Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CyberBreaker
Contributor
Jump to solution

Security Gateway Migration

Hi Guys,

I am task to migrate a security gateway purposely for VPN to a new 5600 NGTP with R80.20 OS. I would like to know how to migrate a security gateway, do I still need to do the migrate export and migrate import?

Thanks

0 Kudos
1 Solution

Accepted Solutions
mdjmcnally
Advisor

OK so the Security Policy is held on the Managment Server so that doesn't migrate.

What looking at is extracting the Gaia OS config and importing onto the new Box

You can use the show configuration command to display the current Gaia OS configuration from the unit.

You can take that output and place into a text file

Then edit the configuration to reflect the new Appliances Interface Names.   Don't know your current model so may not use the same interface names

You can then paste the file contents into the 5600 after running through the initial config wizard.  This should get your interfaces and routes into the box,

Obviously this only takes the Gaia Config so will need to look at other files that may have been modified

 

$FWDIR/boot/modules/fwkern.conf  - kernel paramaters

$FWDIR/conf/trac_client_1.ttm   - remote access client

 

Are the ones that I usually find the need to look at, again, probably worth checking the contents of all of these.    They may or may not exist in your environment.   Certainly the last 4 which are for RSA SecurID for instance.

  • $FWDIR/boot/modules/fwkern.conf
  • $FWDIR/boot/modules/vpnkern.conf
  • $PPKDIR/boot/modules/simkern.conf
  • $PPKDIR/boot/modules/sim_aff.conf
  • $FWDIR/conf/fwaffinity.conf
  • $FWDIR/conf/fwauthd.conf
  • $FWDIR/conf/discntd.if
  • $FWDIR/conf/cpha_bond_ls_config.conf
  • /var/ace/sdconf.rec
  • /var/ace/sdopts.rec
  • /var/ace/sdstatus.12
  • /var/ace/securid

 

Other people may be able to add other files to look at,

 

Can then establish SIC, license and push policy

View solution in original post

10 Replies
mdjmcnally
Advisor

migrate export/import is a management level tool

 

When you say migrate do you mean migrate to be

a) new hardware - ie box replacement

b) move vpn in policy to new termination point

 

 

0 Kudos
CyberBreaker
Contributor

Hi @mdjmcnally 

What I mean is to move all configuration from old hardware (r77.x) to new hardware (r80.20).

Thanks

0 Kudos
mdjmcnally
Advisor

OK so the Security Policy is held on the Managment Server so that doesn't migrate.

What looking at is extracting the Gaia OS config and importing onto the new Box

You can use the show configuration command to display the current Gaia OS configuration from the unit.

You can take that output and place into a text file

Then edit the configuration to reflect the new Appliances Interface Names.   Don't know your current model so may not use the same interface names

You can then paste the file contents into the 5600 after running through the initial config wizard.  This should get your interfaces and routes into the box,

Obviously this only takes the Gaia Config so will need to look at other files that may have been modified

 

$FWDIR/boot/modules/fwkern.conf  - kernel paramaters

$FWDIR/conf/trac_client_1.ttm   - remote access client

 

Are the ones that I usually find the need to look at, again, probably worth checking the contents of all of these.    They may or may not exist in your environment.   Certainly the last 4 which are for RSA SecurID for instance.

  • $FWDIR/boot/modules/fwkern.conf
  • $FWDIR/boot/modules/vpnkern.conf
  • $PPKDIR/boot/modules/simkern.conf
  • $PPKDIR/boot/modules/sim_aff.conf
  • $FWDIR/conf/fwaffinity.conf
  • $FWDIR/conf/fwauthd.conf
  • $FWDIR/conf/discntd.if
  • $FWDIR/conf/cpha_bond_ls_config.conf
  • /var/ace/sdconf.rec
  • /var/ace/sdopts.rec
  • /var/ace/sdstatus.12
  • /var/ace/securid

 

Other people may be able to add other files to look at,

 

Can then establish SIC, license and push policy

CyberBreaker
Contributor

Hi @mdjmcnally ,

Even if I will not import the following files, it will still work right? By the way, I am using MEP for my remote access VPN, where is the configuration of that?

FILES:

  • $FWDIR/boot/modules/fwkern.conf  - kernel paramaters
  • $FWDIR/conf/trac_client_1.ttm   - remote access client
  • $FWDIR/boot/modules/fwkern.conf
  • $FWDIR/boot/modules/vpnkern.conf
  • $PPKDIR/boot/modules/simkern.conf
  • $PPKDIR/boot/modules/sim_aff.conf
  • $FWDIR/conf/fwaffinity.conf
  • $FWDIR/conf/fwauthd.conf
  • $FWDIR/conf/discntd.if
  • $FWDIR/conf/cpha_bond_ls_config.conf
  • /var/ace/sdconf.rec
  • /var/ace/sdopts.rec
  • /var/ace/sdstatus.12
  • /var/ace/securid

Thank you so much for the help.

0 Kudos
PhoneBoy
Admin
Admin
That's considered part of the Security Policy, which is pushed from management.
0 Kudos
Mick1
Explorer

So, building the new box with the existing configs from the old box then pushing the policy with the VPN configs should bring everything over for remote access configs? 

0 Kudos
PhoneBoy
Admin
Admin

Yes

0 Kudos
Mick1
Explorer

Thanks dude for the reply! i had a couple more questions that i replied via email to the community. 

0 Kudos
muri_ruiz
Explorer

@PhoneBoy 
About the license? We need open a ticket with CP to move? From a Appliance to another?

0 Kudos
PhoneBoy
Admin
Admin

Unless you're dealing with Open Server, you're not usually moving licenses.
If IP addresses are changing, you will need Account Services to issue you new license(s).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events