Solved: R80.10 Multi-Domain log server support

Kaspars_Zibarts · ‎2017-08-21

Does anyone have a straight answer if the log server (Multi-Domain environment) is supported in R80.10? I'm getting conflicting info from user centre - sk117159 says it's not yet R80.10 release notes says it is. Raised an SR but didn't get an answer either..

In case it's not supported, can we still upgrade actual primary and secondary MDM servers to R80.10 leaving log server on R80?

The reason why I'm asking is that lab upgrade failed on the log server (upgrading from R80). Primary and secondary upgraded OK:

Kaspars_Zibarts · ‎2017-09-13

Good news!

We have successfully tested and implemented MLM rebuild procedure to R80.10. Took a while and a lot of lab work but it worked at the end.

For those were stuck in the same situation with MDS on R80.10 and MLM R80, you can follow these steps:

do not delete CLMs from MDS panel but log into each domain/CMA separately, remove any usage of CLM object, then delete CLM object (remember to install DB and push policy of course as you are changing logging target for gateways). Once that's done you will have to stop/start CMA. After this step CLMs should be gone from MDS
Install MLM with R80 first. If you install R80.10 directly it will not sync with MDS and will complain about different hotfix levels. Before re-creating CLMs, upgrade to R80.10 and the same hotfix level as MDS using CPUSE
Then proceed to create MLM object and corresponding CLMs. Remember to attach licenses to each CLM

Cheers, K

View solution in original post

PhoneBoy · ‎2017-08-22

What sk117159 refers to is logging to the MDM itself (i.e. without a separate log server).

You should be able to log to an MLM.

Kaspars_Zibarts · ‎2017-08-22

Actually I got an answer at the end. You cannot upgrade MLM from R80 to R80.10 (or any other release I believe) - your only option is clean install and then re-build everything from scratch manually (cannot restore any backups or upgrade import). But, it happily runs MDS servers on R80.10 and MLM still on R80. We did production upgrade yesterday and so far so good. You get an error on MDS screen that Sync has failed due to different hotfix levels on MDS and MLM but manual database install works OK on all CMAs, so I believe the Sync error can be ignored for now.

Hugo_vd_Kooij · ‎2017-08-23

You might want to check if user accounts are synced correctly. I think that is one of the few things that might not work properly.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Kaspars_Zibarts · ‎2017-08-24

Just tested the user account Hugo - added a new domain user with limited access to only one domain and all seems to be working ok - I can still see the logs presented on R80 CLM in that domain

Kaspars_Zibarts · ‎2017-09-06

I stand corrected and apologise for spreading untrue info! Different sources within CP..

The latest is that MLM upgrade using CPUSE (WebUI or CLI) from R80 to R80.10 is supported but "a small number of customers has had issues". So I have opened SR and hopefully we will have fix soon!

Kaspars_Zibarts · ‎2017-09-06

Back to square one!

From: Check Point Support [mailto:support@checkpoint.com]

Sent: den 6 september 2017 15:22

Subject: UPDATE 1-9722772851 MLM upgrade from R80 to R80.10 fails

Dear Kaspars,

RE: MLM upgrade from R80 to R80.10 fails

I just got an update from RnD about it.

Currently there is no way to upgrade MLM and Secondary server's.

The only way to do it is with Fresh install.

RnD are working on a solution that should be publish during Q4 of 2017.

Maxim_Tremblay · ‎2017-09-08

Hi

For us in our LAB (testing upgrade R80 to R80.10 before run it on our production environment), we had the same error as from sk117539. After we’ve executed the Groovy script from SK116056, we were able to upgrade our Primary MDM, Secondary MDM.

But MLM upgrade still not working and we still waiting from CP. Ticket opened since middle of June.

Thank,

Kaspars_Zibarts · ‎2017-09-13

Good news!

We have successfully tested and implemented MLM rebuild procedure to R80.10. Took a while and a lot of lab work but it worked at the end.

For those were stuck in the same situation with MDS on R80.10 and MLM R80, you can follow these steps:

do not delete CLMs from MDS panel but log into each domain/CMA separately, remove any usage of CLM object, then delete CLM object (remember to install DB and push policy of course as you are changing logging target for gateways). Once that's done you will have to stop/start CMA. After this step CLMs should be gone from MDS
Install MLM with R80 first. If you install R80.10 directly it will not sync with MDS and will complain about different hotfix levels. Before re-creating CLMs, upgrade to R80.10 and the same hotfix level as MDS using CPUSE
Then proceed to create MLM object and corresponding CLMs. Remember to attach licenses to each CLM

Cheers, K

Maxim_Tremblay · ‎2017-11-14

@Kaspars Zibarts

I have tested in our lab your described procedure before and yes it work, but for us it was not a good solution when we have more than 75 gateway that pointing on few CLM. We’ve pushed on Check Point to find what was wrong with our environment and they produce the sk121262, where the solution correct some specific problem in our DB environment and tweaking upgrade process. Upgrade is still through CPUSE for MLM. The CP solution provided from sk121262 work for us.

Kaspars_Zibarts · ‎2017-11-15

Nice to hear that finally that little chestnut is resolved! Obviously we were not enough important customer had to crack it ourselves

Are you a member of CheckMates?

R80.10 Multi-Domain log server support