Starting from Take 117 of R80.20 Jumbo Hotfix Accumulator (PRJ-5250), you can export the entire management database from an R80.20 Security Management Server and import it on an R80.20 Multi-Domain Server into a Domain Management Server.
For the list of known limitations, see sk156072.
Prerequisites on the source Security Management Server:
[Expert@MGMT:0]# cpwd_admin list
The "STAT" column must show "E" (executing) for all processes.
$FWDIR/log/fw.log) and Audit log ($FWDIR/log/fw.adtlog) files:
[Expert@MGMT:0]# fw logswitch
[Expert@MGMT:0]# fw logswitch -audit
Instructions in SmartConsole:
No | Name | Source | Destination | Services & | Action | Track | Install |
---|---|---|---|---|---|---|---|
1 | Traffic from new Domain Management Server to managed Gateways | Host object with new IP address | Applicable objects of managed Security Gateways and Clusters | | | | |
Notes:
These default policies are called:
<Name of VSX Gateway or VSX Cluster Object>_VSX
Prerequisites on the target Multi-Domain Server:
Workflow:
Step 1 of 9: On the source R80.20 Security Management Server, export the database
Step | Description |
---|---|
1 | Run this API: For API documentation, see the Check Point Management API Reference - search for migrate-export-domain. Example: |
2 | Calculate the MD5 of the export file: |
Step 2 of 9: Transfer the export file to the target R80.20 Multi-Domain Server
Step | Description |
---|---|
1 | Transfer the export file from the source Security Management Server to the target Multi-Domain Server, to some directory. Note - Make sure to transfer the file in binary mode. |
2 | Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the source Security Management Server: |
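The MD5 comparison from Step 1 and Step 2 above, as an added example that is not Check Point's own command sequence; the function names, exit codes and script name are assumptions made here. It computes the digest of the transferred file, compares it with the value recorded on the source server, and treats an unreadable or empty file as a failed transfer.

```shell
#!/bin/bash
# Added example; function names, exit codes and paths are assumptions.

# Print the lowercase MD5 hex digest of a file.
# Returns 2 if the file is unreadable or empty (a truncated transfer).
export_md5() {
    local file
    file="$1"
    if [ ! -r "$file" ]; then
        echo "error: cannot read $file" >&2
        return 2
    fi
    if [ ! -s "$file" ]; then
        echo "error: $file is empty" >&2
        return 2
    fi
    md5sum -- "$file" | awk '{ print tolower($1) }'
}

# Compare the file's MD5 with the value recorded on the source server.
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_export_md5() {
    local file expected actual
    file="$1"
    # Normalise the recorded value: strip whitespace, lowercase hex digits.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$expected" in
        ""|*[!0-9a-f]*) echo "error: expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 32 ]; then
        echo "error: an MD5 digest has 32 hex digits" >&2
        return 2
    fi
    actual=$(export_md5 "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# Usage: ./verify_export.sh <transferred file> <MD5 from the source server>
if [ "$#" -eq 2 ]; then
    verify_export_md5 "$1" "$2"
fi
```

A non-zero exit status means the file should be transferred again before the import in Step 3.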
Step 3 of 9: On the target Multi-Domain Server, import the Security Management Server database into a Domain Management Server
Step | Description |
---|---|
1 | Make sure you have a sufficient license. |
2 | Run this API: For API documentation, see the Check Point Management API Reference - search for migrate-import-domain. Make sure the name of the Domain you create does not conflict with the name of an existing Domain. Example: |
3 | Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable): If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands: |
Step 4 of 9: Configure and assign the Administrators and GUI clients
Step | Description |
---|---|
1 | Configure the Multi-Domain Server Administrators and GUI clients: |
2 | Assign the Administrators to the Domains. See the R80.20 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain and Section Assigning Trusted Clients to Domains. |
Step 5 of 9: Stop the source R80.20 Security Management Server
Step | Description |
---|---|
1 | Connect to the command line on the source Security Management Server. |
2 | Stop the source Security Management Server: |
Step 6 of 9: Test the functionality on the target R80.20 Domain Management Server
Step | Description |
---|---|
1 | Connect with SmartConsole to the Domain Management Server. |
2 | Make sure the management database and configuration were imported correctly. |
Step 7 of 9: Install policy on all managed Security Gateways and Clusters
Step | Description |
---|---|
1 | Connect with SmartConsole to the Active Domain (to which this Domain Management Server belongs). |
2 | Install the applicable policies on all managed Security Gateways and Clusters. |
Step 8 of 9: Disconnect the source R80.20 Security Management Server
Disconnect the source Security Management Server from the network.
Step 9 of 9: Delete the special Access Control rule you added before migration
Important - This step applies only if the target Domain Management Server has a different IP address than the source Security Management Server.
Step | Description |
---|---|
1 | Connect with SmartConsole to the Domain Management Server. |
2 | In each Security Policy, delete the Access Control rule with the new Host object you added on the source Security Management Server before migration. |
3 | Delete the Host object you added on the source Security Management Server before migration. |
4 | Install the applicable policies on all managed Security Gateways and Clusters. |