This procedure lets you export the entire management database from a specific Domain Management Server on an R7x Multi-Domain Server and import it to a new Domain Management Server on an R80.20 Multi-Domain Server.
Note - This procedure is not supported for exporting the management database from a specific Domain Management Server on an R8x Multi-Domain Server and importing it on an R80.20 Multi-Domain Server.
Important - Before you migrate:
Step | Description |
---|---|
1 | Back up your current configuration. The procedure below resets SIC on the Domain Management Server to be migrated! |
2 | Make sure in R7x SmartDomain Manager that there is one Domain Management Server in the Active state in each Domain to be migrated. |
3 | Make sure that you are migrating the database only on one Domain Management Server. If you migrate a database to more than one Domain Management Server, the import fails and shows an error message. |
Important - Before you import the database on the Secondary Multi-Domain Server in Management High Availability, you must change the state of its Global Domain to Active:
Workflow:
Step 1 of 7: Get the R80.20 Management Server Migration Tool
Step | Description |
---|---|
1 | Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK. |
2 | Transfer the R80.20 Management Server Migration Tool package to the R7x Multi-Domain Server to some directory (for example, Note - Make sure to transfer the file in the binary mode. |
Step 2 of 7: On the R7x Multi-Domain Server, export the Domain Management Server management database
Step | Description |
---|---|
1 | Connect to the command line on the R7x Multi-Domain Server. |
2 | Log in with the superuser credentials. |
3 | Log in to the Expert mode. |
4 | Go to the directory, where you put the R80.20 Management Server Migration Tool package: |
5 | Extract the R80.20 Management Server Migration Tool package: |
6 | Go to the context of the applicable Domain Management Server: |
7 | Export the entire management database from the Domain Management Server: Notes: |
8 | Calculate the MD5 for the exported database file: |
9 | Transfer the exported Domain Management Server database from the current Multi-Domain Server to an external storage: Note - Make sure to transfer the file in the binary mode. |
Step 3 of 7: On the R80.20 Multi-Domain Server, create a new Domain Management Server
Step | Description |
---|---|
1 | Connect to the command line on the R80.20 Multi-Domain Server. |
2 | Log in with the superuser credentials. |
3 | Log in to the Expert mode. |
4 | Make sure a valid license is installed: If it is not already installed, then install a valid license now. |
5 | Create a new Domain Management Server: Note - This is one long command with multiple parameters. For more information, see the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain. Important! After you create the new Domain with this command, do not change the Domain IPv4 address until you run the |
Step 4 of 7: Transfer the exported R7x Domain Management Server management database to the R80.20 Multi-Domain Server
Step | Description |
---|---|
1 | Transfer the exported R7x Domain Management Server management database from an external storage to the R80.20 Multi-Domain Server, to some directory. Note - Make sure to transfer the file in the binary mode. |
2 | Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the R7x Multi-Domain Server: |
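
The checksum comparison from Step 2 (item 8) and Step 4 (item 2), as an added example that is not part of the original procedure. It uses the standard `md5sum` utility; the helper names (`md5_of`, `verify_md5`, `demo`), the file names and the stand-in file are constructed for illustration, and the demo shows how an ASCII-mode transfer alters the file and fails the check.

```shell
#!/bin/sh
# Added example: MD5 check around the file transfers in this procedure.
# File names are constructed placeholders, not paths from the procedure.

# md5_of FILE: print only the hex digest of FILE.
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# verify_md5 FILE EXPECTED: run on the destination server after the transfer.
# Returns 0 on match, 1 on mismatch, 2 when the file or digest is unusable.
verify_md5() {
    vm_file=$1
    vm_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -s "$vm_file" ]; then
        echo "missing or empty file: $vm_file" >&2
        return 2
    fi
    # Blank the value if it has non-hex characters; the length test rejects it.
    case $vm_expected in *[!0-9a-f]*) vm_expected= ;; esac
    if [ "${#vm_expected}" -ne 32 ]; then
        echo "expected value is not an MD5 digest" >&2
        return 2
    fi
    vm_actual=$(md5_of "$vm_file")
    if [ "$vm_actual" = "$vm_expected" ]; then
        echo "MD5 matches: $vm_actual"
        return 0
    fi
    echo "MD5 mismatch: expected $vm_expected, got $vm_actual; transfer the file again" >&2
    return 1
}

# demo: a constructed stand-in for the exported database, copied two ways.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed\nexport\ndata\n' > "$d/dms_export.sample"
    sum=$(md5_of "$d/dms_export.sample")            # recorded on the source server
    cp "$d/dms_export.sample" "$d/binary_copy"      # binary mode: bytes unchanged
    awk '{printf "%s\r\n", $0}' "$d/dms_export.sample" > "$d/ascii_copy"  # ASCII mode: LF becomes CRLF
    rc_bin=0;   verify_md5 "$d/binary_copy" "$sum" || rc_bin=$?
    rc_ascii=0; verify_md5 "$d/ascii_copy" "$sum" || rc_ascii=$?
    rm -rf "$d"
    [ "$rc_bin" -eq 0 ] && [ "$rc_ascii" -eq 1 ]
}

demo
```

Import only a file for which `verify_md5` returns 0; a return of 1 means the bytes changed in transit.
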
Step 5 of 7: On the R80.20 Multi-Domain Server, import the R7x Domain Management Server management database to the new Domain Management Server
Step | Description |
---|---|
1 | Connect to the command line on the R80.20 Multi-Domain Server. |
2 | Log in with the superuser credentials. |
3 | Log in to the Expert mode. |
4 | Unset the shell idle environment variable: |
5 | Import the R7x Domain Management Server management database: Example: Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Domain Management Server according to instructions in the error messages. Then do this procedure again. |
6 | Start the new Domain Management Server with the imported R7x management database: |
7 | Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state " If some of the required daemons on a Domain Management Server are in the state " |
Step 6 of 7: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Domain Management Server.
Step | Description |
---|---|
1 | Connect to the command line on the R80.20 Multi-Domain Server. |
2 | Log in with the superuser credentials. |
3 | Log in to the Expert mode. |
4 | Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server: |
5 | Go to the context of the new Domain Management Server: |
6 | Reset the SIC on the Domain Management Server: |
7 | Create a new Internal Certificate Authority: |
8 | Start the new Domain Management Server: |
9 | Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state " If some of the required daemons on a Domain Management Server are in the state " |
10 | Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways: |
Step 7 of 7: Configure the VPN keys
Note - This step applies if the original R7x Domain Management Server managed VPN gateways.
There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.
The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.
To fix:
To migrate a management database from R7x Domain Management Server on a Secondary R80.20 Multi-Domain Server
Step | Description |
---|---|
1 | Connect to the command line on the Secondary R80.20 Multi-Domain Server. |
2 | Log in with the superuser credentials. |
3 | Log in to the Expert mode. |
4 | Connect with SmartConsole to the Secondary Multi-Domain Server. |
5 | From the left navigation panel, click Multi Domain > Domains. |
6 | Right-click the Global Domain of the Secondary Multi-Domain Server and click Connect to Domain. |
7 | In the top left corner, click Menu > Management High Availability. |
8 | In the High Availability Status window, in the Connected To section, click Actions > Set Active. |
9 | Close the Domain SmartConsole instance. |