This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CyberBreaker
Contributor
‎2020-02-11 09:04 AM
Jump to solution

Security Gateway Migration

Hi Guys,

I am task to migrate a security gateway purposely for VPN to a new 5600 NGTP with R80.20 OS. I would like to know how to migrate a security gateway, do I still need to do the migrate export and migrate import?

Thanks

0 Kudos
1 Solution

Accepted Solutions
mdjmcnally
Advisor
‎2020-02-12 01:02 AM
In response to CyberBreaker
Jump to solution

OK so the Security Policy is held on the Managment Server so that doesn't migrate.

What looking at is extracting the Gaia OS config and importing onto the new Box

You can use the show configuration command to display the current Gaia OS configuration from the unit.

You can take that output and place into a text file

Then edit the configuration to reflect the new Appliances Interface Names.   Don't know your current model so may not use the same interface names

You can then paste the file contents into the 5600 after running through the initial config wizard.  This should get your interfaces and routes into the box,

Obviously this only takes the Gaia Config so will need to look at other files that may have been modified

 

$FWDIR/boot/modules/fwkern.conf  - kernel paramaters

$FWDIR/conf/trac_client_1.ttm   - remote access client

 

Are the ones that I usually find the need to look at, again, probably worth checking the contents of all of these.    They may or may not exist in your environment.   Certainly the last 4 which are for RSA SecurID for instance.

  • $FWDIR/boot/modules/fwkern.conf
  • $FWDIR/boot/modules/vpnkern.conf
  • $PPKDIR/boot/modules/simkern.conf
  • $PPKDIR/boot/modules/sim_aff.conf
  • $FWDIR/conf/fwaffinity.conf
  • $FWDIR/conf/fwauthd.conf
  • $FWDIR/conf/discntd.if
  • $FWDIR/conf/cpha_bond_ls_config.conf
  • /var/ace/sdconf.rec
  • /var/ace/sdopts.rec
  • /var/ace/sdstatus.12
  • /var/ace/securid

 

Other people may be able to add other files to look at,

 

Can then establish SIC, license and push policy

View solution in original post

10 Replies
mdjmcnally
Advisor
‎2020-02-11 10:46 AM
Jump to solution

migrate export/import is a management level tool

 

When you say migrate do you mean migrate to be

a) new hardware - ie box replacement

b) move vpn in policy to new termination point

 

 

0 Kudos
CyberBreaker
Contributor
‎2020-02-11 07:29 PM
In response to mdjmcnally
Jump to solution

Hi @mdjmcnally 

What I mean is to move all configuration from old hardware (r77.x) to new hardware (r80.20).

Thanks

0 Kudos
mdjmcnally
Advisor
‎2020-02-12 01:02 AM
In response to CyberBreaker
Jump to solution

OK so the Security Policy is held on the Managment Server so that doesn't migrate.

What looking at is extracting the Gaia OS config and importing onto the new Box

You can use the show configuration command to display the current Gaia OS configuration from the unit.

You can take that output and place into a text file

Then edit the configuration to reflect the new Appliances Interface Names.   Don't know your current model so may not use the same interface names

You can then paste the file contents into the 5600 after running through the initial config wizard.  This should get your interfaces and routes into the box,

Obviously this only takes the Gaia Config so will need to look at other files that may have been modified

 

$FWDIR/boot/modules/fwkern.conf  - kernel paramaters

$FWDIR/conf/trac_client_1.ttm   - remote access client

 

Are the ones that I usually find the need to look at, again, probably worth checking the contents of all of these.    They may or may not exist in your environment.   Certainly the last 4 which are for RSA SecurID for instance.

  • $FWDIR/boot/modules/fwkern.conf
  • $FWDIR/boot/modules/vpnkern.conf
  • $PPKDIR/boot/modules/simkern.conf
  • $PPKDIR/boot/modules/sim_aff.conf
  • $FWDIR/conf/fwaffinity.conf
  • $FWDIR/conf/fwauthd.conf
  • $FWDIR/conf/discntd.if
  • $FWDIR/conf/cpha_bond_ls_config.conf
  • /var/ace/sdconf.rec
  • /var/ace/sdopts.rec
  • /var/ace/sdstatus.12
  • /var/ace/securid

 

Other people may be able to add other files to look at,

 

Can then establish SIC, license and push policy

CyberBreaker
Contributor
‎2020-02-13 06:53 AM
In response to mdjmcnally
Jump to solution

Hi @mdjmcnally ,

Even if I will not import the following files, it will still work right? By the way, I am using MEP for my remote access VPN, where is the configuration of that?

FILES:

  • $FWDIR/boot/modules/fwkern.conf  - kernel paramaters
  • $FWDIR/conf/trac_client_1.ttm   - remote access client
  • $FWDIR/boot/modules/fwkern.conf
  • $FWDIR/boot/modules/vpnkern.conf
  • $PPKDIR/boot/modules/simkern.conf
  • $PPKDIR/boot/modules/sim_aff.conf
  • $FWDIR/conf/fwaffinity.conf
  • $FWDIR/conf/fwauthd.conf
  • $FWDIR/conf/discntd.if
  • $FWDIR/conf/cpha_bond_ls_config.conf
  • /var/ace/sdconf.rec
  • /var/ace/sdopts.rec
  • /var/ace/sdstatus.12
  • /var/ace/securid

Thank you so much for the help.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-16 11:21 PM
In response to CyberBreaker
Jump to solution

That's considered part of the Security Policy, which is pushed from management.
0 Kudos
Mick1
Explorer
‎2020-12-01 09:46 AM
In response to PhoneBoy
Jump to solution

So, building the new box with the existing configs from the old box then pushing the policy with the VPN configs should bring everything over for remote access configs? 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-01 09:49 AM
In response to Mick1
Jump to solution

Yes

0 Kudos
Mick1
Explorer
‎2020-12-01 10:11 AM
In response to PhoneBoy
Jump to solution

Thanks dude for the reply! i had a couple more questions that i replied via email to the community. 

0 Kudos
muri_ruiz
Explorer
‎2024-04-01 09:59 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy 
About the license? We need open a ticket with CP to move? From a Appliance to another?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-12 02:41 PM
In response to muri_ruiz
Jump to solution

Unless you're dealing with Open Server, you're not usually moving licenses.
If IP addresses are changing, you will need Account Services to issue you new license(s).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events