Re: Migration of security gateway to Maestro

anikaralam · ‎2024-04-28

Current state
==============

Current SMS ==> R81.10 Jumbo Hotfix Take 109

Gateway 1 (2 Appliance) ==> R 81.10
Gateway 2 (2 Appliance) ==> R 81.10

Future state
=================

New SMS ==> Currently running 81.10 and need to upgrade to R81.10 Jumbo Hotfix Take 139

Maestro ==> R81.10
New security gateway/Group (2 groups and 4 new appliances)==> R81.10

The requirement is to migrate the current state to the Future state, Including all the configurations. Security gateway interface configuration will be done manually on Maestro uplink. My understanding is all other configs can take backup and restore

I'm looking for what is the best practice to do this migration.

would like to know if we need to upgrade Maestro and Security Gateway to R81.10 Jumbo Hotfix Take 139, Or is it good to keep it at 81.10 itself

While migrating the current device policy to the new security group will not get much lead time.

Also looking for correct order to do this Migration. Thanks in advance

Dario_Perez · ‎2024-04-28

Gateway 1 (2 Appliance) ==> R 81.10
Gateway 2 (2 Appliance) ==> R 81.10

is this a cluster right? if does maestro is represent as a single gateway so you need to create a new gw on smartconsole using only the VIP and replace the config

The recommended version is R81.20 you can use R81.10 as well, but take 109 is too old hotfix, we recommend to use latest GA

anikaralam · ‎2024-04-28

It's a cluster.

I'm looking for input more toward the best practice to do this migration.

emmap · ‎2024-04-29

You can't do any backup/restore from a normal cluster to a Maestro security group, you'll need to build it from scratch. It will need to exist in SmartConsole as a new gateway object, you won't be able to reuse the old cluster object.

anikaralam · ‎2024-04-29

After adding the new security group object(Gateway) in the new SMS (Similar to the existing cluster). Can we reuse any part of the existing config from the current SMS/Gateway cluster to the new SMS with Maestro.

emmap · ‎2024-04-29

You can migrate the SMS over as-is, you just can't reuse any of the existing gateway cluster object. Everything else is probably fine.

anikaralam · ‎2024-05-02

I'm looking for the checkpoint URL with the best practice to do this Migration. What is the best way to take backup from current SMS and two security policy and to import it to new SMS and respective policy to security group.

emmap · ‎2024-05-02

The Install and Upgrade Admin Guide for your version has this information in it. You'll want the Upgrade with Migration procedure.

anikaralam · ‎2024-05-02

Regarding the Migration, We configured a new SMS (R81.10 Hotfix 139) and two Security groups in Maestro.

Now need to migrate all object and security policies from the current SMS/Security gateway to the new one which is already configured and completely new IP address. Looking for documents that support this work.

emmap · ‎2024-05-06

That's doing it the hard way, it's possible to use the APIs to export and import objects and policies, I believe there was a tool on this board that could help with that, or you can contact your local sales office to engage CP Professional Services to assist.

Or you could just migrate your SMS the documented way and start again with setting up the Maestro gateway object.