R81 CLI Reference Guide

migrate_server

Important - This command is used to migrate the management database from R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.

For more information, see:

Description

Exports the management database and applicable Check Point configuration.

Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:

To back up and restore a consistent environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.
Make sure other administrators do not make changes in SmartConsole until the backup operation is completed.

For more information:

About Gaia Backup and Gaia Snapshot, see the R81 Gaia Administration Guide.
About Virtual Machine Snapshots, see the vendor documentation.

Notes:

You must run this command from the Expert mode.
If it is necessary to back up the current management database, and you do not plan to import it on a Management Server that runs a higher software version, then you can use the built-in command in the $FWDIR/scripts/ directory.
If you plan to import the management database on a Management Server that runs a higher software version, then you must use the migrate_server utility from the migration tools package created specifically for that higher software version. See the Installation and Upgrade Guide for that higher software version.
If this command completes successfully, it creates this log file:

/var/log/opt/CPshrd-R81/migrate-<YYYY.MM.DD_HH.MM.SS>.log

For example: /var/log/opt/CPshrd-R81/migrate-2019.06.14_11.03.46.log
If this command fails, it creates this log file:

$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log

For example: /opt/CPshrd-R81/log/migrate-2020 - 2024.06.14_11.21.39.log

Syntax

To see the built-in help:

[Expert@MGMT:0]# cd $FWDIR/scripts/

[Expert@MGMT:0]# ./migrate_server -h

To run the Pre-Upgrade Verifier:

[Expert@MGMT:0]# cd $FWDIR/scripts/

[Expert@MGMT:0]# ./migrate_server verify -v R81 [-skip_upgrade_tools_check]

To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/

[Expert@MGMT:0]# ./migrate_server export -v R81 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] [--ignore_warnings] /<Full Path>/<Name of Exported File>

To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/

[Expert@MGMT:0]# ./migrate_server import -v R81 [-skip_upgrade_tools_check] [-l | -x] [/var/log/mdss.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

To import the Domain Management Server database and configuration on a Security Management Server:

[Expert@MGMT:0]# cd $FWDIR/scripts/

[Expert@MGMT:0]# ./migrate_server migrate_import_domain -v R81 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Parameters

Parameter

Description

-h

Shows the built-in help.

export

Exports the management database and applicable Check Point configuration.

import

Imports the management database and applicable Check Point configuration that were exported from another Management Server.

Important:

This command automatically restarts Check Point services (runs the "cpstop" and "cpstart" commands).

This note applies to a Multi-Domain Security Management environment, if at least one of the servers changes its IPv4 address comparing to the source server, from which you exported its database.

You must do these steps before you start the upgrade and import:

You must create a special JSON configuration file with the new IPv4 address(es).

Syntax:

[{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},

{"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]

Example:

[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]

You must call this file: mdss.json
You must put this file on all servers in this directory: /var/log/

migrate_import_domain

On a Security Management Server, imports the management database and applicable Check Point configuration that were exported from a Domain Management Server.

Important - This command automatically restarts Check Point services (runs the "cpstop" and "cpstart" commands).

verify

Verifies the management database and applicable Check Point configuration that were exported from another Management Server.

-v R81

Specifies the version, to which you plan to migrate / upgrade.

-skip_upgrade_tools_check

Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.

Best Practice - Use this parameter on the Management Server that is not connected to the Internet.

-l

Exports and imports the Check Point logs without log indexes in the $FWDIR/log/ directory.

Important:

The command can export only closed logs (to which the information is not currently written).
If you use this parameter, it can take the command a long time to complete (depends on the number of logs).

-x

Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.

Important:

This parameter only supports Management Servers and Log Servers R80.10 and higher.
The command can export only closed logs (to which the information is not currently written).
If you use this parameter, it can take the command a long time to complete (depends on the number of logs and indexes).

/var/log/mdss.json

Previously:

-change_ips_file /<Full Path>/<Name>.json

Important:

In the Upgrade Tools for R81 build higher than 995000519, the syntax is (this filename is mandatory):

/var/log/mdss.json

You must create the file /var/log/mdss.json and not use the parameter "-change_ips_file".

In the Upgrade Tools for R81 build 995000519 and lower, the syntax was:

-change_ips_file /<Full Path>/<Name of JSON File>.json

Specifies the absolute path to the special JSON configuration file with new IPv4 addresses.

This file is mandatory during an upgrade of a Multi-Domain Security Management environment.

Even if only one of the servers migrates to a new IP address, all the other servers must get this configuration file for the import process.

Syntax:

[{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},

{"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]

Example:

[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},

{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]

--include-uepm-msi-files

During the export operation, backs up the MSI files from the Endpoint Security Management Server.
During the import operation, restores the MSI files on the Endpoint Security Management Server.

--exclude-uepm-postgres-db

During the export operation, does not back up the PostgreSQL database from the Endpoint Security Management Server.
During the import operation, does not restore the PostgreSQL database on the Endpoint Security Management Server.

--ignore_warnings

If during an upgrade procedure, the Pre-Upgrade Verifier shows warnings, you can use this parameter to ignore warnings and continue the upgrade.

Important - To prevent issues during and after upgrade, we strongly recommend to resolve all issues and not use this parameter.

-n

Disables the interactive mode.

/<Full Path>/<Name of Exported File>

Specifies the absolute path to the exported database file. This path must exist.

During the export operation, specifies the name of the output file.

The command automatically adds the *.tgz extension.
During the import operation, specifies the name of the exported file.

You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export /var/log/Migrate_Export
 
You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.
 
Do you want to continue? (y/n) [n]? y
 
 
Copying required files...
Compressing files...
 
The operation completed successfully.
 
Location of archive with exported database: /var/log/Migrate_Export.tgz
 
[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R81/migrate-2020 - 2024.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export
Execution finished with errors. See log file '/opt/CPshrd-R81/log/migrate-2020 - 2024.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#

16 March 2024

© 2020 - 2024 Check Point Software Technologies Ltd.