This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Taylor
Contributor
‎2020-08-12 01:31 AM

How to Decouple Manager from Firewall

Hi,

I've inherited an R77.30 manager that runs off an actual firewall.

I've migrated the config to a standalone R80.40 VM and created a new management object and can install database but the old manager object (now a firewall object) is still lurking in the config - Smartdashboard think its involved in the mgmt ha and the tracker says there is no log server.

I edited the management/primary_management fields on the old object in guidbedit to false and after cpstop/cpstart fwm now dies so I cant get back in. fwm.elg says "fwm_cmain: error: cant initialize cpmi server: Address already in use".

I expect some entries from the registry need to be removed but dont know which (old manager object is install-on item for numerous NAT objects so its not so simple to grep).

I have a TAC case but I'm not confident there.

Any ideas?

Cheers,

Simon 

 

0 Kudos
6 Replies
_Val_
Admin
Admin
‎2020-08-12 01:48 AM

Several notes:

1. R77.30 is out of support for quite a few years.

2. You should not edit manually the properties. 

3. Migrate export / import procedure is the way to move management to a new platform. As part of it, you can also move SMS to a new IP address. The latter requires changing the licenses. The least effort procedure is to keep the same IP address of the management on the new machine. 

4. If you decide to keep the IP address, make sure you are migrating from an open server and not a Smart-1 appliance. If latter is the case, you will have to provision new license for your management server anyway.

0 Kudos
Simon_Taylor
Contributor
‎2020-08-12 02:01 AM
In response to _Val_

thanks @_Val_ although I don't think you understood the issue. I need to keep the firewall object but delete any evidence that it used to be a smart centre as well.  What I've created is a new smart centre object. Its 99% working I just need to remove the ghost HA peer. 

0 Kudos
_Val_
Admin
Admin
‎2020-08-12 02:31 AM
In response to Simon_Taylor

One can only understand what's being explained 🙂
Ok, so what you are trying to do is to move Standalone to distributed configuration. Did you follow sk44201? Specifically, look at step 22. FW module will have to be re-installed.

Simon_Taylor
Contributor
‎2020-08-12 04:40 AM
In response to _Val_

Fair enough and I do appreciate the help.

I did not know of that sk but what I have done is not too dissimilar. My condition now appears to be the same as this https://community.checkpoint.com/t5/General-Management-Topics/Removing-orphaned-Management-HA-depend...  (well at least the first screenshot) with the exception that my ghost mgmt ha peer is actually a firewall object I need. I'm in two minds to try deleting it and recreating as a new firewall object but it is used 200+ times in the policy/objects. 

0 Kudos
Sigbjorn
Advisor
Advisor
‎2020-08-12 05:51 AM
In response to Simon_Taylor

The where-used and replace function works quite well.

You could replace the gw object with a dummy object, delete it and import/add the new gateway, then do a new where-used->replace from the dummy to the new gateway.

0 Kudos
_Val_
Admin
Admin
‎2020-08-12 06:27 AM
In response to Simon_Taylor

If you still have the original standalone machine available (or its backup/migrate export file), follow the SK. It will yield clean results you are looking for. Otherwise, do what @Sigbjorn is recommending.

Quoted discussion is irrelevant, situation with R80.x standalone procedures is quite more complex.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events