Migrating Database from an R80.20 Security Management Server to an R80.20 Domain Management Server

Starting from Take 117 of R80.20 Jumbo Hotfix Accumulator (PRJ-5250), you can export the entire management database from an R80.20 Security Management Server and import it on an R80.20Multi-Domain Server into a Domain Management Server.

For the list of known limitations, see sk156072.

Prerequisites on the source Security Management Server:

Make sure to publish all changes you wish to migrate.
Make sure all required processes are up and running:
[Expert@MGMT:0]# cpwd_admin list

The "STAT" column must show "E" (executing) for all processes.
Close the active Security log ($FWDIR/log/fw.log) and Audit log ($FWDIR/log/fw.adtlog) files:
[Expert@MGMT:0]# fw logswitch

[Expert@MGMT:0]# fw logswitch -audit

If the target Domain Management Server must have a different IP address than the source Security Management Server, then you must prepare the source database before the export.

Instructions in SmartConsole:

Create a new Host object with the new IP address of the target Domain Management Server.

In each Security Policy, add a new Access Control rule to allow specific traffic from the Host object with new IP address to all managed Security Gateways and Clusters.

No	Name	Source	Destination	Services & Applications	Action	Track	Install On
1	Traffic from new Domain Management Server to managed Gateways	Host object with new IP address	Applicable objects of managed Security Gateways and Clusters	`FW1` `FW1_CPRID` `CPD`	`Accept`	`None`	`Policy Targets`

Name

Source

Destination

Services &
Applications

Action

Track

Install
On

Traffic from new Domain Management Server to managed Gateways

Host object with new IP address

Applicable objects of managed Security Gateways and Clusters

FW1

FW1_CPRID

CPD

Accept

None

Policy Targets

Notes:

You must use the pre-defined Check Point services.
If the source Security Management Server manages VSX Gateways or VSX Clusters, you must also add this Access Control rule to their default VSX policies.
These default policies are called:

<Name of VSX Gateway or VSX Cluster Object>_VSX

Install all updated Access Control Policies.

Prerequisites on the target Multi-Domain Server:

The free disk space must be at least 5 times the size of the database file you export from the source Security Management Server.
Back up the current Multi-Domain Server. See Backing Up and Restoring.
Do not create a new Domain Management Server on the target Multi-Domain Server. This procedure creates it automatically.
Make sure you install the required license.

Workflow:

On the source R80.20 Security Management Server, export the database.
Transfer the export file to the target R80.20 Multi-Domain Server.
On the target Multi-Domain Server, import the Security Management Server database into a Domain Management Server.
Configure and assign the Administrators and GUI clients.
Stop the source R80.20 Security Management Server.
Test the functionality on the R80.20 Domain Management Server.
Install policy on all managed Security Gateways and Clusters.
Disconnect the source R80.20 Security Management Server.
Delete the special Access Control rule you added before migration.

Step 1 of 9: On the source R80.20 Security Management Server, export the database

Step	Description
1	Run this API: `migrate-export-domain` For API documentation, see the Check Point Management API Reference - search for migrate-export-domain. Example: `mgmt_cli migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"`
2	Calculate the MD5 of the export file: `md5sum <`Full Path to Export File`>.tgz`

Step

Description

Run this API:

migrate-export-domain

For API documentation, see the Check Point Management API Reference - search for migrate-export-domain.

Example:

mgmt_cli migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"

Calculate the MD5 of the export file:

md5sum <Full Path to Export File>.tgz

Step 2 of 9: Transfer the export file to the target R80.20 Multi-Domain Server

Step	Description
1	Transfer the export file from the source Security Management Server to the target Multi-Domain Server, to some directory. Note - Make sure to transfer the file in the binary mode.
2	Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the source Security Management Server: `md5sum <`Full Path to Export File`>.tgz`

Step

Description

Transfer the export file from the source Security Management Server to the target Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the source Security Management Server:

md5sum <Full Path to Export File>.tgz

Step 3 of 9: On the target Multi-Domain Server, import the Security Management Server database into a Domain Management Server

Step	Description
1	Make sure you have the sufficient license.
2	Run this API: `migrate-import-domain` For API documentation, see the Check Point Management API Reference - search for migrate-import-domain. Make sure the name of the Domain you create does not conflict with the name of an existing Domain. Example: `mgmt_cli migrate-import-domain domain-name "MyDomain3" domain-server-name "MyDomainServer3" domain-ip-address "192.168.20.30" file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"`
3	Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable): `mdsstat` If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands: `mdsstop_customer <`IP Address or Name of Domain Management Server`>` `mdsstart_customer <`IP Address or Name of Domain Management Server`>` `mdsstat`

Step

Description

Make sure you have the sufficient license.

Run this API:

migrate-import-domain

For API documentation, see the Check Point Management API Reference - search for migrate-import-domain.

Make sure the name of the Domain you create does not conflict with the name of an existing Domain.

Example:

mgmt_cli migrate-import-domain domain-name "MyDomain3" domain-server-name "MyDomainServer3" domain-ip-address "192.168.20.30" file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"

Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):

mdsstat

If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:

mdsstop_customer <IP Address or Name of Domain Management Server>

mdsstart_customer <IP Address or Name of Domain Management Server>

mdsstat

Step 4 of 9: Configure and assign the Administrators and GUI clients

Step	Description
1	Configure the Multi-Domain Server Administrators and GUI clients: Run the `mdsconfig` command Configure the Administrators Configure the GUI clients Exit the `mdsconfig` menu
2	Assign the Administrators to the Domains. See the R80.20 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain and Section Assigning Trusted Clients to Domains.

Step

Description

Configure the Multi-Domain Server Administrators and GUI clients:

Run the mdsconfig command
Configure the Administrators
Configure the GUI clients
Exit the mdsconfig menu

Assign the Administrators to the Domains.

See the R80.20 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain and Section Assigning Trusted Clients to Domains.

Step 5 of 9: Stop the source R80.20 Security Management Server

Step	Description
1	Connect to the command line on the source Security Management Server.
2	Stop the source Security Management Server: `cpstop`

Step

Description

Connect to the command line on the source Security Management Server.

Stop the source Security Management Server:

cpstop

Step 6 of 9: Test the functionality on the target R80.20 Domain Management Server

Step	Description
1	Connect with SmartConsole to the Domain Management Server.
2	Make sure the management database and configuration were imported correctly.

Step 7 of 9: Install policy on all managed Security Gateways and Clusters

Step	Description
1	Connect with SmartConsole to the Active Domain (to which this Domain Management Server belongs).
2	Install the applicable policies on all managed Security Gateways and Clusters.

Step 8 of 9: Disconnect the source R80.20 Security Management Server

Disconnect the source Security Management Server from the network.

Step 9 of 9: Delete the special Access Control rule you added before migration

Important -This step applies only if the target Domain Management Server has a different IP address than the source Security Management Server.

Step	Description
1	Connect with SmartConsole to the Domain Management Server.
2	In each Security Policy, delete the Access Control rule with the new Host object you added on the source Security Management Server before migration.
3	Delete the Host object you added on the source Security Management Server before migration.
4	Install the applicable policies on all managed Security Gateways and Clusters.