Anestis_Koukis
Participant

How to migrate from Standalone HA with 5600 to distributed HA with 9100

We have a customer with Standalone HA 5600 NGTX Appliances on R81.10 Take 181 and we want to migrate to a distributed HA 9100 on the same version and then upgrade to R82 Take 43.

We have found the following sk179444

https://support.checkpoint.com/results/sk/sk179444

But in the limitations it says this sk is not supported for Full High Availability clusters.

 

Is there any other process that supports migration for HA, or can anyone suggest a procedure that they have done and that worked?

Best Regards

Anestis Koukis

0 Kudos
16 Replies
the_rock
MVP Platinum

Hey Anestis,

I really recommend engaging TAC here for an official answer, because if you use full HA, that sk definitely would NOT apply. 

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold

Just to check a few things.

Have you done the planning around the new management deployment for this solution?

- Platform choice - Appliance vs on-prem VM vs MaaS (Infinity Portal)

- Licensing and pricing

The management licenses on a SG appliance (9100 and 5600) are not transferable to a distributed management server. New licenses are required.

 

Is it definitely a pair of 5600 appliances in Full HA?

- Meaning that they are deployed as Management and Security Gateway on both boxes - Management HA and SG cluster.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui... 

 

Like Andy suggests, you can talk to TAC or maybe look into Professional Services options.

 

These are the more complex types of migrations.

 

0 Kudos
the_rock
MVP Platinum

I feel clean install here would be best.

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold

Yeah, I would always tend to think that a clean install of the SMS and SGs and adding the config after is a valid option to consider.

If the config is not massive then doing it manually may be less costly than the whole procedure of migration or PS.

There is always the API to show the config and transform as required and then API it into the new management server.

Then there are the Gaia show configuration and save configuration options if or when those will help with the firewall configurations 😉

Cheers,

Don

 

0 Kudos
the_rock
MVP Platinum

I agree, definitely depends on the size of the config.

Best,
Andy
0 Kudos
Anestis_Koukis
Participant

We have the idea to make a clean installation of the new SMS and the 9100 GWs on R82, then manually create the control plane in Gaia for the GWs, and then use cp_mgmt_api_python_sdk to export and import the policy from the old full HA Standalone to the new distributed SMS. But we don't know if the Python script will work correctly and also transfer the S2S VPN configuration.

0 Kudos
Don_Paterson
MVP Gold

One of the main challenges is the single object that appears in the current SmartConsole representing the SMS & SG. 

In the distributed deployment they are separate and appear separately in the relevant rules/policy configuration. For example the VPN that you've highlighted. 

You can do an export of objects easily in the Object Explorer and use that for the new build configuration. 

You can also use the API for that and policy configuration. 

You could inject a lot of the objects and rules into the new build quite easily with the API, but I imagine there will be some manual work around some configuration; again it's about the VPN (shared secrets?) and also configuration in Global Properties and Manage & Settings.

Someone will need to spend time planning, testing, and preparing before the cut over. 

I'll share an API command here later to show objects on the old and prepare for import to the new.

Regards,

Don 

0 Kudos
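Don describes showing objects on the old server with the API and preparing them for import into the new one. As an added example (mine, not Don's promised command and not part of cp_mgmt_api_python_sdk), the script below takes the JSON shape that `show-hosts` / `show-networks` with details-level "full" return, strips the server-generated fields (uid, domain, meta-info, read-only) and builds `add-host` / `add-network` request bodies; predefined objects from the "Check Point Data" domain are skipped because the new SMS already has them, and anything else, such as the combined SMS+SG object of the standalone, is listed for manual rebuild. The sample export, object names and addresses are constructed, and the `simple-gateway` type string used for the standalone object is an assumption to check against a real export.

```python
"""Rebuild Check Point Management API objects from an old SMS export for a new one.

Added example (not the thread author's script and not part of the Check Point SDK).
The input mimics "show-hosts" / "show-networks" output with details-level "full";
the output is the request body for "add-host" / "add-network" on the new server.
"""
import json

# Domain that holds predefined objects; these already exist on the new server.
PREDEFINED_DOMAIN = "Check Point Data"

# Constructed sample export from the old full-HA standalone (not real data).
OLD_SMS_EXPORT = {
    "objects": [
        {
            "uid": "11111111-aaaa-bbbb-cccc-000000000001",
            "name": "web-srv", "type": "host",
            "domain": {"name": "SMC User", "domain-type": "domain"},
            "ipv4-address": "10.1.1.10", "comments": "DMZ web", "color": "blue",
            "tags": [], "meta-info": {"creator": "admin"}, "read-only": False,
        },
        {
            "uid": "11111111-aaaa-bbbb-cccc-000000000002",
            "name": "lan-net", "type": "network",
            "domain": {"name": "SMC User", "domain-type": "domain"},
            "subnet4": "10.1.0.0", "mask-length4": 16, "comments": "", "color": "black",
            "tags": [], "meta-info": {"creator": "admin"}, "read-only": False,
        },
        {
            "uid": "11111111-aaaa-bbbb-cccc-000000000003",
            "name": "CP_default_Office_Mode_addresses_pool", "type": "network",
            "domain": {"name": PREDEFINED_DOMAIN, "domain-type": "data domain"},
            "subnet4": "172.16.10.0", "mask-length4": 24, "comments": "", "color": "black",
            "tags": [], "meta-info": {"creator": "System"}, "read-only": True,
        },
        {
            # The combined SMS+SG object of the standalone. Its type name on a
            # real export may differ (assumption); it must be rebuilt by hand.
            "uid": "11111111-aaaa-bbbb-cccc-000000000004",
            "name": "fw-5600-standalone", "type": "simple-gateway",
            "domain": {"name": "SMC User", "domain-type": "domain"},
            "ipv4-address": "192.0.2.1", "comments": "", "color": "black",
            "tags": [], "meta-info": {"creator": "admin"}, "read-only": False,
        },
    ]
}

# Optional attributes that carry over unchanged when they are set.
PORTABLE_FIELDS = ("comments", "color", "tags")


def to_add_payload(obj):
    """Return (command, body) for a host or network, or None if manual work is needed.

    Server-generated fields (uid, domain, meta-info, read-only) are never copied;
    the new server assigns its own.
    """
    kind = obj.get("type")
    if kind == "host":
        command = "add-host"
        body = {"name": obj["name"], "ip-address": obj["ipv4-address"]}
    elif kind == "network":
        command = "add-network"
        body = {"name": obj["name"], "subnet4": obj["subnet4"],
                "mask-length4": obj["mask-length4"]}
    else:
        return None
    for field in PORTABLE_FIELDS:
        if obj.get(field):
            body[field] = obj[field]
    return command, body


def plan_import(export):
    """Split an export into replayable API calls, skipped predefined objects and manual items."""
    calls, skipped, manual = [], [], []
    for obj in export["objects"]:
        if obj.get("domain", {}).get("name") == PREDEFINED_DOMAIN or obj.get("read-only"):
            skipped.append(obj["name"])
            continue
        result = to_add_payload(obj)
        if result is None:
            manual.append({"name": obj["name"], "type": obj.get("type")})
        else:
            calls.append(result)
    return calls, skipped, manual


if __name__ == "__main__":
    calls, skipped, manual = plan_import(OLD_SMS_EXPORT)
    for command, body in calls:
        # Each line is what you would pass to APIClient.api_call(command, body)
        # on the new SMS, followed by a "publish" once the batch is in.
        print(command, json.dumps(body))
    print("skipped (already on new server):", skipped)
    print("manual review:", json.dumps(manual))
```

In a real run the export comes from the SDK's `APIClient.api_query("show-hosts", "full")` (and the same for `show-networks`) against the old SMS, and each `(command, body)` pair is replayed with `api_call` against the new SMS and then published. Compare the "manual review" list against the VPN communities and Global Properties that reference the old standalone object before cut-over, since those are exactly the items the thread says need to be rebuilt by hand.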
the_rock
MVP Platinum

Yeah, I find that a big challenge as well, Don. It's always super tricky with full HA...

Best,
Andy
0 Kudos
the_rock
MVP Platinum

I personally feel that would be the best option here. Other than that, it sounds like Professional Services may be required.

Best,
Andy
0 Kudos
Anestis_Koukis
Participant

Hello, the planning was made by our presales and as aftersales we have to implement it. The 2 x 9100 have licenses for 3 years, and the same for the SMS on an open server.

The 5900 are on full HA Standalone; I have reviewed the configuration recently.

PS is not an option any more because we have already made the sale and it doesn't sound good to go to the customer now and ask for more cost.

I think the only option is TAC, but I believe they are going to gently tell me this is not a break-and-fix case.

the_rock
MVP Platinum

Truth be told, any TAC out there is indeed a break-fix shop, regardless of firewall vendor. They can give you some ideas and help you troubleshoot if things are not working, but as @Don_Paterson said, there would definitely be some manual work involved. Maybe not a bad idea to check with your local SE and see what they say.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

But maybe if PS were to be engaged, your local team can try to work something out to give the customer a discount.

Best,
Andy
0 Kudos
Anestis_Koukis
Participant

Hello guys, at the moment we are trying to simulate the following post in our lab using the open servers.

https://community.checkpoint.com/t5/General-Topics/Migrate-R80-40-Full-HA-to-distributed-Management/...

Due to the limited time we have until the end of the month, when the 5600 are going EOS, we are thinking as a first step to migrate the old full HA (standalone) with 5600 on R81.10 to a new full HA (standalone) with 9100 on R81.20, and then later on find out how we will go to a distributed model. I will try to keep the post updated.

I have one more question, because it is the first time we have come across a case like this. The 5600 are becoming EOS on 31/12/2025 and the subscription also ends on 31/12/2025. Does anyone know what will happen on 1/1/2026? Are the blades going to stop working, or will we just not get updates?

 

0 Kudos
Don_Paterson
MVP Gold

Why don't you reach out to your account manager or TAC and ask about the possibility of a short extension for support?

You have already purchased a new solution so they should consider it.

Having more time could allow you to do the migration and upgrade in one project.

 

Check Point does give a Grace Period after subscriptions contracts expire.

https://support.checkpoint.com/results/sk/sk44175 

https://support.checkpoint.com/results/sk/sk56300

https://support.checkpoint.com/results/sk/sk140212

 

0 Kudos
the_rock
MVP Platinum

Blades won't stop working, but you won't get any updates.

Best,
Andy
0 Kudos