Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

Export VPNPreshareKeys, SSLCerts, SSL Pvt/Pub Keys from Old Mgmt Server to New Management Server

Hi All,

I have a special requirement to migrate huge number of S2S VPN Tunnel configs from old Checkpoint Management server to New Management Server. However, I shouldn't export the complete configuration, so I can't use the supported options like snapshot backup or migrate export.

Requirement:

Currently multiple gateways integrated with and reporting to an Old Checkpoint Management Server.

As part of the migration project, we need to migrate most of these gateways to a new Checkpoint Management Server.

But, we shouldn't export the complete configuration from the old management server to the new management server.

So, we have manually fetched the objects, policies from the old management server using api mgmt_cli and imported to new management server after necessary filtering and tweaking using the same api.

Only challenge for us in this approach is, VPN Preshared keys for the existing tunnels - as a security practice we didn't record/document the preshared keys during deployment or later phases.

Also, it's not feasible to change the preshared key because we have more number of tunnels and not easy to coordinate with multiple third parties.

So, please suggest an option to fetch the SSL Crts, key files from the old management server and import it to the new management server in an easy method and also the considerations involved in this approach.

0 Kudos
3 Replies
Highlighted
Admin
Admin

Unfortunately, this information does not have supported API endpoints.
Even outside of that, I'm not sure how you'd get the necessary information.
0 Kudos
Highlighted

i think the best solution to use MGMT HA, have a look at sk39345 & sk54160.

Then swap to new MGMT server. this should be works but Must have identical Check Point versions and identical hotfixes installed.

 

0 Kudos
Highlighted

Hi,

But, we are not allowed to use existing configuration as such in any form of standard features supports importing of full DB. In HA it is going to sync complete Config/full DB as similar to other options like migration export or snapshot.

It is agreed by all stake holders to create Config from the scratch to fix many issues and compliance purpose as per the project requirement.

Normally, in other security appliances like F5 ADCs we can export the private keys from one appliance to other. So, I am looking for similar feature in Checkpoint, if available.

 

0 Kudos