peter2020
Explorer

Calling VSX experts

I have migrated our security manager over to a new server (different IP address), as it is in a different location, and am now in the process of migrating our gateways over to this new server. We have some physical firewalls and some VSX firewalls. All the physical firewalls have now been migrated over, which was quite simple by reconfiguring SIC on both the firewall and the new manager. However, the VSX ones seem to be a challenge. There doesn't seem to be a great deal of documentation on how to do this for VSX, and from what I have read you shouldn't do the same, i.e. cpconfig etc. Any advice on the best way to do this migration for VSX?

thanks

7 Replies
Kaspars_Zibarts
Authority

It's not a straightforward process and I would suggest getting professional services help if you have never done it before. There are multiple ways to migrate VSX; it all depends on your actual environment. If you do want to try, check the VSX provisioning tool in the VSX admin guide.

  • First build the "non-VSX" part of the gateway: configure physical interfaces, DNS, NTP, mgmt routing, backups, users etc., just as you did with the regular gateway.
  • Create the VSX cluster / VS0 manually in the new mgmt (instead of a regular cluster).
  • Then you can use the VSX provisioning tool to dump the VSX config from the old mgmt and re-create it in the new one using the same tool.

You will need to take care of any physical interface name changes in the scripts, btw.

That's it in a nutshell.

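A worked example for the last point in the outline above, the physical interface renames in the provisioning script. This is an added example, not code from the thread or from Check Point: it assumes the dump was produced by vsx_provisioning_tool on the old management (the exact flags vary by version; check the VSX admin guide) and that its lines use the form `add interface vd <VS> name <iface> ...`. The sample dump and the old=new interface map are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite physical interface names in a
# VSX provisioning script before replaying it against the new management.
#
# Assumptions: the dump was taken with vsx_provisioning_tool on the old mgmt
# (flags are version dependent, e.g. "-o show -t <VSX object>"; see the VSX
# admin guide) and each interface line reads "add interface vd <VS> name <iface> ...".
# SAMPLE_DUMP below is constructed to look like such a dump.

SAMPLE_DUMP='add vd name VS1 vsx VSX1
add interface vd VS1 name eth1 ip 10.1.1.1 netmask 255.255.255.0
add interface vd VS1 name eth1.100 ip 10.1.100.1 netmask 255.255.255.0
add interface vd VS1 name eth10 ip 10.1.10.1 netmask 255.255.255.0
add route vd VS1 destination default next_hop 10.1.1.254'

# rename_ifaces MAP  -- reads a dump on stdin, writes the rewritten dump.
# MAP is a space-separated list of old=new pairs. A token is rewritten only
# when the part before an optional ".<vlan>" matches an old name exactly,
# so mapping eth1 -> eth1-01 does not clobber eth10, and eth1.100 becomes
# eth1-01.100 (a naive sed 's/eth1/eth1-01/' would break both cases).
rename_ifaces() {
  awk -v map="$1" '
    BEGIN {
      n = split(map, pairs, " ")
      for (i = 1; i <= n; i++) {
        if (split(pairs[i], kv, "=") == 2) m[kv[1]] = kv[2]
      }
    }
    {
      for (i = 1; i <= NF; i++) {
        base = $i; vlan = ""
        p = index($i, ".")
        if (p > 0) { base = substr($i, 1, p - 1); vlan = substr($i, p) }
        if (base in m) $i = m[base] vlan
      }
      print
    }'
}

# unmapped_ifaces MAP  -- prints interface names (the token after "name" on
# "add interface" lines) whose base has no entry in MAP, so an interface you
# forgot to map is caught before the script is replayed on the new mgmt.
unmapped_ifaces() {
  awk -v map="$1" '
    BEGIN {
      n = split(map, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); m[kv[1]] }
    }
    $1 == "add" && $2 == "interface" {
      for (i = 1; i < NF; i++) if ($i == "name") {
        base = $(i + 1)
        p = index(base, ".")
        if (p > 0) base = substr(base, 1, p - 1)
        if (!(base in m)) print $(i + 1)
      }
    }' | sort -u
}

# Usage: old appliance had eth1/eth10, new appliance exposes them as eth1-01/eth1-02.
# Check for gaps in the map first, then rewrite the dump.
printf '%s\n' "$SAMPLE_DUMP" | unmapped_ifaces "eth1=eth1-01 eth10=eth1-02"
printf '%s\n' "$SAMPLE_DUMP" | rename_ifaces "eth1=eth1-01 eth10=eth1-02"
```

Run `unmapped_ifaces` first: an empty result means every interface in the dump has a mapping; anything printed is an interface the new hardware naming was not accounted for. Diff the rewritten dump against the original before feeding it to the tool on the new management.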
_Val_
Admin

Migrating the MGMT server to a new IP address is usually trivial with the migrate_server tool, and it does not require much to do on the GW side, VSX or otherwise (other than ensuring implied rules cover the new MGMT object as well).

Could you please elaborate on why you are doing migration in several stages?

peter2020
Explorer

Hi Val - I have migrated the whole database to the new server OK using the migrate_server tool, and that is fine. I have also established the gateways' connection to the new management server IP address by re-establishing SIC on both the firewall and then the manager. All I have to do is get the VSX gateways to establish SIC from the old manager to the new manager, and what is the correct way/steps of doing this without breaking anything? There doesn't seem to be any documentation out there on how to do this, and people don't seem to know how to do it correctly. I would be very grateful for any knowledge you have on this. Many thanks

_Val_
Admin

That is exactly my point. SIC should work out of the box, with no additional hassle, if everything is done correctly.

You do not need to re-establish SIC.

On old management you should add a dummy object as a secondary MGMT server, with IP address of the new MGMT server. After pushing policies on all FWs, shut down the old MGMT server and check SIC from the new one. It should work. If it does not, something in the middle is interfering.

All that under assumption you did not disable control connections in implied rules. If you did, on old MGMT you should also add an early explicit rule allowing control connections to/from FW & new MGMT IP. 

peter2020
Explorer

Thanks for your message. The new manager has all the DB migrated from the old manager, so it has the firewalls and the contexts etc. The only issue I have is disconnecting the VSX gateways from the old management server and connecting them to the new management server. VSX seems to be very temperamental, and it seems you cannot use cpconfig with SIC on the gateways like on a non-VSX gateway. There don't seem to be any documents regarding VSX on how to do this, and the people I have spoken to so far don't seem to know the proper way of doing it.

Kaspars_Zibarts
Authority

In this scenario I would run vsx_util reconfigure from the new mgmt and rebuild VSX to avoid any issues with certs and SIC. You would need to do reset_gw first.

It depends how much downtime you can have. But start with the standby and, once done, fail over and rebuild the other one.

Maarten_Sjouw
Champion

Then I have a couple of questions for you:

  • Did you add a rule in the old situation to allow full access from the new IP to the gateways?
  • If the answer is yes: did you try to push policy from the new server, without resetting SIC, to any of the normal gateways?
  • Did you try to push policy to the VSX gateways?

If the answer to the first question was no, please add that to the rules for the VSX gateways and push policy from the old management to the VSX gateways, and then try to push policy from the new management to the VSX gateways. Once this has succeeded, push the policy to the VSs.

Regards, Maarten