Aug 31, 2022 3 min read

CheckPoint SMART-1 Migration

If you need to migrate your Check Point Smart-1 MDMS (MDS/Provider-1) installation to a new device/appliance, the below steps cover the entire process from start to finish.

This post includes the steps needed if your target appliance/device is different from your source appliance. I successfully migrated from a Smart-1 150 to a Smart-1 3150 running R77.30 using these steps. You can skip the Additional Steps for changing the LeadingIP and external interface if your target appliance has the same naming convention as your source.

Below are the details of the migration I completed successfully.

Source
Platform: Smart-1 150
Version: R77.30
HA: No
Physical Interface: Mgmt1

Target
Platform: Smart-1 3150
Version: R77.30
HA: No
Physical Interface: bond0

MIGRATION STEPS

Note: The target device should be prepared by having a basic installation of MDS.

SOURCE DEVICE

Create a new directory for the backup.
#mkdir /var/log/MDSMigrate
Backup current MDS installation.
#mds_backup -L all -l -s -i -d /var/log/MDSMigrate
Calculate the MD5 hash of the backup file and make note of it.
#md5sum 1Jan2017-225112.mdsbk.tgz
Move the backup file and other required files off the device.
#cd /var/log/MDSMigrate
#ftp x.x.x.x
ftp> bin
ftp> hash
ftp> put 1Jan2017-225112.mdsbk.tgz
ftp> put gtar
ftp> put gzip
ftp> put tar
ftp> put mds_restore
ftp> bye

TARGET DEVICE

Create a temporary directory.
#mkdir /var/tmp/MDSMigrate #cd /var/tmp/MDSMigrate/
Copy the files to the device.
#ftp x.x.x.x
ftp> bin
ftp> hash
ftp> get tar
ftp> get mds_restore
ftp> get gzip
ftp> get gtar
ftp> get 1Jan2017-225112.mdsbk.tgz
ftp> bye
Calculate the MD5 hash of the backup file and compare with the hash from the source device. If the hashes are the same, you’re good to go. If not, try copying the files again.
#md5sum 1Jan2017-225112.mdsbk.tgz

SOURCE DEVICE

Take the device offline – just unplug the network cable. This is needed if the target device needs to have the same IP address as the source device.

TARGET DEVICE

Change to the MDS config directory and modify the LeadingIP. This needs to be done before restoring from the backup to avoid any errors during the restoration process and is only needed if the target device has been installed on the network with a different IP address.
#cd /opt/CPmds-R77/conf/
#vi LeadingIP
#cat LeadingIP
Change to the temporary directory and modify file permissions.
#cd /var/tmp/MDSMigrate/
#chmod 777 *
Restore the MDS from the backup file.
#./mds_restore 1Jan2017-225112.mdsbk.tgz

ADDITIONAL STEPS

Stop the MDS service.
#mdsstop
Change the external interface – this is the physical interface you want to use on the new device.
#cd $MDSDIR/conf
#vi external.if
#cat external.if
Change the virtual IP for each of the customers (domain/CMA) to reflect the IP addresses from the source device.
#cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
#vi /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
#vi /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
#vi /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
#cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
Start the MDS service.
#mdsstart

VERIFICATION

Verify that all the CMAs are up and running. This will take a few seconds.

#mdsstat