This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fjulianom
Advisor
Thursday

MDS migration to new machine

Hi guys,

 

My customer wants to upgrade the MDS to latest version (from R81.10 to R81.20), and because in the past it had several issues and some fixes, he wants to start with a new clean machine. I have been reviewing and I think the best approach is "Upgrade with migration", which means to do a R81.20 fresh-install in an new machine, and then migrate the database from the old MDS to the new MDS. The process is explaine here. It seems quite simple, but:

 

1. What about this step

step5.PNG

My new MDS will have the same IP of the old MDS. Do I need a new license? If not, how can I export the current license to the new MDS?

 

2. In the last steps I will turn off the old MDS and turn on the new MDS (both are VMs):

laststep.PNG

Is that simple? No SIC problems or anything else?

 

3. I see the process quite simple, and with Check Point always there are surprises. Anything else to consider? All is migrated? Log Exporter, licenses, etc.

 

Any tip will be highly appreciated.

 

Regards,

Julián

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
Thursday

If the IP of the new system is the same, then you do not need a new license.
You also do not need to re-establish SIC.

Not sure if the Log Exporter configuration is included in migrate_server output if it was configured in the CLI (versus in SmartConsole).

emmap
Employee
Employee
Thursday
In response to PhoneBoy

Log exporter config from CLI is included in the migration but should be reviewed and tested as part of step 10.

Otherwise yes it really is that simple.

fjulianom
Advisor
yesterday
In response to PhoneBoy

Hi,

 

Then the process of licensing is automatic because the license is bound to the IP adress in SmartUpdate and the IP is the same?

 

Regards,

Julián

0 Kudos
PhoneBoy
Admin
Admin
yesterday
In response to fjulianom

The existing license is included in the migrate_server export output.
Since the IP of the new server is the same, that license will still be valid.
If the IP were different, you would have to generate new licenses, possibly with the help of Account Services.

Amir_Senn
Employee
Employee
Thursday

In my honest opinion I think you should try to convince them to use CPUSE anyway. If there's no specific reason to perform clean install, CPUSE is the best way to upgrade MDS. If they encountered issues in the past we need to rebuild their confidence in CPUSE upgrade. Doing the advance upgrade migration will not necessarily avoid issues, it all depends on what the issue is. Worst case scenario we have ways to revert back quickly and efficiently.

If they insist on advanced upgrade I have a few more pointers:

a. Make sure to use the -x flag - it will take significantly more time depends on the amount of logs and indexes but you definitely want to keep them.

b. Make sure to cancel/prolong timeout on your SSH session before export/import

Kind regards, Amir Senn
fjulianom
Advisor
yesterday
In response to Amir_Senn

Hi guys,

 

Thank you very much for your replies. About these points:

 

a. Make sure to use the -x flag - it will take significantly more time depends on the amount of logs and indexes but you definitely want to keep them.

      a1. --> One issue the MDS has now is with logs and indexes. If the indexes are bad and you export them... is not a good idea to export logs without indexes and then in the new machine index them? What will the process be for indexing them? Will it be to run command with -l option and after follow sk111766? Do I need to remove FetchedFiles?

      a2. --> According to this post there is also the possibility of copying all log files to an external storage, do the migrate without logs, and then when the new server is running, copy log files to and index them. Is this the previous point? I mean, run command "migrate_server" with -l option and after that index the logs.

b. Make sure to cancel/prolong timeout on your SSH session before export/import --> What is this for?

 

Regards,

Julián

0 Kudos
Amir_Senn
Employee
Employee
yesterday
In response to fjulianom

a1. If you have an issue with indexes it might be the indexer itself or something in the query process, not with indexes themselves. You can try using dr-log to debug. Anyway, you can definitely export logs only with -l flag and re-index them with the SK you suggested.

a2. It is possible but there's more room for error if you're no well acquainted with this. I suggest using dedicated tool for migration to do it.

b. If you're using SSH to reach the server and you're doing import it may take some time. During this time you will probably won't touch anything so the session could theoretically timeout. The operation will continue but you won't be able to see status, respond to request to start the processes and might miss errors that will happen during import. Use TMOUT=0 .

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events