Upgrading one R7x Multi-Domain Server with Gradual Migration of Domain Management Servers

Attention:

This upgrade method is supported only when you upgrade from R7x versions.

We recommend to upgrade the entire Multi-Domain Server at once with one of these methods:

Upgrading one Multi-Domain Server from R80.20, R80.10, and lower with CPUSE
Upgrading one Multi-Domain Server from R80.20, R80.10, and lower with Advanced Upgrade

Because upgrade of the entire Multi-Domain Server at once is the default recommended method, use the Gradual Migration of Domain Management Servers only in these cases:

The entire Multi-Domain Server cannot be upgraded at once because of a business impact.
During the upgrade, you need to rename some or all of the Domain Management Servers.
In Multi-Domain Server High Availability deployment, you need to change the number of Domain Management Servers on Multi-Domain Servers.

If you use the Gradual Migration method:

You must migrate the Global Policies before you migrate the databases from other Domains.
You can migrate the Global Policies only one time from the R7x Multi-Domain Server.
Until the entire migration procedure is completed, you cannot make changes in the Global Policies on the source Multi-Domain Servers.
If you need to make changes on the source Multi-Domain Servers, follow these guidelines:
- If you deleted or modified a global object in the source R7x Multi-Domain Server database, you must make the same changes in the migrated Global Policies on the target R80.20 Multi-Domain Server.
- If you added a global object in the source R7x Multi-Domain Server database, you must delete that global object before you export the databases from other Domains.

Workflow:

Perform a Clean Install of a target R80.20 Multi-Domain Server
Create the corresponding Domain Management Servers (but do not start or configure anything in them)
Export the Global Policies from the R7x Multi-Domain Server
Import the R7x Global Policies on the R80.20 Multi-Domain Server
On the R7x Multi-Domain Server, export the entire management database from the applicable source Domain Management Servers one by one
Transfer the exported R7x Domain Management Server management databases to the R80.20 Multi-Domain Server
On the target R80.20 Multi-Domain Server, import the entire management database to the applicable target Domain Management Servers one by one
Configure the Multi-Domain Server administrators and GUI clients
Upgrade the attributes of all managed objects in all Domain Management Servers
Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
Rebuild the status of Global VPN communities after the gradual upgrade
Configure the VPN keys
Test the functionality

Step 1 of 13: Perform a Clean Install of a target R80.20 Multi-Domain Server

Perform a clean install of the R80.20 Multi-Domain Server.

Step 2 of 13: Create the corresponding Domain Management Servers

Create the Domain Management Servers, into which you import the entire management database from the source Domain Management Servers.

You can create the Domain Management Servers in one these ways:
- In SmartConsole.
  See the R80.20 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain.
- With the mgmt_cli add domain command.
  See the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain.
Do not start the new Domain Management Servers.
Do not configure anything in the new Domain Management Servers.

Step 3 of 13: Export the Global Policies from the R7x Multi-Domain Server

Export the R7x global management database as described in Migrating Global Policies from R7x Multi-Domain Server.

Step 4 of 13: Import the R7x Global Policies on the R80.20 Multi-Domain Server

Import the R7x global management database as described in Migrating Global Policies from R7x Multi-Domain Server.

Step 5 of 13: On the R7x Multi-Domain Server, export the entire management database from the applicable source Domain Management Servers one by one

Step	Description
1	Connect to the command line on the current Multi-Domain Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Go to the directory, where you put the R80.20 Management Server Migration Tool package: `[Expert@R7x_MDS:0]# cd /var/log/path_to_migration_tool/`
5	Extract the R80.20 Management Server Migration Tool package: `[Expert@R7x_MDS:0]# tar zxvf <`Name of Management Server Migration Tool Package`>.tgz`
6	Go to the context of each applicable Domain Management Server: `[Expert@R7x_MDS:0]# mdsenv <`IP Address or Name of Domain Management Server`>`
7	Export the entire management database from each applicable Domain Management Server: [`Expert@R7x_MDS:0]# yes \| nohup ./migrate export [-l \| -x] /<`Full Path`>/<`Name of R7x Domain Exported File`>` & Notes: `yes \| nohup ... &` - are mandatory parts of the syntax. See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.
8	Calculate the MD5 for each exported database file: `[Expert@R7x_MDS:0]# md5sum /<`Full Path`>/<`Name of R7x Domain Exported File`>.tgz`
9	Transfer each exported Domain Management Server database from the current Multi-Domain Server to an external storage: `/<`Full Path`>/<`Name of R7x Domain Exported File`>.tgz` Note - Make sure to transfer the files in the binary mode.

Step 6 of 13: Transfer the exported R7x Domain Management Server management databases to the R80.20 Multi-Domain Server

Step	Description
1	Transfer the exported R7x Domain Management Server management databases from an external storage to the R80.20 Multi-Domain Server, to some directory. Note - Make sure to transfer the files in the binary mode.
2	Make sure the transferred files are not corrupted. Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the R7x Multi-Domain Server: `[Expert@R80.20_MDS:0]# md5sum /<`Full Path`>/<`Name of R7x Domain Exported File`>.tgz`

Step

Description

Transfer the exported R7x Domain Management Server management databases from an external storage to the R80.20 Multi-Domain Server, to some directory.

Note - Make sure to transfer the files in the binary mode.

Make sure the transferred files are not corrupted. Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the R7x Multi-Domain Server:

[Expert@R80.20_MDS:0]# md5sum /<Full Path>/<Name of R7x Domain Exported File>.tgz

Step 7 of 13: On the target R80.20 Multi-Domain Server, import the entire management database to the applicable target Domain Management Servers one by one

Step	Description
1	Connect to the command line on the current Multi-Domain Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Make sure a valid license is installed: `mdsenv` `cplic print` If it is not already installed, then install a valid license now.
5	Unset the shell idle environment variable: `[Expert@R80.20_MDS:0]# unset TMOUT`
6	Import the R7x Domain Management Server management databases one by one: `[Expert@R80.20_MDS:0]# cma_migrate /<`Full Path`>/<`Name of R7x Domain Exported File`>.tgz /<`Full Path`>/<`$FWDIR Directory of the New Domain Management Server`>/` Example: `[Expert@R80.20_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.20/customers/MyDomain3/CPsuite-R80.20/fw1/` Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Domain Management Server according to instructions in the error messages. Then do this procedure again.
7	Start the new Domain Management Server with the imported R7x management database: `[Expert@R80.20_MDS:0]# mdsstart_customer <`IP Address or Name of Domain Management Server`>`
8	Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "`up`" and show their PID: `[Expert@MDS:0]# mdsstat` If some of the required daemons on a Domain Management Server are in the state "`down`" or "`N/A`", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands: `[Expert@MDS:0]# mdsstop_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstart_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstat`

Step 8 of 13: Upgrade the attributes of all managed objects in all Domain Management Servers

Step	Description
1	Connect to the command line on the R80.20 Multi-Domain Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "`down`" (the "`pnd`" state is acceptable): `[Expert@MDS:0]# mdsstat` If some of the required daemons on a Domain Management Server are in the state "`down`", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands: `[Expert@MDS:0]# mdsstop_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstart_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstat`
5	Go to the main MDS context: `[Expert@MDS:0]# mdsenv`
6	Upgrade the attributes of all managed objects in each Domain Management Server one by one: `[Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <`Name of Domain Management Server`>` Note - Because the command prompts you for a '`yes/no`' for each Domain and each object in the Domain, you can explicitly provide the '`yes`' answer to all questions with this command: `[Expert@MDS:0]# yes \| $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <`Name of Domain Management Server`>`
7	Allow the database synchronization to run: `[Expert@MDS:0]# $CPDIR/bin/cpprod_util CPPROD_SetValue "FW1/6.0" AfterUpgradeDbsyncIndication 1 1 0` Restart the Check Point services: `[Expert@MDS:0]# mdsstop` `[Expert@MDS:0]# mdsstart` For more information, see sk121718.
8	Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "`down`" (the "`pnd`" state is acceptable): `[Expert@MDS:0]# mdsstat` If some of the required daemons on a Domain Management Servers are in the state "`down`", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands: `[Expert@MDS:0]# mdsstop_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstart_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstat`

Step 9 of 13: Configure the Multi-Domain Server administrators and GUI clients

The gradual upgrade does not keep all data.

You must manually redefine and reassign the Multi-Domain Server administrators and GUI clients to Domains after the gradual upgrade.

Step	Description
1	Run the `mdsconfig` command and configure the options Administrators and GUI clients.
2	See the R80.20 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain - Subsection Assigning Trusted Clients to Domains.

Step 10 of 13: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways

Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Domain Management Server.

Step	Description
1	Connect to the command line on the R80.20 Multi-Domain Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server: `[Expert@R80.20_MDS:0]# mdsstop_customer <`IP Address or Name of Domain Management Server`>`
5	Go to the context of the new Domain Management Server: `[Expert@R80.20_MDS:0]# mdsenv <`IP Address or Name of Domain Management Server`>`
6	Reset the SIC on the Domain Management Server: `[Expert@R80.20_MDS:0]# fwm sic_reset`
7	Create a new Internal Certificate Authority: `[Expert@R80.20_MDS:0]# mdsconfig -ca <`Name of Domain Management Server`> <`IPv4 Address of Domain Management Server`>`
8	Start the new Domain Management Server: `[Expert@R80.20_MDS:0]# mdsstart_customer <`IP Address or Name of Domain Management Server`>`
9	Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "`up`" and show their PID: `[Expert@MDS:0]# mdsstat` If some of the required daemons on a Domain Management Server are in the state "`down`" or "`N/A`", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands: `[Expert@MDS:0]# mdsstop_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstart_customer <`IP Address or Name of Domain Management Server`>` `[Expert@MDS:0]# mdsstat`
10	Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways: Reset SIC on each Security Gateway that was managed by the original R7x Domain Management Server. For detailed procedure, see sk65764: How to reset SIC. Connect with SmartConsole to the new Domain Management Server. Open the object of each Security Gateway. Establish SIC Trust with of each Security Gateway. Install the Access Control Policy on each Security Gateway.

Step 11 of 13: Rebuild the status of Global VPN communities after the gradual upgrade

The gradual upgrade does not keep all data.

Step	Description
1	Connect to the command on the R80.20 Multi-Domain Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Go to the main MDS context: `[Expert@R80.20_MDS:0]# mdsenv`
5	Rebuild the status of Global VPN communities: `[Expert@R80.20_MDS:0]# fwm mds rebuild_global_communities_status all`

Step 12 of 13: Configure the VPN keys

Note - This step applies if the original R7x Domain Management Server managed VPN gateways.

There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.

The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.

To fix:

Update the external DNS server to resolve the host name to the IP address of the applicable Domain Management Server.
Revoke the IKE certificate for the gateway and create a new one.

Step 12 of 13: Test the functionality

Step	Description
1	Connect with SmartConsole to the R80.20 Multi-Domain Server.
2	Make sure the management database and configuration were upgraded correctly on each Domain Management Server.