As a company grows from needing one firewall to several, it may be desirable to move the management functions from the firewall platform to a separate box that functions only as a management module. Check Point has, unfortunately , made the process of doing so far more complicated in NG than it was in earlier versions. The assumption is that the two management modules will be of the same type (i.e., they will both be UNIX-type platforms or they will both be Windows-type platforms). This is critical because there is currently no way to convert a UNIX-type registry to a Windows-type registry or vice versa. Also, both management modules should be at the same software revision level, that is, if one management module has NG FP3 with Hotfix Accumulator patch 308 (HFA-308) loaded, then the other management module needs to be at that level as well. Note that the two management modules do not ultimately have to have the same IP address. Before proceeding, perform a cpstop on both management servers. For the purposes of discussion, let us assume you have a machine that has a management module installed on it. This will be the source machine. Let us also assume that you have a newer , more powerful machine that will replace the source machine. This will be the destination machine. The destination machine has had Check Point FireWall-1 loaded on it, configured as a management module. Whether these are both UNIX or Windows machines at this point is not relevant because I provide steps for both UNIX and Windows and will note any differences. What is relevant is that both management modules are the same type of platform (i.e., you cannot do this where one platform is Windows, the other a UNIX type). If the management modules are UNIX, issue the following commands on the destination server: destination# rm rf $CPDIR/conf/* $CPDIR/database/* destination# rm rf $FWDIR/conf/* $FWDIR/database/* $FWDIR/log/* For Windows, the commands are: C:\> del /s %CPDIR%\conf\* C:\> del /s %CPDIR%\database\* C:\> del /s %FWDIR%\conf\* C:\> del /s %FWDIR%\database\* C:\> del /s %FWDIR%\log\* Next , copy the contents of the following directories from the source machine to the destination machine.
On the destination machine, remove the following files, if they exist. They will get recreated when FireWall-1 starts up.
Now you need to copy the SIC key from the registry on the source machine to the destination machine. These steps depend on whether the management stations are UNIX or Windows. On a UNIX platform, edit the registry file. In NG FP1 and NG FP2, the file is $CPDIR/../registry/HKLM_registry.data . In NG FP3 and above, the file is $CPDIR/registry/HKLM_registry.data . On the destination management server, find the entries between the line that begins with : (SIC and the line that contains only a right parenthesis. Delete any entries between those two lines. For example, prior to making this change, the section in the registry file might look like the following: : (SIC :ICAState ("[4]3") :ICAdn ("o=chef.phoneboy.com..iz6ech") :HasCertificate ("[4]1") :MySICname ("cn=cp_mgmt,o=chef.phoneboy.com..iz6ech") :CertPath ("/opt/CPshrd-50-03/conf/sic_cert.p12")) After you make the deletion, the section will look like this: : (SIC) NOTE!
Once you have deleted those entries on the destination machine, copy all entries between the : (SIC and ) lines in the registry file from the source machine to the same location in the destination machine's registry. On a Windows platform, use regedit to export the key HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SIC from the source platform's registry and copy to the destination. If the destination machine had FireWall-1 installed to a different directory than the source, change the CertPath registry entry accordingly . Next, load up new licenses on the destination platform. If the destination server's IP is different, you will need new licenses. Finally, start the destination management server. If the source and destination servers have the same IP, you can skip to Testing Your Migrated Management Module, which follows the next subsection. Source and Destination Management Servers Have Different IP AddressesAssuming that a new management object was created (it should be in most cases), all instances of the source management server's object must be replaced with the destination management server's object. You can easily find all the relevant locations by selecting the source object, right-clicking, and selecting Where Used. If a new management object was not created, simply edit the existing one to match the new configuration. If a new management object was created, both objects now have the same SIC name . This is bad and must be corrected. Close Policy Editor/SmartDashboard and use either dbedit or the Check Point Database Tool to clear the SIC name from the old object. The attribute is called sic_name . For example, if your management object were called charlie_brown, the command in dbedit would be: dbedit> modify network_objects charlie_brown sic_name "" dbedit> update network_objects charlie_brown If you wish to delete the source management object, cpstop the destination management server, then edit $FWDIR/conf/objects_5_0.C (see FAQ 4.2 for guidelines). Find the source management object. Change the attribute Deleteable to true (it will be under the AdminInfo section). Save the changes. Now cpstart the management station, and use Policy Editor/SmartDashboard to remove the object. WARNING!
Next, you must adjust the fully qualified domain name (FQDN) in the ICA. This is used to generate the Certificates Revocation List (CRL) distribution point URL that is written on the ICA-generated certificates. In many cases, you will need to change the FQDN definition to the destination management module's FQDN. You do this in the cpconfig program on UNIX platforms or with the Check Point Configuration Tool on Windows. When gateways managed by the management station are using VPNs with external entities (nonmanaged) and the authentication of these VPNs is done with ICA-generated certificates, changing the FQDN may not be desirable because the authentication of these VPNs will likely fail. There are two possible ways to resolve this.
Finally, adjust the masters and log servers for each module to point at the destination management server before attempting to install the security policy on these modules. Testing Your Migrated Management ModuleThere are five actions you should perform to verify that the destination management station is functional and that the relevant firewall modules are now using it.
If all of these steps work, congratulationsyou've successfully moved a management station from one system to another. Limitations on Moving Management StationsThere are some limitations related to moving management stations.
Moving the Management Module off a Standalone GatewayOften, a small organization begins with a standalone gateway that has the firewall and management module on the same platform. However, there comes a time when the firewall needs to be "just a firewall" and the management module duties are best done on a separate platform. The following section explains how to accomplish this task. Once the new management module is set up with the proper IP addresses and FireWall-1 is configured, you can follow the steps provided earlier. Follow the instructions for deleting the old primary management object because you will need to recreate that object as a firewall module only. Now for the tricky part: convincing your old management plus firewall module to be just a firewall module. In this instance, Check Point recommends reinstalling the software. However, it is possible to take an unsupported shortcut here. After stopping the module with cpstop , you will need to edit the $CPDIR/registry/HKLM_registry.data file to do two things:
To remove SIC information, look for the lines in the registry file that look like this: : (SIC :ICAState ("[4]3") :ICAdn ("o=chef.phoneboy.com..iz6ech") :HasCertificate ("[4]1") :MySICname ("cn=cp_mgmt,o=chef.phoneboy.com..iz6ech") :CertPath ("/opt/CPshrd-50-03/conf/sic_cert.p12")) Remove everything between the first and last lines shown above so the result looks like this: : (SIC) Below the SIC section is the FW1 section. In this section, the following lines will likely need to be changed: :StandAlone ("[4]0") :FWManagement ("[4]0") :Management ("[4]0") :LogServer ("[4]0") :Primary ("[4]0") :HAManagement ("[4]0") On your ex-management station, one or more of these values may be set to "[4]1" . All of the preceding lines should be set to "[4]0" as shown above. At this point, you should use cpconfig to establish a new OTP on the firewall module. If you haven't done so already, create the new gateway object for the firewall module, and establish SIC using the OTP you specified on the firewall module. |