| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hello, I have a question regarding both disaster recovery and backup/restore procedures, but I do not want to crosspost in all directories... yet... My point is: I have a distributed R65 installed on a GreenSmartCenter with two (DarkGreen and LightGreen) fw modules connected to it. I have another brand new empty R65 RedSmartCenter, with a different IP and different name, without any fw module managed yet. I'd like to split the modules on both gateways => get DarkGreen managed by RedSmartCenter... without the need to recreate Green's objects and policies: that's the challenge. (Possibly, I wouldn't like to have to re-SIC the modules, but it is optional since, when migrated, the module won't go back to its original GreenSmartCenter again). What should I use to import objects and rulebase from GreenSC to RedSC efficiently? I tried cp_merge with object...5.C and DarkGreenPolicy.W files: all NAT configuration gets screwed... What else should I try: upgrade_export and then import? But what about the certificates, the new IP address, the SIC... anything else for future? odumper/ofiler? Not officially supported nor maintained for a long time... Any advice appreciated. Cheers. |
| |||
| Have done a similar thing. All I used was cp_merge and everything worked fine. Didn't have any problems. It was a while ago when I did the migration, but from memory I think this was the procedure I used... 1) copy over objects_5_0.C file to new smart centre server 2) export the policy from the old smart centre server using cp_merge 3) export user accounts from old smart centre using dbexport 4) import objects into new smart centre using cp_merge 5) manually created user groups on new smart centre 6) imported users into new smart centre using dbimport 7) imported policy onto new smart centre using cp_merge 8) made appropriate adjustments to the policy as required 9) installed policy. Everything was OK after doing this. The only other preparation work I did was to ensure the policy didn't state which gateway the rules were to be installed on. Hope this helps. |
| |||
| Thanks for your detailed answer Acidio, what you described here looks very similar to what I did but without the same success. Currently, the policy states for almost each rule on which firewall it applies but I'm almost sure the firewalls are known firewalls. I'll try to redo it with your "preparation trick" first. Thanks again for your answer. |
| |||
| Well, cp_merge is not my friend... upgrade_export/import + piece of CKPT doc dealing with migration of IP address of SmartCenter + regeneration of CA certificate +... and finally got it working... Lots of sweat... |
| |||
| You used the DarkGreen.W. If you have exported the policy with cp_merge then you end up with a .pol file. The .W is not an exported file. The release notes / user guide say use the .W file if you have to, but it isn't recommended; you should export and use the exported DarkGreen.pol file and then import that .pol file instead. |