Re: Migrating Checkpoint Management Server from Hy...

praveen0312 · ‎2024-06-19

Hello Checkmates,

We have a Checkpoint Security Management Server (Gaia R81.10 JHF 150) managing two 5400 Gateways (Gaia R81.10 JHF 150) in a high availability cluster. The current SMS is an open server in Hyper-V. Our customer asked us to migrate all the servers we have in Hyper-V to Nutanix AHV. For this migration, Checkpoint TAC suggested me to build a new server in AHV and import the existing management database with migrate_server command to the new SMS in AHV.

I wanted to have your opinion on the below method.

Instead of importing management database with migrate_server command can I use the snapshot of the existing SMS in Hyper-V to build the new SMS in AHV?

Chris_Atkinson · ‎2024-06-19

A limitation of GAiA snapshots is that the source and destination hardware/appliance must be the same, so this would likely fall into unsupported territory.

CCSM R77/R80/ELITE

PhoneBoy · ‎2024-06-20

migrate_server is the best way to do this, yes.
I would also install the "new" VM on R81.20 which has a more up-to-date installer that should improve disk I/O (only occurs on fresh installs).

praveen0312 · ‎2024-06-21

Thank You @PhoneBoy and @Chris_Atkinson

Are there any prerequisites that I need to take care on the newly built server, before I import the database with migrate_server command?

I can keep the same IP address and Hostname as the old server. Does this impact the Licensing and SIC between the gateways and the new SMS? Or do I need to regenerate the license again and reestablish the SIC between the gateways and new SMS?

emmap · ‎2024-06-21

If you keep the same IP and hostname you will not have to reset SIC. The licenses will also be transferred over with the migrate.

PhoneBoy · ‎2024-06-21

migrate_server brings the licenses and SIC certificates across, so you don't lose anything there.
Even if you change the management IP address, simply pushing policy to the gateways from the new management will re-establish connectivity.
Depending on your policy configuration, you may need to perform an fw unloadlocal first (unloads security policy, so should be done in an outage window).

praveen0312

Hello @PhoneBoy @Chris_Atkinson @emmap

I am trying to build a new SMS in the Nutanix AHV. While trying to boot the Check_Point_R81.10_T335_Fresh_Install_and_Upgrade.tar image, I am getting the below warning on the screen.

Warning:- "No hard drives have been found. You probably need to manually choose device drivers for the installation to succeed. Would you like to select drivers now? Yes or No"

Could you please let me know what might be the reason for this warning?

And how can I resolve this?

Chris_Atkinson

You might have better luck with the images available in sk158292.

CCSM R77/R80/ELITE

PhoneBoy

Confirm your Nutanix version/product is one of the versions listed here: https://www.checkpoint.com/support-services/hcl/
Also, I would try the specific installation images in sk158292.

praveen0312

@PhoneBoy

Below is the Nutanix Product we are using.

Nutanix Acropolis Hypervisor

AHV Version:- 20201105.2298

AOS Version:- 5.20.4.6

In the link provided by you I found that only AHV versions 20170830.434, 20201105.2030 & 20201105.30398 are supported by Gaia R81.10.

Our AHV version is 20201105.2298 which is different. This seems like a compatibility issue.

Bob_Zimmerman

I don't know. It seems unlikely Nutanix would change the storage controller between build 2030 and build 2298.

Are you a member of CheckMates?

Migrating Checkpoint Management Server from Hyper-V to AHV