Hi
I have a primary and secondary MDS, two 5150 with 5 CMA and 81.10 Take 152, and almost 11 TB of logs.
I have to move everything, logs included, to the new 6000XL.
My idea:
cpstop on smart1-primary
change IP on smart1-primary (to continue to reach it in SSH for copy script and so on)
launch an mds_backup
configure 6000XL with the old ip of smart1-primary and same hostname
restore with an mds_restore
In this way SIC and communications with all my firewalls should be granted without any mod.
I don't know how to manage the copy of the 11 TB of logs.
If I use mds_backup with logs included, I probably don't have enough space to save the backup locally.
Is it possible to mount a folder from the 6000XL on the 5150 and save the backup directly on the 6000XL?
Or is it better to proceed with the mds_backup/restore excluding logs (-l flag, if I remember well) and then use SCP to copy the logs from the old location to the equivalent location on the new MDS,
so for example from the "old"
[Expert@MDS:0]# cd /var/log/mds_logs
[Expert@MDS:0]# ls
CMA1 CMA2 CMA3 ...
to the new equivalent folders.
This won't work.
We have entire SK of how to migrate IP in MDS, this is not trivial.
Also, your DB won't be aligned with the IP - changing the IP doesn't change the IP that gateways try to fetch policy and send logs, it's the IP in SmartConsole and for every CMA it has another IP.
You can see all the important points in the following:
As for logs,
a. You can exclude logs in mds_backup (see Capture.PNG)
b. If you have many logs I would try to configure retention that answers your needs - might lower the amount of storage you use for logs. Also mind the indexing policy
c. You can move the logs to the server after the installation. The issue - they would need to be re-indexed. Re-indexing that many logs may take time and resources. See this SK for indexing: https://support.checkpoint.com/results/sk/sk111766
d. I know that you can mount external storage but I don't remember if I tried it with another CP server. You might find this useful: https://support.checkpoint.com/results/sk/sk66003#Upgrade
I will use the same IP as the old MDS
I edited my answer with more information after I finished a meeting. You're welcome to take a look.
Also, your DB won't be aligned with the IP - changing the IP doesn't change the IP that gateways try to fetch policy and send logs, it's the IP in SmartConsole and for every CMA it has another IP.
To be clear, I won't change the IP.
I will use the same IP and hostname as the old Primary MDS, so I should avoid all the problems related to changing IP/hostname.
I will change the IP of the OLD mgmt only for SSH access to move the logs
b. If you have many logs I would try to configure retention that answers your needs - might lower the amount of storage you use for logs. Also mind the indexing policy
I can't, the retention is configured as the customer asked, and so is the indexing policy
c. You can move the logs to the server after the installation. The issue - they would need to be re-indexed. Re-indexing that many logs may take time and resources
The indexed logs are less than 11 TB; it is not a problem to manually reindex them. We index the last 15 days for each CMA, but the customer wants to store the old logs on this machine
Hi Amir, sorry, but you want to point me to something that involves an IP change, but as I wrote, the idea is to use the same IP of the actual MDS, for the MDS itself and for all the CMAs
On the contrary, I'm against changing IP.
On the original message you wrote you wanted to change IP but I may have misunderstood your intent.
My suggestion is to import the DB and configuration to the new appliance without actually connecting it to the network (different lab, serial console etc.), and when the operation is finished, shut down the old one and replace between appliances.
I want to change the IP of the actual MDS to reach it using SSH for moving logs with SCP, for example, but the NEW MDS will have THE same IP
If you just want to use it to move files, no problem. I talked about issues changing IP on running MDS and DB issues.
Just make sure to run "mdsstop". Another option is to move the logs temporarily to another server.
I'll definitely change the VLAN so that I can reach it from a new point-to-point from the new MDS, but the old one cannot reach the real management VLAN.
This should be safe enough. Thx 😉
If you do as you plan, migrate without logs etc, you can then just scp log files over the network between old and new servers. Just make sure you put the logs in the right folders. Once they are transferred they will be available but not indexed, if you want them indexed you can but if you just need them available just in case, no need to index them.
Good to hear! Yep, probably I'll move only the logs that I must have indexed for tshoot purposes and leave the old MDS as a repository... basically I think I'll use it only as a Linux server with a lot of storage 🙂
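
An added example, not part of the thread and not Check Point tooling: one way to confirm, after the SCP copy discussed above, that every log file landed unchanged in the matching per-CMA folder. The folder and file names are constructed sample data, `cp -a` stands in for the network transfer, and `sha256sum` being available on both servers is an assumption.

```shell
#!/bin/bash
# Added example: check that per-CMA log folders arrived intact after a copy.
# CMA1/CMA2 and the file names below are constructed sample data.

# Print "sha256  ./CMA/file" for every file under a log root, sorted.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# Compare a manifest taken on the old server with the tree on the new one.
# Returns 0 only if both sides hold the same files, in the same folders,
# with the same hashes (extra files on the destination also fail the check).
verify_copy() {
    src_manifest=$1
    dest_root=$2
    tmp=$(mktemp)
    make_manifest "$dest_root" > "$tmp"
    if diff "$src_manifest" "$tmp" > /dev/null; then
        rm -f "$tmp"
        return 0
    fi
    # Entries only in the source manifest: missing, misplaced or altered.
    LC_ALL=C comm -23 "$src_manifest" "$tmp" | sed 's/^[0-9a-f]*  /PROBLEM: /'
    rm -f "$tmp"
    return 1
}

demo() {
    work=$(mktemp -d)
    mkdir -p "$work/old/CMA1" "$work/old/CMA2"
    echo "constructed log A" > "$work/old/CMA1/2026-01-01_000000.log"
    echo "constructed log B" > "$work/old/CMA2/2026-01-01_000000.log"
    make_manifest "$work/old" > "$work/manifest.txt"

    cp -a "$work/old" "$work/new"        # stand-in for the scp transfer
    verify_copy "$work/manifest.txt" "$work/new" && echo "clean copy: OK"

    # Simulate a file dropped into the wrong CMA folder.
    mv "$work/new/CMA2/2026-01-01_000000.log" "$work/new/CMA1/stray.log"
    verify_copy "$work/manifest.txt" "$work/new" || echo "misplaced file detected"
    rm -rf "$work"
}
demo
```

In practice the manifest would be generated on the old server, copied across with the logs, and checked on the new one before the old copies are removed.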