Advanced Upgrade and Database Migration
Before and After Database Migration
|
|
|
|
Before Database Migration
|
After Database Migration
|
Item
|
Description
|
Item
|
Description
|
1
|
Source computer
|
1
|
Target R76 computer connected to network
|
2
|
Management database migration path
|
|
|
3
|
R76 target computer, not connected to the network
|
|
|
Supported Upgrade Paths, Platforms and Products
Make sure that the upgrade from the version on the source computer is a supported. For a list of supported upgrade paths, platforms and products, see the R76 Release Notes.
Legacy Hardware Platforms
A legacy platform is a hardware platform unsupported for new installations but still supported for database migration.
Solaris
Although Solaris is a legacy platform (unsupported for new installations), you can migrate the Solaris database to Windows, SecurePlatform, and Gaia. But only from Check Point versions in the supported upgrade path. See the R76 Release Notes.
- For Security Management Server
The database migration procedure for Solaris is the same as for SecurePlatform and Gaia, as described in this chapter.
- For SmartDomain Manager
To export the SmartDomain Manager database from a legacy platform, use the R76 SecurePlatform CD. Only two menu options are available:
- preupgrade verification
- mds export
Migration Workflow
This section includes a procedural overview for database migration and continues with detailed procedures for each platform. Also included are special procedures for migrating:
- A secondary Security Management server
- To a server with a different IP address
- SmartReporter
- SmartEvent
Migration Workflow
General Workflow
First read the Release Notes to make sure that your upgrade path is supported.
If the target Security Management Server will not use the IP address of the source, prepare the environment to recognize the new IP address. Do this before you do the steps below.
On the source server:
- Get the migration tools package.
- Extract the downloaded package.
|
Important - Put all extracted files in the same directory, and run the tools from this directory.
|
- Make sure the files have executable permissions. For example, In the temporary directory, run
chmod 777 *
- Run
fw logswitch to close the SmartView Tracker log files. Only closed logs are migrated. - Close all Check Point GUI clients that are connected to the Security Management server.
Alternatively, if this is a computer that is not in production, run cpstop on the source computer.
|
Important - If you do not close the GUI clients or run cpstop , the exported management database can become corrupted.
|
- Make sure the source server and the target server have network access.
- The source and target servers must be connected to a network.
- The connected network interface must have an IP address.
- On SecurePlatform, the
ifconfig command output must show that the interface is UP. - On Windows, the interface must be enabled in the window.
- Run the
pre_upgrade_verifier command. - Correct all errors before continuing.
- If the target server must have a different IP address than the source server, make the necessary changes on the source server.
- Export the management database.
- If SmartReporter is installed on the source server, export the Log Consolidation database.
- If SmartEvent is installed on the source server, export the Events database.
On the target server:
- Install the R76 Security Management server or a standalone deployment. Configure as required.
- Get the most updated migration tools package for the target platform (recommended) or use the installed migration tools in
$FWDIR/bin/upgrade_tools on Unix platforms or %FWDIR%\bin\upgrade_tools on Windows. - Import the management database from the source server to the target.
- If SmartReporter is installed on the source server, import the Log Consolidation database.
- If SmartEvent is installed on the source server, import the SmartEvent Events database.
- If the target server has a different IP address than the source server, make the necessary changes to the license and target computer.
If the target server is a different platform that the source server, edit the database.
- Test the target installation.
- Disconnect the source server from the network.
- Connect the target server to the network.
Preparing the Source Server for New IP Address
Licenses are related to the Security Management server IP address. If you migrate the Security Management server database to a server with a new IP address, licensing issues can arise. We recommend that you keep the same IP address for the target Security Management server. If this is not possible, you must prepare the source database before the export and edit the target database after the import.
There are additional steps for a Security Management server that manages VSX Gateways in these configurations:
- From a Security Management server to a new Domain Management Server or Security Management server
- From a Domain Management Server to a new Domain Management Server
On the source computer before migration:
- Create a new host object in SmartDashboard with the IP address of the target Security Management server.
- Define a firewall rule that lets this new Security Management server connect to Security Gateways.
|
|
|
new server
|
|
FW1 (TCP 256)
CPD (TCP 18191)
FW1_CPRID (TCP 18208)
|
- Install the new security policy on all gateways.
- For configurations that include VSX Gateways, to these steps:
- Define the previous firewall rule again for the VSX policy.
- Install the policy on the VSX Gateways.
Getting the Migration Tools Package
It is important that you use the correct migration tools package. Download the latest version of the migration tools from the Support Center. This is the best way to make sure that you get the most recent version.
Alternatively, you can get the migration tools package from the target computer.
To get the migration tools package from the target computer:
- Install R76 on the target computer.
- Copy the complete directory from the target computer to the source computer:
- SecurePlatform / Gaia -
$FWDIR/bin/upgrade_tools - Windows -
%FWDIR%\bin\upgrade_tools
Use FTP, SCP or similar. The source directory can be anywhere, such as /var/tmp .
The migration tool files are contained in a compressed package. The files in the package are:
migrate migrate_conf upgrade_export upgrade_import
Using the Pre-Upgrade Verification Tool
We recommend that you run the pre-upgrade verifier on the Security Management server source computer before exporting the management database. The pre-upgrade verifier does a compatibility analysis of the Security Management server database and its current configuration. A detailed report shows the steps to do before and after the upgrade.
The pre-upgrade verifier can only verify a database that is intended for import into a different major version of the Security Management server. It cannot be used on a database that is intended for import into the same major version of the Security Management server.
The pre_upgrade_verifier command
Go to the migration tools directory. The tool is in the downloaded package, and is in the extracted directory. All files from the package must be in the same extracted directory.
Run pre_upgrade_verifier without arguments to see its syntax and options.
Action Items
- Errors - Issues that must be resolved before you can continue with the upgrade. If you proceed without correcting these errors, the upgrade may fail, or you may have problems after upgrade.
- Warnings - Issues that are recommended to resolve before or after the upgrade.
Exporting the Database
On Gaia and SecurePlatform - CLI
To create a management database export file on the source computer:
- Log in to the expert mode.
- Get the R76 migration tools.
- Run:
< path to migration tools directory>/migrate export < exported database name>.tgz.
- Do the instructions shown on the screen. This creates the
< exported database name>.tgz file.
On Gaia and SecurePlatform - GUI on DVD
To create a management database export file on the source computer:
- Insert the R76 DVD into source computer drive.
- At the command prompt, run:
patch add cd
- Select SecurePlatform R76 Upgrade Package.
- Enter y to confirm the checksum calculation.
- You are prompted to create a backup image for automatic revert. There is no need to create a backup image now because exporting the management database does not change the system.
|
Note - Creating a backup image can take up to twenty minutes, during which time Check Point products are stopped.
|
- The welcome screen opens. Press n.
- Press Y to accept the license agreement.
- From the Security Management Upgrade Option screen, select Export Security Management configuration. Press N to continue.
- Select a source for the upgrade utilities.
We recommend that you select Download the most updated files from the Check Point website to get the latest files. You can also select Use the upgrade tools contained on the CD. Press N to continue.
- If the Pre-Upgrade Verification fails, correct the errors and restart this procedure from the step 2. Otherwise, press N to continue.
- In the Export window, press N to continue. The management database is saved in
/var/tmp/cpexport.tgz . - Press E to exit the installation program.
On IP Appliance
To create a management database export file on the source computer:
- Get the R76 migration tools.
- Run:
< path to migration tools directory>/migrate export < exported database name>.tgz.
- Do the instructions shown on the screen. This creates the
< exported database name>.tgz file.
On Windows - CLI
To create a management database export file on the source computer:
- Get the R76 migration tools.
- From the Windows command prompt, run:
<path to migration tools directory>\migrate.exe export <exported database name>.tgz . - Do the instructions shown on the screen. This creates the <exported database name>.tgz file
.
On Windows - GUI on DVD
To create a management database export file on the source computer:
- Log in to Windows using Administrator credentials.
- Insert the R76 DVD in the optical drive.
If the wizard does not start automatically, run setup.exe from the DVD.
- Click Next in the Thank you window.
- Accept the terms of the License Agreement and click Next.
- Select Export.
- Use one of these options to get the upgrade utilities.
- Download the most recent upgrade utilities from the Support center.
- Use the upgrade utilities that you downloaded to your local disk.
- Use the upgrade utilities on the DVD.
- When prompted, do not disable the option.
- If there are pre-upgrade verification errors, correct them and start this procedure again from step 3. Otherwise, click Next to continue.
- Enter path and management database export file name. The default is:
c:\temp\cp_db_configuration.tgz . - When the export completes, click OK.
Importing the Database
To SecurePlatform
To import the management database file to the target computer:
- Log in to the expert mode.
- Copy the management database file that you exported from the source computer to a directory of your choice on the target computer. Use FTP, SCP or similar.
- Run:
< path to migration tools directory>/migrate import <path to the file>/< exported database name>.tgz.
- Do the instructions on the screen to import the management database.
To IP Appliance
To import the management database file to the target computer:
- Copy the management database file that you exported from the source computer to a directory of your choice on the target computer. Use FTP, SCP or similar.
- Run:
< path to migration tools directory>/migrate import <path to the file>/< exported database name>.tgz.
- Do the instructions on the screen to import the management database.
To Windows
To import the management database file to the target computer:
- Copy the management database file that you exported from the source computer to a directory of your choice on the target computer. Use FTP, SCP or similar.
- From the Windows command prompt, run:
<path to migration tools directory>\migrate.exe import <path to the file>\<exported database name>.tgz . - Do the instructions on the screen to import the management database.
Migrating the Database of a Secondary Security Management Server
To do an advanced upgrade for a Secondary Security Management server:
- Export the management database file from the primary Security Management server.
If the primary Security Management server is not available, convert the secondary Security Management server to a primary Security Management server. To get assistance with this step, contact Check Point Technical Support or your vendor.
- Install a new primary Security Management server.
- Import the management database file to the new primary Security Management server.
- Install new secondary R76 Security Management server.
- Establish SIC with the secondary Security Management Server.
- Synchronize the new secondary Security Management server with the new primary Security Management server.
Completing Migration to a New IP Address
Licenses are related to the Security Management server IP addresses. You must update the license and configure the environment to recognize the new Security Management server.
- Update the Security Management server licenses with the new IP address. If you use central licenses, they must also be updated with the new IP Address.
- Run
cpstop
- Run
cpstart
- Connect to the new IP address with SmartDashboard.
- Remove the host object and the rule that you created before migration.
- Update the primary Security Management server object to make the IP Address and topology match the new configuration.
- Reset SIC for all SmartEvent distributed servers.
- Run
evstop and evstart on SmartEvent and SmartReporter distributed servers. - On the DNS, map the target Security Management server host name to the new IP address.
Migrating to a Server with a Different Platform
If you migrate the management database to a server with a platform or operating system that is different from the source server, you must update the primary management object's properties accordingly.
|
Warning - Failure to do so may cause security issues.
|
After migration:
- Connect with the SmartDashboard to the target Security Management Server.
- Edit the primary object:
- Update the target computer platform.
- Update the target computer operating system.
- Save the database.
Example:
If you migrate from a Windows Security Management server to an appliance:
- Change from to .
- Change from to .
SmartReporter and SmartEvent Report Results Migration
If you have SmartReporter or SmartEvent reports on the source server, you can back them up and copy them to the target server.
To backup and restore SmartReporter and SmartEvent reports:
On the source server:
- Open the file
$FWDIR/conf/reporting_configuration.C On Windows: %FWDIR%/conf/reporting_configuration.C
- Search for the entry:
generation_result_location
For example:
:generation_result_location ("/var/opt/CPrt-R76/Results")
- Create an archive of the files in the directory specified by this entry. In this example:
/var/opt/CPrt-R76/Results . We will refer to this directory as <results dir>.
cd <results dir>
tar zcvf /var/tmp/results.tgz <results dir>
- Copy
/var/tmp/results.tgz to the target server.
On the target server:
- If the target server has a newer version than the source server, create a new directory with the same name as
<results dir> :
mkdir –p <results dir>
- Untar all the files from
results.tgz :cd <results dir>
tar xzvf results.tgz
SmartReporter Database Migration
While the database migration procedure automatically migrates the SmartReporter management database to the target server, it does not migrate the SmartReporter database. If you have SmartReporter installed on the source server, you must do several additional steps to migrate the database to the target.
Exporting the SmartReporter Database
To create the SmartReporter database export file on the source server:
- Run
cpstop . - Find and open the MySQL configuration file using a text editor:
- On SecurePlatform:
$RTDIR/Database/conf/my.cnf . - On Windows:
%RTDIR%\Database\conf\my.ini
Use this file to locate directory names for use in the next steps.
- Delete the contents of the directory specified in the
innodb_log_group_home_dir= <xxx> setting.
- Create the database export file. Assign the name
datadir.tgz to this file.- Go to the directory specified by the datadir= <xxx> parameter in the MySQL configuration file.
This directory contains the database files.
- Use GNU tar/gzip utilities to create an archive file containing all files in the directory specified by the datadir=<xxx> setting. For example on SecurePlatform use:
tar zcvf datadir.tgz <datadir setting>
- Backup these items to a different device (USB drive, CD, FTP server, network location, etc.):
- The datadir export file (datadir.tgz).
- The MySQL configuration file (
my .cnf or my.ini ). After copying the file to a backup device, rename the file by appending a .old suffix to the file name. For example, rename file my.cnf to my.cnf.old . (Import scripts require this suffix.) - Company logo image files located in the
$RTDIR/bin (%RTDIR%\bin on Windows) directory. - Custom distribution scripts located in
$RTDIR/DistributionScripts (%RTDIR%\DistributionScripts on Windows).
Importing the SmartReporter Database
On the target server:
- If you have not already done so, install R76 and SmartReporter, on the target server.
- Run
cpstop . - Copy:
- For SecurePlatform
: my.cnf.old to $RTDIR/Database/conf/ - For Windows:
my.ini.old to %RTDIR%\Database\conf .
|
Note - If you are migrating to a platform where the name of configuration file is different (for example, migrating from Windows to SecurePlatform) rename the configuration file accordingly.
|
- Copy these files from the backup device to the target server:
- The SmartReporter exported database file (datadir.tgz) to the one of these locations:
- SecurePlatform:
$RTDIR/bin
- Windows
: %RTDIR%\bin
- Company logo image files to the
$RTDIR/bin (%RTDIR%\bin on Windows) directory. - Custom distribution scripts to the
$RTDIR/DistributionScripts (%RTDIR%\DistributionScripts on Windows) directory.
Completing the SmartReporter Upgrade
To complete the SmartReporter upgrade:
- When upgrading from a version before R75.40VS:
- Run
cpstop
- Run:
cpprod_util_CPPROD_SetValue_"Reporting Module" DefaultDatabase 1 "MySQL" 1
- Run:
./EVR_DB_Upgrade -mysql "<absolute path to file>/<SmartReporter database export file>.tgz"
For example, if datadir.tgz is located in $RTDIR/bin , run:
EVR_DB_Upgrade -mysql "$RTDIR/bin/datadir.tgz"
- If you are not using the default directory paths, change these fields in the
MySQL configuration file to match the locations of these directories:datadir=
innodb_log_group_home_dir=
innodb_data_file_path=
- Run
cpstart
- In SmartDashboard, from the menu, select .
- In SmartReporter, from the tab, remove the existing consolidation session and create a new one.
SmartEvent Events Database Migration
While the database migration procedure automatically migrates the SmartEvent management database to the target computer, it does not migrate the SmartEvent events database. If you have SmartEvent installed on the source server, you must do more to migrate the events database to the target.
|
Note - The Events Database can be very large, and the manual migration take time.
|
These steps explain how to use the eva_db_backup and eva_db_restore scripts with the default options. By default, the commands are run without options. You must have write permissions for the current directory.
To see more options:
- On SecurePlatform, run:
$RTDIR/bin/eva_db_backup.csh --help
- On Windows, run:
%RTDIR%\bin\eva_db_backup.exe --help
When upgrading from R70.20 and higher:
- On the source machine, go to
$RTDIR/bin or %RTDIR%\bin . - Run the backup tool:
- On SecurePlatform, run:
./eva_db_backup.csh - On Windows, run:
eva_db_backup.exe
- Copy the backup file created by the tool to the destination machine. By default, the name of a backup file is: <current date>
-events_db.backup . - Run
cpstop on the destination machine. - Run the restore tool:
- On SecurePlatform, run:
$RTDIR/bin/eva_db_restore.csh -filename <path to the backup file> - On Windows, run:
%RTDIR%\bin\eva_db_restore.exe -filename <path to the backup file>
- Open the
eventia_upgrade.C file in $RTDIR/conf or %RTDIR%\conf . If it has DONE in online_status or background_status attribute of the Database section, delete DONE and save the file.
- Run:
cpstart
When upgrading from a version older than R70.20:
On Source server:
Copy the database file ($RTDIR/events_db/events.sql or %RTDIR%/events_db/events.sql file by default) from source machine to the destination machine.
On Destination server:
- Run:
cpstop - Run the
PostgreSQL daemon: - SecurePlatform:
$CPDIR/database/postgresql/util/PostgreSQLCmd start - Windows:
"%CPDIR%\database\postgresql\util\PostgreSQLCmd.exe" start
- Drop the previous
PostgreSQL database content. - Log in to the
postgres database: - SecurePlatform:
$CPDIR/database/postgresql/bin/psql -U cp_postgres -p 18272 postgres - Windows:
"%CPDIR%\database\postgresql\bin\psql.exe" -U cp_postgres -p 18272 postgres
- Run:
drop database events_db;
If you get an error that the database does not exist, ignore it.
- Run
"\q" to exit the database.
- Run the database upgrade tool twice:
- Stop the
PostgreSQL daemon: - SecurePlatform:
$CPDIR/database/postgresql/util/PostgreSQLCmd stop - Windows:
"%CPDIR%\database\postgresql\util\PostgreSQLCmd.exe" stop
- Open the
eventia_upgrade.C file in $RTDIR/conf or %RTDIR%\conf
If it shows DONE in the online_status or background_status attribute of the Database section, delete DONE and save the file.
- Run:
cpstart - Delete the
events.sql file from destination machine.
Migrate Command Reference
The migrate command exports a source Security Management server database to a file, or imports the database file to a target Security Management server. Use absolute paths in the command, or relative paths from the current directory.
Before you run this command for export, close all SmartConsole clients or run cpstop on the Security Management Server.
Before you run this command for import, run cpstop on the Security Management Server.
Syntax:
migrate (export | import) [-l] [-n] <filename>
Parameters:
Value
|
Description
|
export
import
|
One of these actions must be used. Make sure services are stopped.
|
-l
|
Optional. Export or import SmartView Tracker logs. Only closed logs are exported. Use the fw logswitch command to close the logs before you do the export.
|
-n
|
Optional. Run silently (non-interactive) using the default options for each setting.
Important note: If you export a management database in this mode, to a directory with a file with the same name, it will be overwritten without prompting.
If you import using this option, the command runs cpstop automatically.
|
filename
|
Required. Enter the name of the archive file that contains the Security Management server database. The path to the archive must exist.
|
|
|