Migrating Database from an R81 Security Management Server to an R81 Domain Management Server
This procedure lets you export the entire management database from an R81 Security Management Server and import it on an R81 Multi-Domain Server into a Domain Management Server.
For the list of known limitations, see sk156072.
Prerequisites on the source Security Management Server:
-
Make sure to publish all changes you wish to migrate.
-
Make sure all required processes are up and running:
cpwd_admin list
The "STAT" column must show "E" (executing) for all processes.
-
Close the active Security log ($FWDIR/log/fw.log) and Audit log ($FWDIR/log/fw.adtlog) files:
fw logswitch
fw logswitch -audit
-
If the target Domain Management Server must have a different IP address than the source Security Management Server, then you must prepare the source database before the export.
Instructions in SmartConsole
-
Create a new Host object with the new IP address of the target Domain Management Server.
-
In each Security Policy, add a new Access Control rule to allow specific traffic from the Host object with the new IP address to all managed Security Gateways and Clusters.
Notes:
-
You must use the pre-defined Check Point services.
-
If the source Security Management Server manages VSX Gateways or VSX Clusters, you must also add this Access Control rule to their default VSX policies.
These default policies are called:
<Name of VSX Gateway or VSX Cluster Object>_VSX
-
Install all updated Access Control Policies.
Prerequisites on the target Multi-Domain Server:
-
The free disk space must be at least 5 times the size of the database file you export from the source Security Management Server.
-
Back up the current Multi-Domain Server. See Backing Up and Restoring.
-
Do not create a new Domain Management Server on the target Multi-Domain Server. This procedure creates it automatically.
-
Make sure you install the required license.
Procedure:
-
On the source R81 Security Management Server, export the database
-
Run this API:
migrate-export-domain
For API documentation, see the Check Point Management API Reference - search for migrate-export-domain.
Example:
mgmt_cli -d "System Data" migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"
Important - The option -d "System Data" is mandatory.
-
Calculate the MD5 of the export file:
md5sum <Full Path to Export File>.tgz
-
Transfer the export file to the target R81 Multi-Domain Server
-
Transfer the export file from the source Security Management Server to the target Multi-Domain Server, to some directory.
Note - Make sure to transfer the file in binary mode.
-
Make sure the transferred file is not corrupted.
Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the source Security Management Server:
md5sum <Full Path to Export File>.tgz
-
On the target Multi-Domain Server, import the Security Management Server database into a Domain Management Server
-
Make sure you have a sufficient license.
-
Run this API:
migrate-import-domain
For API documentation, see the Check Point Management API Reference - search for migrate-import-domain.
Make sure the name of the Domain you create does not conflict with the name of an existing Domain.
Example:
mgmt_cli -d "System Data" migrate-import-domain domain-name "MyDomain3" domain-server-name "MyDomainServer3" domain-ip-address "192.168.20.30" file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"
Important - The option -d "System Data" is mandatory.
-
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
-
Configure and assign the Administrators and GUI clients
You must again configure the Multi-Domain Server Administrators and GUI clients and assign them to the new Domain.
-
Configure the Multi-Domain Server Administrators and GUI clients:
-
Run the mdsconfig command.
-
Configure the Administrators.
-
Configure the GUI clients.
-
Exit the mdsconfig menu.
-
Assign the Administrators and GUI clients to the new Domain.
See the R81 Multi-Domain Security Management Administration Guide - Chapter Managing Domains - Section Creating a New Domain and Section Assigning Trusted Clients to Domains.
-
Stop the source R81 Security Management Server
-
Connect to the command line on the source Security Management Server.
-
Stop the source Security Management Server you migrated:
cpstop
-
Test the functionality on the R81 Domain Management Server
-
Connect with SmartConsole to the Domain Management Server.
-
Make sure the management database and configuration were imported correctly.
-
Install policy on all managed Security Gateways and Clusters
In SmartConsole, install the applicable policies on all managed Security Gateways and Clusters.
-
Disconnect the source R81 Security Management Server
Disconnect the source Security Management Server from the network.
-
Delete the special Access Control rule you added before migration
Important - This step applies only if the target Domain Management Server has a different IP address than the source Security Management Server.
-
Connect with SmartConsole to the target Domain Management Server.
-
In each Security Policy, delete the Access Control rule with the new Host object you added on the source Security Management Server before migration.
-
Delete the Host object you added on the source Security Management Server before migration.
-
Install the applicable policies on all managed Security Gateways and Clusters.
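The file-integrity and free-disk-space checks from the export, transfer and import steps above, combined into one pre-import script for the target Multi-Domain Server. This is an added example, not Check Point code; the function names and the choice to measure free space on the partition that holds the export file are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code): checks to run on the target
# Multi-Domain Server before migrate-import-domain.
# Function names below are illustrative assumptions.

# Compare the file's MD5 with the value recorded on the source server.
# MD5 is what the procedure uses; it detects transfer corruption only.
verify_md5() {
    local file="$1" expected="$2" actual
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{print $1}')
    # Normalise case so a digest pasted in upper case still matches.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Succeed only if the filesystem that holds directory $2 has at least
# $3 times (default 5, per the prerequisite) the size of file $1 free.
has_free_space() {
    local file="$1" dir="$2" factor="${3:-5}" size_kb free_kb
    size_kb=$(( ( $(wc -c < "$file") + 1023 ) / 1024 ))
    free_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge $(( size_kb * factor )) ]
}

# Run both checks; return non-zero on the first failure.
preimport_check() {
    local file="$1" expected="$2"
    verify_md5 "$file" "$expected" || {
        echo "FAIL: MD5 mismatch or unreadable file: $file" >&2
        return 1
    }
    has_free_space "$file" "$(dirname "$file")" 5 || {
        echo "FAIL: free space is below 5x the export file size" >&2
        return 1
    }
    echo "OK: $file matches the source MD5 and free space is sufficient"
}

# Usage: sh preimport_check.sh <Full Path to Export File>.tgz <MD5 from source>
if [ "$#" -eq 2 ]; then
    preimport_check "$1" "$2"
fi
```

Run it after the transfer and start migrate-import-domain only when it prints OK.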