Upgrading a Management Server or Log Server from R80.20.M1 with Migration

In a migration and upgrade scenario, you perform the procedure on the source Security Management Server and on a different, target Security Management Server.

Notes:

Important - Before you upgrade a Security Management Server:

  1. Back up your current configuration.
  2. See the Upgrade Options and Prerequisites.
  3. In R80 and above, examine the SmartConsole sessions:

       1. Connect with the SmartConsole to the Security Management Server.
       2. From the left navigation panel, click Manage & Settings > Sessions > View Sessions.
       3. You must publish or discard all sessions, for which the Changes column shows a number greater than zero.

          Right-click on such session and select Publish or Discard.

  4. You must close all GUI clients (SmartConsole applications) connected to the source Security Management Server.
  5. Install the latest version of the CPUSE from sk92449.

     Note - The default CPUSE does not support the required Upgrade Tools package.

Workflow:

  1. Get the required Upgrade Tools on the R80.20.M1 Security Management Server
  2. On the R80.20.M1 Security Management Server, run the Pre-Upgrade Verifier and export the management database
  3. Install a new R80.20 Security Management Server
  4. Get the required Upgrade Tools on the new R80.20 Security Management Server
  5. On the R80.20 Security Management Server, import the databases
  6. Install the R80.20 SmartConsole
  7. Install the new licenses, if the R80.20 Security Management Server has a different IP address than the source Security Management Server
  8. Upgrade the dedicated Log Servers and dedicated SmartEvent Servers
  9. Install the management database
  10. Install the Event Policy
  11. Test the functionality
  12. Disconnect the old Security Management Server from the network
  13. Connect the new Security Management Server to the network

Step 1 of 13: Get the required Upgrade Tools on the R80.20.M1 Security Management Server

  1. Download the required Upgrade Tools from sk135172.

     Note - This is a CPUSE Offline package.

  2. Install the required Upgrade Tools with CPUSE.

     See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.

  3. Make sure the package is installed.

     Run this command in the Expert mode:

     [Expert@MGMT:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1

     The output must show the same build number you see in the name of the downloaded package.

     Example:

     Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz

     [Expert@MGMT:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1
     992000043
     [Expert@MGMT:0]#

Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."

Step 2 of 13: On the R80.20.M1 Security Management Server, run the Pre-Upgrade Verifier and export the management database

  1. Connect to the command line on the current Security Management Server.
  2. Log in to the Expert mode.
  3. Run the Pre-Upgrade Verifier.

     • If this Security Management Server is connected to the Internet, run:

       [Expert@MGMT:0]# $FWDIR/scripts/migrate_server verify -v R80.20

     • If this Security Management Server is not connected to the Internet, run:

       [Expert@MGMT:0]# $FWDIR/scripts/migrate_server verify -v R80.20 -skip_upgrade_tools_check

  4. Read the Pre-Upgrade Verifier output.

     If you need to fix errors:

       1. Follow the instructions in the report.
       2. Run the Pre-Upgrade Verifier again.

  5. Go to the $FWDIR/scripts/ directory:

     [Expert@MGMT:0]# cd $FWDIR/scripts

  6. Export the management database:

     • If Endpoint Policy Management blade is disabled on this Security Management Server and:
       • This Security Management Server is connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server export -v R80.20 [-l | -x] /<Full Path>/<Name of Exported File>.tgz

       • This Security Management Server is not connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server export -v R80.20 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz

     • If Endpoint Policy Management blade is enabled on this Security Management Server and:
       • This Security Management Server is connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server export -v R80.20 [-l | -x] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz

       • This Security Management Server is not connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server export -v R80.20 -skip_upgrade_tools_check [-l | -x] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz

     Syntax options:

     • -v R80.20 - Specifies the version, to which you plan to upgrade.
     • -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
     • -l - Exports the Check Point logs without log indexes in the $FWDIR/log/ directory. Note - The command can export only closed logs (to which the information is not currently written).
     • -x - Exports the Check Point logs with their log indexes in the $FWDIR/log/ directory. Note - The command can export only closed logs (to which the information is not currently written).
     • --include-uepm-msi-files - Backs up the MSI files from the Endpoint Security Management Server during the export operation.

  7. Calculate the MD5 for the exported database files:

     [Expert@MGMT:0]# md5sum /<Full Path>/<Name of Database File>.tgz

  8. Transfer the exported databases from the current Security Management Server to an external storage:

     /<Full Path>/<Name of Database File>.tgz

     Note - Make sure to transfer the file in the binary mode.

Step 3 of 13: Install a new R80.20 Security Management Server

Perform a clean install of the R80.20 Security Management Server on another computer (do not perform initial configuration in SmartConsole).

Important - These options are available:

Step 4 of 13: Get the required Upgrade Tools on the new R80.20 Security Management Server

  1. Download the required Upgrade Tools from sk135172.

     Note - This is a CPUSE Offline package.

  2. Install the required Upgrade Tools with CPUSE.

     See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.

  3. Make sure the package is installed.

     Run this command in the Expert mode:

     [Expert@MGMT:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1

     The output must show the same build number you see in the name of the downloaded package.

     Example:

     Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz

     [Expert@MGMT:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1
     992000043
     [Expert@MGMT:0]#

Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."

Step 5 of 13: On the R80.20 Security Management Server, import the databases

  1. Connect to the command line on the R80.20 Security Management Server.
  2. Log in to the Expert mode.
  3. Make sure a valid license is installed:

     cplic print

     If it is not already installed, then install a valid license now.

  4. Transfer the exported databases from an external storage to the R80.20 Security Management Server, to some directory.

     Note - Make sure to transfer the files in the binary mode.

  5. Make sure the transferred files are not corrupted. Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the original Security Management Server:

     [Expert@MGMT:0]# md5sum /<Full Path>/<Name of Database File>.tgz

  6. Go to the $FWDIR/scripts/ directory:

     [Expert@MGMT:0]# cd $FWDIR/scripts/

  7. Import the management database:

     • If Endpoint Policy Management blade is disabled on this Security Management Server and:
       • This Security Management Server is connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server import -v R80.20 [-l | -x] /<Full Path>/<Name of Exported File>.tgz

       • This Security Management Server is not connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server import -v R80.20 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz

     • If Endpoint Policy Management blade is enabled on this Security Management Server and:
       • This Security Management Server is connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server import -v R80.20 [-l | -x] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz

       • This Security Management Server is not connected to the Internet, run:

         [Expert@MGMT:0]# ./migrate_server import -v R80.20 -skip_upgrade_tools_check [-l | -x] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz

     Note - The migrate_server import command automatically restarts Check Point services (performs cpstop and cpstart).

     Syntax options:

     • -v R80.20 - Specifies the version, to which you plan to upgrade.
     • -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
     • -l - Imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
     • -x - Imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
     • --include-uepm-msi-files - Restores the MSI files from the Endpoint Security Management Server during the import operation.
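
The two manual checks in this procedure (the Upgrade Tools build number in Steps 1 and 4, and the MD5 comparison between Step 2 and Step 5) can be scripted as a gate in front of the import. This is an added example, not part of the Check Point documentation: the function names, the .md5 sidecar file and the package name pattern ngm_upgrade_wrapper_<build>_<n>.tgz (generalised from the single name shown on this page) are assumptions. As on the page, MD5 is used here to catch transfer corruption.

```shell
#!/bin/bash
# Added example (not Check Point code): integrity gate before migrate_server import.
# Function names and the ".md5" sidecar convention are assumptions of this sketch.

# Source server: write <archive>.md5 next to the export. The manifest stores the
# bare file name, so it still verifies after both files move to another directory.
record_md5() {
    ( cd "$(dirname "$1")" && md5sum "$(basename "$1")" > "$(basename "$1").md5" )
}

# Target server: return 0 if the archive matches its manifest, 1 on a mismatch
# (for example a non-binary transfer), 2 if the manifest is missing or empty.
verify_md5() {
    dir=$(dirname "$1"); name=$(basename "$1")
    [ -s "$dir/$name.md5" ] || { echo "no MD5 manifest for $name" >&2; return 2; }
    ( cd "$dir" && md5sum -c "$name.md5" >/dev/null 2>&1 ) ||
        { echo "MD5 mismatch for $name, do not import" >&2; return 1; }
}

# Print the build number embedded in an Upgrade Tools package name.
# Assumed pattern: ngm_upgrade_wrapper_<build>_<n>.tgz; prints nothing otherwise.
pkg_build() {
    basename "$1" |
        sed -n 's/^ngm_upgrade_wrapper_\([0-9][0-9]*\)_[0-9][0-9]*\.tgz$/\1/p'
}

# Return 0 only if the installed build ($2) equals the build in the package name ($1).
tools_build_matches() {
    want=$(pkg_build "$1")
    [ -n "$want" ] && [ "$want" = "$2" ]
}

# Usage on the target, in Expert mode (paths are placeholders):
#   installed=$(cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1)
#   tools_build_matches ngm_upgrade_wrapper_992000043_1.tgz "$installed" &&
#   verify_md5 /<Full Path>/<Name of Exported File>.tgz &&
#   ./migrate_server import -v R80.20 /<Full Path>/<Name of Exported File>.tgz
```

Run record_md5 on the source server right after the export and transfer the .md5 file together with the archive, also in binary mode.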

Step 6 of 13: Install the R80.20 SmartConsole

See Installing SmartConsole.

Step 7 of 13: Install the new licenses, if the R80.20 Security Management Server has a different IP address than the source Security Management Server

If the IP addresses of the source and target Security Management Servers are different, follow these steps:

  1. Issue licenses for the new IP address in your Check Point User Center account.
  2. Install the new licenses on the R80.20 Security Management Server.

     You can do this either in the CLI with the cplic put command, or in the Gaia Portal.

  3. Wait for a couple of minutes for the Security Management Server to detect the new licenses.

     Alternatively, restart Check Point services:

     [Expert@MGMT:0]# cpstop
     [Expert@MGMT:0]# cpstart

Step 8 of 13: Upgrade the dedicated Log Servers and dedicated SmartEvent Servers

If your Security Management Server manages dedicated Log Servers or SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Security Management Server.

See Upgrading a Management Server or Log Server from R80.20.M1.

Step 9 of 13: Install the management database

  1. Connect with SmartConsole to the R80.20 Security Management Server.
  2. In the top left corner, click Menu > Install database.
  3. Select all objects.
  4. Click Install.
  5. Click OK.

Step 10 of 13: Install the Event Policy

This step applies only if the SmartEvent Correlation Unit Software Blade is enabled on the R80.20 Security Management Server.

  1. Connect with the SmartConsole to the R80.20 Security Management Server.
  2. In the SmartConsole, from the left navigation panel, click Logs & Monitor.
  3. At the top, click + to open a new tab.
  4. In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.

     The Legacy SmartEvent client opens.

  5. In the top left corner, click Menu > Actions > Install Event Policy.
  6. Confirm.
  7. Wait for these messages to appear:

     SmartEvent Policy Installer installation complete
     SmartEvent Policy Installer installation succeeded

  8. Click Close.
  9. Close the Legacy SmartEvent client.

Step 11 of 13: Test the functionality

  1. Connect with the SmartConsole to the R80.20 Security Management Server.
  2. Make sure the management database and configuration were upgraded correctly.

Step 12 of 13: Disconnect the old R80.20.M1 Security Management Server from the network

Step 13 of 13: Connect the new R80.20 Security Management Server to the network