Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration
In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain Servers and the different target Multi-Domain Servers.
Notes:
Important - Before you upgrade Multi-Domain Servers:
Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.
Procedure:
-
If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain Server to be the Primary
For instructions, see the R80.40 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.
-
Make sure the Global Domain is Active on the Primary Multi-Domain Server
Step
Instructions
1
Connect with SmartConsole to the Primary Multi-Domain Server.
2
From the left navigation panel, click Multi Domain > Domains.
The table shows Domains and Multi-Domain Servers:
-
Every column shows a Multi-Domain Server.
-
Active Domain Management Servers (for a Domain) are marked with a solid black "barrel" icon.
-
Standby Domain Management Servers (for a Domain) are marked with an empty "barrel" icon.
3
In the leftmost column Domains, examine the bottom row Global for the Primary Multi-Domain Server.
If the Global Domain is in the Standby state on the Primary Multi-Domain Server (marked with an empty "barrel" icon), then make it Active:
-
Right-click on the Primary Multi-Domain Server and click Connect to Domain Server.
The High Availability Status window opens.
-
In the section Connected To, click Actions > Set Active.
-
Click Yes to confirm.
-
Wait for the full synchronization to complete.
-
Close SmartConsole.
-
-
Get the required Upgrade Tools on the Primary and on the Secondary Multi-Domain Servers
Important - See Management Server Migration Tool and Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.
Step
Instructions
1
Download the R80.40 Upgrade Tools from sk135172.
(See Management Server Migration Tool and Upgrade Tools.)
Note - This is a CPUSE Offline package.
2
Install the R80.40 Upgrade Tools with CPUSE.
See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
3
Make sure the package is installed.
Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1
The output must show the same build number you see in the name of the downloaded TGZ package.
Example
Name of the downloaded package:
ngm_upgrade_wrapper_993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1
993000222
[Expert@HostName:0]#
Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.
-
On the Primary Multi-Domain Server, run the Pre-Upgrade Verifier
Step
Instructions
1
Connect to the command line on the current Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Run the Pre-Upgrade Verifier.
-
If this Multi-Domain Server is connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v R80.40
-
If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v R80.40 -skip_upgrade_tools_check
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
5
Read the Pre-Upgrade Verifier output.
If it is necessary to fix errors:
-
Follow the instructions in the report.
-
Run the Pre-Upgrade Verifier again.
-
-
On the Secondary Multi-Domain Server, run the Pre-Upgrade Verifier
Step
Instructions
1
Connect to the command line on the current Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Run the Pre-Upgrade Verifier.
-
If this Multi-Domain Server is connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v R80.40
-
If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v R80.40 -skip_upgrade_tools_check
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
5
Read the Pre-Upgrade Verifier output.
If it is necessary to fix errors:
-
Follow the instructions in the report.
-
Run the Pre-Upgrade Verifier again.
-
-
On the Primary Multi-Domain Server, export the entire management database
Step
Instructions
1
Go to the $MDS_FWDIR/scripts/ directory:
cd $MDS_FWDIR/scripts
2
Export the management database:
-
If this Multi-Domain Server is connected to the Internet, run:
./migrate_server export -v R80.40 [-l | -x] /<Full Path>/Primary_<Name of Exported File>
-
If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R80.40 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Primary_<Name of Exported File>
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
3
Calculate the MD5 for the exported database files:
md5sum /<Full Path>/Primary_<Name of Database File>.tgz
4
Transfer the exported databases from the source Multi-Domain Server to an external storage:
/<Full Path>/Primary_<Name of Database File>.tgz
Note - Make sure to transfer the file in the binary mode.
-
-
On the Secondary Multi-Domain Server, export the entire management database
Step
Instructions
1
Go to the $MDS_FWDIR/scripts/ directory:
cd $MDS_FWDIR/scripts
2
Export the management database:
-
If this Multi-Domain Server is connected to the Internet, run:
./migrate_server export -v R80.40 [-l | -x] /<Full Path>/Secondary_<Name of Exported File>
-
If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R80.40 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Secondary_<Name of Exported File>
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
3
Calculate the MD5 for the exported database files:
md5sum /<Full Path>/Secondary_<Name of Database File>.tgz
4
Transfer the exported databases from the source Multi-Domain Server to an external storage:
/<Full Path>/Secondary_<Name of Database File>.tgz
Note - Make sure to transfer the file in the binary mode.
-
-
Install another Primary R80.40 Multi-Domain Server
Step
Instructions
1
See the R80.40 Release Notes for requirements.
2
Perform the clean install on another server in one of these ways:
Important - Do not perform initial configuration in SmartConsole.
-
Follow Installing Software Packages on Gaia.
Select the R80.40 package and perform Clean Install. See sk92449 for detailed steps.
Important - The IP addresses of the source and target server can be different. If it is necessary to have a different IP address on the target R80.40 server, you must create a special JSON configuration file before you import the management database from the source server.
Note that you have to issue licenses for the new IP address.
You must use the same JSON configuration file on all servers (including Log Servers and SmartEvent Servers) in the same Multi-Domain Security Management environment.
-
-
Get the required Upgrade Tools on the Primary server
Important - See Management Server Migration Tool and Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.
Step
Instructions
1
Download the R80.40 Upgrade Tools from sk135172.
(See Management Server Migration Tool and Upgrade Tools.)
Note - This is a CPUSE Offline package.
2
Install the R80.40 Upgrade Tools with CPUSE.
See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
3
Make sure the package is installed.
Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1
The output must show the same build number you see in the name of the downloaded TGZ package.
Example
Name of the downloaded package:
ngm_upgrade_wrapper_993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1
993000222
[Expert@HostName:0]#
Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.
-
On the Primary R80.40 Multi-Domain Server, import the databases
Required JSON configuration file
If you installed the target R80.40 Multi-Domain Server with a different IP address than the source Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source Multi-Domain Server. Note that you have to issue licenses for the new IP address.
Important:
-
If none of the servers in the same Multi-Domain Security Management environment changed their original IP addresses, then you do not need to create the special JSON configuration file.
-
Even if only one of the servers migrates to a new IP address, all the other servers (including all Log Servers and SmartEvent Servers) must get this configuration file for the import process.
You must use the same JSON configuration file on all servers (including Log Servers and SmartEvent Servers) in the same Multi-Domain Security Management environment.
To create the required JSON configuration file:
Step
Instructions
1
Connect to the command line on the target R80.40 Multi-Domain Server.
2
Log in to the Expert mode.
3
Create the /var/log/mdss.json file that contains each server that migrates to a new IP address.
Format for migrating only the Primary Multi-Domain Server to a new IP address
[{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.40 Multi-Domain Server>"}]
Format for migrating both the Primary and the Secondary Multi-Domain Servers to new IP addresses
[{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.40 Multi-Domain Server>"},{"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.40 Multi-Domain Server>"}]
Format for migrating both the Primary and the Secondary Multi-Domain Servers, and the Multi-Domain Log Server to new IP addresses
[{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.40 Multi-Domain Server>"},{"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.40 Multi-Domain Server>"},{"name":"<Name of Multi-Domain Log Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R80.40 Multi-Domain Log Server>"}]
Example
There are 3 servers in the R80.30 Multi-Domain Security Management environment - the Primary Multi-Domain Server, the Secondary Multi-Domain Server, and the Multi-Domain Log Server. Both the Primary and the Secondary Multi-Domain Servers migrate to new IP addresses. The Multi-Domain Log Server remains with the original IP address.
-
The current IPv4 address of the source Primary R80.30 Multi-Domain Server is:
192.168.10.21
-
The current IPv4 address of the source Secondary R80.30 Multi-Domain Server is:
192.168.10.22
-
The name of the source Primary R80.30 Multi-Domain Server object in SmartConsole is:
MyPrimaryMDS
-
The name of the source Secondary R80.30 Multi-Domain Server object in SmartConsole is:
MySecondaryMDS
-
The new IPv4 address of the target Primary R80.40 Multi-Domain Server is:
172.30.40.51
-
The new IPv4 address of the target Secondary R80.40 Multi-Domain Server is:
172.30.40.52
-
The required syntax for the JSON configuration file you must use on both the Primary and the Secondary Multi-Domain Servers, and on the Multi-Domain Log Server:
[{"name":"MyPrimaryMDS","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMDS","newIpAddress4":"172.30.40.52"}]
Important - All servers in this environment must get the same configuration file.
Importing the databases
Important:
-
Make sure you followed the instructions in the above section "Required JSON configuration file".
-
Before you import the management database, we strongly recommend that you install the latest General Availability Take of the R80.40 Jumbo Hotfix Accumulator. This makes sure the R80.40 server has the latest improvements for reported import issues.
Step
Instructions
1
Connect to the command line on the Primary R80.40 Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Make sure a valid license is installed:
cplic print
If it is not already installed, then install a valid license now.
5
Transfer the exported database from an external storage to the R80.40 Multi-Domain Server, to some directory.
Note - Make sure to transfer the file in the binary mode.
6
Make sure the transferred file is not corrupted.
Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/Primary_<Name of Exported File>.tgz
7
Go to the $MDS_FWDIR/scripts/ directory:
cd $MDS_FWDIR/scripts/
8
Import the management database:
-
If this Multi-Domain Server is connected to the Internet:
-
And none of the servers changed their IP addresses, run:
./migrate_server import -v R80.40 [-l | -x] /<Full Path>/Primary_<Name of Exported File>.tgz
-
And at least one of the servers changed its IP address, run:
./migrate_server import -v R80.40 [-l | -x] /var/log/mdss.json /<Full Path>/Primary_<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July 2021, the syntax was "-change_ips_file /var/log/mdss.json".
-
-
If this Multi-Domain Server is not connected to the Internet:
-
And none of the servers changed their IP addresses, run:
./migrate_server import -v R80.40 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Primary_<Name of Exported File>.tgz
-
And at least one of the servers changed its IP address, run:
./migrate_server import -v R80.40 [-l | -x] -skip_upgrade_tools_check /var/log/mdss.json /<Full Path>/Primary_<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July 2021, the syntax was "-change_ips_file /var/log/mdss.json".
-
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
9
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
-
-
Install another Secondary R80.40 Multi-Domain Server
Step
Instructions
1
See the R80.40 Release Notes for requirements.
2
Perform the clean install on another server in one of these ways:
Important - Do not perform initial configuration in SmartConsole.
-
Follow Installing Software Packages on Gaia.
Select the R80.40 package and perform Clean Install. See sk92449 for detailed steps.
-
Follow Installing a Secondary Multi-Domain Server in Management High Availability.
Important - The IP addresses of the source and target server can be different. If it is necessary to have a different IP address on the target R80.40 server, you must create a special JSON configuration file before you import the management database from the source server.
Note that you have to issue licenses for the new IP address.
You must use the same JSON configuration file on all servers in the same Multi-Domain Security Management environment.
-
-
Get the required Upgrade Tools on the Secondary R80.40 Multi-Domain Server
Note - This step is needed only to be able to export the entire management database (for backup purposes) with the latest Upgrade Tools.
Important - See Management Server Migration Tool and Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.
Step
Instructions
1
Download the R80.40 Upgrade Tools from sk135172.
(See Management Server Migration Tool and Upgrade Tools.)
Note - This is a CPUSE Offline package.
2
Install the R80.40 Upgrade Tools with CPUSE.
See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
3
Make sure the package is installed.
Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1
The output must show the same build number you see in the name of the downloaded TGZ package.
Example
Name of the downloaded package:
ngm_upgrade_wrapper_993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1
993000222
[Expert@HostName:0]#
Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.
-
On the Secondary R80.40 Multi-Domain Server, import the databases
Required JSON configuration file
If you installed the target R80.40 Multi-Domain Server with a different IP address than the source Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source Multi-Domain Server. Note that you have to issue licenses for the new IP address.
Important:
-
If none of the servers in the same Multi-Domain Security Management environment changed their original IP addresses, then you do not need to create the special JSON configuration file.
-
Even if only one of the servers migrates to a new IP address, all the other servers (including all Log Servers and SmartEvent Servers) must get this configuration file for the import process.
You must use the same JSON configuration file on all servers (including Log Servers and SmartEvent Servers) in the same Multi-Domain Security Management environment.
To create the required JSON configuration file:
Step
Instructions
1
Connect to the command line on the target R80.40 Multi-Domain Server.
2
Log in to the Expert mode.
3
Create the /var/log/mdss.json file that contains each server that migrates to a new IP address.
Format for migrating only the Primary Multi-Domain Server to a new IP address
[{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.40 Multi-Domain Server>"}]
Format for migrating both the Primary and the Secondary Multi-Domain Servers to new IP addresses
[{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.40 Multi-Domain Server>"},{"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.40 Multi-Domain Server>"}]
Format for migrating both the Primary and the Secondary Multi-Domain Servers, and the Multi-Domain Log Server to new IP addresses
[{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R80.40 Multi-Domain Server>"},{"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R80.40 Multi-Domain Server>"},{"name":"<Name of Multi-Domain Log Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R80.40 Multi-Domain Log Server>"}]
Example
There are 3 servers in the R80.30 Multi-Domain Security Management environment - the Primary Multi-Domain Server, the Secondary Multi-Domain Server, and the Multi-Domain Log Server. Both the Primary and the Secondary Multi-Domain Servers migrate to new IP addresses. The Multi-Domain Log Server remains with the original IP address.
-
The current IPv4 address of the source Primary R80.30 Multi-Domain Server is:
192.168.10.21
-
The current IPv4 address of the source Secondary R80.30 Multi-Domain Server is:
192.168.10.22
-
The name of the source Primary R80.30 Multi-Domain Server object in SmartConsole is:
MyPrimaryMDS
-
The name of the source Secondary R80.30 Multi-Domain Server object in SmartConsole is:
MySecondaryMDS
-
The new IPv4 address of the target Primary R80.40 Multi-Domain Server is:
172.30.40.51
-
The new IPv4 address of the target Secondary R80.40 Multi-Domain Server is:
172.30.40.52
-
The required syntax for the JSON configuration file you must use on both the Primary and the Secondary Multi-Domain Servers, and on the Multi-Domain Log Server:
[{"name":"MyPrimaryMDS","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMDS","newIpAddress4":"172.30.40.52"}]
Important - All servers in this environment must get the same configuration file.
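A pre-import check for the /var/log/mdss.json file described in the "Required JSON configuration file" steps for both the Primary and the Secondary server, as an added example that is not Check Point code. It checks only the two keys shown in the formats above and produces a digest for confirming that every server received the same content; the function names, the constructed bad sample, and the rule that angle brackets mean an unfilled placeholder are assumptions of this example.

```python
import hashlib
import ipaddress
import json

# The example file content given on this page.
PAGE_EXAMPLE = ('[{"name":"MyPrimaryMDS","newIpAddress4":"172.30.40.51"},'
                '{"name":"MySecondaryMDS","newIpAddress4":"172.30.40.52"}]')

# Constructed bad input: unfilled placeholder, misspelled key, reused address.
BAD_EXAMPLE = ('[{"name":"<Name of Primary Multi-Domain Server Object>",'
               '"newIpAddress4":"172.30.40.51"},'
               '{"name":"MySecondaryMDS","newIPAddress4":"172.30.40.52"},'
               '{"name":"MyMDLS","newIpAddress4":"172.30.40.51"}]')


def validate_mdss(text):
    """Check mdss.json content against the format shown on this page.

    Returns (entries, errors). Only "name" and "newIpAddress4" are checked;
    other keys are ignored because the page does not describe them.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [], [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(data, list) or not data:
        return [], ["top level must be a non-empty array of server entries"]

    entries, errors = [], []
    seen_names, seen_ips = set(), set()
    for index, item in enumerate(data):
        where = f"entry {index}"
        if not isinstance(item, dict):
            errors.append(f"{where}: must be a JSON object")
            continue
        problems = []

        name = item.get("name")
        if not isinstance(name, str) or not name.strip():
            problems.append('"name" is missing or empty')
        elif "<" in name or ">" in name:
            # Assumption of this example: angle brackets mean a template
            # placeholder was never filled in.
            problems.append(f"placeholder text left in name {name!r}")
        elif name in seen_names:
            problems.append(f"server {name!r} is listed more than once")
        else:
            seen_names.add(name)

        addr = item.get("newIpAddress4")
        try:
            # Only strings are accepted, so a bare integer is not read as an address.
            ip = ipaddress.IPv4Address(addr) if isinstance(addr, str) else None
        except ValueError:
            ip = None
        if ip is None:
            problems.append(f'"newIpAddress4" is missing or not IPv4: {addr!r}')
        elif ip in seen_ips:
            problems.append(f"address {ip} is given to more than one server")
        else:
            seen_ips.add(ip)

        if problems:
            errors.extend(f"{where}: {p}" for p in problems)
        else:
            entries.append({"name": name, "newIpAddress4": str(ip)})
    return entries, errors


def config_digest(entries):
    """SHA-256 over a whitespace-normalised form, for comparing servers."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        entries, errors = validate_mdss(text)
        if errors:
            print(f"{label}: REJECTED")
            for message in errors:
                print(f"  {message}")
        else:
            print(f"{label}: OK, digest {config_digest(entries)}")
```

To check a real file, pass its contents to validate_mdss() and compare the config_digest() value across all servers that receive the file.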
Importing the databases
Important:
-
Make sure you followed the instructions in the above section "Required JSON configuration file".
- Before you import the management database, we strongly recommend that you install the latest General Availability Take of the R80.40 Jumbo Hotfix Accumulator. This makes sure the R80.40 server has the latest improvements for reported import issues.
Step
Instructions
1
Connect to the command line on the Secondary R80.40 Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Make sure a valid license is installed:
cplic print
If it is not already installed, then install a valid license now.
5
Transfer the exported database from an external storage to the R80.40 Multi-Domain Server, to some directory.
Note - Make sure to transfer the file in the binary mode.
6
Make sure the transferred file is not corrupted.
Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/Secondary_<Name of Exported File>.tgz
7
Go to the $MDS_FWDIR/scripts/ directory:
cd $MDS_FWDIR/scripts/
8
Import the management database:
-
If this Multi-Domain Server is connected to the Internet:
-
And none of the servers changed their IP addresses, run:
./migrate_server import -v R80.40 [-l | -x] /<Full Path>/Secondary_<Name of Exported File>.tgz
-
And at least one of the servers changed its IP address, run:
./migrate_server import -v R80.40 [-l | -x] /var/log/mdss.json /<Full Path>/Secondary_<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July 2021 (build 994000406 and lower), the syntax was "-change_ips_file /var/log/mdss.json".
-
-
If this Multi-Domain Server is not connected to the Internet:
-
And none of the servers changed their IP addresses, run:
./migrate_server import -v R80.40 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Secondary_<Name of Exported File>.tgz
-
And at least one of the servers changed its IP address, run:
./migrate_server import -v R80.40 [-l | -x] -skip_upgrade_tools_check /var/log/mdss.json /<Full Path>/Secondary_<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July 2021 (build 994000406 and lower), the syntax was "-change_ips_file /var/log/mdss.json".
-
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
9
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
-
-
Update the object version of the Secondary Multi-Domain Server
Step
Instructions
1
Connect with SmartConsole to the R80.40 Primary Multi-Domain Server.
2
From the left navigation panel, click Multi-Domain > Domains.
3
From the top toolbar, open the Secondary Multi-Domain Server object.
4
From the left tree, click General.
5
In the Platform section > in the Version field, select R80.40.
6
Click OK.
-
Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated SmartEvent Servers
Important - If your Multi-Domain Server manages Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server.
Select the applicable upgrade option:
-
For servers R80.20 and higher:
-
For servers R80.10 and lower:
-
-
Install the management database on each Domain Management Server
Step
Instructions
1
Connect with SmartConsole to each Domain Management Server.
2
In the top left corner, click . > Install database
3
Select all objects.
4
Click Install.
5
Click OK.
-
Upgrade the attributes of all managed objects in all Domain Management Servers
Important - Perform these steps on every Multi-Domain Server with Active Domain Management Servers.
To determine which Multi-Domain Servers run Active Domain Management Servers:
-
Connect with SmartConsole to a Multi-Domain Server and select the MDS context.
-
From the left navigation panel, click Multi Domain > Domains.
The table shows Domains and Multi-Domain Servers:
-
Every column shows a Multi-Domain Server.
-
Active Domain Management Servers (for a Domain) are marked with a solid black "barrel" icon.
-
Standby Domain Management Servers (for a Domain) are marked with an empty "barrel" icon.
Step
Instructions
1
Connect to the command line on the R80.40 Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
5
Go to the main MDS context:
mdsenv
6
Upgrade the attributes of all managed objects in all Domain Management Servers at once:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
Notes:
-
Because the command prompts you for a 'yes/no' for each Domain and each object in the Domain, you can explicitly provide the 'yes' answer to all questions with this command:
yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
-
You can perform this action on one Multi-Domain Server at a time with this command:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Multi-Domain Server>
7
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
-
-
Reconfigure the Log Exporter
Step
Instructions
1
Connect to the command line on the server.
2
Log in to the Expert mode.
3
Restore the Log Exporter configuration as described in sk127653.
4
Reconfigure the Log Exporter:
cp_log_export reconf
5
Restart the Log Exporter:
cp_log_export restart
For more information, see the R80.40 Logging and Monitoring Administration Guide > Chapter Log Exporter.
-
In SmartConsole of each applicable Domain Management Server, install policy on all SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that manages SmartLSM Security Profiles.
Step
Instructions
1
Install the Access Control Policy:
-
Click Install Policy.
-
In the Policy field, select the applicable Access Control Policy.
-
Select the applicable SmartLSM Security Profile objects.
-
Click Install.
-
The Access Control Policy must install successfully.
2
Install the Threat Prevention Policy:
-
Click Install Policy.
-
In the Policy field, select the applicable Threat Prevention Policy.
-
Select the applicable SmartLSM Security Profile objects.
-
Click Install.
-
The Threat Prevention Policy must install successfully.
For more information, see the R80.40 SmartProvisioning Administration Guide.
-
-
Test the functionality on the Primary R80.40 Multi-Domain Server
Step
Instructions
1
Connect with SmartConsole to the Primary R80.40 Multi-Domain Server.
2
Make sure the management database and configuration were upgraded correctly.
3
Test the Management High Availability functionality.