Attention:
This upgrade method is supported only when you upgrade from R7x versions. We recommend that you upgrade the entire Multi-Domain Server at once with one of these methods:
Because upgrading the entire Multi-Domain Server at once is the default recommended method, use the Gradual Migration of Domain Management Servers only in these cases:
If you use the Gradual Migration method:
If you need to make changes on the source Multi-Domain Servers, follow these guidelines:
Workflow:
Step 1 of 13: Perform a Clean Install of a target R80.30 Multi-Domain Server
Perform a clean install of the R80.30 Multi-Domain Server.
Step 2 of 13: Create the corresponding Domain Management Servers
Create the Domain Management Servers, into which you import the entire management database from the source Domain Management Servers.
See the R80.30 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain.
Alternatively, use the mgmt_cli add domain command. See the Management API Reference - mgmt_cli tool - Chapter Multi-Domain - Section Domain - Subsection add domain.
Step 3 of 13: Export the Global Policies from the R7x Multi-Domain Server
Export the R7x global management database as described in Migrating Global Policies from R7x Multi-Domain Server.
Step 4 of 13: Import the R7x Global Policies on the R80.30 Multi-Domain Server
Import the R7x global management database as described in Migrating Global Policies from R7x Multi-Domain Server.
Step 5 of 13: On the R7x Multi-Domain Server, export the entire management database from the applicable source Domain Management Servers one by one
| Step | Description |
|---|---|
| 1 | Connect to the command line on the current Multi-Domain Server. |
| 2 | Log in with the superuser credentials. |
| 3 | Log in to the Expert mode. |
| 4 | Go to the directory, where you put the R80.30 Management Server Migration Tool package: |
| 5 | Extract the R80.30 Management Server Migration Tool package: |
| 6 | Go to the context of each applicable Domain Management Server: |
| 7 | Export the entire management database from each applicable Domain Management Server: Notes: |
| 8 | Calculate the MD5 for each exported database file: |
| 9 | Transfer each exported Domain Management Server database from the current Multi-Domain Server to an external storage: Note - Make sure to transfer the files in the binary mode. |
Step 6 of 13: Transfer the exported R7x Domain Management Server management databases to the R80.30 Multi-Domain Server
| Step | Description |
|---|---|
| 1 | Transfer the exported R7x Domain Management Server management databases from an external storage to the R80.30 Multi-Domain Server, to some directory. Note - Make sure to transfer the files in the binary mode. |
| 2 | Make sure the transferred files are not corrupted. Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the R7x Multi-Domain Server: |
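
Added example (not part of the Check Point guide, and not Check Point code): one way to script the MD5 check from Step 5 (substep 8) and Step 6 (substep 2) with the standard md5sum utility. The function names, directory layout and *.tgz file names are assumptions made for illustration; demo() simulates what an ASCII-mode transfer does to an exported archive.

```shell
#!/bin/bash
# Added example, not Check Point code. All paths and file names are constructed.

# write_manifest DIR MANIFEST: record the MD5 of every file in DIR.
# MANIFEST must live outside DIR so that it does not list itself.
write_manifest() {
    ( cd "$1" && md5sum -- * ) > "$2"
}

# verify_manifest DIR MANIFEST: recompute each MD5 in DIR and compare.
# Prints one status line per file; returns 0 only if every file matches.
verify_manifest() {
    local dir="$1" manifest="$2" expected name actual rc=0
    while read -r expected name; do
        name=${name#\*}                  # md5sum prefixes '*' in binary mode
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        actual=$(md5sum -- "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK      $name"
        else
            echo "CORRUPT $name"; rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# demo: one export copied intact, one passed through an LF -> CRLF rewrite,
# which is what an ASCII-mode transfer does to an archive.
demo() {
    local work src dst rc=0
    work=$(mktemp -d) || return 2
    src=$work/source; dst=$work/target
    mkdir "$src" "$dst"
    printf 'constructed\nsample\n' > "$src/domain1_export.tgz"
    printf 'second\nsample\n' > "$src/domain2_export.tgz"
    write_manifest "$src" "$work/exports.md5"
    cp "$src/domain1_export.tgz" "$dst/"
    awk '{ printf "%s\r\n", $0 }' "$src/domain2_export.tgz" > "$dst/domain2_export.tgz"
    verify_manifest "$dst" "$work/exports.md5" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```

MD5 matches the step in this guide and catches transfer damage such as the line-ending rewrite above. It does not protect against deliberate modification of the export in transit or on the external storage; a SHA-256 manifest (sha256sum) kept separately from the files covers that case.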
Step 7 of 13: On the target R80.30 Multi-Domain Server, import the entire management database to the applicable target Domain Management Servers one by one
| Step | Description |
|---|---|
| 1 | Connect to the command line on the current Multi-Domain Server. |
| 2 | Log in with the superuser credentials. |
| 3 | Log in to the Expert mode. |
| 4 | Make sure a valid license is installed: If it is not already installed, then install a valid license now. |
| 5 | Unset the shell idle environment variable: |
| 6 | Import the R7x Domain Management Server management databases one by one: Example: Note - This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must fix them on the source R7x Domain Management Server according to instructions in the error messages. Then do this procedure again. |
| 7 | Start the new Domain Management Server with the imported R7x management database: |
| 8 | Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state " If some of the required daemons on a Domain Management Server are in the state " |
Step 8 of 13: Upgrade the attributes of all managed objects in all Domain Management Servers
| Step | Description |
|---|---|
| 1 | Connect to the command line on the R80.30 Multi-Domain Server. |
| 2 | Log in with the superuser credentials. |
| 3 | Log in to the Expert mode. |
| 4 | Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state " If some of the required daemons on a Domain Management Server are in the state " |
| 5 | Go to the main MDS context: |
| 6 | Upgrade the attributes of all managed objects in each Domain Management Server one by one: Note - Because the command prompts you for a ' |
| 7 | Allow the database synchronization to run: Restart the Check Point services: For more information, see sk121718. |
| 8 | Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state " If some of the required daemons on a Domain Management Server are in the state " |
Step 9 of 13: Configure the Multi-Domain Server administrators and GUI clients
The gradual upgrade does not keep all data.
You must manually redefine and reassign the Multi-Domain Server administrators and GUI clients to Domains after the gradual upgrade.
| Step | Description |
|---|---|
| 1 | Run the |
| 2 | See the R80.30 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain - Subsection Assigning Trusted Clients to Domains. |
Step 10 of 13: Reset SIC, create a new ICA, and establish SIC Trust with managed Security Gateways
Note - This step applies if the new R80.30 Domain Management Server has a different IPv4 address than the R7x Domain Management Server.
| Step | Description |
|---|---|
| 1 | Connect to the command line on the R80.30 Multi-Domain Server. |
| 2 | Log in with the superuser credentials. |
| 3 | Log in to the Expert mode. |
| 4 | Stop the new Domain Management Server, into which you migrated the management database from an R7x Domain Management Server: |
| 5 | Go to the context of the new Domain Management Server: |
| 6 | Reset the SIC on the Domain Management Server: |
| 7 | Create a new Internal Certificate Authority: |
| 8 | Start the new Domain Management Server: |
| 9 | Make sure all the required daemons (FWM, FWD, CPD, and CPCA) on the new Domain Management Server are in the state " If some of the required daemons on a Domain Management Server are in the state " |
| 10 | Establish the Secure Internal Communication (SIC) between the Management Server and the managed Security Gateways: |
Step 11 of 13: Rebuild the status of Global VPN communities after the gradual upgrade
The gradual upgrade does not keep all data.
| Step | Description |
|---|---|
| 1 | Connect to the command line on the R80.30 Multi-Domain Server. |
| 2 | Log in with the superuser credentials. |
| 3 | Log in to the Expert mode. |
| 4 | Go to the main MDS context: |
| 5 | Rebuild the status of Global VPN communities: |
Step 12 of 13: Configure the VPN keys
Note - This step applies if the original R7x Domain Management Server managed VPN gateways.
There can be an issue with the IKE certificates after you migrate the management database, if a VPN tunnel is established between a Check Point Security Gateway and an externally managed, third-party gateway.
The VPN Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original Management Server. The peer gateway will fail to contact the original server and will not accept the certificate.
To fix:
Step 13 of 13: Test the functionality
| Step | Description |
|---|---|
| 1 | Connect with SmartConsole to the R80.30 Multi-Domain Server. |
| 2 | Make sure the management database and configuration were upgraded correctly on each Domain Management Server. |