
View Full Version : IPSO => Gaia



Jericho
2016-08-02, 15:07
Hi,

Background to the probably daft questions I'm about to ask.

The group I work for has just absorbed another group, which has a project running to replace a pair of Nokia IP565 with a pair of SG5600-NGTP. The 2 guys who were running the technical side of the project have left and it's landed in my lap.

Googling leads me to all kinds of resources dealing with upgrading from one version to the other, but not so much on migrating between hardware as well.

Can anyone give me a hint on whether the following is heading in the right direction? Or how badly wrong this is going to go...

Build the VM for the new management server
Export the configuration from the existing management server (migrate-export?)
Import this into the new management server (migrate-import)
Configure the network on the new boxes.
Configure SIC between everything
Push policy.
Turn off old, swap new in, cross fingers & hope.

Cheers

J

jflemingeds
2016-08-02, 16:04
I'm assuming you already have a dedicated management server for the IP boxes?

For the management server you want to download the latest migration utility for your target version. Also Check Point has an upgrade wizard on their site. Not sure what version you're on but for example you can't go from R65 directly to R77.30. The wizard will (ahem should) explain.

What I would look at on the current IP boxes is the following.
static routes
dynamic routing protocols
proxy arps
$FWDIR/modules/fwkern.conf
patches - egrep -i hotfix /opt/CPshrd-R77/registry/HKLM_registry.data. Chances are you won't need these as I'm guessing you'll be making a big version jump.
update topology (interface names will change)

Wouldn't hurt to put the latest GA jumbo hotfixes on everything as well.

Worst case you can just move cables back, just make sure it's part of your change control to expect some outage time and account for back out time.



Really you can recreate the firewalls in a VM as well to give enhanced warm fuzzies. Just make some VMs to represent routers and a few critical servers. This way you can make sure traffic passes like you would think.
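
The checklist above (static routes, fwkern.conf, hotfixes, topology with renamed interfaces) is easy to turn into a pre/post-cutover comparison so the lab run and the real cutover can be verified the same way. The script below is an added example and not part of any post in this thread or of Check Point's tooling. It assumes you have captured the route table, fwkern.conf and a registry dump from the old IPSO box and the new Gaia box as plain text; all the sample data is constructed here, the parameter names in fwkern.conf are placeholders, and the route parser deliberately ignores the interface column because interface names change between the two platforms.

```python
"""Compare captured firewall configuration before and after a hardware
migration. All sample data below is constructed for illustration."""
import re
from typing import Dict, List, Tuple

# --- Constructed sample captures (not from any real IP565 or SG5600) --------
# Route lines: "<destination> <gateway> <interface>", transcribed from each box.
IPSO_ROUTES = """\
default 192.0.2.1 eth-s1p1c0
10.10.0.0/16 192.0.2.2 eth-s1p1c0
10.20.0.0/16 192.0.2.2 eth-s1p1c0
172.16.5.0/24 198.51.100.1 eth-s2p1c0
"""
GAIA_ROUTES = """\
default 192.0.2.1 eth1
10.10.0.0/16 192.0.2.2 eth1
172.16.5.0/24 198.51.100.9 eth2
"""

# Constructed fwkern.conf contents; parameter names are placeholders.
IPSO_FWKERN = """\
# kernel parameters on the old box
example_param_one=1
example_param_two=30
"""
GAIA_FWKERN = """\
example_param_one=1
"""

# Constructed excerpt standing in for lines of HKLM_registry.data.
REGISTRY_EXCERPT = """\
:SomeUnrelatedKey (1)
:Example_HOTFIX_Placeholder (installed)
:AnotherKey (0)
"""


def parse_routes(text: str) -> Dict[str, str]:
    """Map destination -> gateway. The interface column is dropped on purpose:
    eth-s1p1c0 on IPSO becomes something like eth1 on Gaia, so comparing it
    would flag every route."""
    routes: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        routes[parts[0]] = parts[1]
    return routes


def parse_kern_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def route_gaps(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(destination, old_gateway, new_gateway_or_MISSING) for each old route
    that is absent on the new box or points at a different next hop."""
    gaps = []
    for dest, gw in sorted(old.items()):
        new_gw = new.get(dest, "MISSING")
        if new_gw != gw:
            gaps.append((dest, gw, new_gw))
    return gaps


def kern_gaps(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Kernel parameters set on the old box that differ or are unset on the new one."""
    return {k: (v, new.get(k, "MISSING")) for k, v in sorted(old.items()) if new.get(k) != v}


def hotfix_lines(registry_text: str) -> List[str]:
    """Same idea as `egrep -i hotfix` over the registry dump, for the report."""
    return [line for line in registry_text.splitlines() if re.search("hotfix", line, re.I)]


def cutover_report() -> dict:
    """Run every check over the constructed captures and return the findings."""
    return {
        "routes": route_gaps(parse_routes(IPSO_ROUTES), parse_routes(GAIA_ROUTES)),
        "fwkern": kern_gaps(parse_kern_conf(IPSO_FWKERN), parse_kern_conf(GAIA_FWKERN)),
        "hotfixes_on_old_box": hotfix_lines(REGISTRY_EXCERPT),
    }


if __name__ == "__main__":
    for section, findings in cutover_report().items():
        print(section, findings)
```

Run it once against the lab build and once against the production boxes just before the cutover window; an empty `routes` and `fwkern` section is the go signal, and anything listed under `hotfixes_on_old_box` is a prompt to check whether the fix is already part of the target version's jumbo hotfix rather than something to carry across blindly.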

Jericho
2016-08-02, 17:22
Thanks.

I'm assuming there is a management server as well....
The site documentation (I've not been there yet) suggests so, but is wildly inaccurate in other areas.

I'm heading there to look for myself tomorrow, so no doubt will be panicking by lunchtime.

How long would you normally expect this kind of thing to take?

jflemingeds
2016-08-02, 17:34
That's really hard to say. You need to lab out the upgrade process to see if there are any gotchas before you'll have a good idea. For the cutover I would ask for at least an hour long outage window, meaning network access is down (because of firewall xyz). If you can't figure out a connectivity issue by then it might be time to back out.

Of course it's up to the business to tell you if that's OK or not.

Jericho
2016-08-03, 14:18
Well, that was a lot easier than I expected.

The new boxes were already set up, separate management server, VRRP etc. working. Just needed the rules & objects migrating. All 9 rules and 30-odd objects...

Bit of copying and repatching over lunchtime and it's all done with no complaints.

Thanks for the advice & pointers.

Cheers

J