Migrating R75 Management Server to New Release
Hello everyone, I have an old management server running on R75 which will be end of life soon. I have purchased a new management server and I need assistance to migrate all the rules, policies, objects and everything to the new management server running on R77. Any help please?
Easy option - get Checkpoint professional services
Otherwise read the R77 installation and upgrade guide, Advanced upgrade section. It's a fairly straightforward job - you run the export tool on the old R75 Mgmt server and then import it into the freshly built R77.
Do you have some SKs I can refer to, especially on how to run the export tool?
It's in the R77 documentation package: "Installation and Upgrade Guide" > section "Advanced Upgrade and Database Migration". It's a step by step guide covering
This was the error I received when I followed the process in the document "Installation and Upgrade Guide" > section "Advanced Upgrade and Database Migration" using CLI.
[Expert@cpmgt1]# ./migrate export scremy.tgz
Migrating from the current management version is not supported.
For information on what platforms are supported for upgrade
please refer to the release notes.
Execution finished with errors. See log file '/opt/CPshrd-R75/log/migrate-Wed_Jan_10_15-52-53_2018.log' for further details
Which version of R75 are you running? SPLAT or GAIA?
This appendix shows the upgrade path: CP_R77.30_Appendix_ReleaseNotes.pdf
If you are running a version prior to R75.40 you will need to upgrade to R77 first, but read the release notes.
I am running SPLAT on the old management server. Does that mean that I will be required to upgrade the old server to GAIA R77 before I can export the configuration files and import into the new management server?
No, you start new server as R77, do export from old using R77 tools and then upgrade new server from R77 to R77.30
Also a valid approach.
Personally I would go with a clean R77.30 install from the beginning, which includes "support for SHA-256 based certificates for all blades / features". Maybe some more good fixes included from the beginning, should be easier. Just another option.
Prince Osei Wiafe, and remember about the snapshot if you decide to upgrade the old server as a middle step.
Well, usually people get paid for that kind of help... I believe you should contact your Check Point partner or Check Point itself.
For now this information is not enough. There are several options to get this done depending on your current OS and software versions, enabled blades, hardware platform, and desired software version (I believe it should be Gaia R77.30). There could be some minor issues in the policy which should be fixed before the migration.
You will need these things for sure:
Gaia R77 Installation and Upgrade Guide PDF | Gaia R77 Installation and Upgrade Guide WEB
After a quick look I think that general steps should be:
- Upgrade current device to R75.40
- Install clean Gaia R77.30 on the new device
- Use R77.30 migration tools to migrate policies (think about logs too)
- Install the latest CPUSE and Jumbo Hotfix Accumulator on the new server
If you're running R75 GA, then you will need to upgrade to an intermediary release first.
Plug your exact situation into the Upgrade Wizard in SupportCenter.
You'll get something like the following with appropriate download links.
Note upgrading to an intermediary release from your existing SPLAT management can be done in-place, whereas going to Gaia and R80.10 must be done with migrate export/import.
I also echo the sentiment that you should involve Professional Services (either from your partner or Check Point) to ensure your upgrade is smooth.
Hi Dameon, from your approach, does that mean that the old appliance which will be decommissioned be upgraded first to R77.30 using the steps before the migration can be done onto the new appliance?
If you upgrade on old appliance you lose ability for quick rollback - make sure that you make the snapshot before you start.
I would do export from old R75 to new appliance R77 and then upgrade new appliance to R77.30. But in this case you won't have "clean" R77.30 on the new box, but very quick rollback possibility.
You can do R75 to R77 upgrade on the old appliance, then do export and upgrade new to R77.30 (slow rollback!) So you don't need to upgrade old to R77.30 to answer your question. Just the intermediate part - R77.
If you are familiar with VMWare Player/Workstation, you can spin up R77 VM on your laptop and perform intermediate upgrade there: export R75 to VM R77, then export VM R77 to new R77.30 appliance. This way rollback is fast and you have "clean" new R77.30
Clear as mud!
But it sounds like you would be better off with professional help
Thanks Kaspars, this approach will help. The good thing is that I will quickly set up the VM and try what you proposed above.
Kaspars, so I tried with the first option following the instructions in the guide as instructed.
I also downloaded migration tools for R77 as suggested.
The following errors were encountered.
[11 Jan 15:17:48] [ExecCommandGetOutput] Going to execute command: '"/opt/Check_Point_migration_tools_R77/pre_upgrade_verifier" -p "/opt/CPsuite-R75/fw1" -c 6.0.2.0 -t 6.0.4.0'
[11 Jan 15:17:48] [ExecCommandGetOutput] ERR: Command completed with error code -1
[11 Jan 15:17:48] .<-- ExecCommandGetOutput
[11 Jan 15:17:48] [PreupgradeVerifierRunner::exec] ERR: Preupgrade verifier had failed
[11 Jan 15:17:48] [PreupgradeVerifierRunner::exec] Preupgrade verifier's output:
-------------------------------------
"/opt/Check_Point_migration_tools_R77/pre_upgrade_verifier" -p "/opt/CPsuite-R75/fw1" -c 6.0.2.0 -t 6.0.4.0: Permission denied
-------------------------------------
[11 Jan 15:17:48] <-- PreupgradeVerifierRunner::exec
[11 Jan 15:17:48] [ActivitiesManager::exec] ERR: Activity 'PreupgradeVerifierRunner' failed
[11 Jan 15:17:48] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[11 Jan 15:17:48] [ActivitiesManager::exec] WRN: Activities 'PreupgradeVerifierRunner' have failed
[11 Jan 15:17:48] [ActivitiesManager::exec] Designated exit code is 1
[11 Jan 15:17:48] --> CleanupManager::Instance
[11 Jan 15:17:48] <-- CleanupManager::Instance
[11 Jan 15:17:48] --> CleanupManager::DoCleanup
[11 Jan 15:17:48] [CleanupManager::DoCleanup] Starting to perform cleanup
[11 Jan 15:17:48] .--> DirCleaner::exec
[11 Jan 15:17:48] [DirCleaner::exec] Going to remove directory '/opt/CPsuite-R75/fw1/tmp/migrate/'
[11 Jan 15:17:48] .<-- DirCleaner::exec
[11 Jan 15:17:48] [CleanupManager::DoCleanup] Completed the cleanup
[11 Jan 15:17:48] <-- CleanupManager::DoCleanup
[Expert@cpmgt1]# /opt/Check_Point_migration_tools_R77/migrate export /scremy.tgz
Execution finished with errors. See log file '/opt/CPshrd-R75/log/migrate-Thu_Jan_11_15-25-37_2018.log' for further details
[Expert@cpmgt1]#
Is this normal?
Think I made headway... Database migration was successful on the source machine
[Expert@cpmgt1]#
[Expert@cpmgt1]#
[Expert@cpmgt1]# ./upgrade_export /scremy.tgz
You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.
Do you want to continue? (y/n) [n]? y
Copying required files...
Compressing files...
The operation completed successfully.
Location of archive with exported database: /scremy.tgz
I've helped customers go from R70 to R77.30 and R75 to R77.30. In both cases, I had to do a couple of "hops". (R70->R75->R77->R77.30) I used upgrade_import/upgrade_import for both and used clean hop systems. (i.e. I would NOT try this as an upgrade in place. If it goes south, you have no fallback.) We also had to go from SPLAT to Gaia. As Phoneboy mentions, you'll need migrate_import for the R80 step, but it's pretty much the same. But, this is the step that I would be most worried about since so many things have changed between R77 and R80. I would definitely prototype that with your production database to make sure it works. And, have that fallback - very important. It's a delicate process although simple in concept. If possible, I would do one hop at a time and test before moving on to the next. (If possible - it's not a showstopper if you can't)
And, at the risk of breaking rules here on the boards (Let me know if I'm out of line here Dameon), I am a Check Point partner who can do this for you or provide a "second pair of eyes" and guidance.
Thanks Michael. I will share the problems I encounter then you can advise on them.
Hi Prince,
If I understand your requirement correctly, you have a management server running on R75 SPLAT and you wanted to upgrade the configuration to R77 version.
- I suggest you go for R77.30, as the versions prior to R77.30 are already out of support.
Below procedure may be a bit lengthy but it will be the safest one to avoid any conflicts. I have personally performed this (nearly a triple digit times) when assisting my customers.
1. Generate a upgrade_export on the existing Management server and take it out of the device(you can use winscp tool to take the file out of device).
- Refer SK54100 for procedure.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_export prince
2. Install a R75 splat Management server on a VMware/Virtual box with the same hostname and IP address as of live Management server.
3. Import the configuration (upgrade_import) on the Lab Management server which is created as per step-2. (Here you need to import the configuration file which is generated as per step-1).
Example :
- Copy the configuration file(prince.tgz) under $FWDIR/bin/upgrade_tools/
- You can use winscp
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_import prince.tgz
4. Login to smart dashboard and cross check the configuration.
5. Copy the R77 Gaia migration tools on the lab management server which is installed as per step-2.
Migration tools link.
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...
MD5sum : 3002b2227d91e1a40a8bb2db69905475
- Copy this migration tools files under $FWDIR/bin/upgrade_tools/
- Extract it
#tar -zxvf Check_Point_migration_tools_R77_B059.Linux_SecurePlatform_Gaia.tgz
6. Generate a upgrade_export and take it out of the device.
- Refer SK54100 for procedure.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_export filename
7. Fresh install one more Management server on a VMware/Virtual box with R77 Gaia OS with the same hostname and IP address as of live server.
Fresh installation image link.
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...
MD5sum : 61615c1e07bd7624eb240c172e0d8783
8. Import the configuration file which is generated as per step-6. Login to Smart dashboard and cross check the configuration.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_import filename.tgz
9. Download & copy the migration tools of R77.30 Gaia.
Migration tools link.
MD5sum : 43d74fac8bb8e5d73b3c9c277acdbea1
10. Generate a upgrade_export.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_export Vishnu
11. Fresh install the new live management server with R77.30 Gaia with the same hostname and IP address as of old live server.
**********************************************************
Pay attention when choosing the R77.30 fresh installation image, you need to choose the relevant image as per sk114513.
**********************************************************
12. Import the configuration which is generated as per step-10.
Example :
#cd $FWDIR/bin/upgrade_tools/
#./upgrade_import Vishnu.tgz
13. Login to Smart dashboard and cross check the configuration.
14. Once successful, establish SIC with Firewall(s) and install policy.
NOTES.
- Cross check the md5sum value of all the images which are part of this activity to avoid conflicts.
- Once you are done with this activity, install the latest jumbo hotfix take.
- You should configure the hostname and IP address which is configured on current live server.
- While you export or import the configuration, the procedure consumes more space under root(/) and /var/log partition so assign the disk space accordingly. There are many instances where the import/export failed running out of disk space.
Good luck !!!!
Regards,
Vishnu.
https://www.linkedin.com/in/vishnu-vardhan-reddy-99776379/
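The checks named in the NOTES of the procedure above (md5sum of each download, free space under / and /var/log), written out as an added shell example that is not part of the original post or of Check Point's tooling. The function names, the 2 GB default threshold and the execute-bit check on upgrade_export/upgrade_import are assumptions.

```shell
#!/bin/bash
# Pre-flight checks before upgrade_export / upgrade_import (added example).
# Function names and the 2 GB default threshold are assumptions.

# verify_md5 FILE EXPECTED: succeed only if FILE's MD5 matches the published sum.
verify_md5() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
}

# check_space DIR MIN_KB: succeed only if DIR's filesystem has MIN_KB free.
check_space() {
    local avail
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ -n "$avail" ] || { echo "cannot stat $1" >&2; return 2; }
    if [ "$avail" -lt "$2" ]; then
        echo "$1: only ${avail} KB free, need $2 KB" >&2
        return 1
    fi
}

# check_exec DIR TOOL...: succeed only if every TOOL in DIR is executable
# (a missing execute bit is one cause of "Permission denied" at launch).
check_exec() {
    local dir=$1 rc=0 tool
    shift
    for tool in "$@"; do
        [ -x "$dir/$tool" ] || { echo "not executable: $dir/$tool" >&2; rc=1; }
    done
    return $rc
}

# preflight ARCHIVE MD5 TOOLS_DIR [MIN_KB]: run all checks, report every failure.
preflight() {
    local rc=0 min_kb=${4:-2097152}
    verify_md5 "$1" "$2" || rc=1
    check_space / "$min_kb" || rc=1
    check_space /var/log "$min_kb" || rc=1
    check_exec "$3" upgrade_export upgrade_import || rc=1
    return $rc
}

# Usage: ./preflight.sh <tools archive> <published md5> <tools dir> [min KB]
if [ $# -ge 3 ]; then preflight "$@"; fi
```

Run it on each hop (lab VMs and the final server) with the MD5 published for that hop's download; a non-zero exit means at least one check failed and the reason is on stderr.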
Thanks so much Vishnu. I will follow the procedure below and update you. It is very helpful.
Hi Vishnu, this might sound weird but I need to ask:
I was able to transfer files from my laptop to the management server running in the VM using WINSCP. Unfortunately, after I exported the configuration, I am not able to copy them from the VM using the same WINSCP application. The copying times out after it starts copying. What could be the issue here?
Please note that I changed the shell to /bin/bash.
Hi Prince, I created a Perl script you can use to import the rules from R77 to R80.10, and also some advice for the objects.
If you need it, ask me and I can explain how to use it, or you can upgrade your environment step by step.
Let me know.
Kindly share the script with me
Hello Prince
look here...
community.checkpoint.com/docs/DOC-2177
I am not really sure what the issue is here - I have always been able to do migrate export file transfer from VMs using WinSCP. So I can only wish you good luck!
