
Upgrading one R7x Multi-Domain Server with Gradual Migration of Domain Management Servers

Attention:

This upgrade method is supported only when you upgrade from R7x versions.

We recommend that you upgrade the entire Multi-Domain Server at once with one of these methods:

Because upgrading the entire Multi-Domain Server at once is the default recommended method, use the Gradual Migration of Domain Management Servers only in these cases:

  • The entire Multi-Domain Server cannot be upgraded at once because of a business impact.
  • During the upgrade, you need to rename some or all of the Domain Management Servers.
  • In Multi-Domain Server High Availability deployment, you need to change the number of Domain Management Servers on Multi-Domain Servers.

If you use the Gradual Migration method:

Workflow:

  1. Perform a Clean Install of a target R80.20 Multi-Domain Server
  2. Create the corresponding Domain Management Servers (but do not start or configure anything in them)
  3. Export the Global Policies from the R7x Multi-Domain Server
  4. Import the R7x Global Policies on the R80.20 Multi-Domain Server
  5. On the R7x Multi-Domain Server, export the entire management database from the applicable source Domain Management Servers one by one
  6. Transfer the exported R7x Domain Management Server management databases to the R80.20 Multi-Domain Server
  7. On the target R80.20 Multi-Domain Server, import the entire management database to the applicable target Domain Management Servers one by one
  8. Configure the Multi-Domain Server administrators and GUI clients
  9. Upgrade the attributes of all managed objects in all Domain Management Servers
  10. Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
  11. Rebuild the status of Global VPN communities after the gradual upgrade
  12. Configure the VPN keys
  13. Test the functionality

Step 1 of 13: Perform a Clean Install of a target R80.20 Multi-Domain Server

Perform a clean install of the R80.20 Multi-Domain Server.

Step 2 of 13: Create the corresponding Domain Management Servers

Create the Domain Management Servers into which you import the entire management database from the source Domain Management Servers.

Step 3 of 13: Export the Global Policies from the R7x Multi-Domain Server

Export the R7x global management database as described in Migrating Global Policies from R7x Multi-Domain Server.

Step 4 of 13: Import the R7x Global Policies on the R80.20 Multi-Domain Server

Import the R7x global management database as described in Migrating Global Policies from R7x Multi-Domain Server.

Step 5 of 13: On the R7x Multi-Domain Server, export the entire management database from the applicable source Domain Management Servers one by one

  1. Connect to the command line on the current Multi-Domain Server.
  2. Log in with the superuser credentials.
  3. Log in to the Expert mode.
  4. Go to the directory where you put the R80.20 Management Server Migration Tool package:

    [Expert@R7x_MDS:0]# cd /var/log/path_to_migration_tool/

  5. Extract the R80.20 Management Server Migration Tool package:

    [Expert@R7x_MDS:0]# tar zxvf <Name of Management Server Migration Tool Package>.tgz

  6. Go to the context of each applicable Domain Management Server:

    [Expert@R7x_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

  7. Export the entire management database from each applicable Domain Management Server:

    [Expert@R7x_MDS:0]# yes | nohup ./migrate export [-l | -x] /<Full Path>/<Name of R7x Domain Exported File> &

    Notes:

      • yes | nohup ... & - are mandatory parts of the syntax.
      • See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.

  8. Calculate the MD5 for each exported database file:

    [Expert@R7x_MDS:0]# md5sum /<Full Path>/<Name of R7x Domain Exported File>.tgz

  9. Transfer each exported Domain Management Server database from the current Multi-Domain Server to an external storage:

    /<Full Path>/<Name of R7x Domain Exported File>.tgz

    Note - Make sure to transfer the files in the binary mode.

Step 6 of 13: Transfer the exported R7x Domain Management Server management databases to the R80.20 Multi-Domain Server

  1. Transfer the exported R7x Domain Management Server management databases from an external storage to the R80.20 Multi-Domain Server, to some directory.

    Note - Make sure to transfer the files in the binary mode.

  2. Make sure the transferred files are not corrupted. Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the R7x Multi-Domain Server:

    [Expert@R80.20_MDS:0]# md5sum /<Full Path>/<Name of R7x Domain Exported File>.tgz
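The MD5 check in Step 5 (item 8) and Step 6 (item 2) is easy to get wrong by eye when several Domain databases are exported. The script below is an added example, not code from the Check Point guide: it records one MD5 manifest on the R7x side and verifies it on the R80.20 side with md5sum -c, so a file damaged in transit (for example by a non-binary FTP transfer) is named before cma_migrate runs on it. The directory names and the export payload are constructed placeholders.

```shell
#!/bin/bash
# Added example, not Check Point's code: write an MD5 manifest for the
# exported Domain databases on the R7x MDS (Step 5, item 8), then verify
# the copies on the R80.20 MDS with "md5sum -c" (Step 6, item 2).
# Directory names below are placeholders; the payload is constructed.

# Source side: record the sum of every .tgz in a directory into exports.md5.
# Transfer exports.md5 together with the .tgz files, in binary mode.
make_export_manifest() {
    ( cd "$1" && md5sum ./*.tgz > exports.md5 )
}

# Target side: exit 0 only if every file listed in exports.md5 matches.
verify_export_manifest() {
    ( cd "$1" && md5sum -c exports.md5 >/dev/null )
}

# Names of the files whose sums do not match (empty when all are intact).
corrupted_exports() {
    ( cd "$1" && md5sum -c exports.md5 2>/dev/null | sed -n 's/: FAILED.*$//p' )
}

# Demonstration with constructed data in a temporary directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/r7x" "$work/r80"
    printf 'constructed R7x export payload\n' > "$work/r7x/MyDomain3_R7x.tgz"
    make_export_manifest "$work/r7x"
    cp "$work/r7x"/* "$work/r80"/            # stands in for the binary-mode copy
    verify_export_manifest "$work/r80" && echo "all exports intact"
    printf '\r' >> "$work/r80/MyDomain3_R7x.tgz"   # simulate damage in transit
    verify_export_manifest "$work/r80" || echo "re-transfer: $(corrupted_exports "$work/r80")"
    rm -rf "$work"
}
demo
```

Copy exports.md5 alongside the .tgz files; md5sum -c then reports every file as OK or FAILED in one pass, and the non-zero exit status can gate the rest of the import procedure.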

Step 7 of 13: On the target R80.20 Multi-Domain Server, import the entire management database to the applicable target Domain Management Servers one by one

  1. Connect to the command line on the current Multi-Domain Server.
  2. Log in with the superuser credentials.
  3. Log in to the Expert mode.
  4. Make sure a valid license is installed:

    mdsenv

    cplic print

    If it is not already installed, then install a valid license now.

  5. Unset the shell idle environment variable:

    [Expert@R80.20_MDS:0]# unset TMOUT

  6. Import the R7x Domain Management Server management databases one by one:

    [Expert@R80.20_MDS:0]# cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

    Example:

    [Expert@R80.20_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.20/customers/MyDomain3/CPsuite-R80.20/fw1/

    Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Domain Management Server according to instructions in the error messages. Then do this procedure again.

  7. Start the new Domain Management Server with the imported R7x management database:

    [Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

  8. Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "up" and show their PID:

    [Expert@MDS:0]# mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down" or "N/A", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

    [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstat

Step 8 of 13: Upgrade the attributes of all managed objects in all Domain Management Servers

  1. Connect to the command line on the R80.20 Multi-Domain Server.
  2. Log in with the superuser credentials.
  3. Log in to the Expert mode.
  4. Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):

    [Expert@MDS:0]# mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

    [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstat

  5. Go to the main MDS context:

    [Expert@MDS:0]# mdsenv

  6. Upgrade the attributes of all managed objects in each Domain Management Server one by one:

    [Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Domain Management Server>

    Note - Because the command prompts you for a 'yes/no' for each Domain and each object in the Domain, you can explicitly provide the 'yes' answer to all questions with this command:

    [Expert@MDS:0]# yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Domain Management Server>

  7. Allow the database synchronization to run:

    [Expert@MDS:0]# $CPDIR/bin/cpprod_util CPPROD_SetValue "FW1/6.0" AfterUpgradeDbsyncIndication 1 1 0

    Restart the Check Point services:

    [Expert@MDS:0]# mdsstop

    [Expert@MDS:0]# mdsstart

    For more information, see sk121718.

  8. Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):

    [Expert@MDS:0]# mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

    [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstat

Step 9 of 13: Configure the Multi-Domain Server administrators and GUI clients

The gradual upgrade does not keep all data.

You must manually redefine and reassign the Multi-Domain Server administrators and GUI clients to Domains after the gradual upgrade.

  1. Run the mdsconfig command and configure the options Administrators and GUI clients.
  2. See the R80.20 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain - Subsection Assigning Trusted Clients to Domains.

Step 10 of 13: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways

Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Domain Management Server.

  1. Connect to the command line on the R80.20 Multi-Domain Server.
  2. Log in with the superuser credentials.
  3. Log in to the Expert mode.
  4. Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server:

    [Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

  5. Go to the context of the new Domain Management Server:

    [Expert@R80.20_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

  6. Reset the SIC on the Domain Management Server:

    [Expert@R80.20_MDS:0]# fwm sic_reset

  7. Create a new Internal Certificate Authority:

    [Expert@R80.20_MDS:0]# mdsconfig -ca <Name of Domain Management Server> <IPv4 Address of Domain Management Server>

  8. Start the new Domain Management Server:

    [Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

  9. Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "up" and show their PID:

    [Expert@MDS:0]# mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down" or "N/A", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

    [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

    [Expert@MDS:0]# mdsstat

  10. Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways:

    1. Reset SIC on each Security Gateway that was managed by the original R7x Domain Management Server.

      For detailed procedure, see sk65764: How to reset SIC.

    2. Connect with SmartConsole to the new Domain Management Server.
    3. Open the object of each Security Gateway.
    4. Establish SIC Trust with each Security Gateway.
    5. Install the Access Control Policy on each Security Gateway.
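The same mdsstat health check recurs in Step 7 (item 8), Step 8 (items 4 and 8) and Step 10 (item 9), with one difference: Step 8 accepts the "pnd" state, the other two require "up" with a PID. The script below is an added example, not code from the Check Point guide: it parses saved mdsstat output, lists the Domain Management Servers that fail the check under either rule, and prints the guide's three recovery commands for review rather than running them. The sample table is constructed to approximate the mdsstat layout; confirm the column positions against the real command before relying on it.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: parse saved "mdsstat"
# output and list the Domain Management Servers whose required daemons
# (FWM, FWD, CPD, CPCA) are not healthy. The sample table below is
# CONSTRUCTED to approximate the mdsstat layout; verify the column
# positions against the real command output on your system.

# Usage: unhealthy_domains <file-with-mdsstat-output> [allow_pnd]
# Prints one Domain name per line for each CMA row that has at least one
# daemon in a state other than "up" (or other than "up"/"pnd" when the
# second argument is "allow_pnd", as Step 8 of the guide permits).
unhealthy_domains() {
    awk -v allow_pnd="${2:-}" -F'|' '
        # Data rows look like: | CMA | Name | up 1234 | up 1235 | up 1236 | down |
        $2 ~ /CMA/ {
            name = $3; gsub(/^[ \t]+|[ \t]+$/, "", name)
            bad = 0
            for (i = 4; i <= 7; i++) {
                split($i, f, " ")          # f[1] = state, f[2] = PID (if any)
                if (f[1] == "up") continue
                if (f[1] == "pnd" && allow_pnd == "allow_pnd") continue
                bad = 1
            }
            if (bad) print name
        }' "$1"
}

# Print the three recovery commands from the guide for one Domain instead
# of running them, so an operator can review them first.
recovery_commands() {
    printf 'mdsstop_customer %s\nmdsstart_customer %s\nmdsstat\n' "$1" "$1"
}

# Constructed sample (not real mdsstat output).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
+-------+-------------------------------+------------+------------+------------+------------+
| Type  | Name                          |    FWM     |    FWD     |    CPD     |    CPCA    |
+-------+-------------------------------+------------+------------+------------+------------+
| MDS   |               -               | up 10021   | up 10022   | up 10023   | up 10024   |
| CMA   | MyDomain1                     | up 20011   | up 20012   | up 20013   | up 20014   |
| CMA   | MyDomain2                     | pnd        | up 20022   | up 20023   | up 20024   |
| CMA   | MyDomain3                     | up 20031   | down       | up 20033   | N/A        |
+-------+-------------------------------+------------+------------+------------+------------+
EOF

echo "Strict rule (Step 7 / Step 10):"
for d in $(unhealthy_domains "$SAMPLE"); do
    echo "  $d is not fully up; recovery steps:"
    recovery_commands "$d" | sed 's/^/    /'
done
echo "Relaxed rule (Step 8, pnd accepted):"
unhealthy_domains "$SAMPLE" allow_pnd | sed 's/^/  /'
rm -f "$SAMPLE"
```

On a live system, save the output with mdsstat > /tmp/mdsstat.txt and pass that file; an empty result under the strict rule is the condition the guide asks for before proceeding.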

Step 11 of 13: Rebuild the status of Global VPN communities after the gradual upgrade

The gradual upgrade does not keep all data.

  1. Connect to the command line on the R80.20 Multi-Domain Server.
  2. Log in with the superuser credentials.
  3. Log in to the Expert mode.
  4. Go to the main MDS context:

    [Expert@R80.20_MDS:0]# mdsenv

  5. Rebuild the status of Global VPN communities:

    [Expert@R80.20_MDS:0]# fwm mds rebuild_global_communities_status all

Step 12 of 13: Configure the VPN keys

Note - This step applies if the original R7x Domain Management Server managed VPN gateways.

There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.

The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.
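Before a third-party peer rejects a tunnel, the host name that the issuing CA embedded in a gateway's IKE certificate can be inspected directly. The script below is an added example, not code from the Check Point guide; it assumes that the management-server reference the peer follows is carried in the certificate's CRL Distribution Point URI (where a Check Point Internal CA places it) and generates a constructed, self-signed stand-in certificate whose CRL URI still names a placeholder original server, so the check has something to flag. Host names and the port in the URI are placeholders.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: inspect a gateway's IKE
# certificate for the management-server host name embedded by the issuing
# CA, so a stale reference to the original R7x server can be spotted
# before a third-party peer rejects the certificate.
# Assumption: the reference lives in the CRL Distribution Point URI. The
# certificate built below is a constructed, self-signed stand-in; all host
# names are placeholders.

# Print the host part of every CRL Distribution Point URI in a PEM cert.
crl_hosts() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's|.*URI:[A-Za-z]*://\([^:/]*\).*|\1|p'
}

# Exit 0 when every CRL host in the certificate equals the expected
# management host name, 1 otherwise (the case a peer would choke on).
check_ca_reference() {
    cert="$1"; expected="$2"
    hosts=$(crl_hosts "$cert")
    [ -n "$hosts" ] || return 1          # no CRL DP at all: treat as mismatch
    for h in $hosts; do
        [ "$h" = "$expected" ] || return 1
    done
    return 0
}

# Build a constructed certificate whose CRL DP still points at the old MDS.
make_sample_cert() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=gw1.example.com" \
        -addext "crlDistributionPoints=URI:http://old-r7x-mds.example.com:18264/ICA_CRL1.crl" \
        -keyout "$out.key" -out "$out" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/gw1.pem"
    echo "CRL host(s) in certificate: $(crl_hosts "$tmp/gw1.pem")"
    if check_ca_reference "$tmp/gw1.pem" "new-r80-mds.example.com"; then
        echo "certificate references the new management server"
    else
        echo "certificate still references the original server; peers that fetch the CRL from it will fail"
    fi
    rm -rf "$tmp"
fi
```

On a real gateway, point crl_hosts at the exported IKE certificate and compare the result with the host name of the R80.20 Domain Management Server; a mismatch is the condition this section describes.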

To fix:

Step 13 of 13: Test the functionality

  1. Connect with SmartConsole to the R80.20 Multi-Domain Server.
  2. Make sure the management database and configuration were upgraded correctly on each Domain Management Server.