Solved: Re: R77.30 to R80.10 SMS Migration

Rakesh_Dhanda · ‎2019-02-27

Hi All,

I am going to upgrade our SMS from R77.30 to R80.10, can anyone please share the procedure how to do that .

Nick_Doropoulos · ‎2019-02-28

Hi Rakesh,

Below is the migration workflow I have followed:

Migration Workflow

Prepare the source Security Management Server for export.
1. Ensure that the latest DA agent is installed.
2. Ensure that the latest hotfixes are installed.
3. Fix all validation errors if any.
4. Verify all firewall policies.
5. Take backups, snapshots and copies of the existing configuration.

Export the management database from source Security Management Server.
1. Get the migration tools package.
  You need to use the Migration tools for the version you wish to upgrade to, not the version you are upgrading from.
  For example, if you want to migrate your R77.30 management to R80.10, you need to use the R80.10 version of migration tools.
2. Extract the downloaded package.

Important - Put all extracted files in the same directory, and run the tools from this directory.

Make sure the files have executable permissions. For example, In the temporary directory, run
chmod 777 *
Run fw logswitch to close the SmartView Tracker log files and the SmartLog data. Only closed logs are migrated.
Close all Check Point GUI clients that are connected to the Security Management Server.
Alternatively, if this is a computer that is not in production, run cpstop on the source computer.

Important - If you do not close the GUI clients or run cpstop, the exported management database can become corrupted.

[Expert@MGMT:0]# who (to see who is logged in)
[Expert@MGMT:0]# pkill -KILL -u [user] (to disconnect a specific user)
[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/

[Expert@MGMT:0]# ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80 -f /opt/puv

The above command should result in a html file inside the /opt/puv path. Correct all errors before proceeding.
[Expert@MGMT:0]# yes | nohup ./migrate export [options] /<full path>/<name of exported file without any extension> (to survive a closed/timed-out SSH session)
Extract the exported database with WinSCP and transfer it to a safe location.
Create a hash of the database on https://md5file.com/calculator.

Install the R77 Security Management Server or a standalone deployment on the target server.

Import the management database to the target Security Management Server.
1. Create a hash of the exported database once again and ensure it matches the previous one.
2. [Expert@MGMT:0]# unset TMOUT (so you won’t get locked out half way through the process as it might take some time)
3. [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
4. [Expert@MGMT:0]# yes | nohup ./migrate import [options] /<full path>/<name of exported file>.tgz (to survive a closed/timed-out SSH session)
5. [Expert@MGMT:0]# watch -n1 $FWDIR/scripts/cpm status.sh (until it says "the security management server is running and ready")
6. Verify that all security policies are correct.

I hope it helps.

View solution in original post

peter_schumache · ‎2019-02-27

It depends on how your SMS is deployed today. Ideally, it runs as a virtual machine. Then you clone it and keep the original for a rollback. On the clone, you can perform a new installation or an inline upgrade. See the R80.10 Upgrade and installation docs for more details.

I personally prefer the new installation, since you get rid of all old and unwanted crap on your SMS.

Independent of your deployment, first you run the R80.10 migration tool pre_upgrade_verifier on your curent SMS to check if the DB is clean and R80.10 compliant.

Then you cleanup the DB if required.

Then you do the migrate export on your current SMS and migrate import on your fresh installation of R80.10 SMS.

If anything goes wrong with it, you can easily switch back to your old SMS by activating the old VM.

Hope this helps

Vincent_Bacher · ‎2019-02-27

Yes, upgrading using migration tools is always the best way, imho.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

PhoneBoy · ‎2019-02-27

Migrate to R80.20 TechTalk‌

Nick_Doropoulos · ‎2019-02-28

Hi Rakesh,

Below is the migration workflow I have followed:

Migration Workflow

Prepare the source Security Management Server for export.
1. Ensure that the latest DA agent is installed.
2. Ensure that the latest hotfixes are installed.
3. Fix all validation errors if any.
4. Verify all firewall policies.
5. Take backups, snapshots and copies of the existing configuration.

Export the management database from source Security Management Server.
1. Get the migration tools package.
  You need to use the Migration tools for the version you wish to upgrade to, not the version you are upgrading from.
  For example, if you want to migrate your R77.30 management to R80.10, you need to use the R80.10 version of migration tools.
2. Extract the downloaded package.

Important - Put all extracted files in the same directory, and run the tools from this directory.

Make sure the files have executable permissions. For example, In the temporary directory, run
chmod 777 *
Run fw logswitch to close the SmartView Tracker log files and the SmartLog data. Only closed logs are migrated.
Close all Check Point GUI clients that are connected to the Security Management Server.
Alternatively, if this is a computer that is not in production, run cpstop on the source computer.

Important - If you do not close the GUI clients or run cpstop, the exported management database can become corrupted.

[Expert@MGMT:0]# who (to see who is logged in)
[Expert@MGMT:0]# pkill -KILL -u [user] (to disconnect a specific user)
[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/

[Expert@MGMT:0]# ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80 -f /opt/puv

The above command should result in a html file inside the /opt/puv path. Correct all errors before proceeding.
[Expert@MGMT:0]# yes | nohup ./migrate export [options] /<full path>/<name of exported file without any extension> (to survive a closed/timed-out SSH session)
Extract the exported database with WinSCP and transfer it to a safe location.
Create a hash of the database on https://md5file.com/calculator.

Install the R77 Security Management Server or a standalone deployment on the target server.

Import the management database to the target Security Management Server.
1. Create a hash of the exported database once again and ensure it matches the previous one.
2. [Expert@MGMT:0]# unset TMOUT (so you won’t get locked out half way through the process as it might take some time)
3. [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
4. [Expert@MGMT:0]# yes | nohup ./migrate import [options] /<full path>/<name of exported file>.tgz (to survive a closed/timed-out SSH session)
5. [Expert@MGMT:0]# watch -n1 $FWDIR/scripts/cpm status.sh (until it says "the security management server is running and ready")
6. Verify that all security policies are correct.

I hope it helps.

Rakesh_Dhanda · ‎2019-04-03

Thnaks Nicholas_Doropo for your support and explanation..

Are you a member of CheckMates?

R77.30 to R80.10 SMS Migration