Migrate MDS from R77.10 to R80.10
Hi all,
I would like to ask some questions regarding MDS. Basically, I am still new to deploying VSX and MDS. My task is to migrate MDS from version R77.10 to R80.10. The old MDS box is running version R77.10 and I need to export all the policies to migrate to the new MDS box that is running version R80.10. Are there any tools or steps that I can use to migrate policy from R77.10 to R80.10?
Accepted Solutions
Hi Muhammad,
For the purposes of your test migration to a lab environment, your CMA can be migrated by following the below. The below excerpt has been copied from the "Installation and Upgrade Guide R80.10". I would recommend reading the guide, specifically the section "Upgrading an R77.xx Multi-Domain Security Management with Migration", before proceeding with the lab environment so that the full process is understood before proceeding.
Installation and Upgrade Guide R80.10
"To import from R77.xx Domain Management Server to R80.10:
- On the Multi-Domain Server with the active global policy, get the Upgrade Tools from the R80.10 CD or ISO.
- Extract the tools.
  Extraction makes the upgrade_tools subdirectory. In this path, extract the Multi-Domain Security Management tools - p1_upgrade_tools.tgz
  For example:
  Install from CD:
  # gtar xvfz /mnt/cdrom/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C /var/opt/export_tools
  Install from DVD:
  # gtar xvfz /mnt/cdrom/Linux/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C /var/opt/export_tools
- Go to the context of the Domain Management Server. Run:
  # mdsenv <IP address or Name of Domain Management Server>
- Run:
  # cd <full path to migrate command>
  # ./migrate export [-l] <output file>
  - The migrate export command exports one Domain Management Server database to a TGZ file.
  - The output file must be specified with the fully qualified path. Make sure there is sufficient disk space for the output file.
  - The optional -l flag includes closed log files and SmartLog data from the source Domain Management Server in the output archive.
- On the R80.10 Multi-Domain Server, run these API commands to create a new Domain and a new Domain Management Server (without starting it):
  # mgmt_cli --root true add domain name <my_domain_name> servers.ip-address <my_IP_address> servers.name <my_domain_server_name> servers.multi-domain-server <R80.10_multi-domain-server_Name> servers.skip-start-domain-server true
  Important! - After you create the new Domain with this command, do not change the Domain IP address until you run the cma_migrate command.
- Copy the TGZ file from the source Domain Management Server to the R80.10 Multi-Domain Server. Import the exported database:
  # unset TMOUT
  # cma_migrate <source management tgz file> <target Domain Management Server $FWDIR directory>
For example:
|
This command updates the database schema before it imports. First, the command runs pre-upgrade verification. If no errors are found, migration continues. If there are errors, you must change the source Domain Management Server according to instructions in the error messages. Then do this procedure again."
Source: Installation and Upgrade Guide R80.10 > Upgrading an R77.xx Multi-Domain Security Management with Migration
As per previous recommendations, to ensure that the migration goes smoothly and there are no issues during or after, I would recommend the professional services route as previously mentioned.
Regards
Mark
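Added example, not part of the original post or of the Check Point guide: shell helpers for the two constraints the quoted procedure states for the export (fully qualified output path, sufficient disk space) plus an integrity check on the TGZ between the copy and the import. The function names and the 2x headroom factor are assumptions, and it assumes `du`, `df` and `sha256sum` are available on both servers.

```shell
#!/bin/sh
# Added example: pre-flight and integrity checks around the export/copy steps.
# Helper names and the default 2x headroom factor are hypothetical.

# The guide requires a fully qualified output path for "migrate export".
is_fully_qualified() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Succeeds when the filesystem that will hold output file $2 has at least
# FACTOR ($3, default 2) times the size of source directory $1 free, in KiB.
has_space_for() (
    factor=${3:-2}
    need_kb=$(( $(du -sk "$1" | awk '{print $1}') * factor ))
    free_kb=$(df -Pk "$(dirname "$2")" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$need_kb" ]
)

# On the source server: write <archive>.sha256 next to the exported archive.
write_digest() (
    cd "$(dirname "$1")" || exit 1
    sha256sum "$(basename "$1")" > "$(basename "$1").sha256"
)

# On the target server, after copying the archive and its .sha256 file:
# fails if the archive no longer matches the digest taken at the source.
verify_digest() (
    cd "$(dirname "$1")" || exit 1
    sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1
)

# Intended order (commands from the guide shown as comments only):
#   is_fully_qualified "$OUT" && has_space_for "$FWDIR" "$OUT" || exit 1
#   ./migrate export "$OUT"          # on the source Domain Management Server
#   write_digest "$OUT"              # then copy $OUT and $OUT.sha256 across
#   verify_digest "$OUT" || exit 1   # on the R80.10 server, before cma_migrate
```

The digest only shows that the copied archive is the one that was exported; the pre-upgrade verification that `cma_migrate` runs is still what checks the database itself.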
Hi Muhammad,
For migration to R80.10 MDS, the following link should detail all the required steps and pre-reqs.
Installation and Upgrade Guide R80.10
Topic: 158379 within the link. Couldn't link directly to the page.
I would recommend a good plan and also run through in a lab if you have time to build one.
Regards
Mark
Hi @Mark Mitchell,
Thank you for the link. Basically, I will export the MDS and import it into a lab environment before deployment. Another question: how do we export a CMA that is running version R77.10 to R80.10? Are the steps the same, like copy migration tools R80.10 > put inside R77.10 > and run ./migrate export, or is there another solution?
Regards,
Muhammad
Hi Mark Mitchell,
Thank you for the guide. I will perform the lab testing and report back if I run into an issue. Thanks again. About the global object: before I do the migration from R77.10 to R80.10, I need to remove the global object from the local policy layer, right?
Hi Muhammad,
You can also migrate the global policy database using the "migrate_global_policies" command.
However, the Multi Domain Server and Domain Servers will be stopped whilst this is completed.
Regards
Mark
Muhammad,
Upgrading or migrating MDS with VSX is one of the most complex tasks there is, so I am hesitant to recommend any steps for you to follow in order to achieve this.
Unless you are familiar with these products, you may not even realize the limitations that the R80+ version imposes on MDS. Please search this forum for the threads pertaining to this subject, there are quite a few of them.
I strongly suggest engaging Check Point professional services to aid you with this project. Even with them taking a lead it may not be a trivial undertaking.
Regards,
Vladimir
As far as I see, one needs to completely rebuild VSX at some point. Although with the vsx provision utility it can be done in a short period of time, I second the suggestion of engaging external consulting to plan and perform the migration.
Hi Valeri,
When upgrading MDS, there is no need to recreate the VSX, as the version of the VSX stays the same, and the objects in the mgmt DB are updated as part of the mgmt upgrade, similar to SGW objects.
When upgrading the VSX itself, there is also no need to recreate the VSX. The procedure should be:
1. Upgrade the mgmt DB using vsx_util upgrade
2. Run cpuse upgrade on the gw (if you have a VSX cluster, use the CU procedure to preserve connections between the members)
Both vsx_util upgrade and cpuse upgrade preserve the existing configurations.
If the migration preserves the same domain names and IPs, the new mgmt will work seamlessly with the old VSX. If there is a change in domain name or IP, you can recreate the VSX automatically with the vsx_util reconfigure command from the new domain.
The topic starter mentioned export of policies. I assume the story is about per-domain gradual migration. If so, it is not possible to do today by standard tools with VSX in place.
If this is a one-shot advanced upgrade of the whole MDS, I do agree with you, there is a standard procedure to do so, regardless of VSX.
In my comment I was addressing the first scenario only.
Completely agree with Vladimir Yakovlev: if you are new to both products, VSX and MDS, engage with your preferred Check Point Partner and/or Check Point professional services.
Regards
Mark
I would use the export_mds script to create an export of the R77.10 MDS and use mds_import on the R80.10 MDS to get this migration done.
The only thing would be to make sure you have enough disk space on the R77.10 machine to be able to store the export file.
The main advantage of this method is that you can first run a dry run on a test VM R80.10 MDS.
Hi Maarten Sjouw,
Sorry for the late reply. Do you mean that you export the R77.10 config using the R80.10 export_mds script and import it to the R80.10 MDS? Did you encounter any errors while exporting R77.10 using the R80.10 script?
Sorry, I have not done this myself yet. I will be doing this in a couple of months with a set of 3 MDSs with around 150 CMAs on them.