Migrating Global Policies from an R7x Multi-Domain Server

This procedure lets you export the Global Policies from an R7x Multi-Domain Server and import them to the R80.40 Multi-Domain Server.

Note - This procedure is not supported for exporting the Global Policies from an R8x Multi-Domain Server.

Important:

  • You must migrate the Global Policies before you migrate the databases from other Domains.

  • You can migrate the Global Policies only one time from the R7x Multi-Domain Server.

Procedure:

  1. Step

    Instructions

    1

    See the R80.40 Release Notes for requirements.

    2

    Perform the clean install in one of these ways:

    Important - Do not perform initial configuration in SmartConsole.

    Important - Do not create Domains.

  2. Step

    Instructions

    1

    Download the R80.40 Management Server Migration Tool from the R80.40 Home Page SK (see Management Server Migration Tool and Upgrade Tools).

    2

    Transfer the R80.40 Management Server Migration Tool package to the current server to some directory (for example, /var/log/path_to_migration_tool/).

    Note - Make sure to transfer the file in the binary mode.

  3. Step

    Instructions

    1

    Close all GUI clients (SmartConsole applications) connected to the R7x Multi-Domain Server.

    2

    Connect to the command line on the R7x Multi-Domain Server.

    3

    Log in with the superuser credentials.

    4

    Log in to the Expert mode.

    5

    Go to the directory, where you put the R80.40 Management Server Migration Tool package:

    cd /var/log/path_to_migration_tool/

    6

    Extract the R80.40 Management Server Migration Tool package:

    tar zxvf <Name of Management Server Migration Tool Package>.tgz

    7

    Go to the main MDS context:

    mdsenv

    8

    Export the entire management database:

    yes | nohup ./migrate export [-f] [-n] /<Full Path>/R7x_global_policies &

    Notes:

    • yes | nohup ... & are mandatory parts of the syntax.

    • R7x_global_policies is the name of the export file.

    • For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate.

    9

    Calculate the MD5 for the exported database file:

    md5sum /<Full Path>/R7x_global_policies.tgz

    10

    Transfer the exported database from the R7x Multi-Domain Server to an external storage:

    /<Full Path>/R7x_global_policies.tgz

    Note - Make sure to transfer the file in the binary mode.

  4. Note - In Management High Availability environment, make sure the Global Domain is in the Active state on the Primary Multi-Domain Server.

    Step

    Instructions

    1

    Connect with SmartConsole to the IP address of the Primary R80.40 Multi-Domain Server.

    Select the MDS context.

    2

    From the left navigation panel, click Multi-Domain > Domains.

    3

    If the Global Domain on the Primary Multi-Domain Server is in the Standby state, then proceed to the next Step 4 in this procedure.

    If the Global Domain on the Primary Multi-Domain Server is already in the Active state, then skip to the next Step 5 in the main procedure.

    4

    Right-click the cell of the Global Domain, and select Connect to Domain Server.

    5

    In the Domain SmartConsole instance, in the top left corner, click Menu > Management High Availability.

    6

    In the High Availability Status window, in the Connected To section, click Actions > Set Active.

    7

    Close the Domain SmartConsole instance.

  5. Important - This step applies only if you already configured global objects on the R80.40 Multi-Domain Server.

    Step

    Instructions

    1

    Connect with SmartConsole to the IP address of the Multi-Domain Server.

    Select the MDS context.

    Note - In Multi-Domain Server High Availability environment, connect to the Primary Multi-Domain Server.

    2

    From the left navigation panel, click Multi-Domain > Domains.

    3

    Right-click the cell of the Global Domain, and select Connect to Domain Server.

    4

    In the Domain SmartConsole instance, click Objects menu > Object Explorer.

    5

    Remove all the global objects.

    6

    Publish the SmartConsole session.

    7

    Close the Domain SmartConsole instance.

  6. Important - Before you import the management database, we strongly recommend to install the latest General Availability Take of the R80.40 Jumbo Hotfix Accumulator. This makes sure the R80.40 server has the latest improvements for reported import issues.

    Step

    Instructions

    1

    Connect to the command line on the R80.40 Multi-Domain Server.

    Note - In Multi-Domain Server High Availability environment, connect to the Primary Multi-Domain Server.

    2

    Log in with the superuser credentials.

    3

    Log in to the Expert mode.

    4

    Make sure a valid license is installed:

    mdsenv

    cplic print

    If it is not already installed, then install a valid license now.

    5

    Transfer the exported database from an external storage to the R80.40 Primary Multi-Domain Server, to some directory.

    Note - Make sure to transfer the file in the binary mode.

    6

    Make sure the transferred file is not corrupted.

    Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original R7x Multi-Domain Server:

    md5sum /<Full Path>/R7x_global_policies.tgz

    7

    Go to the main MDS context:

    mdsenv

    8

    Import the global management database:

    migrate_global_policies /<Full Path>/R7x_global_policies.tgz

    Note - This commands stops the Multi-Domain Server.

    9

    Restart the Check Point services:

    mdsstop

    mdsstart

    10

    Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):

    mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:

    mdsstop_customer <IP Address or Name of Domain Management Server>

    mdsstart_customer <IP Address or Name of Domain Management Server>

    mdsstat

  7. Step

    Instructions

    1

    Connect with SmartConsole to the IP address of the Primary R80.40 Multi-Domain Server.

    Select the MDS context.

    2

    From the left navigation panel, click Multi-Domain > Domains.

    3

    Right-click the cell of the Global Domain Server in the Active state, and select Connect to Domain Server.

    4

    In the Domain SmartConsole instance, in the top left corner, click Menu > Management High Availability.

    5

    In the High Availability Status window, in the Peers section, click Sync Peer.

    Note - The synchronization operation can take many minutes to complete.

    6

    Close the Domain SmartConsole instance.