Migrate R80.10 SmartCenter to R80.10 Domain Server

Martijn · ‎2017-08-15

Hi,

I am running into problems when migrating a R77.30 SmartCenter to a R80.10 Domain Server on Multi Domain.

Pre-upgrade Verifier is not reporting any problems, so this should work. But is does not.

Strange thing is: a migration from R77.30 SmartCenter to R80.10 SmartCenter is working fine.

So I want to migrate this R80.10 SmartCenter into a R80.10 Domain Server on Multi Domain. But this fails right away.

I am not sure this type of migration is supported. I think it should, because you can have customers that want to migrate from R80.10 SmartCenter to a Domain Server.

I will not post the whole migration log, but some errors from the logs are posted below:

--------

[15 Aug 11:32:14] [CanonicalizePath] Canonicalizing path '"/opt/CPmds-R80/bin/ip_migrate_fix" x.x.x.x'
[15 Aug 11:32:14] [CanonicalizePath] Resulting path: '"/opt/CPmds-R80/bin/ip_migrate_fix" x.x.x.x'
[15 Aug 11:32:14] ...<-- CanonicalizePath
[15 Aug 11:32:14] ...--> ExecCommandGetOutput
[15 Aug 11:32:14] [ExecCommandGetOutput] Going to execute command: '"/opt/CPmds-R80/bin/ip_migrate_fix" x.x.x.x'
[15 Aug 11:32:14] [ExecCommandGetOutput] ERR: Command completed with error code -1
[15 Aug 11:32:14] ...<-- ExecCommandGetOutput
[15 Aug 11:32:14] [CommandRunner::exec] Command's output:
-------------------------------------
CCpmDbUtils::login> Failed to get login to ngm server using domain id '80fe2c11-a2ee-4e6b-adf7-09cf16384fe8' (80041d8a)
CCpmDbUtils::login> Failed to log-in into CPM server.
Failed to login to CPM server!
-------------------------------------
[15 Aug 11:32:14] [CommandRunner::exec] ERR: Command execution had failed
[15 Aug 11:32:14] ..<-- CommandRunner::exec
[15 Aug 11:32:14] .<-- CmaMigrateFixRunner::exec
[15 Aug 11:32:14] <-- ConditionalExecutor::exec
[15 Aug 11:32:14] [ActivitiesManager::exec] ERR: Activity 'ConditionalExecutor' failed
[15 Aug 11:32:14] [ProgressUpdater::UpdateProgressToGaia] Progress Updated to '71.7949
[15 Aug 11:32:14] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[15 Aug 11:32:14] [ActivitiesManager::exec] WRN: Activities 'ConditionalExecutor' have failed
[15 Aug 11:32:14] [ActivitiesManager::exec] Designated exit code is 1
[15 Aug 11:32:14] --> CleanupManager::Instance
[15 Aug 11:32:14] .--> CleanupManager::CleanupManager
[15 Aug 11:32:14] .<-- CleanupManager::CleanupManager
[15 Aug 11:32:14] <-- CleanupManager::Instance
[15 Aug 11:32:14] --> CleanupManager::DoCleanup
[15 Aug 11:32:14] [CleanupManager::DoCleanup] Starting to perform cleanup
[15 Aug 11:32:14] [CleanupManager::DoCleanup] Completed the cleanup
[15 Aug 11:32:14] <-- CleanupManager::DoCleanup

I have a case with support, but maybe some of you had a simular issue. I am using the latest migration tools for R80.10.

Regards,

Martijn.

Lesley_Willems · ‎2017-08-16

Hi,

Should be supported. On SMS you did a 'upgrade_export'? On Multi Domain Server create dms with same name and IP as sms. You can create a new Domain Management Server and then import the export file with the GUI or CLI.

Cheerz,

Lesley

Martijn · ‎2017-08-16

Hi,

Yes, I have run the migrate export with the R80.10 tools on the R80.10 SmartCenter.

On the Multi Domain Server I have created a new Domain Server with the same name (did not start the Domain Server) and import the export file with cma_migratie.

This is the error I see in the console:

Pre-migrate verification ended successfully.
A log file was created: /opt/CPmds-R80/customers/sms/CPsuite-R80/fw1//log/pre_migrate.log

Proceeding with migration.

Execution finished with errors. See log file '/opt/CPmds-R80/customers/sms/CPshrd-R80/log/migrate-2017.08.15_11.32.10.log' for further details

Migration not completed.
Failed to login

Restart the Multi-Domain Server processes
[Expert@mdm:0]#

I have a case with Check Point support and they talked to R&D. It seems the procedure I want to perform is not supported.

Regards,

Martijn.

Daniel_Lavi · ‎2017-08-16

Did you create the DMS through mgmt_cli? If so, did you use the flag to not start it when created? In previous version that should have been done through smart domain but in R80 it can only be done through the API.

PhoneBoy · ‎2017-08-24

It looks like this is a documented limitation.

From Installation and Upgrade Guide R80.10:

Migration from standalone Security Management Server to Domain Management Server is supported only from pre-R80 to R80.10.

This limitation is expected to be removed in later releases.

Jonathan_Pitt · ‎2017-11-14

I raised this query at London CPX last week during the Ask Me Anything breakout section.

I have requirements to migrate R80.10 Smartcenters into R80.10 MDS and also CMA migrations from R80.10 MDS to different R80.10 MDS platforms (not least to enable an effective and granular backup strategy that doesn't rely on mds_backup). It appears that at present any R80.10 CMA's / Databases I hold on my management platform are locked in place with no opportunity for useful release e.g. should one of my clients decide to leave my MDS platform I am not in a position to give them a working copy of their policy/config for them to deploy elsewhere if they choose.

I was advised there may be tools available but as yet I am unable to find them. Anyone able to expand on this please?

Thanks

PhoneBoy · ‎2017-11-14

There are a couple tools available to migrate objects and rules in Developers (Code Hub)‌ between different installations.

Python tool for exporting/importing a policy package or parts of it‌
CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.25.01...

There may be other tools in there as well.

Improving backups and exportability is something I know is in the plans for later releases.

Ben_Dunkley · ‎2018-02-21

Is R80.x to R80.10 migration still unsupported?

The reason that I ask is that the R80.10 page does now list R80.10 migration tools, with the attached instructions stating:

"This Migration Tool can be used for Gaia OS migration of an R80.10 Database to a different R80.10 server."

(The R80.10 install/upgrade guide still says it's not supported, and the release notes don't include advanced migration as a possible R80/R80.10 to R80.10 upgrade path)

PhoneBoy · ‎2018-02-21

I think previously there wasn't a tool to do it, which is why the docs say "unsupported."

With a tool existing to do it, I think it's safe to say it's supported.

https://community.checkpoint.com/people/rzeld8aed3bb-2b5a-3786-8ec1-61093ba6a9c8‌ can help get the docs updated.

StellaShteinbuk · ‎2018-02-26

As for today, only in place upgrade with CPUSE from R80 to R80.10 management is supported, the description of Migration tool is correct

Robert_Decker · ‎2018-03-15

https://community.checkpoint.com/docs/DOC-2745-migrating-r8010-smartcenter-to-r8010-cma-meet-your-be...

Lari_Luoma · ‎2018-12-11

This limitation seems to be still in place for R80.10 to R80.20 upgrades.The challenge with the Python tool is that it won't migrate the ICA, so the SIC must be reset. What is the plan to allow migrations between minor R80.x versions? Dameon Welch-Abernathy Tomer Sole

PhoneBoy · ‎2018-12-12

The mechanism that we are using for R80.20.M1 upgrades will, in the future, also allow for these sorts of migrations.

Not sure of the exact timing of this.

Are you a member of CheckMates?

Migrate R80.10 SmartCenter to R80.10 Domain Server