Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Suguru_Kawahara
Contributor

How to migration 2200 to 3100

Hi,

We have a 2200 appliance with R77.30 running on it. What is the best way to migration to 3100 for R77.30?

Regards,

0 Kudos
6 Replies
AlekseiShelepov
Advisor

It a bit depends on the outage time that you can afford for this network part. I assumed you have only one 2200 gateway, not a cluster. The general procedure looks like this:

  1. Install clean and updated R77.30 Gaia image on 3100 appliance
  2. Install latest general availability Jumbo Hotfix Accumulator for R77.30 on 3100 appliance
  3. Export configuration from 2200 appliance - show configuration, save configuration
  4. Import configuration to 3100 appliance - paste commands from export, manual verification required, interfaces may change
  5. On management server, delete SIC for 2200 appliance (initial policy will be loaded on it, no traffic flow trough the gateway)
  6. Same gateway object should be used for 3100 appliance, need to change hardware version in gateway properties 
  7. Establish SIC with 3100 appliance
  8. Check topology settings of the gateway (get topology button, manual verification, antispoofing groups verification)
  9. Install policy on 3100 appliance

0 Kudos
Suguru_Kawahara
Contributor

Hi Aleksei,

Thank you for your comments. Your information has been helpful for me.

Is the following method I think wrong?

1. Migrate Gaia settings using Gaia Clish. - manual verification required, interfaces may change

2. Use "Migrate export command" to migrate Security Managment settings. This includes all settings in SmartDashboard.

Best,

Suguru

0 Kudos
AlekseiShelepov
Advisor

1. It is a very similar thing to what I suggested for 3 and 4 steps, it is a good approach.

The reason why I didn't recommend it to you previously is because there might be some issues with the order of commands in these configuration files. For example, if you have some command like set interface eth1.80 ipv4-address... but you didn't have another command for adding this vlan interface before, it will stop importing configuration. Not just continue with some partial errors like in Cisco. At least that is what often happens with this method. So, still need to manually chack and amend this configuration file, that's why I suggested just to paste them manually in a correct order.

Discussion on this topic:

Is Show configuration output oreder is correct 

2. migrate export is required only for management server database. I think that you don't have a management server installed on 2200, but there is some central bigger appliance or VM for that. Right? As I remember you cannot even install management server on 2200 appliance. All rules, objects, etc. will be installed from management server to this new appliance.

Generally speaking, Check Point has two main software layers - OS (Gaia) and Check Point software (don't know how to properly name it). If you configure only OS level, you will have something like a router (interfaces, routing, dns, ntp settings, etc.). This is everything that you can configure from web-interface, and this is what you can see in show configuration. And the Check Point software level is on top of that, adding firewall policies, IPS profiles, and many thing for other blades, clustering and session synchronization. This comes with policy installation from a management server, this is what you see in Dashboard.

There is another similar thread about replacing appliances:

Hardware upgrade - 2200 to 4200 

0 Kudos
Suguru_Kawahara
Contributor

Hi Aleksei,

 

Thanks for your reply. I apologize to you. I had to tell you about Stand-Alone.

Your information was good and kind.

Suguru

0 Kudos
G_W_Albrecht
Legend
Legend

For a StandAlone deployment, i would suggest the following steps:

  1. Install clean and updated R77.30 Gaia image on 3100 appliance
  2. Install latest general availability Jumbo Hotfix Accumulator for R77.30 on 3100 appliance
  3. Perform a migrate export -l on 2200 and save the file in a safe place
  4. Perform FTW on 3100 for the basic configuration and licensing
  5. Perform a migrate import on 3100 appliance
  6. Connect to 3100 appliance using Dashboard
  7. If using IPS / NGTP, update it manually
  8. Change GWs hardware type, reset its SIC and install policy

You then should be ready to put your new hardware into production! To be able to connect to the internet during this process, a maintenance window is needed if both old and new aplliance use the same public IP address.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Suguru_Kawahara
Contributor

Dear Günther W. Albrecht,

Thanks for your message.

Your information has helped me a lot. I will verify in this way.

Thanks again,

Suguru

from Japan

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events