Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced Upgrade

In an advanced upgrade scenario, you perform the upgrade procedure on the same Multi-Domain Servers.

Notes:

  • This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions.

  • For additional information related to this upgrade, see sk163814.

Important - Before you upgrade Multi-Domain Servers:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See the Upgrade Options and Prerequisites.

3

Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4

If there are Global Policies configured on the Global Domain:

  1. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Global Domain on your source Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS..

  2. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you complete the upgrade to the next available version. This is necessary to avoid any potential issues caused by different policy revisions on the Global Domain and on other Domains.

5

You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Server.

6

Install the latest version of the CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449. from sk92449.

Note - This is to make sure the CPUSE is able to support the required Upgrade Tools package.

7

Run the Pre-Upgrade Verifier on all source servers and fix all detected issues before you start the upgrade.

8

In Management High Availability, before you start the upgrade on other servers:

  1. Make sure the Primary Multi-Domain Server is upgraded and runs.

  2. Make sure the Multi-Domain Security Management Servers can communicate with each other and SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. works between these servers. For details, see sk179794.

Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.

Procedure:

  1. For instructions, see the R81.10 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.

  2. Step

    Instructions

    1

    Connect with SmartConsole to the Primary Multi-Domain Server.

    2

    From the left navigation panel, click Multi Domain > Domains.

    The table shows Domains and Multi-Domain Servers:

    • Every column shows a Multi-Domain Server.

    • Active Domain Management Servers (for a Domain) are marked with a solid black "barrel" icon.

    • Standby Domain Management Servers (for a Domain) are marked with an empty "barrel" icon.

    3

    In the leftmost column Domains, examine the bottom row Global for the Primary Multi-Domain Server.

    If the Global Domain is in the Standby state on the Primary Multi-Domain Server (marked with an empty "barrel" icon), then make it Active:

    1. Right-click on the Primary Multi-Domain Server and click Connect to Domain Server.

      The High Availability Status window opens.

    2. In the section Connected To, click Actions > Set Active.

    3. Click Yes to confirm.

    4. Wait for the full synchronization to complete.

    5. Close SmartConsole.

  3. Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.

    Step

    Instructions

    1

    Download the R81.10 Upgrade Tools from the sk135172..

    Note - This is a CPUSE Offline package.

    2

    Install the R81.10 Upgrade Tools with CPUSE.

    See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.

    3

    Make sure the package is installed.

    Run this command in the Expert mode:

    cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1

    The output must show the same build number you see in the name of the downloaded TGZ package.

    Name of the downloaded package: ngm_upgrade_wrapper_993000222_1.tgz

    [Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1

    993000222

    [Expert@HostName:0]#

    Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet.

    This is to make sure you always have the latest version of these Upgrade Tools installed.

    If the connection to Check Point Cloud fails, this message appears:

    Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.

  4. Step

    Instructions

    1

    Connect to the command line on the current Multi-Domain Server.

    2

    Log in with the superuser credentials.

    3

    Log in to the Expert mode.

    4

    Run the Pre-Upgrade Verifier.

    • If this Multi-Domain Server is connected to the Internet, run:

      $MDS_FWDIR/scripts/migrate_server verify -v R81.10

    • If this Multi-Domain Server is not connected to the Internet, run:

      $MDS_FWDIR/scripts/migrate_server verify -v R81.10 -skip_upgrade_tools_check

    For details, see the R81.10 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.

    5

    Read the Pre-Upgrade Verifier output.

    If it is necessary to fix errors:

    1. Follow the instructions in the report.

    2. Run the Pre-Upgrade Verifier again.

  5. Step

    Instructions

    1

    Connect to the command line on the current Multi-Domain Server.

    2

    Log in with the superuser credentials.

    3

    Log in to the Expert mode.

    4

    Run the Pre-Upgrade Verifier.

    • If this Multi-Domain Server is connected to the Internet, run:

      $MDS_FWDIR/scripts/migrate_server verify -v R81.10

    • If this Multi-Domain Server is not connected to the Internet, run:

      $MDS_FWDIR/scripts/migrate_server verify -v R81.10 -skip_upgrade_tools_check

    For details, see the R81.10 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.

    5

    Read the Pre-Upgrade Verifier output.

    If it is necessary to fix errors:

    1. Follow the instructions in the report.

    2. Run the Pre-Upgrade Verifier again.

  6. Step

    Instructions

    1

    Go to the $MDS_FWDIR/scripts/ directory:

    cd $MDS_FWDIR/scripts

    2

    Export the management database:

    • If this Multi-Domain Server is connected to the Internet, run:

      ./migrate_server export -v R81.10 [-l | -x] /<Full Path>/Primary_<Name of Exported File>

    • If this Multi-Domain Server is not connected to the Internet, run:

      ./migrate_server export -v R81.10 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Primary_<Name of Exported File>

    For details, see the R81.10 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.

    3

    Calculate the MD5 for the exported database files:

    md5sum /<Full Path>/Primary_<Name of Database File>.tgz

    4

    Transfer the exported databases from the source Multi-Domain Server to an external storage:

    /<Full Path>/Primary_<Name of Database File>.tgz

    Note - Make sure to transfer the file in the binary mode.

  7. Step

    Instructions

    1

    Go to the $MDS_FWDIR/scripts/ directory:

    cd $MDS_FWDIR/scripts

    2

    Export the management database:

    • If this Multi-Domain Server is connected to the Internet, run:

      ./migrate_server export -v R81.10 [-l | -x] /<Full Path>/Secondary_<Name of Exported File>

    • If this Multi-Domain Server is not connected to the Internet, run:

      ./migrate_server export -v R81.10 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Secondary_<Name of Exported File>

    For details, see the R81.10 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.

    3

    Calculate the MD5 for the exported database files:

    md5sum /<Full Path>/Secondary_<Name of Database File>.tgz

    4

    Transfer the exported databases from the source Multi-Domain Server to an external storage:

    /<Full Path>/Secondary_<Name of Database File>.tgz

    Note - Make sure to transfer the file in the binary mode.

  8. Step

    Instructions

    1

    See the R81.10 Release Notes for requirements.

    2

    Important - The IP addresses of the source and target server can be different. If it is necessary to have a different IP address on the target R81.10 server, you must create a special JSON configuration file before you import the management database from the source server.

    Note that you have to issue licenses for the new IP address.

    You must use the same JSON configuration file on all servers in the same Multi-Domain Security Management environment.

  9. Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.

    Step

    Instructions

    1

    Download the R81.10 Upgrade Tools from the sk135172..

    Note - This is a CPUSE Offline package.

    2

    Install the R81.10 Upgrade Tools with CPUSE.

    See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.

    3

    Make sure the package is installed.

    Run this command in the Expert mode:

    cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1

    The output must show the same build number you see in the name of the downloaded TGZ package.

    Name of the downloaded package: ngm_upgrade_wrapper_993000222_1.tgz

    [Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1

    993000222

    [Expert@HostName:0]#

    Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet.

    This is to make sure you always have the latest version of these Upgrade Tools installed.

    If the connection to Check Point Cloud fails, this message appears:

    Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.

  10. If you installed the target R81.10 Multi-Domain Server with a different IP address than the source Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source Multi-Domain Server. Note that you have to issue licenses for the new IP address.

    Important:

    • If none of the servers in the same Multi-Domain Security Management environment changed their original IP addresses, then you do not need to create the special JSON configuration file.

    • Even if only one of the servers migrates to a new IP address, all the other servers (including all Multi-Domain Log Servers, Log Servers, and SmartEvent Servers) must get this configuration file for the import process.

      You must use the same JSON configuration file on all servers (including Multi-Domain Log Servers, Log Servers, and SmartEvent Servers) in the same Multi-Domain Security Management environment.

    To create the required JSON configuration file:

    Step

    Instructions

    1

    Connect to the command line on the target R81.10 Multi-Domain Server.

    2

    Log in to the Expert mode.

    3

    Create the /var/log/mdss.json file that contains each server that migrates to a new IP address.

    [{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81.10 Multi-Domain Server>"}]

    [{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81.10 Multi-Domain Server>"},

    {"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R81.10 Multi-Domain Server>"}]

    [{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81.10 Multi-Domain Server>"},

    {"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R81.10 Multi-Domain Server>"},

    {"name":"<Name of Multi-Domain Log Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R81.10 Multi-Domain Log Server"}]

     

    There are 3 servers in the R80.30 Multi-Domain Security Management environment - the Primary Multi-Domain Server, the Secondary Multi-Domain Server, and the Multi-Domain Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS.. Both the Primary and the Secondary Multi-Domain Servers migrate to new IP addresses. The Multi-Domain Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs. remains with the original IP address.

    1. The current IPv4 address of the source Primary R80.30 Multi-Domain Server is:

      192.168.10.21

    2. The current IPv4 address of the source Secondary R80.30 Multi-Domain Server is:

      192.168.10.22

    3. The name of the source Primary R80.30 Multi-Domain Server object in SmartConsole is:

      MyPrimaryMDS

    4. The name of the source Secondary R80.30 Multi-Domain Server object in SmartConsole is:

      MySecondaryMDS

    5. The new IPv4 address of the target Primary R81.10 Multi-Domain Server is:

      172.30.40.51

    6. The new IPv4 address of the target Secondary R81.10 Multi-Domain Server is:

      172.30.40.52

    7. The required syntax for the JSON configuration file you must use on both the Primary and the Secondary Multi-Domain Servers, and on the Multi-Domain Log Server:

      [{"name":"MyPrimaryMDS","newIpAddress4":"172.30.40.51"},

      {"name":"MySecondaryMDS","newIpAddress4":"172.30.40.52"}]

      Important - All servers in this environment must get the same configuration file.

    Important - Make sure you followed the instructions in the above section "Required JSON configuration file".

    Step

    Instructions

    1

    Connect to the command line the Primary R81.10 Multi-Domain Server.

    2

    Log in with the superuser credentials.

    3

    Log in to the Expert mode.

    4

    Make sure a valid license is installed:

    cplic print

    If it is not already installed, then install a valid license now.

    5

    Transfer the exported database from an external storage to the R81.10 Multi-Domain Server, to some directory.

    Note - Make sure to transfer the file in the binary mode.

    6

    Make sure the transferred file is not corrupted.

    Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server:

    md5sum /<Full Path>/Primary_<Name of Exported File>.tgz

    7

    Go to the $MDS_FWDIR/scripts/ directory:

    cd $MDS_FWDIR/scripts/

    8

    Import the management database:

    • If this Multi-Domain Server is connected to the Internet:

      • And none of the servers changed their IP addresses, run:

        ./migrate_server import -v R81.10 [-l | -x] /<Full Path>/Primary_<Name of Exported File>.tgz

      • And at least one of the servers changed its IP address:

        • Make sure the required file /var/log/mdss.json exists and run:

          ./migrate_server import -v R81.10 [-l | -x] /<Full Path>/Primary_<Name of Exported File>.tgz

        • Or run:

          ./migrate_server import -v R81.10 [-l | -x] /var/log/mdss.json /<Full Path>/Primary_<Name of Exported File>.tgz

          Note - Before the release of updated Upgrade Tools in July 2021 (build 996000356 and lower), the syntax was "-change_ips_file /var/log/mdss.json".

    • If this Multi-Domain Server is not connected to the Internet:

      • And none of the servers changed their IP addresses, run:

        ./migrate_server import -v R81.10 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Primary_<Name of Exported File>.tgz

      • And at least one of the servers changed its IP address:

        • Make sure the required file /var/log/mdss.json exists and run:

          ./migrate_server import -v R81.10 [-l | -x] -skip_upgrade_tools_check /<Full Path>/Primary_<Name of Exported File>.tgz

        • Or run:

          ./migrate_server import -v R81.10 [-l | -x] -skip_upgrade_tools_check /var/log/mdss.json /<Full Path>/Primary_<Name of Exported File>.tgz

          Note - Before the release of updated Upgrade Tools in July 2021 (build 996000356 and lower), the syntax was "-change_ips_file /var/log/mdss.json".

    For details, see the R81.10 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.

    9

    Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):

    mdsstat

    If some of the required daemons on a Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:

    mdsstop_customer <IP Address or Name of Domain Management Server>

    mdsstart_customer <IP Address or Name of Domain Management Server>

    mdsstat

  11. Step

    Instructions

    1

    See the R81.10 Release Notes for requirements.

    2

    Important - The IP addresses of the source and target server can be different. If it is necessary to have a different IP address on the target R81.10 server, you must create a special JSON configuration file before you import the management database from the source server.

    Note that you have to issue licenses for the new IP address.

    You must use the same JSON configuration file on all servers in the same Multi-Domain Security Management environment.

  12. Note - This step is needed only to be able to export the entire management database (for backup purposes) with the latest Upgrade Tools.

    Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.

    Step

    Instructions

    1

    Download the R81.10 Upgrade Tools from the sk135172..

    Note - This is a CPUSE Offline package.

    2

    Install the R81.10 Upgrade Tools with CPUSE.

    See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.

    3

    Make sure the package is installed.

    Run this command in the Expert mode:

    cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1

    The output must show the same build number you see in the name of the downloaded TGZ package.

    Name of the downloaded package: ngm_upgrade_wrapper_993000222_1.tgz

    [Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1

    993000222

    [Expert@HostName:0]#

    Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet.

    This is to make sure you always have the latest version of these Upgrade Tools installed.

    If the connection to Check Point Cloud fails, this message appears:

    Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.

  13. If you installed the target R81.10 Multi-Domain Server with a different IP address than the source Multi-Domain Server, you must create a special JSON configuration file before you import the management database from the source Multi-Domain Server. Note that you have to issue licenses for the new IP address.

    Important:

    • If none of the servers in the same Multi-Domain Security Management environment changed their original IP addresses, then you do not need to create the special JSON configuration file.

    • Even if only one of the servers migrates to a new IP address, all the other servers (including all Multi-Domain Log Servers, Log Servers, and SmartEvent Servers) must get this configuration file for the import process.

      You must use the same JSON configuration file on all servers (including Multi-Domain Log Servers, Log Servers, and SmartEvent Servers) in the same Multi-Domain Security Management environment.

    To create the required JSON configuration file:

    Step

    Instructions

    1

    Connect to the command line on the target R81.10 Multi-Domain Server.

    2

    Log in to the Expert mode.

    3

    Create the /var/log/mdss.json file that contains each server that migrates to a new IP address.

    [{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81.10 Multi-Domain Server>"}]

    [{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81.10 Multi-Domain Server>"},

    {"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R81.10 Multi-Domain Server>"}]

    [{"name":"<Name of Primary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81.10 Multi-Domain Server>"},

    {"name":"<Name of Secondary Multi-Domain Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R81.10 Multi-Domain Server>"},

    {"name":"<Name of Multi-Domain Log Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R81.10 Multi-Domain Log Server"}]

     

    There are 3 servers in the R80.30 Multi-Domain Security Management environment - the Primary Multi-Domain Server, the Secondary Multi-Domain Server, and the Multi-Domain Log Server. Both the Primary and the Secondary Multi-Domain Servers migrate to new IP addresses. The Multi-Domain Log Server remains with the original IP address.

    1. The current IPv4 address of the source Primary R80.30 Multi-Domain Server is:

      192.168.10.21

    2. The current IPv4 address of the source Secondary R80.30 Multi-Domain Server is:

      192.168.10.22

    3. The name of the source Primary R80.30 Multi-Domain Server object in SmartConsole is:

      MyPrimaryMDS

    4. The name of the source Secondary R80.30 Multi-Domain Server object in SmartConsole is:

      MySecondaryMDS

    5. The new IPv4 address of the target Primary R81.10 Multi-Domain Server is:

      172.30.40.51

    6. The new IPv4 address of the target Secondary R81.10 Multi-Domain Server is:

      172.30.40.52

    7. The required syntax for the JSON configuration file you must use on both the Primary and the Secondary Multi-Domain Servers, and on the Multi-Domain Log Server:

      [{"name":"MyPrimaryMDS","newIpAddress4":"172.30.40.51"},

      {"name":"MySecondaryMDS","newIpAddress4":"172.30.40.52"}]

      Important - All servers in this environment must get the same configuration file.

    Important - Make sure you followed the instructions in the above section "Required JSON configuration file".

    Step

    Instructions

    1

    Connect to the command line the Secondary R81.10 Multi-Domain Server.

    2

    Log in with the superuser credentials.

    3

    Log in to the Expert mode.

    4

    Make sure a valid license is installed:

    cplic print

    If it is not already installed, then install a valid license now.

    5

    Transfer the exported database from an external storage to the R81.10 Multi-Domain Server, to some directory.

    Note - Make sure to transfer the file in the binary mode.

    6

    Make sure the transferred file is not corrupted.

    Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server:

    md5sum /<Full Path>/Secondary_<Name of Exported File>.tgz

    7

    Go to the $MDS_FWDIR/scripts/ directory:

    cd $MDS_FWDIR/scripts/

    8

    Import the management database:

    • If this Multi-Domain Server is connected to the Internet:

      • And none of the servers changed their IP addresses, run:

        ./migrate_server import -v R81.10 [-l | -x] /<Full Path>/Secondary_<Name of Exported File>.tgz

      • And at least one of the servers changed its IP address:

        • Make sure the required file /var/log/mdss.json exists and run:

          ./migrate_server import -v R81.10 [-l | -x] /<Full Path>/Secondary_<Name of Exported File>.tgz

        • Or run:

          ./migrate_server import -v R81.10 [-l | -x] /var/log/mdss.json /<Full Path>/Secondary_<Name of Exported File>.tgz

          Note - Before the release of updated Upgrade Tools in July 2021 (build 996000356 and lower), the syntax was "-change_ips_file /var/log/mdss.json".

    • If this Multi-Domain Server is not connected to the Internet:

      • And none of the servers changed their IP addresses, run:

        ./migrate_server import -v R81.10 -skip_upgrade_tools_check [-l | -x] /<Full Path>/Secondary_<Name of Exported File>.tgz

      • And at least one of the servers changed its IP address, run:

        • Make sure the required file /var/log/mdss.json exists and run:

          ./migrate_server import -v R81.10 [-l | -x] -skip_upgrade_tools_check /<Full Path>/Secondary_<Name of Exported File>.tgz

        • Or run:

          ./migrate_server import -v R81.10 [-l | -x] -skip_upgrade_tools_check /var/log/mdss.json /<Full Path>/Secondary_<Name of Exported File>.tgz

          Note - Before the release of updated Upgrade Tools in July 2021 (build 996000356 and lower), the syntax was "-change_ips_file /var/log/mdss.json".

    For details, see the R81.10 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.

    9

    Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):

    mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:

    mdsstop_customer <IP Address or Name of Domain Management Server>

    mdsstart_customer <IP Address or Name of Domain Management Server>

    mdsstat

  14. See Installing SmartConsole.

  15. Step

    Instructions

    1

    Connect with SmartConsole to the R81.10 Primary Multi-Domain Server.

    2

    From the left navigation panel, click Multi-Domain > Domains.

    3

    From the top toolbar, open the Secondary Multi-Domain Server object.

    4

    From the left tree, click General.

    5

    In the Platform section > in the Version field, select R81.10.

    6

    Click OK.

  16. Important - If your Multi-Domain Server manages Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server.

    Select the applicable upgrade option:

  		17.

    Important - This step applies only if the User and Device Management (UDM) is configured on one of the Domain Management Servers.

    Step

    Instructions

    1

    Close all SmartConsole clients connected the R81.10 Multi-Domain Server.

    2

    Connect to the command line on the R81.10 Multi-Domain Server.

    3

    Log in with the superuser credentials.

    4

    Log in to the Expert mode.

    5

    Go to the main MDS context:

    mdsenv

    6

    Examine the port numbers configured in the file $MDSDIR/conf/mdsdb/webservices_cmas_ports.conf in the attribute "port ()":

    cat $MDSDIR/conf/mdsdb/webservices_cmas_ports.conf

    Example:

    (
  : (My_Domain_Management_Server_1
    :port (30000)
    :port_SL (30001)
    :ip_addr (192.168.2.1)
  )
  : (My_Domain_Management_Server_2
    :port (30002)
    :port_SL (30003)
    :ip_addr (192.168.2.2)
  )
)

    7

    Configure the same port numbers in the file $UDMDIR/conf/cmas_list.conf in the attribute "WSPort":

    vi $UDMDIR/conf/cmas_list.conf

    Example:

    192.168.2.1:WSPort=30000:MDSip=192.168.2.254

    192.168.2.2:WSPort=30002:MDSip=192.168.2.254

    8

    		 Save the changes in the file and exit the editor.

    9

    Restart the User and Device Management services:

    udmstop ; udmstart

  18. Step

    Instructions

    1

    Connect to the command line on the server.

    2

    Log in to the Expert mode.

    3

    Restore the Log Exporter configuration as described in sk127653.

    4

    Reconfigure the Log Exporter:

    cp_log_export reconf

    5

    Restart the Log Exporter:

    cp_log_export restart

    For more information, see the R81.10 Logging and Monitoring Administration Guide > Chapter Log Exporter.

  		19.

    Important - This step applies to each Domain Management Server that manages SmartLSM Security Profiles.

    Step

    Instructions

    1

    Install the Access Control Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Access Control Policy.

    3. Select the applicable SmartLSM Security Profile objects.

    4. Click Install.

    5. The Access Control Policy must install successfully.

    2

    Install the Threat Prevention Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Threat Prevention Policy.

    3. Select the applicable SmartLSM Security Profile objects.

    4. Click Install.

    5. The Threat Prevention Policy must install successfully.

    For more information, see the R81.10 SmartProvisioning Administration Guide.

  20. Step

    Instructions

    1

    Connect with SmartConsole to the Primary R81.10 Multi-Domain Server.

    2

    Make sure the management database and configuration were upgraded correctly.

    3

    Test the Management High Availability functionality.