Sanjay_S
Advisor

MDS to Mgmt Server

Hi Team,

We are planning to decommission our Multi-Domain Server as we have only 4 domains. We are planning to migrate it to the individual Management server and decom MDS. 

We are running R81.10. Please let me know the best way to start the planning. I can't really find any document related to this.

Regards,

Sanjay S

Accepted Solutions
PhoneBoy
Admin

You can use the standard migration tools (migrate_server) to migrate a domain in MDS to a standalone SMS.
It should be similar to a regular "Advanced Migration" situation in the documentation. 

Sanjay_S
Advisor

Thank you PhoneBoy, do you mind sharing the document which gives this Advanced Migration information please.

PhoneBoy
Admin

the_rock
Legend

Just follow the sk, and you may also have to run the warnings flag I posted below last year, but it might not be needed; it's more just FYI.

Andy

https://community.checkpoint.com/t5/Management/Migrate-server-issue-on-Azure-CP-management-server/m-...

Sanjay_S
Advisor

Hi @PhoneBoy @the_rock 

I went through the documents, and I think the migrate_server option for a single domain is the best option. But after going through the docs, I have a few queries.

> The doc says migrate_server is an option used when we migrate a single domain or the complete MDS from a lower version to a higher version. Is it only lower version to higher version, or does it work to the same version as well?

> Do I need to use the same IP and same domain name for the migration from MDS to SMS? I don't find this in any of the docs.

But I saw @the_rock has done that in a lab, so I need to set it up in the lab first and then plan for all the migration process to follow. The lab doesn't have the same VLAN, so I can't use the same IP; I just wanted to understand the same. Also, when I migrate from MDS to SMS, the MDS is in our internal platform and the SMS is in the customer platform, so I need to change the IP at any cost. So is that possible?

Regards,

Sanjay S

the_rock
Legend

I would say labbing this up is your best bet, for sure. As far as changing IP, should be fine, just make sure routes are in place.

Andy

Sanjay_S
Advisor

Thank you very much @the_rock my concern was if it was possible to change the IP at all or not. 

My CMA IP I will change in SMS. This is what we need as per the requirements. Thanks again 🙂

the_rock
Legend

No worries, we are here to help.

Andy

PhoneBoy
Admin

migrate_server can be used to migrate to the same or higher version as the original domain.
If you change the IP after the fact (which is possible) you'll need to update the licenses accordingly.

Sanjay_S
Advisor

Great! That makes sense.

I need to set up the lab, and I see the Management server is CloudGuard for VMware ESX. Is this the image I need to use to set up the server?

https://support.checkpoint.com/results/download/123218

I am setting it up on a VMware ESXi host. I need to set up the Management server.

PhoneBoy
Admin

I usually install from the ISO myself, but yes, this should work also.

Sanjay_S
Advisor

Hi All,

I have created the new Management server. I used the below command to export.

[Expert@prd9cpmgmt01:0]# $MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check --ignore_warnings -v R81.10 /var/log/Export_for_Migration.tgz

I did not find any command to export a specific domain, so I exported all domains.

Now in the new Mgmt server I need to import a specific domain. Is that possible? If so, please suggest how to do that.

I tried using the below, but I am not sure how to specify the domain.

[Expert@MGMT:0]# cd $FWDIR/scripts/

[Expert@MGMT:0]# ./migrate_server migrate_import_domain -v R81.20 [-skip_upgrade_tools_check] [-l | -x] [/var/log/mdss.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Please suggest.

the_rock
Legend

Does it not give an option to type the domain name after migrate import domain?

Andy

Sanjay_S
Advisor

[Expert@CP-Test-Mgmt-Server:0]# ./migrate_server migrate_import_domain Test_Management_Server -skip_upgrade_tools_check --ignore_warnings -v R81.10 /var/log/Export_for_Domain_Migration.tgz

Usage:
upgrade_client.sh <ACTION> [OPTIONS] <FILE>

Action (required parameter):

export - exports database of Management Server/ Multi Domain Server.
import - imports database of Management Server/ Multi Domain Server.
verify - verifies database of Management Server/ Multi Domain Server.

Options (optional parameters):

'-h' Show this message.
'-ma <args>' Migrate args. Example: -ma l+d+i
'-revision <all|last>' Export all the revisions or only last revision
'-v <target version>' Version of target release ie. M1, M2, etc.
'-d <output directory>' Output directory (no archiving is performed)
'-non-interactive' Run non-interactively
'-n,--nonlocal' export only Non Local domains.
Default to export entire system.
Note: option is valid for export mode only.
'-i <server IP address>' IP address of Management Server
Default is local machine.
'-mu' run minimal setup postinstall
Note: valid for import mode only
'-do_not_collect_logs' Do not collect debug logs at the end of requested action. Default is to collect debug logs
Note: relevant for export & import only. The log files are archived and put in /var/log/ directory.
-a,--async do not wait will the end of task and print task Id
'-o <path to output file>' Path to output file
By default output file is generated in current working directory.
Note: option is valid for export mode only.
'-fp,--first_phase <phase>' Run miration in phases. Start from phase defined by <phase> argument.
Note: If the phase is not defined migration starts from the begining.
Note: option is valid for import mode only.
'-lp,--last_phase <phase>' Run miration in phases. Finish at phase defined by <phase> argument.
Note: If the phase is not defined migration runs till last migrate phase w/o interruptions
Note: option is valid for import mode only.
'-npb,--no_progress_bar' Disable the progress bar.
'-force-upgrade-flow' When the source and target servers are on the same major version, migrate_server uses an accelerated flow to migrate the data.
This flag forces the full migration flow.
Note: if this flag is used, it is mandatory to use it both on export and import.
'-ivw,--ignore_warnings' Perform Export/Import although the pre-verification process raised warnings.

File (required parameter only for import):

Name of archived file to import.

This is what is happening.

the_rock
Legend

I would check with TAC, not sure how it can be done if the option is not there, sorry.

Andy

Sanjay_S
Advisor

Hi @the_rock 

I see there is an option and tried it but failed.

[Expert@CP-Test-Mgmt-Server:0]# ./migrate_server

Use the migrate utility to : 1. Verify, export and import the Check Point
Security Management Server database.
2. Migrate_import_domain

1. Verify, export and import

Usage: migrate_server <ACTION> <PARAMETERS> [OPTIONS] <FILE>

ACTION (required parameter):

export - Exports the database of the Management Server or Multi-Domain Server.
import - Imports the database of the Management Server or Multi-Domain Server.
verify - Verifies the database of the Management Server or Multi-Domain Server.
print_installed_tools - returns the upgrade tools installed for a given version.

Parameters (required parameter):

'-v <target version>' Import version.

Options (optional parameters):
'-h' Show this message.
'-skip_upgrade_tools_check' Does not check for updated upgrade tools.
'-force-upgrade-flow' When the source and target servers are on the same major version, migrate_server uses an accelerated flow to migrate the data.
This flag forces the full migration flow.
Note: if this flag is used, it is mandatory to use it both on export and import.
'-npb,--no_progress_bar' Disable the progress bar.
'-ivw,--ignore_warnings' Perform Export/Import although the pre-verification process raised warnings.
Note: option is valid for import and export modes only.
'-l <N>' Export N last days of logs without log indexes.
'-l' Export/import all logs without log indexes.
'-x <N>' Export N last days of logs with log indexes.
'-x' Export/import all logs with log indexes.
'-n' Run non-interactively.
'--exclude-uepm-postgres-db' skip the backup/restore of PostgreSQL.
'--include-uepm-msi-files' Export/import the uepm msi files.
'--exclude-licenses' skip the restore of licenses.
'-mask' Hide sensitive information in exported DB.
Note: Applicable only when exporting.
'--verify_all_servers' Runs the verification process on all Management Servers and Log Servers.
Notes:
1) This flag is valid only for the 'verify' and 'export' operations.
2) This flag is supported on the versions R81 and higher.
3) List of servers, on which you can run the 'migrate_server verify' / 'migrate_server export'
command with the flag '--verify_all_servers':
- All Security Management Servers
- Multi-Domain Security Management Servers
- Multi-Domain Log Servers
4) List of remote servers, to which the 'migrate_server verify' / 'migrate_server export' command can connect:
- Security Management Servers
- Multi-Domain Security Management Servers
- Multi-Domain Log Servers
- Dedicated Log Servers
- Dedicated SmartEvent Servers
- Security Management Servers configured as a Backup of a Domain Management Server
Note:
Servers that are configured on a specific Domain on a Multi-Domain Security Management Server will be verified
only if there is a Domain Server of that Domain on the current Multi-Domain Security Management Server.
5) The default behavior:
- Only on Primary Management Servers, the 'migrate_server verify' command runs with the '--verify_all_servers' flag.
- On all servers except Primary Management Servers, the 'migrate_server verify' command runs with the '--verify_local_only' flag.
- On all servers without exception, the 'migrate_server export' command runs with the '--verify_local_only' flag.
'--verify_local_only' Runs the verification process locally, only on the current server.
Notes:
1) This flag is valid only for the 'verify' and 'export' operations.
2) The default behavior:
- On all servers except Primary Management Servers, the 'migrate_server verify' command runs with the '--verify_local_only' flag.
- On all servers without exception, the 'migrate_server export' command runs with the '--verify_local_only' flag.
'-skip_tools_check_on_remote' Specifies not to check for updated Upgrade Tools when running the verification process on remote Management Servers (not the current Management Server).
Notes:
1) This flag is valid only for the 'verify' and 'export' operations.
2) This flag is valid only when running the verification process on all Management Servers (not only on current server).

<FILE> (required parameter only for import):

Name of the archived file to export/import the database to/from.
Path to archive should exist.


2. Migrate_import_domain
usage: migrate_server <ACTION> [OPTIONS]

ACTION (required parameter):

migrate_import_domain - Imports the database of the Domain Management Server
from a Multi-Domain Server.

Options (optional parameters):


'-sn <Domain Server name>' Name of the Domain Management Server

'-dsi <Domain Server IP address>' IP address of the Management Server
Default is local machine.
'-skip_logs' Skip import logs (without log indexes.)

'-npb, --no_progress_bar' Disable the progress bar.

'-o <path to export file>' Path to export file.

Name of the archived file to import.


Note:
Run the utility either from the current directory or use
an absolute path.

Sanjay_S
Advisor

@the_rock 

I tried the below and got this error message.

[Expert@CP-Test-Mgmt-Server:0]# ./migrate_server migrate_import_domain -sn Test_Management_Server -skip_logs -o /var/log/Export_for_Domain_Migration.tgz
Failed to run migrate_server migrate_import_domain. Please verify that you use the correct export file and the correct command (import/migrate_import_domain).

Operation finished at Tue Jul 30 16:10:03 BST 2024

Is it because I am not using the right IP, as the domain IP in the export is different from the IP I am using on this new Mgmt server where I am importing? Or is it because the export was done for all the domains and I am now using the same export to import a specific domain? Any suggestions on this will really help me.

Regards,

Sanjay S

the_rock
Legend

I don't think it has to do with the IP, but with the domains; that would make more sense.

Sanjay_S
Advisor

I don't see an option to export a single domain at all 😞

the_rock
Legend

Sorry man, probably does not exist 😞

Are you able to open a TAC case to confirm 100%?

Andy

PhoneBoy
Admin

This command needs to be done at the domain level to get the specific domain (e.g. mdsenv MyDomain).
Same with the import command...done at the domain level.

Sanjay_S
Advisor

Thanks PhoneBoy,

But my requirement is exporting from the MDS and importing it to the SMS. So no mdsenv 😞

Does migrate_server only do MDS to MDS, or even MDS to SMS? Based on what I read and understood, it should work both ways.

PhoneBoy
Admin

When you do the export, do it from the domain (not MDS) context.
That should only get the relevant domain.
Then it can be imported into an SMS.

Sanjay_S
Advisor

@PhoneBoy Thank you for the response. 

I tried as you suggested and am getting the below error.

[Expert@LAB:0]# mdsenv Test_Management_Server

[Expert@LAB:0]# $MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check --ignore_warnings -v R81.10 /var/log/Export_for_Test.tgz
Error: /opt/CPsuite-R81.10/fw1/scripts/migrate_server utility can be executed only in a Multi-Domain environment. Run 'mdsenv' first.

the_rock
Legend

Do one thing... sorry, I had to delete my MDS lab, so I can't verify this, but when you go into the CMA environment, does it give you that same directory for scripts?

Andy

Sanjay_S
Advisor

@the_rock I can see the scripts are there in that path, and I tried doing this.

[Expert@LAB:0]#/opt/CPmds-R81.10/customers/Test_Management_Server/CPsuite-R81.10/fw1/scripts/migrate_server export -skip_upgrade_tools_check --ignore_warnings -v R81.10 /var/log/Export_for_Migration_Sothebys.tgz
Error: /opt/CPmds-R81.10/customers/Test_Management_Server/CPsuite-R81.10/fw1/scripts/migrate_server utility can be executed only in a Multi-Domain environment. Run 'mdsenv' first.

the_rock
Legend

Sorry man, I guess it's not possible then just for CMA context :-(

Sanjay_S
Advisor

Thanks @the_rock @PhoneBoy  for your support as always 🙂

the_rock
Legend

Are you able to open a TAC case to confirm this info 100%?

Andy
