Checkpoint SMS Migration Process

This guide explains how to migrate from one SMS to another. Changing Hostname, Platform and Version.

Uploaded by

Dave Cullen

Checkpoint SMS Migration and Hostname Change

Desired Result:
Migrate from an existing SMS to a brand new SMS, changing the IP addresses (LAN and external), the Linux hostname, and the SMS name within SmartDashboard and the ICA.
The new SMS in this example is built with a different hostname from the old one.
Process:
1. In the OLD SMS rule base, create separate dummy node objects for both the LAN IP and the Internet/NAT IP of the new SMS. Also add the static NAT IP to the LAN node and select to install it on its local gateway. Ensure the names used will not conflict with the actual name of the new SMS; anything else can be used here, e.g. MGT1-LAN and MGT1-NAT. (Before creating a separate node object for the NAT IP I was getting blocks in Tracker.)
2. Right-click the node object for the LAN IP of the new SMS > More > Convert to Checkpoint Host. Open the host object and enable the relevant management blades, matching your current SMS object, for example. (I did this to ensure any implied rules specifically for management were applied to the IPs of the new SMS.) Don't establish SIC; it's not required.
3. Push to all Gateways and close SmartDashboard
4. Migrate export from the old SMS (Using latest upgrade tools)
5. Migrate import to the new SMS (Using latest upgrade tools)
6. Add the newly generated MGT license to the SMS, reflecting the LAN IP change
7. Connect to the new SMS using SmartDashboard
8. Change the IPs of the previously created dummy objects from the new SMS IPs to the old SMS IPs (this ensures the old SMS can still communicate with the gateways if you need to roll back the change and migrate the gateways back to the old SMS).
9. Change the interface name, IP and topology of the old SMS object to reflect the new SMS details
10. Change the platform info of the old SMS object to reflect the new box platform OS
11. SSH to the new SMS and enter expert mode
12. Navigate to $FWDIR/conf
cd $FWDIR/conf
13. Backup the database
cp objects_5_0.C objects_5_0.orig
14. Open objects_5_0.C in vi
vi objects_5_0.C
15. Use the search-and-replace function in vi to replace all instances of the old hostname with the new one (the trailing g replaces every occurrence on each line, not just the first)
:%s/oldHostname/newHostname/g
Exit vi with :wq

16. If you have created IKE certificates, remove them from the objects_5_0.C file. The following command string backs up the file to /var/tmp and then strips the contents of each :certificates ( ... ) block, leaving the empty container in place:
cp $FWDIR/conf/objects_5_0.C /var/tmp/objects_5_0.C.old; awk 'BEGIN {c=0}; /:certificates \(\)/ {print;next}; /:certificates \(/ {c=1;print;next}; c>0 && /\(/ {c++}; c>0 && /\)/ {c--}; c<=0 {print}' $FWDIR/conf/objects_5_0.C > /var/tmp/objects.new; cp /var/tmp/objects.new $FWDIR/conf/objects_5_0.C
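As an added example that is not part of the original guide, the following rehearses steps 13 to 16 against a constructed objects_5_0.C fragment in a scratch directory before the real file is touched; the sample's hostnames (oldsms/newsms), DN and IPs are placeholders, and the sed substitution stands in for the interactive vi :%s step.

```shell
#!/bin/sh
# Added example, not from the original guide: rehearses steps 13 to 16 on a constructed
# objects_5_0.C fragment in a scratch directory before touching the real $FWDIR/conf copy.
set -eu
# Constructed sample in Check Point's nested-parentheses "set" syntax; oldsms/newsms and
# the DN are placeholders, not values from any real deployment.
make_sample() {
cat <<'EOF'
(
  :network_objects (
    : (oldsms
      :type (host)
      :ipaddr (10.1.1.10)
      :certificates (
        : (defaultCert
          :dn (CN=vpn_oldsms,O=oldsms..abc123)
          :type (ike)
        )
      )
    )
    : (branch-gw
      :certificates ()
      :ipaddr (192.0.2.10)
    )
  )
)
EOF
}
# rewrite_objects FILE OLDHOST NEWHOST
# Step 13: keep an untouched copy as FILE.orig. Step 15: replace every occurrence of
# OLDHOST (sed equivalent of vi's :%s/old/new/g). Step 16: the guide's awk empties each
# ":certificates (" block but keeps its closing parenthesis; ":certificates ()" is left alone.
rewrite_objects() {
  f=$1; old=$2; new=$3
  cp "$f" "$f.orig"
  sed "s/$old/$new/g" "$f.orig" > "$f.tmp"
  awk 'BEGIN {c=0}; /:certificates \(\)/ {print;next}; /:certificates \(/ {c=1;print;next};
       c>0 && /\(/ {c++}; c>0 && /\)/ {c--}; c<=0 {print}' "$f.tmp" > "$f"
  rm -f "$f.tmp"
}
# count_matches FILE PATTERN: lines matching PATTERN, printing 0 rather than failing,
# used to confirm no old hostname or certificate DN survived the rewrite.
count_matches() { grep -c -- "$2" "$1" || true; }
# Stand-alone rehearsal in a temp dir.
d=$(mktemp -d); make_sample > "$d/objects_5_0.C"
rewrite_objects "$d/objects_5_0.C" oldsms newsms
echo "old hostname refs left: $(count_matches "$d/objects_5_0.C" oldsms)"; cat "$d/objects_5_0.C"; rm -rf "$d"
```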
17. Destroy the Internal Certificate Authority
fwm sic_reset
18. Recreate the CA
cpconfig
Certificate Authority
19. Make sure it shows the new hostname here. If not, make sure you set the hostname correctly
20. After the CA is initialised, exit cpconfig
21. Reboot the SMS
22. Connect with SmartDashboard and make sure the SMS object name reflects the new hostname
24. SSH to the first gateway you need to migrate
25. In expert mode, navigate to the root directory
cd /
26. Create a script that runs cpconfig and then unloads the firewall policy straight after. This is a precautionary measure to ensure you are not locked out of the gateway after SIC is reset and the default policy is loaded.
vi sic.bat
Type i to enter insert mode
The content of the file should read:
#!/bin/bash
cpconfig
fw unloadlocal
Press Escape to exit insert mode
Type :wq and hit Enter to save and exit the file
27. Once the file is created, you need to make it executable
chmod 777 sic.bat
28. Run the batch file
./sic.bat
29. Within cpconfig, select Secure Internal Communication, confirm you want to reset SIC, enter the activation code and exit cpconfig. The changes are only applied upon exit!
By using the script, you ensure that after SIC is reset and cpconfig exits, an fw unloadlocal command is run.
30. In SmartDashboard, reset SIC on the corresponding gateway and click OK to close the gateway properties window. A new certificate will be generated and can be viewed in the gateway object's IPSec VPN tab.

Now you need to open and close (click OK) each gateway in SmartDashboard. This action generates a new certificate from the ICA; otherwise verification will fail, as not all gateways have a certificate. If this does not generate a certificate for any reason, you can work around it by manually generating a certificate with the Add button. Enter any nickname, click Generate and click OK. This certificate can be removed later if required.
31. Push policy to the gateway that now has SIC with the new SMS.
32. I suggest repeating the above with one other gateway within the same VPN community first, to
ensure these sites can communicate. Ping the remote site and check SmartView Monitor for the
active VPN tunnel. If successful, repeat the SIC steps and push to all other gateways.
Remember you need to push to Edge and any applicable Appliance profiles to ensure the
policy is there next time these devices perform a pull. You may also need to HTTPS to any of
these devices to manually reset SIC and specify a new management IP if this has changed as a
result of the migration. For edge appliances or 1200 series appliances, you do not need to
script the SIC reset process, doing this from the WebUI will not cut you off. I cannot comment
for any other appliances.
Reference:
Changing Security Management server hostname in SmartDashboard fails
This SK article explains the process of changing the hostname and Checkpoint object name, from which I have taken the steps required to achieve the end result in my scenario.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk94871
Disclaimer:
The above is a result of trial and error within a lab environment. Variables on my systems and yours
may lead to different or undesired results. Use these steps at your own risk. Although I am happy to
answer any questions within my own time, I will not be responsible for any results desired or
undesired, as a result of you following my personal processes. This is being shared in an attempt to
assist with fellow checkpoint administrators facing similar tasks. Feel free to customise and store
locally for your own reference. Please do not duplicate and publish on the internet.
