Migration from a Standalone to a Domain Management Server is supported only from R7x versions to a Domain Management Server on a Multi-Domain Server R80.20 or above. To do this, you have to separate the Security Management Server and Security Gateway on the R7x Standalone. Then you manage the former Standalone as a Security Gateway only, from the R80.20 Domain Management Server.
Important - Before migrating a database from an R7x Standalone to an R80.20 Domain Management Server:
Step |
Description |
---|---|
1 |
Make sure that the target Domain Management Server IP address can communicate with all the Security Gateways managed by the R7x Standalone. |
2 |
Workflow:
Step 1 of 14: Configure the required policies to allow communication with R80.20 Domain Management Server
Step |
Description |
---|---|
1 |
Connect with R7x SmartDashboard to the R7x Standalone. |
2 |
Create a new Check Point Host object to represent the R80.20 Domain Management Server and define it as a Secondary Security Management Server.
|
3 |
Create the applicable Firewall rules in all applicable policies to allow the new Check Point Host object (that represents the R80.20 Domain Management Server) to communicate with all managed Security Gateways. |
4 |
Install the Network Security policies on all managed Security Gateways. |
5 |
Delete the new Check Point Host object (that represents the R80.20 Domain Management Server) and the Firewall rules created in Steps 2-4. |
6 |
Save the changes (click File > Save). |
Step 2 of 14: Configure the R7x Standalone object
Step |
Description |
---|---|
1 |
Connect with R7x SmartDashboard to the R7x Standalone. |
2 |
If the R7x Standalone object participates in a VPN community, remove it from the VPN community and delete its certificate. Note these settings, to configure them again after the migration. |
3 |
Remove the R7x Standalone object from the Install On column in all policies. |
4 |
Open the R7x Standalone object. |
5 |
Click General Properties page > Network Security tab. |
6 |
Clear all the Software Blades. |
7 |
Click OK. |
8 |
Save the changes (click File > Save). |
9 |
Do not install the Network Security policy on the R7x Standalone object. |
10 |
Close the SmartDashboard. |
Step 3 of 14: Get the R80.20 Management Server Migration Tool
Step |
Description |
---|---|
1 |
Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK. |
2 |
Transfer the R80.20 Management Server Migration Tool package to the R7x Standalone to some directory (for example, Note - Make sure to transfer the file in the binary mode. |
Step 4 of 14: Export the entire management database from the R7x Standalone
Step |
Description |
---|---|
1 |
Connect to the command line on the R7x Standalone. |
2 |
Log in to the Expert mode. |
3 |
Go to the directory, where you put the R80.20 Management Server Migration Tool package:
|
4 |
Extract the R80.20 Management Server Migration Tool package:
|
5 |
Export the entire management database:
Notes:
|
6 |
Calculate the MD5 for the exported database file:
|
7 |
Transfer the exported database from the R7x Standalone to an external storage:
Note - Make sure to transfer the file in the binary mode. |
Step 5 of 14: On the R80.20 Multi-Domain Server, create a new Domain Management Server
Step |
Description |
---|---|
1 |
Connect to the command line on the R80.20 Multi-Domain Server. |
2 |
Log in to the Expert mode. |
3 |
Create a new Domain Management Server: Note - This is one long command will multiple parameters.
For more information, see the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain. Important! After you create the new Domain with this command, do not change the Domain IPv4 address until you run the |
Step 6 of 14: Transfer the exported R7x Standalone management database to the R80.20 Multi-Domain Server
Step |
Description |
---|---|
1 |
Transfer the exported R7x Standalone management database from an external storage to the R80.20 Multi-Domain Server, to some directory. Note - Make sure to transfer the file in the binary mode. |
2 |
Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the R7x Standalone:
|
Step 7 of 14: On the R80.20 Multi-Domain Server, import R7x Standalone management database to the new Domain Management Server
Step |
Description |
---|---|
1 |
Unset the shell idle environment variable:
|
2 |
Import the R7x Security Management Server management database:
Example:
Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Security Management Server according to instructions in the error messages. Then do this procedure again. |
Step 8 of 14: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Security Management Server.
Step |
Description |
---|---|
1 |
Connect to the command on the R80.20 Multi-Domain Server. |
2 |
Log in to the Expert mode. |
3 |
Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server:
|
4 |
Go to the context of the new Domain Management Server:
|
5 |
Reset the SIC on the Domain Management Server:
|
6 |
Create a new Internal Certificate Authority:
|
7 |
Start the new Domain Management Server:
|
8 |
Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "
If some of the required daemons on a Domain Management Server are in the state "
|
9 |
Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways:
|
Step 9 of 14: Configure the VPN keys
Note - This step applies if the original R7x Standalone managed VPN gateways.
There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.
The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.
To fix:
Step 10 of 14: Configure the Domain Management Server object in SmartConsole
The Domain Management Server object represents the Management Server component of the R7x Standalone.
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Domain Management Server. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Locate these objects:
|
4 |
Open the Domain Management Server object. |
5 |
From the left navigation tree, click Network Management. |
6 |
Delete all interfaces:
|
7 |
Click OK. |
8 |
Publish the SmartConsole session. |
Step 11 of 14: Create the new Security Gateway object in SmartConsole
You must create a new Security Gateway object to represent the Gateway component of the R7x Standalone. This new Security Gateway object represents the separate Security Gateway.
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Domain Management Server. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Create a new Security Gateway object (that represents the Gateway component of the R7x Standalone) in one of these ways:
|
4 |
In the Check Point Security Gateway Creation window, click Classic Mode. Check Point Gateway properties window opens on the General Properties page. |
5 |
In the Name field, enter the desired name for this Security Gateway object. |
6 |
In the IPv4 address (and IPv6 address) field, enter some dummy IP address. You change this IP address later to the real IP address. |
7 |
Do not establish the Secure Internal Communication. |
8 |
In the Platform section, select the correct options:
|
9 |
On the Network Security tab, enable the desired Software Blades. Important - Do not select anything on the Management tab. |
10 |
Click OK. |
11 |
Publish the SmartConsole session. |
Step 12 of 14: Install the R80.20 Security Gateway
You must install a separate Security Gateway to represent the Gateway component of the R7x Standalone.
You can install the Security Gateway from scratch on the R7x Standalone.
Step |
Description |
---|---|
1 |
Install the Gaia Operating System: |
2 |
|
3 |
During the First Time Configuration Wizard, you must configure these settings:
|
Step 13 of 14: Configure the new Security Gateway object in SmartConsole
You must create a new Security Gateway object to represent the Gateway component of the R7x Standalone.
This new Security Gateway object represents the separate Security Gateway.
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the new R80.20 Domain Management Server. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the Security Gateway object that represents the Gateway component of the R7x Standalone. |
4 |
In the IPv4 address and IPv6 address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses. |
5 |
Establish the Secure Internal Communication (SIC) between the Management Server and this Security Gateway:
|
|
If the Certificate state field does not show
|
6 |
Click OK. |
7 |
Publish the SmartConsole session. |
Step 14 of 14: Replace the R7x Standalone object in all policies in SmartConsole
You must create a new Security Gateway object to represent the Gateway component of the R7x Standalone.
This new Security Gateway object represents the separate Security Gateway.
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the new R80.20 Domain Management Server. |
2 |
From the left navigation panel, click Security Policies. |
3 |
In all existing policies, replace the R7x Standalone object with the new Security Gateway object that represents the Gateway component of the R7x Standalone. |
4 |
Publish the SmartConsole session. |
5 |
Install the Access Control Policy on all Security Gateways. |