarting the services.
2. Generated the MAAS tunnel key for the standby member.
3. Connected the standby member to Smart-1 Cloud with the SIC key from step 1.
4. Install policy on the standby member. Uncheck the option to install even if it fails on one member.

Repeated the steps above for the active member.

The backup plan was a SIC reset via cpconfig which will restart the services. This is also an option if you do it on the standby member first and perform a fail over once the standby member has a policy and is managed by Smart-1 Cloud.

We had a maintenance window, but I cannot recall any major outage when performing the procedure above. I am not sure this is a supported procedure, but it worked for our scenario.

Didn't notice the restart of services when setting up the MAAS tunnel, but did not monitor that too closely.

Just make sure you have a maintenance window and a good test plan. Also make sure you have control over the gateways at all times via console access.

Good luck,

Martijn
