This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BlueGrass
Contributor
2 weeks ago
Jump to solution

How to migrate a Standalone 6200 unit to a VM SMS server?

Hi all,

 

We are trying to migrate a Standalone 6200 unit to a VM SMS server with another TWO new Gateways as cluster for the production.

Might I know the correct step-by-step for this purpose?

 

Can we just use export_migrate to achieve it? Or, we even need to do more extra work?

Thanks in advance.

0 Kudos
3 Solutions

Accepted Solutions
Vincent_Bacher
Leader Leader
Leader
2 weeks ago
Jump to solution

migrate export alone is not enough, because when you move from a standalone appliance to a new management VM with new gateway cluster, the management server’s IP address and often its hostname change.

 

This breaks the old trust structure:

 

  • The Internal CA on the standalone is tied to the old management IP/hostname.
  • All SIC certificates are tied to that Internal CA and therefore become invalid.
  • The old gateway object cannot be reused because the standalone gateway no longer exists.

 

 

So even though migrate export does successfully migrate the database, you still must:

 

  • Recreate the Internal CA,
  • Re-establish all SIC connections,
  • Create a new cluster object for the new gateways.

 

 

In short: migrate export gives you the management data, but because of the new IP/hostname and the old CA, you must rebuild the trust (CA + SIC) and create new gateway/cluster objects.

 

There are sk articles about that but as it’s weekend now in Frankfurt/Germany other mates may share.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

View solution in original post

the_rock
MVP Platinum
MVP Platinum
2 weeks ago
Jump to solution

Sadly, as Vince said, migrate export would never work here, Im 100% positive, as that only works sms-sms OR standalone-standalone, NOT standalone-sms

You can try below.

https://support.checkpoint.com/results/sk/sk154033

Best,
Andy

View solution in original post

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
2 weeks ago
Jump to solution

Please refer to:

Migration from a Standalone environment to a Distributed environment to versions R81.10 and higher versions

https://support.checkpoint.com/results/sk/sk179444 

View solution in original post

7 Replies
Vincent_Bacher
Leader Leader
Leader
2 weeks ago
Jump to solution

migrate export alone is not enough, because when you move from a standalone appliance to a new management VM with new gateway cluster, the management server’s IP address and often its hostname change.

 

This breaks the old trust structure:

 

  • The Internal CA on the standalone is tied to the old management IP/hostname.
  • All SIC certificates are tied to that Internal CA and therefore become invalid.
  • The old gateway object cannot be reused because the standalone gateway no longer exists.

 

 

So even though migrate export does successfully migrate the database, you still must:

 

  • Recreate the Internal CA,
  • Re-establish all SIC connections,
  • Create a new cluster object for the new gateways.

 

 

In short: migrate export gives you the management data, but because of the new IP/hostname and the old CA, you must rebuild the trust (CA + SIC) and create new gateway/cluster objects.

 

There are sk articles about that but as it’s weekend now in Frankfurt/Germany other mates may share.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Ricky_Wong
Participant
a week ago
In response to Vincent_Bacher
Jump to solution

What if we join one new just SMS unit to the current standalone as slave SMS.

Then remove the standalone directly.

 

Does this way work and like migration done?

0 Kudos
Vincent_Bacher
Leader Leader
Leader
a week ago
In response to Ricky_Wong
Jump to solution

Frankly said I don’t know but I would not recommend such a setup and prefer to change the setup to a clean distributed environment with independent management and gateway.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Platinum
MVP Platinum
a week ago
In response to Ricky_Wong
Jump to solution

As Vince said, that might work, though not guaranteed and it would be much better to clean distributed environment.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
Jump to solution

Sadly, as Vince said, migrate export would never work here, Im 100% positive, as that only works sms-sms OR standalone-standalone, NOT standalone-sms

You can try below.

https://support.checkpoint.com/results/sk/sk154033

Best,
Andy
0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
2 weeks ago
Jump to solution

Please refer to:

Migration from a Standalone environment to a Distributed environment to versions R81.10 and higher versions

https://support.checkpoint.com/results/sk/sk179444 

the_rock
MVP Platinum
MVP Platinum
2 weeks ago
In response to Tal_Paz-Fridman
Jump to solution

My bad Tal, forgot that sk, as it was referenced in the one I mentioned.

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events