Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
SeanVanLoon
Participant

Migrate smartcenter to another by adding policy manually with new IP and hostname

Hi All,

We have two management servers (SMS) and we would like to integrate both into one. The management server that needs to be migrated to the centralized mangement server has only one policy with single cluster gateway. The other centralized management server has mulitple policies. The centralized management server is reachable only via a routed network over MPLS, the current one is local (same datacenter). The version we use is R80.40 for both old and new management server (at least that is the idea to have similar versions).

I was thinking on how to migrate this with the least impact possible with following steps:

First assure that the ports are open for new management server to gateway comms two-way

https://community.checkpoint.com/t5/Security-Gateways/R81-x-Ports-Used-for-Communication-by-Various-...

18191,18192,18211,256,18210,18202,18183,18208

  1. Create the security gateway objects on the new centralized management server
  2. Create the security policy manually (it is not big so that would be feasible)
  3. Then in maintenance window perform SIC reset on the standby gateway cluster using sk65764
  4. Establish SIC from the new management server to the standby gateway
  5. verify using sk103356 if the ICAip registry is reflecting the new management server IP address
  6. Install policy from the new management server to the standby gateway
  7. Perform failover to the standby gateway to verify if everything is fine
  8. Then perform the same for the other gateway

Would this procedure work if both hostname and IP address changes and establishing SIC to the new management server after manually migrate and install a security policy to it? 

Is it possible to do this per gateway so first standby then the other gateway to minimize the downtime? 

Any remark and recommendation would be highly appreciated.

Marvin

0 Kudos
8 Replies
PhoneBoy
Admin
Admin

You can reset SIC without a cprestart by performing the following steps: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
And yes, you can change the management hostname and IP.
Pushing policy is generally done to both cluster members, and in this case, not sure you can do that independently.

0 Kudos
SeanVanLoon
Participant

Hi thanks for sharing the link, if i read the notes then special steps are involved to add the new IP address of the management server to the implied rules for the policy fetch/push to work properly?

so create a dummy management server object with the new IP and add it to the implied rules correct?

0 Kudos
PhoneBoy
Admin
Admin

Yes, that sounds correct.

0 Kudos
SeanVanLoon
Participant

But it should be quiet easy as we have two SMS and we prepare the new management server already with correct stealth rules etcetera. So after reset SIC the firewall gateway has initial policy so we can simply push the policy from new SMS (with correct management IP) and should be allowed automatically or wouldnt that work?

0 Kudos
PhoneBoy
Admin
Admin

Actually if you follow the process I linked to above, it will maintain the existing policy (i.e. won't load InitialPolicy).
Provided that policy allows a push from the new management IP, then yes, it should work.

0 Kudos
dehaasm
Explorer

Hi This is to confirm that i followed above procedure sk86521 where first step is to reset SIC from old SMS. We were able to perform first the standby only firewall member connect it to the new SMS and install policy (with checkbox enabled that it can fail on one member). So after the standby firewall had new policy from new SMS and the active firewall had policy installed from old SMS, clusterXL was still working, performed failover with clusterXL_admin down and everything went smooth. Finally did the other member, so you can basically do this without downtime (just a failover). Thanks again for the advise. So yes I confirm you can do that independently.

The actual hostname changes we did before the SMS move only with local SMS using below procedure, dont forget to publish after step 6

How to change the name of a cluster object or member in SmartConsole (checkpoint.com)

0 Kudos
dehaasm
Explorer

Hi PhoneBoy, now that we tested this procedure with normal gateways would this procedure also work with VSX gateways following the article sk86521 you mentioned? 

I see it doesnt indicate VSX so should we verify this with TAC?

0 Kudos
PhoneBoy
Admin
Admin

I don't believe there is a similar no downtime procedure for VSX as there is for regular gateways (i.e. sk86521).
You can check with TAC to confirm, of course.

0 Kudos