Migrating a Smart Center with multiple policies to P1



mihaie
2011-10-03, 22:09
Hi Guys,

I want some of your opinions in migrating a Smart Center with multiple policies to P1 multiple CMAs?? So for example migrate Policy X to CMA1 and policy Y to CMA 2 or Policy Z and Policy V to CMA 3... so on...

alienbaby
2011-10-03, 22:31
I can envision a process like:

1. Create CMA A
2. import SC into CMA A.
3. Destroy the Internal CA of CMA A

4. Create CMA B
5. import SC into CMA B.
6. Destroy the Internal CA of CMA B

7. Create CMA C
8. import SC into CMA C.
9. Destroy the Internal CA of CMA C

Re-generate the CAs and delete the extra policies from each CMA.

mihaie
2011-10-03, 23:53
How do you destroy internal CA for a CMA after migration?

I've done that (apart from destroying the CA), removed the policies and unused objects but then old FW objects that I've deleted using Smart Dashboard are still present in P1 in the Network Options view so I've used GUIDBedit to remove the objects and any traces of those objects but then when I return to P1 the objects are still there :(

Bluebeetle
2011-10-04, 09:33
If you are migrating in the sense that you want to have both online and reachable at the same time I would suggest cp_merge. It also gives you the flexibility to pull the objects and policies from two SmartCenters into one CMA.

See sk33751 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33751&js_peid=P-114a7bc3b09-10006&partition=General&product=Security) for details on cp_merge.

Once you have your objects and policies moved into your Provider-1 environment you can start migrating firewalls over.

mihaie
2011-10-04, 23:19
thought of but look at this sk24354; this utility's not supported in P1

and even if it was I don't want to establish SIC with all the FW; ideal situation is to backup using migrate command in Smart Center, restore in a new CMA and delete unused objects and repeat this action. Now during tests I've found that's hard to remove FW objects...

Any ideas?

alienbaby
2011-10-04, 23:52
Export SC to new box or VM (Fake SC). In the Fake SC, delete the Firewall/Cluster objects. Export fake SC for use in P1 imports.

Bluebeetle
2011-10-04, 23:53
> thought of but look at this sk24354; this utility's not supported in P1
>
> and even if it was I don't want to establish SIC with all the FW; ideal situation is to backup using migrate command in Smart Center, restore in a new CMA and delete unused objects and repeat this action. Now during tests I've found that's hard to remove FW objects...
>
> Any ideas?

I used it just a couple of years back, just as I described, and it worked great. I wouldn't be surprised if sk24354 was referring to running against a CMA with global objects... I'd bet SmartCenter to CMA works just fine.

I don't think it's going to be possible to pull two SmartCenters into one CMA without re-establishing SIC to some firewalls.

Are you getting an error when you try to remove the firewalls?

mihaie
2011-10-05, 15:59
> Export SC to new box or VM (Fake SC). In the Fake SC, delete the Firewall/Cluster objects. Export fake SC for use in P1 imports.

That is what I've tried, so exported to VM, deleted policies, unused objects and Firewall/Cluster objects, but then after I've done all that, in the P1 GUI in the Network Objects view I can still see the Firewall/Cluster that I've deleted in Smart Dashboard. I've rebooted P1, same result, so used DBedit to remove traces of Firewall/Cluster objects with same result :(

alienbaby
2011-10-05, 16:12
I'm confused.. How is it possible that you're seeing remnants of deleted firewalls? Are you using the objects.C for something? It's possible that whatever process you're using is keying off the objects.C. I understand the objects.C doesn't get regenerated from objects_5_0.C until a policy is pushed.

Try deleting the firewall objects; then save and close your GUI. cpstop the fake SC. Then move the backup objects_5_0.C and all object.C files to a safe location. cpstart, log in to SmartDashboard and install the Database back to the fake SC ( Policy / Install Database ).

Then follow the process to import the fake SC into P1.

mihaie
2011-10-05, 16:42
Cool, never thought of it that way, I was using two P1s....I will try that :).... so to recap upgrade export my SC, dump it in VM, delete whatever, migrate to CMA and so on... I'm excited, it might work :)