CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 5 of 5

Thread: IPSO => Gaia

  1. #1
    Join Date
    2016-08-02
    Posts
    4
    Rep Power
    0

    Default IPSO => Gaia

    Hi,

    Background to the probably daft questions I'm about to ask.

    The group I work for has just absorbed another group, which has a project running to replace a pair of Nokia IP565 with a pair of SG5600-NGTP. The 2 guys who were running the technical side of the project have left and it's landed in my lap.

    Googling leads me to all kinds of resources dealing with upgrading from one version to the other, but not so much on migrating between hardware as well.

    Can anyone give me a hint on whether the following is heading in the right direction? Or how badly wrong this is going to go...

    Build the VM for the new management server
    Export the configuration from the existing management server (migrate-export?)
    Import this into the new management server (migrate-import)
    Configure the network on the new boxes.
    Configure SIC between everything
    Push policy.
    Turn off old, swap new in, cross fingers & hope.

    Cheers

    J

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Default Re: IPSO => Gaia

    Quote Originally Posted by Jericho View Post
    Hi,

    Background to the probably daft questions I'm about to ask.

    The group I work for has just absorbed another group, which has a project running to replace a pair of Nokia IP565 with a pair of SG5600-NGTP. The 2 guys who were running the technical side of the project have left and it's landed in my lap.

    Googling leads me to all kinds of resources dealing with upgrading from one version to the other, but not so much on migrating between hardware as well.

    Can anyone give me a hint on whether the following is heading in the right direction? Or how badly wrong this is going to go...

    Build the VM for the new management server
    Export the configuration from the existing management server (migrate-export?)
    Import this into the new management server (migrate-import)
    Configure the network on the new boxes.
    Configure SIC between everything
    Push policy.
    Turn off old, swap new in, cross fingers & hope.

    Cheers

    J
    I'm assuming you already have a dedicated management server for the IP boxes?

    For the management server you want to download the latest migration utility for your target version. Also checkpoint has a upgrade wizard on their site. Not sure what version you're on but for example you can't go from R65 directly to R77.30. The wizard will (ahem should) explain.

    What i would look at on the current IP boxes is the following.
    static routes
    dynamic routing protocols
    proxy arps
    $FWDIR/modules/fwkern.conf
    patches - egrep -i hotfix /opt/CPshrd-R77/registry/HKLM_registry.data. Chances are you won't need these as i'm guessing you'll be making a big version jump.
    update topology (interface names will change)

    Wouldn't hurt to put the latest GA jumbo hotfixes on everything as well.

    Worst case you can just move cables back just make sure its part of your change control to expect some outage time and account for back out time.



    Really you can recreate the firewalls in a VM as well to give enhanced warm fuzzies. Just make some vms to represent routers and a few critical servers. This way you can make sure traffic passes like you would think.

  3. #3
    Join Date
    2016-08-02
    Posts
    4
    Rep Power
    0

    Default Re: IPSO => Gaia

    Thanks.

    I'm assuming there is a management server as well....
    The site documentation (I've not been there yet) suggests so, but is wildly inaccurate in other areas.

    I'm heading there to look for myself tomorrow, so no doubt will be panicking by lunchtime.

    How long would you normally expect this kind of thing to take?

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Default Re: IPSO => Gaia

    Thats really hard to say. You need to lab out the upgrade process to see if there are any gotchas before you'll have a good idea. For the cutover I would ask for at least an hour long outage window, meaning network access is down (because of firewall xyz). If you can't figure out a connectivity issue by then might be time to back out.

    Of course its up to the businesss to tell you if thats ok or not.

  5. #5
    Join Date
    2016-08-02
    Posts
    4
    Rep Power
    0

    Default Re: IPSO => Gaia

    Well, that was a lot easier than I expected.

    The new boxes were already set up, separate management server, VRRP etc working. Just needed the rules & objects migrating. All 9 rules and 30 odd objects...

    But of copying and repatching over lunchtime and it's all done with no complaints.

    Thanks for the advice & pointers.

    Cheers

    J

Similar Threads

  1. Upgrading from IPSO R65 TO Gaia R77.30
    By carl_t in forum R77.30
    Replies: 5
    Last Post: 2016-03-04, 18:21
  2. .rpm error while upgrading from IPSO to GAIA
    By clickmesri in forum R75.40 (GAiA)
    Replies: 1
    Last Post: 2013-11-25, 05:24
  3. Manual Migration of IPSO to GAiA
    By nathbooth in forum R75.40 (GAiA)
    Replies: 1
    Last Post: 2013-09-03, 10:33
  4. problems with upgrading ipso to gaia
    By johan in forum R75.40 (GAiA)
    Replies: 1
    Last Post: 2012-08-17, 12:00
  5. IPSO => GAIA ...?
    By SecPuh in forum Check Point IP Appliances and IPSO (Formerly Sold By Nokia)
    Replies: 4
    Last Post: 2011-11-23, 22:06

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •