This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
an_technical
Explorer
‎2025-01-17 03:01 AM

migrating from standalone to distributed model

Hi Team,

 

we have following architecture in our organization.

2 standalone firewalls in cluster

1 in distributed setup

 

we got new mgmt server and want to manage all firewalls through new mgmt server.

I can do database export import for distributed setup but how can i move policies from standalone firewall to new mgmt server. I used export_import_package and its throwing lot of errors. 

0 Kudos
16 Replies
Tal_Paz-Fridman
Employee
Employee
‎2025-01-17 03:36 AM

Please make sure to follow the instructions in https://support.checkpoint.com/results/sk/sk179444

Migration from a Standalone environment to a Distributed environment to versions R81.10 and higher versions

0 Kudos
an_technical
Explorer
‎2025-01-17 03:56 AM
In response to Tal_Paz-Fridman

Thanks @Tal_Paz-Fridman : I will test this.

I also wanted to know how to migrate the distributed env mgmt server to the new mgmt server. Will migrate_server will solve the problem?

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2025-01-17 04:01 AM
In response to an_technical

As noted in the SK, migrate_server is part of the flow 

0 Kudos
an_technical
Explorer
‎2025-01-18 09:15 PM
In response to Tal_Paz-Fridman

Okay. One more question I have. migrate_server from standalone and distributed can be imported into new mgmt server?

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2025-01-19 01:21 AM
In response to an_technical

migrate_server is the utility used for the export and import. It can be run from any machine that has a database. 

Just follow the instructions closely and it will work.

0 Kudos
an_technical
Explorer
‎2025-01-19 07:14 AM
In response to Tal_Paz-Fridman

Hi @Tal_Paz-Fridman :

I tried replicating sk179444. It failed with error: Migration between full HA and non full HA machine is not supported. The standalone devices are in HA.

Any suggestions. How to resolve this?

0 Kudos
an_technical
Explorer
‎2025-01-19 08:29 AM
In response to an_technical

Hi @Tal_Paz-Fridman : I tried following this article:
https://community.checkpoint.com/t5/Management/Moving-from-Full-HA-to-Distributed-on-R80-x/m-p/13068

I can only see the configuration2 file not the configuration file.

When I export export_standalone file. I get below content:

 

drwxr-xr-x 8 admin root 4.0K Jan 19 11:27 .
drwx------ 16 admin root 4.0K Jan 19 21:54 ..
drwxr-xr-x 3 admin root 164 Jan 19 11:27 31ab94da-4ab1-5da9-a03d-ddddddaaaaaa
drwxr-xr-x 3 admin root 164 Jan 19 11:27 41e821a0-3720-11e3-aa6e-0800200c9fde
drwxr-xr-x 3 admin root 164 Jan 19 11:27 8bf4ac51-2df7-40e1-9bce-bedbedbedbed
drwxr-xr-x 4 admin root 4.0K Jan 19 11:27 a0bbbc99-adef-4ef8-bb6d-cebcebcebceb
drwxr-xr-x 3 admin root 164 Jan 19 11:27 a0eebc99-afed-4ef8-bb6d-fedfedfedfed
-rw-r--r-- 1 admin root 57M Jan 19 11:27 a0eebc99-afed-4ef8-bb6d-fedfedfedfed.tgz
-rw-r--r-- 1 admin root 23K Jan 19 11:27 com.checkpoint.management.mgmt_blade.objects.DomainBase.data
-rw-r--r-- 1 admin root 7.3K Jan 19 11:27 com.checkpoint.management.upgrade.objects.UpgradeRuleData.data
-rw-rw---- 1 admin root 60M Jan 19 21:54 export_standalone
drwxr-xr-x 4 admin root 4.0K Jan 19 11:28 extra_data

This don't have configuration file.

If I extract a0eebc99-afed-4ef8-bb6d-fedfedfedfed.tgz
This has configuration2 file. After making the changes. I run below command 

tar -cvzPf export_standalone * and import the file. Import fails. I tried with .tgz extension as well.

Please suggest.

@_Val_ : Can you also please guide.

Thank You

 

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2025-01-19 08:55 AM
In response to an_technical

The SK states clearly:

 

Limitations

These migration procedures do not support Full High Availability clusters (Full HA).

 

This might require contacting TAC or PS or use tools just to export and import the policy:

https://github.com/CheckPointSW/ExportObjects

https://github.com/CheckPointSW/ExportImportPolicyPackage

 

_Val_
Admin
Admin
‎2025-01-20 01:06 AM
In response to an_technical

As Tal already mentioned, Full HA migration is not supported. Open a TAC ticket to see if they can help you. Otherwise, you will need to engage with Check Point PS or re-create policy manually or through APIs

0 Kudos
_Val_
Admin
Admin
‎2025-01-20 01:08 AM
In response to an_technical

Also, the article is for a much older SW version, the suggested case will not work for you anymore.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-02-05 06:30 AM
In response to an_technical

 

See here for a working solution:  Migrate R80.40 Full HA to distributed Management

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
an_technical
Explorer
‎2025-02-05 07:41 AM
In response to G_W_Albrecht

Hi @G_W_Albrecht I went though the solution but I am looking for different solution. Let me explain.

NEW MGMT SERVER - A
VSX CLUSTER - B

GATEWAY - C

OLD MGMT SERVER -D

We already built new firewalls as VSX cluster (B) and integrated with new mgmt server (A). Now we need move the polices from Old MGMT server (D) having different set of policies for gateway (C) to new mgmt server (A).
I run migrate_server export on old mgmt server (D) and imported on new mgmt server (A). Once import was done, it removed VSX cluster and policies related to it and made replica of old mgmt server (D). This way we are loosing the configuration already running on new mgmt server. How can we retain that and migrate polices from other mgmt server to new one. I tried export_import_Policy package but its throwing lot of errors.
I see only option is to do manual configuration of polices on new mgmt server.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-02-05 07:51 AM
In response to an_technical

No, see here: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
an_technical
Explorer
‎2025-02-05 05:17 AM
In response to Tal_Paz-Fridman

Hi @Tal_Paz-Fridman : I was testing in lab. I already have new mgmt server integrated with VSX gateway and another distributed setup having 1 gateway. I use migrate_server and exported the database from mgmt that manages 1 gateway and imported to new mgmt. It overwrites the existing database and all VSX gateway and configuration is lost.

0 Kudos
the_rock
Legend
Legend
‎2025-02-05 08:16 AM
In response to an_technical

I would definitely open TAC case to verify all this.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-06 06:42 AM
In response to an_technical

Expected behavior as migrate_server overwrites the existing management database.
To merge multiple managements, you’ll need the following: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events