CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: How to Move one VSX cluster from one CMA to other CMA.

  1. #1
    Join Date
    2011-11-08
    Posts
    16
    Rep Power
    0

    How to Move one VSX cluster from one CMA to other CMA.

    Hi,

    I have two VSX clusters running under one CMA, on which 3 Virtual Systems are configured.
    Below is how the current configuration looks.
    CMA ABC
    o Test1_VSX_Cluster
    1. VS_1
    2. VS_2
    3. VS_3
    o Test2_VSX_Cluster
    1. VS_A
    2. VS_B
    3. VS_C
    Now I want to move one virtual cluster to another CMA under the same MDS.
    I tried this by exporting the configuration of the 1st CMA and tried to import it into the 2nd CMA, but ended up with errors and warnings.
    Can anyone please guide me to a better way to do so?
    MDS
    CMA ABC
    o Test1_VSX_Cluster
    1. VS_1
    2. VS_2
    3. VS_3
    CMA XYZ
    o Test2_VSX_Cluster
    1. VS_A
    2. VS_B
    3. VS_C

  2. #2
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Re: How to Move one VSX cluster from one CMA to other CMA.

    Exporting and then importing is the way. However as you have found you get issues when doing this on the same MDS as the CMA/Domain has the same CA as the exported CMA/Domain, which the MDS really doesn't like.

    What I ended up doing when moving from physical to VS was

    1.) Export CMA/Domain for Physical Gateways
    2.) Import into a new Temporary MDS and Domain - this won't have a duplicate CA as the temporary MDS doesn't have the production CMA/Domain on it.
    3.) Reset the CA on the CMA/Domain - note that this will require that all SIC configuration is lost and needs to be re-established; you also need to delete and remove any VPN configuration from the CMA/Domain. Also remove anything from the CMA/Domain that you are not interested in.
    4.) Export the Reset CMA/Domain from the Temporary MDS into the Production MDS. It now has a separate CA so shouldn't clash with the original CMA/Domain. Add back in the VPN configuration, if any.
    5.) Re-establish SIC between VSX and new CMA/Domain, and install policy.
    6.) Delete VS from the original CMA/Domain - no longer has SIC established with VS so shouldn't affect the VSX Cluster/Gateways etc.

    When doing the VPN removal all I did was remove the Physical Gateway/Cluster from the VPN communities. Pre-Shared Keys are registered against the 3rd Party Gateway Objects so are retained as long as they aren't removed from the VPN community. Simply then just re-add the VS into the VPN Community after resetting the CA on the CMA/Domain.

  3. #3
    Join Date
    2011-11-08
    Posts
    16
    Rep Power
    0

    Re: How to Move one VSX cluster from one CMA to other CMA.

    Thanks! Good workaround, but I don't have a temporary MDS server in my environment :(

    Below is one of the errors received.

    >>> Executing VSX Objects Detector
    Error: Management with VSX objects detected.
    A management of this sort should be migrated according to a special procedure
    described in 'VSX Migration With Provider-1 WhitePaper'.
    Please contact Check Point support in order to get this document.
    ----------------------------------------------------------------------
    VSX Objects Detector completed with errors.
    ======================================================================
    >>> Executing Security Management Server Pre Upgrade Verifier

  4. #4
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Re: How to Move one VSX cluster from one CMA to other CMA.

    Create a file named AllowVsxMigration in the root directory of your MDS machine as follows:

    touch /AllowVsxMigration (this file will need to be created after the migration of each cma containing vsx objects).

    This will prevent the first error that you are getting and is taken from sk32633.

    http://supportcontent.checkpoint.com...nload?id=35084

    This links to a document in the How To section called How To Perform VSX Migration for Multi Domain Management. It is a pretty good reference. Note that you will need to create the file before every import of a Domain/CMA into the MDS. The file is deleted after the import. File should be left empty.

    Don't forget that you can install the MDS into VMware, or any hardware that you can get Splat/Gaia onto. (I used VMware personally.) It won't be used in anger so doesn't need to be anything special.

  5. #5
    Join Date
    2011-11-08
    Posts
    16
    Rep Power
    0

    Re: How to Move one VSX cluster from one CMA to other CMA.

    Created an MDS on VMware and followed the process mentioned in post 1, but received the error "VSX Objects Detector completed with errors."

    Then I followed the process mentioned in the later post, as per the guide, till page 17 point 21. I did not observe any issue; I was able to finish till that point and the output was just as mentioned in the document.

    But when I checked the mdsstat output from the CLI, the process “FWM” is showing down and not coming up. It might be one of the reasons the imported CMA is not showing anything.

    [Attached image: DBedit & Mdsstat.jpg]

    In the document it is mentioned that a change in server IP needs to be updated via dbedit.
    But I am unable to log in to it, getting the error “session not establish : failed to login into it”.
    Enclosed are the MDSSTAT output and dbedit output.

  6. #6
    Join Date
    2011-11-08
    Posts
    16
    Rep Power
    0

    Re: How to Move one VSX cluster from one CMA to other CMA.

    Any other workaround or any solution on this?

  7. #7
    Join Date
    2011-11-08
    Posts
    16
    Rep Power
    0

    Re: How to Move one VSX cluster from one CMA to other CMA.

    Repeated the above procedure in the lab 2-3 times but got the same result: the "FWM" process is not coming up (just like in the above post).

    Does anyone have other views on this?
