This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MladenAntesevic
Collaborator
‎2021-05-01 06:18 AM
Jump to solution

R80.10 to R81 migration and licences

Hello,

I have a SMS version R80.10 running on a Smart-1 410 appliance (and a pair of R80.10 gateways running on 5600 appliances). I want to do an advanced upgrade with migration and I will do it for my SMS first. Since this is quite complex two steps process, doing first R80.10 - -> R80.40 with old ./migrate export tools and R80.40 - -> R81 with new ./migrate_server tools as a second step, I want to do it offline, to migrate my database to R81 virtual machine, assure that I can load my existing policy in R81 version before deploying it in my production network. So, in other words, my plan is to do all the migration offline, check if my policy is loading in R81 version and prepare ./migrate_server export from R81. If everything runs OK, I will reinstall Smart-1 410 from the scratch with R81 ISOMorphic tool and do ./migrate_server import owith already prepared database.

R80.10 - - > R80.40 went fine, but when I try export R80.40 - -> R81 I run into some troubles with licences. After the ./migrate_server import on a brand new R81 virtual machine, I do not see my licences, even trial 15-day licences are not valid any more. It seems that old migrate export tool always contains the license of the time of the DB export from SMS, but it is not the case for the new ./migrate_server tool. I tried it several times, and each time I got this message trying to connect with SmartConsole (see attached picture).

Is there some possibility to also transfer the licences with the new ./migrate_server tools as it was the case with old ./migrate tools?

 

Preview file
27 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-05-01 09:28 AM
Jump to solution

If you’re doing this in a VM based on what’s coming from a physical Check Point appliance, the license is only valid for that specific appliance, not in a VM.
You can confirm the licenses came over by doing a cplic print from the CLI.
If no licenses came over (I.e. cplic print is empty), that’s a bug and the TAC should be engaged.
You can apply an All-In-One Eval license to your VM after you perform the migration to confirm the rest of the configuration came over correctly. 

View solution in original post

10 Replies
PhoneBoy
Admin
Admin
‎2021-05-01 09:28 AM
Jump to solution

If you’re doing this in a VM based on what’s coming from a physical Check Point appliance, the license is only valid for that specific appliance, not in a VM.
You can confirm the licenses came over by doing a cplic print from the CLI.
If no licenses came over (I.e. cplic print is empty), that’s a bug and the TAC should be engaged.
You can apply an All-In-One Eval license to your VM after you perform the migration to confirm the rest of the configuration came over correctly. 

MladenAntesevic
Collaborator
‎2021-05-01 10:09 AM
In response to PhoneBoy
Jump to solution

Thanks @PhoneBoy  for you explanation, you are right, I took the migrate export from the physical CheckPoint appliance and tried ./migrate_server import into a VM. I now understand the reason why it does not work. I have checked cplic print, it only shows trial license, so real licences are not valid here. Thanks for your help, I will try to do an upgrade with the All-In-One Eval license.

the_rock
MVP Gold
MVP Gold
‎2021-05-01 10:25 AM
In response to MladenAntesevic
Jump to solution

Wait a second...if you did ./migrate export and import, that always imports the licenses from original server. I had done it many times and that was always the result. Are you saying it did NOT move over original licenses to a new server?

Best,
Andy
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-05-01 11:43 PM
In response to the_rock
Jump to solution

As stated above by PhoneBoy: the export from an appliance can not include licenses valid for VMs, only licenses for an appliance with the same MAC address.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
MVP Gold
MVP Gold
‎2021-05-02 05:19 AM
In response to G_W_Albrecht
Jump to solution

Ok, I see what you are saying...never really paid attention to that before, but I guess it makes sense : )

Best,
Andy
0 Kudos
_Val_
Admin
Admin
‎2021-05-02 11:50 PM
In response to G_W_Albrecht
Jump to solution

Technically, no. MAC is an ID of your appliance licenses, but they are enforced by IP address. Running appliance license or an open server/VM is still a violation of your service agreement though.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-01 08:08 PM
In response to MladenAntesevic
Jump to solution

FYI, you don’t apply the eval license after the migrate_server import.

0 Kudos
MladenAntesevic
Collaborator
‎2021-05-01 11:53 PM
In response to PhoneBoy
Jump to solution

Thanks @PhoneBoy  I will apply the eval license first.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-02 10:15 AM
In response to MladenAntesevic
Jump to solution

Actually, I had that incorrect: you do it after. 😬

MladenAntesevic
Collaborator
‎2021-05-02 11:36 PM
In response to PhoneBoy
Jump to solution

I got it, thanks @PhoneBoy 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events