This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fjulianom
Advisor
a week ago

Does migrate_server export stop processes?

Hi community,

 

Just a quick question, does migrate_server export stop processes? It is not clear. I have lookup at the documentation, and R81.20 CLI Reference guide doesn't explicitly says it does for export, but it does explicitly says it does for import

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CLI_ReferenceGuide/Content/T...

migrate_server.PNG

But the same page shows the following picture:

migrate_server_2.PNG

And sk135172 explictly says it stops the processes for both import and export:

migrate_server_3.PNG

I have tested in my lab with a virtualized R81.20 MDS, and when I run ./migrate_server export I don't have the message "You are required to close all clients to Security Management Server or execute 'cpstop' before the Export operation begins.". And during the process I checked with mdsstat and see all the processes up, and also CPM: Check Point Security Management Server is running and ready.

So, what do you think?

 

Regards,

Julián

 

 

0 Kudos
6 Replies
Peter_Lyndley
Advisor
Advisor
a week ago

I have used migrate_server quite a few times.

From memory, the export process will ask you if you want to stop/start services on an SMS but on an MDS nothing is restarted. However - we see that certain functions of this CMA and all other CMAs are locked during the time the migrate_server script is running.(i.e policy push)

For import , on an SMS - there is no system running whilst you do an import , you cannot import over a working SMS.

For import on an MDS - again it is creating a new CMA when you import, so does not affect existing. However - again some processes are locked out whilst the import is running on all other CMAs

fjulianom
Advisor
a week ago
In response to Peter_Lyndley

Hi,

It is very weird. It seems when sk135172 says "The "migrate_server export" command requires to close all SmartConsole clients and to stop all Check Point services on the Management Server (cpstop)." is for an SMS, and not MDS, although at the top says Product: Multi-Domain Security Management, Quantum Security Management.

And there are also a couple of things, when running the command migrate_server export, in the message (that I don't receive in an R81.20 MDS) "You are required to close all clients to Security Management Server or execute 'cpstop' before the Export operation begins.":

1. It says OR and not AND. It seems if you close all clients, you don't need to execute cpstop. So executing cpstop is for making sure all clients are closed.

2. It says cpstop, in an MDS cpstop doesn't exists but mdsstop.

 

I have made test in lab and these are some results:

a. In an R81.20 SMS, the ./migrate_server export command triggers the message "You are required to close all clients to Security Management Server or execute 'cpstop' before the Export operation begins.". If you don't close all the clients or do cpstop, the export fails.

b. In an R81.20 MDS, the ./migrate_server export command works with no problem. If you even have SmartConsole clients, you can see in them "export process is in progress" in the botton left bar.

c. In an R80.20 MDS, the ./migrate_server export command kicks the message "The export operation will eventually stop all Check Point services (mdsstop). Do you want to continue (yes/no) [n]?".

So it seems in all this process affects if is run on a SMS, or MDS, and also the version. Check Point documentation is ambiguous. What do you think?

 

Regards,

Julián

0 Kudos
G_W_Albrecht
Legend Legend
Legend
a week ago
In response to fjulianom

Why not open an informative SR# with CP TAC ?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
fjulianom
Advisor
a week ago
In response to G_W_Albrecht

Hi,

 

Many times they say if your question is not a technical issue is out of TAC's scope.

 

Regards,

Julián

0 Kudos
G_W_Albrecht
Legend Legend
Legend
a week ago
In response to fjulianom

Why should this be no technical issue ? It is purely informational, so should be kept on severity low, and you should explain why the answer is important for you.

I have looked into the migrate_server script and the upgrade_client script that it calls, but i only could see that FWM is is killed and SMS / MDS are treated much differently.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
a week ago

It’s my experience that migrate_server and the old migrate command it replaced will stop all related management processes (at the CMA level for MDS).

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events