Moving NG to a replacement server

Status
Not open for further replies.

wilsons935

IS-IT--Management
Jul 12, 2004
Looking for any help that can be provided on this one.

I have a current working Firewall-1 NG system running on an aging Dell system and it is time to replace it with a newer system with Raid, more memory, faster processors etc.

The configuration will end up exactly the same with the same IP addresses etc.

I am looking to set up the new server and make sure policies, licences etc load ok before removing the old one.

Does anyone have any advice on the best way to recreate the existing system on the new one? The original idea was to Ghost the old one but due to hardware changes this is not possible.

All ideas welcome!
 
Hi there,

You didn't say whether the system is a "standalone" firewall or distributed system where the management server and the enforcement modules reside on separate machines.

In either case, this is very easy to accomplish. You need to do the following (if you have distributed system, you only need to do this on the management server):

1) Do an upgrade_export on your existing system. The upgrade_export resides in the $FWDIR/bin/upgrade_tools directory. That will create a *.tgz file. Move this file to another machine so that the new system can get to it.

2) Build a brand new system with the same Checkpoint version and the same IP addresses as the old one. Put this system into your staging environment so that the IP address of this system will not conflict with the production system.

3) Run cpconfig on the new system and get it ready. Move the *.tgz file into a temporary directory of the new system.

4) Go into the $FWDIR/bin/upgrade_tools directory and run "upgrade_import whatever_file.tgz" with the tgz file in step 1.

5) Reboot the box.

6) Remove the old system and place in the new system.

Pretty simple, isn't it?

Good luck!
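
The archive hand-off in steps 1 to 4 above, with an integrity check around it, as an added example that is not part of the original post and not Check Point tooling. The function names seal_export and verify_export are hypothetical, and a POSIX shell with tar and sha256sum (or shasum) is assumed, as on a Unix-style host rather than the Windows install discussed in this thread.

```shell
#!/bin/sh
# Added example: integrity checks for the upgrade_export archive while it
# travels from the old host to the new one. Helper names are hypothetical.

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Old host, right after upgrade_export: make sure the result is a readable
# gzip tar (a failed compress step can leave a missing or truncated file),
# record its digest, and restrict access, since the archive carries the
# whole configuration including the licence.
seal_export() {
    archive=$1
    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 1; }
    tar -tzf "$archive" >/dev/null 2>&1 ||
        { echo "not a readable .tgz: $archive" >&2; return 2; }
    sha256_of "$archive" > "$archive.sha256"
    chmod 600 "$archive" "$archive.sha256"
}

# New host, right before upgrade_import: refuse to continue unless the
# archive matches the digest recorded on the old host. Carry the digest
# file by a separate channel from the archive where possible.
verify_export() {
    archive=$1
    digest_file=$2
    [ -s "$digest_file" ] || { echo "no digest: $digest_file" >&2; return 1; }
    expected=$(cat "$digest_file")
    actual=$(sha256_of "$archive")
    [ "$expected" = "$actual" ] ||
        { echo "digest mismatch for $archive" >&2; return 3; }
    tar -tzf "$archive" >/dev/null 2>&1 ||
        { echo "not a readable .tgz: $archive" >&2; return 2; }
}
```

Run seal_export on the old host once upgrade_export finishes, and run verify_export on the new host before upgrade_import; a non-zero return means the archive should not be imported.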
 
Hi wirelesspeap

Thanks for your reply. I should have stated clearly this is a stand-alone setup with the Management and Enforcement running on the same machine with Checkpoint Firewall-1 NG FP3 loaded.

I will give this a go as soon as I can shut down the firewall. I am assuming this would be best?

One extra point on licencing, if I am creating the new machine as a copy of the old do I need to do anything extra on licensing or will the export routine take everything I need?

Thanks for your prompt reply.

 
upgrade_import will take care of "everything" including the license. One extra note, make sure the new system has the same HFA as the old one. In other words, they must have the same NG FP3 and same HotFix Accumulators (HFA).

Good Luck!
 
Hi wirelesspeap

As suggested I have tried to run the Update_export and this is the message I get once the Firewall services have stopped.

Checking the existence of necessary files...
Copying files to temp dir...
Building configuration file...
Compressing the files...
Error: Failed to execute "C:\WINNT\FW1\5.0\bin\.\gtar.exe" -c -C "C:\WINNT\FW1\
5.0\tmp\upgrade_temp_dir" -f "cp_db_configuration.tgz.tar" . command
Error: Failed to compress Check Point Software files

The upgrade_temp_dir has been created and the files from the FWDIR and CPDIR have been copied in so it seems like the process of creating the tar file is failing but I can't see why.

Have you come across this before?

Many thanks
 
Hi wilson935,

Yes, I've seen this problem specifically with NG Feature Pack 3. There is a "known" issue with the gtar binary in NG Feature Pack 3. This problem isn't isolated to just Windows. I've seen this problem across platforms, SPLAT and Solaris as well.

You need to open a TAC case with Checkpoint and they will provide you with a newer version of the gtar binary. Replace the old gtar binary with the new one and I think everything will work.

Good luck!
 