
Migrating Database from an R7x Standalone to an R80.20 Domain Management Server

Migration from a Standalone to a Domain Management Server is supported only from R7x versions to a Domain Management Server on a Multi-Domain Server R80.20 or above. To do this, you have to separate the Security Management Server and Security Gateway on the R7x Standalone. Then you manage the former Standalone as a Security Gateway only, from the R80.20 Domain Management Server.

Important - Before migrating a database from an R7x Standalone to an R80.20 Domain Management Server:

1. Make sure that the target Domain Management Server IP address can communicate with all the Security Gateways managed by the R7x Standalone.
2. Back up your current configuration.

Workflow:

  1. Configure the required policies to allow communication with R80.20 Domain Management Server
  2. Configure the R7x Standalone object
  3. Get the R80.20 Management Server Migration Tool
  4. Export the entire management database from the R7x Standalone
  5. On the R80.20 Multi-Domain Server, create a new Domain Management Server
  6. Transfer the exported R7x Standalone management database to the R80.20 Multi-Domain Server
  7. On the R80.20 Multi-Domain Server, import the R7x Standalone management database to the new Domain Management Server
  8. Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
  9. Configure the VPN keys
  10. Configure the Domain Management Server object in SmartConsole
  11. Create the new Security Gateway object in SmartConsole
  12. Install the R80.20 Security Gateway
  13. Configure the new Security Gateway object in SmartConsole
  14. Replace the R7x Standalone object in all policies in SmartConsole

Step 1 of 14: Configure the required policies to allow communication with R80.20 Domain Management Server

1. Connect with R7x SmartDashboard to the R7x Standalone.
2. Create a new Check Point Host object to represent the R80.20 Domain Management Server and define it as a Secondary Security Management Server:
  1. Create the object in one of these ways:
    • From the top toolbar, click the New (Star icon) > More > Check Point Host.
    • In the top left corner, click Objects menu > More object types > Network Object > Gateways & Servers > New Check Point Host.
    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Check Point Host.
  2. In the Name field, enter the desired name.
  3. In the IPv4 Address and IPv6 Address fields, enter the applicable IP addresses of the R80.20 Domain Management Server.
  4. In the Platform section:
    • In the Hardware field, select the applicable option.
    • In the Version field, select the highest version.
    • In the OS field, select Gaia.
  5. Do not initialize the SIC communication.
  6. On the General Properties page, click the Management tab. Make sure the Secondary Server is selected and greyed out.
  7. Click OK.
3. Create the applicable Firewall rules in all applicable policies to allow the new Check Point Host object (that represents the R80.20 Domain Management Server) to communicate with all managed Security Gateways.
4. Install the Network Security policies on all managed Security Gateways.
5. Delete the new Check Point Host object (that represents the R80.20 Domain Management Server) and the Firewall rules created in Steps 2-4.
6. Save the changes (click File > Save).

Step 2 of 14: Configure the R7x Standalone object

1. Connect with R7x SmartDashboard to the R7x Standalone.
2. If the R7x Standalone object participates in a VPN community, remove it from the VPN community and delete its certificate. Note these settings, to configure them again after the migration.
3. Remove the R7x Standalone object from the Install On column in all policies.
4. Open the R7x Standalone object.
5. Click General Properties page > Network Security tab.
6. Clear all the Software Blades.
7. Click OK.
8. Save the changes (click File > Save).
9. Do not install the Network Security policy on the R7x Standalone object.
10. Close the SmartDashboard.

Step 3 of 14: Get the R80.20 Management Server Migration Tool

1. Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK.
2. Transfer the R80.20 Management Server Migration Tool package to some directory on the R7x Standalone (for example, /var/log/path_to_migration_tool/).

Note - Make sure to transfer the file in binary mode.

Step 4 of 14: Export the entire management database from the R7x Standalone

1. Connect to the command line on the R7x Standalone.
2. Log in to the Expert mode.
3. Go to the directory where you put the R80.20 Management Server Migration Tool package:

[Expert@R7x_SA:0]# cd /var/log/path_to_migration_tool/

4. Extract the R80.20 Management Server Migration Tool package:

[Expert@R7x_SA:0]# tar zxvf <Name of Management Server Migration Tool Package>.tgz

5. Export the entire management database:

[Expert@R7x_SA:0]# yes | nohup ./migrate export [-f] [-n] /<Full Path>/<Name of R7x StandAlone Exported File> &

Notes:

  • yes | nohup ... & - are mandatory parts of the syntax.
  • See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.

6. Calculate the MD5 for the exported database file:

[Expert@R7x_SA:0]# md5sum /<Full Path>/<Name of R7x StandAlone Exported File>.tgz

7. Transfer the exported database from the R7x Standalone to external storage:

/<Full Path>/<Name of R7x StandAlone Exported File>.tgz

Note - Make sure to transfer the file in binary mode.

Step 5 of 14: On the R80.20 Multi-Domain Server, create a new Domain Management Server

1. Connect to the command line on the R80.20 Multi-Domain Server.
2. Log in to the Expert mode.
3. Create a new Domain Management Server:

Note - This is one long command with multiple parameters.

[Expert@R80.20_MDS:0]# mgmt_cli --root true add domain name <Name of New Domain> comments "<Desired Comment Text>" servers.ip-address <IPv4 Address of New Domain> servers.name <Name of New Domain Management Server> servers.multi-domain-server <Name of R80.20 Multi-Domain Server> servers.skip-start-domain-server true

For more information, see the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain.

Important! After you create the new Domain with this command, do not change the Domain IPv4 address until you run the cma_migrate command.

Step 6 of 14: Transfer the exported R7x Standalone management database to the R80.20 Multi-Domain Server

1. Transfer the exported R7x Standalone management database from external storage to some directory on the R80.20 Multi-Domain Server.

Note - Make sure to transfer the file in binary mode.

2. Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the R7x Standalone:

[Expert@R80.20_MDS:0]# md5sum /<Full Path>/<Name of R7x StandAlone Exported File>.tgz
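Steps 4 and 6 depend on the MD5 computed on the R7x Standalone matching the one computed on the Multi-Domain Server. The shell functions below are an added example, not part of the Check Point guide: they record the digest next to the archive on the source and make the comparison on the destination fail loudly on a mismatch (for example, after an ASCII-mode transfer). They assume coreutils md5sum and sha256sum are available; sha256 is offered because MD5 only guards against accidental corruption, not deliberate tampering.

```shell
# Added example (not from the Check Point guide): integrity check for the
# exported database archive across the R7x -> R80.20 MDS transfer.
# Assumes coreutils md5sum/sha256sum. Default algorithm is md5, as in the guide.

# Print the digest of a file. Usage: digest_of <file> [md5|sha256]
digest_of() {
    case "${2:-md5}" in
        md5)    md5sum "$1" | awk '{print $1}' ;;
        sha256) sha256sum "$1" | awk '{print $1}' ;;
        *)      echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# On the source (R7x Standalone): store the digest in <file>.<algo> so the
# checksum file travels with the archive to external storage and on to the MDS.
record_digest() {
    digest_of "$1" "${2:-md5}" > "$1.${2:-md5}"
}

# On the destination (R80.20 MDS): recompute the digest and compare it with the
# recorded one. Returns 0 on match, 1 on mismatch, 2 if a file is missing.
verify_digest() {
    file="$1"; algo="${2:-md5}"; recorded="$file.$algo"
    [ -f "$file" ] || { echo "missing archive: $file" >&2; return 2; }
    [ -f "$recorded" ] || { echo "missing checksum file: $recorded" >&2; return 2; }
    expected=$(head -n 1 "$recorded" | tr -d '[:space:]')
    actual=$(digest_of "$file" "$algo")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $file matches recorded $algo digest $expected"
        return 0
    fi
    echo "MISMATCH: $file expected $expected, got $actual (was the transfer in binary mode?)" >&2
    return 1
}
```

Run record_digest before copying the archive off the R7x Standalone, copy both the archive and its .md5 (or .sha256) file in binary mode, and run verify_digest on the Multi-Domain Server before cma_migrate.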

Step 7 of 14: On the R80.20 Multi-Domain Server, import the R7x Standalone management database to the new Domain Management Server

1. Unset the shell idle environment variable:

[Expert@R80.20_MDS:0]# unset TMOUT

2. Import the R7x Security Management Server management database:

[Expert@R80.20_MDS:0]# cma_migrate /<Full Path>/<Name of R7x StandAlone Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

Example:

[Expert@R80.20_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.20/customers/MyDomain3/CPsuite-R80.20/fw1/

Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Security Management Server according to instructions in the error messages. Then do this procedure again.

Step 8 of 14: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways

Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Security Management Server.

1. Connect to the command line on the R80.20 Multi-Domain Server.
2. Log in to the Expert mode.
3. Stop the new Domain Management Server, into which you migrated the management database from the R7x Standalone:

[Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

4. Go to the context of the new Domain Management Server:

[Expert@R80.20_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

5. Reset the SIC on the Domain Management Server:

[Expert@R80.20_MDS:0]# fwm sic_reset

6. Create a new Internal Certificate Authority:

[Expert@R80.20_MDS:0]# mdsconfig -ca <Name of Domain Management Server> <IPv4 Address of Domain Management Server>

7. Start the new Domain Management Server:

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

8. Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "up" and show their PID:

[Expert@R80.20_MDS:0]# mdsstat

If some of the required daemons on a Domain Management Server are in the state "down" or "N/A", wait 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:

[Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstat

9. Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways:
  1. Reset SIC on each Security Gateway that was managed by the original R7x Security Management Server. For the detailed procedure, see sk65764: How to reset SIC.
  2. Connect with SmartConsole to the new Domain Management Server.
  3. Open the object of each Security Gateway.
  4. Establish SIC Trust with each Security Gateway.
  5. Install the Access Control Policy on each Security Gateway.

Step 9 of 14: Configure the VPN keys

Note - This step applies if the original R7x Standalone managed VPN gateways.

There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.

The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.

To fix:

Step 10 of 14: Configure the Domain Management Server object in SmartConsole

The Domain Management Server object represents the Management Server component of the R7x Standalone.

1. Connect with SmartConsole to the R80.20 Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Locate these objects:
  • An object with the Name and IP address of the Domain Management Server. Previous references to the R7x Standalone object now refer to this object.
  • An object for each Security Gateway managed previously by the R7x Standalone.
4. Open the Domain Management Server object.
5. From the left navigation tree, click Network Management.
6. Delete all interfaces:
  1. Select each interface.
  2. Click Actions > Delete Interface.
  3. Click Yes.
7. Click OK.
8. Publish the SmartConsole session.

Step 11 of 14: Create the new Security Gateway object in SmartConsole

You must create a new Security Gateway object to represent the Gateway component of the R7x Standalone. This new Security Gateway object represents the separate Security Gateway.

1. Connect with SmartConsole to the R80.20 Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Create a new Security Gateway object (that represents the Gateway component of the R7x Standalone) in one of these ways:
  • From the top toolbar, click the New (Star icon) > Gateway.
  • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.
  • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4. In the Check Point Security Gateway Creation window, click Classic Mode. The Check Point Gateway properties window opens on the General Properties page.
5. In the Name field, enter the desired name for this Security Gateway object.
6. In the IPv4 address (and IPv6 address) field, enter a temporary (dummy) IP address. You replace it with the real IP address later in this procedure.
7. Do not establish the Secure Internal Communication.
8. In the Platform section, select the correct options:
  1. In the Hardware field:
    • If you install the separate Security Gateway on a Check Point Appliance, select the correct appliance series.
    • If you install the separate Security Gateway on an Open Server, select Open server.
  2. In the Version field, select R80.20.
  3. In the OS field, select Gaia.
9. On the Network Security tab, enable the desired Software Blades.

Important - Do not select anything on the Management tab.

10. Click OK.
11. Publish the SmartConsole session.

Step 12 of 14: Install the R80.20 Security Gateway

You must install a separate Security Gateway to represent the Gateway component of the R7x Standalone.
You can install the Security Gateway from scratch on the R7x Standalone.

1. Install the Gaia Operating System:
2. Run the Gaia First Time Configuration Wizard.
3. During the First Time Configuration Wizard, you must configure these settings:
  • In the Installation Type window, select Security Gateway and/or Security Management.
  • In the Products window:
    1. In the Products section, select Security Gateway only.
    2. In the Clustering section, clear Unit is a part of a cluster, type.
  • In the Dynamically Assigned IP window, select No.
  • In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

Step 13 of 14: Configure the new Security Gateway object in SmartConsole


1. Connect with SmartConsole to the new R80.20 Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway object that represents the Gateway component of the R7x Standalone.
4. In the IPv4 address and IPv6 address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.
5. Establish the Secure Internal Communication (SIC) between the Management Server and this Security Gateway:
  1. Near the Secure Internal Communication field, click Communication.
  2. In the Platform field:
    • Select Open server / Appliance for all Check Point appliance models except 1100, 1200R, and 1400.
    • Select Open server / Appliance for an Open Server.
  3. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard.
  4. Click Initialize.
  5. Click OK.

If the Certificate state field does not show Established, perform these steps:

  1. Connect to the command line on the Security Gateway.
  2. Make sure there is physical connectivity between the Security Gateway and the Multi-Domain Server (for example, pings can pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication.
  5. Follow the instructions on the screen to change the Activation Key.
  6. In the SmartConsole, click Reset.
  7. Enter the same Activation Key you entered in the cpconfig menu.
  8. Click Initialize.

6. Click OK.
7. Publish the SmartConsole session.

Step 14 of 14: Replace the R7x Standalone object in all policies in SmartConsole


1. Connect with SmartConsole to the new R80.20 Domain Management Server.
2. From the left navigation panel, click Security Policies.
3. In all existing policies, replace the R7x Standalone object with the new Security Gateway object that represents the Gateway component of the R7x Standalone.
4. Publish the SmartConsole session.
5. Install the Access Control Policy on all Security Gateways.