Aiman_Azzim
Participant

Migrate MDS from R77.10 to R80.10

Hi all,

I would like to ask some questions regarding MDS. Basically, I am still new to deploying VSX and MDS. My task is to migrate MDS from version R77.10 to R80.10. The old MDS box is running version R77.10 and I need to export all the policy to migrate to the new MDS box that is running version R80.10. Are there any tools or steps that I can use to migrate policy from R77.10 to R80.10?

13 Replies
Mark_Mitchell
Advisor

Hi Muhammad,

For migration to R80.10 MDS, the following link should detail all the required steps and prerequisites.

Installation and Upgrade Guide R80.10 

Topic: 158379 within the link. Couldn't link directly to the page. 

I would recommend a good plan and also run through in a lab if you have time to build one. 

Regards

Mark

0 Kudos
Aiman_Azzim
Participant

Hi @Mark Mitchell,

Thank you for the link. Basically, I will export the MDS and import it into a lab environment before deployment. Another question: how do we export a CMA that is running version R77.10 to R80.10? Is the step the same, i.e. copy the R80.10 migration tools > put them on R77.10 > run ./migrate export? Or is there another solution?

Regards,

Muhammad

0 Kudos
Mark_Mitchell
Advisor

Hi Muhammad, 

For the purposes of your test migration to a lab environment, your CMA can be migrated by following the below. The below excerpt has been copied from the "Installation and Upgrade Guide R80.10". I would recommend reading the guide, specifically the section "Upgrading an R77.xx Multi-Domain Security Management with Migration", before proceeding with the lab environment so that the full process is understood.

Installation and Upgrade Guide R80.10  

"To import from R77.xx Domain Management Server to R80.10:

  1. On the Multi-Domain Server with the active global policy, get the Upgrade Tools from the R80.10 CD or ISO.
  2. Extract the tools.

    Extraction makes the upgrade_tools subdirectory.

    In this path, extract the Multi-Domain Security Management tools - p1_upgrade_tools.tgz

    For example:

    Install from CD:

    # gtar xvfz /mnt/cdrom/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C /var/opt/export_tools

    Install from DVD:

    # gtar xvfz /mnt/cdrom/Linux/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C /var/opt/export_tools

  3. Go to the context of the Domain Management Server. Run:

    # mdsenv <IP address or Name of Domain Management Server>

  4. Run:

    # cd <full path to migrate command>

    # ./migrate export [-l] <output file>

    • The migrate export command exports one Domain Management Server database to a TGZ file.
    • The output file must be specified with the fully qualified path. Make sure there is sufficient disk space for the output file.
    • The optional -l flag includes closed log files and SmartLog data from the source Domain Management Server in the output archive.
  5. On the R80.10 Multi-Domain Server, run these API commands to create a new Domain and a new Domain Management Server (without starting it):

    # mgmt_cli --root true add domain name <my_domain_name> servers.ip-address <my_IP_address> servers.name <my_domain_server_name> servers.multi-domain-server <R80.10_multi-domain-server_Name> servers.skip-start-domain-server true

    Important! - After you create the new Domain with this command, do not change the Domain IP address until you run the cma_migrate command.

  6. Copy the TGZ file from the source Domain Management Server to the R80.10 Multi-Domain Server. Import the exported database:

    # unset TMOUT

    # cma_migrate <source management tgz file> <target Domain Management Server $FWDIR directory>

    For example:

    # cma_migrate tmp/orig_mgmt.tgz /opt/CPmds-R80/customers/cma1/CPsuite-R80/fw1

    This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must change the source Domain Management Server according to instructions in the error messages. Then do this procedure again."

Source: Installation and Upgrade Guide R80.10 > Upgrading an R77.xx Multi-Domain Security Management with Migration

As per previous recommendations, to ensure that the migration goes smoothly and there are no issues during or after, I would recommend the professional services route as previously mentioned.

Regards

Mark
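
The checks the quoted guide asks for around steps 4 and 6 (a fully qualified output path, enough disk space, and an intact TGZ on the target before the import), as an added example that is not part of the original post or the Check Point guide. It assumes bash with df, awk, sha256sum and tar on both servers; the function names, paths and size estimate are hypothetical.

```shell
#!/bin/bash
# Added example: checks around "migrate export" (step 4) and "cma_migrate" (step 6).
# Assumptions: bash, df, awk, sha256sum and tar exist on both servers;
# function names are hypothetical and are not Check Point tools.

# preflight_export <output file> <estimated size in KB>
# 0 = ok, 2 = path not fully qualified, 3 = directory missing, 4 = too little space
preflight_export() {
    local out="$1" need_kb="$2" dir avail_kb
    case "$out" in
        /*) ;;
        *) echo "not a fully qualified path: $out" >&2; return 2 ;;
    esac
    dir=$(dirname "$out")
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 3; }
    # -P prints one line per filesystem; column 4 is the available 1K blocks
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge "$need_kb" ] || {
        echo "only ${avail_kb} KB free in $dir, need ${need_kb} KB" >&2; return 4; }
}

# record_digest <tgz>: run on the source after the export; writes <tgz>.sha256.
# The digest file stores only the base name, so it still verifies after both
# files are copied to a different directory on the target.
record_digest() {
    local tgz="$1"
    ( cd "$(dirname "$tgz")" &&
      sha256sum "$(basename "$tgz")" > "$(basename "$tgz").sha256" )
}

# verify_archive <tgz>: run on the target before the import.
# 0 = ok, 1 = digest mismatch or digest file missing, 2 = archive does not read to the end
verify_archive() {
    local tgz="$1"
    ( cd "$(dirname "$tgz")" &&
      sha256sum -c "$(basename "$tgz").sha256" >/dev/null 2>&1 ) || {
        echo "digest check failed for $tgz" >&2; return 1; }
    tar -tzf "$tgz" >/dev/null 2>&1 || {
        echo "archive is truncated or corrupt: $tgz" >&2; return 2; }
}

# Where the calls sit in the procedure (paths and size are placeholders):
#   preflight_export /var/log/orig_mgmt.tgz 5000000   # before ./migrate export
#   record_digest    /var/log/orig_mgmt.tgz           # after the export finishes
#   verify_archive   /var/log/orig_mgmt.tgz           # on the R80.10 server, before cma_migrate
```

Copy the `.sha256` file together with the TGZ; a non-zero return from `verify_archive` means the archive should be copied again before the import is attempted.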

Aiman_Azzim
Participant

Hi Mark Mitchell,

Thank you for the guide. I will perform the lab testing and update back if I get any issues. Thanks again. About the global object: before I migrate from R77.10 to R80.10, I need to remove the global object from the local policy layer, right?

0 Kudos
Mark_Mitchell
Advisor

Hi Muhammad,

You can also migrate the global policy database using the "migrate_global_policies" command.

However the Multi Domain Server and Domain Servers will be stopped whilst this is completed.

Regards

Mark

0 Kudos
Vladimir
Champion

Muhammad,

Upgrading or migrating MDS with VSX is one of the most complex tasks there is, so I am hesitant to recommend any steps for you to follow in order to achieve this.

Unless you are familiar with these products, you may not even realize the limitations that the R80+ version imposes on MDS. Please search this forum for the threads pertaining to this subject, there are quite a few of them.

I strongly suggest engaging Check Point professional services to aid you with this project. Even with them taking a lead it may not be a trivial undertaking.

Regards,

Vladimir

0 Kudos
_Val_
Admin

As far as I see, one needs to completely rebuild VSX at some point. Although with the vsx provision utility it can be done in a short period of time, I second the suggestion of engaging external consulting to plan and perform the migration.

0 Kudos
Niv_Gafni
Employee Alumnus

Hi Valeri,

When upgrading MDS, there is no need to recreate the VSX, as the version of the VSX stays the same, and the objects in the mgmt DB are updated as part of the mgmt upgrade, similar to SGW objects.

When upgrading the VSX itself, there is also no need to recreate the VSX. The procedure should be:

1. Upgrade the mgmt DB using vsx_util upgrade

2. Run cpuse upgrade on the GW (if you have a VSX cluster, use the CU procedure to preserve connections between the members)

Both vsx_util upgrade and cpuse upgrade preserve the existing configurations.

If the migration preserves the same domain names and IPs, the new mgmt will work seamlessly with the old VSX. If there is a change in domain name or IP, you can recreate the VSX automatically with the vsx_util reconfigure command from the new domain.

0 Kudos
_Val_
Admin

The topic starter mentioned export of policies. I assume the story is about per domain gradual migration. If so, it is not possible to do today by standard tools with VSX in place. 

If this is a one-shot advanced upgrade of the whole MDS, I do agree with you, there is a standard procedure to do so, regardless of VSX.

In my comment I was addressing the first scenario only.

0 Kudos
Mark_Mitchell
Advisor

Completely agree with Vladimir Yakovlev: if you are new to both products, VSX and MDS, engage with your preferred Check Point Partner and/or Check Point professional services.

Regards

Mark

0 Kudos
Maarten_Sjouw
Champion

I would use the export_mds script to create an export of the R77.10 MDS and use mds_import on the R80.10 MDS to get this migration done.

The only thing would be to make sure you have enough disk space on the R77.10 machine to be able to store the export file.

The main advantage of this method is that you can first do a dry run on a test VM R80.10 MDS.

Regards, Maarten
0 Kudos
Aiman_Azzim
Participant

Hi Maarten Sjouw,

Sorry for the late reply. Do you mean that you export the R77.10 config using the R80.10 export_mds script and import it to the R80.10 MDS? Did you encounter any errors while exporting R77.10 using the R80.10 script?

0 Kudos
Maarten_Sjouw
Champion

Sorry, I have not done this myself yet, I will be doing this in a couple of months with a set of 3 MDS's with around 150 CMA's on them.

Regards, Maarten
