This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Platinum
MVP Platinum
‎2023-09-21 05:54 PM
Jump to solution

Migrate_server issue on Azure CP management server

Hey guys,

Apologies I dont have exact error I received when doing migrate_server verification and then export (will update tomorrow when on my corporate laptop), but I wanted to confirm something. Are there any limitations when doing this process on CP management server in Azure? I dont believe there would be, as I followed exactly what below sk outlines.

https://support.checkpoint.com/results/sk/sk135172

I downloaded R81.20 upgrade tools tgz package (though when I tried installing it on R81 Azure server, said newest package was already there) and idea is to do migrate export on R81 and import it into my R81.20 lab mgmt server.

I will upload logs and file as soon as I have access to it, but if anyone knows of any limitations doing this process on Azure side, please be free to share it in the meantime.

Its also worth mentioning I had done this many times for onprem mgmt server and never had an issue, but never on Azure, this was the first time.

Thanks a lot as always!

Andy

Best,
Andy
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2023-09-22 05:38 AM
Jump to solution

This is the command that worked, will see if it imports into R81.20 lab

Andy

[Expert@prd9cpmgmt01:0]# $MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check --ignore_warnings -v R81.20 /var/log/Export_for_Upgrade_from_R81_to_R8120.tgz

Best,
Andy

View solution in original post

0 Kudos
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-09-22 05:32 AM
Jump to solution

Quick update. I looked over generated html file and showed below, so I used the flag mentioned to see if it works (running it now)

Pre-Export Verifications Succeeded with Warnings

To export the database, address all the warnings or run the --ignore_warnings flag

 

  •       Upgrade Tools

    • Upgrade Tools Build Number  R81.20 997000713

  •       Logs

    • There are no upgrade logs because pre-export verifications detected configuration issues. Export cannot start until you fix these issues.

     

    [Expert@prd9cpmgmt01:0]# grep -i fail /opt/CPsuite-R81/fw1/log/upgrade_report-2023.09.21_20.08.21.html
    <h1 id="status">Failed to Load the Report</h1>
    statusHeader.innerHTML = "Failed to parse the upgrade data";
    (isOperationFinished(phases.import, dataAllDomains.status)) && isOperationFailed(phases.export, dataAllDomains) )
    // export verification in failed
    // export failed
    statusHeader.innerHTML = "Database Export Failed";
    let failedDomainExport = getFailedDomain(phases.export)[1];
    if (failedDomainExport != "") {
    openBtnsQueue.push(failedDomainExport + getPhaseWithUppercase(phases.export));
    // import verification in failed
    //import failed
    statusHeader.innerHTML = Upgrade_or_Migration + " Failed";
    // open failed domain section by default
    let failedDomainImport = getFailedDomain(phases.import)[1];
    if (failedDomainImport != "") {
    openBtnsQueue.push(failedDomainImport + getPhaseWithUppercase(phases.import));
    // upgrade failed
    domainFailedName = getFailedDomain(phase)[0];
    if (domainFailedName == "") {
    return getDescriptionForGeneralFail(dataAllDomains.description);
    return `Failed: ` + Upgrade_or_Migration + ` of "` + domainFailedName + `".<br>For more details see upgrade logs below`;
    // find the domain in which upgrade had failed
    function getFailedDomain(phase) {
    let isFailedDomain = !isOperationSucceeded(phase, dataPerDomain) && (isOperationFinished(phase, dataPerDomain.status) ||
    if (isFailedDomain) {
    function getDescriptionForGeneralFail(description) {
    description = description.replace(/(failed)/ig, `<span style="color:red;font-weight: bold;">$1</span>`);
    progressText.innerHTML = "Canceled due to a failure in other domain";
    progressText.innerHTML = "Canceled due to a failure in other domain";
    if (isOperationFailed(phase, dataAllDomains)) {
    } else if (dataAllDomains.importPostUpgradeStatus == "IMPORT_POST_UPGRADE_FAILED") {
    // failed
    } else if (dataAllDomains.exportPostUpgradeStatus == "EXPORT_POST_UPGRADE_FAILED") {
    // failed
    if (getFailedDomain(phase)[1] == dataPerDomain.domainId) {
    function isOperationFailed(phase,dataObject) {
    return phase == phases.post_upgrade || phase == phases.info || getFailedDomain(phase)[0] != domainName || ( isEmpty(dataAllDomains.description) && isEmpty(dataPerDomain.description) );
    // in case this is a failed domain and has no end time, show the end time of the general upgrade
    [Expert@prd9cpmgmt01:0]#

     

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-09-22 06:07 AM
In response to the_rock
Jump to solution

Maybe run_cpmdoc.sh will tell you more ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-09-22 05:38 AM
Jump to solution

This is the command that worked, will see if it imports into R81.20 lab

Andy

[Expert@prd9cpmgmt01:0]# $MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check --ignore_warnings -v R81.20 /var/log/Export_for_Upgrade_from_R81_to_R8120.tgz

Best,
Andy
0 Kudos
khumbokaunda
Explorer
Friday
In response to the_rock
Jump to solution

Did your R81.20 security management server continue to work properly even after you issued the --ignore_warnings flag? I'm just trying to ensure it won't cause any issues in my environment if I issue it too

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Friday
In response to khumbokaunda
Jump to solution

Yes, it worked just fine, no issues.

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to khumbokaunda
Jump to solution

Also, here is one thing you can do. If you navigate to $FWDIR/scripts dir, you can run ./migrate_server -h command and it will show you all the possible flags.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to khumbokaunda
Jump to solution

Like below:


[Expert@CP-MANAGEMENT:0]# cd $FWDIR/scripts
[Expert@CP-MANAGEMENT:0]# ./migrate_server -h

Use the migrate utility to: 1. Verify, export and import the Check Point
Security Management Server database.
2. Migrate_import_domain

1. Verify, export and import

Usage: migrate_server <ACTION> <PARAMETERS> [OPTIONS] <FILE>

ACTION (required parameter):

export - Exports the database of the Management Server or Multi-Domain Server.
import - Imports the database of the Management Server or Multi-Domain Server.
verify - Verifies the database of the Management Server or Multi-Domain Server.
print_installed_tools - returns the upgrade tools installed for a given version.

Parameters (required parameter):

'-v <target version>' Import version.

Options (optional parameters):

'-h' Show this message.
'-skip_upgrade_tools_check' Does not check for updated upgrade tools.
'-force-upgrade-flow' When the source and target servers are on the same major version,
migrate_server uses an accelerated flow to migrate the data.
This flag forces the full migration flow.
Note: if this flag is used, it is mandatory to use it both on export and import.
'-npb, --no_progress_bar' Disable the progress bar.
'-ivw, --ignore_warnings' Perform Export/Import although the pre-verification process raised warnings.
Note: option is valid for import, export and migrate_import_domain modes only.
'-l <N>' Export N last days of logs without log indexes.
'-l' Export/import all logs without log indexes.
'-x <N>' Export N last days of logs with log indexes.
'-x' Export/import all logs with log indexes.
'-n' Run non-interactively.
'--exclude-uepm-postgres-db' skip the backup/restore of PostgreSQL.
'--include-uepm-msi-files' Export/import the uepm msi files.
'--exclude-licenses' skip the restore of licenses.
'-mask' Hide sensitive information in exported DB.
Note: Applicable only when exporting.
'--verify_all_servers' Runs the verification process on all Management Servers and Log Servers.
Notes:
1) This flag is valid only for the 'verify' and 'export' operations.
2) This flag is supported on the versions R81 and higher.
3) List of servers, on which you can run the 'migrate_server verify' / 'migrate_server export'
command with the flag '--verify_all_servers':
- All Security Management Servers
- Multi-Domain Security Management Servers
- Multi-Domain Log Servers
4) List of remote servers, to which the 'migrate_server verify' / 'migrate_server export' command can connect:
- Security Management Servers
- Multi-Domain Security Management Servers
- Multi-Domain Log Servers
- Dedicated Log Servers
- Dedicated SmartEvent Servers
- Security Management Servers configured as a Backup of a Domain Management Server
Note:
Servers that are configured on a specific Domain on a Multi-Domain Security Management Server will be verified
only if there is a Domain Server of that Domain on the current Multi-Domain Security Management Server.
5) The default behavior:
- Only on Primary Management Servers, the 'migrate_server verify' command runs with the '--verify_all_servers' flag.
- On all servers except Primary Management Servers, the 'migrate_server verify' command runs with the '--verify_local_only' flag.
- On all servers without exception, the 'migrate_server export' command runs with the '--verify_local_only' flag.
'--verify_local_only' Runs the verification process locally, only on the current server.
Notes:
1) This flag is valid only for the 'verify' and 'export' operations.
2) The default behavior:
- On all servers except Primary Management Servers, the 'migrate_server verify' command runs with the '--verify_local_only' flag.
- On all servers without exception, the 'migrate_server export' command runs with the '--verify_local_only' flag.
'-skip_tools_check_on_remote' Specifies not to check for updated Upgrade Tools when running the verification process on remote Management Servers (not the current Management Server).
Notes:
1) This flag is valid only for the 'verify' and 'export' operations.
2) This flag is valid only when running the verification process on all Management Servers (not only on current server).

<FILE> (required parameter only for import):

Path to the archived file to export/import the database to/from.
Path to archive should exist.


2. Migrate_import_domain

Usage: migrate_server <ACTION> [OPTIONS] -o <FILE>

ACTION (required parameter):

migrate_import_domain - Imports the database of the Domain Management Server
from a Multi-Domain Server.

Parameters (required parameter):

'-o <FILE>' Path to the archived file to import the database from.

Options (optional parameters):

'-h' Show this message.
'-skip_upgrade_tools_check' Does not check for updated upgrade tools.
'-sn <Domain Server name>' Name of the Domain Management Server.
'-dsi <Domain Server IP address>' IP address of the Management Server.
Default is local machine.
'-skip_logs' Skip import logs (without log indexes).
'-npb, --no_progress_bar' Disable the progress bar.
'-ivw, --ignore_warnings' Perform Export/Import although the pre-verification process raised warnings.
Note: option is valid for import, export and migrate_import_domain modes only.

Note:
Run the utility either from the current directory or use
an absolute path.
[Expert@CP-MANAGEMENT:0]#

 

 

 

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-09-22 06:29 AM
Jump to solution

Was able to import fine into R81.20 lab, just did --ignore_warnings flag again. Thanks guys!

 

Andy

Best,
Andy
0 Kudos
Sanjay_S
Advisor
‎2024-07-01 06:15 AM
In response to the_rock
Jump to solution

Hi All,

Can we use the new IP for the domain as my Lab doesn't have the VLAN extended. Also need to test this first before completely migrate it from MDS to the new SMS. 

> Can we use different IP to the domain we import in the new SMS?

For example if we have the CMA IP: 10.10.1.100 in the existing one. Do we need to use the same IP or can we setup the new one in new SMS.

> Can we rename the CMA name while we import to the new SMS?

Please suggest.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events