Export CMA's from Multi-domain and import into a n...

Bob_Delinsky · ‎2018-11-28

I have a client that is moving away from a managed service provider that manages two of their gateway clusters (R77.30) via Multi Domain(Provider-1). The client wishes to build an internal SMS and manage the gateways themselves going forward. I am having trouble finding a Check Point SK for exporting CMA's from Multi-domain and importing into a single SMS sever, if this is even a supported path. Looking for a supported option if there is one, or would the customer need to purchase an MDSM license and import the CMA's directly into that? Thank you.

Ofir_Shikolski · ‎2018-11-28

I will recommend Check Point PS :Professional Services | Check Point Software

High level to "export" Domain (CMA) to SMS

1. Install secondary SMS - same fixes and etc..

2. Synchronize databases

3. Promote the SMS

Maarten_Sjouw · ‎2018-11-28

Wow, that is a long time ago that I heard this one being a solution.

Regards, Maarten

Bob_Delinsky · ‎2018-11-28

I like the idea, however there is no connectivity between where the new SMS is being built (Azure) and the current MSSP. They will not provide connectivity directly as its a managed service, will only provide an export. Layer 8 (political) partly in play here

Maarten_Sjouw · ‎2018-11-29

Bob,

Talked about this with a colleague of mine, he said, ok so you just build a secondary SMS, next to the MDS, in your environment. you sync it all make the SMS the master and do the migrate export from there.

Regards, Maarten

Bob_Delinsky · ‎2018-12-10

Thanks for the suggestion Maarten. I have used the secondary SMS as a method to export and bring over the database from the MDSM in the past. In this case, the MSSP would only provide the export of the CSA, could not get a secondary SMS stood up. What we ended up doing was taking the CSA export, build a new SMS VM in ESX, and was then able to Migrate Import the data after matching all add-ons (R77.30 + add on). The sticking point was the licensing and Re-IP of the SMS which others have mentioned in past posts and not being able to log in with Smart Conssole, but it is possible to remove all the MDSM related licenses, add an eval license locally, then Re-IP the SMS following sk40993, then applying a new permanent SMS license. Then reset SIC on the gateways, install policy and good to go.

Maarten_Sjouw · ‎2018-12-10

Bob,

You should have built a MDSM in ESX and and SMS next to it, the MDSM to import the |CMA and the Secondary SMS to move the CMA to a SMS.

There are a lot of problems, these can happen lets say 2 weeks after running all ok and then all the sudden it breaks.

So please do rethink your way forward.

Regards, Maarten.

Regards, Maarten

Soeren_Rothe · ‎2019-02-27

Maarten Sjouw

Maarten,

in the Check Point KB it is mentioned, that a migration from MDSM to SMS is officially not supported (sk33067).

Can you please tell me, if you tried this also on R80.10 / R80.20 ?

Thanks

Sören

Maarten_Sjouw · ‎2019-02-27

We did not have a need for this yet. But as you might have seen there is work ongoing at Check Point development in regarding the export and import tools for these possible directions:

SMS to DMS
DMS to SMS
DMS to DMS
SMS to SMS

That should cover all possibilities. See Eran Habad's answer in this thread

Regards, Maarten

peter_schumache · ‎2019-03-01

I've written a complete step-by-step guide on how to migrate a Provider-1 cma to a single SMS. Although it is several years old and based on R75.40VS, most of it ist still valid for R77.30.

You can get it here

Soeren_Rothe · ‎2019-03-01

Hi Peter,

thank you very much, but it doesn't work for R80.xx

Regards,

Sören

genisis__ · ‎2024-01-21

Has anyone actually managed to do this using the SK's?
I've tried and I'm getting errors when attempting to import, however I can't see any logs produced to give me a clue where to look.

Are you a member of CheckMates?

Export CMA's from Multi-domain and import into a new SMS