The below procedure allows you to migrate a standalone management environment to a distributed environment by creating a new secondary management server that is installed as a security management server only and promote that management server to become the primary.
This procedure does not work for R80.20 and R80.30 versions, because the ISO and kernel versions are different between the standalone server (gateway ISO) and distributed secondary Management server (Management ISO with New Kernel), which will fail the synchronization.
In R80.40, the ISO is once again unified with Gaia 3.10 on both Security gateway and Management. Therefore, the procedure of migrating standalone Management environment to a distributed environment management environment will work in R80.40 and higher versions.
- Make sure to perform a full backup of your Security Management Server configuration prior to performing this procedure.
- If the installation of Threat Prevention policy fails on the gateways, this could be due to IPS version mismatch between the management and the gateways. To solve this, update the IPS version to the latest and install the policy.
- Install a new secondary security management server using the same version, HF and Jumbo HF as the primary
- Configure a secondary security management server in SmartConsole by following the instructions in the R80.x Security Management Administration Guide that are in the chapter "Configuring a Secondary Server in SmartConsole"
- Make sure that the two management servers are synchronized.
- Install a new Security Gateway with the same version, HF and Jumbo HF, as the old standalone security management.
- Configure the new Security Gateway in the same way as the gateway part on the old standalone Security Management.
- Install the same security policy that is used on the gateway part of the old standalone security management to the newly installed Security gateway.
This allows the new Security Gateway to take over the responsibilities of the gateway part of the old standalone Security Management Server.
- Move all traffic that was handled by the gateway part on the old standalone security management to the newly installed gateway and verify that the traffic and VPN access is working as expected.
- Install the policy to all security gateways in the environment to make them aware of the new secondary management server object.
- Install the database on all log servers and SmartEvent servers in the environment to make them aware of the new secondary management server object.
- Disconnect and power off the old primary management server that is currently acting as management and gateway
- Promote the newly installed secondary management server to become primary by following the instructions in R80.x Security Management Administration Guide in the chapter "Promoting a Secondary Server to Primary".
- Make sure you can successfully install the policy on all security gateways in the environment
- Note: To be able to revert, it is recommended to create a rule allowing the old standalone management server's IP-address to communicate will all gateways. This allows you a fallback method to push the policy from the old management server to the gateways if anything would go wrong.
- Make sure you can successfully install the database on all log servers and SmartEvent servers in the environment.
- Make sure that traffic and VPN access is working as expected
- Make sure that all gateways are sending logs to the new primary management server
If any of the steps fails in this procedure, you can easily revert by:
- Disconnecting the new Security Management Server.
- Disconnecting the new Security Gateway.
- Power-on and reconnecting the old standalone Security Management server that is also acting as gateway.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.