fir3net
PPS-Firenetbanner-780.5x190-30-03-17

Check Point - Migrate a Provider-1 R55 CMA to a R65 Smart Centre Server

Below are the steps required to migrate a Provider-1 CMA to a Smart Centre Server. This tutorial was based on exporting and migrating from R55 to R65 and will involve the following steps,
 
1. Export the CMA on the Provider-1
2. Import the CMA into Smart Centre
3. Export and detach license
4. Update the Smart Centre Object (IP, Name, and Topology)
5. Via the CLI reinitialise the Certificate Authority
6. Import and attach License
7. Update Package details
 
Export the CMA
 
Note: The upgrade_export command is run from the $FWDIR/bin/upgrade_tools directory of the CMA.
Log into the Provider-1 via SSH and remove the following Links,

#mdsenv [cma]
#rm $FWDIR/conf/cp-admins
#rm $FWDIR/conf/cp-gui-clients
#rm $FWDIR/conf/packages.c 

 Delete the links, (you can find the CMA name/IP using mdsstat) and then run:

#mdsenv
#mdsstop_customer [cma]
#mdsenv [cma]
#mcd bin (note the path)
#cd upgrade_tools
#./upgrade_export /var/tmp

 If you want to continue to use the CMA you will need to restore the links. Here are the steps to restore your CMA,

#mdsstop_customer [cma]
#mdsenv [cma]
#mcd conf
#ln -s /opt/CPmds-R55/conf/mdsdb/cp-admins.C cp-admins
#ln -s /opt/CPmds-R55/conf/mdsdb/cp-gui-clients.C cp-gui-clients
#ln -s /opt/CPmds-R55/conf/mdsdb/packages.c packages.c
#mdsenv
#mdsstart_customer [cma] 

  
Import the CMA in Smart Centre Server
 
1. Copy the exported CMA to your Smart Centre Server.
2. Import the config by using
$FWDIR/bin/upgrade_tools/upgrade_import [exported_cma].tgz
3. When asked about the licensing select “No”.
4. Once the import is complete you will find that you receive an error when trying to run cpconfig.
5. Run the command
cd $CPDIR/conf ; mv inst.conf inst.conf.bak
6. Run cpstart
7. Within the Smart Dashboard change the Origin IP of the Manager and select Install Database.
 
Export and Detach license
 
1. Log into the Smart Centre Server via the Smart Dashboard and goto Smart Update.
2. Export the license as a file and detach from the Smart Centre Server Object.
 
Update the Smart Centre Object
 
1. Edit the Check Point Manager Object to reflect the new Smart Centre details (Name, IP, Tolopolgy and Operating System)
2. Change the Object Name to that of the Smart Centre`s hostname.
 
Reinitialise the Certificate Authority

1. Using cpconfig select the “Certificate Authority” option.
2. Select “Yes” to Reinitialise the CA and use the Smart Centre Object name as the internal CA name.
 
Import and attach License

1. Re-import the license into the repository and reattach to the Smart centre server.
 
Update Package details
 
1. Go into Smart Update and under the Packages tab select “Get Gateway Data” for the Smart Centre Server.
2. If this option is greyed out, a missing symlink could be missing. 
Troubleshooting steps can be found at : http://www.cpug.org/forums/smartupdate/8162-error-when-getting-gateway-data-smartupdate.html or select (from toolbar) Packages > Get Data From All.
 
Final Steps
 
1. As an additional test of the Smart Centres ICA connectivity select “Get OS” within the Smart Centre Object. If this completes without any dialog then the communication is fine.
2. Then re-push the policy from your new manager to your firewalls.
 
Additional Reources :  CheckPoint KB : SK22867 – “Peer Sent Wrong DN” - Useful for ICA issues.

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001