Advanced Upgrade and Database Migration

In This Section: Before and After Database Migration Supported Upgrade Paths, Platforms and Products Legacy Hardware Platforms Requirements for Advanced Upgrade and Migration Migration Workflow Migrate Command Reference

Before and After Database Migration

Before Database Migration

After Database Migration

Item	Description		Item	Description
1	Source computer		1	Target R77 computer connected to network
2	Management database migration path
3	R77 target computer, not connected to the network
		Important - If the source environment uses only IPv4 or only IPv6, you cannot migrate to an environment that uses only the other type of addresses.

Supported Upgrade Paths, Platforms and Products

Make sure that the upgrade version and products are supported on the target operating system and hardware platform. For a list of supported upgrade paths, platforms and products, see the R77 Release Notes.

Solaris: You can migrate a Solaris database to Gaia.

Legacy Hardware Platforms

A legacy platform is a hardware platform unsupported for new installations but still supported for database migration.

Solaris is a legacy platform. You can migrate the Solaris database to Windows and SecurePlatform and Gaia. But only from Check Point versions in the supported upgrade path. See the R77 Release Notes.

• For Security Management Server

  The database migration procedure for Solaris is the same as for SecurePlatform and Gaia, as described in this chapter.

• For SmartDomain Manager

  To export the SmartDomain Manager database from a legacy platform, use the R77 SecurePlatform DVD. Only two menu options are available:

  • preupgrade verification
  • mds export

Requirements for Advanced Upgrade and Migration

Required Disk Space:

• The hard disk on the target machine must be at least 5 times the size of the exported database.
• The size of the /var/log folder on the target must be at least 25% of the size of the /var/ log directory on the source machine.

Required Network Access:

• The source and target servers must be connected to a network.
• The connected network interface must have an IP address.

IPv4 or IPv6:

If the source environment uses only IPv4 or only IPv6, the target must use the same IP address configuration. You cannot migrate to an environment that uses only the other type of addresses.

Target Version and Products:

You can only upgrade or migrate the version of the server or set of products. The target must have the same or higher version and the same set of installed products.

Migration Workflow

This section includes a procedural overview for database migration and continues with detailed procedures for each platform. Also included are special procedures for migrating:

• A secondary Security Management Server
• To a server with a different IP address
• SmartReporter
• SmartEvent

Migration Workflow

1. Prepare the source Security Management Server for export.
2. Install the R77 Security Management Server or a standalone deployment on the target server.
3. Export the management database from source Security Management Server.
4. Import the management database to the target Security Management Server.
5. Test the target deployment.
6. Connect the target Security Management Server to the network.

General Workflow

On the source server:

1. Get the migration tools package.
2. Extract the downloaded package.

   Important - Put all extracted files in the same directory, and run the tools from this directory.

3. Make sure the files have executable permissions. For example, In the temporary directory, run
   chmod 777 *
4. Run fw logswitch to close the SmartView Tracker log files and the SmartLog data. Only closed logs are migrated.
5. Close all Check Point GUI clients that are connected to the Security Management Server.

   Alternatively, if this is a computer that is not in production, run cpstop on the source computer.

   Important - If you do not close the GUI clients or run cpstop, the exported management database can become corrupted.

6. Make sure the source server and the target server have network access.
   • The source and target servers must be connected to a network.
   • The connected network interface must have an IP address.
   • On SecurePlatform, the ifconfig command output must show that the interface is UP.
   • On Windows, the interface must be enabled in the Network Connections window.
7. Run the pre_upgrade_verifier command.
8. Correct all errors before continuing.
9. If the target server must have a different IP address than the source server, make the necessary changes on the source server.
10. Export the management database.
    • If SmartReporter is installed on the source server, export the Log Consolidation database.
    • If SmartEvent is installed on the source server, export the Events database.

On the target server:

1. Install the R77 Security Management Server or a standalone deployment. Configure as required.
2. Get the most updated migration tools package for the target platform (recommended) or use the installed migration tools in $FWDIR/bin/upgrade_tools on Unix platforms or %FWDIR%\bin\upgrade_tools on Windows.
3. Import the management database from the source server to the target.
   • If SmartReporter is installed on the source server, import the Log Consolidation database.
   • If SmartEvent is installed on the source server, import the SmartEvent Events database.
4. If the target server has a different IP address than the source server, make the necessary changes to the license and target computer.

   If the target server is a different platform that the source server, edit the database.

5. Test the target installation.
6. Disconnect the source server from the network.
7. Connect the target server to the network.

Preparing the Source Server for New IP Address

Licenses are related to the Security Management Server IP address. If you migrate the Security Management Server database to a server with a new IP address, there will be licensing issues. We recommend that you keep the same IP address for the target Security Management Server. If this is not possible, you must prepare the source database before the export and edit the target database after the import.

There are additional steps for a Security Management Server that manages VSX Gateways in these configurations:

• From a Security Management Server to a new Domain Management Server or Security Management Server
• From a Domain Management Server to a new Domain Management Server

On the source computer before migration:

1. Create a new host object in SmartDashboard with the IP address of the target Security Management Server.
2. Define a Firewall rule that lets this new Security Management Server connect to Security Gateways.

   Source	Destination	Service
   new server	any	FW1 (TCP 256) CPD (TCP 18191) FW1_CPRID (TCP 18208)

3. Install the new security policy on all gateways.
4. For configurations that include VSX Gateways, to these steps:
   1. Define the previous Firewall rule again for the VSX policy.
   2. Install the policy on the VSX Gateways.

Understanding IPv4 and IPv6 Address Issues During Migration

If you migrate from a Security Management Server or Domain Management Server to a target with a different IP address configuration, you must configure the source before you export the database:

• Configure IP address assignments
• Enable IPv6 from the Portal or mdsconfig

After you import the database, add or remove IPv4 and IPv6 addresses as required.

Security Management Server

When migrating from a Security Management Server with only IPv4 addresses to:

Target	You need to:
Security Management Server with only IPv4 addresses	Follow the normal migration process.
Security Management Server with only IPv6 addresses	Enable IPv6 on the Source Operating System before exporting the database After importing the database, change the IP address of the management
Security Management Server with a mixture of IPv4 and IPv6 addresses.	Enable IPv6 on the Source Operating System before exporting the database After importing the database, add the IPv6 addresses
Domain Management Server with IPv4 addresses	Follow the normal migration process.
Domain Management Server with a mixture of IPv4 and IPv6 addresses	Enable IPv6 on the Source Operating System before exporting the database After importing the database, add the IPv6 addresses

When migrating from a Security Management Server with only IPv6 addresses to:

Target	You need to:
Security Management Server with only IPv4 addresses	After importing the database, change the IPv6 address of the management to IPv4
Security Management Server with only IPv6 addresses	Follow the normal migration procedure
Security Management Server with a mixture of IPv4 and IPv6 addresses.	After importing the database, add the IPv4 addresses
Domain Management Server with IPv4 addresses	After importing the database, remove IPv6 addresses from the management object in SmartDashboard and add IPv4
Domain Management Server with a mixture of IPv4 and IPv6 addresses	After importing the database: Enable IPv6 on the Operating System Change the IP address of the management to IPv4

When migrating from a Security Management Server with a mixture of IPv4 and IPv6 addresses to:

Target	You need to:
Security Management Server with only IPv4 addresses	After importing the database: Disable IPv6 on the Operating System Change the IP address of the management to IPv4
Security Management Server with only IPv6 addresses	After importing the database, remove the IPv4 address from the management
Security Management Server with a mixture of IPv4 and IPv6 addresses.	Follow the normal migration procedure
Domain Management Server with IPv4 addresses	After importing the database, remove the IPv6 address from the management object in SmartDashboard
Domain Management Server with a mixture of IPv4 and IPv6 addresses	Follow the normal migration procedure

Domain Management Server

When migrating from a Domain Management Server with only IPv4 addresses to:

Target	You need to:
Security Management Server with only IPv4 addresses	Follow the normal migration procedure
Security Management Server with only IPv6 addresses	After importing the database: Enable IPv6 on the Operating System Change the IP address of the management to IPv6
Security Management Server with a mixture of IPv4 and IPv6 addresses.	Enable IPv6 on the Operating System Add IPv6 addresses
Domain Management Server with IPv4 addresses	Follow the normal migration procedure
Domain Management Server with a mixture of IPv4 and IPv6 addresses	After importing the database: Enable IPv6 on the Operating System Add IPv6 Addresses

When migrating from a Domain Management Server with a mixture of IPv4 and IPv6 addresses to:

Target	You need to:
Security Management Server with only IPv4 addresses	Disable IPv6 on the source Operating System before exporting the database After importing the database, change the IP address of the management to IPv4
Security Management Server with only IPv6 addresses	After importing the database, remove the IPv4 address from the management.
Security Management Server with a mixture of IPv4 and IPv6 addresses.	Follow the normal migration procedure
Domain Management Server with IPv4 addresses	Disable IPv6 on the source Operating System before exporting the database Remove the IPv6 address from the target Domain Management Server object in SmartDashboard
Domain Management Server with a mixture of IPv4 and IPv6 addresses	Follow the normal migration procedure

Getting the Migration Tools Package

It is important that you use the correct migration tools package. Download the latest version of the migration tools from the Support Center. This is the best way to make sure that you get the most recent version.

Alternatively, you can get the migration tools package from the target computer.

To get the migration tools package from the target computer:

1. Install R77 on the target computer.
2. Copy the complete directory from the target computer to the source computer:
   • SecurePlatform / Gaia - $FWDIR/bin/upgrade_tools
   • Windows - %FWDIR%\bin\upgrade_tools

   Use FTP, SCP or similar. The source directory can be anywhere, such as /var/tmp.

The migration tool files are contained in a compressed package. The files in the package are:

• migrate
• migrate_conf
• migrate export
• migrate import

Using the Pre-Upgrade Verification Tool

We recommend that you run the pre-upgrade verifier on the source server before exporting the management database. The pre-upgrade verifier analyzes compatibility of the management database and its current configuration. A detailed report shows the steps to do before and after the upgrade.

The pre-upgrade verifier can only verify a database that is intended for import into a different major version (for example, R77.xx to R77). It cannot be used on a database that is intended for import into the same major version.

Action Items

• Errors - Issues that must be resolved before you can continue with the upgrade. If you proceed without correcting these errors, the upgrade may fail, or you may have problems after upgrade.
• Warnings - Issues that are recommended to resolve before or after the upgrade.

Exporting the Management Database

On Gaia and SecurePlatform - CLI

To create a management database export file on the source computer:

1. Log in to the expert mode.
2. Get the R77 migration tools.
3. Run:
   <path to migration tools directory>/migrate export <exported database name>.tgz.
4. Do the instructions shown on the screen. This creates the <exported database name>.tgz file.

On Gaia and SecurePlatform - GUI on DVD

To create a management database export file on the source computer:

1. Insert the R77 DVD into source computer drive.
2. At the command prompt, run: patch add cd
3. Select SecurePlatform R77 Upgrade Package.
4. Enter y to confirm the checksum calculation.
5. You are prompted to create a backup image for automatic revert. There is no need to create a backup image now because exporting the management database does not change the system.

   Note - Creating a backup image can take up to twenty minutes, during which time Check Point products are stopped.

6. The welcome screen opens. Press n.
7. Press Y to accept the license agreement.
8. From the Security Management Upgrade Option screen, select Export Security Management configuration. Press N to continue.
9. Select a source for the upgrade utilities.

   We recommend that you select Download the most updated files from the Check Point website to get the latest files. You can also select Use the upgrade tools contained on the CD.
   Press N to continue.

10. If the Pre-Upgrade Verification fails, correct the errors and restart this procedure from the step 2. Otherwise, press N to continue.
11. In the Export window, press N to continue. The management database is saved in /var/tmp/cpexport.tgz.
12. Press E to exit the installation program.

Importing the Management Database

To import the management database file to the target computer:

1. Log in to the expert mode.
2. Copy the management database file that you exported from the source computer to a directory of your choice on the target computer. Use FTP, SCP or similar.
3. Run:
   <path to migration tools directory>/migrate import <path to the file>/<exported database name>.tgz.
4. Do the instructions on the screen to import the management database.

Migrating the Database of a Secondary Security Management Server

1. Export the database file from the primary Security Management Server.

   If the Primary Security Management Server is not available, convert the Secondary Security Management Server to a Primary Security Management Server. To get assistance with this step, contact Check Point Support or your vendor.

2. Install a new Primary Security Management Server.
3. Import the management database file to the new Primary Security Management Server.
4. Install new Secondary R77 Security Management Server.
5. Establish SIC with the Secondary Security Management Server.
6. Synchronize the new Secondary Security Management Server with the new Primary Security Management Server.

Completing Migration to a New IP Address

Licenses are related to the Security Management Server IP addresses. You must update the license and configure the environment to recognize the new Security Management Server.

1. Update the Security Management Server licenses with the new IP address. If you use central licenses, they must also be updated with the new IP Address.
2. Run cpstop
3. Run cpstart
4. Connect to the new IP address with SmartDashboard.
5. Remove the host object and the rule that you created before migration.
6. Update the primary Security Management Server object to make the IP Address and topology match the new configuration.
7. Reset SIC for all SmartEvent distributed servers.
8. Run evstop and evstart on SmartEvent and SmartReporter distributed servers.
9. On the DNS, map the target Security Management Server host name to the new IP address.

SmartReporter and SmartEvent Database Migration for Non-Windows

To migrate the SmartReporter and SmartEvent database from a non-Windows platform to a non-Windows platform, use this procedure. You can also use this procedure to backup and restore the databases.

Tools

• Use the evs_backup utility to back up the SmartEvent and SmartReporter database and configuration files, and place them in a compressed file. Use the version suitable for the target platform. Download it from the Support Center, or from the $RTDIR/bin directory on the target Unix platform.
• Use the evs_backup_extractor utility to restore the backup file.
• Use the migration tools to backup and restore the Security Management database and files. Use the version suitable for the target platform. Download it from the Support Center, or from $FWDIR/bin/upgrade_tools/ directory on the target Unix platform.

Backup Procedure

Run the following commands in Expert mode. Use different file name for each of the utilities:

# cd $FWDIR/bin/upgrade_tools/ # ./migrate export <file name 1> # cd $RTDIR/bin # ./evs_backup [-filename <file name 2>] -ExportPreUpgrade

Restore Procedure

Copy the backup files to the target platform and run these commands in Expert mode:

# cd $FWDIR/bin/upgrade_tools/ # ./migrate import <file name 1> # cd $RTDIR/bin # ./evs_backup_extractor [-filename <file name 2>] -ImportPostUpgrade

Migrate Command Reference

The migrate command exports a source Security Management Server database to a file, or imports the database file to a target Security Management Server. Use absolute paths in the command, or relative paths from the current directory.

Before you run this command for export, close all SmartConsole clients or run cpstop on the Security Management Server.

Before you run this command for import, run cpstop on the Security Management Server.

Syntax:

migrate {export | import} [-l] [-n] <filename> [--exclude-uepm-postgres-db] [--include-uepm-msi-files]

Parameters	Description
export import	One of these actions must be used. Make sure services are stopped.
-l	Optional. Export or import SmartView Tracker logs and SmartLog data. Only closed logs are exported. Use the fw logswitch command to close the logs before you do the export.
-n	Optional. Run silently (non-interactive) using the default options for each setting. Important: If you export a management database in this mode, to a directory with a file with the same name, it is overwritten without prompting. If you import using this option, the command runs cpstop automatically.
--exclude-uepm-postgres-db	Skip over backup/restore of PostgreSQL database of the Endpoint product.
--include-uepm-msi-files	Export/import the uepm msi files.
filename	Required. Enter the name of the archive file with the server database. The path to the archive must exist.