In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain Servers and the different target Multi-Domain Servers.
Note - To upgrade from R80.20.M1 or R80.20.M2, see Upgrading Multi-Domain Servers in High Availability from R80.20.M1 or R80.20.M2 with Migration.
Important - Before you upgrade:
Step |
Description |
---|---|
1 |
|
2 |
See the Upgrade Options and Prerequisites. |
3 |
In R80 and above, examine the SmartConsole sessions:
|
4 |
In Multi-Domain Server R80 or R80.10 with enabled vSEC Controller:
|
5 |
You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Servers. |
Workflow:
Step 1 of 16: If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain Server to be the Primary
For instructions, see the R80.30 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.
Step 2 of 16: Get the R80.30 installation image
Step |
Description |
---|---|
1 |
Download the R80.30 Clean Install ISO file from the R80.30 Home Page SK. |
2 |
Transfer the R80.30 ISO file to the current Multi-Domain Server to some directory (for example, Note - Make sure to transfer the file in the binary mode. |
Step 3 of 16: On the current Primary Multi-Domain Server, run the Pre-Upgrade Verifier and export the entire management database
Step |
Description |
---|---|
1 |
Connect to the command line the current Primary Multi-Domain Server. |
2 |
Log in with the superuser credentials. |
3 |
Log in to the Expert mode. |
4 |
Stop all Check Point services:
|
5 |
Go to the main MDS context:
|
6 |
Mount the R80.30 ISO file:
|
7 |
Go to the installation folder in the ISO:
|
8 |
Run the installation script:
This menu shows:
|
9 |
Enter 1 to run the Pre-upgrade verification. Note - The Pre-Upgrade Verifier analyzes compatibility of the currently installed configuration with the version, to which you upgrade. A detailed report shows the steps to do before and after the upgrade. |
10 |
Read the Pre-Upgrade Verifier output. If you need to fix errors:
|
11 |
Enter 3 to export the current Primary Multi-Domain Server configuration. |
12 |
Answer the interactive questions:
Note - If you enter no in the question " |
13 |
Make sure the export file is created in the specified directory:
|
14 |
Calculate the MD5 for the exported file:
|
15 |
Rename the exported file:
|
16 |
Transfer the exported database from the current Primary Multi-Domain Server to an external storage:
Note - Make sure to transfer the file in the binary mode. |
Step 4 of 16: Install another Primary R80.30 Multi-Domain Server
Perform a clean install of the R80.30 Multi-Domain Server on another computer (do not perform initial configuration in SmartConsole).
Important:
The IP addresses of the source and target Multi-Domain Servers must be the same. If you need to have a different IP address on the R80.30 Multi-Domain Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. For applicable procedure, see sk74020.
Step 5 of 16: On the Primary R80.30 Multi-Domain Server, import the entire management database
Step |
Description |
---|---|
1 |
Connect to the command line on the Primary R80.30 Multi-Domain Server. |
2 |
Log in with the superuser credentials. |
3 |
Log in to the Expert mode. |
4 |
Make sure a valid license is installed:
If it is not already installed, then install a valid license now. |
5 |
Transfer the exported database from an external storage to the Primary R80.30 Multi-Domain Server, to some directory. Note - Make sure to transfer the file in the binary mode. |
6 |
Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Primary Multi-Domain Server:
|
7 |
Import the configuration:
Note: |
8 |
Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "
If some of the required daemons on a Domain Management Server are in the state "
|
Step 6 of 16: Install the R80.30 SmartConsole
Step 7 of 16: On the Primary R80.30 Multi-Domain Server, install the management database
Step |
Description |
---|---|
1 |
Connect with SmartConsole to each Domain Management Server. |
2 |
In the top left corner, click Menu > Install database. |
3 |
Select all objects. |
4 |
Click Install. |
5 |
Click OK. |
Step 8 of 16: On the current Secondary Multi-Domain Server, run the Pre-Upgrade Verifier and export the entire management database
Step |
Description |
---|---|
1 |
Connect to the command line the current Secondary Multi-Domain Server. |
2 |
Log in with the superuser credentials. |
3 |
Log in to the Expert mode. |
4 |
Stop all Check Point services:
|
5 |
Go to the main MDS context:
|
6 |
Mount the R80.30 ISO file:
|
7 |
Go to the installation folder in the ISO:
|
8 |
Run the installation script:
This menu shows:
|
9 |
Enter 1 to run the Pre-upgrade verification. Note - The Pre-Upgrade Verifier analyzes compatibility of the currently installed configuration with the version, to which you upgrade. A detailed report shows the steps to do before and after the upgrade. |
10 |
Read the Pre-Upgrade Verifier output. If you need to fix errors:
|
11 |
Enter 3 to export the current Secondary Multi-Domain Server configuration. |
12 |
Answer the interactive questions:
Note - If you enter no in the question " |
13 |
Make sure the export file is created in the specified directory:
|
14 |
Calculate the MD5 for the exported file:
|
15 |
Rename the exported file:
|
16 |
Transfer the exported database from the current Secondary Multi-Domain Server to an external storage:
Note - Make sure to transfer the file in the binary mode. |
Step 9 of 16: Install another Secondary R80.30 Multi-Domain Server
Perform a clean install of the R80.30 Multi-Domain Server on another computer (do not perform initial configuration in SmartConsole).
Important:
The IP addresses of the source and target Multi-Domain Servers must be the same. If you need to have a different IP address on the R80.30 Multi-Domain Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. For applicable procedure, see sk74020.
Step 10 of 16: On the Secondary R80.30 Multi-Domain Server, import the entire management database
Notes:
These preliminary steps apply to a Multi-Site setup, in which some of the Domain Management Servers are Active on the Primary Multi-Domain Server, and some of the Domain Management Servers are Active on the Secondary Multi-Domain Servers.
Note - This example assumes that you already upgraded the Primary Multi-Domain Server and one of the Secondary Multi-Domain Servers with Active Domain Management Servers on it.
The Primary Multi-Domain Server
The first Secondary Multi-Domain Server
In case of a failure, you must resolve it before you can import the database.
The Primary Multi-Domain Server
The first Secondary Multi-Domain Server
The second Secondary Multi-Domain Server
In case of a failure, you must resolve it before you can import the database.
Repeat the above test on all other Secondary Multi-Domain Servers before you import the entire management database on them.
Procedure:
Step |
Description |
---|---|
1 |
Connect to the command line the Secondary R80.30 Multi-Domain Server. |
2 |
Log in with the superuser credentials. |
3 |
Log in to the Expert mode. |
4 |
Make sure a valid license is installed:
If it is not already installed, then install a valid license now. |
5 |
Transfer the exported database from an external storage to the Secondary R80.30 Multi-Domain Server, to some directory. Note - Make sure to transfer the file in the binary mode. |
6 |
Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server:
|
7 |
Import the configuration:
Note: |
8 |
Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "
If some of the required daemons on a Domain Management Server are in the state "
|
Step 11 of 16: On the Secondary R80.30 Multi-Domain Server, install the management database
Step |
Description |
---|---|
1 |
Connect with SmartConsole to each Domain Management Server. |
2 |
In the top left corner, click Menu > Install database. |
3 |
Select all objects. |
4 |
Click Install. |
5 |
Click OK. |
Step 12 of 16: Upgrade the Multi-Domain Log Server, dedicated Log Servers, and dedicated SmartEvent Servers
If your Multi-Domain Servers manages Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server:
Step 13 of 16: On every Multi-Domain Server with Active Domain Management Servers, upgrade the attributes of all managed objects in all Domain Management Servers
Step |
Description |
---|---|
1 |
Connect to the command line on the R80.30 Multi-Domain Server. |
2 |
Log in with the superuser credentials. |
3 |
Log in to the Expert mode. |
4 |
Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "
If some of the required daemons on a Domain Management Server are in the state "
|
5 |
Go to the main MDS context:
|
6 |
Upgrade the attributes of all managed objects in all Domain Management Servers at once:
Notes:
|
7 |
Allow the database synchronization to run:
Restart the Check Point services:
For more information, see sk121718. |
8 |
Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "
If some of the required daemons on a Domain Management Server are in the state "
|
Step 14 of 16: Test the functionality
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Multi-Domain Server. |
2 |
Make sure the management database and configuration were imported correctly. |
3 |
Test the Management High Availability functionality. |
Step 15 of 16: Disconnect the old Multi-Domain Servers from the network
Step 16 of 16: Connect the new Multi-Domain Servers to the networks