| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Here's some background: I have a Nokia IP350 running NGX R61. All of the components are currently running on this machine. I have a second IP350. What we are trying to do is move the SmartCenter services to a central dedicated box, and have a single IP350 running as a gateway only. I was able to use cp_merge to export the current policy, objects, and users into the new SmartCenter. When I imported the policy, a few pieces did not get imported. None of my VPN tunnel shared secrets imported. Also, neither did the global properties. So, I manually inserted the shared secrets. When we attempted to switch over to the new IP350, about half of my site to site VPNs wouldn't route traffic. I saw a few IKE errors in the log, but for the most part, ping traffic was leaving the gateway via the tunnel, just not returning. So, my question is this: Is there a way or something I missed in importing shared secrets and the global properties? Is there a recommended approach for moving SmartCenter to a second machine? TIA |
| |||
| Run a simple upgrade_export and then upgrade_import if this is a clean new SmartCenter you are building up. PSKs always follow with it. Use cp_merge (actually never used it personally) if you are going to add it to the already existing policy on the new SmartCenter. |
| |||
| Maybe I am confused... By running the upgrade_export/import, I am making a backup of the whole system. When I imported this into the new standalone SmartCenter, it now looks like the old box. I don't want this. I am trying to get SmartCenter on one machine, and the Gateway on a separate machine. |
| |||
| Quote:
If you have a standalone system today with FW/SmartCenter on the same machine, you can still do an upgrade_export and import it into your NEW distributed environment (SmartCenter). You will get rules, objects, certs, PSKs etc. from the old SmartCenter. The distributed vs. standalone installation choice is something you make when you install the software itself. Upgrade export/import is not aware of this setup. Of course, when you open your policy the first time you will see only the old FW/SmartCenter object. You convert that object into your new SmartCenter (so it matches IP-wise etc.) and create a new FW object for your firewall module, establish SIC, etc. |
| |||
| So I followed the guide posted above. Everything went as it stated. But, none of my site to site VPN tunnels will establish. All of them are using shared secrets. Any particular reason why this would happen? Everything works just fine. |