Migrating Database from an R80.20 Security Management Server to an R80.20 Domain Management Server

Starting from Take 117 of R80.20 Jumbo Hotfix Accumulator (PRJ-5250), you can export the entire management database from a Domain Management Server on an R80.20Multi-Domain Server and import it on an R80.20Security Management Server.

For the list of known limitations, see sk156072.

Prerequisites on the source Domain Management Server:

Back up the current Multi-Domain Server. See Backing Up and Restoring.
Make sure to publish all changes you wish to migrate.

If the target Security Management Server must have a different IP address than the source Domain Management Server, then you must prepare the source database before the export.

Instructions in SmartConsole:

Create a new Host object with the new IP address of the target Security Management Server.

In each Security Policy, add a new Access Control rule to allow specific traffic from the Host object with new IP address to all managed Security Gateways and Clusters.

No	Name	Source	Destination	Services & Applications	Action	Track	Install On
1	Traffic from new Security Management Server to managed Gateways	Host object with new IP address	Applicable objects of managed Security Gateways and Clusters	`FW1` `FW1_CPRID` `CPD`	`Accept`	`None`	`Policy Targets`

Name

Source

Destination

Services &
Applications

Action

Track

Install
On

Traffic from new Security Management Server to managed Gateways

Host object with new IP address

Applicable objects of managed Security Gateways and Clusters

FW1

FW1_CPRID

CPD

Accept

None

Policy Targets

Notes:

You must use the pre-defined Check Point services.
If the source Domain Management Server manages VSX Gateways or VSX Clusters, you must also add this Access Control rule to their default VSX policies.
These default policies are called:

<Name of VSX Gateway or VSX Cluster Object>_VSX

Install all updated Access Control Policies.

Prerequisites on the target Security Management Server:

Perform a clean install of an R80.20 Security Management Server.
See Installing One Security Management Server only, or Primary Security Management Server in Management High Availability.
Make sure you install the required license.

Workflow:

On the source R80.20 Domain Management Server, export the database.
Transfer the export file to the target R80.20 Security Management Server.
On the target Security Management Server, import the Domain Management Server database.
Configure and assign the Administrators and GUI clients.
Stop the source R80.20 Domain Management Server.
Test the functionality on the target R80.20 Security Management Server.
Install policy on all managed Security Gateways and Clusters.
Delete the source R80.20 Domain Management Server.
Delete the special Access Control rule you added before migration.

Step 1 of 9: On the source R80.20 Domain Management Server, export the database

Step	Description
1	Run this API: `migrate-export-domain` For API documentation, see the Check Point Management API Reference - search for migrate-export-domain. Example: `mgmt_cli migrate-export-domain domain "MyDomain3" file-path "/var/log/MyDomain3_Export.tgz" include-logs "false"`
2	Calculate the MD5 of the export file: `md5sum <`Full Path to Export File`>.tgz`

Step

Description

Run this API:

migrate-export-domain

For API documentation, see the Check Point Management API Reference - search for migrate-export-domain.

Example:

mgmt_cli migrate-export-domain domain "MyDomain3" file-path "/var/log/MyDomain3_Export.tgz" include-logs "false"

Calculate the MD5 of the export file:

md5sum <Full Path to Export File>.tgz

Step 2 of 9: Transfer the export file to the target R80.20 Security Management Server

Step	Description
1	Transfer the export file from the source Multi-Domain Server to the target Security Management Server, to some directory. Note - Make sure to transfer the file in the binary mode.
2	Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the source Multi-Domain Server: `md5sum <`Full Path to Export File`>.tgz`

Step

Description

Transfer the export file from the source Multi-Domain Server to the target Security Management Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the source Multi-Domain Server:

md5sum <Full Path to Export File>.tgz

Step 3 of 9: On the target Security Management Server, import the Domain Management Server database

Step	Description
1	Connect to the command line.
2	Log in to the Expert mode.
3	In a plain-text editor, prepare the applicable syntax for your environment: `$MDS_FWDIR/scripts/migrate_import_domain.sh -sn <`Name of New Security Management Server`> -dsi <`IP Address of New Security Management Server`> -o <`Full Path to Exported File`>.tgz [-skip_logs]` Where: `-sn <`Name of New Security Management Server`>` Specifies a new name of the new Security Management Server object. `-dsi <`IP Address of New Security Management Server`>` Specifies a new IP Address of the new Security Management Server object. `-o <`Full Path to Exported File`>.tgz` Specifies the full path to the export file you transferred from the source R80.20 Multi-Domain Server. `-skip_logs` Optional. Specifies not to import log files `$FWDIR/log/fw.*log`.
4	On the target Security Management Server, run the `$MDS_FWDIR/scripts/migrate_import_domain.sh` script with the syntax you prepared.

Step 4 of 9: Configure and assign the Administrators and GUI clients

Configure the Multi-Domain Server Administrators and GUI clients:

Run the cpconfig command
Configure the Administrators
Configure the GUI clients
Exit the cpconfig menu

Step 5 of 9: Stop the source R80.20 Domain Management Server

Step	Description
1	Connect to the command line on the source Multi-Domain Server.
2	Stop the source Domain Management Server you migrated: `mdsstop_customer <`IP address or Name of Domain Management Server`>`

Step

Description

Connect to the command line on the source Multi-Domain Server.

Stop the source Domain Management Server you migrated:

mdsstop_customer <IP address or Name of Domain Management Server>

Step 6 of 9: Test the functionality on the target R80.20 Security Management Server

Step	Description
1	Connect with SmartConsole to the target Security Management Server.
2	Make sure the management database and configuration were imported correctly.

Step 7 of 9: Install policy on all managed Security Gateways and Clusters

Install the applicable policies on all managed Security Gateways and Clusters.

Step 8 of 9: Delete the source R80.20 Domain Management Server

Make sure you backed up the Multi-Domain Server. See Backing Up and Restoring.

Step	Description
1	Connect with SmartConsole to the source Multi-Domain Server to the MDS context.
2	From the left navigation panel, click Multi Domain > Domains.
3	Right-click the Domain Management Server object you migrated and select Delete.

Step 9 of 9: Delete the special Access Control rule you added before migration

Important - This step applies only if the target Security Management Server has a different IP address than the source Domain Management Server.

Step	Description
1	Connect with SmartConsole to the Domain Management Server.
2	In each Security Policy, delete the Access Control rule with the new Host object you added on the source Security Management Server before migration.
3	Delete the Host object you added on the source Security Management Server before migration.
4	Install the applicable policies on all managed Security Gateways and Clusters.