Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. and the different target Multi-Domain Server.

Notes: This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions. For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS.: Step Instructions 1 Back up your current configuration (see Backing Up and Restoring). 2 See the Upgrade Options and Prerequisites. 3 You must upgrade your Multi-Domain Servers. 4 You must close all GUI clients (SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. applications) connected to the source Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs.. 5 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues before you start the upgrade.

Procedure:

1. Get the required Upgrade Tools on the source server

   Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.

   Step	Instructions
   1	Download the R81 Upgrade Tools from the sk135172. (See Upgrade Tools.) Note - This is a CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449. Offline package.
   2	Install the R81 Upgrade Tools with CPUSE. See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
   3	Make sure the package is installed. Run this command in the Expert mode: cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1 The output must show the same build number you see in the name of the downloaded TGZ package. Example Name of the downloaded package: ngm_upgrade_wrapper_993000222_1.tgz [Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1 993000222 [Expert@HostName:0]#

   Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears: Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.

2. On the current Multi-Domain Log Server, run the Pre-Upgrade Verifier and export the entire management database

   Step	Instructions
   1	Connect to the command line on the current Multi-Domain Log Server.
   2	Log in with the superuser credentials.
   3	Log in to the Expert mode.
   4	Run the Pre-Upgrade Verifier. If this Multi-Domain Log Server is connected to the Internet, run: $MDS_FWDIR/scripts/migrate_server verify -v R81 If this Multi-Domain Log Server is not connected to the Internet, run: $MDS_FWDIR/scripts/migrate_server verify -v R81 -skip_upgrade_tools_check For details, see the R81 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
   5	Read the Pre-Upgrade Verifier output. If it is necessary to fix errors: Follow the instructions in the report. Run the Pre-Upgrade Verifier again.
   6	Go to the $MDS_FWDIR/scripts/ directory: cd $MDS_FWDIR/scripts
   7	Export the management database: If this Multi-Domain Log Server is connected to the Internet, run: ./migrate_server export -v R81 [-l | -x] /<Full Path>/<Name of Exported File> If this Multi-Domain Log Server is not connected to the Internet, run: ./migrate_server export -v R81 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File> For details, see the R81 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
   8	Calculate the MD5 for the exported database files: md5sum /<Full Path>/<Name of Database File>.tgz
   9	Transfer the exported databases from the source Multi-Domain Log Server to an external storage: /<Full Path>/<Name of Database File>.tgz Note - Make sure to transfer the file in the binary mode.

3. Install another R81 Multi-Domain Log Server

   Step	Instructions
   1	See the R81 Release Notes for requirements.
   2	Perform the clean install on another server in one of these ways (do not perform initial configuration in SmartConsole): Follow Installing Software Packages on Gaia - select the R81 package and perform Clean Install. See sk92449 for detailed steps. Follow Installing a Multi-Domain Log Server.

   Important - The IP addresses of the source and target R81 servers must be the same. If it is necessary to have a different IP address on the R81 server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. See Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server.

4. Get the required Upgrade Tools on the R81 server

   Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.

   Step	Instructions
   1	Download the R81 Upgrade Tools from the sk135172. (See Upgrade Tools.) Note - This is a CPUSE Offline package.
   2	Install the R81 Upgrade Tools with CPUSE. See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
   3	Make sure the package is installed. Run this command in the Expert mode: cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1 The output must show the same build number you see in the name of the downloaded TGZ package. Example Name of the downloaded package: ngm_upgrade_wrapper_993000222_1.tgz [Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1 993000222 [Expert@HostName:0]#

   Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed. If the connection to Check Point Cloud fails, this message appears: Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.

5. On the R81 Multi-Domain Log Server, import the databases

   Step	Instructions
   1	Connect to the command line on the R81 Multi-Domain Log Server.
   2	Log in with the superuser credentials.
   3	Log in to the Expert mode.
   4	Make sure a valid license is installed: cplic print If it is not already installed, then install a valid license now.
   5	Transfer the exported database from an external storage to the R81 Multi-Domain Log Server, to some directory. Note - Make sure to transfer the file in the binary mode.
   6	Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Multi-Domain Server: md5sum /<Full Path>/<Name of Exported File>.tgz
   7	Go to the $MDS_FWDIR/scripts/ directory: cd $MDS_FWDIR/scripts/
   8	Import the management database: If this Multi-Domain Log Server is connected to the Internet, run: ./migrate_server import -v R81 [-l | -x] /<Full Path>/<Name of Exported File>.tgz If this Multi-Domain Log Server is not connected to the Internet, run: ./migrate_server import -v R81 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz For details, see the R81 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate_server.
   9	Make sure that all the required daemons have the correct state: mdsstat The state of the FWM, FWD, and CPD daemons must be "up" on all levels. These daemons must show their PID, or "pnd". The state of the CPCA daemon must be "N/R" on the MDS level. The state of the CPCA daemon must be "down" on the Domain Log Server level. If the state of one of the required daemons (FWM, FWD, or CPD) on a Domain Log Server is "down", then wait for 5-10 minutes, restart that Domain Log Server, and check again. Run these three commands: mdsstop_customer <IP Address or Name of Domain Log Server> mdsstart_customer <IP Address or Name of Domain Log Server> mdsstat

6. Install the R81 SmartConsole

   See Installing SmartConsole.

7. Update the version of the Multi-Domain Log Server object

   Step	Instructions
   1	Connect with SmartConsole to the R81 Multi-Domain Server that manages the Multi-Domain Log Server.
   2	From the left navigation panel, click Multi-Domain > Domains.
   3	From the top toolbar, open the Multi-Domain Log Server object.
   4	From the left tree, click General.
   5	In the Platform section > in the Version field, select R81.
   6	Click OK.

8. Reconfigure the Log Exporter

   Step	Instructions
   1	Connect to the command line on the server.
   2	Log in to the Expert mode.
   3	Restore the Log Exporter configuration as described in sk127653.
   4	Reconfigure the Log Exporter: cp_log_export reconf
   5	Restart the Log Exporter: cp_log_export restart

   For more information, see the R81 Logging and Monitoring Administration Guide > Chapter Log Exporter.

9. Test the functionality on the R81 Multi-Domain Log Server

   Step	Instructions
   1	Connect with SmartConsole to the R81 Multi-Domain Log Server.
   2	Make sure the management database and configuration were upgraded correctly.

10. Test the functionality on the R81 Multi-Domain Server

    Step	Instructions
    1	Connect with SmartConsole to the R81 Multi-Domain Server that manages the Multi-Domain Log Server.
    2	Make sure the logging works as expected.

11. Disconnect the old Multi-Domain Log Server from the network

    Disconnect the network cables the old Multi-Domain Log Server.

12. Connect the new Multi-Domain Log Server to the network

    Connect the network cables to the new Multi-Domain Log Server.