Migrating Global Policies from an R7x Multi-Domain Server

This procedure lets you export the Global Policies from an R7x Multi-Domain Server and import them to the R80.20 Multi-Domain Server.

Note - This procedure is not supported for exporting the Global Policies from an R8x Multi-Domain Server.

Important:

You must migrate the Global Policies before you migrate the databases from other Domains.
You can migrate the Global Policies only one time from the R7x Multi-Domain Server.

Workflow:

Perform a Clean Install of a target R80.20 Multi-Domain Server
Get the R80.20 Management Server Migration Tool on the R7x Multi-Domain Server
Export the global management database from the R7x Global Domain
On the Primary R80.20 Multi-Domain Server, set the Global Domain to the Active state
On the R80.20 Multi-Domain Server, remove all the global objects from the Global Domain
On the R80.20 Multi-Domain Server, import the R7x global management database to the Global Domain
In R80.20 Multi-Domain Server High Availability, synchronize the global databases

Step 1 of 7: Install a target R80.20 Multi-Domain Server

Perform a clean install of the R80.20 Multi-Domain Server.

Important - Do not create Domains.

Step 2 of 7: Get the R80.20 Management Server Migration Tool on the R7x Multi-Domain Server

Step	Description
1	Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK.
2	Transfer the R80.20 Management Server Migration Tool package to the R7x Multi-Domain Server to some directory (for example, `/var/log/path_to_migration_tool/`). Note - Make sure to transfer the file in the binary mode.

Step

Description

Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK.

Transfer the R80.20 Management Server Migration Tool package to the R7x Multi-Domain Server to some directory (for example, /var/log/path_to_migration_tool/).

Note - Make sure to transfer the file in the binary mode.

Step 3 of 7: Export the global management database from the R7x Global Domain

Step	Description
1	Close all GUI clients (SmartConsole applications) connected to the R7x Multi-Domain Server.
2	Connect to the command line on the R7x Multi-Domain Server.
3	Log in with the superuser credentials.
4	Log in to the Expert mode.
5	Go to the directory, where you put the R80.20 Management Server Migration Tool package: `[Expert@R7x_MDS:0]# cd /var/log/path_to_migration_tool/`
6	Extract the R80.20 Management Server Migration Tool package: `[Expert@R7x_MDS:0]# tar zxvf <`Name of Management Server Migration Tool Package`>.tgz`
7	Go to the main MDS context: `[Expert@R7x_MDS:0]# mdsenv`
8	Export the entire management database: `[Expert@R7x_MDS:0]# yes \| nohup ./migrate export [-f] [-n] /<`Full Path`>/R7x_global_policies` & Notes: `yes \| nohup ... &` - are mandatory parts of the syntax. See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.
9	Calculate the MD5 for the exported database file: `[Expert@R7x_MDS:0]# md5sum /<`Full Path`>/R7x_global_policies.tgz`
10	Transfer the exported database from the R7x Multi-Domain Server to an external storage: `/<`Full Path`>/R7x_global_policies.tgz` Note - Make sure to transfer the file in the binary mode.

Step 4 of 7: On the Primary R80.20 Multi-Domain Server, set the Global Domain to the Active state

In Management High Availability environment, make sure Global Domain is in the Active state on the Primary Multi-Domain Server.

Step	Description
1	Connect with SmartConsole to the IP address of the Primary R80.20 Multi-Domain Server. Select the MDS context.
2	From the left navigation panel, click Multi-Domain > Domains.
3	If the Global Domain on the Primary Multi-Domain Server is in the Standby state, then proceed to the next Step 4. If the Global Domain on the Primary Multi-Domain Server is already in the Active state, then skip to the next procedure Step 5 of 7.
4	Right-click the cell of the Global Domain, and select Connect to Domain Server.
5	In the Domain SmartConsole instance, in the top left corner, click Menu > Management High Availability.
6	In the High Availability Status window, in the Connected To section, click Actions > Set Active.
7	Close the Domain SmartConsole instance.

Step 5 of 7: On the R80.20 Multi-Domain Server, remove all the global objects from the Global Domain

Note - This step applies only if you already configured global objects on the R80.20 Multi-Domain Server.

Step	Description
1	Connect with SmartConsole to the IP address of the Multi-Domain Server. Select the MDS context. Note - In Multi-Domain Server High Availability environment, connect to the Primary Multi-Domain Server.
2	From the left navigation panel, click Multi-Domain > Domains.
3	Right-click the cell of the Global Domain, and select Connect to Domain Server.
4	In the Domain SmartConsole instance, click Objects menu > Object Explorer.
5	Remove all the global objects.
6	Publish the session.
7	Close the Domain SmartConsole instance.

Step 6 of 7: On the R80.20 Multi-Domain Server, import the R7x global management database to the Global Domain

Step	Description
1	Connect to the command line on the R80.20 Multi-Domain Server. Note - In Multi-Domain Server High Availability environment, connect to the Primary Multi-Domain Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Make sure a valid license is installed: `mdsenv` `cplic print` If it is not already installed, then install a valid license now.
5	Transfer the exported database from an external storage to the R80.20 (Primary) Multi-Domain Server, to some directory. Note - Make sure to transfer the file in the binary mode.
6	Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original R7x Multi-Domain Server: `[Expert@R8x_MDS:0]# md5sum /<`Full Path`>/R7x_global_policies.tgz`
7	Go to the main MDS context: `[Expert@R8x_MDS:0]# mdsenv`
8	Import the global management database: `[Expert@R8x_MDS:0]# ./migrate_global_policies /<`Full Path`>/R7x_global_policies.tgz` Note - When executing this command, the Multi-Domain Server is stopped.
9	Restart the Check Point services: `[Expert@R8x_MDS:0]# mdsstop` `[Expert@R8x_MDS:0]# mdsstart`
10	Make sure that on all Domain Management Servers, all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "`up`" and show their PID: `[Expert@R8x_MDS:0]# mdsstat` If some of the required daemons on a Domain Management Server are in the state "`down`" or "`N/A`", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands: `[Expert@R8x_MDS:0]# mdsstop_customer <`IP Address or Name of Domain Management Server`>` `[Expert@R8x_MDS:0]# mdsstart_customer <`IP Address or Name of Domain Management Server`>` `[Expert@R8x_MDS:0]# mdsstat`

Step 7 of 7: In R80.20 Multi-Domain Server High Availability, synchronize the global databases

Step	Description
1	Connect with SmartConsole to the IP address of the Primary R80.20 Multi-Domain Server. Select the MDS context.
2	From the left navigation panel, click Multi-Domain > Domains.
3	Right-click the cell of the Global Domain Server in the Active state, and select Connect to Domain Server.
4	In the Domain SmartConsole instance, in the top left corner, click Menu > Management High Availability.
5	In the High Availability Status window, in the Peers section, click Sync Peer. Note - The synchronization operation can take many minutes to complete.
6	Close the Domain SmartConsole instance.