Jones
Collaborator

How to perform Advanced Upgrade for CloudGuard Management version in Azure with a name and IP change

I have a SmartCenter on R81.20 on-premise and would like to go to a CloudGuard Azure SmartCenter. The name and IP address of the SmartCenter must change. The current name includes a character "-" that is not supported when creating a CloudGuard Azure SmartCenter, and the customer would also like a new name for his new SmartCenter.

There is sk155632: How to perform Advanced Upgrade for CloudGuard Management version in AWS, Azure, or GCP (Side-by-Sid...

This SK does not describe how to deal with a hostname change.

Then there is sk42071: Changing a Security Management (SmartCenter) Name (checkpoint.com)

So what is the recommended and supported path to go from an on-premise SmartCenter to an Azure CloudGuard SmartCenter with a new hostname and IP address?

0 Kudos

Accepted Solutions
PhoneBoy
Admin

Changing the IP of the management isn't an issue as the gateways will re-establish connectivity with the new management after a policy installation from the migrated management server.
Changing the hostname on your management will require resetting SIC as all the relevant certificates will need to be regenerated with the new name: https://support.checkpoint.com/results/sk/sk164055 
You can minimize the potential outage by employing this SK when resetting SIC on the individual gateways: https://support.checkpoint.com/results/sk/sk86521 

the_rock
Legend

You got the right answer from PhoneBoy.

Andy

0 Kudos
Jones
Collaborator

Thanks guys. I was thinking about how to bypass the reSIC because there are a lot of gateways to reSIC, and there are client VPNs and S2S VPNs in play.

In the R81.20 Installation and Upgrade Guide, it is described how to migrate an SMS to a DMS, and also from a DMS to SMS. When executing these two steps in order, a reSIC is not needed. The main CA will of course show the old name of the SmartCenter.

0 Kudos
PhoneBoy
Admin

You could theoretically perform the steps I suggested without reSICing and end up in the same basic place as that process.
Not entirely sure what issues result from the SIC name being different from the management hostname.

0 Kudos
