CheckPoint SMART-1 Migration
If you need to migrate your Check Point Smart-1 MDMS (MDS/Provider-1) installation to a new device/appliance, the steps below cover the entire process from start to finish.
This post includes the steps needed if your target appliance/device is different from your source appliance. I successfully migrated from a Smart-1 150 to a Smart-1 3150 running R77.30 using these steps. You can skip the Additional Steps for changing the LeadingIP and external interface if your target appliance has the same naming convention as your source.
Below are the details of the migration I completed successfully.
Source
Platform: Smart-1 150
Version: R77.30
HA: No
Physical Interface: Mgmt1
Target
Platform: Smart-1 3150
Version: R77.30
HA: No
Physical Interface: bond0
MIGRATION STEPS
Note: The target device should be prepared by having a basic installation of MDS.
SOURCE DEVICE
- Create a new directory for the backup.
#mkdir /var/log/MDSMigrate
- Back up the current MDS installation.
#mds_backup -L all -l -s -i -d /var/log/MDSMigrate
- Calculate the MD5 hash of the backup file and make note of it.
#md5sum 1Jan2017-225112.mdsbk.tgz
- Move the backup file and other required files off the device.
#cd /var/log/MDSMigrate
#ftp x.x.x.x
ftp> bin
ftp> hash
ftp> put 1Jan2017-225112.mdsbk.tgz
ftp> put gtar
ftp> put gzip
ftp> put tar
ftp> put mds_restore
ftp> bye
TARGET DEVICE
- Create a temporary directory.
#mkdir /var/tmp/MDSMigrate
#cd /var/tmp/MDSMigrate/
- Copy the files to the device.
#ftp x.x.x.x
ftp> bin
ftp> hash
ftp> get tar
ftp> get mds_restore
ftp> get gzip
ftp> get gtar
ftp> get 1Jan2017-225112.mdsbk.tgz
ftp> bye
- Calculate the MD5 hash of the backup file and compare with the hash from the source device. If the hashes are the same, you’re good to go. If not, try copying the files again.
#md5sum 1Jan2017-225112.mdsbk.tgz
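The steps above hash only the backup archive, but tar, gzip, gtar and mds_restore travel over the same FTP session and are run during the restore. As an added example (not part of the original post), the sketch below extends the same md5sum check to all five files; the manifest name MDSMigrate.md5 and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. File names are the ones the post
# transfers; MANIFEST is a hypothetical name chosen for this sketch.
MIGRATE_FILES="1Jan2017-225112.mdsbk.tgz gtar gzip tar mds_restore"
MANIFEST="MDSMigrate.md5"

# SOURCE: hash every file that will be transferred. Returns 2 if one is missing.
make_manifest() {
    (
        cd "$1" || exit 2
        for f in $MIGRATE_FILES; do
            [ -f "$f" ] || { echo "missing on source: $f" >&2; exit 2; }
        done
        md5sum $MIGRATE_FILES > "$MANIFEST"
    )
}

# TARGET: returns 0 only if every expected file is listed and matches,
# 1 on a hash mismatch or unreadable file, 2 on a missing or incomplete manifest.
verify_manifest() {
    (
        cd "$1" || exit 2
        [ -s "$MANIFEST" ] || { echo "manifest missing or empty" >&2; exit 2; }
        # A truncated manifest must not pass: require an entry for each file.
        for f in $MIGRATE_FILES; do
            grep -q "[ *]$f\$" "$MANIFEST" ||
                { echo "not in manifest: $f" >&2; exit 2; }
        done
        out=$(md5sum -c "$MANIFEST" 2>&1) ||
            { echo "$out" | grep -v ': OK$' >&2; exit 1; }
    )
}

# Usage (run alongside the steps above):
#   source:  make_manifest /var/log/MDSMigrate   then also "put MDSMigrate.md5"
#   target:  "get MDSMigrate.md5", then verify_manifest /var/tmp/MDSMigrate
#            and continue to the restore only if it returns 0.
# MD5 here catches a corrupted or partial transfer; it does not authenticate
# the files against deliberate modification.
```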
SOURCE DEVICE
- Take the device offline – just unplug the network cable. This is needed if the target device needs to have the same IP address as the source device.
TARGET DEVICE
- Change to the MDS config directory and modify the LeadingIP. This needs to be done before restoring from the backup to avoid any errors during the restoration process and is only needed if the target device has been installed on the network with a different IP address.
#cd /opt/CPmds-R77/conf/
#vi LeadingIP
#cat LeadingIP
- Change to the temporary directory and modify file permissions.
#cd /var/tmp/MDSMigrate/
#chmod 777 *
- Restore the MDS from the backup file.
#./mds_restore 1Jan2017-225112.mdsbk.tgz
ADDITIONAL STEPS
- Stop the MDS service.
#mdsstop
- Change the external interface – this is the physical interface you want to use on the new device.
#cd $MDSDIR/conf
#vi external.if
#cat external.if
- Change the virtual IP for each of the customers (domain/CMA) to reflect the IP addresses from the source device.
#cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
#vi /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
#vi /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
#vi /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
- Start the MDS service.
#mdsstart
VERIFICATION
Verify that all the CMAs are up and running. This will take a few seconds.
#mdsstat
Log in to the SmartDomain Manager and install the policy on at least one gateway in each CMA to verify restoration.