Migrate from Smart-1 HA SMS to Virtual SMS with ne...

Michael_Thompso · ‎2019-07-24

Hi all,

I am planning on migrating from a Smart-1 77.30 HA SMS to a Virtual 77.30 SMS with a new IP and ideally new hostname. The gateways managed by the smart-1 SMS perform site-to-site vpns and remote access vpns with the checkpoint client. Also, checkpoint utm edge servers and smb devices are managed by the Smart-1 SMS; these devices are also configured with site-to-site VPNs. I have seen other articles that explain that you need to retain the same IP on the new manager, perform configuration changes e.g. licensing, firewall rules, migrate-import, then you can use the new IP. A couple of questions. How do I connect to the new Virtual SMS with the old IP to make those changes when it is not routable to that part of the network? Second what is the correct procedure to perform this migration? Also what would be the rollback?

Thanks for your help.

PhoneBoy · ‎2019-07-25

When you do the initial install on the new management VM, you can configure it with the new IP.
Once you migrate import the configuration into the new VM, you will need to change the IP on the management object.
The gateways will change to the new management IP once you push policy from the new manager to the gateway(s).
Rollback is pushing policy from the old manager.

Michael_Thompso · ‎2019-07-28

Thank you for your response. So that I understand correctly when I migrate import on the new manager it will start using the management IP of the old manager. At that point, the only way I would be able to access the new manager is through the console; since it is a VM and in a different part of the network. In that case, I would have to change the management IP back to the new IP from the cli. Then connect using smartdashboard and change to the new ip on the management object. Finally, push policy to the gateways. Does that sound about right?

Vladimir · ‎2019-07-25

If you are already in the process of migrating, why do so to a new 77.30?

It is scheduled to be out of support in a few months. Go to R80.30 not to waste the effort.

Michael_Thompso · ‎2019-07-28

Good Point Vladimir. Does R80.30 support R77.30 gateways and UTM Edge gateways? We are managing UTM Edge gateways through smart provisioning.

PhoneBoy · ‎2019-07-28

R77.30 gateways are supported.
UTM-1 EDGE devices? Depends on the vintage.
Most of them are End of Support.

The pre-upgrade verifier for R80.30 can be used to validate if you have any "out of support" gateways.
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Installation_and_Upgrade_Gui...

Michael_Thompso · ‎2019-09-15

@PhoneBoy @Vladimir Per the upgrade guide of R80.20 and R80.30... "Important:

The IP addresses of the source and target R80.30 Security Management Servers must be the same. If you need to have a different IP address on the R80.30 Security Management Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. For applicable procedures, see sk40993 and sk65451."

Does this mean I can follow the same steps PhoneBoy suggested for R80.20 and R80.30? Does "Upgrade procedure" mean after the migrate import or the install database from the upgrade guide?

PhoneBoy · ‎2019-09-15

In this case, the "upgrade procedure" is the migrate export/import.
I believe you can configure the new management VM with the new IP before the migrate import.
After that, you can apply the new licenses and change the configuration to support the new IP as described in sk65451 and sk40993 as needed.

Migrate from Smart-1 HA SMS to Virtual SMS with new IP