CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Moving Security server from one datacenter to another

  1. #1 (sysko)

    Moving Security server from one datacenter to another

    Hi,

    We have a new project of moving a management security server (VM) from one datacenter to another.
    The management is running Gaia R77.20. It currently manages 10 external cluster firewalls (Gaia R77.20) and the licensing is centrally managed on the management server.

    The challenges we are facing are as follows:
    Moving the security server from datacenter A to datacenter B implies that the ISPs are different and that the public IP scheme is different.
    The internal IP scheme at datacenter B is also different from datacenter A, meaning that, among other things, the security management server needs to be readdressed.


    Based on the above, we can foresee the following necessary steps:

    - The need to re-license all the firewalls in the UserCenter with the new NATed public IP of the security center located at the target datacenter B.
    - The need to change the IP of the management server as per sk40993


    Has anyone performed such a migration/move? Which other steps should we consider?


    Thanks for taking the time to read my post,


    Andy

  2. #2

    Re: Moving Security server from one datacenter to another

    From what I can tell, you will also need to re-establish SIC from the SMS to everything.

  3. #3 (mcnallym)

    Re: Moving Security server from one datacenter to another

    What I would do:

    1.) Migrate export the current SmartCenter A
    2.) Build a new VM with the new DataCentre IP address but the SAME HOSTNAME
    3.) On the existing SmartCentre A define a new object with the Public IP at DataCentre B that the new SmartCentre will be NATed behind
    4.) Create a Rule allowing the new Object access to the Gateways with the Check Point Management Protocols
    5.) Install Policy to Gateways
    6.) Configure the Firewall at DataCentre B to NAT SmartCentre B to the Public IP defined in 3.
    7.) As it is the same ICA, you should then see that SmartCentre B shows a connected state in SmartView Monitor.
    8.) Relicense Gateways to the SmartCentre B address
    9.) Import Licenses into SmartUpdate on SmartCentre B and attach licenses to Gateways
    10.) Install Security Policies to Gateways
    11.) Test
    12.) Change Internal DNS to point the SmartCentre name to the SmartCentre B IP address
    13.) You may want to reset the CA at some point so that it points at the correct IP; however, I would see how you go. The CA Hostname is still the same so it shouldn't be an issue. We have migrated customers (on CMAs as opposed to SmartCentres, admittedly) where we kept the same CMA name but the IP changed, and VPN Certs still work, we still get Cert Expiry messages etc.

    This is based upon what we do when taking on a new Managed Service where the existing supplier allows access from our IP with Check Point, then exports the system and we import. The Gateway already allows our connections for the CP Protocols so we can do the initial push etc. It is still the same CA on the Check Point SmartCentre so it works. No need to reset SIC at this point.
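    The following is an added example, not code from mcnallym's post or from Check Point. It covers steps 3-4 and 11 above: it spells out "Check Point Management Protocols" as the predefined services (and the direction each one is initiated in) so the rule for the new object can be written as those services rather than ANY, and it runs a pre-flight reachability check over that plan from whichever side you execute it on. The port list, the placeholder addresses and the simulated connector are assumptions of the example; confirm the service set against your own rulebase, and run the real check from the new SmartCentre (for the management-to-gateway paths) and from one member of each cluster (for the gateway-to-management paths).

```python
"""Pre-flight check for moving a Security Management Server behind a new public IP.

Added example, not from the forum thread or from Check Point.  The port numbers are
the standard Check Point predefined services; which of them your deployment needs
is an assumption to confirm against your own rulebase.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Direction: new management (seen as the DC-B public IP after NAT) -> gateways.
MGMT_TO_GW: Dict[str, int] = {
    "FW1 (policy install)": 256,
    "FW1_sds_logon / CPD (SIC)": 18191,
    "CPD_amon (SmartView Monitor status)": 18192,
    "FW1_CPRID (SmartUpdate)": 18208,
    "FW1_ica_push (certificate push)": 18211,
}

# Direction: gateways -> new management public IP (logs, SIC pull, CRL fetch).
# CPMI tcp/18190 is deliberately absent: that is SmartDashboard -> management,
# not a gateway path, and belongs in a separate rule for the admin workstations.
GW_TO_MGMT: Dict[str, int] = {
    "FW1_log (logging)": 257,
    "FW1_ica_pull (SIC certificate pull)": 18210,
    "FW1_ica_services (CRL retrieval)": 18264,
}

Rule = Tuple[str, str, str, int]        # (source, destination, service, port)
Connector = Callable[[str, int], bool]  # connect(host, port) -> handshake succeeded?


def plan_rules(new_sms_public_ip: str, gateways: List[str]) -> List[Rule]:
    """Least-privilege version of the step-4 rule: only the management services,
    each in the direction it is initiated, instead of ANY service both ways."""
    rules: List[Rule] = []
    for gw in gateways:
        for svc, port in MGMT_TO_GW.items():
            rules.append((new_sms_public_ip, gw, svc, port))
        for svc, port in GW_TO_MGMT.items():
            rules.append((gw, new_sms_public_ip, svc, port))
    return rules


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real connector: True when a TCP handshake completes.  A daemon answering
    here can still refuse us at the SIC layer; this only proves the path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def simulated_connector(closed: Dict[str, set]) -> Connector:
    """Constructed stand-in for tcp_connect so the plan can be exercised offline:
    every port answers except the (destination -> {ports}) pairs listed in `closed`."""
    def connect(host: str, port: int) -> bool:
        return port not in closed.get(host, set())
    return connect


def preflight(vantage_ip: str, rules: List[Rule],
              connect: Connector = tcp_connect) -> Dict[str, List[str]]:
    """Test every planned rule whose source is the host we run from and return
    {destination: [services that did not answer]}.  Pass the new SmartCentre's
    public IP as vantage when running on the SmartCentre, and a gateway's address
    when running on that gateway.  An empty dict means all paths are open."""
    failures: Dict[str, List[str]] = {}
    for src, dst, svc, port in rules:
        if src != vantage_ip:
            continue
        if not connect(dst, port):
            failures.setdefault(dst, []).append(f"{svc} tcp/{port}")
    return failures


if __name__ == "__main__":
    SMS_B = "198.51.100.10"                    # constructed: DC-B public IP NATing the new SmartCentre
    GATEWAYS = ["203.0.113.1", "203.0.113.2"]  # constructed: external cluster member addresses

    rules = plan_rules(SMS_B, GATEWAYS)
    print("Rules to add on SmartCentre A before cut-over:")
    for src, dst, svc, port in rules:
        print(f"  {src:>15} -> {dst:<15} {svc} (tcp/{port})")

    # Offline dry run: AMON blocked towards the second gateway, CRL port blocked back at DC-B.
    sim = simulated_connector({"203.0.113.2": {18192}, SMS_B: {18264}})
    print("From the SmartCentre:", preflight(SMS_B, rules, sim))
    print("From gateway 1:      ", preflight(GATEWAYS[0], rules, sim))
    # For the real thing replace `sim` with tcp_connect on each host:
    #   preflight(SMS_B, rules)  /  preflight("<this gateway's IP>", rules)
```

    A non-empty result before step 5 means the rule or the DC-B NAT is not yet in place for that service; a clean result from both sides is what step 7 (connected state in SmartView Monitor, which rides on CPD_amon) and the log flow in step 11 depend on.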

  4. #4 (sysko)

    Re: Moving Security server from one datacenter to another

    Thanks to both of you for taking the time to reply.

    @mcnallym
    I like that idea better; it seems smoother than my former idea, which involved re-SICing everything...

    I went through the details you explained and I will surely test this procedure in a non-production environment to familiarize myself with it.
    There are a few steps I'd like to better understand, see in bold below:


    1.) Migrate export the current SmartCenter A
    2.) Build a new VM with the new DataCentre IP address but the SAME HOSTNAME
    3.) On the existing SmartCentre A define a new object with the Public IP at DataCentre B that the new SmartCentre will be NATed behind

    Just to clarify Step 3, are we talking about a new HOST NODE object or a new "CheckPoint > Security Management" Object that needs to be created with the public IP of DataCentre B?

    4.) Create a Rule allowing the new Object access to the Gateways with the Check Point Management Protocols

    I had in mind ALLOWING the NEW SMARTCENTER (public IP) with ANY SERVICE towards ALL REMOTE Firewall GATEWAYS, and
    ALLOWING ALL Firewall GATEWAYS with ANY SERVICE to the NEW SMARTCENTER (public IP)


    5.) Install Policy to Gateways


    6.) Configure the Firewall at DataCentre B to NAT SmartCentre B to the Public IP defined in 3.

    Do we MIGRATE IMPORT from the MIGRATE EXPORT taken at step 1 at this point?

    7.) As it is the same ICA, you should then see that SmartCentre B shows a connected state in SmartView Monitor

    8.) Relicense Gateways to the SmartCentre B address
    9.) Import Licenses into SmartUpdate on SmartCentre B and attach licenses to Gateways
    10.) Install Security Policies to Gateways
    11.) Test
    12.) Change Internal DNS to point the SmartCentre name to the SmartCentre B IP address
    13.) You may want to reset the CA at some point so that it points at the correct IP; however, I would see how you go. The CA Hostname is still the same so it shouldn't be an issue. We have migrated customers (on CMAs as opposed to SmartCentres, admittedly) where we kept the same CMA name but the IP changed, and VPN Certs still work, we still get Cert Expiry messages etc.




    I will go sleep on this a bit.
    Thanks for sharing,

    Andy

  5. #5 (mcnallym)

    Re: Moving Security server from one datacenter to another

    Quote Originally Posted by sysko
    3.) On the existing SmartCentre A define a new object with the Public IP at DataCentre B that the new SmartCentre will be NATed behind

    Just to clarify Step 3, are we talking about a new HOST NODE object or a new "CheckPoint > Security Management" Object that needs to be created with the public IP of DataCentre B?

    6.) Configure the Firewall at DataCentre B to NAT SmartCentre B to the Public IP defined in 3.

    Do we MIGRATE IMPORT from the MIGRATE EXPORT taken at step 1 at this point?

    3.) - A Host Node is fine; the main thing is to allow the IP address to connect to the Gateways.

    6.) Sorry, yes, you should migrate import before adding the DataCentre B Firewall and configuring it.
