Re: Move security gateways from different separate...

GABRIEL_MUMBOBI · ‎2018-10-10

Hello folks there,

i have tracked the forum hoping to find answer to my needs by i could not find any topic related to my concern.

may be one can help. My project :

I'm responsible of a project which purpose is to migrate the management of 21 security gateways managed locally to a centralized location within a an existing mds environment. All different sites (in diferent contries) are connected trough site-to-site VPN to the ecntralized sites were is located the mds.

Current architecture :

8 sites within the same VPN community with their firewall already remotely managed in the same domain server within the mds.

we are planning to move the management of 21 security gateways located in four different remote sites to this existing domain server. Each of these sites is connected to the central by site-to-site VPN.

Site A:

A cluster of two security gateways localy managed by a manager hosted by one of them.

Version R77.30

Site B :

2 clusters of two gateways each and two other standalone gateways (FW version R77.30 and R80.10), both locally managed by by a sms under R80.10

Site C :

A clusters of two firewalls with four other standalone firewall, both under 77.30 and managed by a sms under R80.10 version.

My change plan is to recreate manually objects and policy to the remote domain server (using public IP adresses for connectivity) and establish SIC, Reconfigure VPNs sincthere are different other VPN configured on each sites.

For the site A i will additionally rebuild the cluster memeber that host the management to be a simple security gateway.

In all casesone member should be move first to avoid a long downtime

My concern is : Is there another way to move this management to a centralized environment ?

I will appreciate your help

your

G_W_Albrecht · ‎2018-10-11

I find it a good idea to re-create all rules and objects in the new MDS. The alternative way is migrate export / import, see sk32506 upgrade_export command support on CMA for details.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

GABRIEL_MUMBOBI · ‎2018-10-12

Hi Günther,

thanks a lot for your comment. The SK32506 is not helpfull for since i will not move the management server to the remote MDS, only gateways will be managed by existing domain server in the remote MDS.

I could not find any topic related to my situation.

G_W_Albrecht · ‎2018-10-12

But you asked: Is there another way to move this management to a centralized environment ? Nad now you tell me that you will not move the management server to the remote MDS.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

GABRIEL_MUMBOBI · ‎2018-10-12

My apologize. I wouldn't mean moving the management server, but moving these gateways to the management server in the mds. As I stated above, this server is already managing 12 other remote gateways. My concernn is to know whether is there any other way to export policy and objects to the remote server than just manually creating each of object and single rule. In one of local manager I have more than thousend objects.

PhoneBoy · ‎2018-10-13

You've got a couple different issues here.

It sounds like Site A is a "Full HA" cluster (management + gateway on both members), which as I recall, you can't do a migrate export of. You'll have to do something like the following SK first: How to migrate Full HA environment to Distributed environment
For R80.10 > R80.10, you'll need to use this script, which will require some manual steps (recreating the gateway objects, cleaning up duplicate objects, etc): Python tool for exporting/importing a policy package or parts of it‌

Are you a member of CheckMates?

Move security gateways from different separated sms to an existing remote mds