Upgrading a Multi-Domain Log Server from R80.20.M1 or R80.20.M2 with Migration

In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain Server and the different target Multi-Domain Server.

Note - This procedure is supported only for a Multi-Domain Server that runs R80.20.M1 or R80.20.M2.

Important - Before you upgrade a Multi-Domain Log Server:

Step	Description
1	Back up your current configuration.
2	See the Upgrade Options and Prerequisites.
3	You must upgrade your Multi-Domain Servers.
4	You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Log Server.

Workflow:

Get the required Upgrade Tools on the R80.20.M1 / R80.20.M2 Multi-Domain Log Server
On the R80.20.M1 / R80.20.M2 Multi-Domain Log Server, run the Pre-Upgrade Verifier and export the entire management database
Perform clean install of the new R80.30 Multi-Domain Log Server
Get the required Upgrade Tools on the new R80.30 Multi-Domain Log Server
On the new R80.30 Multi-Domain Log Server, import the entire management database
Install the R80.30 SmartConsole
On the new R80.30 Multi-Domain Log Server, install the management database
On the new R80.30 Multi-Domain Log Server, upgrade the attributes of all managed objects in all Domain Log Servers
Test the functionality on R80.30 Multi-Domain Log Server
Test the functionality on R80.30 Multi-Domain Server
Disconnect the old Multi-Domain Log Server from the network
Connect the new Multi-Domain Log Server to the network

Step 1 of 12: Get the required Upgrade Tools on the R80.20.M1 / R80.20.M2 Multi-Domain Log Server

Step	Description
1	Download the required Upgrade Tools from sk135172. Note - This is a CPUSE Offline package.
2	Install the required Upgrade Tools with CPUSE. See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.
3	Make sure the package is installed. Run this command in the Expert mode: `[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1` The output must show the same build number you see in the name of the downloaded package. Example: Name of the downloaded package: `ngm_upgrade_wrapper_992000043_1.tgz` `[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1` `992000043` `[Expert@MDLS:0]#`

Step

Description

Download the required Upgrade Tools from sk135172.

Note - This is a CPUSE Offline package.

Install the required Upgrade Tools with CPUSE.

See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.

Make sure the package is installed.

Run this command in the Expert mode:

[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1

The output must show the same build number you see in the name of the downloaded package.

Example:

Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz

[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1
992000043
[Expert@MDLS:0]#

Note - The command migrate_server from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears:
"Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172."

Step 2 of 12: On the R80.20.M1 / R80.20.M2 Multi-Domain Log Server, run the Pre-Upgrade Verifier and export the entire management database

Step	Description
1	Connect to the command line on the current Multi-Domain Log Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Run the Pre-Upgrade Verifier. If this Multi-Domain Log Server is connected to the Internet, run: `[Expert@MDLS:0]# $MDS_FWDIR/scripts/migrate_server verify -v R80.30` If this Multi-Domain Log Server is not connected to the Internet, run: `[Expert@MDLS:0]# $MDS_FWDIR/scripts/migrate_server verify -v R80.30 -skip_upgrade_tools_check` Syntax options: `-v R80.30` - Specifies the version, to which you plan to upgrade. `-skip_upgrade_tools_check` - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
5	Read the Pre-Upgrade Verifier output. If you need to fix errors: Follow the instructions in the report. Run the Pre-Upgrade Verifier again.
6	Go to the `$MDS_FWDIR/scripts/` directory: `[Expert@MDLS:0]# cd $MDS_FWDIR/scripts`
7	Export the management database: This Multi-Domain Log Server is connected to the Internet, run: `[Expert@MDLS:0]# ./migrate_server export -v R80.30 [-l \| -x] /<`Full Path`>/<`Name of Exported File`>.tgz` This Multi-Domain Log Server is not connected to the Internet, run: `[Expert@MDLS:0]# ./migrate_server export -v R80.30 -skip_upgrade_tools_check [-l \| -x] /<`Full Path`>/<`Name of Exported File`>.tgz` Syntax options: `-v R80.30` - Specifies the version, to which you plan to upgrade. `-skip_upgrade_tools_check` - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools. `-l` - Exports the Check Point logs without log indexes in the `$FWDIR/log/` directory. Note - The command can export only closed logs (to which the information is not currently written). `-x` - Exports the Check Point logs with their log indexes in the `$FWDIR/log/` directory. Note - The command can export only closed logs (to which the information is not currently written).
8	Calculate the MD5 for the exported database files: `[Expert@MDLS:0]# md5sum /<`Full Path`>/<`Name of Database File`>.tgz`
9	Transfer the exported databases from the current Multi-Domain Log Server to an external storage: `/<`Full Path`>/<`Name of Database File`>.tgz` Note - Make sure to transfer the file in the binary mode.

Step 3 of 12: Perform clean install of the new R80.30 Multi-Domain Log Server

Perform the clean install in one of these ways (do not perform initial configuration in SmartConsole):

Install the R80.30 with the CPUSE - select the R80.30 package and perform Clean Install. See sk92449 for detailed steps.
Install the R80.30 Multi-Domain Log Server from scratch.

Important:

The IP addresses of the source and target R80.30 Multi-Domain Log Servers must be the same. If you need to have a different IP address on the R80.30 Multi-Domain Log Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. For applicable procedure, see sk74020.

Step 4 of 12: Get the required Upgrade Tools on the new R80.30 Multi-Domain Log Server

Step	Description
1	Download the required Upgrade Tools from sk135172. Note - This is a CPUSE Offline package.
2	Install the required Upgrade Tools with CPUSE. See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.
3	Make sure the package is installed. Run this command in the Expert mode: `[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1` The output must show the same build number you see in the name of the downloaded package. Example: Name of the downloaded package: `ngm_upgrade_wrapper_992000043_1.tgz` `[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1` `992000043` `[Expert@MDLS:0]#`

Step

Description

Download the required Upgrade Tools from sk135172.

Note - This is a CPUSE Offline package.

Install the required Upgrade Tools with CPUSE.

See Installing Software Packages on Gaia and follow the applicable action plan for the local offline installation.

Make sure the package is installed.

Run this command in the Expert mode:

[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1

The output must show the same build number you see in the name of the downloaded package.

Example:

Name of the downloaded package: ngm_upgrade_wrapper_992000043_1.tgz

[Expert@MDLS:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.30 BuildNumber 1
992000043
[Expert@MDLS:0]#

Step 5 of 12: On the new R80.30 Multi-Domain Log Server, import the entire management database

Step	Description
1	Connect to the command line on the R80.30 Multi-Domain Log Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Make sure a valid license is installed: `mdsenv` `cplic print` If it is not already installed, then install a valid license now.
5	Transfer the exported database from an external storage to the R80.30 Multi-Domain Log Server, to some directory. Note - Make sure to transfer the file in the binary mode.
6	Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Log Server: `[Expert@MDLS:0]# md5sum /<`Full Path`>/<`Name of Exported File`>.tgz`
7	Go to the `$MDS_FWDIR/scripts/` directory: `[Expert@MDLS:0]# cd $MDS_FWDIR/scripts/`
8	Import the management database: This Multi-Domain Log Server is connected to the Internet, run: `[Expert@MDLS:0]# ./migrate_server import -v R80.30 [-l \| -x] /<`Full Path`>/<`Name of Exported File`>.tgz` This Multi-Domain Log Server is not connected to the Internet, run: `[Expert@MDLS:0]# ./migrate_server import -v R80.30 -skip_upgrade_tools_check [-l \| -x] /<`Full Path`>/<`Name of Exported File`>.tgz` Syntax options: `-v R80.30` - Specifies the version, to which you plan to upgrade. `-skip_upgrade_tools_check` - Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools. `-l` - Imports the Check Point logs without log indexes in the `$FWDIR/log/` directory. `-x` - Imports the Check Point logs with their log indexes in the `$FWDIR/log/` directory.
9	Make sure that on all Domain Log Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "`down`" (the "`pnd`" state is acceptable): `[Expert@MDLS:0]# mdsstat` If some of the required daemons on a Domain Log Server are in the state "`down`", wait for 5-10 minutes, restart that Domain Log Server and check again. Run these three commands: `[Expert@MDLS:0]# mdsstop_customer <`IP Address or Name of Domain Log Server`>` `[Expert@MDLS:0]# mdsstart_customer <`IP Address or Name of Domain Log Server`>` `[Expert@MDLS:0]# mdsstat`

Step 6 of 12: Install the R80.30 SmartConsole

See Installing SmartConsole.

Step 7 of 12: Install the management database

Step	Description
1	Connect with SmartConsole to each R80.30 Domain Management Server that manages the Domain Log Server.
2	In the top left corner, click Menu > Install database.
3	Select all objects.
4	Click Install.
5	Click OK.

Step 8 of 12: Upgrade the attributes of all managed objects in all Domain Log Servers

Step	Description
1	Connect to the command line on the R80.30 Multi-Domain Log Server.
2	Log in with the superuser credentials.
3	Log in to the Expert mode.
4	Make sure that on all Domain Log Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "`down`" (the "`pnd`" state is acceptable): `[Expert@MDLS:0]# mdsstat` If some of the required daemons on a Domain Log Server are in the state "`down`", wait for 5-10 minutes, restart that Domain Log Server and check again. Run these three commands: `[Expert@MDLS:0]# mdsstop_customer <`IP Address or Name of Domain Log Server`>` `[Expert@MDLS:0]# mdsstart_customer <`IP Address or Name of Domain Log Server`>` `[Expert@MDLS:0]# mdsstat`
5	Go to the main MDS context: `[Expert@MDLS:0]# mdsenv`
6	Upgrade the attributes of all managed objects in all Domain Log Servers at once: `[Expert@MDLS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL` Notes: Because the command prompts you for a '`yes/no`' for each Domain and each object in the Domain, you can explicitly provide the '`yes`' answer to all questions with this command: `[Expert@MDLS:0]# yes \| $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL` You can perform this action on one Multi-Domain Log Server at a time with this command: `[Expert@MDLS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <`Name of Multi-Domain Log Server`>`
7	Make sure that on all Domain Log Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "`down`" (the "`pnd`" state is acceptable): `[Expert@MDLS:0]# mdsstat` If some of the required daemons on a Domain Log Server are in the state "`down`", wait for 5-10 minutes, restart that Domain Log Server and check again. Run these three commands: `[Expert@MDLS:0]# mdsstop_customer <`IP Address or Name of Domain Log Server`>` `[Expert@MDLS:0]# mdsstart_customer <`IP Address or Name of Domain Log Server`>` `[Expert@MDLS:0]# mdsstat`

Step 9 of 12: Test the functionality on R80.30 Multi-Domain Log Server

Step	Description
1	Connect with SmartConsole to the R80.30 Multi-Domain Log Server.
2	Make sure the configuration was upgraded correctly and it works as expected.

Step 10 of 12: Test the functionality on R80.30 Multi-Domain Server

Step	Description
1	Connect with SmartConsole to the R80.30 Multi-Domain Server.
2	Make sure the logging works as expected.

Step 11 of 12: Disconnect the old Multi-Domain Server from the network

Step 12 of 12: Connect the new Multi-Domain Server to the network