This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Vladimir
Champion
Champion
‎2018-07-22 05:51 AM

Tools and referenced SKs for R77.30 appliance to VM migration.

Please advise what tool is appropriate for exporting R77.30 MDM from appliance and restoring it on MDM running on VMware.

For upgrades to R80.XX, the recommended tool is mds_setup, run from mounted ISO.

I am looking for definitive instructions to refer a client to in order for them to generate the export file that will subsequently be used to recreate their environment in R77.30 VMs.

There are some references to "export_mds", but the only procedural article is sk66646 (Last modified 08-May-2017 by Christian Hofmann), that is no longer available in the knowledge base that starts with:

Symptoms
Export of MDS fails by running out of disk space or produces extremely big file.
Import of the MDS fails due to running out of disk space or does not import logs.
Cause
There are some glitches in the scripts for export and import:
1. The export script sometimes (preferable when exporting R65) leaves the temporary files from the export in $FWDIR/tmp/migrate
2. The import script sometimes leaves a copy of the imported files in $FWDIR/tmp/migrate
3. The mds_import script on MDM does not import logs even if they are part of the export
4. The export script adds files to the export which are not required when importing to a different release.
All of the above do not cause the export and import fail, but sometimes takes unnecessary amount of disk space. The export and import also takes significantly longer than
needed.

Which does not inspire confidence and seems dated.

The Check_Point_migration_tools_R77.30_T204.Gaia.tgz does not contain "mds_export" and "mds_import", yet it does list Multi Domain Manager / Provider-1 in applicable platforms.

If no such documents available, please share your experience, if you've had to perform the same task I am looking at.

Additionally, please let me know if the mds_setup from the higher version, the one from the mounted ISO, could be used for older versions, i.e. R80.10 or R80.20.M1 ISO for R77.30 to R77.30.

Thank you,

Vladimir

Reply
16 Replies
Tomer_Sole
Mod
Mod
‎2018-07-22 07:15 AM

Hi, your definitive source for upgrade best practices is the admin guide for upgrades.

Is there something in the guide that you find missing?

Installation and Upgrade Guide R80.10 

0 Kudos
Reply
Vladimir
Champion
Champion
‎2018-07-22 07:54 AM
In response to Tomer_Sole

The Install and Upgrade Guide describes steps necessary for the upgrade to R80.XX.

I am trying simply to replicate the environment on R77.30.

So my question is this: Can I use R80.10 or R80.20.M1 mds_setup tool for this purpose or is it performing transforms on the exported data that makes it unsuitable for Import in the source version?

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-07-22 09:12 AM
In response to Vladimir

I think you can just use the migrate export/import tools for R77.30 and do it a CMA at a time, similar to the way you can do it to go to R80.x.

You may even be able to do that for the global domain as well. 

0 Kudos
Reply
Vladimir
Champion
Champion
‎2018-07-22 09:19 AM
In response to PhoneBoy

The reason I like the mds_setup option is precisely because it allows a complete MDM export and import with import being granular, if required.

Regardless, I am looking for some unquestionable source document to provide to a client of mine as well as to use for personal references and coming up short.

Can you verify with MDM group if the R80.10 mds_setup could be used for R77.30 to R77.30 migration?

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-07-22 09:44 AM
In response to Vladimir

The SK is there but it's marked as Expert level Smiley Happy

At a high level it mentions strategies for reducing the size of the export file to both decrease the time it takes to import the export and increase the chances of success .

This is most likely the approach you'll want to take.

Will see about making this information more widely available.

0 Kudos
Reply
Vladimir
Champion
Champion
‎2018-07-22 09:55 AM
In response to PhoneBoy

Dameon,

Thank you, I've got the sk, but the idea is to actually give client the references to something that does not contain the word "glitches" so that they could produce the export file that I could work with, without tinkering with the scripts.

Since the mds_setup seem to be much more streamlined utility, it would be great if we could use it for these purposes.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-07-22 10:06 AM
In response to Vladimir

As I assume the mds_setup that comes with R80.x is specific to R80.x, it probably won't be applicable to R77.x.

However, the following SK suggests it is on the ISO for R77.x: How to convert Security Management Server to Multi-Domain Server 

All of this begs the question why they're not taking this opportunity to upgrade to R80.x in the process, but we'll save that for a different thread. Smiley Happy

0 Kudos
Reply
Vladimir
Champion
Champion
‎2018-07-22 10:30 AM
In response to PhoneBoy

Thanks! I'm trying to setup a mock environment to give it a shot and see the prompts and the workflow.

The reason for R77.30 to R77.30 migration is this: The only justification for them to be on MDS is the shared IPS policies.

Tomer Sole‌ alluded to shared TP layers being available in R80.20.M1 for SMS, but still requiring individual installation per access policy the layer is attached to.

He have also mentioned that additional functionality, possibly single installation process on all gateways and clusters managed by the same SMS with the same shared TP layers may be possible in R80.20 EA.

So the idea was to actually try and see if either option would work in the PoC lab using same source environment.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-07-22 10:34 AM
In response to Vladimir

Good reason to "copy" to R77.30, carry on then Smiley Happy

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion
‎2018-07-22 02:19 PM

If you want to move the full MDS from one machine to the other, you can use a mds_backup file to do so.

When you do the migration path, per CMA, you will not have any issues regarding IP's of the CMA's and MDS itself. 

With a backup, it is expected to use the same IP's.

Regards, Maarten
Reply
Vladimir
Champion
Champion
‎2018-07-22 02:45 PM
In response to Maarten_Sjouw

Even if I am copying from appliance to VM?

Vladimir Yakovlev

973.558.2738

vlad@eversecgroup.com

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion
‎2018-07-23 03:18 AM
In response to Vladimir

A mds_backup file does not care about the underlying hardware.just the OS version is relevant, however do make sure to have at least the same level of Jumbo installed.

Regards, Maarten
0 Kudos
Reply
Vladimir
Champion
Champion
‎2018-07-23 07:15 AM
In response to Maarten_Sjouw

Thank you Maarten!

I'l give it a shot. Any chance you can point me to the sk or ARTG document that I can reference in regards to the platform independence of the resultant backup file?

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-07-23 08:30 AM

FYI sk66646 is now marked as "Advanced" and should be viewable to you Smiley Happy

0 Kudos
Reply
Vladimir
Champion
Champion
‎2018-07-23 08:35 AM
In response to PhoneBoy

Thank you!

So far, in terms of the MDM migration or backup, I've encountered these methods:

mds_setup

mds_backup

mds_export

export_mds

migrate export

database export

Wouldn't be a bad idea for CP to produce a table describing applicable scenarios and specifics of each, similar to that available for SMS.

Reply
PhoneBoy
Admin
Admin
‎2018-07-28 08:20 PM
In response to Vladimir

The documentation for the target version of MDM (specifically the Install and Upgrade guide) should tell you which tools are relevant. 

The difference between "backup" and "export" is backup is meant to be restored on the same version, an export is meant to be restored into a newer "target" version.

mds_setup seems to call multiple tools.

export_mds only seems to be relevant in R77.x releases, for instance, and seems to be a shell script you can edit.

migrate export is relevant insofar as it takes a backup of a given domain, but not the MDS (and it's also relevant for SMS).

0 Kudos
Reply