Upgrading Multi-Domain Servers in High Availability from R80.20.M1 or R80.20.M2 with Migration
In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain Servers and the different target Multi-Domain Servers.
Note - This procedure is supported only for Multi-Domain Servers that run R80.20.M1 or R80.20.M2.
Important - Before you upgrade:
1. Back up your current configuration.
2. See the Upgrade Options and Prerequisites.
3. In R80 and above, examine the SmartConsole sessions:
   - Connect with the SmartConsole to each Domain Management Server.
   - From the left navigation panel, click .
   - You must publish or discard all sessions, for which the column shows a number greater than zero.
     Right-click on such session and select or .
4. You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Servers.
5. Install the latest version of the CPUSE from sk92449.
   Note - The default CPUSE does not support the required Upgrade Tools package.
Workflow:
- If the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server is not available, promote the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server to be the Primary
- Make sure the Global Domain is Active on the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server
- Get the required Upgrade Tools on the Primary and the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server
- On the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server, run the Pre-Upgrade Verifier
- On the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server, run the Pre-Upgrade Verifier
- On the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server, export the entire management database
- On the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server, export the entire management database
- Perform clean install of another R80.30 Primary Multi-Domain Server
- Get the required Upgrade Tools on the Primary R80.30 Multi-Domain Server
- On the Primary R80.30 Multi-Domain Server, import the entire management database
- Perform clean install of another R80.30 Secondary Multi-Domain Server
- Get the required Upgrade Tools on the Secondary R80.30 Multi-Domain Server
- On the Secondary R80.30 Multi-Domain Server, import the entire management database
- Upgrade the Multi-Domain Log Server, dedicated Log Servers, and dedicated SmartEvent Servers
- Install the R80.30 SmartConsole
- Install the management database
- On every Multi-Domain Server with Active Domain Management Servers, upgrade the attributes of all managed objects in all Domain Management Servers
- Test the functionality
Step 1 of 18: If the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server is not available, promote the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server to be the Primary
For instructions, see the R80.30 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.
Step 2 of 18: Make sure the Global Domain is Active on the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server
1. Connect with SmartConsole to the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server.
2. From the left navigation panel, click .
   The table shows Domains and Multi-Domain Servers:
   - Every column shows a Multi-Domain Server.
   - Active Domain Management Servers (for a Domain) on a Multi-Domain Server are marked with a solid black "barrel" icon.
   - Standby Domain Management Servers (for a Domain) on a Multi-Domain Server are marked with an empty "barrel" icon.
3. In the leftmost column , examine the bottom row for the Primary Multi-Domain Server.
   If the Global Domain is in the Standby state on the Primary Multi-Domain Server (marked with an empty "barrel" icon), then make it Active:
   - Right-click on the Primary Multi-Domain Server and click . High Availability Status window opens.
   - In the section , click .
   - Click to confirm.
   - Wait for the full synchronization to complete.
   - Close SmartConsole.
Step 3 of 18: Get the required Upgrade Tools on the Primary and the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server
1. Download the required Upgrade Tools from sk135172.
   Note - This is a CPUSE Offline package.
2. Install the required Upgrade Tools with CPUSE.
   See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.
3. Make sure the package is installed.
   Run this command in the Expert mode:
   [Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1
   The output must show the same build number you see in the name of the downloaded package.
   Example:
   Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz
   [Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1
   992000043
   [Expert@MDS:0]#
Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."
Step 4 of 18: On the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server, run the Pre-Upgrade Verifier
1. Connect to the command line on the current Multi-Domain Server.
2. Log in with the superuser credentials.
3. Log in to the Expert mode.
4. Run the Pre-Upgrade Verifier.
   Syntax options:
   -v R80.30 - Specifies the version, to which you plan to upgrade.
   -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
5. Read the Pre-Upgrade Verifier output.
   If you need to fix errors:
   - Follow the instructions in the report.
   - Run the Pre-Upgrade Verifier again.
Step 5 of 18: On the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server, run the Pre-Upgrade Verifier
1. Connect to the command line on the current Multi-Domain Server.
2. Log in with the superuser credentials.
3. Log in to the Expert mode.
4. Run the Pre-Upgrade Verifier.
   Syntax options:
   -v R80.30 - Specifies the version, to which you plan to upgrade.
   -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
5. Read the Pre-Upgrade Verifier output.
   If you need to fix errors:
   - Follow the instructions in the report.
   - Run the Pre-Upgrade Verifier again.
Step 6 of 18: On the Primary R80.20.M1 / R80.20.M2 Multi-Domain Server, export the entire management database
1. Connect to the command line on the current Multi-Domain Server.
2. Log in with the superuser credentials.
3. Log in to the Expert mode.
6. Go to the $MDS_FWDIR/scripts/ directory:
   [Expert@MDS:0]# cd $MDS_FWDIR/scripts
7. Export the management database:
   - If this Multi-Domain Server is connected to the Internet, run:
     [Expert@MDS:0]# ./migrate_server export -v R80.30 [-l | -x] /<Full Path>/<Name of Exported File>.tgz
   - If this Multi-Domain Server is not connected to the Internet, run:
     [Expert@MDS:0]# ./migrate_server export -v R80.30 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz
   Syntax options:
   -v R80.30 - Specifies the version, to which you plan to upgrade.
   -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
   -l - Exports the Check Point logs without log indexes in the $FWDIR/log/ directory.
     Note - The command can export only closed logs (to which the information is not currently written).
   -x - Exports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
     Note - The command can export only closed logs (to which the information is not currently written).
8. Calculate the MD5 for the exported database files:
   [Expert@MDS:0]# md5sum /<Full Path>/<Name of Database File>.tgz
9. Transfer the exported databases from the current Multi-Domain Server to an external storage:
   /<Full Path>/<Name of Database File>.tgz
   Note - Make sure to transfer the file in the binary mode.
Step 7 of 18: On the Secondary R80.20.M1 / R80.20.M2 Multi-Domain Server, export the entire management database
1. Connect to the command line on the current Multi-Domain Server.
2. Log in with the superuser credentials.
3. Log in to the Expert mode.
6. Go to the $MDS_FWDIR/scripts/ directory:
   [Expert@MDS:0]# cd $MDS_FWDIR/scripts
7. Export the management database:
   - If this Multi-Domain Server is connected to the Internet, run:
     [Expert@MDS:0]# ./migrate_server export -v R80.30 [-l | -x] /<Full Path>/<Name of Exported File>.tgz
   - If this Multi-Domain Server is not connected to the Internet, run:
     [Expert@MDS:0]# ./migrate_server export -v R80.30 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz
   Syntax options:
   -v R80.30 - Specifies the version, to which you plan to upgrade.
   -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
   -l - Exports the Check Point logs without log indexes in the $FWDIR/log/ directory.
     Note - The command can export only closed logs (to which the information is not currently written).
   -x - Exports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
     Note - The command can export only closed logs (to which the information is not currently written).
8. Calculate the MD5 for the exported database files:
   [Expert@MDS:0]# md5sum /<Full Path>/<Name of Database File>.tgz
9. Transfer the exported databases from the current Multi-Domain Server to an external storage:
   /<Full Path>/<Name of Database File>.tgz
   Note - Make sure to transfer the file in the binary mode.
Step 8 of 18: Perform clean install of another R80.30 Primary Multi-Domain Server
Perform a clean install of the R80.30 Multi-Domain Server on another computer (do not perform initial configuration in SmartConsole).
Important:
The IP addresses of the source R80.20.M1 / R80.20.M2 and target R80.30 Multi-Domain Servers can be different. If you need to have a different IP address on the target R80.30 Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source R80.20.M1 or R80.20.M2 Multi-Domain Server. Note that you have to issue licenses for the new IP address. You must use the same JSON configuration file on all servers in the same Multi-Domain Security Management environment.
Step 9 of 18: Get the required Upgrade Tools on the Primary R80.30 Multi-Domain Server
1. Download the required Upgrade Tools from sk135172.
   Note - This is a CPUSE Offline package.
2. Install the required Upgrade Tools with CPUSE.
   See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.
3. Make sure the package is installed.
   Run this command in the Expert mode:
   [Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1
   The output must show the same build number you see in the name of the downloaded package.
   Example:
   Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz
   [Expert@MDS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1
   992000043
   [Expert@MDS:0]#
Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."
Step 10 of 18: On the Primary R80.30 Multi-Domain Server, import the entire management database you exported from the Primary R80.20.M1 or R80.20.M2 Multi-Domain Server
Prerequisites:
If you installed the target R80.30 Multi-Domain Server with a different IP address than the source R80.20.M1 or R80.20.M2 Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source R80.20.M1 or R80.20.M2 Multi-Domain Server. Note that you have to issue licenses for the new IP address.
Important Notes:
- If none of the servers in the same Multi-Domain Security Management environment change their original IP addresses, you do not need to create the special JSON configuration.
- You must use the same JSON configuration file on all servers in the same Multi-Domain Security Management environment. Even if only one of the servers migrates to a new IP address, all the servers must get this configuration file for the import process.
To create the JSON configuration file:
1. Connect to the command line on the target R80.30 Multi-Domain Server.
2. Log in to the Expert mode.
3. Create the /var/log/mdss.json file that contains every server migrated to a new IP address.
   - Format for migrating only the Primary Multi-Domain Server to a new IP address:
     [{"name":"<Name of Primary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.30 Multi-Domain Server>"}]
   - Format for migrating both the Primary and the Secondary Multi-Domain Servers to new IP addresses:
     [{"name":"<Name of Primary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.30 Multi-Domain Server>"},{"name":"<Name of Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.30 Multi-Domain Server>"}]
   - Format for migrating both the Primary and the Secondary Multi-Domain Servers, and the Multi-Domain Log Server to new IP addresses:
     [{"name":"<Name of Primary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.30 Multi-Domain Server>"},{"name":"<Name of Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.30 Multi-Domain Server>"},{"name":"<Name of R80.20.M1 or R80.20.M2 Multi-Domain Log Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R80.30 Multi-Domain Log Server>"}]
Example:
There are 3 servers in the Multi-Domain Security Management environment - the Primary Multi-Domain Server, the Secondary Multi-Domain Server, and the Multi-Domain Log Server. Both the Primary and the Secondary Multi-Domain Servers are migrated to new IP addresses. The Multi-Domain Log Server remains with the original IP address.
- The current IPv4 address of the source Primary R80.20.M1 or R80.20.M2 Multi-Domain Server is: 192.168.10.21
- The current IPv4 address of the source Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server is: 192.168.10.22
- The name of the source Primary R80.20.M1 or R80.20.M2 Multi-Domain Server object in SmartConsole is: MyPrimaryMultiDomainServer
- The name of the source Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server object in SmartConsole is: MySecondaryMultiDomainServer
- The new IPv4 address of the target Primary R80.30 Multi-Domain Server is: 172.30.40.51
- The new IPv4 address of the target Secondary R80.30 Multi-Domain Server is: 172.30.40.52
- The required syntax for the JSON configuration file you must use on both the Primary and the Secondary Multi-Domain Servers, and on the Multi-Domain Log Server:
  [{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]
Clarification - All servers in this environment must get this information.
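A pre-flight check for the change-IPs file described above, as an added example (not Check Point code): it parses the text of mdss.json, rejects leftover template placeholders, stray whitespace, malformed IPv4 addresses and duplicates, and derives a fingerprint to compare across servers to confirm they all received the same mapping. The function names and the strict two-key rule are assumptions of this sketch, which assumes Python 3 on an admin workstation.

```python
import hashlib
import ipaddress
import json

# The two keys shown in the page's file format. Treating any other key as an
# error is an assumption of this sketch, not documented tool behaviour.
REQUIRED_KEYS = {"name", "newIpAddress4"}

# The page's own example content for /var/log/mdss.json.
PAGE_EXAMPLE = (
    '[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},'
    '{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]'
)


def validate_mdss(text):
    """Return (entries, problems); entries is a list of (name, ip) tuples."""
    try:
        data = json.loads(text)
    except ValueError as exc:
        return [], ["not valid JSON: %s" % exc]
    if not isinstance(data, list) or not data:
        return [], ["top level must be a non-empty JSON array"]

    entries, problems = [], []
    seen_names, seen_ips = set(), set()
    for index, item in enumerate(data):
        where = "entry %d" % index
        if not isinstance(item, dict) or set(item) != REQUIRED_KEYS:
            problems.append("%s: expected exactly the keys name and newIpAddress4" % where)
            continue
        name, ip = item["name"], item["newIpAddress4"]
        if not isinstance(name, str) or not isinstance(ip, str):
            problems.append("%s: both values must be strings" % where)
            continue
        before = len(problems)
        for label, value in (("name", name), ("newIpAddress4", ip)):
            if "<" in value or ">" in value:
                problems.append("%s: %s still holds a template placeholder" % (where, label))
            elif not value or value != value.strip():
                problems.append("%s: %s is empty or has surrounding whitespace" % (where, label))
        if len(problems) == before:
            try:
                ipaddress.IPv4Address(ip)
            except ValueError:
                problems.append("%s: %r is not an IPv4 address" % (where, ip))
        if name in seen_names:
            problems.append("%s: object name %r listed twice" % (where, name))
        if ip in seen_ips:
            problems.append("%s: address %r assigned twice" % (where, ip))
        seen_names.add(name)
        seen_ips.add(ip)
        if len(problems) == before:
            entries.append((name, ip))
    return entries, problems


def fingerprint(text):
    """SHA-256 of a canonical rendering, so spacing and line breaks do not matter."""
    entries, problems = validate_mdss(text)
    if problems:
        raise ValueError("; ".join(problems))
    canonical = json.dumps(entries, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(validate_mdss(PAGE_EXAMPLE))
    print(fingerprint(PAGE_EXAMPLE))
```

Run fingerprint() on the file content taken from each server in the environment; equal values mean every server will import with the same name-to-address mapping.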
Procedure:
1. Connect to the command line on the R80.30 Multi-Domain Server.
2. Log in with the superuser credentials.
3. Log in to the Expert mode.
4. Make sure a valid license is installed:
   mdsenv
   cplic print
   If it is not already installed, then install a valid license now.
5. Transfer the exported database from an external storage to the R80.30 Multi-Domain Server, to some directory.
   Note - Make sure to transfer the file in the binary mode.
6. Make sure the transferred file is not corrupted.
   Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server:
   [Expert@MDS:0]# md5sum /<Full Path>/<Name of Exported File>.tgz
7. Go to the $MDS_FWDIR/scripts/ directory:
   [Expert@MDS:0]# cd $MDS_FWDIR/scripts/
8. Import the management database:
   - If this Multi-Domain Server is connected to the Internet, run:
     [Expert@MDS:0]# ./migrate_server import -v R80.30 [-l | -x] [-change_ips_file /var/log/mdss.json] /<Full Path>/<Name of Exported File>.tgz
   - If this Multi-Domain Server is not connected to the Internet, run:
     [Expert@MDS:0]# ./migrate_server import -v R80.30 -skip_upgrade_tools_check [-l | -x] [-change_ips_file /var/log/mdss.json] /<Full Path>/<Name of Exported File>.tgz
   Syntax options:
   -v R80.30 - Specifies the version, to which you plan to upgrade.
   -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
   -l - Imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
   -x - Imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
   -change_ips_file /var/log/mdss.json - Specifies the JSON file with a new IPv4 address
9. Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):
   [Expert@MDS:0]# mdsstat
   If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:
   [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstat
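Steps 5 and 6 above depend on the MD5 recorded on the source server and on a binary-mode transfer. This added example (not Check Point code; Python 3 on the host that holds the file is assumed, and the helper names and the sample payload are constructed) compares a recorded md5sum line with the transferred file and shows that an ASCII-mode copy fails the check.

```python
import hashlib
import os
import re
import shutil
import tempfile

# One line of md5sum output: 32 hex digits, a space, a mode marker, the name.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_md5sum_line(line):
    """Split a recorded md5sum line into (digest, file name)."""
    match = MD5SUM_LINE.match(line.strip())
    if match is None:
        raise ValueError("not an md5sum output line: %r" % line)
    return match.group(1).lower(), match.group(2)


def file_digests(path, chunk_size=1 << 20):
    """Read the file once in binary mode and return (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def check_transfer(recorded_line, path):
    """Return (matches, actual_md5, actual_sha256) for a transferred file."""
    expected, _name = parse_md5sum_line(recorded_line)
    actual_md5, actual_sha256 = file_digests(path)
    return actual_md5 == expected, actual_md5, actual_sha256


def ascii_mode_copy(source, target):
    """Simulate a text-mode transfer: every LF byte becomes CR LF."""
    with open(source, "rb") as src, open(target, "wb") as dst:
        dst.write(src.read().replace(b"\n", b"\r\n"))


def demo():
    """Copy a constructed stand-in for the export both ways and check each copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "export.tgz")
        # Constructed payload: gzip magic bytes plus every byte value, so it
        # contains LF bytes just as real compressed data does.
        with open(source, "wb") as handle:
            handle.write(b"\x1f\x8b\x08\x00" + bytes(range(256)) * 4)
        recorded = "%s  %s" % (file_digests(source)[0], source)  # as md5sum prints it

        binary_copy = os.path.join(tmp, "binary_copy.tgz")
        shutil.copyfile(source, binary_copy)
        ascii_copy = os.path.join(tmp, "ascii_copy.tgz")
        ascii_mode_copy(source, ascii_copy)

        return check_transfer(recorded, binary_copy)[0], check_transfer(recorded, ascii_copy)[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

MD5 detects accidental corruption only; when the external storage is not trusted, record the SHA-256 value that file_digests also returns on the source server and compare that instead.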
Step 11 of 18: Perform clean install of another R80.30 Secondary Multi-Domain Server
Perform a clean install of the Secondary R80.30 Multi-Domain Server on another computer (do not perform initial configuration in SmartConsole).
Important:
The IP addresses of the source R80.20.M1 / R80.20.M2 and target R80.30 Multi-Domain Servers can be different. If you need to have a different IP address on the target R80.30 Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source R80.20.M1 or R80.20.M2 Multi-Domain Server. Note that you have to issue licenses for the new IP address. You must use the same JSON configuration file on all servers in the same Multi-Domain Security Management environment.
Step 12 of 18: Get the required Upgrade Tools on the Secondary R80.30 Multi-Domain Server
1. Connect to the command line on the R80.30 Multi-Domain Server.
2. Log in with the superuser credentials.
3. Log in to the Expert mode.
4. Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):
   [Expert@MDS:0]# mdsstat
   If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:
   [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstat
5. Go to the main MDS context:
   [Expert@MDS:0]# mdsenv
6. Upgrade the attributes of all managed objects in all Domain Management Servers at once:
   [Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
   Notes:
7. Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):
   [Expert@MDS:0]# mdsstat
   If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:
   [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstat
Step 13 of 18: On the Secondary R80.30 Multi-Domain Server, import the entire management database you exported from the Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server
Prerequisites:
If you installed the target R80.30 Multi-Domain Server with a different IP address than the source R80.20.M1 or R80.20.M2 Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source R80.20.M1 or R80.20.M2 Multi-Domain Server. Note that you have to issue licenses for the new IP address.
Important Notes:
- If none of the servers in the same Multi-Domain Security Management environment change their original IP addresses, you do not need to create the special JSON configuration.
- You must use the same JSON configuration file on all servers in the same Multi-Domain Security Management environment. Even if only one of the servers migrates to a new IP address, all the servers must get this configuration file for the import process.
To create the JSON configuration file:
1. Connect to the command line on the target R80.30 Multi-Domain Server.
2. Log in to the Expert mode.
3. Create the /var/log/mdss.json file that contains every server migrated to a new IP address.
   - Format for migrating only the Primary Multi-Domain Server to a new IP address:
     [{"name":"<Name of Primary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.30 Multi-Domain Server>"}]
   - Format for migrating both the Primary and the Secondary Multi-Domain Servers to new IP addresses:
     [{"name":"<Name of Primary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.30 Multi-Domain Server>"},{"name":"<Name of Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.30 Multi-Domain Server>"}]
   - Format for migrating both the Primary and the Secondary Multi-Domain Servers, and the Multi-Domain Log Server to new IP addresses:
     [{"name":"<Name of Primary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.30 Multi-Domain Server>"},{"name":"<Name of Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.30 Multi-Domain Server>"},{"name":"<Name of R80.20.M1 or R80.20.M2 Multi-Domain Log Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R80.30 Multi-Domain Log Server>"}]
Example:
There are 3 servers in the Multi-Domain Security Management environment - the Primary Multi-Domain Server, the Secondary Multi-Domain Server, and the Multi-Domain Log Server. Both the Primary and the Secondary Multi-Domain Servers are migrated to new IP addresses. The Multi-Domain Log Server remains with the original IP address.
- The current IPv4 address of the source Primary R80.20.M1 or R80.20.M2 Multi-Domain Server is: 192.168.10.21
- The current IPv4 address of the source Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server is: 192.168.10.22
- The name of the source Primary R80.20.M1 or R80.20.M2 Multi-Domain Server object in SmartConsole is: MyPrimaryMultiDomainServer
- The name of the source Secondary R80.20.M1 or R80.20.M2 Multi-Domain Server object in SmartConsole is: MySecondaryMultiDomainServer
- The new IPv4 address of the target Primary R80.30 Multi-Domain Server is: 172.30.40.51
- The new IPv4 address of the target Secondary R80.30 Multi-Domain Server is: 172.30.40.52
- The required syntax for the JSON configuration file you must use on both the Primary and the Secondary Multi-Domain Servers, and on the Multi-Domain Log Server:
  [{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]
Clarification - All servers in this environment must get this information.
Procedure:
Step 14 of 18: Upgrade the Multi-Domain Log Server, dedicated Log Servers, and dedicated SmartEvent Servers
If your Multi-Domain Servers manage Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server:
Step 15 of 18: Install the R80.30 SmartConsole
See Installing SmartConsole.
Step 16 of 18: Install the management database
1. Connect with SmartConsole to each Domain Management Server.
2. In the top left corner, click .
3. Select all objects.
4. Click .
5. Click .
Step 17 of 18: On every Multi-Domain Server with Active Domain Management Servers, upgrade the attributes of all managed objects in all Domain Management Servers
To determine which Multi-Domain Servers run Active Domain Management Servers:
- Connect with SmartConsole to a Multi-Domain Server to the context.
- From the left navigation panel, click .
The table shows Domains and Multi-Domain Servers:
- Every column shows a Multi-Domain Server.
- Active Domain Management Servers (for a Domain) on a Multi-Domain Server are marked with a solid black "barrel" icon.
- Standby Domain Management Servers (for a Domain) on a Multi-Domain Server are marked with an empty "barrel" icon.
Procedure:
1. Connect to the command line on every Multi-Domain Server that has at least one Active Domain Management Server.
2. Log in with the superuser credentials.
3. Log in to the Expert mode.
4. Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):
   [Expert@MDS:0]# mdsstat
   If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:
   [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstat
5. Go to the main MDS context:
   [Expert@MDS:0]# mdsenv
6. Upgrade the attributes of all managed objects in all Domain Management Servers at once:
   [Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
   Notes:
7. Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):
   [Expert@MDS:0]# mdsstat
   If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:
   [Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>
   [Expert@MDS:0]# mdsstat
Step 18 of 18: Test the functionality
1. Connect with SmartConsole to the R80.30 Multi-Domain Server.
2. Make sure the management database and configuration were imported correctly.
3. Test the Management High Availability functionality.