
Instruction to migrate SMS to CMA in R80.40

Hi CheckMates.

According to a previous post https://community.checkpoint.com/t5/General-Management-Topics/Issue-in-Importing-Management-Server-M..., we should have the possibility to migrate, export and import SMS and CMA in different directions in R80.40.

I need to migrate a SmartCenter server to CMA, where both source and destination are running R80.40. However, I cannot find the instructions to accomplish this in the documentation.

In "sk156072 - Domain Migration in R80.x" there is a section with "Migrating from Security Management Server to Domain Management Server", but these instructions are not working on a SmartCenter server.

Can anyone guide me to the instructions on how to migrate an R80.40 SmartCenter to a CMA on a R80.40 Multi-Domain Server?

Thanks in advance!

Best Regards

Peter Sode

So what you are saying is that you cannot run:
mgmt_cli migrate-export-domain file-path /var/log/exportsms.tgz include-logs false
Regards, Maarten
0 Kudos

Hi Maarten.

Correct, this command fails on my SmartCenter Server (SMS).

If I need to be logged in to System Data Domain, I don't know how to do this on a SMS??

 

Output:

[Expert@demo-mgmt-01:0]# mgmt_cli migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Username: fwadmin
Password:
code: "generic_error"
message: "Runtime error: Could not load domain 41e821a0-3720-11e3-aa6e-0800200c9fde, make sure you are logged in to System Data domain."

[Expert@demo-mgmt-01:0]# cpinfo -y all

This is Check Point CPinfo Build 914000202 for GAIA
[CPFC]
No hotfixes..

[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38

[IDA]
No hotfixes..

[FW1]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38

FW1 build number:
This is Check Point Security Management Server R80.40 - Build 019
This is Check Point's software version R80.40 - Build 082

[SecurePlatform]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38

[CPinfo]
No hotfixes..

[AutoUpdater]
No hotfixes..

[DIAG]
No hotfixes..

[SmartLog]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38

[Reporting Module]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38

[CPuepm]
No hotfixes..

[VSEC]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 38

[R7520CMP]
No hotfixes..

[R7540CMP]
No hotfixes..

[R76CMP]
No hotfixes..

[SFWR77CMP]
No hotfixes..

[SFWR80CMP]
No hotfixes..

[R77CMP]
No hotfixes..

[R75CMP]
No hotfixes..

[NGXCMP]
No hotfixes..

[SFWCMP]
No hotfixes..

[FLICMP]
No hotfixes..

[SFWR75CMP]
No hotfixes..

[MGMTAPI]
No hotfixes..

[CPDepInst]
No hotfixes..

[CPUpdates]
BUNDLE_INFRA_AUTOUPDATE Take: 25
BUNDLE_R80_40_JUMBO_HF_MAIN Take: 38
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 13


[Expert@demo-mgmt-01:0]#

Best Regards

Peter

0 Kudos
try it using: mgmt_cli -r true migrate-export-domain ....
Regards, Maarten
0 Kudos

Same result, but this time without having to authenticate:

[Expert@demo-mgmt-01:0]# mgmt_cli -r true migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
code: "generic_error"
message: "Runtime error: Could not load domain 41e821a0-3720-11e3-aa6e-0800200c9fde, make sure you are logged in to System Data domain."

 

Br.

Peter

0 Kudos
Add the following to the command and try again: -d system
If it still fails I would open a case with TAC.
Regards, Maarten
0 Kudos

Hi Peter,

 

Unless I'm missing something, to run the migrate export from an SMS, you'd just use the migrate export command as usual; it's only when exporting from a CMA (i.e. the other way around) that you'd need a migrate-export-domain command.

Please let me know

 

thanks

Peter

0 Kudos

From the SK mentioned:

Export Security Management Server:

Make sure all processes are up and running, using the "cpwd_admin list" command.
Run fw logswitch to close the active log files. Only closed logs are migrated.
Log in via API command to "System Data" domain and run migrate export to create a database archive file.
Run: #mgmt_cli migrate-export-domain file-path <full path to file> include-logs <true|false>

The line starting with 'Log in via API' says to use the domain System Data, so to make sure you use that, add -d "System Data".

Regards, Maarten
0 Kudos
Admin

It seems the SK is not OK. I have raised a ticket with the SK owner to fix.

"migrate-export-domain" API seems to be relevant to MDSM environment only.

Did you try to use the regular migrate export command on SMS and then import with MGMT CLI on MDSM side?


0 Kudos
Val,
The only thing wrong with the SK is that they are saying to Login via API to the domain, it would be much more useful to change the actual command to:
Run: #mgmt_cli -r true -d "System Data" migrate-export-domain file-path <full path/filename.tgz> include-logs <true|false>

This way all doubts are gone and the command just works.
Regards, Maarten

0 Kudos
Admin

Correct, already reported to SK owner.

0 Kudos

Please pay attention: it is wrong to use "-r true" or "--root true" in API commands in environments running in production with multiple administrators. Any command invoked with this parameter will be initiated from the built-in system administrator account and not from the actual administrator running this command, so audit logs will display a generic admin name and the operation will not be registered in audit logs with the actual admin name.

0 Kudos
Anton,

I agree that for audit purposes the usage should be avoided, however in this case you are working on shutting down the original system. So who will be logging into the old system to see who was doing the export?
In our case we have about 20 super admins, however there are a maximum of 2 people who would be running these types of commands. In these cases I would not have any problem using the -root true option. And as you may have seen the TS did not use it in the end.
Regards, Maarten
0 Kudos
@Maarten_Sjouw Maybe no one will, however "-r" flag is not recommended.
0 Kudos

Still not working with "-d system":

[Expert@demo-mgmt-01:0]# mgmt_cli -r true -d system migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Error: Failed to login to the management server
[Expert@demo-mgmt-01:0]# mgmt_cli -d system migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Username: fwadmin
Password:
code: "generic_error"
message: "Runtime error: Domain 'system' not found!"

 

@Peter_Lyndley - Normally I would agree with you. However, the issue is that there is no way to import a "normal" migrate export into a CMA on Multi-Domain-Server in R80.40.

 

I have created SR# 6-0001990466 for this issue, and will post the result.

 

Thanks all,

 

Br.

Peter

0 Kudos

Thanks @Maarten_Sjouw - the last command did the trick for the export 🙂

 

[Expert@demo-mgmt-01:0]# mgmt_cli -d "System Data" migrate-export-domain file-path /var/log/tmp/exportsms.tgz include-logs false
Username: fwadmin
Password:


---------------------------------------------
Time: [12:49:26] 4/5/2020
---------------------------------------------
"Export Domain SMC User" in progress (10%)
.
.
.
---------------------------------------------
Time: [12:56:20] 4/5/2020
---------------------------------------------
"Export Domain SMC User" in progress (66%)


---------------------------------------------
Time: [12:56:30] 4/5/2020
---------------------------------------------
"Export Domain SMC User" succeeded (100%)
tasks:
- uid: "a3009941-5f3b-4149-b466-f465c98e643a"
type: "task"
domain:
uid: "a0eebc99-afed-4ef8-bb6d-fedfedfedfed"
name: "System Data"
domain-type: "mds"
task-id: "a3009941-5f3b-4149-b466-f465c98e643a"
task-name: "Export Domain SMC User"
status: "succeeded"
progress-percentage: 100
start-time:
posix: 1588589365714
iso-8601: "2020-05-04T12:49+0200"
last-update-time:
posix: 1588589783763
iso-8601: "2020-05-04T12:56+0200"
suppressed: false
task-details: []
comments: "Export succeeded."
color: "black"
icon: "General/globalsNa"
tags: []
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1588589783785
iso-8601: "2020-05-04T12:56+0200"
last-modifier: "System"
creation-time:
posix: 1588589365719
iso-8601: "2020-05-04T12:49+0200"
creator: "System"
read-only: false

[Expert@demo-mgmt-01:0]#

 

I will now test the import into CMA and post the result.

Br.

Peter Sode

0 Kudos
Admin

The command should include -d "System Data" to run correctly on SMS.

0 Kudos
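
Added example, not part of any post in this thread and not Check Point code: a small POSIX shell wrapper for the export that worked above, run under a named administrator in the "System Data" domain instead of "-r true", so the audit log carries the real admin name. The function names are hypothetical, and it assumes mgmt_cli prompts for the password when only -u is given (in the thread it prompted for both when neither was given).

```shell
#!/bin/sh
# Added example: SMS export for an SMS-to-CMA migration, run as a named
# administrator (no "-r true"). Function names are hypothetical.

# Validate the arguments before anything touches the management server.
check_export_args() {
    admin=$1 archive=$2 logs=$3
    [ -n "$admin" ] || { echo "admin name required" >&2; return 2; }
    case $archive in
        /*.tgz) ;;
        *) echo "archive must be a full path ending in .tgz" >&2; return 2 ;;
    esac
    case $logs in
        true|false) ;;
        *) echo "include-logs must be true or false" >&2; return 2 ;;
    esac
    # Never silently replace an earlier export.
    [ ! -e "$archive" ] || { echo "refusing to overwrite $archive" >&2; return 2; }
}

# usage: export_sms <admin> <full path/filename.tgz> <true|false>
export_sms() {
    check_export_args "$1" "$2" "$3" || return
    # Only closed logs are migrated (SK step quoted in the thread).
    fw logswitch || return
    # -u names the administrator; the password is prompted for (assumption),
    # so it never appears in the process list or shell history.
    mgmt_cli -u "$1" -d "System Data" migrate-export-domain \
        file-path "$2" include-logs "$3" || return
    [ -s "$2" ] || { echo "export reported success but $2 is empty" >&2; return 1; }
    # The archive holds the management database: restrict it to the owner.
    chmod 600 "$2"
}
```

Called as `export_sms fwadmin /var/log/tmp/exportsms.tgz false`, it stops on the first failing step and returns that step's exit status.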

Hi Peter,

Please refer to "Installation and Upgrade Guide R80.40" . Detailed instructions inside the link.

Edited:

Make sure to invoke migrate-export-domain command when logged in to SystemDomain. (with "-u <username> -p <password> -d SystemData" parameters)

Example: 

mgmt_cli migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false" -u <username> -p <password> -d SystemData

 

0 Kudos
Admin

@Anton_Pluzharov I would agree with you, but the guide also has the same issue. The recommended command there is missing System Default domain reference:

mgmt_cli migrate-export-domain file-path "/var/log/SecMgmtServer_Export.tgz" include-logs "false"

Hence it will fail in the same manner, as already discussed. I have actually tested that one on my side.

Thank you, adding this to my comment.
0 Kudos