NhatKha
Contributor

Migration from 5200 appliance to 9100 appliance - Standalone

Hello everyone,

Currently, we are preparing a plan to replace three 5200 devices on three office sites with three 9100 devices, all of which will run standalone.

Current product: 5200 appliance, standalone, R81.20 hotfix take 65
New replacement product: 9100 appliance
Blade uses:

  • Network Security: Firewall, Application, URL Filtering, Threat Prevention, IPSec VPN (Site-to-Site VPN, Remote Access VPN)
  • Management: Network Security Management, Logging & Status

We plan to do so according to the following document: Migrating Database Between R81.20 Security Management Servers (checkpoint.com)

But we have a few concerns:

  • Following the above document, "./migrate_server" will be used. Does someone know which configurations below will be migrated:
    • Gateway: Interfaces, VLANs, and Routes
    • Management: Security Policy, VPN, Object (especially about 100 local users on the checkpoint we created, using a cert for authentication. If the users and certs cannot be migrated, it will take a lot of time to create and give a cert file for each employee.)
  • Based on your experience, are there any issues we need to pay attention to to avoid problems?


Or is there another best-practice way to migrate standalone configurations?


Please help me with the answer.


Thank you so much,

Best Regards.

 

0 Kudos
G_W_Albrecht
Legend

Best option is not to use StandAlone deployment at all! If the GW is under heavy load you will not be able to manually fight this situation.

migrate_server: This command is used to migrate the management database from R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.

For more information, see:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

For gateway migration see https://support.checkpoint.com/results/sk/sk108902

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
NhatKha
Contributor

Hi G_W_Albrecht

Thanks for your advice and information.
Currently, we are being asked by customers to configure a standalone configuration because their system is already operating familiarly. Changing to a distributed configuration may be implemented in the future.

Sorry, but at the two links you give me, I can't see the confirmation of which configurations will be migrated using the command "./migrate_server". I'm very sorry if I missed anything. I also searched for this but couldn't find anything related.

Thanks & Best Regards.

0 Kudos
G_W_Albrecht
Legend

migrate_server does not save any GAiA configuration! This is found in the second link, chapter

8. Comparison of Backup Methods

| | Snapshot Management | System Backup | "show configuration" | "migrate export" |
|---|---|---|---|---|
| How much time does it take? | 30 - 60 minutes | 5 - 30 minutes | Few seconds | Depends on configuration |
| Size of output file on Security Gateway | 5-100 GB | Depends on configuration | Few KB | N/A |
| Size of output file on Management Server | 5-100 GB | 5-100 GB | Few KB | Depends on configuration |
| Does it back up Gaia OS configuration? | Yes | Yes | Yes | No |
| Does it back up Products configuration? | Yes | Yes | No | Yes |
| Does it back up Hotfixes? | Yes | No (does not apply to "mds_backup") | No | No |
| Does it back up Check Point logs? | No | No | No | Not by default. Use the flag "-l" in the syntax to back up the SmartView Tracker logs as well. |

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
NhatKha
Contributor

Hi G_W_Albrecht

Thank you so much. I have seen it will not migrate GAiA configuration.

But there are still a few points about Management: with "./migrate_server", is it possible to migrate the VPN configuration (S2S, C2S) and objects?
Especially for local users, after migrating to the 9100 appliance, can employees still use the certificate previously issued on the 5200 appliance to connect to remote access VPN?

Thanks & Best Regards.

 
0 Kudos
Bob_Zimmerman
Authority
Accepted Solution

If it's defined through SmartConsole, migrate_server covers it.

If it's defined on the command line or in a web interface of some kind, migrate_server does not cover it.

NhatKha
Contributor

Thanks for your information. I really appreciate it.

Best Regards.

0 Kudos
