Check Point Smart-1 Migration

If you need to migrate your Check Point Smart-1 Multi-Domain Server (MDS/Provider-1) installation to a new device/appliance, the steps below cover the entire process from start to finish.

This post includes the steps needed if your target appliance/device is different from your source appliance. I successfully migrated from a Smart-1 150 to a Smart-1 3150 running R77.30 using these steps. You can skip the Additional Steps for changing the LeadingIP and external interface if your target appliance has the same naming convention as your source.

Below are the details of the migration I completed successfully.

Source
Platform: Smart-1 150
Version: R77.30
HA: No
Physical Interface: Mgmt1

Target
Platform: Smart-1 3150
Version: R77.30
HA: No
Physical Interface: bond0

Migration Steps

Note: The target device should be prepared with a basic MDS installation before you begin.

Source Device

  1. Create a new directory for the backup.

    #mkdir /var/log/MDSMigrate

  2. Back up the current MDS installation.

    #mds_backup -L all -l -s -i -d /var/log/MDSMigrate

  3. Calculate the MD5 hash of the backup file and make note of it.

    #md5sum 1Jan2017-225112.mdsbk.tgz

  4. Move the backup file and other required files off the device.

    #cd /var/log/MDSMigrate
    #ftp x.x.x.x
    ftp> bin
    ftp> hash
    ftp> put 1Jan2017-225112.mdsbk.tgz
    ftp> put gtar
    ftp> put gzip
    ftp> put tar
    ftp> put mds_restore
    ftp> bye

Target Device

  1. Create a temporary directory.

    #mkdir /var/tmp/MDSMigrate
    #cd /var/tmp/MDSMigrate/

  2. Copy the files to the device.

    #ftp x.x.x.x
    ftp> bin
    ftp> hash
    ftp> get tar
    ftp> get mds_restore
    ftp> get gzip
    ftp> get gtar
    ftp> get 1Jan2017-225112.mdsbk.tgz
    ftp> bye

  3. Calculate the MD5 hash of the backup file and compare with the hash from the source device. If the hashes are the same, you’re good to go. If not, try copying the files again.

    #md5sum 1Jan2017-225112.mdsbk.tgz
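The hash comparison in step 3 can be scripted rather than done by eye. The following is an added example and not part of the original post: record_backup_hash writes the MD5 of the backup to a .md5 file beside it on the source device (transfer that file together with the backup), and verify_backup_hash runs md5sum -c against it on the target and returns a pass/fail exit status. The directories and the backup file name are parameters; the defaults are the ones used in this post and are assumptions for your own setup.

```shell
#!/bin/sh
# Added example (not from the original post): scripted MD5 integrity check
# for the MDS backup. Source side records the hash, target side verifies it.
# Default paths/file name are assumptions taken from the post's own steps.

# Source device: record "<md5>  <file>" into <file>.md5 next to the backup.
# Running md5sum from inside the directory keeps the recorded name relative,
# so the same .md5 file verifies cleanly in a different directory later.
record_backup_hash() {
    dir=$1; file=$2
    ( cd "$dir" && md5sum "$file" > "$file.md5" )
}

# Target device: exit status 0 when the backup matches its recorded hash,
# non-zero when it was corrupted or truncated in transfer. Output is
# suppressed so the caller decides what to report.
verify_backup_hash() {
    dir=$1; file=$2
    ( cd "$dir" && md5sum -c "$file.md5" >/dev/null 2>&1 )
}

# Command-line use: "record <dir> <file>" on the source device,
# "verify <dir> <file>" on the target device.
case "${1:-}" in
    record)
        record_backup_hash "${2:-/var/log/MDSMigrate}" "${3:-1Jan2017-225112.mdsbk.tgz}" ;;
    verify)
        if verify_backup_hash "${2:-/var/tmp/MDSMigrate}" "${3:-1Jan2017-225112.mdsbk.tgz}"; then
            echo "hash OK, safe to restore"
        else
            echo "hash MISMATCH, copy the backup again" >&2
            exit 1
        fi ;;
esac
```

Run `sh check_backup.sh record /var/log/MDSMigrate 1Jan2017-225112.mdsbk.tgz` on the source before the FTP transfer, put the resulting .md5 file alongside the backup, and run the `verify` form on the target before mds_restore; a non-zero exit means copy the files again, exactly as the step above says.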

Source Device

  1. Take the device offline – just unplug the network cable. This is needed if the target device needs to have the same IP address as the source device.

Target Device

  1. Change to the MDS config directory and modify the LeadingIP file. Do this before restoring from the backup to avoid errors during the restoration process; it is only needed if the target device has been installed on the network with a different IP address from the source.

    #cd /opt/CPmds-R77/conf/
    #vi LeadingIP
    #cat LeadingIP

  2. Change to the temporary directory and modify file permissions.

    #cd /var/tmp/MDSMigrate/
    #chmod 777 *

  3. Restore the MDS from the backup file.

    #./mds_restore 1Jan2017-225112.mdsbk.tgz

Additional Steps

  1. Stop the MDS service.

    #mdsstop

  2. Change the external interface – this is the physical interface you want to use on the new device.

    #cd $MDSDIR/conf
    #vi external.if
    #cat external.if

  3. Change the virtual IP for each of the customers (domain/CMA) to reflect the IP addresses from the source device.

    #cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
    #vi /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_1/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
    #vi /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_2/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
    #vi /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
    #cat /opt/CPmds-R77/customers/Customer_3/CPsuite-R77/fw1/conf/vip_index.conf
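Step 3 repeats the same cat/vi/cat sequence for every customer. The following is an added example, not part of the original post, that does the same edit across all domains in one pass and keeps a .bak copy of each file. It assumes (check with cat first, as the step above does) that each line of vip_index.conf has the form "<virtual IP> <interface>" and that, as in this migration from Mgmt1 to bond0, the interface token is what needs to change; the MDS root defaults to /opt/CPmds-R77 from the post. Point it at a copy of the customers tree first to see what it would change.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the interface name in
# every domain's vip_index.conf under an MDS root in one loop.
# ASSUMPTION: each line is "<vip> <interface>"; the root path, the customers/
# layout and the Mgmt1 -> bond0 change are taken from the post.

# Print "<customer> <vip> <interface>" for every domain under ROOT.
list_vips() {
    root=${1:-/opt/CPmds-R77}
    for f in "$root"/customers/*/CPsuite-R77/fw1/conf/vip_index.conf; do
        [ -f "$f" ] || continue
        cust=${f#"$root"/customers/}
        cust=${cust%%/*}
        while read -r vip ifc rest; do
            [ -n "$vip" ] && printf '%s %s %s\n' "$cust" "$vip" "$ifc"
        done < "$f"
    done
}

# Replace OLD_IF with NEW_IF as the interface token in every vip_index.conf
# under ROOT. A .bak copy is kept beside each file; the original file is
# rewritten in place (so its mode stays as it was). Prints the number of
# files whose content actually changed.
rewrite_vip_interface() {
    root=$1; old=$2; new=$3; changed=0
    for f in "$root"/customers/*/CPsuite-R77/fw1/conf/vip_index.conf; do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.bak"
        # Anchor on "<anything-without-space> <old>" so a VIP is never touched.
        sed "s/^\([^ ]*\) $old\$/\1 $new/" "$f.bak" > "$f"
        cmp -s "$f" "$f.bak" || changed=$((changed + 1))
    done
    echo "$changed"
}

# Command-line use: "list [root]" or "rewrite [root] <old_if> <new_if>".
case "${1:-}" in
    list)    list_vips "${2:-/opt/CPmds-R77}" ;;
    rewrite) rewrite_vip_interface "${2:-/opt/CPmds-R77}" "$3" "$4" ;;
esac
```

Run the `list` form before and after `rewrite` to confirm that only the interface column changed and that every VIP still matches what the source device had; the .bak files let you revert a single domain if one of them looks wrong.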

  4. Start the MDS service.

    #mdsstart

Verification

Verify that all the CMAs are up and running. This will take a few seconds.

    #mdsstat

Log in to the SmartDomain Manager and install the policy on at least one gateway in each CMA to verify the restoration.


Prithvi Mandava

Prithvi is an experienced cyber security professional with global experience across 3 continents. He has proven skills and experience on Cisco, Check Point, Fortinet, Juniper and other vendors’ products and technologies. He also has a passion for nature and landscape photography and can be seen lugging his camera gear in and around some pretty locations.

A few of the industry credentials he currently holds include CISSP, CISM, CISA, CCNP R&S, CCNA Security, CCNA.
