Migrating Database from an R7x Security Management Server to an R80.20 Domain Management Server

This procedure lets you export the entire management database from an R7x Security Management Server and import it to a new Domain Management Server on an R80.20 Multi-Domain Server.

Note - This procedure is not supported for exporting the management database from an R8x Security Management Server and importing it to an R80.20 Domain Management Server.

Important - Before you migrate:

  1. Back up your current configuration.

    The procedure below resets SIC on the Domain Management Server to be migrated!

  2. Make sure that you are migrating the database only on one Domain Management Server.

    If you migrate a database to more than one Domain Management Server, the import fails and shows an error message.

Important - Before you import the database on the Secondary Multi-Domain Server in Management High Availability, you must change the state of its Global Domain to Active:

  1. Connect with SmartConsole to the Secondary Multi-Domain Server.
  2. From the left navigation panel, click Multi Domain > Domains.
  3. Right-click the Global Domain of the Secondary Multi-Domain Server and click Connect to Domain.
  4. Click Menu > Management High Availability.
  5. Select Actions > Set Active for the Connected Domain.
  6. Close SmartConsole.

Workflow:

  1. Get the R80.20 Management Server Migration Tool
  2. Export the entire management database from the R7x Security Management Server
  3. On the R80.20 Multi-Domain Server, create a new Domain Management Server
  4. Transfer the exported R7x Security Management Server management database to the R80.20 Multi-Domain Server
  5. On the R80.20 Multi-Domain Server, import R7x Security Management Server management database to the new Domain Management Server
  6. Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
  7. Configure the VPN keys

Step 1 of 7: Get the R80.20 Management Server Migration Tool

  1. Download the R80.20 Management Server Migration Tool from the R80.20 Home Page SK.
  2. Transfer the R80.20 Management Server Migration Tool package to a directory on the R7x Security Management Server (for example, /var/log/path_to_migration_tool/).

    Note - Make sure to transfer the file in binary mode.

Step 2 of 7: Export the entire management database from the R7x Security Management Server

  1. Connect to the command line on the R7x Security Management Server.
  2. Log in to the Expert mode.
  3. Go to the directory where you put the R80.20 Management Server Migration Tool package:

    [Expert@R7x_MGMT:0]# cd /var/log/path_to_migration_tool/

  4. Extract the R80.20 Management Server Migration Tool package:

    [Expert@R7x_MGMT:0]# tar zxvf <Name of Management Server Migration Tool Package>.tgz

  5. Export the entire management database:

    [Expert@R7x_MGMT:0]# yes | nohup ./migrate export [-f] [-n] /<Full Path>/<Name of R7x MGMT Exported File> &

    Notes:

      • yes | nohup ... & are mandatory parts of the syntax.
      • See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.

  6. Calculate the MD5 for the exported database file:

    [Expert@R7x_MGMT:0]# md5sum /<Full Path>/<Name of R7x MGMT Exported File>.tgz

  7. Transfer the exported database from the R7x Security Management Server to an external storage:

    /<Full Path>/<Name of R7x MGMT Exported File>.tgz

    Note - Make sure to transfer the file in binary mode.

Step 3 of 7: On the R80.20 Multi-Domain Server, create a new Domain Management Server

  1. Connect to the command line on the R80.20 Multi-Domain Server.
  2. Log in to the Expert mode.
  3. Make sure a valid license is installed:

    mdsenv

    cplic print

    If it is not already installed, then install a valid license now.

  4. Create a new Domain Management Server:

    Note - This is one long command with multiple parameters.

    [Expert@R80.20_MDS:0]# mgmt_cli --root true add domain name <Name of New Domain> comments "<Desired Comment Text>" servers.ip-address <IPv4 Address of New Domain> servers.name <Name of New Domain Management Server> servers.multi-domain-server <Name of R80.20 Multi-Domain Server> servers.skip-start-domain-server true

    For more information, see the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain.

    Important! After you create the new Domain with this command, do not change the Domain IPv4 address until you run the cma_migrate command.

Step 4 of 7: Transfer the exported R7x Security Management Server management database to the R80.20 Multi-Domain Server

  1. Transfer the exported R7x Security Management Server management database from an external storage to a directory on the R80.20 Multi-Domain Server.

    Note - Make sure to transfer the file in binary mode.

  2. Make sure the transferred file is not corrupted.

    Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the R7x Security Management Server:

    [Expert@R80.20_MDS:0]# md5sum /<Full Path>/<Name of R7x MGMT Exported File>.tgz
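
The comparison between the MD5 recorded in Step 2 (sub-step 6) and the one calculated in Step 4 (sub-step 2) can be scripted so that a mismatch stops the import. This is an added example, not part of the Check Point procedure: the function names are hypothetical, and the optional SHA-256 comparison goes beyond the page's MD5 check and assumes sha256sum is available on both servers.

```shell
#!/bin/bash
# Added example (not Check Point code): verify a transferred export before import.
# The expected digests are the values recorded on the source server, carried
# separately from the export file itself.
# Usage after sourcing this file: verify_export FILE EXPECTED_MD5 [EXPECTED_SHA256]

# Print the lowercase hex digest of FILE using TOOL (md5sum or sha256sum).
digest_of() {
    local tool=$1 file=$2 out
    out=$("$tool" -- "$file") || return 2
    printf '%s\n' "${out%% *}" | tr 'A-F' 'a-f'
}

# Returns 0 if every supplied digest matches, 1 on a mismatch,
# 2 if the file is missing, unreadable or empty.
verify_export() {
    local file=$1 want_md5 want_sha got
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha=$(printf '%s' "${3:-}" | tr 'A-F' 'a-f')
    [ -r "$file" ] && [ -s "$file" ] || { echo "unreadable or empty: $file" >&2; return 2; }

    got=$(digest_of md5sum "$file") || return 2
    if [ "$got" != "$want_md5" ]; then
        echo "MD5 mismatch: got $got, expected $want_md5" >&2
        return 1
    fi
    # MD5 catches transfer corruption; SHA-256 also resists deliberate collisions.
    if [ -n "$want_sha" ]; then
        got=$(digest_of sha256sum "$file") || return 2
        if [ "$got" != "$want_sha" ]; then
            echo "SHA-256 mismatch: got $got, expected $want_sha" >&2
            return 1
        fi
    fi
    return 0
}
```

Run cma_migrate only when verify_export returns 0; a return value of 1 means the file must be transferred again in binary mode.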

Step 5 of 7: On the R80.20 Multi-Domain Server, import R7x Security Management Server management database to the new Domain Management Server

  1. Unset the shell idle timeout environment variable:

    [Expert@R80.20_MDS:0]# unset TMOUT

  2. Import the R7x Security Management Server management database:

    [Expert@R80.20_MDS:0]# cma_migrate /<Full Path>/<Name of R7x MGMT Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

    Example:

    [Expert@R80.20_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.20/customers/MyDomain3/CPsuite-R80.20/fw1/

    Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Security Management Server according to instructions in the error messages. Then do this procedure again.

Step 6 of 7: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways

Note - This step applies if the new R80.20 Domain Management Server has a different IPv4 address than the R7x Security Management Server.

  1. Connect to the command line on the R80.20 Multi-Domain Server.
  2. Log in to the Expert mode.
  3. Stop the new Domain Management Server, into which you migrated the management database from the R7x Security Management Server:

    [Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

  4. Go to the context of the new Domain Management Server:

    [Expert@R80.20_MDS:0]# mdsenv <IP Address or Name of Domain Management Server>

  5. Reset the SIC on the Domain Management Server:

    [Expert@R80.20_MDS:0]# fwm sic_reset

  6. Create a new Internal Certificate Authority:

    [Expert@R80.20_MDS:0]# mdsconfig -ca <Name of Domain Management Server> <IPv4 Address of Domain Management Server>

  7. Start the new Domain Management Server:

    [Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

  8. Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state "up" and show their PID:

    [Expert@R80.20_MDS:0]# mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down" or "N/A", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

    [Expert@R80.20_MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

    [Expert@R80.20_MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

    [Expert@R80.20_MDS:0]# mdsstat

  9. Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways:

      1. Reset SIC on each Security Gateway that was managed by the original R7x Security Management Server.

        For the detailed procedure, see sk65764: How to reset SIC.

      2. Connect with SmartConsole to the new Domain Management Server.
      3. Open the object of each Security Gateway.
      4. Establish SIC Trust with each Security Gateway.
      5. Install the Access Control Policy on each Security Gateway.
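
The daemon check in sub-step 8 can be turned into a pass/fail test before SIC is re-established with the gateways. This is an added example, not Check Point code: the function names are hypothetical, the pipe-delimited table layout with a Name, IP address, FWM, FWD, CPD and CPCA header row is an assumption about the mdsstat output, and the sample rows are constructed.

```shell
#!/bin/bash
# Added example, not Check Point code. The table layout parsed here is an
# assumption about mdsstat output; the sample rows below are constructed.

# down_daemons NAME_OR_IP   (reads mdsstat output on stdin)
# Prints "DAEMON STATE" for each required daemon that is not "up <PID>".
# Returns 0 if all four are up, 1 if any is not, 2 if no row matches.
down_daemons() {
    awk -F'|' -v want="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Header row: record which field carries each column title.
        /FWM/ && /CPCA/ { for (i = 1; i <= NF; i++) col[trim($i)] = i; next }
        # Ignore everything that precedes the header row.
        !("Name" in col) { next }
        trim($(col["Name"])) == want || trim($(col["IP address"])) == want {
            found = 1
            n = split("FWM FWD CPD CPCA", req, " ")
            for (k = 1; k <= n; k++) {
                state = trim($(col[req[k]]))
                if (state !~ /^up[ \t]+[0-9]+$/) { print req[k], state; bad = 1 }
            }
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample in the assumed layout (documentation IP addresses).
sample_mdsstat() {
    cat <<'EOF'
+-----+-----------------+---------------+----------+----------+----------+----------+
| Type| Name            | IP address    | FWM      | FWD      | CPD      | CPCA     |
+-----+-----------------+---------------+----------+----------+----------+----------+
| MDS |        -        | 192.0.2.10    | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+-----------------+---------------+----------+----------+----------+----------+
| CMA | MyDomain3_Server| 192.0.2.20    | up 32227 | down     | up 19725 | N/A      |
+-----+-----------------+---------------+----------+----------+----------+----------+
EOF
}
```

On the Multi-Domain Server, pipe the real command into the function (mdsstat | down_daemons <Name of Domain Management Server>); a return value of 1 means the wait and restart sequence from sub-step 8 applies.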

Step 7 of 7: Configure the VPN keys

Note - This step applies if the original R7x Security Management Server managed VPN gateways.

There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.

The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.

To fix: