Print Download PDF Send Feedback

Previous

Next

Upgrading Multi-Domain Servers in High Availability from R80.20.M1 with Migration

In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain Servers and the different target Multi-Domain Servers.

Note - This procedure is supported only for Multi-Domain Servers that run R80.20.M1.

Important - Before you upgrade:

Step

Description

1

Back up your current configuration.

2

See the Upgrade Options and Prerequisites.

3

In R80 and above, examine the SmartConsole sessions:

  1. Connect with the SmartConsole to each Domain Management Server.
  2. From the left navigation panel, click Manage & Settings > Sessions > View Sessions.
  3. You must publish or discard all sessions, for which the Changes column shows a number greater than zero.

    Right-click on such session and select Publish or Discard.

 

4

You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Servers.

5

Install the latest version of the CPUSE from sk92449.

Note - The default CPUSE does not support the required Upgrade Tools package.

Workflow:

  1. If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain Server to be the Primary
  2. Get the required Upgrade Tools on the Primary R80.20.M1 Multi-Domain Server
  3. On the Primary R80.20.M1 Multi-Domain Server, run the Pre-Upgrade Verifier and export the management database
  4. Perform clean install of another R80.20 Primary Multi-Domain Server
  5. Get the required Upgrade Tools on the Primary R80.20 Multi-Domain Server
  6. On the Primary R80.20 Multi-Domain Server, import the entire management database
  7. Install the R80.20 SmartConsole
  8. Perform a clean install of another R80.20 on the Secondary Multi-Domain Server
  9. Get the required Upgrade Tools on the Secondary R80.20 Multi-Domain Server
  10. Install the management database
  11. Upgrade the Multi-Domain Log Server, dedicated Log Servers, and dedicated SmartEvent Servers
  12. On every Multi-Domain Server with Active Domain Management Servers, upgrade the attributes of all managed objects in all Domain Management Servers
  13. Test the functionality

Step 1 of 13: If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain Server to be the Primary

For instructions, see the R80.20 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.

Step 2 of 13: Get the required Upgrade Tools on the Primary R80.20.M1 Multi-Domain Server

Step

Description

1

Download the required Upgrade Tools from sk135172.

Note - This is a CPUSE Offline package.

2

Install the required Upgrade Tools with CPUSE.

See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.

3

Make sure the package is installed.

Run this command in the Expert mode:

[Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1

The output must show the same build number you see in the name of the downloaded package.

Example:

Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz

[Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1
992000043
[Expert@MDS:0]#

Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."

Step 3 of 13: On the Primary R80.20.M1 Multi-Domain Server, run the Pre-Upgrade Verifier and export the management database

Step

Description

1

Connect to the command line on the current Primary Multi-Domain Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Run the Pre-Upgrade Verifier.

  • If this Multi-Domain Server is connected to the Internet, run:

    [Expert@PrimaryMDS:0]# $MDS_FWDIR/scripts/migrate_server verify -v R80.20

  • If this Multi-Domain Server is not connected to the Internet, run:

    [Expert@PrimaryMDS:0]# $MDS_FWDIR/scripts/migrate_server verify -v R80.20 -skip_upgrade_tools_check

Syntax options:

  • -v R80.20 - Specifies the version, to which you plan to upgrade.
  • -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.

5

Read the Pre-Upgrade Verifier output.

If you need to fix errors:

  1. Follow the instructions in the report.
  2. Run the Pre-Upgrade Verifier again.

6

Go to the $MDS_FWDIR/scripts/ directory:

[Expert@PrimaryMDS:0]# cd $MDS_FWDIR/scripts

7

Export the management database:

  • This Multi-Domain Server is connected to the Internet, run:

    [Expert@PrimaryMDS:0]# ./migrate_server export -v R80.20 [-l | -x] /<Full Path>/<Name of Exported File>.tgz

  • This Multi-Domain Server is not connected to the Internet, run:

    [Expert@PrimaryMDS:0]# ./migrate_server export -v R80.20 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz

Syntax options:

  • -v R80.20 - Specifies the version, to which you plan to upgrade.
  • -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
  • -l - Exports the Check Point logs without log indexes in the $FWDIR/log/ directory. Note - The command can export only closed logs (to which the information is not currently written).
  • -x - Exports the Check Point logs with their log indexes in the $FWDIR/log/ directory. Note - The command can export only closed logs (to which the information is not currently written).

8

Calculate the MD5 for the exported database files:

[Expert@PrimaryMDS:0]# md5sum /<Full Path>/<Name of Database File>.tgz

9

Transfer the exported databases from the current Multi-Domain Server to an external storage:

/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

Step 4 of 13: Perform clean install of another R80.20 Primary Multi-Domain Server

Perform a clean install of the R80.20 Multi-Domain Server on another computer (do not perform initial configuration in SmartConsole).

Important:

The IP addresses of the source and target Multi-Domain Servers must be the same. If you need to have a different IP address on the R80.20 Multi-Domain Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. For applicable procedure, see sk74020.

Step 5 of 13: Get the required Upgrade Tools on the Primary R80.20 Multi-Domain Server

Step

Description

1

Download the required Upgrade Tools from sk135172.

Note - This is a CPUSE Offline package.

2

Install the required Upgrade Tools with CPUSE.

See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.

3

Make sure the package is installed.

Run this command in the Expert mode:

[Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1

The output must show the same build number you see in the name of the downloaded package.

Example:

Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz

[Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1
992000043
[Expert@MDS:0]#

Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."

Step 6 of 13: On the Primary R80.20 Multi-Domain Server, import the entire management database

Step

Description

1

Connect to the command line the R80.20 Multi-Domain Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Make sure a valid license is installed:

mdsenv

cplic print

If it is not already installed, then install a valid license now.

5

Transfer the exported database from an external storage to the R80.20 Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

6

Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server:

[Expert@MDS:0]# md5sum /<Full Path>/<Name of Exported File>.tgz

7

Go to the $MDS_FWDIR/scripts/ directory:

[Expert@MDS:0]# cd $MDS_FWDIR/scripts/

8

Import the management database:

  • This Multi-Domain Server is connected to the Internet, run:

    [Expert@MDS:0]# ./migrate_server import -v R80.20 [-l | -x] /<Full Path>/<Name of Exported File>.tgz

  • This Multi-Domain Server is not connected to the Internet, run:

    [Expert@MDS:0]# ./migrate_server import -v R80.20 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz

Syntax options:

  • -v R80.20 - Specifies the version, to which you plan to upgrade.
  • -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
  • -l - Imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
  • -x - Imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.

9

Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):

[Expert@MDS:0]# mdsstat

If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

[Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

[Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

[Expert@MDS:0]# mdsstat

Step 7 of 13: Install the R80.20 SmartConsole

See Installing SmartConsole.

Step 8 of 13: Perform a clean install of another R80.20 on the Secondary Multi-Domain Server

Perform a clean install of the Secondary R80.20 Multi-Domain Server.

Important:

The IP addresses of the source and target Multi-Domain Servers must be the same. If you need to have a different IP address on the R80.20 Multi-Domain Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. For applicable procedure, see sk74020.

Step 9 of 13: Get the required Upgrade Tools on the Secondary R80.20 Multi-Domain Server

Note - This step is needed only to be able to export the management database (for backup purposes) with the latest Upgrade Tools.

Step

Description

1

Download the required Upgrade Tools from sk135172.

Note - This is a CPUSE Offline package.

2

Install the required Upgrade Tools with CPUSE.

See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.

3

Make sure the package is installed.

Run this command in the Expert mode:

[Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1

The output must show the same build number you see in the name of the downloaded package.

Example:

Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz

[Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1
992000043
[Expert@MDS:0]#

Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."

Step 10 of 13: Install the management database

Step

Description

1

Connect with SmartConsole to each Domain Management Server.

2

In the top left corner, click Menu > Install database.

3

Select all objects.

4

Click Install.

5

Click OK.

Step 11 of 13: Upgrade the Multi-Domain Log Server, dedicated Log Servers, and dedicated SmartEvent Servers

If your Multi-Domain Servers manage Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server:

Step 12 of 13: On every Multi-Domain Server with Active Domain Management Servers, upgrade the attributes of all managed objects in all Domain Management Servers

To determine which Multi-Domain Servers run Active Domain Management Servers:

  1. Connect with SmartConsole to an Multi-Domain Server to the MDS context.
  2. From the left navigation panel, click Multi Domain > Domains.

The table shows Domains and Multi-Domain Servers:

Procedure:

Step

Description

1

Connect to the command line every Multi-Domain Server that has at least one Active Domain Management Server.

2

Log in with the superuser credentials.

3

Log in to the Expert mode.

4

Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):

[Expert@MDS:0]# mdsstat

If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

[Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

[Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

[Expert@MDS:0]# mdsstat

5

Go to the main MDS context:

[Expert@MDS:0]# mdsenv

6

Upgrade the attributes of all managed objects in all Domain Management Servers at once:

[Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL

Notes:

  • Because the command prompts you for a 'yes/no' for each Domain and each object in the Domain, you can explicitly provide the 'yes' answer to all questions with this command:

    [Expert@MDS:0]# yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL

  • You can perform this action on one Multi-Domain Server at a time with this command:

    [Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Multi-Domain Server>

7

Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):

[Expert@MDS:0]# mdsstat

If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

[Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>

[Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>

[Expert@MDS:0]# mdsstat

Step 13 of 13: Test the functionality

Step

Description

1

Connect with the SmartConsole to the R80.20 Multi-Domain Server.

2

Make sure the management database and configuration were imported correctly.

3

Test the Management High Availability functionality.

15 March 2020
Was this helpful?
Incorrect information Not what I'm looking for Too much information Confusing information
© 2020 Check Point Software Technologies Ltd. All rights reserved.