Leslie_Chin
Employee

R80.10 MDS -> R80.10 MDS with new Hostname, new Domain names and new IP addresses (OH MY!)

Hello,

I am working on documenting a procedure, if even possible, to perform an R80.10 MDS "migration" to R80.10 MDS with a new hostname, new domain names, and new IP addresses for the domains.

Global objects are being used in the Domains added for good measure

In theory, I think the steps would be:

  1. migrate export the MDS from the source
  2. migrate_global_policies on the destination
  3. migrate export each CMA from the source
  4. mgmt_cli to create the new domain on the destination (do not start the domain)
  5. cma_migrate to import each domain
15 Replies
Leslie_Chin
Employee

And I've already run into a failure

migrate_global_policies fails on the destination:

[Expert@DESTINATION_R80:0]# ./migrate_global_policies /var/log/tmp/export/SOURCE_R80_MDS.tgz

Welcome to the Global Policies Migration Utility.


If the Multi-Domain Server is started, it should be stopped now.
Do you want to stop the Multi-Domain Server processes (Domain Management Servers will not be stopped) [yes/no] ? yes
Stopping Multi-Domain Server only

Stop SmartLog Server...
cpwd_admin:
Process SMARTLOG_SERVER terminated
cpwd_admin:
Process FWM terminated
cpwd_admin:
Process FWD terminated
cpwd_admin:
Process CPD terminated
Multi-Domain Server stopped

Error: Failed to stop CPWD. It is not responding. Aborting.

Performing verifications on currently installed version

The messages generated by the verification tools will be available in:
/opt/CPmds-R80/system/pre_upgrade/pre_global_policies_migrate.log
======================================================================
>>> Executing Source Version Upgrade Path Checker

Pre-upgrade verification ended successfully, proceeding with migrate
Starting CPM only
cpWatchDog is already running
CPM Server already running.
CPM Server is running.
CPM server started
Making sure Multi-Domain Server is running...
Preparing database...
Execution finished with errors. See log file '/opt/CPshrd-R80/log/migrate-2019.02.01_11.42.54.log' for further details

Migration not completed.

migrate-2019.02.01_11.42.54.log:

[1 Feb 11:43:00] ..--> CanonicalizePath
[1 Feb 11:43:00] [CanonicalizePath] Canonicalizing path 'bash -c "set -o pipefail; /opt/CPsuite-R80/fw1/bin/upgrade_tools//gzip -d -c /opt/CPmds-R80/tmp//export_db//ren_db.gz | /opt/CPsuite-R80/fw1/bin/psql_client postgres -U postgres --set ON_ERROR_STOP=on"'
[1 Feb 11:43:00] [CanonicalizePath] Resulting path: 'bash -c "set -o pipefail; /opt/CPsuite-R80/fw1/bin/upgrade_tools//gzip -d -c /opt/CPmds-R80/tmp//export_db//ren_db.gz | /opt/CPsuite-R80/fw1/bin/psql_client postgres -U postgres --set ON_ERROR_STOP=on"'
[1 Feb 11:43:00] ..<-- CanonicalizePath
[1 Feb 11:43:00] ..--> ExecCommandGetOutput
[1 Feb 11:43:00] [ExecCommandGetOutput] Going to execute command: 'bash -c "set -o pipefail; /opt/CPsuite-R80/fw1/bin/upgrade_tools//gzip -d -c /opt/CPmds-R80/tmp//export_db//ren_db.gz | /opt/CPsuite-R80/fw1/bin/psql_client postgres -U postgres --set ON_ERROR_STOP=on"'
[1 Feb 11:43:05] [ExecCommandGetOutput] ERR: Command completed with error code 3
[1 Feb 11:43:05] ..<-- ExecCommandGetOutput
[1 Feb 11:43:05] [CommandRunner::exec] Command's output:
-------------------------------------
SET
SET
ERROR: database "cpm" is being accessed by other users
DETAIL: There are 4 other sessions using the database.
-------------------------------------
[1 Feb 11:43:05] [CommandRunner::exec] ERR: Command execution had failed

0 Kudos
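
A way to pull the failing command, its exit code and its output out of a migrate log like the one quoted above, added here as an example (it is not part of the original post and not a Check Point tool). The function names and the shortened sample command are assumptions; the log layout is taken from the excerpt above.

```python
import re

# Constructed excerpt in the layout of the migrate log quoted above (command shortened).
SAMPLE_LOG = """\
[1 Feb 11:43:00] [ExecCommandGetOutput] Going to execute command: 'bash -c "set -o pipefail; gzip -d -c ren_db.gz | psql_client postgres -U postgres --set ON_ERROR_STOP=on"'
[1 Feb 11:43:05] [ExecCommandGetOutput] ERR: Command completed with error code 3
[1 Feb 11:43:05] [CommandRunner::exec] Command's output:
-------------------------------------
SET
SET
ERROR: database "cpm" is being accessed by other users
DETAIL: There are 4 other sessions using the database.
-------------------------------------
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:\[[^\]]+\] )?(?P<msg>.*)$")
RULER = re.compile(r"^-{10,}$")
EXIT = re.compile(r"Command completed with error code (\d+)")
SESSIONS = re.compile(r"There are (\d+) other sessions using the database")

def failed_commands(log_text):
    """Pair each failed command with its exit code and the output block that follows it."""
    failures, last_cmd, pending, capturing = [], None, None, False
    for raw in log_text.splitlines():
        if RULER.match(raw):
            if capturing:                  # closing ruler ends the output block
                capturing, pending = False, None
            elif pending is not None:      # opening ruler after a reported failure
                capturing = True
            continue
        if capturing:
            pending["output"].append(raw)
            continue
        m = LINE.match(raw)
        if m and m["msg"].startswith("Going to execute command: "):
            last_cmd = m["msg"].split(": ", 1)[1].strip("'")
        elif m and (code := EXIT.search(m["msg"])):
            pending = {"time": m["ts"], "command": last_cmd,
                       "exit_code": int(code.group(1)), "output": []}
            failures.append(pending)
    return failures

def blocking_sessions(failure):
    """Session count from the 'other sessions using the database' detail, else None."""
    hit = SESSIONS.search("\n".join(failure["output"]))
    return int(hit.group(1)) if hit else None

if __name__ == "__main__":
    print([(f["exit_code"], blocking_sessions(f)) for f in failed_commands(SAMPLE_LOG)])
```
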
Leslie_Chin
Employee

Hm. cma_migrate "worked" but none of the local objects or rules that are from the source CMA exist in the destination CMA.

[Expert@DESTINATION_R80:0]# mgmt_cli --root true add domain name NEW_DOMAIN_ONE servers.ip-address 192.168.254.41 servers.name NEW_DOMAIN_ONE_Server servers.multi-domain-server DESTINATION_R80 servers.skip-start-domain-server true


---------------------------------------------
Time: [12:26:19] 1/2/2019
---------------------------------------------
"Create Domain: 'NEW_DOMAIN_ONE'" in progress (5%)


---------------------------------------------
Time: [12:28:40] 1/2/2019
---------------------------------------------
"Create Domain: 'NEW_DOMAIN_ONE'" succeeded (100%)
tasks:
- uid: "99366e05-ee50-4743-9ab4-11485efd0eaa"
type: "task"
domain:
uid: "a0eebc99-afed-4ef8-bb6d-fedfedfedfed"
name: "System Data"
domain-type: "mds"
task-id: "f2ee7112-199a-43bb-8ba3-2eabe3acc0d4"
task-name: "Create Domain: 'NEW_DOMAIN_ONE'"
status: "succeeded"
progress-percentage: 100
start-time:
posix: 1549041977737
iso-8601: "2019-02-01T12:26-0500"
last-update-time:
posix: 1549042116756
iso-8601: "2019-02-01T12:28-0500"
suppressed: true
task-details:
- uid: "1b30a41f-cf19-4aba-baa7-9892f0243f6f"
name: null
domain:
uid: "a0eebc99-afed-4ef8-bb6d-fedfedfedfed"
name: "System Data"
domain-type: "mds"
color: "black"
statusCode: "succeeded"
statusDescription: "Update Domain 'NEW_DOMAIN_ONE' succeeded"
taskNotification: "99366e05-ee50-4743-9ab4-11485efd0eaa"
initiator: "WEB_API"
startTime:
posix: 1549041977737
iso-8601: "2019-02-01T12:26-0500"
active: false
domainName: ""
mdsName: ""
mdsIp: ""
cmaIp: ""
cmaName: ""
meta-info:
validation-state: "ok"
last-modify-time:
posix: 1549042116761
iso-8601: "2019-02-01T12:28-0500"
last-modifier: "WEB_API"
creation-time:
posix: 1549041977806
iso-8601: "2019-02-01T12:26-0500"
creator: "WEB_API"
tags: []
icon: "General/globalsNa"
comments: ""
display-name: ""
customFields: null
comments: "Update Domain 'NEW_DOMAIN_ONE' succeeded"
color: "black"
icon: "General/globalsNa"
tags: []
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1549042116776
iso-8601: "2019-02-01T12:28-0500"
last-modifier: "WEB_API"
creation-time:
posix: 1549041977771
iso-8601: "2019-02-01T12:26-0500"
creator: "WEB_API"
read-only: false

---------------------------------------------
Time: [12:28:42] 1/2/2019
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@DESTINATION_R80:0]# cma_migrate /var/log/tmp/export/SOURCE_R80_DOMAIN_ONE.tgz /opt/CPmds-R80/customers/NEW_DOMAIN_ONE_Server/CPsuite-R80/fw1/
Starting Multi-Domain Server only
cpWatchDog is already running
CPM Server already running.
CPM Server is running.
Start Search Infrastructure...
index mode was set to true
startsearch: dbsync does not run on Multi-Domain Security Management
cpwd_admin:
Process SOLR is alive, process won't be started again
Starting RFL ...
cpwd_admin:
Process RFL is alive, process won't be started again
Starting SmartView ...
cpwd_admin:
Process SMARTVIEW is alive, process won't be started again
Start Log Indexer...
cpwd_admin:
Process INDEXER is alive, process won't be started again
Start SmartLog Server...
cpwd_admin:
Process SMARTLOG_SERVER is alive, process won't be started again

Multi-Domain Server Started
CPM server started

Are you sure you want to migrate the management at /var/log/tmp/export/SOURCE_R80_DOMAIN_ONE.tgz
into the Domain Management Server /opt/CPmds-R80/customers/NEW_DOMAIN_ONE_Server/CPsuite-R80/fw1/ [yes/no] ? yes

Verifying data before importing. Please wait ...
Source management version detected:
R80.10
======================================================================
>>> Executing Source Version Upgrade Path Checker

======================================================================
>>> Executing Domains Without Management Servers Test

======================================================================
>>> Executing Domains With No Hosting Multi Domain Servers Test

======================================================================
>>> Executing Global Policy on Source Database Detector

======================================================================
>>> Executing Multiple Domain Management Servers with the same ICA Keys Detector

======================================================================
>>> Executing Firmware References Detector

======================================================================
>>> Executing VSX Objects Detector

======================================================================
>>> Executing Domain Servers Missing From Database

======================================================================
>>> Executing Missing Domain Server Directories

Pre-migrate verification ended successfully.
A log file was created: /opt/CPmds-R80/customers/NEW_DOMAIN_ONE_Server/CPsuite-R80/fw1//log/pre_migrate.log

Proceeding with migration.


Migration completed.

0 Kudos
Stuart_Green
Collaborator

It must be the day for it!

I've just posted about this issue too - Importing from SMS into MDS.

You might not be alone in your pain!

PhoneBoy
Admin

To be fair, what Leslie's doing is not necessarily supported.

Stuart_Green
Collaborator

Can see a need for it, though. HA would be a better option!

0 Kudos
Maarten_Sjouw
Champion

Leslie,

You could try a different approach:

  1. create a new secondary MDS in your current environment, with the new name
  2. create Backup CMAs on that new MDS with new names
  3. promote all secondaries to primary and remove the originals
Regards, Maarten
Eran_Habad
Employee

Hi Leslie Chin,

My name is Eran and I'm the manager in Check Point R&D responsible for the core infrastructure of the Management server. Indeed, in R80.x we're not yet supporting migration of a Domain Server into another Multi Domain server. My team and I are working to close this gap these days, and we aim to reach EA a few months from now. We would be happy to provide you with an EA build on top of R80.20 as soon as we're ready so you could install and test it. You're also very welcome to provide your feedback and influence the usability. Our plan is to integrate the code into an official version later this year. Note that this EA version will probably not yet include the option to change the name of the Domain Server and its IP address, but we'll address it as part of the development.

This is a call for any customer who's waiting for the ability to migrate a Domain Server into another Multi Domain server over R80.20 and above! You're welcome to reply to my comment and register, R&D will approach you in the next few months to provide an EA build on top of R80.20.

Manoj_Kumar2
Contributor

Hello Eran,

I am running into a situation where cma migrate would be the only solution, the reason being lots of policy packages, threat and application policies, VSX environment, etc. managed under the same CMA. I was desperate about the cma migrate in R80.x, but your comment really made my day. Hopefully expecting the solution within the next couple of months.

Peter_Lyndley
Advisor

Hi Eran,

I would also be interested in this EA, as we need the functionality now.

thanks

Peter

Soeren_Rothe
Collaborator

Eran Habad

Hi Eran, do you also work on a migration tool from CMA to SMS?

Thanks

Sören

0 Kudos
Maarten_Sjouw
Champion

I thought I made that clear in the other post, 

  1. SMS to DMS
  2. DMS to SMS
  3. DMS to DMS
  4. SMS to SMS

DMS is the new name for CMA.

Regards, Maarten
0 Kudos
Eran_Habad
Employee

We do, you can read my comment on this post:

https://community.checkpoint.com/thread/11359-importing-from-sms-into-mds 

We are working on a migration tool from a Security Management Server to a Domain on a Multi Domain Management machine and vice versa.

Eran

Raj_Khatri
Advisor

We are also looking forward to this migration tool.  Going from MDS CMA to SMS on R80.10.

0 Kudos
wilki69
Explorer

Hi Eran,

Is there any update with SMS 80.10 to MDS 80.10... does it work with 80.10 to 80.40?

Thanks

0 Kudos
G_W_Albrecht
Legend

Sorry, but I do not understand - your Avatar looks like you are a CP employee, but you post a multi-part lengthy article here about a well-known limitation...
CCSE CCTE CCSM SMB Specialist
0 Kudos
