Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor

Migrating policies from standalone gateway to new management server

Jump to solution

Hi all, 

 

 

I'm hoping you will be able to point me in the correct direction here, a lot of the documentation i have seen and read so far seems ambiguous or is not specific the version or scenario i have. 

 

We are replacing our management servers (HA pair) of Smart-1 50 with a pair of 5150's. Now the interesting part of this, that I am still trying to understand is that the new servers will be using a new hostname and IP address. 

 

Does anyone have any links or articles they know of that would outline the required steps?

 

So far my plan is something along the lines of

 

1. Take migrate export from the existing management server 

2. Import the export into the new primary appliance

3. Log into the console and update references of the old manager with new IP addresses 

4. Migrate firewalls individually to the new appliances (reset sic and push policy) 

 

I have been out of touch with CheckPoint equipment for the best part of a year so any help is appreciated. 

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Collaborator

Yes, I think it's better to perform the sic_reset first so that you can ensure everything is working properly with the changed name. This takes 1 variable out of the equation when migrating to the new appliance. The Certificate Authority reset has the potential for high impact but if you don't have many gateways should be workable. I would involve TAC before beginning as R80x can add some complexity to the process.

View solution in original post

0 Kudos
3 Replies
Highlighted
Collaborator

Will the target machines be on the same version as the source Smart-1 50s? As the hostname is tied with the Certificate Authority if you change it communication needs to be re established to all gateways. VPN tunnels may also be impacted. I'd probably complete steps in following order:

1. Create plain host nodes with new target IPs. Put them in any rules that the management servers are currently in.

2. Change hostname of source appliances to target name, perform fwm sic_reset (sk14532). Initialize CA in cpconfig, establish communication to all gateways (sk86521). Install policy to all gateways.

3. Perform migrate export using target version of tools (no need to use other tools if going to same version)

4. Migrate import, remove host node objects created in step 1. On secondary management server object, change name and reset SIC. Establish SIC to new server using new IP.

 

You referenced a standalone gateway however the Smart-1 50 is only a management server as far as I know.

0 Kudos
Highlighted
Contributor

Hi 

 

Thanks for the response. 

 

The management servers are currently on R80.10 and will be getting migrated to the same version with a view to upgrading to R80.20 when fully migrated. 

You are correct i mentioned standalone gateway, that was a mistake on my part. apologies, the title should have been something along the lines of "Migrating policies from distributed management HA to new hardware". 

I see, so you believe it would be easier to migrate with the hostname changed on the current management server before performing the export/import?

Thanks in advance.

0 Kudos
Highlighted
Collaborator

Yes, I think it's better to perform the sic_reset first so that you can ensure everything is working properly with the changed name. This takes 1 variable out of the equation when migrating to the new appliance. The Certificate Authority reset has the potential for high impact but if you don't have many gateways should be workable. I would involve TAC before beginning as R80x can add some complexity to the process.

View solution in original post

0 Kudos