
Migrate R77.30 standalone system to R80.10 Distributed system

Can anyone advise what the best approach is to migrate an R77.30 standalone system to an R80.10 distributed system?

I have a few firewalls running on R77.30 with hundreds of rules in them (some enabled with application filtering, some not), installed as standalone.

Now there is a requirement to upgrade all the firewalls to R80.10 and move all to the newly purchased Smart-1.

Your valuable advice is very much appreciated.

12 Replies
Danny

Re: Migrate R77.30 standalone system to R80.10 Distributed system

I would migrate export the R77.30 firewall management config and follow this procedure in order to properly import it to the Smart-1 Appliances (you may need to import to R77.30 first and then upgrade to R80.10). Then I would do a fresh install of R80.10 on the gateways.


Re: Migrate R77.30 standalone system to R80.10 Distributed system

It seems that sk61681 (it is written there in bold) as well as sk85900 (as the last change was two years ago) do NOT apply to R80.x. So the procedure would be to go for distributed R77.30, upgrade the SMS to R80.10 and then change the GW(s). I hope a way to go from R80.10 StandAlone to distributed will be provided soon...


Re: Migrate R77.30 standalone system to R80.10 Distributed system

The big issue is that he wrote that there is more than one standalone box.

Your approaches are fine for the first migration, but the others are manual work if the destination is not an MDM environment.


Re: Migrate R77.30 standalone system to R80.10 Distributed system

Yes, he will need to get several rulebases together on one Smart-1 using the cp_merge utility.


Re: Migrate R77.30 standalone system to R80.10 Distributed system

Appreciate all your valuable advice.

From the above comments and what I understood so far, here is how I am planning to proceed:

> Take a snapshot/backup of the current Security Gateway R77.30
> Export all the current configuration (Policies, firewall & NAT rules, Objects and services) from Security management server using Confwiz
> Do a clean installation of R80.10 as distributed and import the snapshot/backup taken earlier
> Use sk113078 to import the Security Management Server configurations to the new SMART-1 appliance

Current Setup:
1. R77.30
2. Standalone installation
3. hotfix - 286
4. Logserver within management gateway

=============
New setup:
1. R80.10
2. Distributed installation
3. Log server in Smart-1

==============

Let me know if anything is wrong with this approach.


Re: Migrate R77.30 standalone system to R80.10 Distributed system

Confwiz?! 

First you should do a snapshot and a backup, as you said. And preferably transfer them from the device. But you cannot import snapshot/backup created for R77.30 version into R80.10.

Then, it seems you need to create a temporary R77.30 management server (distributed deployment). It could be a virtual machine with a clean install. It is not clear if you have several standalone devices, each with its own local management server, or only one standalone device to which several firewalls are connected.

There is sk61681 which explains how to migrate from standalone device to separate management server on R77.30. You need also to collect cpinfo, as it is written in the SK (although, I am not sure why).

To export the security management part (Policies, Firewall and NAT rules, Objects and services) you should use R77.30 migration tools (migrate export command). Then do some manipulations with text files and import it to the temporary R77.30 machine with migrate import.

 

Then you use R80.10 migration tools to export database from temporary R77.30 machine and import it to the newly installed Smart-1. Don't forget to install the latest Jumbo Hotfix on it too.

There is a simpler way if you need to save only rules and objects (without certificates, users, some specific global settings). Use cp_merge export_policy to export only firewall and NAT rules (sk33751), and copy the $FWDIR/conf/objects_5_0.C file containing all objects and services from the old R77.30 device. Then use a temporary R77.30 installation configured as only a management server to import objects with cp_merge merge_objects and then import the policy with cp_merge import_policy. Delete the object of the old standalone device and create new firewall objects. Then use R80.10 migration tools to export the database from the temporary R77.30 machine and import it to the newly installed Smart-1.

Re: Migrate R77.30 standalone system to R80.10 Distributed system

Tried the last option you suggested, to import only rules and objects. It worked fine, however it didn't serve my purpose as my SMART-1 is not clean. It has other gateways/clusters added and policy files installed. When I import the new Object/Policy package, the old ones are getting removed. Not sure if there is any way to add on rather than overwriting the existing DB.


Re: Migrate R77.30 standalone system to R80.10 Distributed system

Usually that happens when I just replace $FWDIR/conf/objects_5_0.C file. But with cp_merge merge_objects command everything should be fine, it adds new objects from the copied file to the current database and shouldn't delete old objects. Basically, you should copy old $FWDIR/conf/objects_5_0.C file to some temp folder (/var/log/tmp), go there (cd /var/log/tmp) and run cp_merge merge_objects command there.

I was referring to this part of sk33751 :

Procedure: Import on target Security Management server

  1. Go to the target (merging) machine and create a temporary import directory, for example /home/admin/import. 
  2. Transfer all files that were exported from the source machine to the import directory. 
  3. Run the following from the import directory:
    • To merge the object files, run:

      [Expert@HostName]# cp_merge merge_objects 
    • To import Security policy, run:

      [Expert@HostName]# cp_merge import_policy -f <policy_name>.pol -n <new_policy_name>

      Each Security policy should be installed separately and named accordingly. 
      Repeat the previous step until all Security policies will be installed.

  • The merge operation uses the object name as a key. Objects with the same names in both the source and destination databases will not be merged, even if other properties (like IP address) are different. It is up to the administrator to resolve any issues with name collisions (this is best done by editing the source or destination databases before export / import).
  • cp_merge does not overwrite ANY duplicated entry - it will not enter any duplicate entry that already exists. (An entry is considered to be a duplicate if both the name and IP address are identical, no other values will be considered (NAT settings, object color etc.)).
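Added example (not part of the original thread or of sk33751): a pre-merge check that applies the two rules quoted above, object name as the merge key and name plus IP address as the duplicate test, to two object inventories before cp_merge merge_objects is run. The name,ip CSV layout, the sample objects and the function names are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample inventories (name,ip); not taken from any real database.
SOURCE_CSV = """name,ip
web-srv-01,10.1.1.10
db-srv-01,10.1.2.20
mail-gw,192.0.2.25
dns-int,10.1.0.53
"""
DEST_CSV = """name,ip
web-srv-01,10.1.1.10
db-srv-01,10.9.2.20
ntp-int,10.1.0.53
"""

def load(text):
    """Return {object name: ip_address} from a name,ip CSV listing."""
    return {r["name"].strip(): ipaddress.ip_address(r["ip"].strip())
            for r in csv.DictReader(io.StringIO(text))}

def premerge_report(source, dest):
    """Classify each source object by what a name-keyed merge does with it."""
    dest_by_ip = {}
    for name, ip in dest.items():
        dest_by_ip.setdefault(ip, []).append(name)
    report = {"new": [], "duplicate": [], "collision": [], "same_ip_other_name": []}
    for name, ip in sorted(source.items()):
        if name not in dest:
            report["new"].append(name)  # would be added by the merge
            if ip in dest_by_ip:
                # Name is the key, so this becomes a second object for one IP.
                report["same_ip_other_name"].append((name, sorted(dest_by_ip[ip])))
        elif dest[name] == ip:
            report["duplicate"].append(name)  # same name and IP: skipped
        else:
            # Same name, different IP: not merged; the destination definition
            # stays, so rename on one side before export/import.
            report["collision"].append((name, str(ip), str(dest[name])))
    return report

if __name__ == "__main__":
    for kind, items in premerge_report(load(SOURCE_CSV), load(DEST_CSV)).items():
        print(f"{kind}: {items}")
```

Every entry under "collision" is an object the imported rules would reference by name while the destination keeps its own address for that name, so those are the ones to review before the policy import.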

Re: Migrate R77.30 standalone system to R80.10 Distributed system

I am referring to this remark: 'Then use R80.10 migration tools to export database from temporary R77.30 machine and import it to the newly installed Smart-1'. In this scenario, my Smart-1 is not clean; it has a few clusters and policy packages. When I import the new database to it, existing policies and other configurations are removed.


Re: Migrate R77.30 standalone system to R80.10 Distributed system

I have the same problem.

I am planning to do all the configuration manually. But we have too many network objects.

Is it possible to export hosts and networks to csv? 

The current stand-alone appliance is running R77.20 and the new distributed appliances are R80.10.


Re: Migrate R77.30 standalone system to R80.10 Distributed system

Possible, refer to the below link:

 


Re: Migrate R77.30 standalone system to R80.10 Distributed system

Thanks for all your feedback, really appreciate it.

Considering the complexity and the lesser downtime allowed to me, below is the method I followed:

> Configured all the policies in the existing R80.10 management server (MDM) and kept it ready before my activity

> During the downtime, I reset Firewall 2 to the default R77.30 image

> Brought up the Firewall 2 and configured it as Gateway only (distributed)

> Upgraded the Firewall 2 from CPUSE (from R77.30 to R80.10)

> Configured basic settings such as interface and all from GUI/CLI

> Did the same to Firewall 1

> Created a cluster object and added both Firewall 1 and Firewall 2 into it (by initializing SIC)

> Marked the pre-configured policy file to the cluster and pushed the policy

The manual work for policy creation in the new R80.10 management server is a lot, however this method worked. :)
