Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
jegan_s
Participant

Migration to new GW with new Mgmt server

Currently a cluster of Nokia GW is running with a Management server, we would like to migrate from Nokia to Checkpoint GW but with different mgmt. server. new mgmt. server has already many gateway integrated.

Steps that I am thinking to do,

1.Configuring the new GW.

2.creating a checkpoint object in the new mgmt. server.

3.replicating the policy.

4.establishing SIC on both GW

5.On the new mgmt server, establishing SIC from the cluster member of the new checkpoint object.

6.modifying the topology in the checkpoint object.

7.updating the antispoofing folder.

8.pushing the policy.

can any one assist me if I have missed anything.

3 Replies
XBensemhoun
Employee
Employee

Well, this is an ideal situation

  1. Prepare your new Security Gateways : configure/update O.S., configure network and all needed local little things (could be CoreXL, kernel values, files for RemoteAccess, ...) ; I propose you to even set up false IP addresses so that you can test all the setup in parallel of the actual Production environment you're replacing
  2. Creating all your target rules and objects on the target Security Management Server ; BTW: do you know how to proceed? how many objects/rules you'll have to create? What is the actual version of SMS: pre-R80 or R80x?

At this step: you should have all configured, maybe using false IP address so that you can test new functionalities/inspection engines, maybe new blades, ... My advise is: take your time to test all of that especially if there is a big gap between actual version running on Nokia and your target version.

Then, when you'll be ready: just have to change interfaces' IP address and pushing policy.

Again, this is still ideal situation because if anything goes wrong and if you have a short period for cut-over: "unplug new SGs / plug old ones" Smiley Happy

Some things should be also prepared before cut-over:

  • ISP/providers availability for assistance just in case ; for ARP issues: just force failover between nodes of your cluster so that Gratuitous ARP Requests will be sent
  • If you change/add new blades, prepare yourself to test such new functionalities (surely with other application owners or system owners)
Information Security enthusiast, CISSP, CCSP
jegan_s
Participant

Hello Xavier,

Thank you for your response and Advice !

The new GW was used for some other services, so I have wiped out all network management configuration (Route, Interface and host entry).

both Nokia IP690 (Old FW) and Checkpoint 12200 (New FW) image is R77.30 Gaia

New Gateway is prepared with false IP address.

Policy has been replicated to new management server (There are other firewalls integrated with this mgmt server).

SIC established and I am able to push the policy to the new gateway.

but we are facing issues in configuring ClusterXL and VRRP in the new mgmt server cluster object, it is throwing error "Different members cannot have interfaces with the same IP address and Net Mask".

both members are using different ip address and Net Mask.

In Old Nokia firewall, we are using VRRP, So HA has been set in the 3rd Party configuration tab on the cluster properties.

Thanks

Jegan

0 Kudos
jegan_s
Participant

Hello All,

I forgot to remove Checkpoint mgmt IP address from the topology. after remove, I am able to change the cluster settings to VRRP.

Thanks

Jegan

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events