Print Download PDF Send Feedback

Previous

Next

Migrating Database from an R7x Domain Management Server to an R80.20 Domain Management Server

This procedure lets you export the entire management database from a specific Domain Management Server on an R7x Multi-Domain Server and import it to a new Domain Management Server on an R80.20 Multi-Domain Server.

Note - This procedure is not supported for exporting the management database from a specific Domain Management Server on an R8x Multi-Domain Server and importing it on an R80.20 Multi-Domain Server.

Important - Before you migrate:

Step

Description

1

Back up your current configuration.

The procedure below resets SIC on the Domain Management Server to be migrated!

2

Make sure in R7x SmartDomain Manager that there is one Domain Management Server in the Active state in each Domain to be migrated.

3

Make sure that you are migrating the database only on one Domain Management Server.

If you migrate a database to more than one Domain Management Server, the import fails and shows an error message.

Important - Before you import the database on the Secondary Multi-Domain Server in Management High Availability, you must change the state of its Global Domain to Active:

  1. Connect with SmartConsole to the Secondary Multi-Domain Server.
  2. From the left navigation panel, click Multi Domain > Domains.
  3. Right-click the Global Domain of the Secondary Multi-Domain Server and click Connect to Domain.
  4. Click Menu > Management High Availability.
  5. Select Actions > Set Active for the Connected Domain.
  6. Close SmartConsole.

Workflow:

  1. Get the R80.20 Management Server Migration Tool
  2. On the R7x Multi-Domain Server, export the Domain Management Server management database
  3. On the R80.20 Multi-Domain Server, create a new Domain Management Server
  4. Transfer the exported R7x Domain Management Server management database to the R80.20 Multi-Domain Server
  5. On the R80.20 Multi-Domain Server, import the R7x Domain Management Server management database to the new Domain Management Server
  6. Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
  7. Configure the VPN keys

Step 1 of 7: Get the R80.20 Management Server Migration Tool

Step

Description

1

Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK.

2

Transfer the R80.20 Management Server Migration Tool package to the R7x Multi-Domain Server to some directory (for example, /var/log/path_to_migration_tool/).

Note - Make sure to transfer the file in the binary mode.

Step 2 of 7: On the R7x Multi-Domain Server, export the Domain Management Server management database

Step

Description

1

Connect to the command line on the R7x Multi-Domain Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Go to the directory, where you put the R80.20 Management Server Migration Tool package:

[Expert@R7x_MDS:0]# cd /var/log/path_to_migration_tool/

5

Extract the R80.20 Management Server Migration Tool package:

[Expert@R7x_MDS:0]# tar zxvf <Name of Management Server Migration Tool Package>.tgz

6

Go to the context of the applicable Domain Management Server:

[Expert@R7x_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

7

Export the entire management database from the Domain Management Server:

[Expert@R7x_MDS:0]# yes | nohup ./migrate export [-l | -x] /<Full Path>/<Name of R7x Domain Exported File> &

Notes:

  • yes | nohup ... & - are mandatory parts of the syntax.
  • See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.

8

Calculate the MD5 for the exported database file:

[Expert@R7x_MDS:0]# md5sum /<Full Path>/<Name of R7x Domain Exported File>.tgz

9

Transfer the exported Domain Management Server database from the current Multi-Domain Server to an external storage:

/<Full Path>/<Name of R7x Domain Exported File>.tgz

Note - Make sure to transfer the file in the binary mode.

Step 3 of 7: On the R80.20 Multi-Domain Server, create a new Domain Management Server

Step

Description

1

Connect to the command line on the R80.20 Multi-Domain Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Make sure a valid license is installed:

mdsenv

cplic print

If it is not already installed, then install a valid license now.

5

Create a new Domain Management Server:

Note - This is one long command will multiple parameters.

[Expert@R80.20_MDS:0]# mgmt_cli --root true add domain name <Name of New Domain> comments "<Desired Comment Text>" servers.ip-address <IPv4 Address of New Domain> servers.name <Name of New Domain Management Server> servers.multi-domain-server <Name of R80.20 Multi-Domain Server> servers.skip-start-domain-server true

For more information, see the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain.

Important! After you create the new Domain with this command, do not change the Domain IPv4 address until you run the cma_migrate command.

Step 4 of 7: Transfer the exported R7x Domain Management Server management database to the R80.20 Multi-Domain Server

Step

Description

1

Transfer the exported R7x Domain Management Server management database from an external storage to the R80.20 Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

2

Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the R7x Multi-Domain Server:

[Expert@R80.20_MDS:0]# md5sum /<Full Path>/<Name of R7x Domain Exported File>.tgz

Step 5 of 7: On the R80.20 Multi-Domain Server, import the R7x Domain Management Server management database to the new Domain Management Server

Step

Description

1

Connect to the command line on the R80.20 Multi-Domain Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Unset the shell idle environment variable:

[Expert@R80.20_MDS:0]# unset TMOUT

5

Import the R7x Domain Management Server management database:

[Expert@R80.20_MDS:0]# cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

Example:

[Expert@R80.20_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.20/customers/MyDomain3/CPsuite-R80.20>/fw1/

Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Domain Management Server according to instructions in the error messages. Then do this procedure again.

6

Start the new Domain Management Server with the imported R7x management database:

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

7

Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "up" and show their PID:

[Expert@R80.20_MDS:0]# mdsstat

If some of the required daemons on a Domain Management Server are in the state "down" or "N/A", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

[Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstat

Step 6 of 7: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways

Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Domain Management Server.

Step

Description

1

Connect to the command on the R80.20 Multi-Domain Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server:

[Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

5

Go to the context of the new Domain Management Server:

[Expert@R80.20_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

6

Reset the SIC on the Domain Management Server:

[Expert@R80.20_MDS:0]# fwm sic_reset

7

Create a new Internal Certificate Authority:

[Expert@R80.20_MDS:0]# mdsconfig -ca <Name of Domain Management Server> <IPv4 Address of Domain Management Server>

8

Start the new Domain Management Server:

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

9

Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "up" and show their PID:

[Expert@R80.20_MDS:0]# mdsstat

If some of the required daemons on a Domain Management Server are in the state "down" or "N/A", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

[Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstat

10

Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways:

  1. Reset SIC on each Security Gateway that was managed by the original R7x Domain Management Server.

    For detailed procedure, see sk65764: How to reset SIC.

  2. Connect with SmartConsole to the new Domain Management Server.
  3. Open the object of each Security Gateway.
  4. Establish SIC Trust with of each Security Gateway.
  5. Install the Access Control Policy on each Security Gateway.

Step 7 of 7: Configure the VPN keys

Note - This step applies if the original R7x Domain Management Server managed VPN gateways.

There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.

The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.

To fix:

To migrate a management database from R7x Domain Management Server on a Secondary R80.20 Multi-Domain Server

Step

Description

1

Connect to the command line on the Secondary R80.20 Multi-Domain Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Connect with SmartConsole to the Secondary Multi-Domain Server.

5

From the left navigation panel, click Multi Domain > Domains.

6

Right-click the Global Domain of the Secondary Multi-Domain Server and click Connect to Domain.

7

In the top left corner, click Menu > Management High Availability.

8

In the High Availability Status window, in the Connected To section, click Actions > Set Active.

9

Close the Domain SmartConsole instance.