Print Download PDF Send Feedback

Previous

Next

Migrating Database from an R80.20 Security Management Server to an R80.20 Domain Management Server

Starting from Take 117 of R80.20 Jumbo Hotfix Accumulator (PRJ-5250), you can export the entire management database from an R80.20 Security Management Server and import it on an R80.20Multi-Domain Server into a Domain Management Server.

For the list of known limitations, see sk156072.

Prerequisites on the source Security Management Server:

Prerequisites on the target Multi-Domain Server:

Workflow:

  1. On the source R80.20 Security Management Server, export the database.
  2. Transfer the export file to the target R80.20 Multi-Domain Server.
  3. On the target Multi-Domain Server, import the Security Management Server database into a Domain Management Server.
  4. Configure and assign the Administrators and GUI clients.
  5. Stop the source R80.20 Security Management Server.
  6. Test the functionality on the R80.20 Domain Management Server.
  7. Install policy on all managed Security Gateways and Clusters.
  8. Disconnect the source R80.20 Security Management Server.
  9. Delete the special Access Control rule you added before migration.

Step 1 of 9: On the source R80.20 Security Management Server, export the database

Step

Description

1

Run this API:

migrate-export-domain

For API documentation, see the Check Point Management API Reference - search for migrate-export-domain.

Example:

mgmt_cli migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"

2

Calculate the MD5 of the export file:

md5sum <Full Path to Export File>.tgz

Step 2 of 9: Transfer the export file to the target R80.20 Multi-Domain Server

Step

Description

1

Transfer the export file from the source Security Management Server to the target Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

2

Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the source Security Management Server:

md5sum <Full Path to Export File>.tgz

Step 3 of 9: On the target Multi-Domain Server, import the Security Management Server database into a Domain Management Server

Step

Description

1

Make sure you have the sufficient license.

2

Run this API:

migrate-import-domain

For API documentation, see the Check Point Management API Reference - search for migrate-import-domain.

Make sure the name of the Domain you create does not conflict with the name of an existing Domain.

Example:

mgmt_cli migrate-import-domain domain-name "MyDomain3" domain-server-name "MyDomainServer3" domain-ip-address "192.168.20.30" file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"

3

Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):

mdsstat

If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

mdsstop_customer <IP Address or Name of Domain Management Server>

mdsstart_customer <IP Address or Name of Domain Management Server>

mdsstat

Step 4 of 9: Configure and assign the Administrators and GUI clients

Step

Description

1

Configure the Multi-Domain Server Administrators and GUI clients:

  1. Run the mdsconfig command
  2. Configure the Administrators
  3. Configure the GUI clients
  4. Exit the mdsconfig menu

2

Assign the Administrators to the Domains.

See the R80.20 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain and Section Assigning Trusted Clients to Domains.

Step 5 of 9: Stop the source R80.20 Security Management Server

Step

Description

1

Connect to the command line on the source Security Management Server.

2

Stop the source Security Management Server:

cpstop

Step 6 of 9: Test the functionality on the target R80.20 Domain Management Server

Step

Description

1

Connect with SmartConsole to the Domain Management Server.

2

Make sure the management database and configuration were imported correctly.

Step 7 of 9: Install policy on all managed Security Gateways and Clusters

Step

Description

1

Connect with SmartConsole to the Active Domain (to which this Domain Management Server belongs).

2

Install the applicable policies on all managed Security Gateways and Clusters.

Step 8 of 9: Disconnect the source R80.20 Security Management Server

Disconnect the source Security Management Server from the network.

Step 9 of 9: Delete the special Access Control rule you added before migration

Important -This step applies only if the target Domain Management Server has a different IP address than the source Security Management Server.

Step

Description

1

Connect with SmartConsole to the Domain Management Server.

2

In each Security Policy, delete the Access Control rule with the new Host object you added on the source Security Management Server before migration.

3

Delete the Host object you added on the source Security Management Server before migration.

4

Install the applicable policies on all managed Security Gateways and Clusters.