CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Clustered FW errors on cp_merge

  1. #1
    Join Date
    2016-06-20
    Posts
    4
    Rep Power
    0

    Default Clustered FW errors on cp_merge

    Hi all.

    Trying to migrate across from R65 P1 to SMS R77, following below thread loosely:

    https://www.cpug.org/forums/showthre...t-1-standalone

    Got our 3rd party to dump objects_5_0.C file, and rulebase.fws file, trying to merge just objects file into new server.

    Around 99% of objects are created successfully in the new database, but any clustered objects (such as the FWs that will eventually be managed by this new server) aren't being added, seemingly erroring on a cluster property in the object:


    Code:
    NEWSPUB.LHC : Validation error in field 'Number of cluster members' of element #1 at object 'NEWSPUB.LHC' @ 'Network Objects' --> The referenced object 'fw1.newspub.telhc' from table 'network_objects' does not exist in the database
    
    ...
    
    fw2.newspub.telhc : Validation error in field 'Cluster Object' at object 'fw2.newspub.telhc' @ 'Network Objects' --> The referenced object 'NEWSPUB.LHC' from table 'network_objects' does not exist in the database
    
    fw1.newspub.telhc : Validation error in field 'Cluster Object' at object 'fw1.newspub.telhc' @ 'Network Objects' --> The referenced object 'NEWSPUB.LHC' from table 'network_objects' does not exist in the database

    There's about 30 of these objects not being added, and I can manually add them if I have to - just wondered why these are erroring, and whether there will be any issue migrating these FWs from P1 to Smart-1.

    Thanks!

    CS
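
The errors quoted above show references in both directions (the cluster object names a member, and each member names its cluster). The following script groups rejected objects by those missing references; it is an added example, not part of the original post or of any Check Point tooling. The line format is assumed from the three errors quoted, and `parse_errors` and `group_rejected` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: the three validation errors quoted in the post above.
SAMPLE_LOG = """\
NEWSPUB.LHC : Validation error in field 'Number of cluster members' of element #1 at object 'NEWSPUB.LHC' @ 'Network Objects' --> The referenced object 'fw1.newspub.telhc' from table 'network_objects' does not exist in the database
fw2.newspub.telhc : Validation error in field 'Cluster Object' at object 'fw2.newspub.telhc' @ 'Network Objects' --> The referenced object 'NEWSPUB.LHC' from table 'network_objects' does not exist in the database
fw1.newspub.telhc : Validation error in field 'Cluster Object' at object 'fw1.newspub.telhc' @ 'Network Objects' --> The referenced object 'NEWSPUB.LHC' from table 'network_objects' does not exist in the database
"""

# Line shape assumed from the errors quoted in the post; any other
# cp_merge output (including the "..." separator) is skipped.
ERROR_RE = re.compile(
    r"^\s*(?P<obj>\S+) : Validation error in field '(?P<field>[^']+)'.*?"
    r"--> The referenced object '(?P<ref>[^']+)' from table '(?P<table>[^']+)' "
    r"does not exist in the database\s*$"
)

def parse_errors(log_text):
    """Return (object, field, missing_reference) for each matching line."""
    return [(m["obj"], m["field"], m["ref"])
            for m in map(ERROR_RE.match, log_text.splitlines()) if m]

def group_rejected(log_text):
    """Group rejected objects that are linked by missing references.

    Returns (groups, external): groups is a sorted list of sorted name lists,
    external maps an object to missing references that were not themselves
    rejected in this log (i.e. absent for some other reason).
    """
    errors = parse_errors(log_text)
    rejected = {obj for obj, _, _ in errors}
    parent = {}

    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    external = defaultdict(set)
    for obj, _, ref in errors:
        if ref in rejected:
            parent[find(obj)] = find(ref)   # same cluster group
        else:
            find(obj)
            external[obj].add(ref)
    groups = defaultdict(set)
    for obj in rejected:
        groups[find(obj)].add(obj)
    return sorted(sorted(g) for g in groups.values()), dict(external)
```

Each group is a set of objects that has to be created together (or manually) on the target; anything in `external` points at a reference that is missing for a reason other than this mutual dependency.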

  2. #2
    Join Date
    2007-06-04
    Posts
    3,232
    Rep Power
    15

    Default Re: Clustered FW errors on cp_merge

    Is there a reason that you cannot use the standard migration tools? I am going to hazard a guess that you are having an issue with the CA not being present on the box that you are attempting to import to. It isn't like the 4.1 days when you could copy a file to move a management server. Use the Migration Tools, as they move the parts that are necessary.

    Personally, I would do the following.

    1.) Build a P1 R77. ( Virtuals are good for this )
    2.) Use the R77 Migration Tools to export the R65 to the R77 - make sure that you remove Global Policy from the CMA/Domain first of all as per standard migration
    3.) Build an R77 SMS as a Secondary Management Server and synch the R77 SMS with the R77 CMA/Domain
    4.) Shutdown the R77 P1 and then promote the R77 SMS from Secondary to Primary
    5.) Delete any policies you don't want

    sk65385 contains How To docs, one of which is how to promote Secondary Management to Primary, found in the Security Management Section. Whilst it is R65, the process is the same for R7x as well.

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,397
    Rep Power
    8

    Default Re: Clustered FW errors on cp_merge

    Can you go from 65 to 77? The upgrade wizard says you need to go through R75.

  4. #4
    Join Date
    2007-06-04
    Posts
    3,232
    Rep Power
    15

    Default Re: Clustered FW errors on cp_merge

    Quote Originally Posted by jflemingeds View Post
    Can you go from 65 to 77? The upgrade wizard says you need to go through R75.
    Excellent point! Didn't think that with saying that attempting it

    From the R77 Release notes

    You can upgrade these Security Management Server and Security Gateway versions to R77:
    - R71.50
    - R75, R75.10, R75.20, R75.30, R75.40, R75.45, R75.46, R75.40VS
    - R76

    So yes, you will need to do an intermediate step of R65 to one of these, then the intermediate to R77.

  5. #5
    Join Date
    2016-06-20
    Posts
    4
    Rep Power
    0

    Default Re: Clustered FW errors on cp_merge

    Hey guys

    Thanks for the replies...

    I've actually just added these gateway/clusters on manually, so I can add the rules.

    I'm at the point where I've got 2 x R77.10 SMS, with all objects and rules added. So next step is to actually do the migration; my thoughts are:

    1. Reset SIC on Gateways
    2. Initialise trust on SMS towards gateways
    3. Get topology from each cluster/gateway I initialise trust with
    4. (after ensuring new rulebase matches old rulebase) install policy on gateways

    Is this about right? My only concern is the topology "get", not 100% sure on why this is needed - can I manually define, and not bother? Or better to run the "get"?

    Cheers

    CS

  6. #6
    Join Date
    2007-06-04
    Posts
    3,232
    Rep Power
    15

    Default Re: Clustered FW errors on cp_merge

    The interface names/IP address etc. need to match what is on the box.

    This is why it is better to do the Get Interfaces, so that it pulls this through from the gateway after establishing SIC. There is no reason why you cannot do it all manually if you want, however.

    Unless you are doing a Get Interfaces with Topology, you will have to configure the Address Spoofing manually anyway.

    It is really just a case of using the tools provided so that you don't have to do the work manually.

  7. #7
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    3

    Default Re: Clustered FW errors on cp_merge

    Quote Originally Posted by captainserious View Post
    Is this about right?
    A - Yes, this is indeed correct.

    Quote Originally Posted by captainserious View Post
    My only concern is the topology "get", not 100% sure on why this is needed - can I manually define, and not bother?
    A - Yes, you could if you really wanted to.

    Quote Originally Posted by captainserious View Post
    Or better to run the "get"?
    A - This is (arguably) the better option:
    - faster
    - easier
    - and if for some reason you mis-configured the IP on the device itself, when you "get", this can serve as another layer of verification for such details

  8. #8
    Join Date
    2016-06-20
    Posts
    4
    Rep Power
    0

    Default Re: Clustered FW errors on cp_merge

    Quote Originally Posted by jdmoore0883 View Post
    A - Yes, this is indeed correct.



    A - Yes, you could if you really wanted to.



    A - This is (arguably) the better option:
    - faster
    - easier
    - and if for some reason you mis-configured the IP on the device itself, when you "get", this can serve as another layer of verification for such details
    Great, thanks a lot - reasonably new to Checkpoint, and been chucked into the deep-end somewhat.

    Are there any gotchas regarding moving the existing gateways to the new management server?

    Also, in terms of a rollback plan (as I'd like a reverse path :) ), I could just reset SIC again, and re-initialise to the old server?

  9. #9
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    3

    Default Re: Clustered FW errors on cp_merge

    Quote Originally Posted by captainserious View Post
    Are there any gotchas regarding moving the existing gateways to the new management server?
    A - Not really... I mean, you'll have to reset SIC which can restart the Checkpoint services (there is a way to do so without that restart though, if need be), but other than that, it should be rather straightforward.

    Quote Originally Posted by captainserious View Post
    Also, in terms of a rollback plan (as I'd like a reverse path :) ), I could just reset SIC again, and re-initialise to the old server?
    A - This is correct.

  10. #10
    Join Date
    2016-06-20
    Posts
    4
    Rep Power
    0

    Default Re: Clustered FW errors on cp_merge

    Quote Originally Posted by jdmoore0883 View Post
    A - Not really... I mean, you'll have to reset SIC which can restart the Checkpoint services (there is a way to do so without that restart though, if need be), but other than that, it should be rather straightforward.



    A - This is correct.
    Okay that should be fine anyway - we've got 2 pairs of FWs, one pair active and one pair stby, so we can just do stby and then failover to 2nd DC.

    Cheers!
