This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
K1ngb0rA
Explorer
‎2023-01-10 07:51 AM
Jump to solution

Migrate R80.40 Full HA to distributed Management

Hello Community,

today I would like to share my experience of a customer project where we need to migrate a Full HA cluster of two 4400 appliances to new 6200 appliances with distributed management.
Due to the lack of an official solution, I will explain the necessary steps we did to achieve this goal:

  1. Replicate the installation and config from 4400 Full HA cluster to 6200 Full HA cluster
    • output of “show configuration“ to quickly restore basic interface settings and so on
    • “migrate export” and “migrate import” to restore database and configuration
  2. Install new secondary security management server using the same version and Jumbo HF as the primary appliance node A
  3. Configure a secondary security management server in SmartConsole by following the instructions in the R80.x Security Management Administration Guide in the chapter "Configuring a Secondary Server in SmartConsole"
  4. Make sure that the management servers are synchronized (View High Availibility Status)
  5. Execute the following commands on the primary management server appliance node A
    • cp_conf fullha del_peer
    • cp_conf fullha disable
  6. Remove secondary appliance node B from the cluster and perform a fresh installation using the same version and Jumbo HF
    • Run First Time Wizard without management
    • restore basic interface settings from output of “show configuration“
    • Add node B to the existing cluster again
    • Install security policy
  7. Change the former installed new secondary security management server to active
    • “cpprod_util FwSetActiveManagement 0” on appliance node A
    • “cpprod_util FwSetActiveManagement 1” on new management server
  8. Restart SmartConsole and log in to new management server and make sure that the management servers are synchronized (View High Availibility Status)
  9. Remove primary appliance node A from the cluster and perform a fresh installation using the same version and Jumbo HF
    • Run First Time Wizard without management
    • restore basic interface settings from output of “show configuration“
  10. Promote the active management server to primary
    • "$FWDIR/bin/promote_util"
    • "cpstop"
    • Remove the $FWDIR/conf/mgha* files
    • "cpstart"
  11. Create a new cluster with a different name
    • Add appliance node A to the new cluster
    • Configure the new cluster in the same way as the original old cluster (open a second SmartConsole session in read-only)
    • Install security policy
  12. Remove appliance node B from the old cluster, re-add it to the new cluster and install the security policy
  13. Delete the old cluster
    • Only after the steps 11. til 13. the old peers of the initial Full HA configuration disappears in the “View High Availibility Status”

 

for reference purpose the following knowledgebase and checkmates articles were used and point us in the right direction:

sk154033 - How to migrate R80.x standalone management environment to a distributed environment                https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

sk114933 - How to migrate Full HA environment to Distributed environment                https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

sk34495 - Changing the HA status of the Management station from command line                https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

sk114933 - How to promote the Secondary Management server to become the Primary server                https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

sk108902 - Best Practices - Backup on Gaia OS
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CP_R80.40_SecurityManagement_AdminGuide
https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/96090/FILE/CP_R80.40_SecurityManagement...

How to migrate Full HA R80.30 environment to Distributed R81.10 environment
https://community.checkpoint.com/t5/General-Topics/How-to-migrate-Full-HA-R80-30-environment-to-Dist...

 

1 Solution

Accepted Solutions
K1ngb0rA
Explorer
‎2023-01-10 11:07 PM
In response to the_rock
Jump to solution

see steps 6. and 9. - the nodes were reinstalled without management.

and step 2. - Install new secondary security management - that is changed to active in step 7. and promoted to primary in step 10.

so at the end it is a cluster of two 6200 appliances with a virtual security management server.

step 1. was done for the case that the migration/conversation should not be successful - due to the mentioned lack of an official solution - to simply migrate the existing Full HA config to the new hardware.

View solution in original post

4 Replies
_Val_
Admin
Admin
‎2023-01-10 08:56 AM
Jump to solution

Thanks for sharing

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-10 11:14 AM
Jump to solution

I'm confused, are you migrating one Full HA cluster to another Full HA cluster (different hardware) or are you migrating a Full HA cluster to a new cluster with management on separate hardware?
The steps seem to suggest a Full HA cluster on new hardware.

0 Kudos
the_rock
Legend
Legend
‎2023-01-10 11:31 AM
Jump to solution

Much appreciated for taking time to list all the steps, but Im with @PhoneBoy , also slightly confused, as your steps seem to insinuate migration to another full HA config, not distributed environment.

0 Kudos
K1ngb0rA
Explorer
‎2023-01-10 11:07 PM
In response to the_rock
Jump to solution

see steps 6. and 9. - the nodes were reinstalled without management.

and step 2. - Install new secondary security management - that is changed to active in step 7. and promoted to primary in step 10.

so at the end it is a cluster of two 6200 appliances with a virtual security management server.

step 1. was done for the case that the migration/conversation should not be successful - due to the mentioned lack of an official solution - to simply migrate the existing Full HA config to the new hardware.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top