Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Pavol_Toman
Explorer
Jump to solution

Merging multiple CMAs into one

Hello all,

Our Check Point MDS server has 4 CMAs (Domains) with approximately 10 firewall clusters in each (in total 80 security gateways). Whole environment, MDS and all the security gateways are owned by single customer. We are considering merging 4 CMAs into one and changing Multi Domain Management Server just to Management Server. Do you think it is a good idea or did someone of you such a migration? Any experiences how to do it in-house or do we need to engage Check Point professional services?

Thank you

2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion

 

Hi @Pavol_Toman,

There is no way to merge several CMAˋs into one with R80.10 -R80.30 MDS tools.

This way could work.

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database.

This tool can be used for backups, database transfers, testing, and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!

Limitations:

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:

  • CMAs with a Global Policy assigned cannot be exported
    • Workaround: unassign the Global Policy prior to export
  • Gateway/Cluster objects have to be recreated
    • Placeholder objects will be created
  • UserCheck messages have to be recreated
    • Placeholder objects will be created
  • The Internal Certificate Authority will not be copied. This means:
    • Re-establishing SIC with the appropriate gateways
    • Re-generating VPN certificates
    • Manually recreating HTTPS Inspection and DLP Rules
  • Other objects not currently readable/writable via the R80.x API will not be copied

More here:

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...

➜ CCSM Elite, CCME, CCTE

View solution in original post

HeikoAnkenbrand
Champion Champion
Champion

With R80.40 only policy export and import is possible:

- SMS to CMA

- CMA to SMS

Merging should not be possible with the R80.40 MDS tools. 

Or did I get this wrong?

➜ CCSM Elite, CCME, CCTE

View solution in original post

4 Replies
HeikoAnkenbrand
Champion Champion
Champion

 

Hi @Pavol_Toman,

There is no way to merge several CMAˋs into one with R80.10 -R80.30 MDS tools.

This way could work.

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database.

This tool can be used for backups, database transfers, testing, and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!

Limitations:

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:

  • CMAs with a Global Policy assigned cannot be exported
    • Workaround: unassign the Global Policy prior to export
  • Gateway/Cluster objects have to be recreated
    • Placeholder objects will be created
  • UserCheck messages have to be recreated
    • Placeholder objects will be created
  • The Internal Certificate Authority will not be copied. This means:
    • Re-establishing SIC with the appropriate gateways
    • Re-generating VPN certificates
    • Manually recreating HTTPS Inspection and DLP Rules
  • Other objects not currently readable/writable via the R80.x API will not be copied

More here:

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...

➜ CCSM Elite, CCME, CCTE
PhoneBoy
Admin
Admin
It's possible some of this will be made easier with the introduction of R80.40.
Specifically, adding the ability to migrate a CMA to a standalone management server.
I believe the whole "Merging" of CMAs will require using a script like the following: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...
That said, this is the kind of thing you may want to engage Professional Services for.

Whether you should go through this exercise or not is a separate question.
Might be worth a chat with your Check Point SE.
HeikoAnkenbrand
Champion Champion
Champion

With R80.40 only policy export and import is possible:

- SMS to CMA

- CMA to SMS

Merging should not be possible with the R80.40 MDS tools. 

Or did I get this wrong?

➜ CCSM Elite, CCME, CCTE
PhoneBoy
Admin
Admin
You're correct as far as I know.
Merging multiple CMAs together will still require export/import using a tool like the one referred to above.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events