3 min read

CheckPoint SMART-1 Migration

CheckPoint SMART-1 Migration
Photo by JJ Ying / Unsplash

If you need to migrate your Check Point Smart-1 MDMS (MDS/Provider-1) installation to a new device/appliance, the below steps cover the entire process from start to finish.

This post includes the steps needed if your target appliance/device is different from your source appliance. I successfully migrated from a Smart-1 150 to a Smart-1 3150 running R77.30 using these steps. You can skip the Additional Steps for changing the LeadingIP and external interface if your target appliance has the same naming convention as your source.

Below are the details of the migration I completed successfully.

Platform: Smart-1 150
Version: R77.30
HA: No
Physical Interface: Mgmt1

Platform: Smart-1 3150
Version: R77.30
HA: No
Physical Interface: bond0


Note: The target device should be prepared by having a basic installation of MDS.


  1. Create a new directory for the backup.
    #mkdir /var/log/MDSMigrate
  2. Backup current MDS installation.
    #mds_backup -L all -l -s -i -d /var/log/MDSMigrate
  3. Calculate the MD5 hash of the backup file and make note of it.
    #md5sum 1Jan2017-225112.mdsbk.tgz
  4. Move the backup file and other required files off the device.
    #cd /var/log/MDSMigrate
    #ftp x.x.x.x
    ftp> bin
    ftp> hash
    ftp> put 1Jan2017-225112.mdsbk.tgz
    ftp> put gtar
    ftp> put gzip
    ftp> put tar
    ftp> put mds_restore
    ftp> bye


  1. Create a temporary directory.
    #mkdir /var/tmp/MDSMigrate #cd /var/tmp/MDSMigrate/
  2. Copy the files to the device.
    #ftp x.x.x.x
    ftp> bin
    ftp> hash
    ftp> get tar
    ftp> get mds_restore
    ftp> get gzip
    ftp> get gtar
    ftp> get 1Jan2017-225112.mdsbk.tgz
    ftp> bye
  3. Calculate the MD5 hash of the backup file and compare with the hash from the source device. If the hashes are the same, you’re good to go. If not, try copying the files again.
    #md5sum 1Jan2017-225112.mdsbk.tgz


  1. Take the device offline – just unplug the network cable. This is needed if the target device needs to have the same IP address as the source device.


  1. Change to the MDS config directory and modify the LeadingIP. This needs to be done before restoring from the backup to avoid any errors during the restoration process and is only needed if the target device has been installed on the network with a different IP address.
    #cd /opt/CPmds-R77/conf/
    #vi LeadingIP
    #cat LeadingIP
  2. Change to the temporary directory and modify file permissions.
    #cd /var/tmp/MDSMigrate/
    #chmod 777 *
  3. Restore the MDS from the backup file.
    #./mds_restore 1Jan2017-225112.mdsbk.tgz


  1. Stop the MDS service.
  2. Change the external interface – this is the physical interface you want to use on the new device.
    #cd $MDSDIR/conf
    #vi external.if
    #cat external.if
  3. Change the virtual IP for each of the customers (domain/CMA) to reflect the IP addresses from the source device.
    #cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
    #vi /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
    #vi /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
    #vi /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
  4. Start the MDS service.


Verify that all the CMAs are up and running. This will take a few seconds.


Login to the SmartDomain Manager and install the policy on at least one gateway in each CMA to verify restoration.