In Provider-1 documentation there's a procedure for migrating a Standalone
(management + firewall) into a CMA. I don't know if such a procedure is
documented in SmartCenter.pdf (anyone?) but you could basically do the same
procedure by using upgrade_export / upgrade_import.
An outline of how this could be done (not very elegant but should work):
------------------------------------------------------------------------------------------------------
1. In order for SIC to remain with the other firewalls your Standalone is
managing,
*before* exporting DB to a new management define the following rule on top->
src:newSmartCenter IP, dst:ANY, srv:CPD,FW1,FW1_CPRID,FW1_log accept and
install policy on the other firewalls.
2. Since you'll be splitting your SmartCenter and firewall they'll need
different IPs. This means you *must* have a valid license for the new
SmartCenter IP or else fwm won't start after you import your database. Add a
license for the new SmartCenter IP to your license repository *before* running
upgrade_export.
3. Run upgrade_export on your Standalone.
NOTE: if the target version you want to import to is higher than your current
Standalone version (upgrade) then you *must* use the upgrade_export of the
*target version*. The upgrade_export of the target version may be found on the
CD you purchased or downloaded from CP's download center. If the target version
you want to import the DB to is the same as the current one then you can use:
$FWDIR/bin/upgrade_tools/upgrade_export <exported_file_name>
4. Install a new SmartCenter on a separate machine and copy the
<exported_file_name>.tgz to it.
Run $FWDIR/bin/upgrade_tools/upgrade_import <exported_file_name>.tgz
Test that all the processes are up and running (fwm should be up if there's
a valid license).
5. Uninstall your previous Standalone machine (make sure to remove any
leftovers in /var/opt/CP* and /opt/CP*, in Windows run cpclean after
uninstalling). Install VPN-1 Pro *only*.
6. Launch SmartDashboard to your new SmartCenter.
Right-click in objects tree > Query Network Objects and search for your
Standalone object. Consider removing the object's occurrence after each match
you find in the search. It should be removed from all VPN communities.
Reset the VPN certificate by checking / unchecking <VPN> in the Products List.
Reset and establish SIC with the new gateway (it previously was a Standalone).
7. Right-click on the SmartCenter object and select "Convert to host". Next go
to the topology tab and delete *all* network interfaces.
8. Install policy on all your firewall gateways.
If you don't receive logs from a gateway, make sure it's defined to send logs to
the new SmartCenter, re-install policy on it and Install Database on the
SmartCenter.
Good luck and keep us posted on your results.
Adam
Simon Ashford <Simon.Ashford AT NPL.CO DOT UK> wrote:
I currently have a single firewall running both Management
and Enforcement modules. I am intending to split this
into a two-server configuration with the Management Module
on a new machine and the Enforcement Module staying where
it is.
How difficult is this to do? Is there any documentation
or guidance anywhere I should read?
Thanks.
Simon Ashford.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================