- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Re: R80.20 Standalone cluster migration to a Distr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R80.20 Standalone cluster migration to a Distributed environment
Dear All,
We have being trying to do an R80.20 Standalone cluster migration to a Distributed environment without success. We have followed the below SK without any success
Also, is there a script/way to migrate the rules, objects and NATs since the above does not work.
Any help will be appreciated. Thank you.
George
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If by Standalone Cluster, you mean Full HA (where management is on both cluster members), the procedure in sk179444 is not supported.
This is noted in the Limitations section.
Your only option is something like the following: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...
You can run this tool against the primary system to export much of the Access Policy and Threat Prevention configuration and import it into a newly installed management server.
You will have to create several objects manually, but it’s far easier than recreating the entire configuration from scratch.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you fail? It is hard to help you without knowing more details.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If by Standalone Cluster, you mean Full HA (where management is on both cluster members), the procedure in sk179444 is not supported.
This is noted in the Limitations section.
Your only option is something like the following: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...
You can run this tool against the primary system to export much of the Access Policy and Threat Prevention configuration and import it into a newly installed management server.
You will have to create several objects manually, but it’s far easier than recreating the entire configuration from scratch.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Val and PhoneBoy,
Thank you both for the replies. Yes, it's a Full HA and we saw the limitation on SK. So, the only way is to try the python script. We will do so and hopefully we will be able to export most of the access policy. Thank you again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See here for a working solution Migrate R80.40 Full HA to distributed Management
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi and thank you for the reply. Will this work on a Full HA R80.20 also?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That may well be - but i would try to upgrade to R80.40 first, R80.20 is unsupported since last September...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, we will try that.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again,
We followed the procedure with both R80.40 and R81.10 with the same issue, we can not promote the Management
[Expert@CPMGT:0]# $FWDIR/bin/promote_util
Binding to localhost...Done
Opening database...Done
Promote failed.
Please make sure all clients are disconnected
Any ideas are welcomed. Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe TAC can help with this step. It is from sk114933 - so this step is supported.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again,
We have a case with the TAC since day one, unfortunately not much help there. Thank you anyway.