How To Change CMA/Domain Name – Preserve SIC

Our local MDS god figured this out. Renaming CMA/Domains

Verified on R77.10.

Note this procedure preserves SIC.

Check Point says this procedure is OK as long as the global policy doesn’t change under you.

 

1. Remove CLM from FW cluster object logging.
2. Old logs:
   1. User Tracker on CLM to issue log switch.
   2. Back up CLM logs (optional).
   3. Make sure to use “p” option to preserve log file timestamps:

“cp –p 2016* /var/temp-logs/”

3. Delete CLM via MDG.
4. Take CMA backup:
   1. mdsenv cma-xyz
   2. cd $FWDIR/bin/upgrade_tools
   3. ./migrate export /var/export_cma-xyz.tgz
5. Delete entire old domain containing CMA.
6. Create new domain & CMA with new names.
   1. Make sure GUI-clients is “any”.
   2. Use same IP address as old CMA so FW still talks to same CMA IP.
   3. Don’t start the CMA till after the import below.
7. Import CMA objects using file /var/export_cma-xyz.tgz.
   1. Click “continue” to the global policy warning.
8. Assign new CMA to appropriate global policy.
9. Create CLM with new names.  Copy logs back in.
10. Tell cluster to send logs to new CLM.
    1. Push policy
    2. Install database.

PA Daily Operations update – From The Trenches

Firewalls have been around for 25+ years and at this point to me is a firewall is a firewall no matter what the label on the box says. I am totally mystified why organizations randomly jump from one vendor to another based on technology alone. I know licensing costs soar, support sucks, platforms are unstable, etc. But in the end a firewall is a firewall and the grass doesn’t get much greener after you make the switch. You probably get 1 year of cheap hardware and kiss ass support before you swirl to the bottom of the toilet as the new vendor pulls in new customers and forgets all the fireworks they promised would fly from your behind.

So yes I am talking the PA vs. CP debacle. PA is a fine firewall (if you don’t turn on all the misc junk). CP is a fine firewall (if you don’t turn on all the misc. junk). PA is a massive marketing machine the earth has never before seen. CP has an incredible enterprise management and logging infrastructure that can’t sell snow to Eskimos.

I just spent 3 hours in a PA hands-on class. Been 5 years since touching one. My reaction : painful.  Why? Because from the marketing rah-rah I was expecting fireworks would fly from my behind. The reality is: Its just another firewall. The web interface reminds me of all the other freeware java/ajax shakey hope-to-god-this-works GUI firewall interfaces. Or maybe they hired a bunch of ex-Cisco CSM programmers and sent them to Web development school for 6 weeks.  I mean its OK, but primitive compared to CP for an enterprise environment. Their logging just sucks compared to SmartLog.

I just don’t get it, but kudos to their marketing machine.

I have friends at another  enterprise corp that spent millions and countless hours to switch. Years ago they had about 300-400 CP firewalls and ~5-10 firewall people. NOW:

• ~50 firewall bodies
• PA management and logging is OK but definitely not as good as CP
• It is stable
• App control is starting to be deployed and mostly works sometimes
• Various 3rd party analysis tools don’t work like Tufin, Firemon, etc. so rule reviews are difficult
• EXPENSIVE
• Support is hot/cold

So millions were spent and countless hours were toiled and they went from Point A to Point A with 5x more bodies. How did that increase security? How did that lower costs?

Summary: Don’t drink the Kool-aid. Understand what your end goal is, don’t just go from Point A to Point A. Spend those funds on more important security projects that have a cost/benefit.