Check Point Smart-1 Migration
If you need to migrate your Check Point Smart-1 MDMS (MDS/Provider-1) installation to a new device/appliance, the steps below cover the entire process from start to finish.
This post includes the steps needed if your target appliance/device is different from your source appliance. I successfully migrated from a Smart-1 150 to a Smart-1 3150 running R77.30 using these steps. You can skip the Additional Steps for changing the LeadingIP and external interface if your target appliance has the same naming convention as your source.
Below are the details of the migration I completed successfully.
Source device
Platform: Smart-1 150
Physical Interface: Mgmt1
Target device
Platform: Smart-1 3150
Physical Interface: bond0
Note: The target device should be prepared by having a basic installation of MDS.
- Create a new directory for the backup.
- Back up the current MDS installation.
#mds_backup -L all -l -s -i -d /var/log/MDSMigrate
- Calculate the MD5 hash of the backup file and make note of it.
- Move the backup file and other required files off the device.
ftp> put 1Jan2017-225112.mdsbk.tgz
ftp> put gtar
ftp> put gzip
ftp> put tar
ftp> put mds_restore
- Create a temporary directory.
#mkdir /var/tmp/MDSMigrate
#cd /var/tmp/MDSMigrate/
- Copy the files to the device.
ftp> get tar
ftp> get mds_restore
ftp> get gzip
ftp> get gtar
ftp> get 1Jan2017-225112.mdsbk.tgz
- Calculate the MD5 hash of the backup file and compare with the hash from the source device. If the hashes are the same, you’re good to go. If not, try copying the files again.
- Take the device offline – just unplug the network cable. This is needed if the target device needs to have the same IP address as the source device.
- Change to the MDS config directory and modify the LeadingIP. This needs to be done before restoring from the backup to avoid any errors during the restoration process and is only needed if the target device has been installed on the network with a different IP address.
- Change to the temporary directory and modify file permissions.
#chmod 777 *
- Restore the MDS from the backup file.
- Stop the MDS service.
- Change the external interface – this is the physical interface you want to use on the new device.
- Change the virtual IP for each of the customers (domain/CMA) to reflect the IP addresses from the source device.
- Start the MDS service.
Verify that all the CMAs are up and running. This will take a few seconds.
Log in to the SmartDomain Manager and install the policy on at least one gateway in each CMA to verify restoration.
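The two hash steps above can be turned into a manifest check. This is an added example, not part of the original post: it covers the helper files as well as the backup archive and adds a gzip integrity test, which goes beyond what the post describes. The manifest name `MDSMigrate.md5` and the function names are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post). File names follow the post;
# the manifest name and function names are assumptions.
MANIFEST="MDSMigrate.md5"              # hypothetical manifest file name
HELPERS="gtar gzip tar mds_restore"    # helper files the post transfers

# Source device: hash the backup archive and the helpers before the transfer.
# Copy the resulting manifest to the target together with the other files.
make_manifest() {
    ( cd "$1" && md5sum -- *.mdsbk.tgz $HELPERS > "$MANIFEST" )
}

# Target device: run before mds_restore.
# Returns 0 if every manifest entry is present and matches and the archive
# is a complete gzip stream; 1 on a missing or changed file (failing entries
# are printed); 2 if the manifest is absent; 3 if the archive is damaged.
verify_transfer() {
    local dir="$1" result archive
    [ -r "$dir/$MANIFEST" ] || { echo "no manifest in $dir" >&2; return 2; }

    # md5sum -c prints one "<file>: OK" or "<file>: FAILED ..." line per entry
    # and exits non-zero if any entry fails or the manifest is unusable.
    if ! result=$(cd "$dir" && LC_ALL=C md5sum -c "$MANIFEST" 2>/dev/null); then
        echo "$result" | grep -v ': OK$' || true
        return 1
    fi

    # A matching hash only proves the copy equals the source file; gzip -t
    # also catches an archive that was already truncated on the source.
    for archive in "$dir"/*.mdsbk.tgz; do
        if ! gzip -t -- "$archive" 2>/dev/null; then
            echo "$(basename "$archive"): gzip integrity test failed"
            return 3
        fi
    done
    return 0
}
```

Run `make_manifest /var/log/MDSMigrate` on the source and `verify_transfer /var/tmp/MDSMigrate` on the target, and only proceed to the restore when the second call returns 0.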
Prithvi is an experienced cyber security professional with global experience across 3 continents. He has proven skills and experience on Cisco, Check Point, Fortinet, Juniper and other vendors’ products and technologies. He also has a passion for nature and landscape photography and can be seen lugging his camera gear in and around some pretty locations.
A few of the industry credentials he currently holds include CISSP, CISM, CISA, CCNP R&S, CCNA Security, CCNA.