Re: MDS 81.10 from 5150 to 6000XL

AleLovaz82 · ‎2024-10-07

Hi

I have a primary and secondary MDS ,two 5150 with 5 CMA and 81.10 Take 152 and almost 11 TB of logs.
I have to move everything ,log included, on the new 6000XL

my idea.

cpstop on smart1-primary
change ip on smart1-primary ( to continue to reach it in SSH for copy script and so on )
launch an mds_backup

configure 6000XL with the old ip of smart1-primary and same hostname
restore with an mds_restore

In this way SIC and communications with all my firewall should be granted withouth any mod.

I don't know how to manage the copy of the 11TB of logs.
If I use the mds_backup ,included log,i probably don't have enough space to locally save the backup.

Is possible to mount a folder from the 6000XL to the 5150 and directly save tehe backup on the 6000XL ?

Or is better to proceed with the mds_backup/restore excluding log ( -l flag ,if I remember well ) and then use SCP to copy log from the old location to equivalent location on the new MDS

so for example from the "old"
[Expert@MDS:0]# cd /var/log/mds_logs
[Expert@MDS:0]# ls
CMA1 CMA2 CMA3 ...
to the new equivalent folders.

Amir_Senn · ‎2024-10-07

This won't work.

We have entire SK of how to migrate IP in MDS, this is not trivial.

Also, you're DB won't be aligned with the IP - changing the IP doesn't change the IP that gateways try to fetch policy and send logs, it's the IP in SmartConsole and for every CMA it has another IP.

You can see all the important points in the following:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Top...

As for logs,

a. You can exclude logs in mds_backup (see Capture.PNG)

b. If you have much logs I would try to configure retention that answer your needs - might lower the amount of storage you use for logs. Also mind the indexing policy

c. You can move the logs to the server after the installation. The issue - they would need to be re-indexed. Re-indexing that much logs may take time and resources. See this SK for indexing: https://support.checkpoint.com/results/sk/sk111766

d. I know that you can mount external storage but I don't remember I tried with another CP server. You might find this useful: https://support.checkpoint.com/results/sk/sk66003#Upgrade

Kind regards, Amir Senn

AleLovaz82 · ‎2024-10-07

i will use the same ip of the old MDS

Amir_Senn · ‎2024-10-07

I edited my answer with more information after I finished a meeting. You're welcomed to take a look.

Kind regards, Amir Senn

AleLovaz82 · ‎2024-10-07

Also, you're DB won't be aligned with the IP - changing the IP doesn't change the IP that gateways try to fetch policy and send logs, it's the IP in SmartConsole and for every CMA it has another IP.

To be clear,I won't change ip.
I will use the same ip and hostname of the old Primary MDS so I should avoid all the problem related to changing ip/hostname.
I will change the ip of the OLD mgmt only for an SSH access to move the log

b. If you have much logs I would try to configure retention that answer your needs - might lower the amount of storage you use for logs. Also mind the indexing policy

I can't , the retention is configured as the customer asked,and so the indexing policy

c. You can move the logs to the server after the installation. The issue - they would need to be re-indexed. Re-indexing that much logs may take time and resources
the indexed log are less than 11 TB , is not a problem to manual reindex them , we index the last 15days for each CMA, but the customer want to store the old log on this machine

AleLovaz82 · ‎2024-10-10

hi Amir ,sorry but u want to point me to something that involve an ip change but as i wrote the idea is to use the same ip of the actual MDS the MDS itself and for all the CMA

Amir_Senn · ‎2024-10-10

On the contrary, I'm against changing IP.

On the original message you wrote you wanted to change IP but I may have misunderstood your intent.

My suggestion is to import the DB and configuration to the new appliance without actually connecting it to the network (different lab, serial console etc.), and when the operation finished, shut down the old one and replace between appliances.

Kind regards, Amir Senn

AleLovaz82 · ‎2024-10-10

i watn to change the ip of the actual MDS to reach it using SSH for moving log with SCP for example,but the NEW mds will have THE same ip

Amir_Senn · ‎2024-10-10

If you just want to use it to move files no problem. I talked about issues changing IP on running MDS and DB issues.

Just make sure to run "mdsstop". Another option is to move the logs temporarily to another servers.

Kind regards, Amir Senn

AleLovaz82 · ‎2024-10-16

i'll definitely change the vlan so that i can reach it from a new point to point from the new MDS ,but the old cannot reach the real management vlan.
this should be enought safe. thx 😉

emmap · ‎2024-10-13

If you do as you plan, migrate without logs etc, you can then just scp log files over the network between old and new servers. Just make sure you put the logs in the right folders. Once they are transferred they will be available but not indexed, if you want them indexed you can but if you just need them available just in case, no need to index them.

AleLovaz82 · ‎2024-10-16

good to hear! yep probably i'll move only the log that I must have indexed for tshoot purpose and leave the old MDS as repository ...basically i think i'll use it only as a linux server with a lot of storage 🙂

Are you a member of CheckMates?

MDS 81.10 from 5150 to 6000XL