aboo008
Participant

Moving current Policies/Database from R80.40 Smart-1 to R81 VM- Open Server - need proper steps

Hi Team,

We have a management cluster running R80.40 that manages 2 Cluster Gateways in HA. I would like to copy the policies over to the new Management server (currently it has a different IP and I would like to keep that different IP). We also have new Gateway clusters that we will be moving to, so the new design currently has 2 Management servers in HA (Open Servers) and 2 Clusters of 7000 series appliances in HA. What will be my ideal method to move everything over and do a cutover under downtime? First would be to migrate my current policies over to the new VM server and change IPs so they won't duplicate. Second will be to export the backup of the gateways and change IPs offline so they won't duplicate. The night of the cutover we will just move cables to the new gateways and call it a day. Please assist with the details of how this can be achieved. Please see the attached files showing how they are currently configured and the new setup as well. Thank you.

0 Kudos
2 Replies
Bob_Zimmerman
Authority

As long as you keep the management's hostname the same, you should be able to move with just 'migrate export' on the old one (remember to use the new migrate tools!), 'migrate import' on the primary VM, change the IP in the object, import your licenses as needed, and push. No outage, since the management just manages the rules, it doesn't enforce them. You can do this in advance to confirm the rules are all present in their new home, though it's my understanding you can only 'migrate import' on a system once; to import again, you should reinstall the OS on the management VM again. It's a VM, so that part should be easy.

Licensing would probably be the most difficult part. Every license you have using the old management IP would need to be generated again for the new IP, imported to the new management server, and applied where relevant. This would definitely include the license for the management server itself, but would also include any centrally-licensed firewalls. Honestly not too bad, just something to remember.

The firewalls can be swapped in another step. I would personally do them in a whole different window, but I'm averse to changing multiple things in one window in general. If you're sure you want to, they can be swapped in the same window.

I would treat it like replacing failed cluster members. Shut down the old one, bring up the new one with all the same IPs as the old firewall, establish SIC, push policy. Force a failover, then do the next one.

Changing a management server's name is where things get complicated. The management server has an internal certificate authority it uses for SIC which is signed to its name. To change the name, you have to reset the internal certificate authority. If you need to change the name, you'll have to discuss it with the TAC, as the steps involved are dangerous to the management server.

0 Kudos
aboo008
Participant

Thanks for the response, Bob. We bought new licenses for the new Open Server, which have now been applied.

Just to clarify, we have the new management servers up and licenses have already been applied to them. If you look at the attachment you will see. The old mgmt server names are FWMGMT1 & FWMGMT2 and the new ones are FWSMS-1 & FWSMS-2. Will copying the policies using the migration tool require the names to be the same? Are we not just copying the policies and objects etc.? Also, the IPs will be different on the new R81 management servers; with the migration the IPs will change, but the plan is to change them back. Thanks for the response.

0 Kudos
