Re: Is there a way to migrate object and polocy da...

Vasil_Genov · ‎2018-12-10

Hi all,

relatively new to this, so in short, is there a way to export object database and firewall policy database form r77.20 to r80.10. We are replacing old FWs to new ones and we want to keep the same setup. We have new gateways and new management server.

thanks in advance.

G_W_Albrecht · ‎2018-12-10

This is covered in the CP R80.10 Release Notes - Clean install with Advanced Database Migration for the SMS, the GW upgrade method depends on complexity of OS config (if simple, fresh install and config is preferred).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Lari_Luoma · ‎2018-12-10

1. Download the management Server Migration Tool (R77.x to R80.10) from the below SK:

Check Point R80.10

2. Untar the tgz to a temp directory on your management server

3. Go to your temp directory and run:
./migrate export [name_of_the_export]

4. copy the [name_of_the_export].tgz to a newly installed R80.10 SMS (first time wizard must be run)

5. Run ./migrate import [name_of_the_export].tgz

Done!

Migration will take some time depending on the size of the database.

Once the migration is done it still takes some more time before all processes are up. You can monitor them with the following script:

$CPMDIR/scripts/check_cpm_status.sh

Vasil_Genov · ‎2018-12-12

When I try to do ./migrate export I get

bash: ./migrate: Permission denied

I am using an admin account and am In expert mode.

Vasil_Genov · ‎2018-12-13

Ok, I finally managed to run the ./migrate export comand but I get no file only a error log, in which it staits that there are some rules that need to be changed, to be working on r80, but I never get a file.

thanks again

Lari_Luoma · ‎2018-12-13

Right. We have changed the underlying architecture in R80.x compared to the older versions. That's why you might need to make some changes to configuration before upgrade is allowed.

The same tgz-packet with the migrate-script contains another script called pre_upgrade_verifier. Run that script to get a report of possible problems and how to change them. Syntax is something like ./pre_upgrade_verifier -c R77 -t R80

There are three categories of messages in the PUV-report:
ERROR: Must be fixed before the upgrade can take place

WARNING: Recommended to be fixed before or after the upgrade

INFORMATION: No need for action. Just good to know info.

After fixing the issues, run migrate export again.

Also please review Release Notes and Installation and Upgrade Guide for the relevant version.

Vasil_Genov · ‎2018-12-11

Do I need to use cpstop to do the ./migrate export command ?

The current management server is on the one of the gateways and they are still in prodcution.

Thanks again!

PhoneBoy · ‎2018-12-12

Yes it requires a cpstop.

G_W_Albrecht · ‎2018-12-12

If you need to go from StandAlone Deployment (GW and SMS in one unit) to distributed deployment, i would suggest two steps:

First change the R77.20 to a distributed deployment (see sk61681: How to migrate from Standalone configuration to Distributed or sk44201: How to migrate Full HA environment to Distributed environment). Migration of Full HA environment to Distributed environment is not supported in R80.x

Then use the procedures above to migrate to R80.x0

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Lari_Luoma · ‎2018-12-12

cpstop is recommended, but you can do it without if you just make sure that no SmartConsole clients are connected to the management server when you are running the export.

Danny · ‎2018-12-12

Just install Check Point's disconnect_client utility an execute: ./disconnect_client; migrate export ..

Are you a member of CheckMates?

Is there a way to migrate object and polocy database from r77.20 to r80.10