Splitting one SC to many CMA - VS

2009-03-11, 06:19

Any idea how to gradually replace a single (overloaded) SmartCenter, 1 policy with thousands of rules which manages 2 clusters with hundreds of VLANs,

with P1 with many CMAs, each with its own VSX VS?

Something like

CMA1_policy4financedept - VS1_vlans4finance-building
CMA2_policy4engineering - VS2_vlans4engineering-building

The idea is to set up P1 and the VSX cluster, then gradually migrate the VLANs and the VLAN-related rules.

How to migrate ONLY the right set of rules belonging to the original VLAN to the destination CMA?


2009-03-13, 09:30
The only way I can think of is to manually perform the process.

2009-03-25, 05:56

There may be several ways, but none I know of that are very automatic.

The most usual way:
- Export old CMA
- Import it on new CMA (cma_migrate or maybe cp_merge)
- Clean up everything that is not needed in the new CMA.
- Manually make new VS with interfaces
- If there are a lot of static routes, run a script to import them, else enter them manually

This keeps the rule base and objects, but you manually have to create the VS.

How you figure out what to clean out or use of the old rules, I cannot tell; there are no easy ways to do that and no tools that I know of that can automate it. It may be difficult to make a generic tool to do this, as networks can be extremely complex.

It is possible to use analyzing tools such as Eventia Reporter or AlgoSec to tell which rules are actually used, but that is based on log data.

It may be possible to do a query on the src and dst columns in the rule base with the ranges for the network(s) you want to move, to see what rules may match, then take a note of that, and after the import delete most of the remaining rules.

Hmm, this was a good idea. I have already made an ugly perl script to parse the rule file and run src/dst from logs to find which rule+NAT matches a given log entry. I can try to expand that to show matching rules for an IP range/network instead.

- Petter
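
Along the lines of the src/dst query described above, here is an added example (not Petter's perl script and not Check Point tooling) in Python: it classifies a constructed sample rule base against the VLAN networks that are moving to a new CMA. The rule numbers, networks and column layout are made up for the example; a real rule base would need a parser for the actual export format in front of this.

```python
# Added example: find the rules in a (simplified) rule base that belong to the
# VLAN networks being moved to a new CMA. Rules that only touch the VLANs via
# "Any" or via a larger enclosing network (a supernet) cannot be assigned to one
# CMA automatically, so they are reported separately for a manual decision.
from ipaddress import ip_network

# Constructed sample rule base, roughly the columns of a rule base export:
# rule number, source objects, destination objects, action.
# Network objects are given as CIDR strings; "Any" stands for the Any object.
RULES = [
    {"no": 1, "src": ["10.1.0.0/24"], "dst": ["10.9.0.10/32"], "action": "accept"},          # finance -> server
    {"no": 2, "src": ["10.2.0.0/24", "10.3.0.0/24"], "dst": ["Any"], "action": "accept"},    # engineering out
    {"no": 3, "src": ["Any"], "dst": ["10.1.0.0/24"], "action": "drop"},                      # anything -> finance
    {"no": 4, "src": ["10.0.0.0/8"], "dst": ["10.9.0.0/24"], "action": "accept"},             # supernet rule
    {"no": 5, "src": ["192.168.50.0/24"], "dst": ["10.9.0.0/24"], "action": "accept"},        # unrelated VLAN
]


def classify_rules(rules, vlan_networks):
    """Return (exact, review): two lists of rule numbers, in rule base order.

    exact  -> at least one src/dst object equals or lies inside a moving VLAN,
              so the rule clearly belongs to the new CMA.
    review -> the rule reaches the VLANs only through "Any" or a supernet;
              it may need to be duplicated or rewritten, decide manually.
    """
    vlans = [ip_network(n) for n in vlan_networks]
    exact, review = [], []
    for rule in rules:
        hit = ambiguous = False
        for obj in rule["src"] + rule["dst"]:
            if obj == "Any":
                ambiguous = True
                continue
            net = ip_network(obj)
            for vlan in vlans:
                if net.subnet_of(vlan):      # object is the VLAN or part of it
                    hit = True
                elif net.overlaps(vlan):     # object is a supernet of the VLAN
                    ambiguous = True
        if hit:
            exact.append(rule["no"])
        elif ambiguous:
            review.append(rule["no"])
    return exact, review


if __name__ == "__main__":
    # VLANs that move to the finance CMA (constructed values)
    print(classify_rules(RULES, ["10.1.0.0/24"]))   # -> ([1, 3], [2, 4])
```

Rules in neither list (rule 5 here) are the ones that can stay behind or be deleted after the import, which is the clean-up step described earlier in the thread.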

2009-03-25, 06:11

I would import the old CMA in one step on the new P1, but the point is to split one existing (overloaded) CMA/SC
into many new CMAs according to the VLAN/rules relation.

This is the goal:

extracting from one CMA/SC

VLAN 1,2,3 (objects) and related rules to CMA1
VLAN 5,6,7 (objects) and related rules to CMA2, and so on.