Merging multiple CMAs into one
Hello all,
Our Check Point MDS server has 4 CMAs (Domains) with approximately 10 firewall clusters in each (in total 80 security gateways). The whole environment, MDS and all the security gateways, is owned by a single customer. We are considering merging the 4 CMAs into one and changing the Multi-Domain Management Server to just a Management Server. Do you think it is a good idea, or has any of you done such a migration? Any experiences with how to do it in-house, or do we need to engage Check Point professional services?
Thank you
Accepted Solutions
Hi @Pavol_Toman,
There is no way to merge several CMAs into one with R80.10 - R80.30 MDS tools.
This way could work.
ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database.
This tool can be used for backups, database transfers, testing, and more.
In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!
Limitations:
This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:
- CMAs with a Global Policy assigned cannot be exported
  - Workaround: unassign the Global Policy prior to export
- Gateway/Cluster objects have to be recreated
  - Placeholder objects will be created
- UserCheck messages have to be recreated
  - Placeholder objects will be created
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
  - Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied
More here:
With R80.40 only policy export and import is possible:
- SMS to CMA
- CMA to SMS
Merging should not be possible with the R80.40 MDS tools.
Or did I get this wrong?
Specifically, adding the ability to migrate a CMA to a standalone management server.
I believe the whole "Merging" of CMAs will require using a script like the following: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...
That said, this is the kind of thing you may want to engage Professional Services for.
Whether you should go through this exercise or not is a separate question.
Might be worth a chat with your Check Point SE.
Merging multiple CMAs together will still require export/import using a tool like the one referred to above.
