The user has a distributed environment - Security Management Server managing two Security Gateways configured as a cluster. The user now wants to migrate to a single Full HA cluster, and migrate the Security Management Server to the primary cluster member.
Note: Procedure described below is based on UTM-1 appliances running SecurePlatform OS.
Table of Contents
Upgrading the primary cluster member and migrating the Security Management Server
Configuring the cluster
Upgrading the second UTM-1 appliance and configuring the secondary cluster member
(I) Upgrading the primary cluster member and migrating the Security Management Server
Back up the network configuration of the source cluster member by copying netconf.C (on SecurePlatform, /etc/sysconfig/netconf.C) to a remote location. (Later you will copy it to the target primary Full HA appliance.)
Refer to the "Migration to a New Machine with a Different IP Address" instructions in Chapter 7 of the Upgrade Guide Version NGX R65. Create Security Management Server objects that represent the target Security Management Server's IP addresses:
Create a new Check Point "Secondary Security Management Server" with the VIP of the target HA cluster.
Create another new Check Point "Secondary Security Management Server" with the IP address of the UTM-1 appliance that will become the primary cluster member / Security Management Server.
Install Policy on all Security Gateways.
After the Policy installs successfully, delete these Secondary Security Management Server objects.
If the Reporting Server is set to "off" on the source (external) Security Management Server, the import to the UTM-1 standalone will fail, because the Reporting Server there is set to "on". To correct this, on the target UTM-1 appliance:
Run cpstop on the target UTM-1 standalone.
Run evconfig, and turn off the Reporting Server (option 1) on the target UTM-1 primary cluster member, then "save and exit" (option 4).
cd to $FWDIR/conf/ and run the following command: cp reporting/obj/reporting_*.C .
Import the source (external) Security Management Server database into the newly installed member (the member that is still disconnected from the network).
Important: If you encounter the 'Database migration between Standalone and Management only machines is not supported' error on the Standalone machine when trying to import the configuration from the Distributed environment, refer to sk85900.
Note: You may also see the following message: "Warning: Failed to upgrade Eventia Reporter".
Install the SmartDashboard version that matches the target and connect to the newly installed member.
The IP address of the Security Management Server object must be changed manually in SmartDashboard after the database import. The MAC addresses, the routing tables and other system configurations remain as defined before the import; there is no need to modify these after the import. For more detailed information on database export/import (the upgrade_export / upgrade_import tools), refer to the Upgrade Guide - Chapter 7 "Advanced Upgrade of Security Management Servers & Standalone Gateways".
All the products that were enabled in the source database will also be enabled on the destination server after the import, so there is no need to enable them in SmartDashboard. The user must make sure that all the specified products are actually installed on the server and have a valid license.
Save and close SmartDashboard.
(II) Configuring the cluster
Using the WebUI, on the Product Configuration page, make the standalone appliance the primary member of a Full HA cluster.
Reboot the member.
In SmartDashboard, connect again to the Security Management Server on the target primary cluster member. The UTM-1 cluster wizard opens.
Configure the cluster name.
Note: When configuring the new cluster, you cannot use the previous cluster name since it still exists in the database.
Configure the primary cluster member.
Skip the secondary member configuration by selecting the option "Selecting this option results in a UTM-1 cluster with a single primary member". On the Cluster Topology page of the cluster wizard, enter the Virtual IP address of the cluster. Finish the cluster wizard.
In the Security Rule Base, modify the rules that referred to the "old" Security Gateways and cluster so that they use the new UTM-1 cluster objects (the primary cluster member / Security Management Server).
Delete the source UTM-1 cluster. (You must delete the source cluster and its members in order to be able to install Policy on the newly created cluster.)
Install Policy on the newly created cluster (Primary cluster member /Security Management Server):
Select the "Installed on each selected GW independently" option.
Uncheck the "For GW clusters installed on all the members, if it fails do not install at all" option.
(III) Upgrading the second UTM-1 appliance and configuring the secondary cluster member
Connect the primary cluster member to the network, and disconnect the other UTM-1 appliance. Expect a short period of downtime while switching between the primary cluster member / Security Management Server and the other appliance.
Before starting the secondary WebUI installation, decide which interface will carry the SYNC network. Cable the two appliances together, using LAN1 as the SYNC interface.
Note: Each SYNC interface can be defined by either using the WebUI First Time Configuration Wizard, or later using the WebUI Menu (Network > Connections).
Using a USB key, install the other machine as locally managed, and as the secondary member of a UTM-1 cluster.
Verify that the LAN1/SYNC interfaces on both appliances are on the same subnet.
Connect the new secondary machine to the network.
Open SmartDashboard (connecting to the Security Management Server on the target primary cluster member).
Double-click the cluster object. Select "simple mode wizard". The first-time UTM-1 cluster wizard opens again.
Configure the secondary cluster member using the wizard and click "Finish".
Configure the cluster using the UTM-1 cluster configuration.
Install Policy and Synchronize DB (Policy > Management High Availability > Synchronize).
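The step "Verify that the LAN1/SYNC interfaces on both appliances are on the same subnet" is easy to get wrong by a single octet or a mistyped netmask. The following shell script is an added example, not part of the Check Point article: it takes each appliance's SYNC IP address and netmask as shown in the WebUI (Network > Connections) and reports whether the two addresses share a subnet, rejecting malformed addresses and non-contiguous masks. The script name and the addresses in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Check Point article): pre-flight check that the
# two UTM-1 SYNC interfaces are on the same subnet before running the
# secondary-member wizard. Pure POSIX sh, no external tools required.

# valid_ipv4 A.B.C.D: return 0 if the string is a well-formed dotted quad
# (exactly four decimal octets 0-255, no leading zeros).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*.*.*.*.*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    split_quad "$1"
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# split_quad A.B.C.D: set the globals a b c d using parameter expansion.
split_quad() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
}

# ip_to_int A.B.C.D: print the address as a 32-bit unsigned integer.
ip_to_int() {
    split_quad "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N: print a 32-bit integer as a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# contiguous_mask N: return 0 if N is a usable netmask, i.e. a run of ones
# followed by a run of zeros (rejects 0.0.0.0 and typos like 255.255.0.255).
contiguous_mask() {
    inv=$(( ~$1 & 4294967295 ))
    [ "$1" -ne 0 ] && [ $(( (inv + 1) & inv )) -eq 0 ]
}

# same_subnet IP1 MASK1 IP2 MASK2: return 0 if both SYNC interfaces are on
# the same subnet with the same mask and distinct addresses, 1 if they are
# not, 2 if an input is malformed. Diagnostics go to stderr.
same_subnet() {
    for v in "$1" "$2" "$3" "$4"; do
        valid_ipv4 "$v" || { echo "malformed address or mask: $v" >&2; return 2; }
    done
    m1=$(ip_to_int "$2"); m2=$(ip_to_int "$4")
    contiguous_mask "$m1" || { echo "invalid netmask: $2" >&2; return 2; }
    [ "$m1" -eq "$m2" ] || { echo "netmasks differ: $2 vs $4" >&2; return 1; }
    n1=$(( $(ip_to_int "$1") & m1 ))
    n2=$(( $(ip_to_int "$3") & m1 ))
    [ "$n1" -eq "$n2" ] || {
        echo "SYNC interfaces are on different subnets: $(int_to_ip "$n1") vs $(int_to_ip "$n2")" >&2
        return 1
    }
    [ "$1" != "$3" ] || { echo "both SYNC interfaces use the address $1" >&2; return 1; }
    return 0
}

# Usage (sample values): sh sync_subnet_check.sh 10.10.10.1 255.255.255.0 10.10.10.2 255.255.255.0
if [ "$#" -eq 4 ]; then
    if same_subnet "$@"; then
        echo "OK: both SYNC interfaces are on $(int_to_ip "$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))") with mask $2"
    else
        exit $?
    fi
fi
```

Run it from any workstation with a POSIX shell; a non-zero exit means the wizard will most likely fail to bring up state synchronization, so fix the SYNC addressing in the WebUI before continuing.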