This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-08-30 02:13 PM

Migration/Update of SMS CP Gaia OS

Hello, people.

 

Currently we want to install from 0 a CP in Standalone R81.10, in OPEN SERVER (On ESXi).

 

We have now a CP in Standalone in version R80.30 that is damaged.

 

We want to use the migrate_server to export the database of the damaged CP, and import it in the new CP with version R81.10.

 

Here, we have a doubt.

Once we have "installed" the new R81.10, should we simply import the R80.30 policy package, with the "Migrate_server import"?

 

Or do we have to take into consideration something else before importing the policy package?

 

Cheers.

0 Kudos
12 Replies
the_rock
Legend
Legend
‎2023-08-30 06:40 PM

Its been a while since I did that method, but I dont see why it would not work, as mgmt part is half of standalone : - )

So technically, migrate server process should work.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-30 06:50 PM

As long as you specify the target version upon export, I believe it should work.
See: https://support.checkpoint.com/results/sk/sk135172 

0 Kudos
Matlu
Advisor
‎2023-08-31 07:47 AM
In response to PhoneBoy

Hello,

My doubt is basically because of the following:

The documentation shared, is clear, but there is a point in the SK, that mentions to download the Upgrade Tools package (I attach the image), and this is where my doubt appears, this step #2 I understand, that is "optional", right?

UP.png


Our idea is to INSTALL FROM 0 a new VM in the ESXi, from GAIA OS in Standalone deployment, which will work in R81.10 version, and we just want to "import" the rules database, from the VM that is damaged (which works in R80.30, but we already have a Backup, that we managed to obtain with the migrate_server export).

So, this step #2, in our scenario, if it can be OMITTED?

Simply, it would be to have the GAIA OS R81.10, up, and import the R80.30 policy package, with the "migrate_server import", is that correct?

Thanks for your comments.

0 Kudos
the_rock
Legend
Legend
‎2023-08-31 07:48 AM
In response to Matlu

Thats it, just make sure you follow examples given in the sk.

Andy

0 Kudos
Matlu
Advisor
‎2023-08-31 12:25 PM
In response to the_rock

Hi, Bro

In a standalone deployment environment, is it normal that when I try to generate the "export" of the team's policy database, the services are "stopped"?

CPSA.png

Is it not possible to generate the export of the policy package, without affecting the equipment?

Cheers 🙂

0 Kudos
the_rock
Legend
Legend
‎2023-08-31 12:27 PM
In response to Matlu

Sadly, I dont think its possible. As IM sure you know already, when cpstop is issued, it will unload the policy, so I strongly recommend doing this after hours. See, thats huge downside in my mind about standalone setup...no separate management server, which is very inconvenient when you have to perform any such similar operation.

Andy

0 Kudos
Matlu
Advisor
‎2023-08-31 12:34 PM
In response to Matlu

So, is it natural, then, that the process of "exporting" package policies, in the standalone environment, affects the customer's overall services?

But it is 100% that the equipment, when applying the CPSTOP, during the export process, when it returns to "lift", has generated me the BACKUP of the policy package?

0 Kudos
the_rock
Legend
Legend
‎2023-08-31 12:36 PM
In response to Matlu

Yes and yes. Again, that is HUGE downside of standalone, not having separate management server to do these things in the middle of the day.

Correct, it will get you the backup of the policy, but do it AFTER HOURS, as it will totally remove the policy package until its cpstarted again.

Andy

0 Kudos
Matlu
Advisor
‎2023-08-31 05:08 PM
In response to the_rock

Hello,

I am having recurring problems when trying to export the policy package.

I keep getting the same error over and over again.

Am I applying the correct command for the export?

I already have CPUSE updated.
I am in the cd $FWDIR/scripts folder.
I apply the command: ./migrate_server export -v R81.10 /var/log/tmp/CPR81X.tgz (On my Standalone)

But the export stays at 3% and I get the following message in Putty.

ERR.png

Is this normal?

Am I applying the correct command in the "migrate_server export"?

That parameter, "-v R81.10" is correct? Or should it go there, "-v R80.30"?

My environment right now, is in R80.30.

Cheers 🙂

0 Kudos
the_rock
Legend
Legend
‎2023-08-31 05:46 PM
In response to Matlu

Just follow SK example bro. If issues, I would work with TAC.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-01 07:30 AM
In response to Matlu

How long does it take before you get that message?
I suspect the SSH session is timing out because the process is taking so long.
TAC may need to assist here also.

An alternative approach to using migrate_server is: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...

Unlike a migrate_server, this won’t require an outage on your existing gateway.
Unlike migrate_export, some rules and objects will have to be recreated (those without API support).

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2023-08-30 11:31 PM

Also please refer to:

Upgrading a Security Management Server or Log Server from R80.20 and higher with Migration

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events