How to migrate a distributed SmartCenter to a Full HA Cluster
Solution

The user has a distributed environment: a Security Management Server managing two Security Gateways that are configured as a cluster. The user now wants to migrate to a single Full HA cluster, with the Security Management Server running on the primary cluster member.

Note: The procedure described below is based on UTM-1 appliances running the SecurePlatform OS.

Table of Contents

  1. Upgrading the primary cluster member and migrating the Security Management Server
  2. Configuring the cluster
  3. Upgrading the second UTM-1 appliance and configuring the secondary cluster member

 

(I) Upgrading the primary cluster member and migrating the Security Management Server

  1. Back up the network configuration of the source cluster member by copying netconf.C to a remote location. (Later you will copy it to the target primary Full HA appliance.)

  2. Refer to the "Migration to a New Machine with a Different IP Address" instructions in Chapter 7 of the Upgrade Guide Version NGX R65. Create Security Management Server objects that represent the target Security Management Server's IP addresses, so that the gateways will accept the management server at its new addresses after the migration:

    1. Create a new Check Point "Secondary Security Management Server" with the VIP of the target HA cluster.

    2. Create another new Check Point "Secondary Security Management Server" with the IP of the cluster member that will be the primary cluster member/Security Management Server.

    3. Install Policy on all Security Gateways.

    4. After the Policy installs successfully, delete these Secondary Security Management Servers.


  3. Export the Security Management Server database using the upgrade_export command.

    Important: If you want to rename the primary Security Management Server object, rename it before running upgrade_export. The primary object cannot be renamed once it is part of a Full HA cluster.

  4. Disconnect the active (source) member from the network; this causes a failover to the standby member.

  5. Perform a fresh install on the now disconnected member, as follows:

    1. Install from a USB key. (Refer to sk33876: Installing UTM-1 NGX R65 with Messaging Security.)

    2. Using the WebUI First Time Configuration Wizard, install as a standalone. On the Management Type page, select "Locally Managed". (Do not choose any cluster option at this stage.)

    3. From the CLI, restore the network configuration by editing the new netconf.C (under /etc/sysconfig/) based on the backed-up copy.

      Note: Copy only the second section of the backed-up file, the routing table (the section that starts with the route entries); leave the interface definitions of the fresh install in place.

      Important: If installing R70, refer to sk37231: How to reinstall Power-1/UTM-1 appliance.


  6. If the Reporting Server is set to "off" on the source (external) Security Management Server, the import into the UTM-1 standalone will fail, because the Reporting Server on the UTM-1 is set to "on". To correct this:

    1. Run cpstop on the target UTM-1 standalone.

    2. Run evconfig, turn off the Reporting Server (option 1) on the target UTM-1 primary cluster member, then choose "Save and exit" (option 4).

    3. cd to $FWDIR/conf/ and run the following command: cp reporting/obj/reporting_*.C .

    4. Run cpstart.


  7. Import the source (external) Security Management Server database into the newly installed (disconnected) member using upgrade_import.

    Important: If you encounter the 'Database migration between Standalone and Management only machines is not supported' error on the Standalone machine when trying to import the configuration from the Distributed environment, refer to sk85900.

    Note: You may also see the following message: "Warning: Failed to upgrade Eventia Reporter".

  8. Install the matching SmartDashboard version and connect to the newly installed member.

    Notes:
    • The IP address must be changed manually in SmartDashboard after the database import. The MAC addresses, routing tables and other system settings remain as defined before the import and need no changes. For more detailed information on database export/import, refer to the Upgrade Guide - Chapter 7 "Advanced Upgrade of Security Management Servers & Standalone Gateways".

    • All products that were enabled in the source database are also enabled on the destination server after the import, so there is no need to enable them in SmartDashboard. Make sure that all of these products are actually installed on the server and have valid licenses.


  9. Save and close SmartDashboard.
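Step 5.3 above asks you to carry only the routing section of the backed-up netconf.C into the freshly installed appliance's file. The script below is an added example, not part of the original article or a Check Point tool: it extracts one balanced ":name ( ... )" section from a Check Point C-format file and splices it into another file, so the interface definitions of the fresh install stay untouched. The section name "route", the simplified file layout and both sample files are assumptions constructed for the demo, not copied from a real appliance; review the diff before copying the merged file over /etc/sysconfig/netconf.C.

```shell
#!/bin/sh
# Added example: copy only the ":route (...)" section of a backed-up
# netconf.C into a freshly installed netconf.C. The C-format nesting,
# the section name and the two sample files are assumptions (constructed).

# Print the balanced "(...)" block that begins at the first line ":KEY (".
extract_c_section() {
    awk -v key="$2" '
        !found && $0 ~ ("^[ \t]*:" key "[ \t]*\\(") { found = 1 }
        found {
            print
            line = $0
            depth += gsub(/\(/, "(", line)   # opening parens on this line
            depth -= gsub(/\)/, ")", line)   # closing parens on this line
            if (depth <= 0) exit             # matching close reached
        }
    ' "$1"
}

# Print FILE ($1) with its ":KEY (...)" section ($2) replaced by the
# contents of SECTIONFILE ($3); everything else in FILE is left as is.
replace_c_section() {
    awk -v key="$2" -v section="$3" '
        !found && !done && $0 ~ ("^[ \t]*:" key "[ \t]*\\(") {
            found = 1
            while ((getline rep < section) > 0) print rep
            close(section)
        }
        found {
            line = $0
            depth += gsub(/\(/, "(", line)
            depth -= gsub(/\)/, ")", line)
            if (depth <= 0) { found = 0; done = 1 }
            next                             # drop the old section lines
        }
        { print }
    ' "$1"
}

WORK=$(mktemp -d)
BACKUP="$WORK/netconf.C.source"   # constructed stand-in for the source member's backup
NEW="$WORK/netconf.C"             # constructed stand-in for the fresh install's file
ROUTES="$WORK/route.C"
MERGED="$WORK/netconf.C.merged"

cat > "$BACKUP" <<'EOF'
(
  :netconf (
    :hostname (fw-source)
    :interface (
      :eth0 (
        :ipaddr (192.168.1.1)
        :netmask (255.255.255.0)
      )
    )
    :route (
      : (
        :dest (0.0.0.0)
        :netmask (0.0.0.0)
        :gateway (192.168.1.254)
      )
      : (
        :dest (10.10.0.0)
        :netmask (255.255.0.0)
        :gateway (192.168.1.253)
      )
    )
  )
)
EOF

cat > "$NEW" <<'EOF'
(
  :netconf (
    :hostname (fw-new)
    :interface (
      :eth0 (
        :ipaddr (10.0.0.2)
        :netmask (255.255.255.0)
      )
    )
    :route (
      : (
        :dest (0.0.0.0)
        :netmask (0.0.0.0)
        :gateway (10.0.0.254)
      )
    )
  )
)
EOF

extract_c_section "$BACKUP" route > "$ROUTES"
replace_c_section "$NEW" route "$ROUTES" > "$MERGED"

# Review the change before copying "$MERGED" over the appliance's netconf.C.
diff "$NEW" "$MERGED" || true
```

The merged file keeps the new appliance's hostname and interface block and takes only the routing table from the backup; the parenthesis counting in awk is what keeps the result well-formed when the two files' route sections differ in length.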

 

(II) Configuring the cluster

  1. Using the WebUI, on the Product Configuration page, make the standalone appliance the primary member of a Full HA cluster.

  2. Reboot the member.

  3. In SmartDashboard, reconnect to the Security Management Server on the target primary cluster member. The UTM-1 cluster wizard opens.

  4. Configure the cluster name.

    Note: The new cluster cannot reuse the name of the source cluster, because that object still exists in the database.

  5. Configure the primary cluster member.

  6. Skip the secondary member configuration by selecting the option "Selecting this option results in a UTM-1 cluster with a single primary member". On the Cluster Topology page of the wizard, enter the Virtual IP address of the cluster, then finish the wizard.

  7. Note the configuration of the source UTM-1 cluster (for example VPN, NAT, ClusterXL mode and SmartDefense Profile); you will re-apply it to the new cluster in section III.

  8. In the Security Rule Base, replace references to the "old" Security Gateways and cluster with the new UTM-1 cluster object (which is also the Security Management Server).

  9. Delete the source UTM-1 cluster object. (The source cluster must be deleted before Policy can be installed on the newly created cluster.)

  10. Install Policy on the newly created cluster (Primary cluster member /Security Management Server):

    1. Select the "Installed on each selected GW independently" option.

    2. Uncheck the "For GW clusters installed on all the members, if it fails do not install at all" option.

 

(III) Upgrading the second UTM-1 appliance and configuring the secondary cluster member

  1. Connect the primary cluster member to the network and disconnect the other UTM-1 appliance. Expect a brief outage while traffic moves from the other appliance to the primary cluster member/Security Management Server.

  2. Before starting the WebUI installation of the secondary member, decide which network will carry state synchronization. Cable the two appliances together, using LAN1 as the SYNC interface.

    Note: The SYNC interface can be defined either in the WebUI First Time Configuration Wizard, or later from the WebUI menu (Network > Connections).

  3. Using a USB key, install the other appliance as locally managed and as the secondary member of a UTM-1 cluster.

  4. Verify that the LAN1/SYNC interface, on both appliances, is on the same subnet.

  5. Connect the new secondary machine to the network.

  6. Open SmartDashboard (connecting to the Security Management Server on the target primary cluster member).

  7. Double-click the cluster object and select "simple mode wizard". The first-time UTM-1 cluster wizard opens again.

  8. Configure the secondary cluster member using the wizard and click "Finish".

  9. Re-apply the settings noted from the source cluster in section II, step 7 (VPN, NAT, ClusterXL mode, SmartDefense Profile).

  10. Install Policy, then synchronize the management database (Policy > Management High Availability > Synchronize).

This solution is about products that are no longer supported and it will not be updated.
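Step 4 of this section requires the LAN1/SYNC interfaces of both appliances to be on the same subnet before the secondary member is brought online. The check below is an added example, not part of the original article: it parses the address and netmask out of net-tools style ifconfig output for one interface on each member and compares the two network addresses. The "inet addr: ... Mask: ..." line layout is an assumption about the ifconfig version on the appliance, and both sample outputs are constructed rather than captured; on the appliances you would feed it "$(ifconfig LAN1)" from each member.

```shell
#!/bin/sh
# Added example: confirm that the SYNC interfaces of both cluster members
# share one subnet. The ifconfig line layout and the two sample outputs
# below are assumptions (constructed), not captured from a real appliance.

# Dotted quad -> unsigned integer, so a netmask can be applied with arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Pull "ADDRESS NETMASK" out of ifconfig output for one interface.
parse_ifconfig_inet() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*Mask:\([0-9.]*\).*/\1 \2/p'
}

# Return 0 when both address/netmask pairs describe the same subnet:
# $1 $2 are address and mask of the first interface, $3 $4 of the second.
same_subnet() {
    [ "$2" = "$4" ] || return 1                 # the masks must agree
    mask=$(ip_to_int "$2")
    net1=$(( $(ip_to_int "$1") & mask ))
    net2=$(( $(ip_to_int "$3") & mask ))
    [ "$net1" -eq "$net2" ]
}

# Parse both members' LAN1 output and print a verdict (0 = ok, 1 = mismatch,
# 2 = could not parse one of the inputs).
check_sync_pair() {
    set -- $(parse_ifconfig_inet "$1") $(parse_ifconfig_inet "$2")
    [ $# -eq 4 ] || { echo "could not parse both interfaces"; return 2; }
    if same_subnet "$1" "$2" "$3" "$4"; then
        echo "SYNC ok: $1/$2 and $3/$4 share a subnet"
    else
        echo "SYNC mismatch: $1/$2 vs $3/$4"
        return 1
    fi
}

# Constructed ifconfig output for LAN1 on each member.
PRIMARY_LAN1='LAN1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:10.255.0.1  Bcast:10.255.0.255  Mask:255.255.255.0'
SECONDARY_LAN1='LAN1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          inet addr:10.255.0.2  Bcast:10.255.0.255  Mask:255.255.255.0'

check_sync_pair "$PRIMARY_LAN1" "$SECONDARY_LAN1"
```

The mask comparison is deliberate: two members with the same network address but different prefix lengths would still pass a naive "same network" test and then disagree about which peers are directly reachable on the sync link.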
