HOWTO: Migrate From A Single Gateway to Distributed Deployment
How to migrate from a single gateway to a distributed setup with SmartCenter
Server and enforcement module running on separate dedicated machines:
Readers and reviewers of this document should take a close look at the
introductory section describing the type of setup used for these procedures,
together with its diagram.
In this sample configuration, the following setup will be used:
                     Internet
                         |
                         |
              204.32.38.102/24
              Windows 2000 Server (jupiter)
              VPN-1/FireWall-1 NG R55
              192.168.2.1/24
                         |
                         |
              192.168.2.100/24
              Windows 2000 Server (saturn)
              SmartConsole NG R55
In the diagram above, the VPN-1/FireWall-1 NG R55 installation on jupiter runs
both the SmartCenter Server and the enforcement module. jupiter runs the
following Check Point products:
- VPN-1/FireWall-1 NG R55 HFA 17
- FloodGate-1 NG R55
- Policy Server NG R55
The single gateway network object (ie. jupiter) is a participant gateway in
the following VPN communities:
- RemoteAccess (Remote Access VPN community)
- star_vpn (Star VPN community)
- mesh_vpn (Meshed VPN community)
In this sample migration tutorial, the SmartCenter Server component will be
migrated from the 204.32.38.102/24 machine to the 192.168.2.100/24 machine.
All Check Point products on the 204.32.38.102/24 machine will then be
uninstalled so that the machine can be set up as a new enforcement module
managed by the new SmartCenter Server running on the 192.168.2.100/24 machine.
In order to migrate from a single gateway (SmartCenter Server and enforcement
module running on the same machine) to a distributed setup (SmartCenter Server
and enforcement running on separate dedicated machines), the following
procedural outline will be followed:
- (1) Detach all licenses for the current single gateway VPN-1/FireWall-1
NG R55 machine
- (2) Run the upgrade_export utility on the single gateway
VPN-1/FireWall-1 NG R55 machine
- (3) Install the VPN-1/FireWall-1 (and/or FloodGate-1) NG R55 SmartCenter
Server on the new SmartCenter Server machine
- (4) Apply the same HFA that was running on the original single gateway
on the new VPN-1/FireWall-1 SmartCenter Server
- (5) Run the upgrade_import utility on the new VPN-1/FireWall-1
SmartCenter Server
- (6) Remove the single gateway network object from all VPN communities in
the SmartDashboard
- (7) Modify the host name and the IP address of single gateway network
object in the SmartDashboard
- (8) Uncheck unnecessary Check Point products for the single gateway
network object in the SmartDashboard
- (9) Convert the single gateway network object from a Check Point Gateway
to a Check Point Host
- (10) Install the VPN-1/FireWall-1 (and/or FloodGate-1, Policy Server) NG
R55 on the new enforcement module machine
- (11) Apply the same HFA that was running on the original single gateway
on the new enforcement module machine
- (12) Create a new Check Point Gateway network object for the new
enforcement module
- (13) Establish the SIC between the new VPN-1/FireWall-1 SmartCenter
Server and the enforcement module
- (14) Make any necessary adjustments for the network objects, rulebase,
network address translation rules, desktop security rules
- (15) Install the security policy on the new enforcement module
- (16) Install new licenses for the new SmartCenter Server and new
enforcement module
The following are the detailed procedures to accomplish each of the steps
mentioned above:
(1) Detach all licenses for the current single gateway VPN-1/FireWall-1 NG
R55 machine
On the SmartUpdate GUI:
- 1. Select the Licenses tab
- 2. In the Licenses Management pane on the Licenses tab, expand the
204.32.38.102 (single gateway IP address) > jupiter (single gateway network
object name) branch
- 3. Right click on a license to be deleted under the jupiter (single gateway
network object name) branch
- 4. Select Detach License
- 5. A dialog box with the following message will be displayed:
Check Point SmartUpdate Are you sure you want to detach the selected
license(s)?
- 6. Click on Yes
Note: For the last license to be detached from the jupiter (single gateway
network object name) branch, a dialog box with the following message will be
displayed:
Check Point SmartUpdate You are about to leave your SmartCenter Server
without a license. Are you sure?
Click on Yes
- 7. Repeat steps 3 to 6 for all remaining licenses showing under the jupiter
(single gateway network object name) branch
- 8. Close the SmartUpdate GUI
(2) Run the upgrade_export utility on the single gateway VPN-1/FireWall-1 NG
R55 machine
On the single gateway machine:
- 1. Close all GUI clients
- 2. Create the C:\upgrade directory for downloading the upgrade utilities
- 3. Access the following URL: http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities.html#upgrade_verify
- 4. In the "Upgrading to NG with Application Intelligence (R55)" section,
click on the link appropriate for the operating system (Windows) running on
the single gateway machine
- 5. Download the upgrade utilities file
(upgrade_checker_B541000019_1_win32.tgz) to the C:\upgrade directory
- 6. Extract all of the upgrade_checker_B541000019_1_win32.tgz contents to
the C:\upgrade directory (the upgrade_checker_B541000019_1_win32.tgz file can
be extracted with the WinZip utility, which can be downloaded from
www.winzip.com)
- 7. Open the command prompt
- 8. Change the current directory to
C:\upgrade
- 9. Issue the following command to run the upgrade_export utility:
upgrade_export firewall_export
- 10. The following message will be displayed: You are required to
close all Check Point clients before the Export operation begins. If the
export fails, stop Check Point services and run the upgrade_export command
again. Press ENTER when ready..
- 11. Press Enter
- 12. Once the upgrade_export process completes and the command prompt
returns, verify that the firewall_export.tgz file has been generated in the
C:\upgrade directory
- 13. Transfer the firewall_export.tgz file to the new 192.168.2.100
SmartCenter Server machine (transfer in binary mode if using ftp)
(3) Install the VPN-1/FireWall-1 (and/or FloodGate-1) NG R55 SmartCenter
Server on the new SmartCenter Server machine
On the new SmartCenter Server machine:
- 1. Install VPN-1/FireWall-1 (and/or FloodGate-1) NG R55 SmartCenter
Server on the new 192.168.2.100 SmartCenter Server machine
- 2. Reboot the machine at the end of the VPN-1/FireWall-1 (and/or
FloodGate-1) NG R55 SmartCenter Server installation
(4) Apply the same HFA that was running on the original single gateway on the
new VPN-1/FireWall-1 SmartCenter Server
On the new SmartCenter Server machine:
- 1. Apply the same HFA (ie. HFA 17) that was running on the original
single gateway on the new 192.168.2.100 SmartCenter Server
- 2. Reboot the machine after the HFA installation process completes
(5) Run the upgrade_import utility on the new VPN-1/FireWall-1 SmartCenter
Server
On the new SmartCenter Server machine:
- 1. Create the C:\upgrade directory for downloading the upgrade utilities
- 2. Access the following URL: http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities.html#upgrade_verify
- 3. In the "Upgrading to NG with Application Intelligence (R55)" section,
click on the link appropriate for the operating system (Windows) running on
the single gateway machine
- 4. Download the upgrade utilities file
(upgrade_checker_B541000019_1_win32.tgz) to the C:\upgrade directory
- 5. Extract all of the upgrade_checker_B541000019_1_win32.tgz contents to
the C:\upgrade directory (the upgrade_checker_B541000019_1_win32.tgz file can
be extracted with the WinZip utility, which can be downloaded from
www.winzip.com)
- 6. Place the firewall_export.tgz file (generated by the upgrade_export
utility on the original single gateway machine) in the C:\upgrade directory
- 7. Open the command prompt
- 8. Change the current directory to
C:\upgrade
- 9. Issue the following command to run the upgrade_import utility:
upgrade_import firewall_export.tgz
- 10. The following message will be displayed: The 'Import'
operation will stop all Check Point services (cpstop). Do you want to
continue? (y/n) [n] ?
- 11. Enter "y" and hit Enter
- 12. Once the upgrade_import process completes and the command prompt
returns, issue the following command: cpstart
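The firewall_export.tgz file transferred in step 13 of (2) and placed in
C:\upgrade in step 6 of (5) carries the entire management database, so it is
worth confirming that it arrived intact before upgrade_import consumes it. The
following check is an added example and not part of the Check Point procedure;
it assumes a SHA-256 digest of the archive was recorded on the source machine,
and the member name and payload it builds for itself are constructed test data.

```python
# Added example, not part of the Check Point procedure: check that a
# transferred firewall_export.tgz is intact before running upgrade_import.
# A truncated or ASCII-mode FTP transfer should be caught here rather than
# by a failed import. The file names and the digest are assumptions.
import hashlib
import io
import sys
import tarfile

GZIP_MAGIC = b"\x1f\x8b"


def sha256_of(path):
    """Hex SHA-256 of a file, hashed in 1 MiB chunks (exports can be large)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_export(path, expected_sha256):
    """Compare against the digest recorded on the source machine, check the
    gzip magic, and confirm the archive can still be listed as a tar."""
    report = {"digest_ok": False, "gzip_magic_ok": False,
              "tar_ok": False, "members": [], "error": ""}
    report["digest_ok"] = sha256_of(path).lower() == expected_sha256.lower()
    with open(path, "rb") as fh:
        report["gzip_magic_ok"] = fh.read(2) == GZIP_MAGIC
    try:
        with tarfile.open(path, "r:gz") as tar:
            report["members"] = tar.getnames()
        report["tar_ok"] = True
    except Exception as exc:  # gzip, zlib and tarfile raise different types
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


def ascii_mode_transfer(data):
    """Model of an FTP transfer in ASCII mode: every bare LF becomes CRLF.
    Harmless for text, corrupting for a gzip stream."""
    return data.replace(b"\n", b"\r\n")


def build_sample_export(path):
    """Constructed stand-in for an upgrade_export archive (test data only);
    compresslevel=0 stores the payload verbatim so its LFs are exposed."""
    payload = b"(:rule 1\n:rule 2\n)\n"  # constructed, not a real objects file
    with tarfile.open(path, "w:gz", compresslevel=0) as tar:
        info = tarfile.TarInfo("conf/sample.C")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return sha256_of(path)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_export.py firewall_export.tgz <sha256-from-source>")
    result = verify_export(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(0 if result["digest_ok"] and result["tar_ok"] else 1)
```

A file that still starts with the gzip magic can nevertheless fail the tar
listing (truncated transfer) or pass it with silently altered contents (ASCII
mode), which is why the digest comparison is the check that matters.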
(6) Remove the single gateway network object from all VPN communities in the
SmartDashboard
In order to log into the SmartDashboard, log into the IP address of the new
SmartCenter Server machine (ie. 192.168.2.100)
In order to remove the single gateway network object from the RemoteAccess
VPN community, proceed with the following:
On the SmartDashboard:
- 1. Select Manage > VPN Communities
- 2. In the VPN Communities dialog box, select the RemoteAccess VPN
community from the VPN communities list
- 3. Click on Edit
- 4. In the Remote Access Community Properties dialog box, select the
Participating Gateways branch in the left pane
- 5. In the Participating Gateways page, select the single gateway network
object (ie. jupiter) from the Participant Gateways window
- 6. Click on Remove
- 7. Click on OK in the Remote Access Community Properties dialog box
- 8. Click on Close in the VPN Communities dialog box
In order to remove the single gateway network object from the Star VPN
Community (ie. star_vpn), proceed with the following:
On the SmartDashboard:
- 1. Select Manage > VPN Communities
- 2. In the VPN Communities dialog box, select the Star VPN community (ie.
star_vpn) from the VPN communities list
- 3. Click on Edit
- 4. In the Star Community Properties dialog box, select either the
Central Gateways or Satellite Gateways branch in the left pane
- 5. In the Central Gateways/Satellite Gateways page, select the single
gateway network object (ie. jupiter) from the Participant Gateways window
- 6. Click on Remove
- 7. Click on OK in the Star Community Properties dialog box
- 8. Click on Close in the VPN Communities dialog box
In order to remove the single gateway network object from the Meshed VPN
Community (ie. mesh_vpn), proceed with the following:
On the SmartDashboard:
- 1. Select Manage > VPN Communities
- 2. In the VPN Communities dialog box, select the Meshed VPN community (ie.
mesh_vpn) from the VPN communities list
- 3. Click on Edit
- 4. In the Meshed Community Properties dialog box, select the Participant
Gateways branch in the left pane
- 5. In the Participant Gateways page, select the single gateway network
object (ie. jupiter) from the Participant Gateways window
- 6. Click on Remove
- 7. Click on OK in the Meshed Community Properties dialog box
- 8. Click on Close in the VPN Communities dialog box
(7) Modify the host name and the IP address of single gateway network object
in the SmartDashboard
On the SmartDashboard:
- 1. Select Manage > Network Objects
- 2. In the Network Objects dialog box, select the network object
representing the original single gateway (ie. jupiter)
- 3. Click on Edit
- 4. In the Check Point Gateway dialog box, select the General Properties
branch in the left pane
- 5. In the General Properties page, uncheck the VPN check box in the
Check Point Products section
- 6. A dialog box with the following message will be displayed:
Check Point SmartDashboard You are removing the VPN-1 from a machine with
encryption. This will remove the defined encryption key. Are you sure?
- 7. Click on Yes
- 8. In the General Properties page, modify the Name and IP Address fields
to reflect the host name and the IP address of the new SmartCenter Server,
as follows:
Name: saturn
IP Address: 192.168.2.100
- 9. Click on OK in the Check Point Gateway dialog box
- 10. Click on Close in the Network objects dialog box
(8) Uncheck unnecessary Check Point products for the single gateway network
object in the SmartDashboard
On the SmartDashboard:
- 1. Select Manage > Network Objects
- 2. In the Network Objects dialog box, select the network object
representing the original single gateway (ie. jupiter)
- 3. Click on Edit
- 4. In the Check Point Gateway dialog box, select the General Properties
branch in the left pane
- 5. In the General Properties page, uncheck all of the following check
boxes in the Check Point Products section:
- QoS
- FireWall
- 6. Make sure that only the following check boxes are checked in the
Check Point Products section:
- Primary Management Station
- SVN Foundation
- Log Server
- 7. Click on OK in the Check Point Gateway dialog box
- 8. Click on Close in the Network Objects dialog box
(9) Convert the single gateway network object from a Check Point Gateway to a
Check Point Host
On the SmartDashboard:
- 1. If the Objects Tree pane is not displayed in the SmartDashboard,
select View > Objects Tree
- 2. In the Objects Tree pane, select the first Network Objects tab
- 3. In the Network Objects tab, select and expand the Network Objects >
Check Point branch
- 4. Under the Check Point branch, right click on the single gateway
network object (ie. jupiter)
- 5. Select Convert to Host
- 6. A dialog box with the following message will be displayed:
Check Point SmartDashboard jupiter will be converted to Host. Are you sure?
- 7. Click on Yes
- 8. The Check Point Host dialog box will be displayed
- 9. Click on OK in the Check Point Host dialog box
(10) Install the VPN-1/FireWall-1 (and/or FloodGate-1, Policy Server) NG R55
on the new enforcement module machine
If installing the new enforcement module on the same machine as the original
single gateway machine, first uninstall all Check Point products on the single
gateway machine and reboot the machine
On the new enforcement module (ie. 204.32.38.102 machine):
- 1. Install the VPN-1/FireWall-1 (and/or FloodGate-1, Policy Server) NG R55
on the new enforcement module machine
- 2. Reboot the machine
(11) Apply the same HFA that was running on the original single gateway on
the new enforcement module machine
On the new enforcement module (ie. 204.32.38.102 machine):
- 1. Apply the same HFA (ie. HFA 17) that was running on the original single
gateway on the new enforcement module machine
- 2. Reboot the machine
(12) Create a new Check Point Gateway network object for the new enforcement
module
On the SmartDashboard:
- 1. Select Manage > Network Objects
- 2. In the Network Objects dialog box, select New > Check Point > Gateway
- 3. In the Check Point installed Gateway creation dialog box, select the
Classic mode option
- 4. Click on OK in the Check Point installed Gateway creation dialog box
- 5. In the Check Point Gateway dialog box, select the General Properties
branch in the left pane
- 6. In the General Properties page, configure in the following manner:
Name: jupiter
IP Address: 204.32.38.102
Version: NG with Application Intelligence
Type: Check Point Enterprise/Pro
Check Point Products: FireWall, VPN, QoS, SecureClient Policy Server
- 7. Click on OK in the Check Point Gateway dialog box
- 8. Click on Close in the Network Objects dialog box
- 9. A dialog box with the following message will be displayed:
Check Point SmartDashboard No interfaces are defined. Topology information
must be configured in order to use the Anti-Spoofing feature Are you sure
you want to continue?
- 10. Click on Yes
- 11. A dialog box with the following message will be displayed:
Check Point SmartDashboard This node is defined as VPN-1 installed, an
internal CA certificate will be created now and IKE properties will be set.
- 12. Click on OK
- 13. A dialog box with the following message will be displayed:
Check Point SmartDashboard Certificate operation succeeded
- 14. Click on OK
- 15. Click on Close in the Network Objects dialog box
- 16. Save the current configuration by selecting File > Save
(13) Establish the SIC between the new VPN-1/FireWall-1 SmartCenter Server
and the enforcement module
On the SmartDashboard:
- 1. Select Manage > Network Objects
- 2. In the Network Objects dialog box, select the network object
representing the original single gateway (i.e. jupiter)
- 3. Click on Edit
- 4. In the Check Point Gateway dialog box, select the General Properties
branch in the left pane
- 5. In the General Properties page, click on the Communication button in
the Secure Internal Communication section
- 6. In the Communication dialog box, enter the activation key set on the
enforcement module in the Activation Key field and Confirm Activation Key
field
- 7. Click on Initialize
- 8. Verify that the Trust State now shows as Trust established
- 9. Click on OK in the Communication dialog box
- 10. In the Check Point Gateway dialog box, select the Topology branch in
the left pane
- 11. In the Topology page, select Get > Interfaces
- 12. Verify that the Get Topology Results dialog box shows all the
interfaces and their respective IP addresses/network masks
- 13. Click on Accept in the Get Topology Results dialog box
- 14. Configure the properties of each of the interfaces showing in the
Topology page
- 15. Configure the other properties of the new enforcement module
- 16. Click on OK in the Check Point Gateway dialog box
- 17. Click on Close in the Network Objects dialog box
(14) Make any necessary adjustments for the network objects, rulebase,
network address translation rules, desktop security rules
On the SmartDashboard:
Make any necessary adjustments for the following in the SmartDashboard:
- network object properties
- security rulebase
- QoS rulebase
- network address translation rules
- desktop security rules
- Global Properties
- SmartDefense
(15) Install the security policy on the new enforcement module
On the SmartDashboard:
After verifying that all necessary configuration modifications have been made
on the SmartDashboard, install the security policy on the new enforcement module
(i.e. jupiter)
(16) Install new licenses for the new SmartCenter Server and new enforcement
module
In the SmartUpdate GUI
- 1. Select the Licenses tab
- 2. If the License Repository window is not being displayed, select
Licenses > View Repository
- 3. Right click in the License Repository window
- 4. Select New License > Import File
- 5. In the Choose License File dialog box, switch to the local directory
containing the new license for the new SmartCenter Server (ie.
CPLicenseFile.lic file generated in the User Center Account for the new
192.168.2.100 SmartCenter Server)
- 6. Click on Open
- 7. In the License Repository window, select the new license for the new
192.168.2.100 SmartCenter Server, right click and select Attach
- 8. In the Attach Licenses dialog box, select the new SmartCenter Server
network object (ie. saturn)
- 9. Click on Attach
- 10. Right click in the License Repository window
- 11. Select New License > Import File
- 12. In the Choose License File dialog box, switch to the local directory
containing the new license for the new enforcement module (ie.
CPLicenseFile.lic file generated in the User Center Account for the new
204.32.38.102 enforcement module)
- 13. Click on Open
- 14. In the License Repository window, select the new license for the new
204.32.38.102 enforcement module, right click and select Attach
- 15. In the Attach Licenses dialog box, select the new SmartCenter Server
network object (ie. saturn)
- 16. Click on Attach