This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Serhii_Yaholnyt
Contributor
‎2018-10-30 01:12 AM

How to migrate Full HA Cluster(r77.30 to r80.10)?

We have Full HA Cluster(as described in sk60443) on 4600 appliances R77.30. We want to migrate all configuration from it to 5400 appliances R80.10. How to make it correctly?

14 Replies
Serhii_Yaholnyt
Contributor
‎2018-10-30 04:05 AM
In response to PhoneBoy

Thank you for response. So, if I uderstood correctly, we have to upgrade on 4600 cluster and after that run migrate export/import and save/load configuration commands on respective appliances? Will this be enough to move completely from one to another appliance?

0 Kudos
Olga_Kuts
Advisor
‎2018-10-30 05:25 AM
In response to PhoneBoy

Hi Dameon,

As I understand we can use migration tools from R77.30 to R80.10. Will this be enough? I want to note that we need no only upgrade, but move configuration for another appliance.

0 Kudos
Vladimir
Champion
Champion
‎2018-10-30 05:36 AM
In response to Olga_Kuts

What are your target appliances models?

0 Kudos
Olga_Kuts
Advisor
‎2018-10-30 05:38 AM
In response to Vladimir

From 4600 to 5400, as Serhii described above. Full HA Cluster configuration.

0 Kudos
Vladimir
Champion
Champion
‎2018-10-30 05:55 AM
In response to Olga_Kuts

Sorry, didn't register first time around.

I've never done a full HA upgrades myself, but this looks to be the safe approach:

1. "Migrate Export" using old version of migration tools on old active cluster member

2. "Migrate Import" on the same version in intermediate VM environment

3. Install R80.10 migration tools in VM

4. Run pre-upgrade verifier

5. Remedy all conflicts discovered by verifier

6. Perform migrate export

7. configure the new cluster for full-HA in isolated environment (you can use offline CPUSE packages to get the version up to date)

8. Perform migrate import

9. Swap the units in production environment 

0 Kudos
Oliver_Fink
Advisor
Advisor
‎2018-11-04 11:58 PM
In response to Vladimir

I am not too familiar with Full HA Cluster, but some of our customers have one. My 2 cents are that I would run "migrate export" on the primary security management server. I would make it the active cluster member before.

Maybe this is not necessary, but I like to be on the safe side.   

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-11-05 12:55 AM
In response to Oliver_Fink

Runing migrate export is certainly good practise, but why when it is active node ? That is a thing i would never recommend to anyone !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Oliver_Fink
Advisor
Advisor
‎2018-11-05 01:03 AM
In response to G_W_Albrecht

After thinking about it for a moment I am quite sure that you are right: No need to use the active member. But I still would look for the primary SMS for migrate export.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-11-05 01:05 AM
In response to Oliver_Fink

According to documentation, this is the ONLY way to do it - all you can save from sec SMS node is the GAiA config, as the SMS part is installed by the first sync !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Danny
Champion Champion
Champion
‎2018-10-30 06:06 AM

Keep in mind that R80.10 management requires significantly more memory than R77.x management does. So your 5400 appliances should have at least 16GB RAM, 32GB would be better.

In your case I'd recommend:

  1. perform a fresh install of R80.10 (or R80.20) on the new 5400 appliances using the latest ISO build
  2. run the 1st time installation wizard and complete your basic OS configuration (Hostname, DNS, NTP, Routes, ..)
  3. use Check Point's R80.10 Upgrade Verification and Environment Simulation service
  4. download the latest Management Server Migration Tool and scp it to your primary 4600 appliance
  5. run the included pre-upgrade verification tool and check for any warnings or errors -> resolve them
  6. migrate export your R77.30 configuration with the downloaded Migration Tool and scp it over to your 5400 appliances
  7. migrate import your configuration, install database and policy, verify and test your migrated Full-HA cluster
  8. switch cables from your 4600 to your new 5400 appliance cluster
Olga_Kuts
Advisor
‎2018-10-30 11:52 PM
In response to Danny

Thanks a lot!

As for 3rd point:  Check Point's R80.10 Upgrade Verification and Environment Simulation servicenot support StandAlone installation unfortunately. 

And what about Security Gateway which is installed on this appliance too?

Also want to add that migrate export doesn't save Gaia OS configuration. I think we should save it separate.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-10-31 01:22 AM
In response to Olga_Kuts

You will find all needed information in sk108902 Best Practices - Backup on Gaia OS ! But i have to add that Full HA Cluster is not the configuration of my choice at all - if possible, make this move completely satisfying by changing to a distributed deployment with SMS in VM and 5400 GW cluster.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Daniel_Szydelko
Advisor
Advisor
‎2018-11-02 09:30 AM
In response to Olga_Kuts

You can run pre_upgrade_verifier script on full ha primary machine without issue. And yes, you need to backup Gaia OS configuration and prepare your draft to new platform.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top