
Originally Posted by sysko
Thanks to the both of you for taking the time to reply.
@mcnallym
I like that idea better, it seems smoother than my former idea, which involved re-SIC'ing everything...
I went through the details you explained and I would surely test this procedure in a non-production environment to familiarize myself with it.
There are a few steps I'd like to better understand, see in bold below:
1.) Migrate Export the current SmartCenter A
2.) Build new VM with new DataCentre IP address but SAME HOSTNAME
3.) On existing SmartCentre A define a new object with the Public IP at DataCentre B that will NAT new SmartCentre behind
Just to clarify Step 3, are we talking about a new HOST NODE object or a new "CheckPoint > Security Management" Object that needs to be created with the public IP of DataCentre B?
4.) Create Rule allowing the new Object access to the Gateways with Check Point Management Protocols
I had in mind ALLOWING the NEW SMARTCENTER (public IP) with ANY SERVICE towards ALL REMOTE Firewall GATEWAYS
ALLOWING ALL Firewalls GATEWAYS with ANY SERVICE to the NEW SMARTCENTER (public IP)
5.) Install Policy to Gateways
6.) Configure Firewall at DataCentre B to NAT the SmartCentre B to the Public IP defined in 3.
Do we MIGRATE IMPORT from the MIGRATE EXPORT taken at step 1 at this point?
7.) As is the same ICA then should see that SmartCentre B shows connected state in SmartView Monitor
8.) Relicense Gateways to SmartCentre B address
9.) Import Licenses to SmartUpdate in SmartCentre B and attach licenses to Gateways
10.) Install Security Policies to Gateways
11.) Test
12.) Change Internal DNS to point Smartcentre name to SmartCentre B IP address
13.) You may want to reset the CA at some point so that points at the correct IP however would see how you go. The CA Hostname is still the same so shouldn't be an issue. We have migrated customers (on CMAs as opposed to SmartCentres, admittedly) where kept same CMA name but IP changed and VPN Certs still work, still get Cert Expiry messages etc.
I will go sleep on this a bit.
Thanks for sharing,
Andy