CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Security Management Server migration

  1. #1
    Join Date
    2018-09-17
    Posts
    6
    Rep Power
    0

    Default Security Management Server migration

    Hi all,

    I have 'inherited' an environment with 7 security gateways around the globe (with mesh site to site VPNs) and 1 management server running in AWS. Our support has lapsed (with no plans to renew, not my decision) and we no longer use any advanced features, i.e. we just push any firewall changes from the management server. I've been tasked with either migrating on premise or decommissioning the management server to save the cost of the machine in AWS.

    Couple of questions:
    1. Is there any side effect of decommissioning the management server? Can I just switch it off, then remove whatever association the security gateways have with it, then manage the gateways separately... or will this break VPNs or other functions due to certs or other reason?
    2. If I do migrate it on premise (following the PDF titled 'Migrating Security Management Server and changing IP Address and Hostname'), are there any gotchas as this looks 'kinda' simple but involves SIC reset etc, does this break VPNs or is it relatively low impact?

    Really appreciate any guidance on this; having not done it before it looks a bit scary! :)

    Thanks,
    Simon

  2. #2
    Join Date
    2006-06-07
    Posts
    21
    Rep Power
    0

    Default Re: Security Management Server migration

    The process (like most things, once you're familiar with them) isn't that bad.

    The Management Server is, unless you have a separate log server, also used for traffic logging, so the gateways would start to log locally. If the disk fills then the box falls over.
    It is also used for certificate validation, which if it fails, your VPN mesh fails.

    So basically don't just turn it off. That is NOT an option, so you will have to migrate to on-premise.

    However what you should do is

    1.) Build a new OnPremise Management Server; ideally use the same hostname.
    2.) Add rules permitting that Server IP to communicate with the Gateway. Obviously take into account that it may need to NAT through the Local Gateway where it is located to get to the other gateways.
    3.) Delete the Object representing the New Management Server from the Policy but do NOT install Policy.
    4.) Migrate Export from the existing Smartcentre.
    5.) Migrate Import to the on-premises SmartCentre and do the workaround to Change IP/Hostname. Easiest thing to do is simply KEEP THE SAME HOSTNAME so that the Internal CA and Hostname all match up. Should be able to just update the IP in SmartConsole.
    6.) You should now have connectivity from the new SmartCentre to the gateways.
    7.) License the Gateways to the new SmartCentre IP.
    8.) Install Security Policy to the Gateways.


    You shouldn't have to reset SIC during this process as long as you follow through fully.

  3. #3
    Join Date
    2018-09-17
    Posts
    6
    Rep Power
    0

    Default Re: Security Management Server migration

    Thanks mdjmcnally!

    I understand I do require to set up the management server on prem. Really appreciate the info, I will post back my results!

    Cheers,
    Simon

  4. #4
    Join Date
    2018-09-17
    Posts
    6
    Rep Power
    0

    Default Re: Security Management Server migration

    Hmm.. export / import issues! I am going from R80 to R80.10, run export from current and then get an error importing ' must use same tools', so I copied the tools from the new version to the old and now it says 'migrating from the current management version is not supported'.

    Do I need to upgrade my current SMS to the same version first? Unfortunately if I need to download any files from checkpoint I am stuffed as we don't have support so I cannot access them.

    Any ideas, maybe upgrading first is the only way to go so the versions match?

    Thanks,
    Simon

  5. #5
    Join Date
    2018-09-17
    Posts
    6
    Rep Power
    0

    Default Re: Security Management Server migration

    Okay so you cannot migrate export / import from R80 to R80.10. I have to upgrade to R80.20.Mx then it should work.

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    270
    Rep Power
    12

    Default Re: Security Management Server migration

    Why not move from R80 on AWS to R80 in your own datacenter? The migrate-and-upgrade path seems unnecessarily difficult.

    Edited to add: mdjmcnally touched on this in item 2, but please be aware that you can't manage the firewalls over a VPN. The firewalls need to talk to the management server to bring a VPN up, so if they depend on the VPN to talk to the management, they won't be able to hit it. You can either give the SmartCenter a real public IP or you can NAT it to a public IP on one of the gateways.
    Last edited by Bob_Zimmerman; 2018-09-25 at 10:10.
    Zimmie
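    The reachability point above (and step 2 in mdjmcnally's list) is worth checking on paper before the cutover: if the address the gateways will be given for the SMS falls inside a *remote* peer's VPN encryption domain, that gateway will try to tunnel the management traffic, and the tunnel cannot come up until the gateway has already reached the SMS. The script below is an added example, not code from this thread or from Check Point; the gateway names, encryption domains and addresses are constructed, and the function names are my own. It flags every gateway that would have to go through a tunnel to reach a candidate SMS address, so you can compare a private address behind one gateway with a public/NATed one.

```python
"""Planning check for a Check Point SMS IP change.

For each gateway in a VPN mesh, decide whether management traffic to the
proposed SMS address would be sent through a site-to-site tunnel, i.e.
whether the address sits inside some *other* peer's encryption domain.
Topology and addresses below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Constructed sample mesh: gateway name -> encryption domain(s) as CIDRs.
# These names and ranges are made up; they are not from the thread.
SAMPLE_MESH: Dict[str, List[str]] = {
    "gw-london":    ["10.1.0.0/16"],
    "gw-newyork":   ["10.2.0.0/16"],
    "gw-singapore": ["10.3.0.0/16", "172.16.3.0/24"],
    "gw-sydney":    ["10.4.0.0/16"],
}


def _networks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings into network objects (host bits tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def domain_owners(sms_ip: str, mesh: Dict[str, List[str]]) -> List[str]:
    """Gateways whose encryption domain contains sms_ip."""
    addr = ipaddress.ip_address(sms_ip)
    return [name for name, cidrs in mesh.items()
            if any(addr in net for net in _networks(cidrs))]


def tunneled_peers(sms_ip: str, mesh: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {gateway: [owner, ...]} for every gateway that would route
    management traffic to sms_ip through a VPN tunnel, because the address
    belongs to a remote peer's encryption domain.

    A gateway whose *own* domain contains the address is not listed: it
    delivers locally, which is the 'SMS NATed behind one gateway' layout.
    """
    owners = domain_owners(sms_ip, mesh)
    result: Dict[str, List[str]] = {}
    for gw in mesh:
        remote_owners = [o for o in owners if o != gw]
        if remote_owners:
            result[gw] = remote_owners
    return result


def sms_reachable_without_vpn(sms_ip: str, mesh: Dict[str, List[str]]) -> bool:
    """True when no gateway would need a tunnel to reach the SMS address."""
    return not tunneled_peers(sms_ip, mesh)


if __name__ == "__main__":
    # Candidate 1: private SMS address inside the London domain (constructed).
    # Candidate 2: a public NAT address outside every domain (constructed).
    for candidate in ("10.1.0.10", "203.0.113.10"):
        problems = tunneled_peers(candidate, SAMPLE_MESH)
        if problems:
            print(f"{candidate}: NOT suitable as SMS address")
            for gw, owners in problems.items():
                print(f"  {gw} would tunnel to {', '.join(owners)} to reach it")
        else:
            print(f"{candidate}: every gateway reaches it outside the VPN")
```

    Run it with the two constructed candidates and the private address is rejected for every gateway except the one hosting it, while the public address passes for all of them. Feeding it your real encryption domains and the NAT address you plan to put in the SMS object gives the same answer for your environment before you touch a policy.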

  7. #7
    Join Date
    2015-08-02
    Posts
    6
    Rep Power
    0

    Default Re: Security Management Server migration

    Quote Originally Posted by simbur View Post
    Okay so you cannot migrate export / import from R80 to R80.10. I have to upgrade to R80.20.Mx then it should work.
    Hi,

    Please note that R80.20 is now GA. At this time we recommend using R80.20 GA instead of the R80.20 Mx.

    The steps described earlier in this thread are correct. I'm pretty sure we also have an upgrade guide that gives this as well (upgrade + migration + IP change), but I can't seem to find the relevant section right this instant.
    It looks like you can use the official upgrade guide at https://sc1.checkpoint.com/documents...l_frameset.htm and use sk73120 for the IP change guidance.

    If you need assistance with this you can contact me offline at yonatanph@checkpoint.com.

    Regards,
    Yonatan

  8. #8
    Join Date
    2018-09-17
    Posts
    6
    Rep Power
    0

    Default Re: Security Management Server migration

    Hi all,

    Thanks for taking the time to respond... unfortunately I am stuck at this point. For some reason I am able to download R80.10 clean install (must be a glitch in checkpoint website security). I cannot download any other version as we don't have an active support contract. We used to have R77 onsite. This was migrated to an AWS instance of R80. So we don't have the R80 media for me to continue with the migration, and I can't download R80.20 to upgrade / migrate.

    I asked CheckPoint and they said 'although you effectively own and can generate a license for the product, you must have a support contract to download the media'. Seems a bit odd to me but that is how they roll, so we will bring forward our migration to Fortinet.

    Thanks again,
    Simon

  9. #9
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Default Re: Security Management Server migration

    Quote Originally Posted by simbur View Post
    Thanks for taking the time to respond... unfortunately I am stuck at this point. For some reason I am able to download R80.10 clean install (must be a glitch in checkpoint website security).
    While yes, in general, most software downloads require a software subscription, we do allow download of R80.10 by design (mostly for evaluation purposes).
    I suppose now that R80.20 is out, that should be adjusted.
    Your local office may be able to get you temporary access to download R80.20 in the meantime.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  10. #10
    Join Date
    2018-09-17
    Posts
    6
    Rep Power
    0

    Default Re: Security Management Server migration

    Hi,

    Okay so I managed to get 80.20 installed, and the export / import worked well. I can now log into the new server and all looks good. So I'm at the bit where I change IP, change the SMS object to the new IP, confirm gateway connectivity through a NAT on the local gateway, license the gateways to the new SMS. A couple of queries here:

    - when I change IP on new SMS and detach licenses, then re-apply them to the new IP, will this unlicense the existing gateways until I attach them to the new SMS - will that break VPNs while they are still talking to the old SMS?
    - related to above, do I need to chop this all over at once or can I move gateways one by one over a few weeks? Maybe I should get a trial license for the new SMS so I can have both licensed at once? Or does this not matter.

    Appreciate your advice!

    Thanks,
    Simon

  11. #11
    Join Date
    2007-06-04
    Posts
    3,278
    Rep Power
    16

    Default Re: Security Management Server migration

    Quote Originally Posted by simbur View Post
    Hi,

    Okay so I managed to get 80.20 installed, and the export / import worked well. I can now log into the new server and all looks good. So I'm at the bit where I change IP, change the SMS object to the new IP, confirm gateway connectivity through a NAT on the local gateway, license the gateways to the new SMS. A couple of queries here:

    - when I change IP on new SMS and detach licenses, then re-apply them to the new IP, will this unlicense the existing gateways until I attach them to the new SMS - will that break VPNs while they are still talking to the old SMS?
    - related to above, do I need to chop this all over at once or can I move gateways one by one over a few weeks? Maybe I should get a trial license for the new SMS so I can have both licensed at once? Or does this not matter.

    Appreciate your advice!

    Thanks,
    Simon
    Leave the existing licenses on the Gateways initially.
    Get the licenses re-IPed to the new SMS IP address and then attach those updated licenses onto the gateways. Don't detach the old SMS IP licenses before attaching the updated licenses.

    Once the SMS is up and running and the Gateways have the new IP licenses and are attached to the new SMS, then you can detach the old IP licenses and then remove them from the SMS License Repository.
