1

Back up your current configuration.

The procedure below resets SIC on the Domain Management Server to be migrated!

2

Make sure that you are migrating the database only on one Domain Management Server.

If you migrate a database to more than one Domain Management Server, the import fails and shows an error message.

1

Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK.

2

Transfer the R80.20 Management Server Migration Tool package to the R7x Standalone to some directory (for example, /var/log/path_to_migration_tool/).

Note - Make sure to transfer the file in the binary mode.

1

Connect to the command line on the R7x Security Management Server.

2

Log in to the Expert mode.

3

Go to the directory, where you put the R80.20 Management Server Migration Tool package:

[Expert@R7x_MGMT:0]# cd /var/log/Management Server Migration Tool/

4

Extract the R80.20 Management Server Migration Tool package:

[Expert@R7x_MGMT:0]# tar zxvf <Name of Management Server Migration Tool Package>.tgz

5

Export the entire management database:

[Expert@R7x_MGMT:0]# yes | nohup ./migrate export [-f] [-n] /<Full Path>/<Name of R7x MGMT Exported File> &

Notes:

• yes | nohup ... & - are mandatory parts of the syntax.
• See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.

6

Calculate the MD5 for the exported database file:

[Expert@R7x_MGMT:0]# md5sum /<Full Path>/<Name of R7x MGMT Exported File>.tgz

7

Transfer the exported database from the R7x Security Management Server to an external storage:

/<Full Path>/<Name of R7x MGMT Exported File>.tgz

Note - Make sure to transfer the file in the binary mode.

1

Connect to the command line on the R80.20 Multi-Domain Server.

2

Log in to the Expert mode.

3

Make sure a valid license is installed:

mdsenv

cplic print

If it is not already installed, then install a valid license now.

4

Create a new Domain Management Server:

Note - This is one long command will multiple parameters.

[Expert@R80.20_MDS:0]# mgmt_cli --root true add domain name <Name of New Domain> comments "<Desired Comment Text>" servers.ip-address <IPv4 Address of New Domain> servers.name <Name of New Domain Management Server> servers.multi-domain-server <Name of R80.20 Multi-Domain Server> servers.skip-start-domain-server true

For more information, see the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain.

Important! After you create the new Domain with this command, do not change the Domain IPv4 address until you run the cma_migrate command.

1

Transfer the exported R7x Security Management Server management database from an external storage to the R80.20 Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

2

Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the R7x Security Management Server:

[Expert@R80.20_MDS:0]# md5sum /<Full Path>/<Name of R7x MGMT Exported File>.tgz

1

Unset the shell idle environment variable:

[Expert@R80.20_MDS:0]# unset TMOUT

2

Import the R7x Security Management Server management database:

[Expert@R80.20_MDS:0]# cma_migrate /<Full Path>/<Name of R7x MGMT Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

Example:

[Expert@R80.20_MGMT:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.20/customers/MyDomain3/CPsuite-R80.20/fw1/

Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Security Management Server according to instructions in the error messages. Then do this procedure again.

1

Connect to the command on the R80.20 Multi-Domain Server.

2

Log in to the Expert mode.

3

Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server:

[Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

4

Go to the context of the new Domain Management Server:

[Expert@R80.20_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

5

Reset the SIC on the Domain Management Server:

[Expert@R80.20_MDS:0]# fwm sic_reset

6

Create a new Internal Certificate Authority:

[Expert@R80.20_MDS:0]# mdsconfig -ca <Name of Domain Management Server> <IPv4 Address of Domain Management Server>

7

Start the new Domain Management Server:

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

8

Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "up" and show their PID:

[Expert@R80.20_MDS:0]# mdsstat

If some of the required daemons on a Domain Management Server are in the state "down" or "N/A", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

[Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

[Expert@R80.20_MDS:0]# mdsstat

9

Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways:

1. Reset SIC on each Security Gateway that was managed by the original R7x Security Management Server.

   For detailed procedure, see sk65764: How to reset SIC.

2. Connect with SmartConsole to the new Domain Management Server.
3. Open the object of each Security Gateway.
4. Establish SIC Trust with of each Security Gateway.
5. Install the Access Control Policy on each Security Gateway.