This procedure lets you export the entire management database from an R7x Security Management Server and import it to a new Domain Management Server on an R80.20 Multi-Domain Server.
Note - This procedure is not supported for exporting the management database from an R8x Security Management Server and importing it to an R80.20 Domain Management Server.
Important - Before you migrate:

Step | Description |
---|---|
1 | Back up your current configuration. The procedure below resets SIC on the Domain Management Server to be migrated! |
2 | Make sure that you are migrating the database only on one Domain Management Server. If you migrate a database to more than one Domain Management Server, the import fails and shows an error message. |

Important - Before you import the database on the Secondary Multi-Domain Server in Management High Availability, you must change the state of its Global Domain to Active:
Workflow:
Step 1 of 7: Get the R80.20 Management Server Migration Tool

Step | Description |
---|---|
1 | Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK. |
2 | Transfer the R80.20 Management Server Migration Tool package to the R7x Standalone to some directory (for example, Note - Make sure to transfer the file in the binary mode. |

Step 2 of 7: Export the entire management database from the R7x Security Management Server

Step | Description |
---|---|
1 | Connect to the command line on the R7x Security Management Server. |
2 | Log in to the Expert mode. |
3 | Go to the directory, where you put the R80.20 Management Server Migration Tool package: |
4 | Extract the R80.20 Management Server Migration Tool package: |
5 | Export the entire management database: Notes: |
6 | Calculate the MD5 for the exported database file: |
7 | Transfer the exported database from the R7x Security Management Server to an external storage: Note - Make sure to transfer the file in the binary mode. |

Step 3 of 7: On the R80.20 Multi-Domain Server, create a new Domain Management Server

Step | Description |
---|---|
1 | Connect to the command line on the R80.20 Multi-Domain Server. |
2 | Log in to the Expert mode. |
3 | Make sure a valid license is installed: If it is not already installed, then install a valid license now. |
4 | Create a new Domain Management Server: Note - This is one long command with multiple parameters. For more information, see the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain. Important! After you create the new Domain with this command, do not change the Domain IPv4 address until you run the |

Step 4 of 7: Transfer the exported R7x Security Management Server management database to the R80.20 Multi-Domain Server

Step | Description |
---|---|
1 | Transfer the exported R7x Security Management Server management database from an external storage to the R80.20 Multi-Domain Server, to some directory. Note - Make sure to transfer the file in the binary mode. |
2 | Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the R7x Security Management Server: |

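The MD5 comparison in step 2, as an added shell example that is not part of the original procedure: `verify_transfer` checks a transferred file against the digest recorded on the source server, and the demo shows why the notes insist on binary mode by comparing a byte-exact copy with one in which LF was rewritten to CRLF, as an ASCII-mode transfer does. The function names, file names and file contents are assumptions constructed for this example.

```bash
# Added example: integrity check for the exported database after each transfer.
# All file names and file contents here are constructed for illustration.

# Print only the MD5 hex digest of a file (md5sum prints "<digest>  <name>").
file_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Compare a transferred file with the digest recorded on the source server.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or empty.
verify_transfer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    if [ ! -s "$file" ]; then
        echo "ERROR: $file is missing or empty" >&2
        return 2
    fi
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the recorded MD5"
        return 0
    fi
    echo "MISMATCH: $file is $actual, recorded $expected" >&2
    return 1
}

# Demo: one constructed payload, a binary-mode copy of it, a copy damaged the
# way an ASCII-mode transfer damages it (LF -> CRLF), and a file that never
# arrived. Prints the three verify_transfer return codes in that order.
demo_transfer_modes() {
    dir=$(mktemp -d) || return 3
    printf 'constructed export\n\037\213 payload\n' > "$dir/source.tgz"
    printf 'constructed export\n\037\213 payload\n' > "$dir/binary_copy.tgz"
    printf 'constructed export\r\n\037\213 payload\r\n' > "$dir/ascii_copy.tgz"
    recorded=$(file_md5 "$dir/source.tgz")   # digest taken on the source side
    codes=""
    for f in binary_copy.tgz ascii_copy.tgz never_arrived.tgz; do
        rc=0
        verify_transfer "$dir/$f" "$recorded" >/dev/null 2>&1 || rc=$?
        codes="$codes $rc"
    done
    rm -rf "$dir"
    echo "${codes# }"
}

demo_transfer_modes
```

The MD5 comparison detects accidental corruption such as a wrong transfer mode or a truncated copy. MD5 is not collision-resistant, so a matching digest does not authenticate the file against deliberate modification.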
Step 5 of 7: On the R80.20 Multi-Domain Server, import R7x Security Management Server management database to the new Domain Management Server

Step | Description |
---|---|
1 | Unset the shell idle environment variable: |
2 | Import the R7x Security Management Server management database: Example: Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Security Management Server according to instructions in the error messages. Then do this procedure again. |

Step 6 of 7: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Security Management Server.

Step | Description |
---|---|
1 | Connect to the command line on the R80.20 Multi-Domain Server. |
2 | Log in to the Expert mode. |
3 | Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server: |
4 | Go to the context of the new Domain Management Server: |
5 | Reset the SIC on the Domain Management Server: |
6 | Create a new Internal Certificate Authority: |
7 | Start the new Domain Management Server: |
8 | Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state " If some of the required daemons on a Domain Management Server are in the state " |
9 | Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways: |

Step 7 of 7: Configure the VPN keys
Note - This step applies if the original R7x Security Management Server managed VPN gateways.
There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.
The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.
To fix: