Michael_Goodwin
Participant

R80.10 MDM import

If I'm running an R80.10 MDM, and I am onboarding a new managed customer into this environment from their already existing management server, it seems the import process that used to work for R77.30 MDM is broken.

We used to be able to take a migrate export from the stand-alone manager and use the CMA import tools to bring this into a new domain within the MDM.

Similarly, if the customer used to be on another provider's MDM, they could get the migrate export from that MDM and we could import into a new domain.

Reading through the community, I see a few options about API usage, but this would require re-creation of objects which the API cannot support (gateway objects - and therefore SIC etc), so this is certainly more intense than I would like, and is nowhere near as straightforward as it was?

Is there anything I'm missing here?
What's the best practice way to onboard an existing R80.10 customer into an R80.10 MDM?

Thanks
13 Replies
Tomer_Sole
Mentor

Hi,

R80 Security Management is a platform change - completely different backend design and a different frontend technology. Many of the R7x scripts are replaced with R8x alternatives. We hope that we can clarify solutions to all our customers' product questions with this community.

For migrating between a SmartCenter and a Multi-Domain we don't have an official tool at the moment. We are working on one and then it will be published. I could offer this procedure, for some of the objects:

1. Upgrade an R7x to R8x SmartCenter using either CPUSE or Advanced Upgrade

2. Export policies and their members using the ExportImportPolicy tool (you can create an export per policy); see "Python tool for exporting/importing a policy package or parts of it"

3. Create a new R8x Multi-Domain machine

4. Import the policies from step 2

This tool is a Community Tool, not an official Check Point project, and the community generally updates and fixes it based on requests.

This tool currently supports security policies and their members, but some of the object types are not fully supported for export and import, like Gateway settings. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Michael_Goodwin
Participant

Hi Tomer,

Thanks for the reply!

Is this functionality going to be released as a stand-alone tool or integrated in a future release (80.20 etc?)

This is quite a limiting factor when a customer is considering moving into a "Check Point as a Service" model which MDM is great for, but it seems there is no way for them to extract themselves without requiring quite a bit of manual work and likely downtime.

And really the only alternative is to continue to use 77.30, but then we don't get any of the nice new features that R80 brings!

I'll look again at the Python tool, which will certainly help for object and policy re-creation.

Mike

Tomer_Sole
Mentor

Plan is shorter release cycles. 

Tomer_Sole
Mentor

If the customer uses R77.30 MDM and you just want to gradually migrate his domains to an R80.10 MDM then this is supported and recommended. See https://community.checkpoint.com/thread/5221-is-there-an-easy-way-to-upgrade-large-scale-environment... 

Michael_Goodwin
Participant

In this case, we are talking R80.10 into R80.10.

Also, you should really caveat the recommendation, as if you did have a R77.30 MDM environment and migrated them gradually to a new R80.10 environment, they are then "locked in" to that R80.10 environment with no easy way of getting out, until this new tool is developed and released.

AlekseiShelepov
Advisor

Tomer Sole, maybe I don't understand something here, but can't we use migrate export from R80.10 tools to migrate a single management server to a multi-domain server? Does it work only with MDS and CMA now, as described in "Is there an easy way to upgrade large-scale environments to R80.10?" I wasn't aware of that.

Michael Goodwin, you can have a temp virtual machine for migrating customers. For example, create an R77.30 MDM on a virtual machine, import the database from the customer's server there as a CMA, and then do cma_migrate to the R80.10 production server. Or you can use the pre-upgrade verifier on the customer's policy on the R77.30 virtual machine, upgrade it to R80.10, and then migrate to the production server.

Michael_Goodwin
Participant

AlekseiShelepov, sorry, I think I may have confused matters by mentioning R77.30!

I have two scenarios: a customer with an R80.10 standalone which I'm trying to import into a new R80.10 MDM domain, and also a customer who is in an R80.10 MDM already with another provider, and they want to move from their 80.10 MDM to our 80.10 MDM.

Do you think this is something that is possible using a temp VM?

Thanks

Mike

net-harry
Collaborator

Dear Aleksei,

Were you able to get confirmation if it is possible and supported to upgrade a R77.30 single management server to a multi-domain server running R80.10 using migrate export/import?

Thanks for your help!

Harald

John_Fulater
Contributor

I am thinking of something along these lines: We have an R80.10 MDM and want to move to R80.20. But to take advantage of the new file systems, I was told to "export" my R80.10 MDM and create a new R80.20 MDM. I would then like to import my R80.10 MDM into it.

I am concerned that there are limited export/import tools when there is a new release every 6 months.

I also was going to import one CMA to a new partition to move the policies - I hope I am missing something.

PhoneBoy
Admin

You are correct that you need to do a fresh install in order to get the benefits of the xfs filesystem. Sadly, that's unavoidable in this particular instance.

You should be able to export/import a CMA at a time, which is no different than how you can migrate from R77.x to R80.x.
Maarten_Sjouw
Champion

Currently the only tools available to migrate R80.10 are the MDS Migrate tools; you cannot export a single CMA yet.

This is still work in progress. 

Regards, Maarten
Enrique_Gonzale
Explorer

Hello, any advance in this topic?

We're facing multiple single CMA migrations and we're using the above Python script but it would be much easier with the old "cma_migrate".

I guess there is still no workaround to sk122700, right?

Regards,
Tomer_Noy
Employee

We are bringing back the CMA migration capabilities in R80.40.

You will be able to back up and restore a single domain, migrate it between MDSs and also move from SMS to MDS.

Would you like to join our R80.40 EA to receive this capability early (and other additional great features)?
