Advanced Upgrade with Database Migration

In This Section:

Preparing to Migrate the Database

Database Migration lets you move the database from an earlier Security Management Server or Multi-Domain Server, to an R80 server.

Important Notes:

R80 is a management-only release and does not support migration from a Standalone deployment (server and gateway on the same machine). Standalone to Standalone migration will be supported in R80.10.

Upgrade from IPSO is not supported.

This procedure has steps to close GUI clients (SmartConsole applications) and to stop Check Point services (cpstop). If you do not do one of these before you upgrade, the exported management database can be corrupted.

Before you begin:

Make sure the environment meets the requirements
Make sure that you have SmartConsole and SmartConsole for the correct source and target versions to connect to the management server.
Save a backup from the Gaia WebUI.
Gaia operating system settings are not backed up. If you restore the database later, you must configure these settings manually. Before you upgrade, open the Gaia WebUI and take note of these settings: interfaces, servers (such as DHCP, DNS, and proxy), routes, NetFlow, system settings (such as time and date, SNMP, jobs), advanced routing protocols and functionality, user management, and High Availability.

Overview of Database Migration to R80

This procedure is an overview that explains how to migrate the database to a R80 Security Management Server with a new IP address.

Get the R80 migration tools package.
It is important that you use the correct migration tools package. Download the latest version of the migration tools from the Support Center.
1. Extract the downloaded package, to the source and the target servers.
  Important - Extract all the files to the same directory and run the tools from that directory.
2. Make sure the files have executable permissions: chmod 777 *
Create a new temporary host object in SmartConsole or SmartDashboard with the IP address of the target.
Define a Firewall rule that lets the new R80 server connect to Security Gateways:
Source: new server

Destination: target Security Gateways

Service:

FW1 (TCP 256)

CPD (TCP 18191)

FW1_CPRID (TCP 18208)

CPM (TCP 19009)
Install the new security policy on all gateways.
If the source has IPv6 addresses, on the source operating system, disable IPv6.
In SmartConsole or SmartDashboard, delete the temporary host objects from the primary Security Management Server.
Close all Check Point GUI clients that are connected to the Security Management Server.
If this server is not in production, run: cpstop
Export the database with the R80 export tools.
- Security Management Server
- Multi-Domain Server
Clean install the new R80 Security Management Server or Multi-Domain Server.
- Install on an appliance.
- Install on a Gaia open server.
Configure Gaia OS settings in the Gaia WebUI or CLI.
Import the database.
- Security Management Server
- Multi-Domain Server

Requirements for Database Migration

Required Disk Space:

The hard disk on the target machine must be at least 5 times the size of the exported database.
The size of the /var/log folder on the target must be at least 25% of the size of the /var/ log directory on the source machine.

Required Network Access:

The source and target servers must be connected to a network.
The connected network interface must have an IP address.

IPv4:

The target must use the same IP address configuration as the source. If the source uses IPv6, you must change it to IPv4 before you can migrate.

Target Version and Products:

You can only upgrade or migrate the version of the server or set of products. The target must have the same or higher version and the same set of installed products.

Upgrade Tools

Before you upgrade appliances or servers, get the upgrade tools. There is a different package of tools for each source platform.

Important! To make sure you have the latest version of the upgrade tools, download the appropriate package from the Tools section in the Check Point R80 Support site.

When you open the upgrade_tools package, you see these files:

Package	Description
migrate.conf	Holds configuration settings for Advanced Upgrade / Database Migration.
migrate	Runs Advanced Upgrade or migration. On Windows, this is migrate.exe.
pre_upgrade_verifier	Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade. On Windows this is pre_upgrade_verifier.exe `pre_upgrade_verifier -p $FWDIR -c` <Current Version> `-t` <Target Version>
migrate export	Backs up all Check Point configurations, without operating system information. On Windows, this is migrate.exe export
migrate import	Restores backed up configuration.

Migrate Command Reference

The migrate command exports a source Security Management Server database to a file, or imports the database file to a target Security Management Server. Use absolute paths in the command, or relative paths from the current directory.

Before you run this command for export, close all SmartConsole clients or run cpstop on the Security Management Server.

Before you run this command for import, run cpstop on the Security Management Server.

Syntax:

migrate {export | import} [-l] [-n] <filename> [--exclude-uepm-postgres-db] [--include-uepm-msi-files]

Parameters	Description
`export` `import`	One of these actions must be used. Make sure services are stopped.
`-l`	Optional. Export or import SmartView Tracker logs and SmartLog data. Only closed logs are exported. Use the `fw logswitch` command to close the logs before you do the export.
`-n`	Optional. Run silently (non-interactive) using the default options for each setting. Important: If you export a management database in this mode, to a directory with a file with the same name, it is overwritten without prompting. If you import using this option, the command runs `cpstop` automatically.
`--exclude-uepm-postgres-db`	Skip over backup/restore of PostgreSQL database of the Endpoint product.
`--include-uepm-msi-files`	Export/import the uepm msi files.
`filename`	Required. Enter the name of the archive file with the server database. The path to the archive must exist.

Upgrading Security Management Server with Migration

Note - Before you upgrade the Security Management Server, make sure that the correct ports are open for SmartConsole to communicate with the Security Management Server.

Exporting the Current Security Management Server Database

To create a management database export file on the source server:

Log in to expert mode.
Run the Pre-Upgrade Verifier tool: pre_upgrade_verifier
If there are errors, correct them before you continue.
Run: <upgrade_tools_path>/migrate export <filename>.tgz
The migrate export command exports the content of one Security Management Server database to a TGZ file.
Follow the instructions.
The management database is exported to the file that you named in the command. Make sure you define it as a TGZ.
If SmartEvent is installed on the source server, export the Events database.

Importing the Security Management Server Database

Import the Security Management Server configuration that you exported. Make sure that you use the migration tools for the target version.

Before you begin: Install the R80 Security Management Server.

Important: When you transfer the exported database from the source to the target, use binary mode during the transfer.

To import the management server configuration:

Log in to Expert mode.
Transfer (with FTP, SCP, or similar) the exported configuration file collected from the source () to the new server.
Calculate the MD5 for the transferred file and compare to the MD5 that was calculated on original server:
# md5sum /<directory>/<name>.DDMMYYY-HHMMSS.tgz
Import the configuration: <migration_tools_path>/migrate import <path_exported_database>/<filename>.tgz
Test the target installation.
Disconnect the source server from the network.
Connect the target server to the network.

Migrating the Database of a Secondary Security Management Server

Export the database file from the primary Security Management Server.
If the primary Security Management Server is not available, convert the secondary Security Management Server to a primary Security Management Server. To get assistance with this step, contact Check Point Technical Support or your vendor.
Install a new primary Security Management Server.
Import the management database file to the new primary Security Management Server.
Install new secondary R80 Security Management Server.
Establish SIC with the secondary Security Management Server.
Synchronize the new secondary Security Management Server with the new primary Security Management Server.

Migrating Log and Event Databases

When you migrate the Security Management Server to R80, the SmartEvent databases are not included.

For more about how to migrate the events database to R80, see sk110173.

Upgrading Multi-Domain Security Management with Migration

We recommend that you use database export/import to upgrade. This procedure migrates all system databases, Domain Servers, Rule Bases, logs and Global Domains to a target Multi-Domain Server.

Important - Unlike in previous versions, in R80, the order that you import servers is very important. First you must import the Primary Multi-Domain Server, then Secondary Multi-Domain Servers and Multi-Domain Log Servers. If there is no Primary Multi-Domain Server, you must first promote a secondary Multi-Domain Server to be the primary.

Exporting the Multi-Domain Server Databases

Before you begin:

Export one database at a time. Start with the Primary Multi-Domain Server.
Make sure the Global Domain Server is active on the Primary Multi-Domain Server.

To create the export file on a source Multi-Domain Server:

Stop all Check Point services: # mdsstop
Switch to the Multi-Domain Server context:
# mdsenv

# mcd
Mount the ISO file:
# mount -o loop /path_to/Check_Point_R80_Gaia.iso /mnt/cdrom
Go to the installation folder:
# cd /mnt/cdrom/linux/p1_install
Run the installation script:
# ./mds_setup
Run the Pre-Upgrade Verifier: enter 1 when this menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]

(2) Upgrade to R80

(3) Backup current Multi-Domain Server

(4) Export current Multi-Domain Server

Or 'Q' to quit.

The pre-upgrade verifier analyzes compatibility of the management database and its current configuration. A detailed report shows the steps to do before and after the upgrade.

Note: The pre-upgrade verifier can only verify a database that is intended for import into a different major version (for example, R77.xx to R80). It cannot be used on a database that is intended for import to the same major version.
Read the Pre-Upgrade Verifier output and fix all errors according to the instructions.
After fixing errors, open the SmartConsole and reassign the Global Policy on all Domains.
Stop the services again: # mdsstop
Run the installation script # ./mds_setup
Export the current Multi-Domain Server configuration: enter 4 when this menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]

(2) Upgrade to R80

(3) Backup current Multi-Domain Server

(4) Export current Multi-Domain Server

Or 'Q' to quit.
Answer the interactive questions:
Would you like to proceed with the export now [yes/no] ? yes
Please enter target directory for your Multi-Domain Server export (or 'Q' to quit): /var/log
Do you plan to import to a version newer than R80 [yes/no] ? no
Using migrate_tools from disk.
Do you wish to export the log database [yes/no] ? yes or no

If you enter no to export the logs, the configuration is still exported.
Make sure this export file is created:
# ls -l /var/log/exported_mds.DDMMYYY-HHMMSS.tgz
Calculate the MD5 for this file:
# md5sum /var/log/exported_mds.DDMMYYY-HHMMSS.tgz

Importing the Database to the Primary Multi-Domain Server

Import the Multi-Domain Server configuration that you exported.

Important - When you transfer the exported database from the source to the target, use binary mode during the transfer.

Before you begin, install R80 Multi-Domain Security Management on the target Multi-Domain Server.

Note - When you complete the upgrade process for the Primary Multi-Domain Server, the Multi-Site upgrade is not finished. You can only access objects that are stored on other Multi-Domain Security Management servers when the upgrade process for the other Multi-Domain Servers is complete.

To import the Multi-Domain Server configuration:

Log in to expert mode.
Transfer (with FTP, SCP, or similar) the exported configuration file collected from the source to the new server: exported_mds.DDMMYYY-HHMMSS.tgz
Calculate the MD5 for the transferred file and compare to the MD5 that was calculated on original server:
# md5sum /<directory>/exported_mds.DDMMYYY-HHMMSS.tgz
Import the configuration: $MDSDIR/scripts/mds_import.sh <path_exported_database>/exported_mds.DDMMYYY-HHMMSS.tgz
Test the target installation.
Disconnect the source server from the network.
Connect the target server to the network and run mdsstart

To update the version of the Domain Server and Domain Log Server objects on this Multi-Domain Server:

On each Domain Server and Domain Log Server that you import, run:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Multi-Domain Server name>

Importing the Database to Secondary Multi-Domain Servers

Import the Multi-Domain Server configuration that you exported to a Secondary Multi-Domain Server or Multi-Domain Log Server. If you have multiple servers, import the database to one server at a time.

Important: When you transfer the exported database from the source to the target, use binary mode during the transfer.

Before you begin:

Install R80 Multi-Domain Security Management on the target Multi-Domain Server.
Make sure the Primary Multi-Domain Server is running.
Make sure that the Primary Multi-Domain Server has the correct license to work in Multi-Site environment.
Make sure that there is good connectivity between all the servers. System databases, logs, and Global domains are upgraded only on the Primary Multi-Domain Server. The connection is necessary to synchronize the other Multi-Domain Servers and Multi-Domain Log Servers.
The IP address of the source and target Secondary Multi-Domain Servers and Multi-Domain Log Servers must be the same.

To import the Multi-Domain Server configuration:

Log in to expert mode.
Transfer (with FTP, SCP, or similar) the exported configuration file collected from the source to the new server: exported_mds.DDMMYYY-HHMMSS.tgz
Calculate the MD5 for the transferred file and compare to the MD5 that was calculated on source Multi-Domain Server:
# md5sum /<directory>/exported_mds.DDMMYYY-HHMMSS.tgz
Make sure that there is connectivity to the newly upgraded primary Multi-Domain Server.
Import the configuration: $MDSDIR/scripts/mds_import.sh -secondary -primaryip <IP_primary_server> <path_exported_database>/exported_mds.DDMMYYYY-HHMMSS.tgz
On the Primary Multi-Domain Server, make sure that the Full Sync task completes successfully.
Test the target installation.
Disconnect the source server from the network.
Connect the target server to the network and run mdsstart.

To update the version of the Domain Server and Domain Log Server objects on this Multi-Domain Server:

On each Domain Server and Domain Log Server that you import, run:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Multi-Domain Server name>
Open SmartConsole and make sure that the version for each of the upgraded objects is R80.

Migrating Global Policies

The migrate_global_policies command upgrades a Global Policy database from a Multi-Domain Server and imports it to a R80 Multi-Domain Server.

Note - When executing the migrate_global_policies utility, the Multi-Domain Server and the Domain Servers are stopped.

Before you run the migrate_global_policies utility, make sure that you remove all the data from the Global database of the R80 Multi-Domain Server.

To upgrade Global Policies from R77.xx to R80:

On the R77.xx Multi-Domain Server, extract the Upgrade Tools from the R80 CD or ISO, if you did not do this already.
Run: # mdsenv
Run: # <full path to migrate command> migrate export <output file>
Copy the TGZ file from the R77.xx server to the R80 Multi-Domain Server.
Run: # migrate_global_policies <full_path_exported_tgz>
Run: # mdsstart

Migrating Domain Server Database

This procedure exports, updates, and imports the database of an R77.xx Domain Server to an R80 Domain Server.

Before you begin:

Make sure that there is one Active Domain Server in each Domain to be migrated.
If you want to import logs with the database, run a log switch before you export.
Make sure that you are migrating the database only on one Domain Server. If you migrate a database to more than one Domain Server, the import fails and shows an error message.

To import from R77.xx Domain Server to R80:

On the R77.xx Domain Server, get the Upgrade Tools from the R80 CD or ISO.
Extract the tools.
Extraction makes the upgrade_tools subdirectory. In this path, extract the Multi-Domain Security Management tools: p1_upgrade_tools.tgz

For example:

Install from CD:
# gtar xvfz /mnt/cdrom/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C /var/opt/export_tools

Install from DVD:
# gtar xvfz /mnt/cdrom/Linux/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C /var/opt/export_tools
Run: # mdsenv <domainServer_name>
Before you export the database, make sure that you remove the Global Policy from the source Domain Server.
Run: # <full path to migrate command> migrate export [-l] <output file>
- The migrate export command exports one Domain Server database to a TGZ file.
- The output file must be specified with the fully qualified path. Make sure there is sufficient disk space for the output file.
- The optional –l flag includes closed log files and SmartLog data from the source Domain Server in the output archive.
On the R80 Multi-Domain Server, run these API commands to create a new Domain and a new Domain Server (without starting it):
# mgmt_cli login <user_name> <password>

# mgmt_cli add domain name <my_domain_name> servers.ip-address <my_IP_address> servers.name <my_domain_server_name> servers.multi-domain-server <R80_multi-domain-server_Name> servers.skip-start-domain-server true
Copy the TGZ file from the R77.xx Domain Server to the R80 Multi-Domain Server.
When the new Domain is ready, import the exported database:
# cma_migrate <source_server> <new_server>/<FWDIR_path>

For example: # cma_migrate /tmp/myR77-30.tgz /opt/CPmds-r80/domains/my_dms/CPsuite-R80/fw1

You must run cma_migrate to import the database. This command updates the database schema before it imports.

First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must change the source Domain Server according to instructions in the error messages. Then do this procedure again.
If the R80 server has a different IP address than the R77.xx server, establish trust with the Security Gateways.
If the R77.xx server had VPN gateways, configure the keys.
Restart the R80 Domain Server: # mdsstop and then mdsstart

Certificate Authority Data

The cma_migrate process does not change the Certificate Authority or key data. The R80 Domain Server has SIC with Security Gateways. If the IP address of the R80 server is not the same as the IP address of the R77.xx server, you must establish trust between the new server and the gateways.

Before you begin, see sk17197 to make sure the environment is prepared.

To initialize a Domain Server Internal Certificate Authority:

Remove the current Internal Certificate Authority for the specified environment, run:
# mdsstop_customer <DomainServer NAME>
# mdsenv <DomainServer NAME>
# fwm sic_reset
Create a new Internal Certificate Authority, run:
# mdsconfig -ca <DomainServer NAME> <DomainServer IP>
# mdsstart_customer <DomainServer NAME>

Resolving Issues with IKE Certificates

With a VPN tunnel that has an externally managed, third-party gateway and a Check Point Security Gateway, sometimes there is an issue with the IKE certificates after you migrate the management database.

The Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the original management server. The peer gateway will fail to contact the original server and will not accept the certificate.

To fix:

Update the external DNS server to resolve the host name to the IP address of the relevant Domain Server.
Revoke the IKE certificate for the gateway and create a new one.

Migrating an R80 Database to Another R80 Server

You can migrate the R80 Security Management Server database to a different R80 server. The procedure is similar to upgrading from an earlier version to R80.

Create a backup file of the current system settings from the Gaia WebUI.
For Multi-Domain Server run mds_backup
Perform the steps to migrate to another R80 Security Management Server or Multi-Domain Server.

Migrating a License to a New IP Address (Security Management Server)

Licenses are related to the management IP addresses. You must update the license and configure the environment to recognize the new server.

Update the licenses with the new IP address. If you use central licenses, they must also be updated with the new IP Address.
Run cpstop and cpstart on Security Management Server.
Connect to the new IP address with SmartConsole.
Remove the host object and the rule that you created before migration.
Update the primary Security Management Server object to make the IP Address and topology match the new configuration.
Run evstop and evstart on SmartEvent servers.
On the DNS, map the target Security Management Server host name to the new IP address.

Configuring the new IP address for Log Servers and SmartEvent:

When you log in to SmartConsole for the first time, open the Domain Log Server or SmartEvent object.
Change the IP address to the new IP address.
Publish and install the database.
Open the distributed Domain Log Server or SmartEvent object again.
In the Platform section, click Get.
This updates the server to the correct version.
Click OK.
Publish and install the database.

Restoring on Failure

If there are issues with the upgrade, you can restore the original database. Make sure you have the OS settings that you noted when you backed up.

Clean install the original version.
Use the Installation and Upgrade Guide for major versions, or the Release Notes for minor versions or hotfixes.
Configure Gaia OS settings in the Gaia WebUI or CLI.
Import the exported database.
- Security Management Server
- Multi-Domain Server