This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Massi
Participant
‎2020-04-28 10:43 AM

How to migrate Full HA R80.40 environment to Distributed environment

Hi Community,

I hope you are well.

I have a request for you, because I can't find an SK that resolve my problem.

Our client currently has a Full HA environment running on two 5200 appliances with the latest version of gaia  (R80.40).

He purchased an other 5200 appliance, and he want to add it to the cluster environnement, but this is not possible because full HA only works with two (02) GWs, and now he wants to migrate from full HA to the distributed environnement.

Is there any SK or recommended documentation to migrate full HA R80.40 to distributed environment ?

Thanks in advance

4 Replies
PhoneBoy
Admin
Admin
‎2020-04-30 01:07 PM

As noted in sk44201, there is not currently a supported procedure from migrating from a FullHA configuration to distributed.
However, there is a thread here that suggests how this might be done: https://community.checkpoint.com/t5/General-Management-Topics/Moving-from-Full-HA-to-Distributed-on-...
Massi
Participant
‎2020-05-07 03:38 PM
In response to PhoneBoy

Hi PhoneBoy, 

Thank you for yor replay.

I have tested it in a LAB but it is not applicable for fullha configuration, I have these errors:

[1 May 23:48:01] [Dos2UnixFile] Converting file '/opt/CPsuite-R80.40/fw1/tmp/migrate/main_db/objects_5_0.C'
[1 May 23:48:01] ...<-- Dos2UnixFile
[1 May 23:48:01] [HACompatibilityChecker::ReadRequiredFiles] Reading objects_5_0.C from '/opt/CPsuite-R80.40/fw1/tmp/migrate/main_db/objects_5_0.C'
[1 May 23:48:01] ...--> ReadFwsetFile
[1 May 23:48:01] ....--> UpgradeMacroReplacer::Instance
[1 May 23:48:01] ....<-- UpgradeMacroReplacer::Instance
[1 May 23:48:01] [ReadFwsetFile] Going to read file '/opt/CPsuite-R80.40/fw1/tmp/migrate/main_db/objects_5_0.C'
[1 May 23:48:01] HashResizeMode_verify_trigger_ratio: Illegal trigger value (1) should be 2..8
[1 May 23:48:01] [ReadFwsetFile] Succeeded to read file
[1 May 23:48:01] ...<-- ReadFwsetFile
[1 May 23:48:01] ..<-- HACompatibilityChecker::ReadRequiredFiles
[1 May 23:48:01] ..--> HACompatibilityChecker::CheckCompatibility
[1 May 23:48:01] [HACompatibilityChecker::CheckCompatibility] Checking for HA presence on source machine
[1 May 23:48:01] ...--> HACompatibilityChecker::CheckHAPresence
[1 May 23:48:01] [HACompatibilityChecker::CheckHAPresence] Found primary management
[1 May 23:48:01] [HACompatibilityChecker::CheckHAPresence] Primary is Full HA
[1 May 23:48:01] ...<-- HACompatibilityChecker::CheckHAPresence
[1 May 23:48:01] [HACompatibilityChecker::CheckCompatibility] Checking for HA presence on destination machine
[1 May 23:48:01] [HACompatibilityChecker::CheckCompatibility] ERR: Machines are Full HA incompatible
[1 May 23:48:01] ..<-- HACompatibilityChecker::CheckCompatibility
[1 May 23:48:01] .<-- HACompatibilityChecker::exec
[1 May 23:48:01] <-- ConditionalExecutor::exec
[1 May 23:48:01] [ActivitiesManager::exec] ERR: Activity 'ConditionalExecutor' failed
[1 May 23:48:01] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[1 May 23:48:01] [ActivitiesManager::exec] WRN: Activities 'ConditionalExecutor' have failed
[1 May 23:48:01] [ActivitiesManager::exec] Designated exit code is 1
[1 May 23:48:01] --> CleanupManager::Instance
[1 May 23:48:01] <-- CleanupManager::Instance
[1 May 23:48:01] --> CleanupManager::DoCleanup
[1 May 23:48:01] [CleanupManager::DoCleanup] Starting to perform cleanup
[1 May 23:48:01] .--> DirCleaner::exec
[1 May 23:48:01] [DirCleaner::exec] Going to remove directory '/opt/CPsuite-R80.40/fw1/tmp/migrate/'
[1 May 23:48:01] .<-- DirCleaner::exec
[1 May 23:48:01] .--> ImportFailureMarker::exec
[1 May 23:48:01] [ImportFailureMarker::exec] Checking if cleaner is active
[1 May 23:48:01] [ImportFailureMarker::exec] Cleaner is not active, nothing to do
[1 May 23:48:01] .<-- ImportFailureMarker::exec
[1 May 23:48:01] [CleanupManager::DoCleanup] Completed the cleanup
[1 May 23:48:01] <-- CleanupManager::DoCleanup

With my collegues we have find a workaround to replace steps 8 to 11 from sk44201 with this sk154033.

Best regards

PhoneBoy
Admin
Admin
‎2020-05-07 04:40 PM
In response to Massi

I do remember seeing the procedure in sk154033 discussed internally a while back.
One thing to be aware of here: we didn't test it with a Full HA config.
At least that's what the internal notes on it says.
Did it actually work for you?
0 Kudos
Massi
Participant
‎2020-05-07 04:55 PM
In response to PhoneBoy

We tested it twice and it worked in LAB environment with the creation of a few objects and policies.
I will get to you a feedback once the migration is done in the production environment.

I have just to check if I will not have a problem with the ICA (Users Certificats), when I promote the new secondary management server to primary, because the name and management IP will be chnaged.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events