kaka
Explorer
Move S1C to On-prem

Hello guys!

Because of the user experience with S1C, we decided to move from cloud to on-prem. I have 2 gateways running as ClusterXL. Currently the S1C version is R82 and the new mgmt runs R81.20 with the latest HF.

May I know the best practices for preparing to move the gateways to the new mgmt?

Note: The new mgmt is set up completely with the database imported from S1C, and objects and policies are synced.

Regards,

13 Replies
Lesley
Leader

Hi,

To be sure: is SIC already active between the new on-prem mgmt and all gateways? If you have done the import and the policies are in place, you are good to go. Did you already install policy with the new mgmt?

kaka
Explorer

Hi @Lesley,

Installing policy from the new mgmt is not done yet, because the gateways are connected to S1C through the tunnel interfaces.

Regards,

Martijn
Advisor

Hi,

I assume the on-prem SmartCenter has a new IP?

When you import the database, SIC is already OK. But the gateways have the old IP address in the database.
- On the old SmartCenter, create a dummy object for the new SmartCenter IP.
- On the old SmartCenter, include the dummy object in the rules between SmartCenter and gateways.
- On the old SmartCenter, push policy to the gateways.
- Traffic between the gateways and the new SmartCenter IP is allowed now.

- On the new SmartCenter, make sure traffic between the new SmartCenter IP and the gateways is allowed.
- On the new SmartCenter, push policy.

You can also follow sk86521 - How to reset SIC without restarting the Check Point services.
But make sure traffic between the new SmartCenter IP and the gateways is allowed by adding a dummy object.

Good luck.

Martijn

kaka
Explorer

Hi @Martijn,

Thank you for your advice. Let me include the mentioned steps in my plan.

Regards,

the_rock
Legend

Personally, I would not move from S1C to on-prem, but if that's the decision the user made, oh well :-). Anyway, what both @Martijn and @Lesley said is valid and I would follow those steps.

Andy

G_W_Albrecht
Legend

Why not contact TAC? They could give you hints and be prepared for RAS during the maintenance window when switching over, to resolve any unforeseen issues!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
D_TK
Advisor

We're thinking of going the other way: prem -> cloud for logging and management (10 gw clusters). Can you expand on the reasons why you're going back to prem? Thanks.

kaka
Explorer

Hi mate,

The main reasons are latency and user experience. Cloud is a bit slower than on-prem.

Regards, thanks

the_rock
Legend

I found, and this is just my personal opinion, that back in 2020, when I initially started working with S1C, it was not that great, I will admit. But now I find it's great and it has gotten way better since then. All customers are already upgraded to the R82 version in the cloud and I find the portal is actually even more responsive than before.

Again, my honest feedback about it.

Andy

kaka
Explorer

Yes, absolutely, R82 is better than the older versions for S1C. But it's the customer's choice.

the_rock
Legend

I think the fact that you can make rulebase changes from literally any computer with Internet access, from anywhere in the world, is the biggest advantage, in my opinion.

Andy

kaka
Explorer

Hi guys,

The successful migration steps, in detail:

Check Point Firewall Management migration plan
1. Change the firewall IP address that connects to the existing management
- Go to the new on-prem mgmt via SmartConsole --> GATEWAYS & SERVERS
- Double-click the gateway properties; under IPv4 Address, change from the MaaS tunnel IP to the MGMT IP.

2. Turn off the management tunnel connected to the existing management
- SSH to the gateways and run the command: maas off
- Disable/delete the maas_tunnel interface from the topology: [Optional]

3. Reset SIC on the firewall
- SSH to the gateway in expert mode (without restarting services)
cp_conf sic init [OTP] norestart
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

4. Rejoin the Check Point gateways to the new management
- Gateway Properties >
- Secure Internal Communication > Communication > Reset > Fill in the one-time password: [OTP]
- Install policy on the gateways

5. Verification step
- Check Point firewall status on the dashboard
- No alerts on the SmartConsole dashboard
- Test that all blades are working fine

6. Troubleshooting
- Involve TAC

Thank you for your help!!
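An added example, not from the thread and not Check Point's own tooling: an expert-mode shell script that wraps the SIC re-initialisation from step 3 of the accepted plan (the sk86521 command sequence) and adds the guard rail Martijn describes, namely proving that the gateway can reach the new SmartCenter IP before trust to the old management is thrown away. The assumptions are mine and are not stated in the thread: the gateway needs TCP 18191 (CPD/SIC) and 18210 (FW1_ica_pull, certificate pull) to the new management; `cp_conf sic state` output is classified by keyword because its exact wording differs between versions; `cpwd_admin list` shows a running process with STAT `E`; on a ClusterXL pair it is run on one member at a time; and the thread does not give the gateway version, which must not be newer than the R81.20 management that will take it over.

```shell
#!/bin/bash
# Added example (not from the thread): guard-railed SIC re-initialisation on a
# Check Point gateway that is being moved to a new on-prem management server.
# Run in expert mode, one ClusterXL member at a time:
#   ./sic_move.sh preflight <new_mgmt_ip>
#   ./sic_move.sh reset <new_mgmt_ip> <one_time_password>
# Assumptions (mine, not stated in the thread): ports 18191 and 18210 are what
# the gateway needs towards the new management; cp_conf/cpwd_admin output is
# matched by keyword because exact wording varies between releases.

# Ports the gateway must reach on the new management before SIC is reset.
required_mgmt_ports() {
    printf '%s\n' 18191 18210
}

# Classify `cp_conf sic state` output by keyword.
# Prints one of: established | initialized | uninitialized | unknown
classify_sic_state() {
    state=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$state" in
        *"trust established"*) echo established ;;
        *"uninitialized"*)     echo uninitialized ;;   # checked before "initialized"
        *"initialized"*)       echo initialized ;;
        *)                     echo unknown ;;
    esac
}

# TCP reachability without nc: bash /dev/tcp with a 3 s timeout.
tcp_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2 && exec 3>&-" 2>/dev/null
}

# Fail unless every required port on the new management answers.
preflight() {
    mgmt="$1"; rc=0
    for p in $(required_mgmt_ports); do
        if tcp_reachable "$mgmt" "$p"; then
            echo "ok   $mgmt:$p reachable"
        else
            echo "FAIL $mgmt:$p unreachable (allow the new mgmt IP in the current policy first)"
            rc=1
        fi
    done
    return $rc
}

# The sk86521 sequence quoted in the thread, run only after preflight passes,
# followed by a wait for CPD to come back so SmartConsole can complete the reset.
reset_sic() {
    mgmt="$1"; otp="$2"
    [ -n "$CPDIR" ] || { echo "CPDIR is not set: run this in expert mode"; return 1; }
    preflight "$mgmt" || return 1
    echo "before: $(classify_sic_state "$(cp_conf sic state)")"
    cp_conf sic init "$otp" norestart || return 1
    cpwd_admin stop  -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
    cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
    i=0
    # Assumption: cpwd_admin list prints "CPD <pid> E ..." once CPD is executing.
    until cpwd_admin list | grep -Eq '^CPD[[:space:]]+[0-9]+[[:space:]]+E'; do
        i=$((i + 1)); [ "$i" -lt 30 ] || { echo "CPD did not come back"; return 1; }
        sleep 2
    done
    echo "after: $(classify_sic_state "$(cp_conf sic state)") (expected: initialized)"
    echo "next: SmartConsole > gateway > Communication > Reset with the same OTP, then install policy"
}

case "${1:-}" in
    preflight) preflight "$2" ;;
    reset)     reset_sic "$2" "$3" ;;
    "")        : ;;   # sourced or run without arguments: only define the functions
    *)         echo "usage: $0 preflight <mgmt_ip> | reset <mgmt_ip> <otp>"; exit 2 ;;
esac
```

Run `preflight` from each member with the old management still in place; if a port fails, that is the moment to add Martijn's dummy object for the new SmartCenter IP and push policy from the old management, not after `maas off`. Only when both ports answer does `reset` touch SIC, and it still leaves the final trust establishment to SmartConsole, exactly as step 4 of the plan does.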
the_rock
Legend

Awesome job!
