CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Windows R77.30 to Gaia R77.30 Migration

  1. #1
    Join Date
    2016-10-31
    Posts
    47
    Rep Power
    0

    Default Windows R77.30 to Gaia R77.30 Migration

    I am trying to migrate Windows R77.30 onto open server R77.30. I think the following process needs to be followed. Has anyone followed the same process and been successful?


    • export the Database from the windows R77.30

    C:\Windows\FW1\R77\fw1\bin\upgrade_tools\migrate export <Name>

    • Install the Gaia R77.30 with same level of Version and Add-on.

    Import the database
    migrate import <Name>

    • Apply the license to Gaia which is generated with new IP MGMT IP address.
    • Perform CPSTOP and CPSTART.
    • launch the SmartDashboard and update the MGMT Object and topology with new IP address.
    • Install the Database.
    • Login SmartCenter with new IP address.
    • Stop Check Point services: cpstop
    • Change the hostname:
    In Gaia's clish: >set hostname <newHostname>
    In Gaia, run >save config
    • Back up the $FWDIR/conf/objects_5_0.C file and edit it with the vi editor.
    • Use the Search and Replace feature in vi to replace all instances of the old hostname with the new one:
    • Run "vi objects_5_0.C" and remove the entire certificate block from each entry by going to the colon at the beginning of each certificate entry and delete. Once complete, save file by using

    For example:
    :certificates (
    : (defaultCert
    Should become:
    :certificates ()
    • Destroy the Internal Certificate Authority: fwm sic_reset
    • Recreate the CA by running cpconfig, then select the Certificate Authority option.
    • Reboot
    • Connect with SmartDashboard to confirm that the new hostname shows up.
    • Reset SIC to gateways.

  2. #2
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    941
    Rep Power
    12

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    Quote Originally Posted by ba3113 View Post
    I am trying to migrate Windows R77.30 onto open server R77.30. I think the following process needs to be followed. Has anyone followed the same process and been successful?



    In Gaia, run >save config
    • Back up the $FWDIR/conf/objects_5_0.C file and edit it with the vi editor.
    • Use the Search and Replace feature in vi to replace all instances of the old hostname with the new one:
    • Run "vi objects_5_0.C" and remove the entire certificate block from each entry by going to the colon at the beginning of each certificate entry and delete. Once complete, save file by using

    For example:
    :certificates (
    : (defaultCert
    Should become:
    :certificates ()
    • Destroy the Internal Certificate Authority: fwm sic_reset
    • Recreate the CA by running cpconfig, then select the Certificate Authority option.
    • Reboot
    • Connect with SmartDashboard to confirm that the new hostname shows up.
    • Reset SIC to gateways.
    Why on earth do you want to reset SIC with GWs? Why tamper with the CA and object name? It is much easier to maintain the old object name for MGMT itself. Quoted problematic part only.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date
    2016-10-31
    Posts
    47
    Rep Power
    0

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    I am going to leave the Windows R77.30 SmartManagement online in the network, so I can't use the same hostname and IP address.

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    3

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    Quote Originally Posted by ba3113 View Post
    I am going to leave the Windows R77.30 SmartManagement online in the network
    Why? Why do this? You will cause yourself pain and misery trying to do this.

  5. #5
    Join Date
    2016-10-31
    Posts
    47
    Rep Power
    0

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    They are going to manage different clusters and I need to move some of the clusters onto the new management.

  6. #6
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    941
    Rep Power
    12

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    Quote Originally Posted by ba3113 View Post
    They are going to manage different clusters and I need to move some of the clusters onto the new management.
    That is a completely different story. This is not migrating management but splitting it. You may want to reset the CA on MGMT in this case, on at least one of the MGMT servers.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  7. #7
    Join Date
    2016-10-31
    Posts
    47
    Rep Power
    0

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    True.
    You can say we are splitting the mgmt function for the time being, but after some time the legacy one needs to migrate. I am happy to reset the CA on the new management. I would like your expert advice on changing the hostname and IP address of the new management.

  8. #8
    Join Date
    2006-03-21
    Posts
    64
    Rep Power
    12

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    Hi ba3113,

    I agree with Valeri, changing the SMS name should be your last option. If the aim is to migrate the legacy SMS as well, you can survive for a while with the same name in both servers.

    If you still want to go ahead, I have followed the following [unofficial] process to reset the CA in the past.

    1. Run cpstop.
    2. Modify %FWDIR%/conf/objects_5_0.C as follows:
    3. Search for the “certificates” property in the properties that are listed for all firewall module network object(s). This section will look like the following:
      ———————————————————–
      :backup_gateway ()
      :certificates (
      :
      :
      :
      )
      :define_logging_servers (false)
      ———————————————————–
    4. Edit the certificates property so that all of its contents between the open parentheses and the close parentheses are deleted. After the edit, the same section should look like the following:
      ———————————————————–
      :backup_gateway ()
      :certificates ()
      :define_logging_servers (false)
      ———————————————————–
    5. Issue fwm sic_reset. This step takes some time to be completed so be patient (output example)
      [Expert@MGMT]# fwm sic_reset
      ***************** Warning: ****************
      This operation will reset the Secure Internal Communication (SIC).
      The internal Certificate Authority will be destroyed and Check Point Components
      will not be able to communicate.
      You will have to perform the following operations to enable communication:
      1. Re-initialize the internal Certificate Authority (use cpconfig).
      2. Restart Check Point Services (cpstart, cpridstart).
      3. Reset SIC on each Station that is managed by this Security Management Server.
      4. Re-establish Trust with each Station that is managed by
      this Security Management Server.
      *******************************************
      This operation will stop all Check Point Services (cpstop)
      Are you sure you want to reset? (y/n) [n] ? y

      *** Checking IKE Certificates ***

      *** Stopping services ***
      cpwd_admin:
      Process DASERVICE terminated
      cpwd_admin:
      Process SMARTLOG_SERVER isn't monitored by cpWatchDog. Stop request aborts
      UEPM: Endpoint Security Management isn't activated
      Management Portal: Stopping CPWMD
      cpwd_admin:
      Process CPWMD terminated
      Management Portal: Stopping CPHTTPD
      cpwd_admin:
      Process CPHTTPD terminated
      evstop: Stopping product - SmartEvent Correlation Unit
      Check Point SmartEvent Correlation Unit stopped
      Stopping SmartReporter...
      Stopping the SmartReporter Server.
      Stopping the SmartReporter Log Consolidator.
      Stopping SmartReporter Database.
      Note: Database shutdown takes a few minutes. rmdstart will fail while
      shutdown is in progress.
      SmartView Monitor: Management stopped
      VPN-1/FW-1 stopped
      Multi portal stopped
      Local host is not a FireWall-1 module
      SVN Foundation: cpd stopped
      SVN Foundation: cpWatchDog stopped
      SVN Foundation: Stopping PostgreSQL Database
      SVN Foundation stopped
      cpridstop: cprid watchdog stopped
      cpridstop: cprid stopped

      *** Destroying internal Certificate Authority ***

      *** Updating objects database ***

      SIC Reset operation completed successfully

      Recreating the new CA
      Issue cpstart
      run cpconfig
      Select “Certificate Authority”
      Configuring Certificate Authority...
      ====================================

      The Internal CA will now be initialized
      with the following name: NEW-MGMT
      Is it OK (y/n) [y] ? y

      Initializing the Internal CA...(may take several minutes)
      Internal Certificate Authority created successfully
      Certificate was created successfully
      Certificate Authority initialization ended successfully
      Trying to contact Certificate Authority. It might take a while...
      NEW-MGMT was successfully set to the Internal CA
      Done
    6. Issue cpstop; cpstart
    7. By using Smart Update, export to a file the current attached licenses within the old management object and detach all licenses from that object.
    8. Reset SIC in all the FWs modules
    9. Re-import licenses and attach them accordingly.



    Regards

    Ed
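The certificate-block edit described in posts #1 and #8, as an added example that is not part of any post in this thread: instead of deleting lines by hand in vi, it matches each `:certificates (` to its closing parenthesis and empties the block, reporting how many blocks were changed. The sample text and object names are constructed, and the code assumes quoted strings in the file contain no escaped double quotes.

```python
import re

# Constructed sample in the objects_5_0.C style quoted in the thread (not real data).
SAMPLE = """\
: (fw-a
	:backup_gateway ()
	:certificates (
		: (defaultCert
			:dn ("CN=fw-a VPN Certificate,O=OLD-MGMT (lab)")
		)
	)
	:define_logging_servers (false)
)
: (fw-b
	:certificates ()
	:define_logging_servers (false)
)
"""

def _block_end(text, open_idx):
    """Index just past the ')' matching the '(' at open_idx; parens inside "..." are ignored."""
    depth, in_str = 0, False
    for i in range(open_idx, len(text)):
        c = text[i]
        if c == '"':
            in_str = not in_str      # assumption: no escaped quotes inside strings
        elif not in_str and c == "(":
            depth += 1
        elif not in_str and c == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced parentheses after offset %d" % open_idx)

def empty_certificates(text):
    """Return (new_text, changed) with every ':certificates (...)' block emptied."""
    out, pos, changed = [], 0, 0
    for m in re.finditer(r":certificates \(", text):
        if m.start() < pos:
            continue                 # match lies inside a block already dropped
        end = _block_end(text, m.end() - 1)
        if text[m.end():end - 1].strip():
            changed += 1             # block had content, so it is being emptied
        out.append(text[pos:m.end()] + ")")
        pos = end
    out.append(text[pos:])
    return "".join(out), changed
```

Run it against a backup copy of the file with services stopped, as both posts require, and diff the result against the original before putting it in place.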

  9. #9
    Join Date
    2016-10-31
    Posts
    47
    Rep Power
    0

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    Thank you.
    So changing the IP address should not be an issue and changing the hostname will be a challenge. I will see if we can retain the same name for both SMSs.

  10. #10
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    941
    Rep Power
    12

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    Quote Originally Posted by ba3113 View Post
    Thank you.
    So changing the IP address should not be an issue and changing the hostname will be a challenge. I will see if we can retain the same name for both SMSs.
    Not a good idea, especially if you want to run VPNs between FWs managed by two different SMSs after this split...
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  11. #11
    Join Date
    2016-10-31
    Posts
    47
    Rep Power
    0

    Default Re: Windows R77.30 to Gaia R77.30 Migration

    True, and I appreciate your comment.
    We are not going to have VPN firewalls on the Windows-based SMS. We are going to use that SMS only for dedicated firewall blades. The new Gaia-based SMS will have all the NGTP-managed firewalls.
