Check Point: Migrate Provider-1 R55 CMA to R65 Smart Centre Server

Below are the steps required to migrate a Provider-1 CMA to a Smart Centre Server. This tutorial is based on exporting and migrating from R55 to R65 and involves the following steps:
 
1. Export the CMA on the Provider-1
2. Import the CMA into Smart Centre
3. Export and detach license
4. Update the Smart Centre Object (IP, Name, and Topology)
5. Via the CLI reinitialise the Certificate Authority
6. Import and attach License
7. Update Package details
 
Export the CMA
Note: The upgrade_export command is run from the $FWDIR/bin/upgrade_tools directory of the CMA.

Log into the Provider-1 via SSH and remove the following links:

#mdsenv [cma]
#rm $FWDIR/conf/cp-admins
#rm $FWDIR/conf/cp-gui-clients
#rm $FWDIR/conf/packages.c 

Once the links are deleted (you can find the CMA name/IP using mdsstat), run:

#mdsenv
#mdsstop_customer [cma]
#mdsenv [cma]
#mcd bin (note the path)
#cd upgrade_tools
#./upgrade_export /var/tmp

If you want to continue to use the CMA you will need to restore the links. Here are the steps to restore your CMA:

#mdsstop_customer [cma]
#mdsenv [cma]
#mcd conf
#ln -s /opt/CPmds-R55/conf/mdsdb/cp-admins.C cp-admins
#ln -s /opt/CPmds-R55/conf/mdsdb/cp-gui-clients.C cp-gui-clients
#ln -s /opt/CPmds-R55/conf/mdsdb/packages.c packages.c
#mdsenv
#mdsstart_customer [cma] 
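
The restore steps above hard-code the R55 link targets under /opt/CPmds-R55/conf/mdsdb. As an added example (not part of the original post), this script records where each of the three links actually points before removing it, so the restore recreates exactly what was there; the function names and the manifest file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Link names are the three the
# page removes; the manifest path is an assumption.
# Usage after "mdsenv [cma]" (paths are assumptions):
#   save_and_remove_links "$FWDIR/conf" /var/tmp/cma-links.tsv
#   restore_links         "$FWDIR/conf" /var/tmp/cma-links.tsv
LINKS="cp-admins cp-gui-clients packages.c"
TAB=$(printf '\t')

# Record "name<TAB>target" for each link, then remove the links.
save_and_remove_links() {
    conf_dir=$1; manifest=$2
    # Verify all three first: a second run (links already gone) must fail
    # here instead of truncating a good manifest.
    for name in $LINKS; do
        [ -L "$conf_dir/$name" ] || {
            echo "refusing: $conf_dir/$name is not a symlink" >&2; return 1; }
    done
    : > "$manifest" || return 1
    for name in $LINKS; do
        printf '%s\t%s\n' "$name" "$(readlink "$conf_dir/$name")" >> "$manifest"
    done
    # Delete only after every target is on disk in the manifest.
    for name in $LINKS; do
        rm "$conf_dir/$name" || return 1
    done
}

# Recreate each link from the manifest; never overwrite an existing entry.
restore_links() {
    conf_dir=$1; manifest=$2
    [ -r "$manifest" ] || { echo "manifest missing: $manifest" >&2; return 1; }
    while IFS=$TAB read -r name target; do
        [ -n "$name" ] && [ -n "$target" ] || continue
        if [ -e "$conf_dir/$name" ] || [ -L "$conf_dir/$name" ]; then
            echo "skipping: $conf_dir/$name already exists" >&2
            continue
        fi
        ln -s "$target" "$conf_dir/$name" || return 1
    done < "$manifest"
}
```

Keep the manifest outside the CMA's conf directory so it is not swept up by the export.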

  
Import the CMA in Smart Centre Server
 
1. Copy the exported CMA to your Smart Centre Server.
2. Import the config by using
$FWDIR/bin/upgrade_tools/upgrade_import [exported_cma].tgz
3. When asked about the licensing select “No”.
4. Once the import is complete you will find that you receive an error when trying to run cpconfig.
5. Run the command
cd $CPDIR/conf ; mv inst.conf inst.conf.bak
6. Run cpstart
7. Within the Smart Dashboard change the Origin IP of the Manager and select Install Database.
 
Export and Detach license
 
1. Log into the Smart Centre Server via the Smart Dashboard and go to Smart Update.
2. Export the license as a file and detach from the Smart Centre Server Object.
 
Update the Smart Centre Object
1. Edit the Check Point Manager Object to reflect the new Smart Centre details (Name, IP, Topology and Operating System).

2. Change the Object Name to that of the Smart Centre's hostname.

 
Reinitialise the Certificate Authority

1. Using cpconfig select the “Certificate Authority” option.
2. Select “Yes” to Reinitialise the CA and use the Smart Centre Object name as the internal CA name.
 
Import and attach License

1. Re-import the license into the repository and reattach it to the Smart Centre Server.
 
Update Package details
 
1. Go into Smart Update and under the Packages tab select “Get Gateway Data” for the Smart Centre Server.
2. If this option is greyed out, a symlink could be missing.
Troubleshooting steps can be found by selecting (from toolbar) Packages > Get Data From All.
 
Final Steps
1. As an additional test of the Smart Centre's ICA connectivity, select “Get OS” within the Smart Centre Object. If this completes without any dialog then the communication is fine.
2. Then re-push the policy from your new manager to your firewalls.
 
Additional Resources: Check Point KB: SK22867 – “Peer Sent Wrong DN” – useful for ICA issues.
Rick Donato
