Rakesh_Dhanda
Explorer

R77.30 to R80.10 SMS Migration

Hi All,

I am going to upgrade our SMS from R77.30 to R80.10; can anyone please share the procedure for how to do that?


Accepted Solutions
Nick_Doropoulos
Advisor
Hi Rakesh,
Below is the migration workflow I have followed:

Migration Workflow

  1. Prepare the source Security Management Server for export.
    1. Ensure that the latest DA agent is installed.
    2. Ensure that the latest hotfixes are installed.
    3. Fix all validation errors if any.
    4. Verify all firewall policies.
    5. Take backups, snapshots and copies of the existing configuration.

  2. Export the management database from source Security Management Server.
    1. Get the migration tools package.

      You need to use the Migration tools for the version you wish to upgrade to, not the version you are upgrading from.

      For example, if you want to migrate your R77.30 management to R80.10, you need to use the R80.10 version of migration tools.

    2. Extract the downloaded package.

      Important - Put all extracted files in the same directory, and run the tools from this directory.

    3. Make sure the files have executable permissions. For example, in the temporary directory, run
      chmod 777 *
    4. Run fw logswitch to close the SmartView Tracker log files and the SmartLog data. Only closed logs are migrated.
    5. Close all Check Point GUI clients that are connected to the Security Management Server.
      Alternatively, if this is a computer that is not in production, run cpstop on the source computer.

      Important - If you do not close the GUI clients or run cpstop, the exported management database can become corrupted.

    6. [Expert@MGMT:0]# who (to see who is logged in)
    7. [Expert@MGMT:0]# pkill -KILL -u [user] (to disconnect a specific user)
    8. [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
    9. [Expert@MGMT:0]# ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80 -f /opt/puv
      The above command should result in an HTML file inside the /opt/puv path. Correct all errors before proceeding.
    10. [Expert@MGMT:0]# yes | nohup ./migrate export [options] /<full path>/<name of exported file without any extension> (to survive a closed/timed-out SSH session)
    11. Extract the exported database with WinSCP and transfer it to a safe location.
    12. Create a hash of the database on https://md5file.com/calculator.

  3. Install the R77 Security Management Server or a standalone deployment on the target server.

  4. Import the management database to the target Security Management Server.
    1. Create a hash of the exported database once again and ensure it matches the previous one.
    2. [Expert@MGMT:0]# unset TMOUT (so you won’t get locked out half way through the process as it might take some time)
    3. [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
    4. [Expert@MGMT:0]# yes | nohup ./migrate import [options] /<full path>/<name of exported file>.tgz (to survive a closed/timed-out SSH session)
    5. [Expert@MGMT:0]# watch -n1 $FWDIR/scripts/cpm_status.sh (until it says "the security management server is running and ready")
    6. Verify that all security policies are correct.
I hope it helps.
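
The two hash steps in the workflow above (hash after export, hash again before import) can also be done locally on the servers. The following is an added example, not part of the original post: it uses sha256sum, assumed to be installed on both hosts, instead of the web calculator, and the function names and the file name sms_export.tgz are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. File names are placeholders;
# sha256sum and tar are assumed to be installed on both servers.

# record_hash FILE: write FILE.sha256 beside the export (run on the source SMS).
record_hash() (
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; exit 2; }
    cd "$(dirname "$f")" || exit 2
    sha256sum "$(basename "$f")" > "$(basename "$f").sha256"
)

# verify_hash FILE: succeed only if FILE still matches FILE.sha256 and is a
# readable gzip'd tar (run on the target SMS before migrate import).
# Exit codes: 1 = hash mismatch, 2 = file or manifest missing, 3 = bad archive.
verify_hash() (
    f=$1
    [ -f "$f" ] && [ -f "$f.sha256" ] || { echo "export or manifest missing" >&2; exit 2; }
    cd "$(dirname "$f")" || exit 2
    sha256sum -c "$(basename "$f").sha256" >/dev/null 2>&1 ||
        { echo "hash mismatch: $f" >&2; exit 1; }
    tar -tzf "$(basename "$f")" >/dev/null 2>&1 ||
        { echo "unreadable archive: $f" >&2; exit 3; }
)

# demo: constructed sample data standing in for a real export.
demo() (
    d=$(mktemp -d) || exit 1
    rc=0
    echo "constructed sample" > "$d/objects.txt"
    tar -czf "$d/sms_export.tgz" -C "$d" objects.txt
    # An intact copy must pass.
    record_hash "$d/sms_export.tgz" && verify_hash "$d/sms_export.tgz" || rc=1
    # Simulate a damaged transfer; the modified copy must be rejected.
    echo "x" >> "$d/sms_export.tgz"
    verify_hash "$d/sms_export.tgz" 2>/dev/null && rc=1
    rm -rf "$d"
    [ "$rc" -eq 0 ] && echo "intact copy accepted, modified copy rejected"
    exit "$rc"
)

demo
```

Copy the .sha256 file to the target together with the export, and run the import only when verify_hash returns 0.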


5 Replies
peter_schumache
Collaborator

It depends on how your SMS is deployed today. Ideally, it runs as a virtual machine. Then you clone it and keep the original for a rollback. On the clone, you can perform a new installation or an inline upgrade. See the R80.10 Upgrade and installation docs for more details.

I personally prefer the new installation, since you get rid of all old and unwanted crap on your SMS.

Independent of your deployment, first you run the R80.10 migration tool pre_upgrade_verifier on your current SMS to check if the DB is clean and R80.10 compliant.

Then you clean up the DB if required.

Then you do the migrate export on your current SMS and migrate import on your fresh installation of R80.10 SMS.

If anything goes wrong with it, you can easily switch back to your old SMS by activating the old VM.

Hope this helps

Vincent_Bacher
Advisor

Yes, upgrading using migration tools is always the best way, imho.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
PhoneBoy
Admin
Rakesh_Dhanda
Explorer
Thanks Nicholas_Doropo for your support and explanation.