cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Export CMA's from Multi-domain and import into a new SMS

I have a client that is moving away from a managed service provider that manages two of their gateway clusters (R77.30) via Multi Domain(Provider-1). The client wishes to build an internal SMS and manage the gateways themselves going forward. I am having trouble finding a Check Point SK for exporting CMA's from Multi-domain and importing into a single SMS sever, if this is even a supported path.  Looking for a supported option if there is one, or would the customer need to purchase an MDSM license and import the CMA's directly into that? Thank you.

10 Replies
Employee+
Employee+

Re: Export CMA's from Multi-domain and import into a new SMS

I will recommend Check Point PS :Professional Services | Check Point Software 

High level to "export" Domain (CMA) to SMS

1. Install secondary SMS - same fixes and etc..

2. Synchronize databases

3. Promote the SMS

0 Kudos

Re: Export CMA's from Multi-domain and import into a new SMS

Wow, that is a long time ago that I heard this one being a solution. 

Regards, Maarten

Re: Export CMA's from Multi-domain and import into a new SMS

I like the idea, however there is no connectivity between where the new SMS is being built (Azure) and the current MSSP. They will not provide connectivity directly as its a managed service, will only provide an export.  Layer 8 (political) partly in play here

0 Kudos

Re: Export CMA's from Multi-domain and import into a new SMS

Bob,

Talked about this with a colleague of mine, he said, ok so you just build a secondary SMS, next to the MDS, in your environment. you sync it all make the SMS the master and do the migrate export from there.

Regards, Maarten
0 Kudos

Re: Export CMA's from Multi-domain and import into a new SMS

Thanks for the suggestion Maarten. I have used the secondary SMS as a method to export and bring over the database from the MDSM in the past. In this case, the MSSP would only provide the export of the CSA, could not get a secondary SMS stood up.  What we ended up doing was taking the CSA export, build a new SMS VM in ESX, and was then able to Migrate Import the data after matching all add-ons (R77.30 + add on). The sticking point was the licensing and Re-IP of the SMS which others have mentioned in past posts and not being able to log in with Smart Conssole, but it is possible to remove all the MDSM related licenses, add an eval license locally, then Re-IP the SMS following  sk40993, then applying a new permanent SMS license. Then reset SIC on the gateways, install policy and good to go.

0 Kudos

Re: Export CMA's from Multi-domain and import into a new SMS

Bob,

You should have built a MDSM in ESX and and SMS next to it, the MDSM to import the |CMA and the Secondary SMS to move the CMA to a SMS.

There are a lot of problems, these can happen lets say 2 weeks after running all ok and then all the sudden it breaks.

So please do rethink your way forward.

Regards, Maarten.

Regards, Maarten

Re: Export CMA's from Multi-domain and import into a new SMS

Maarten Sjouw

Maarten,

in the Check Point KB it is mentioned, that a migration from MDSM to SMS is officially not supported (sk33067). 

Can you please tell me, if you tried this also on R80.10 / R80.20 ? 

Thanks

Sören

0 Kudos

Re: Export CMA's from Multi-domain and import into a new SMS

We did not have a need for this yet. But as you might have seen there is work ongoing at Check Point development in regarding the export and import tools for these possible directions:

  1. SMS to DMS
  2. DMS to SMS
  3. DMS to DMS
  4. SMS to SMS

That should cover all possibilities. See Eran Habad's answer in this thread

Regards, Maarten
0 Kudos

Re: Export CMA's from Multi-domain and import into a new SMS

I've written a complete step-by-step guide on how to migrate a Provider-1 cma to a single SMS. Although it is several years old and based on R75.40VS, most of it ist still valid for R77.30.

You can get it here

0 Kudos

Re: Export CMA's from Multi-domain and import into a new SMS

Hi Peter, 

thank you very much, but it doesn't work for R80.xx 

Regards,

Sören

0 Kudos