Hello everyone, I have an old management server running on R75 which will be end of life soon. I have purchased a new management server and I need assistance to migrate all the rules, policies, objects and everything to the new management server running on R77. Any help please?
Easy option - get Check Point professional services
Otherwise read R77 installation and upgrade guide, Advanced upgrade section. It's a fairly straightforward job - you run export tool in old R75 Mgmt server and then import it in freshly built R77.
Do you have some SKs I can refer to, especially on how to run the export tool?
It's in the R77 documentation package: "Installation and Upgrade Guide" > section "Advanced Upgrade and Database Migration". It's a step by step guide covering
This was the error I received when I followed the process in the document "Installation and Upgrade Guide" > section "Advanced Upgrade and Database Migration" using CLI.
[Expert@cpmgt1]# ./migrate export scremy.tgz
Migrating from the current management version is not supported.
For information on what platforms are supported for upgrade
please refer to the release notes.
Execution finished with errors. See log file '/opt/CPshrd-R75/log/migrate-Wed_Jan_10_15-52-53_2018.log' for further details
Which version of R75 are you running? SPLAT or GAIA?
This appendix shows upgrade path CP_R77.30_Appendix_ReleaseNotes.pdf
If you are running version prior to R75.40 you will need to upgrade to R77 first, but read the release notes
I am running SPLAT on the old management server. Does that mean that I will be required to upgrade the old server to GAIA R77 before I can export the configuration files and import into the new management server?
No, you start new server as R77, do export from old using R77 tools and then upgrade new server from R77 to R77.30
Also a valid approach.
Personally I would go with a clean R77.30 install from the beginning, which includes "support for SHA-256 based certificates for all blades / features". Maybe some more good fixes included from the beginning, should be easier. Just another option.
Prince Osei Wiafe, and remember about the snapshot if you decide to upgrade the old server as a middle step.
Well, usually people get paid for that kind of help... I believe you should contact your Check Point partner or Check Point itself.
For now this information is not enough. There are several options to get this done depending on your current OS and software versions, enabled blades, hardware platform, and desired software version (I believe it should be Gaia R77.30). There could be some minor issues in the policy which should be fixed before the migration.
You will need these things for sure:
Gaia R77 Installation and Upgrade Guide PDF | Gaia R77 Installation and Upgrade Guide WEB
After a quick look I think that general steps should be:
If you're running R75 GA, then you will need to upgrade to an intermediary release first.
Plug your exact situation into the Upgrade Wizard in SupportCenter.
You'll get something like the following with appropriate download links.
Note upgrading to an intermediary release from your existing SPLAT management can be done in-place, whereas going to Gaia and R80.10 must be done with migrate export/import.
I also echo the sentiment that you should involve Professional Services (either from your partner or Check Point) to ensure your upgrade is smooth.
Hi Dameon, from your approach, does that mean that the old appliance which will be decommissioned be upgraded first to R77.30 using the steps before the migration can be done onto the new appliance?
If you upgrade on old appliance you lose ability for quick rollback - make sure that you make the snapshot before you start.
I would do export from old R75 to new appliance R77 and then upgrade new appliance to R77.30. But in this case you won't have "clean" R77.30 on the new box, but very quick rollback possibility.
You can do R75 to R77 upgrade on the old appliance, then do export and upgrade new to R77.30 (slow rollback!) So you don't need to upgrade old to R77.30 to answer your question. Just the intermediate part - R77.
If you are familiar with VMWare Player/Workstation, you can spin up R77 VM on your laptop and perform intermediate upgrade there: export R75 to VM R77, then export VM R77 to new R77.30 appliance. This way rollback is fast and you have "clean" new R77.30
Clear as mud!
But it sounds like you would be better off with professional help
Thanks Kaspars, this approach will help. The good thing is that I will quickly set up the VM and try what you proposed above.
Kaspars, so I tried with the first option following the instructions in the guide as instructed.
I also downloaded migration tools for R77 as suggested.
The following errors were encountered.
[11 Jan 15:17:48] [ExecCommandGetOutput] Going to execute command: '"/opt/Check_Point_migration_tools_R77/pre_upgrade_verifier" -p "/opt/CPsuite-R75/fw1" -c 6.0.2.0 -t 6.0.4.0'
[11 Jan 15:17:48] [ExecCommandGetOutput] ERR: Command completed with error code -1
[11 Jan 15:17:48] .<-- ExecCommandGetOutput
[11 Jan 15:17:48] [PreupgradeVerifierRunner::exec] ERR: Preupgrade verifier had failed
[11 Jan 15:17:48] [PreupgradeVerifierRunner::exec] Preupgrade verifier's output:
-------------------------------------
"/opt/Check_Point_migration_tools_R77/pre_upgrade_verifier" -p "/opt/CPsuite-R75/fw1" -c 6.0.2.0 -t 6.0.4.0: Permission denied
-------------------------------------
[11 Jan 15:17:48] <-- PreupgradeVerifierRunner::exec
[11 Jan 15:17:48] [ActivitiesManager::exec] ERR: Activity 'PreupgradeVerifierRunner' failed
[11 Jan 15:17:48] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[11 Jan 15:17:48] [ActivitiesManager::exec] WRN: Activities 'PreupgradeVerifierRunner' have failed
[11 Jan 15:17:48] [ActivitiesManager::exec] Designated exit code is 1
[11 Jan 15:17:48] --> CleanupManager::Instance
[11 Jan 15:17:48] <-- CleanupManager::Instance
[11 Jan 15:17:48] --> CleanupManager::DoCleanup
[11 Jan 15:17:48] [CleanupManager::DoCleanup] Starting to perform cleanup
[11 Jan 15:17:48] .--> DirCleaner::exec
[11 Jan 15:17:48] [DirCleaner::exec] Going to remove directory '/opt/CPsuite-R75/fw1/tmp/migrate/'
[11 Jan 15:17:48] .<-- DirCleaner::exec
[11 Jan 15:17:48] [CleanupManager::DoCleanup] Completed the cleanup
[11 Jan 15:17:48] <-- CleanupManager::DoCleanup
[Expert@cpmgt1]# /opt/Check_Point_migration_tools_R77/migrate export /scremy.tgz
Execution finished with errors. See log file '/opt/CPshrd-R75/log/migrate-Thu_Jan_11_15-25-37_2018.log' for further details
[Expert@cpmgt1]#
Is this normal?
Think I made headway... Database migration was successful on the source machine
[Expert@cpmgt1]#
[Expert@cpmgt1]#
[Expert@cpmgt1]# ./upgrade_export /scremy.tgz
You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.
Do you want to continue? (y/n) [n]? y
Copying required files...
Compressing files...
The operation completed successfully.
Location of archive with exported database: /scremy.tgz
I've helped customers go from R70 to R77.30 and R75 to R77.30. In both cases, I had to do a couple of "hops". (R70->R75->R77->R77.30) I used upgrade_import/upgrade_import for both and used clean hop systems. (i.e. I would NOT try this as an upgrade in place. If it goes south, you have no fallback.) We also had to go from SPLAT to Gaia. As Phoneboy mentions, you'll need migrate_import for the R80 step, but it's pretty much the same. But, this is the step that I would be most worried about since so many things have changed between R77 and R80. I would definitely prototype that with your production database to make sure it works. And, have that fallback - very important. It's a delicate process although simple in concept. If possible, I would do one hop at a time and test before moving on to the next. (If possible - it's not a showstopper if you can't)
And, at the risk of breaking rules here on the boards (Let me know if I'm out of line here Dameon), I am a Check Point partner who can do this for you or provide a "second pair of eyes" and guidance.
Thanks Michael. I will share the problems I encounter then you can advise on them.
Hi Prince,
If I understand your requirement correctly, you have a management server running on R75 Splat and you wanted to upgrade the configuration to R77 version.
- I suggest you go for R77.30, as the versions prior to R77.30 are already out of support.
Below procedure may be a bit lengthy but it will be the safest one to avoid any conflicts. I have personally performed this (nearly a triple-digit number of times) when assisting my customers.
1. Generate an upgrade_export on the existing Management server and take it out of the device (you can use winscp tool to take the file out of device).
- Refer SK54100 for procedure.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_export prince
2. Install a R75 splat Management server on a VMware/Virtual box with the same hostname and IP address as of live Management server.
3. Import the configuration (upgrade_import) on the Lab Management server which is created as per step-2. (Here you need to import the configuration file which is generated as per step-1.)
Example :
- Copy the configuration file(prince.tgz) under $FWDIR/bin/upgrade_tools/
- You can use winscp
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_import prince.tgz
4. Login to smart dashboard and cross check the configuration.
5. Copy the R77 Gaia migration tools on the lab management server which is installed as per step-2.
Migration tools link.
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...
MD5sum : 3002b2227d91e1a40a8bb2db69905475
- Copy this migration tools files under $FWDIR/bin/upgrade_tools/
- Extract it
#tar -zxvf Check_Point_migration_tools_R77_B059.Linux_SecurePlatform_Gaia.tgz
6. Generate an upgrade_export and take it out of the device.
- Refer SK54100 for procedure.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_export filename
7. Fresh install one more Management server on a VMware/Virtual box with R77 Gaia OS with the same hostname and IP address as of live server.
Fresh installation image link.
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...
MD5sum : 61615c1e07bd7624eb240c172e0d8783
8. Import the configuration file which is generated as per step-6. Login to Smart dashboard and cross check the configuration.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_import filename.tgz
9. Download & copy the migration tools of R77.30 Gaia.
Migration tools link.
MD5sum : 43d74fac8bb8e5d73b3c9c277acdbea1
10. Generate an upgrade_export.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_export Vishnu
11. Fresh install the new live management server with R77.30 Gaia with the same hostname and IP address as of old live server.
**********************************************************
Pay attention when choosing the R77.30 fresh installation image, you need to choose the relevant image as per sk114513.
**********************************************************
12. Import the configuration which is generated as per step-10.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_import Vishnu.tgz
13. Login to Smart dashboard and cross check the configuration.
14. Once successful, establish SIC with Firewall(s) and install policy.
NOTES.
- Cross check the md5sum value of all the images which are part of this activity to avoid conflicts.
- Once you are done with this activity, install the latest jumbo hotfix take.
- You should configure the hostname and IP address which is configured on current live server.
- While you export or import the configuration, the procedure consumes more space under root(/) and /var/log partition so assign the disk space accordingly. There are many instances where the import/export failed running out of disk space.
Good luck !!!!
Regards,
Vishnu.
https://www.linkedin.com/in/vishnu-vardhan-reddy-99776379/
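The NOTES in the procedure above (cross-check each image's MD5, and leave enough room under / and /var/log) can be scripted as a pre-flight check before every export or import hop. This is an added example, not part of the original post or of Check Point's tooling; the function names and the free-space floor in the usage comment are assumptions, while the file name and MD5 value are the ones quoted in step 5.

```bash
#!/bin/bash
# Added example: pre-flight checks before an upgrade_export / upgrade_import hop.

# Print the lowercase MD5 digest of a file.
file_md5() {
    md5sum "$1" 2>/dev/null | awk '{print tolower($1)}'
}

# verify_md5 FILE EXPECTED -> 0 match, 1 mismatch, 2 file missing or unreadable.
verify_md5() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "MISSING   $file"
        return 2
    fi
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK        $file"
        return 0
    fi
    echo "MISMATCH  $file (got $actual, expected $expected)"
    return 1
}

# Free space, in KB, on the filesystem that holds the given path.
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# has_space PATH MIN_KB -> 0 only if at least MIN_KB is free there.
has_space() {
    local free
    free=$(free_kb "$1")
    [ -n "$free" ] && [ "$free" -ge "$2" ]
}

# preflight FILE EXPECTED_MD5 MIN_KB: hash check, then / and /var/log space.
preflight() {
    verify_md5 "$1" "$2" || return 1
    for fs in / /var/log; do
        has_space "$fs" "$3" || { echo "LOW SPACE $fs"; return 1; }
        echo "OK        $fs has $(free_kb "$fs") KB free"
    done
}

# Runs only with three arguments (the 2097152 KB floor is an assumed value), e.g.:
#   ./preflight.sh Check_Point_migration_tools_R77_B059.Linux_SecurePlatform_Gaia.tgz 3002b2227d91e1a40a8bb2db69905475 2097152
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A mismatch or a missing file stops the hop before any import is attempted, so a corrupted or substituted download never reaches the management database.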
Thanks so much Vishnu. I will follow the procedure below and update you. It is very helpful.
Hi Vishnu, this might sound weird but I need to ask:
I was able to transfer files from my laptop to the management server running in the VM using WINSCP. Unfortunately, after I exported the configuration, I am not able to copy them from the VM using the same WINSCP application. The copying times out after it starts copying. What could be the issue here?
Please note that I change the shell to /bin/bash.
Hi, Prince, I created a Perl script you can use to import the rules from R77 to R80.10, and also some advice for the objects.
If you need it, ask me and I can explain to you how to use it. Or you can upgrade your environment step by step.
Let me know.
Kindly share the script with me
Hello Prince
look here...
community.checkpoint.com/docs/DOC-2177
I am not really sure what the issue is here - I have always been able to do migrate export file transfer from VMs using WinSCP. So I can only wish you good luck!