Nadezda_Zuka
Participant

Specific domain policy export-import on MDS

Hi, is it possible to export policy from a specific domain in MDS (R77.30), and import it to another new domain on the same MDS?

8 Replies
G_W_Albrecht
Legend

See Installation and Upgrade Guide R80.20:

- Go to the context of the applicable Domain Management Server:  [Expert@R7x_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

- Export the management database from the Domain Management Server:  [Expert@R7x_MDS:0]# yes | nohup ./migrate export [-l | -x] [-f] /<Full Path>/<Name of R7x Domain Exported File>

- Import the R7x Domain Management Server management database:  [Expert@R7x_MDS:0]#  cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>

The Guide is for export on R77.xx and import on R80.20, but that does not really matter here.

CCSE CCTE CCSM SMB Specialist
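As an added example (not from the thread, the Installation and Upgrade Guide, or Check Point), a small wrapper around the export step described above that refuses to run outside the intended Domain context, verifies the archive that migrate export produced and records its SHA-256, so the file later fed to cma_migrate can be matched against the one that was actually exported. It assumes the operator has already run mdsenv <DomainName> in the same shell, that mdsenv then sets FWDIR to a path containing /customers/<DomainName>/, and that the reply's ./migrate is $FWDIR/bin/migrate; nothing here imports, so the source domain is untouched.

```shell
#!/bin/sh
# Added example, not from the thread or Check Point: wraps the export step
# quoted above with context and archive checks. Assumes (1) the operator has
# already run `mdsenv <DomainName>` in this shell, (2) mdsenv then sets FWDIR
# to a path containing /customers/<DomainName>/, and (3) the reply's ./migrate
# is $FWDIR/bin/migrate. Nothing here imports, so the source domain is untouched.
set -eu

# Return 0 when FWDIR (or the given path) belongs to the requested domain, so
# the export cannot silently run against the MDS context or another domain.
in_domain_context() {
    local domain="$1" fwdir="${2:-${FWDIR:-}}"
    case "$fwdir" in
        */customers/"$domain"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the archive migrate export produced: non-empty and a readable gzip
# tarball. Writes <archive>.sha256 and prints the hash, so the file handed to
# cma_migrate later can be matched against what was actually exported.
verify_export_archive() {
    local archive="$1"
    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 1; }
    tar -tzf "$archive" >/dev/null 2>&1 || { echo "not a valid .tgz: $archive" >&2; return 1; }
    sha256sum "$archive" > "$archive.sha256"
    cut -d' ' -f1 "$archive.sha256"
}

# Export one domain's database into outdir and verify the result.
# migrate export appends .tgz to the name it is given.
export_domain() {
    local domain="$1" outdir="$2" base
    in_domain_context "$domain" || { echo "run: mdsenv $domain first" >&2; return 1; }
    base="$outdir/${domain}_export_$(date +%Y%m%d)"
    yes | nohup "$FWDIR/bin/migrate" export "$base"
    verify_export_archive "$base.tgz"
}
```

Run it as export_domain <DomainName> /var/log/exports after mdsenv, then keep the archive and its .sha256 file together until the import has been verified.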
AlekseiShelepov
Advisor

I believe that this approach will create a couple of issues, because the destination CMA is on the same MDS as the source one. If you migrate without any changes, then the IP address of the CMA will stay the same together with all certificates. Also, I believe that there will be some difficulties with rule UIDs.

Nadezda Zuka

Do you plan to delete the source domain?

Do you need to copy only objects and rules of one policy package?

Do you have VSX gateways?

Do you have some more tricky and difficult configurations in the policy, than just for example firewall rules, NAT, VPN?

I'm thinking about the cp_merge tool - sk33751. It is officially not supported with MDS/CMA, but you can export objects and rules from a CMA for sure. Then you can import it to a virtual machine, do some tricks with it and then try cp_merge again for the new domain, or import a "migrate export" from the virtual machine.

Maarten_Sjouw
Champion

Aleksei, the IP will not remain the same for the CMA, as you export and import into a new CMA with a different IP.

It will keep all SICs, and indeed the certificate will remain the same, and this will cause some issues: you will have duplicate certificates in the MDS. I know there was a way to reset this certificate, but you will lose all SIC with that as well.

I can recall we did a similar thing about 10 years ago. We needed to split a Domain into 2, as a customer's company split up and a couple of gateways went left and the others went right. Each already had a different policy, so it was easy to just export and import as a new domain, but we never noticed the underwater issues with the certificates, which became apparent a couple of years later. I do not know what the problem was we ran into, but I do know it is more than just cosmetic.

Regards, Maarten
Nadezda_Zuka
Participant

Thank you for answers!

Yes, we have VSX, so source and target firewalls are virtual systems on the same VSX cluster.

It is only objects and rules that need to be copied, no specific configuration - just firewall and NAT rules.

The situation is as follows: the customer is changing its name, and we have not found any easy way to rename the domain name and management server, as well as the VS name (which seems to be impossible at all, as per the Check Point support answer). So we are going to create a new domain with a new management server (other IP address), and of course a new VS.

I was searching for a fast way to migrate the policy from one domain into another; then, in the service window, we will delete the old VS interfaces and enable those on the new VS in the new domain.

Maarten_Sjouw
Champion

You can still do the migrate export and import into the new domain. However, before importing you need to create a file to allow the import, and then, when done, you need to delete the VS from the domain completely. This can be done with the aid of GUIdbedit, but it requires you to be very careful and to know what you are doing, i.e. make sure the master VSX Domain is locked while you're making the changes by having a dashboard open in read-write, and the same for the original domain.

Then you can attempt to delete the VS network objects and the vs-slot entries.

Regards, Maarten
Nadezda_Zuka
Participant

I always prefer to have a valid rollback plan, so deleting the original VS just after the policy export-import doesn't seem acceptable.

Well, I expected some kind of official Check Point solution for this, so if there is none, manually copy-pasting the policy could be the way to go. But I am wondering why there is no easy way of exporting a policy and importing it into another domain, or why we cannot rename a domain from the GUI...

Maarten_Sjouw
Champion

Nadezda, you keep the ORIGINAL Domain up and running until you are ready to move over to the new VS; as you said, you will create a new VS in the new Domain to do the actual migration.

Once you have imported the Domain, you first need to clear all references to the original VS, which is still managed by the original Domain, and replace them with the new VS.

Regards, Maarten
PhoneBoy
Admin

Another option is odumper/ofiller: https://fireverse.org/?page_id=88 
