GuilletB
Participant

R80.10 management server with r77.30 log servers

Hi, 

I currently have two ST-150-00 appliances under R77.30 which are used for Network Policy Management / Endpoint Policy Management / logging.

I have already built 2 new open servers under R80.10 as our new management servers only and enabled High Availability. Pre-upgrade verification is fine.

My wish is to import my database from R77.30 to R80.10 but keep logs on our old appliance. The goal during the upgrade process is to keep our old server running for production with all gateways connected to it, and after the import of the DB, to connect only one gateway to the new management server, for testing.

1. Is it possible to have a different version on the log server and the Network Policy Manager?

2. Which steps should be done?

Many thanks for your support.

0 Kudos
12 Replies
Alejandro_Mont1
Collaborator

I think you're out of luck, not supported as stated in sk42080.

0 Kudos
mdjmcnally
Advisor

As already stated, your Log Server and Management Servers need to be on the same version for support.

If I understand you correctly, however, what you are looking to do is:

1.) Export the existing R77.30 Management to the new R80.10 Management

2.) Attach 1 Gateway to the R80.10 for testing

3.) Leave other Gateways on R77.30 whilst testing

4.) Move other Gateways to R80.10 once testing is complete

My question would be whether the Gateways have Site to Site VPN between them. I ask this as they will need to be able to verify the Certificates, and I wouldn't want to guarantee that, if you move management over, they will be able to verify the Certificate properly for the gateway that migrated to the new Management.

If there isn't any, then you could do this, though the Gateway that migrated management would also need to log to the R80.10 Log Server.

Just make sure that if you make any policy changes for the Gateways connected to the R77.30 Management, you update the R80.10 Management as well, as those changes would not be showing on the R80.10 Management.

As R80.10 will have a new IP, just make sure that when you try to connect the R77.30 Gateways to it, they have a rule installed permitting the new Management to connect, as that rule is not in the export.

0 Kudos
PhoneBoy
Admin

Why are you upgrading to R80.10 and not R80.30, which is the widely recommended release?
In any case, as others have stated, log servers must be on the same version as your management.
0 Kudos
GuilletB
Participant

Hi, thanks for your answer. The R80.10 version has been chosen by our manager.

We do not use Site to Site VPN.

My main concern in this project is to be able to keep my production environment under R77.30 during all tests.

So when I do my import on my new management server:

1. Can I keep my old appliance as a management server, or should I remove the role "Network Policy Management" from the old appliance directly after the import?

2. Are gateways under R77.30 directly connected to the new management server, and if yes, are they able to receive policy from both the old and new management server? (even if we have two distinct policy DBs)

3. It seems not to be possible to keep my old appliance under R77.30 to manage logs; is that correct? In this case I have no other choice than to upgrade my production environment to R80.10, is that correct?

4. Licences. I don't have much information on this part; should I move them to my new network management server? If yes, how can I do it?

Many thanks for your help.

Ben.

0 Kudos
mdjmcnally
Advisor

1.) Once a Gateway is connected to the new R80.10 Management, the R77.30 will not be part of the environment for that Gateway. You cannot be connected to two Management Servers of different versions. You can only do Management HA between two servers of the same software release. You can keep it on the Network, but it will not be talking to Gateways. You can leave it as a rollback point, but you would then need to reconnect the Gateways to the old management server.

2.) No, they won't be able to receive policy from both an R80.10 and an R77.30. You would need to perform a rollback, i.e. disconnecting the Gateway from the R80.10 and connecting it to the R77.30.

3.) Correct - Management Servers and Log Servers must be of the same version, so the R80.10 Management Server requires an R80.10 Log Server. So you will need to deploy an R80.10 Log Server alongside the R77.30.

4.) Check Point UserCenter is where you do License Management:

https://accounts.checkpoint.com/#/login/-SM-http%3A%2F%2Fusercenter.checkpoint.com%2Fusercenter%2Fin...

What I would strongly recommend is that you keep the R80.10 on the same IP as the R77.30 for the Management Server.

That way you won't need to worry about the IP address changing, or relicensing.

You do the migrate export from the R77.30 and then import to an offline R80.10. That will pull the licenses, ICA and admins across.

Then simply disconnect the R77.30 Management from the Network and plug in the R80.10.

Install Policy to the Gateways.

If there are issues, then you can roll back simply by disconnecting the R80.10 from the Network, connecting the R77.30 and installing policy.

No need to worry about re-licensing, and rollback is extremely simple.

The only downside is that ALL gateways would have to move over; however, if you are not familiar with the migration/rollback process, this will keep the process MUCH SIMPLER for you.

0 Kudos
PhoneBoy
Admin

I would question your manager's decision to go to R80.10, which is nearly 3 years old at this point.
R80.30 is our widely recommended release.
If your organization is fairly conservative, even R80.20 would be a significant improvement over R80.10.
0 Kudos
GuilletB
Participant

Morning. Sorry for the delay, we had to postpone this project to next week...
R80.10 has been chosen because of the lack of memory on our Gateways ( only 4 Gb ) and no budget right now to upgrade them before the next quarter. But as we need support available from Check Point, I would like to upgrade our existing environment to R80.10.

As I said:
2 appliances Smart-1 3150 (64 Mb )
Network Policy Management / Endpoint Policy Management / logging and status / monitoring / management portal / SmartEvent server / SmartEvent Correlation Unit
3 Threat Emulation TE 250X
29 Gateway clusters

What I already did:
1. Backup of my Smart-1 3150
2. Snapshot of my Smart-1 3150
3. Backup of logs of Smart-1 3150
4. Save configuration of Smart-1 3150
5. Pre-upgrade verification done
6. Export database
7. Download and verify of "R80.10 fresh install and Upgrade from R7X" on all equipment.
8. Install SmartDashboard R80.10 on a new server

My next steps for the upgrade will be:

1. Disconnect SIC from the Smart-1 3150 ClusterXL
2. Upgrade the "Standby" node, check if I'm still able to access the GUI of the appliance and add it under SmartDashboard.
The goal is to keep my master under R77.30 in case of issue during the upgrade.
3. If OK, upgrade the second Smart-1 3150 appliance
4. Add the second appliance under SmartDashboard
5. Enable SIC again between both appliances.
6. Push policy to connect all gateways.
7. Upgrade Threat Emulation boxes
8. Upgrade one Gateway cluster for test.

Thanks for confirming if my process looks good!

Many thanks for your support

Ben.

0 Kudos
PhoneBoy
Admin

You still could have upgraded the management to a later release and upgraded the gateways only to R80.10 and gained some benefits.

In terms of the upgrade, I think you have to take the migrate export from the primary.
You can't upgrade a secondary management, it needs to be installed fresh.
Once you re-establish Management HA and sync occurs, it should be ready to go.
0 Kudos
GuilletB
Participant

Hi PhoneBoy,

Thanks for your comments.

After reading a lot of your comments I'm wondering if a fresh reinstall should be done rather than a CPUSE upgrade on both of my old appliances, but as I don't have enough knowledge of Check Point products I'm a little bit under pressure 😉

What I tried is to install a new SMS server R80.10 ( with a new IP ) on a VM and perform the import of the DB on this VM. When I did it I lost access to the GUI of the open server ( wondering if it's related to this article https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) and when I try to access it from my dashboard I receive a licence error. I'm still able to have SSH access to my test open server, and when I had a look at licences with the cplic print command, all licences are linked to the old IP of my SMS.

The goal was to be sure that I have no trouble during the import if I make a fresh install of the SMS server.

Could you please confirm that it should be working even if the test server does not use the same IP as the old one? I have attached the migration report.

+ In case of a fresh install, how can I keep the logs which are sent by the gateways ( old ones )? What I did for the moment is a copy of all files that I have under /opt/CPsuite-r77/fw1/log ( 4.5 tb ). I saw that I just have to move them back under the new /opt/CPsuite-r80/fw1/log and that the index should be recreated automatically. Is that correct? I had a look at the export tools but they look to be used only if you have a 3rd party.

Regards,

Ben.

0 Kudos
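The post above describes copying the old log directory (4.5 TB of files) into the new installation's log directory before rebuilding the index. The following POSIX shell script is an added example written for this thread; it is not from the original post, from Check Point, or from any Check Point tool, and the two directory paths and the `*.log*` file pattern are assumptions taken from the post. It copies the log files preserving their timestamps and then verifies every file by checksum, so that the old copy is only removed once the new one is known to be intact.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): stage a copy of
# legacy firewall log files into a new log directory and verify the copy
# file-by-file before the originals are considered safe to delete.
# Paths below are assumptions taken from the thread, not product-verified.
set -eu

OLD_LOG_DIR=/opt/CPsuite-r77/fw1/log   # assumed source (from the post)
NEW_LOG_DIR=/opt/CPsuite-r80/fw1/log   # assumed destination (from the post)

# copy_logs SRC DST
# Copy every regular file matching *.log* (the .log data files and their
# companion pointer/index files) from SRC to DST, keeping mtime and mode
# so the original log dates survive the move, then verify the result.
copy_logs() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    # -p preserves timestamps/permissions; -maxdepth 1 avoids sub-directories
    find "$src" -maxdepth 1 -type f -name '*.log*' -exec cp -p {} "$dst"/ \;
    verify_logs "$src" "$dst"
}

# verify_logs SRC DST
# Return 0 only if every *.log* file in SRC exists in DST with an identical
# CRC and byte length (cksum reads stdin so the file name is not compared).
# Any missing or altered file makes the function return 1.
verify_logs() {
    src=$1
    dst=$2
    for f in "$src"/*.log*; do
        [ -f "$f" ] || continue          # no matches: glob stays literal
        name=${f##*/}
        [ -f "$dst/$name" ] || return 1  # file never made it across
        a=$(cksum < "$f")
        b=$(cksum < "$dst/$name")
        [ "$a" = "$b" ] || return 1      # truncated or corrupted copy
    done
    return 0
}

# Top-level usage: only runs when the script is executed directly with
# existing directories; functions above can be sourced on their own.
if [ -d "$OLD_LOG_DIR" ] && [ "${1:-}" = "--run" ]; then
    if copy_logs "$OLD_LOG_DIR" "$NEW_LOG_DIR"; then
        echo "log copy verified: $OLD_LOG_DIR -> $NEW_LOG_DIR"
    else
        echo "log copy FAILED verification, do not delete $OLD_LOG_DIR" >&2
        exit 1
    fi
fi
```

The verification step is the point of the script: with terabytes of files, a silently truncated copy is easy to miss, and re-indexing a damaged directory only hides the problem. Run the copy with `--run`, keep the old directory until `verify_logs` succeeds, and only then proceed with whatever index-rebuild procedure applies to the new version.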
GuilletB
Participant

FYI, 

The GUI access issue has just been solved.

0 Kudos
PhoneBoy
Admin

If you change IP, you will need to change the license to match.
Please work with Account Services on this.

As for importing old logs and having them show up in SmartView, you will need to perform the following procedure after doing so: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Maarten_Sjouw
Champion

Let me tell you AGAIN, from my experience, I would choose R80.30 any day over R80.10 for management when migrating an R77.30 management server.
The migration tools have been proven to be much, much better for R80.30 than they have ever been for R80.10.
Next to that you will get the benefits of the new filesystem and the 3.10 kernel.
Regards, Maarten
0 Kudos