This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pavol_Toman
Explorer
‎2019-10-09 06:10 AM
Jump to solution

Merging multiple CMAs into one

Hello all,

Our Check Point MDS server has 4 CMAs (Domains) with approximately 10 firewall clusters in each (in total 80 security gateways). Whole environment, MDS and all the security gateways are owned by single customer. We are considering merging 4 CMAs into one and changing Multi Domain Management Server just to Management Server. Do you think it is a good idea or did someone of you such a migration? Any experiences how to do it in-house or do we need to engage Check Point professional services?

Thank you

2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-09 08:43 AM
Jump to solution

 

Hi @Pavol_Toman,

There is no way to merge several CMAˋs into one with R80.10 -R80.30 MDS tools.

This way could work.

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database.

This tool can be used for backups, database transfers, testing, and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!

Limitations:

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:

  • CMAs with a Global Policy assigned cannot be exported
    • Workaround: unassign the Global Policy prior to export
  • Gateway/Cluster objects have to be recreated
    • Placeholder objects will be created
  • UserCheck messages have to be recreated
    • Placeholder objects will be created
  • The Internal Certificate Authority will not be copied. This means:
    • Re-establishing SIC with the appropriate gateways
    • Re-generating VPN certificates
    • Manually recreating HTTPS Inspection and DLP Rules
  • Other objects not currently readable/writable via the R80.x API will not be copied

More here:

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-09 02:51 PM
In response to PhoneBoy
Jump to solution

With R80.40 only policy export and import is possible:

- SMS to CMA

- CMA to SMS

Merging should not be possible with the R80.40 MDS tools. 

Or did I get this wrong?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

4 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-09 08:43 AM
Jump to solution

 

Hi @Pavol_Toman,

There is no way to merge several CMAˋs into one with R80.10 -R80.30 MDS tools.

This way could work.

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database.

This tool can be used for backups, database transfers, testing, and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!

Limitations:

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:

  • CMAs with a Global Policy assigned cannot be exported
    • Workaround: unassign the Global Policy prior to export
  • Gateway/Cluster objects have to be recreated
    • Placeholder objects will be created
  • UserCheck messages have to be recreated
    • Placeholder objects will be created
  • The Internal Certificate Authority will not be copied. This means:
    • Re-establishing SIC with the appropriate gateways
    • Re-generating VPN certificates
    • Manually recreating HTTPS Inspection and DLP Rules
  • Other objects not currently readable/writable via the R80.x API will not be copied

More here:

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin
Admin
‎2019-10-09 01:26 PM
Jump to solution

It's possible some of this will be made easier with the introduction of R80.40.
Specifically, adding the ability to migrate a CMA to a standalone management server.
I believe the whole "Merging" of CMAs will require using a script like the following: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...
That said, this is the kind of thing you may want to engage Professional Services for.

Whether you should go through this exercise or not is a separate question.
Might be worth a chat with your Check Point SE.
HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-09 02:51 PM
In response to PhoneBoy
Jump to solution

With R80.40 only policy export and import is possible:

- SMS to CMA

- CMA to SMS

Merging should not be possible with the R80.40 MDS tools. 

Or did I get this wrong?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin
Admin
‎2019-10-10 01:27 PM
In response to HeikoAnkenbrand
Jump to solution

You're correct as far as I know.
Merging multiple CMAs together will still require export/import using a tool like the one referred to above.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events