Hi CheckMates.
According to a previous post https://community.checkpoint.com/t5/General-Management-Topics/Issue-in-Importing-Management-Server-M..., we should have the possibility to migrate, export and import SMS and CMA in different directions in R80.40.
I need to migrate a SmartCenter server to a CMA, where both source and destination are running R80.40. However, I cannot find the instructions to accomplish this in the documentation.
In "sk156072 - Domain Migration in R80.x" there is a section with "Migrating from Security Management Server to Domain Management Server", but these instructions are not working on a SmartCenter server.
Can anyone guide me to the instructions on how to migrate an R80.40 SmartCenter to a CMA on a R80.40 Multi-Domain Server?
Thanks in advance!
Best Regards
Peter Sode
Hi Maarten.
Correct, this command fails on my SmartCenter Server (SMS).
If I need to be logged in to System Data Domain, I don't know how to do this on a SMS??
Output:
[Expert@demo-mgmt-01:0]# mgmt_cli migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Username: fwadmin
Password:
code: "generic_error"
message: "Runtime error: Could not load domain 41e821a0-3720-11e3-aa6e-0800200c9fde, make sure you are logged in to System Data domain."
[Expert@demo-mgmt-01:0]# cpinfo -y all
This is Check Point CPinfo Build 914000202 for GAIA
[CPFC]
No hotfixes..
[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38
[IDA]
No hotfixes..
[FW1]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38
FW1 build number:
This is Check Point Security Management Server R80.40 - Build 019
This is Check Point's software version R80.40 - Build 082
[SecurePlatform]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38
[CPinfo]
No hotfixes..
[AutoUpdater]
No hotfixes..
[DIAG]
No hotfixes..
[SmartLog]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38
[Reporting Module]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38
[CPuepm]
No hotfixes..
[VSEC]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38
[R7520CMP]
No hotfixes..
[R7540CMP]
No hotfixes..
[R76CMP]
No hotfixes..
[SFWR77CMP]
No hotfixes..
[SFWR80CMP]
No hotfixes..
[R77CMP]
No hotfixes..
[R75CMP]
No hotfixes..
[NGXCMP]
No hotfixes..
[SFWCMP]
No hotfixes..
[FLICMP]
No hotfixes..
[SFWR75CMP]
No hotfixes..
[MGMTAPI]
No hotfixes..
[CPDepInst]
No hotfixes..
[CPUpdates]
BUNDLE_INFRA_AUTOUPDATE Take: 25
BUNDLE_R80_40_JUMBO_HF_MAIN Take: 38
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 13
[Expert@demo-mgmt-01:0]#
Best Regards
Peter
Same result, but this time without having to authenticate:
[Expert@demo-mgmt-01:0]# mgmt_cli -r true migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
code: "generic_error"
message: "Runtime error: Could not load domain 41e821a0-3720-11e3-aa6e-0800200c9fde, make sure you are logged in to System Data domain."
Br.
Peter
Hi Peter,
Unless I'm missing something, to run the migrate export from an SMS, you'd just use the migrate export command as usual; it's only when exporting from a CMA (i.e. the other way around) that you'd need a migrate-export-domain command.
Please let me know
thanks
Peter
From the SK mentioned:
Export Security Management Server:
Make sure all processes are up and running, using the "cpwd_admin list" command.
Run fw logswitch to close the active log files. Only closed logs are migrated.
Log in via API command to "System Data" domain and run migrate export to create a database archive file.
Run: #mgmt_cli migrate-export-domain file-path <full path to file> include-logs <true|false>
The line starting with 'Log in via API' says to use the domain System Data, so to make sure you use that, add -d "System Data".
It seems the SK is not OK. I have raised a ticket with the SK owner to fix.
"migrate-export-domain" API seems to be relevant to MDSM environment only.
Did you try to use the regular migrate export command on SMS and then import with MGMT CLI on MDSM side?
Correct, already reported to SK owner.
Please pay attention: it is wrong to use "-r true" or "--root true" in API commands in environments running in production with multiple administrators. Any command invoked with this parameter will be initiated from the built-in system administrator account and not from the actual administrator running this command, so audit logs will display a generic admin name and the operation will not be registered in audit logs with the actual admin name.
Still not working with "-d system":
[Expert@demo-mgmt-01:0]# mgmt_cli -r true -d system migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Error: Failed to login to the management server
[Expert@demo-mgmt-01:0]# mgmt_cli -d system migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Username: fwadmin
Password:
code: "generic_error"
message: "Runtime error: Domain 'system' not found!"
@Peter_Lyndley - Normally I would agree with you. However, the issue is that there is no way to import a "normal" migrate export into a CMA on a Multi-Domain Server in R80.40.
I have created SR# 6-0001990466 for this issue, and will post the result.
Thanks all,
Br.
Peter
Thanks @Maarten_Sjouw - the last command did the trick for the export 🙂
[Expert@demo-mgmt-01:0]# mgmt_cli -d "System Data" migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Username: fwadmin
Password:
---------------------------------------------
Time: [12:49:26] 4/5/2020
---------------------------------------------
"Export Domain SMC User" in progress (10%)
.
.
.
---------------------------------------------
Time: [12:56:20] 4/5/2020
---------------------------------------------
"Export Domain SMC User" in progress (66%)
---------------------------------------------
Time: [12:56:30] 4/5/2020
---------------------------------------------
"Export Domain SMC User" succeeded (100%)
tasks:
- uid: "a3009941-5f3b-4149-b466-f465c98e643a"
type: "task"
domain:
uid: "a0eebc99-afed-4ef8-bb6d-fedfedfedfed"
name: "System Data"
domain-type: "mds"
task-id: "a3009941-5f3b-4149-b466-f465c98e643a"
task-name: "Export Domain SMC User"
status: "succeeded"
progress-percentage: 100
start-time:
posix: 1588589365714
iso-8601: "2020-05-04T12:49+0200"
last-update-time:
posix: 1588589783763
iso-8601: "2020-05-04T12:56+0200"
suppressed: false
task-details: []
comments: "Export succeeded."
color: "black"
icon: "General/globalsNa"
tags: []
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1588589783785
iso-8601: "2020-05-04T12:56+0200"
last-modifier: "System"
creation-time:
posix: 1588589365719
iso-8601: "2020-05-04T12:49+0200"
creator: "System"
read-only: false
[Expert@demo-mgmt-01:0]#
I will now test the import into CMA and post the result.
Br.
Peter Sode
The command should include -d "System Data" to run correctly on SMS.
Hi Peter,
Please refer to "Installation and Upgrade Guide R80.40". Detailed instructions are inside the link.
Edited:
Make sure to invoke migrate-export-domain command when logged in to SystemDomain. (with "-u <username> -p <password> -d SystemData" parameters)
Example:
mgmt_cli migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false" -u <username> -p <password> -d SystemData
@Anton_Pluzharov I would agree with you, but the guide also has the same issue. The recommended command there is missing System Default domain reference:
mgmt_cli migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"
Hence it will fail in the same manner, as already discussed. I have actually tested that one on my side.
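The export sequence this thread converges on, collected as an added example (not code from any poster, the SK or Check Point): it runs the export as a named administrator in the "System Data" domain instead of with "-r true", and reports success only when the task output says so. The function name `export_sms` is hypothetical, and it assumes mgmt_cli prompts for the password when only -u is given.

```bash
#!/bin/bash
# Added example, not from the thread or the SK. export_sms is a hypothetical
# helper; the commands it runs are the ones quoted in the posts above.
# Usage on the SMS, in expert mode:
#   export_sms fwadmin /var/log/tmp/exportsms.tgz
export_sms() {
    local admin="$1" archive="$2" log

    if [ -z "$admin" ] || [ -z "$archive" ]; then
        echo "usage: export_sms <admin-name> <full path to .tgz>" >&2
        return 2
    fi
    # The SK text asks for a full path in file-path.
    case "$archive" in
        /*) ;;
        *)  echo "file-path must be a full path: $archive" >&2; return 2 ;;
    esac

    cpwd_admin list || return 1   # confirm all processes are up
    fw logswitch || return 1      # only closed log files are migrated

    log="$(mktemp)" || return 1
    # Named admin (-u) rather than "-r true", so the audit log shows who ran it.
    # No -p: assumed to prompt, which keeps the password out of shell history
    # and the process list.
    # -d must be exactly "System Data"; "system" gives "Domain 'system' not found!".
    mgmt_cli -u "$admin" -d "System Data" migrate-export-domain \
        file-path "$archive" include-logs false | tee "$log"

    # Judge by the task record: the failed runs above print
    # code: "generic_error" and never reach status: "succeeded".
    if grep -q 'status: "succeeded"' "$log" && [ -s "$archive" ]; then
        rm -f "$log"
        return 0
    fi
    rm -f "$log"
    echo "export did not succeed; do not start the import" >&2
    return 1
}
```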