CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Migrate Checkpoint cluster from one management server to another

  1. #1
    Join Date
    2016-11-02
    Posts
    2
    Rep Power
    0

    Migrate Checkpoint cluster from one management server to another

    Hey guys, maybe some of you more experienced can help.

    We need to migrate single Checkpoint cluster from Checkpoint management (Openserver SPLAT R75.10) to different one (Openserver Gaia R77.30) - this firewall has its own policy package.

    1) Database of objects on source management is huge and contains multiple policies, policy package has around 700 rules.
    2) Source and also destination management server also have other policy package managing multiple other clusters containing thousands of rules.
    3) I can export source R75.10 management and import it to temporary server + upgrade to R77.30 to have source and destination management servers on same version - no problem (just to avoid some issues on way)
    4) I can export policy to file and move it to target server for import - should be no issue as long as all objects used by the policy are present on target management - and here it comes:

    *I need to somehow export/import objects which are referred by policy for cluster being moved.
    How can I achieve that?

    *There are same objects existing on both management servers and I need to resolve conflicts properly - objects have to be overwritten by those from source management in most cases.
    If I use cp_merge to merge objects_5_0.C, conflicts will be untouched and also I would import also objects which are not referred by policy and used by cluster being moved...

    *There are odumper and ofiller tools, which exist since 2006, and I considered using them to extract data in some "readable" form and use manual work between export and import.
    Since tools are old and can be obsolete, there is high chance that it will not work and can damage data on target management server.

    dbedit is there, but output from source is in XML not suitable for modification and import - to use dbedit on target seems to be no-go because it requires syntax to create+modify object properties

    Has anyone any tips which could help? So far it looks like spending month(s) to prepare objects on target manually and then export + import policy or recreate policy manually on target 1:1

  2. #2
    Join Date
    2007-06-04
    Posts
    3,278
    Rep Power
    16

    Re: Migrate Checkpoint cluster from one management server to another

    Migrate Export and Import is out as it overwrites the original management server, so the tool that would be available is cp_merge as you identified.

    I know the cp_merge that Professional Services have is different to the one that is available to partners/end users etc so don't know if Professional Services would be help here. Yes there is a cost vs the cost of your time.

    Nearest could say is

    1.) Migrate Export, Import the R75.10 to R77.30
    2.) Delete other Policies from R77.30
    3.) Use the Search Query Network Objects to show any unused Objects - then delete those objects using the Remove
    4.) Here's where it starts getting messy - rename objects remaining with a pre-fix to indicate that coming from this mgmt server
    5.) cp_merge the object and the policy into the other R77.30 object - the prefix removes any conflicts
    6.) Use the Search Query Network objects and look for duplicate IP, identify those then go through the policy replacing the pre-fix with the object from the existing mgmt server that cp_merge into

    Not ideal but probably the best I can think of.

    Other people may have scripts etc that they have for this however not really had this problem on this scale myself.
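
An added example, not part of the original posts and not Check Point tooling: a dry-run planner for steps 4 and 6 above that prefixes every source object, flags same-name objects whose addresses differ, and matches prefixed objects to existing target objects by address. The inventories, the `old_` prefix and all function names are constructed assumptions; real input would have to be exported from each management server first.

```python
import ipaddress

PREFIX = "old_"  # hypothetical prefix marking objects that came from the source server

# Constructed inventories (object name -> address); not a Check Point export format.
SOURCE = {"web01": "10.1.1.5", "dmz_net": "192.168.10.0/24",
          "db01": "10.1.2.9", "proxy": "10.1.3.3"}
TARGET = {"web01": "10.9.9.5", "srv_web": "10.1.1.5/32",
          "dmz_net": "192.168.10.0/24", "px_a": "10.1.3.3", "px_b": "10.1.3.3"}

def norm(addr):
    """Canonical form so '10.1.1.5' and '10.1.1.5/32' compare equal."""
    return str(ipaddress.ip_network(addr, strict=False))

def plan_merge(source, target, prefix=PREFIX):
    """Plan the merge without touching either database."""
    renamed = {name: prefix + name for name in source}
    taken = sorted(set(renamed.values()) & set(target))
    if taken:  # the prefix must itself be collision-free on the target
        raise ValueError(f"prefix does not make names unique: {taken}")
    # Same name, different address: an unprefixed merge would leave the
    # migrated rules pointing at the target's address for that name.
    name_conflicts = sorted(n for n in source
                            if n in target and norm(source[n]) != norm(target[n]))
    by_addr = {}
    for name, addr in target.items():
        by_addr.setdefault(norm(addr), []).append(name)
    plan = {"name_conflicts": name_conflicts, "replace": {},
            "ambiguous": {}, "keep": []}
    for name, addr in source.items():
        matches = sorted(by_addr.get(norm(addr), []))
        if len(matches) == 1:    # exactly one target object has this address
            plan["replace"][renamed[name]] = matches[0]
        elif matches:            # several candidates: needs a human decision
            plan["ambiguous"][renamed[name]] = matches
        else:                    # no equivalent on the target: keep prefixed object
            plan["keep"].append(renamed[name])
    return plan

if __name__ == "__main__":
    for key, value in plan_merge(SOURCE, TARGET).items():
        print(key, value)
```

The `name_conflicts` list is the one to review before any merge, since those are the objects where a name match would silently change what a rule permits.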

  3. #3
    Join Date
    2016-11-02
    Posts
    2
    Rep Power
    0

    Re: Migrate Checkpoint cluster from one management server to another

    Many thanks for your tips. Avoiding conflict with prefix before merge is helping a lot overcoming several issues. It allows to get policy and objects to target MGMT server at least!
