Relocate devices

This procedure describes how to relocate devices between nodes in distributed architectures, providing a full Remote Agent migration tool.

For example, you may want to do this while in the process of decommissioning end-of-life appliances or moving up to the cloud.

Relocation is performed in the background without system downtime, and supports the following options:

  • From the ASMS Central Manager to Remote Agents.
  • From Remote Agents to the ASMS Central Manager.
  • Between different Remote Agents.

Relocating a device relocates all device-related data, including reports.

Important: If you are relocating devices from a Central Manager to a Remote Agent, ensure that your devices are collected together in a device group in AFA. When relocating devices from a Central Manager, you must relocate a group, even if you are only relocating a single device. The group being relocated should include only top-level devices. For more details, see Manage groups.

Do the following:

  1. Ensure that the ASMS version and build installed on both your source and target machines are identical.

  2. On the Central Manager, connect to administration interface via SSH and log in as root.

    For details, see Connect to and Utilize the Administration Interface.

  3. In the main menu, enter 16 to migrate ASMS units.

  4. Enter 2 to relocate devices between nodes.

  5. The detected nodes and their IPs are displayed. Select the following when prompted:

    • The source node, where the devices are currently located.

      When relocating from the Central Manager to a Remote Agent, you must also specify a device group to relocate.

    • The target node, where you want to move the devices.

  6. Enter a time limit, in minutes, after which you want the relocation process to time-out if not completed.

    The default value is 0, and leaves no time limit.

  7. If prompted, determine whether you want to disable monitoring, scheduled analysis, and log collection for all devices once relocated.

    Tip: We recommend disabling these functions, especially when relocating devices to the Central Manager, to reduce CPU load on the Central Manager machine. For more details, see Default configurations for relocated devices.

  8. At the prompt, 

    do you want to relocate devices whose connectivity check failed, despite the failure (not recommended)? (y/n) [n]:

    By default, N, devices without connectivity are not relocated. However, by entering Y you can force relocation of devices that are down when needed.

  9. Press ENTER to start the relocation process. Relocation is performed in the background and the log file location is displayed.

    Just before the relocation is complete, the system checks the connectivity to the new device. If the check passes, the relocation processes is completed. If the connectivity check fails, the devices remain on the source node.

    Note: If you have relocated management devices and their children, AFA runs an automatic connectivity check on the management device only. For any child, managed devices, manually verify that connectivity is active between ASMS and the device.

    If connectivity is down, edit the device configuration in the AFA Administration area. For details, see Access the DEVICES SETUP page.

  10. If device relocation is partially successful because some of the nodes were skipped, re-run the process to relocate the skipped devices.

  11. After relocation is complete, edit the device configuration if needed, such as to reconfigure a syslog server or rescheduling analysis, in the AFA Administration area. For details, see Default configurations for relocated devices and Access the DEVICES SETUP page. To change the IP of the Remote Agent to which devices were relocated, see To change the IP address of a Remote Agent.

Important: When relocating a Check Point PV1/MDS that has an MLM log server configured, the MLM log server must be manually relocated. It is not automatically relocated.

Relocation configures the system as follows, depending on the relocation you have performed:

From the ASMS Central Manager to Remote Agents

Monitoring, scheduled analysis, and syslog messaging is enabled for all relocated devices.

From Remote Agents to the ASMS Central Manager

Relocated devices are added to a single group on the Central Manager. This group is named after the source Remote Agent, enabling you to relocate the devices again as needed.

Note: If you are relocating management devices, such as a Palo Alto Panorama or Juniper Space Security Director, this group includes only the management device names, although both management and managed devices are relocated as configured.

Monitoring, scheduled analysis, and syslog messages is disabled for all relocated devices to reduce load on the Central Manager.*

Between different Remote Agents

Monitoring, scheduled analysis, and syslog message is kept unchanged for each relocated device.*
Local syslog configuration

When relocating devices that use a local syslog server, this configuration is also automatically relocated to the target node.

No changes are made for external syslog servers.

*Re-enable monitoring, scheduled analysis, and syslog messaging

If monitoring, scheduled analysis, and syslog messages are disabled on your device after relocating, use the enableDevices and enableDevicesOnRemoteAgent APIs to re-enable these again.

If you want to relocate specific devices together, do so by creating a group and then relocating that group via API.

For example, you may want to do this if you have two Remote Agents, each with their own devices.

If the first Remote Agent is being disabled temporarily for maintenance purposes, group its devices to retain the membership details. Then use the relocation API call to relocate that group to the second Remote Agent. When the maintenance is complete, relocate that same group back again to the first Remote Agent.

When creating this group, verify the following:

  • Verify that you include only devices that are managed by this same Remote Agent

  • Verify that you include any management devices required, such as Palo Alto Panorama or Juniper Space Security Director devices.

    All devices managed by these parent devices are relocated together with their management devices, and do not need to be included in the group.

  • Verify that all devices included in the group are accessible from the target machine.

Use the relocation REST API call and the treeNames parameter to define the name of the group you want to relocate. For more details, see Relocate devices between nodes and Manage groups.

OPSEC certificates for Check Point devices are generated per IP. Therefore, while most relocations of Check Point devices to new Remote Agents should succeed, you may have unexpected issues. In such cases, regenerate the certificate and re-install the certificate on the device.

For more details, see OPSEC Setup .

To check relocation progress or to cancel relocation, note the UUID displayed in the CLI, and use one of the following REST API requests:

  • GET device-relocation-controller
  • DELETE device-relocation-controller

For each of these API requests, use the UUID as the value for the uuid parameter. For more details, see Check device relocation progress and Cancel device relocation.

Tip: We recommend using the ASMS Swagger API documentation to perform these API requests.

For more details, see ASMS Swagger documentation.

 

â See also: