Sanjay_S
Advisor

Upgrade MDS from R80.10 to R80.30

Hi All,

Please let me know the pre-requisites to upgrade the MDS from R80.10 to R80.30 directly?

Also, the installation guide suggests a clean install, but we do not want to go with a clean install and then migrate all the domains one by one.

Instead of clean install can we go with CPUSE to upgrade?

Wish to get the response as soon as possible please.

Regards,

Sanjay S

5 Replies
Maarten_Sjouw
Champion

There is no need to do a per-CMA migration. When you check out the upgrade documentation you will see there is a method using mds_setup; this will do a single full export, and you import that afterwards.
The reason for doing a clean install is that you will get the benefit of the new filesystem.
Next to that you have a much easier fall-back scenario.
It has already been discussed multiple times here, but here is a simple plan:
run an mds_setup and export the MDS
on the old MDS server run mdsstop
then run cpconfig and disable startup of the product
change the IP on the old MDS to a free IP
install a new VM with R80.30 MDS
before you run the First Time Wizard, set up the original IP of your old MDS on the new server
run the FTW.
copy the export file from the old MDS on its new IP
Import the exported file.
Regards, Maarten
Sanjay_S
Advisor

Hi Maarten,
Thank you for helping on this.
We are not migrating it from one server to the other server. We need to upgrade the same MDS which we are running on R80.10 currently.
Tommy_Forrest
Advisor

Make backups.

When you're done making backups, make a few more for good luck.

Take a snapshot of both MDSen and offload them.

Take an mds_backup and offload that backup.

If you're using autoprovision for Azure/AWS, back up that file.

If you're using user.def to tweak VPN domains, back up that file.

If you have access to a virtual environment, recreate your production environment in VM and practice the upgrade.

In my case, after all this work, the upgrade hosed my primary MDS.  The system would try to reboot and just hang.

Thankfully, we had snapshots and the upgrade took a snapshot that we were ultimately able to restore from.

We're going with a clean install this weekend.  Which I am NOT thrilled about.

Have you gotten all of your backups taken yet? 

Take a few more!

 

Sanjay_S
Advisor

Sure Tommy,
I will add the above important points to my action plan before the upgrade.
Sanjay_S
Advisor

Below is what I got after doing some reading. Please let me know if there are any corrections to this plan.
>>>>> BackUp
Take Snapshot of MDS
Take backup of MDS
Take cpinfo (sk92739, sk125092(DiagnosticsView Tool))

Transfer the CPinfo file, snapshot, backup files and exported database files to external storage devices. Make sure to transfer the files in the binary mode.

mds_backup and mds_restore

Take the Gaia snapshot.
Collect the backup with the migrate export command.

>>>>> Check Prerequisites.
Required Disk Space for Security Management Server:
Before installation or upgrade, CPUSE verifies that enough free disk space is available.
If the amount of available disk space is not sufficient, a message shows what is required.

This table shows the free disk space required for some packages:

>>R80.30 Installation TYPE
Clean Install
Major Upgrade
>>Required Disk Space:
The minimum required unpartitioned disk space is the highest value of one of these:
Size of the current root partition.
The used space in the current root partition plus 3 GB.
If the used space is more than 90% of the root partition, then 110% of the size of the current root partition.
If you do not have enough free disk space, you can use the Logical Volume Manager (LVM) to increase the disk space of logical volumes on Gaia.
This space is taken from the unallocated disk space, which is usually used for snapshots and upgrades. For more details see sk95566.

Required Disk Space for R80.30 Multi-Domain Server:
Before you run a clean install of R80.30 Multi-Domain Servers, make sure that at least 10 GB of free disk space in the root partition is available.
For an environment with many Domain Management Servers, more than 10 GB of free disk space is often required.

>>Open Server Minimal Hardware Requirements:
Processor: Intel Pentium IV, 2.6 GHz or equivalent
Total CPU cores: 8
Memory: 32 GB RAM
Free Disk Space: 1 TB (Installation includes OS)

===========================THIS IS NOT REQUIRED I BELIEVE, NEED YOUR ASSISTANCE HERE============
>>Delete all unused Threat Prevention Profiles on the Global Domain:
On R80.x Multi-Domain Server:
Connect with SmartConsole to the Global Domain.
From the left navigation panel, click Security Policies.
Open every policy.
In the top section, click Threat Prevention.
In the bottom section Threat Tools, click Profiles.
Delete all unused Threat Prevention Profiles.
Publish the session.
Close SmartConsole.

>>Disable the Staging Mode for IPS protections (see sk142432):
>Connect with SmartConsole to every Domain.
>From the left navigation panel, click Security Policies.
>Open every policy.
>In the top section, click Threat Prevention.
>In the bottom section Threat Tools, click Profiles.
>Edit every profile.
>From the left tree, click IPS > Updates.
>Clear the box Set activation as staging mode (Detect).
>Click OK.
>Publish the session.
>Close SmartConsole.
===============================================================================================
Required Disk Space:
The size of the /var/log/ partition on the target Management Server or Log Server must be at least 25% of the size of the /var/log/ partition on the source Management Server or Log Server.
For Advanced Upgrade or Migration procedure, the hard disk on the Management Server or Log Server must be at least 5 times the size of the exported database.

>>>>>In R80 and above, examine the SmartConsole sessions:
Connect with the SmartConsole to each Domain Management Server.
From the left navigation panel, click Manage & Settings > Sessions > View Sessions.
You must publish or discard all sessions, for which the Changes column shows a number greater than zero.
Right-click on such session and select Publish or Discard.

>>>>>THIS IS NOT ENABLED IN OUR ENVIRONMENT:
In Multi-Domain Server R80 or R80.10 with enabled vSEC Controller:

Connect with SmartConsole to the Global Domain.
Delete all global Data Centers objects.
Assign the modified Global Policies.

>>>>>You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Server.

=======================================================================================================================================================================
UPGRADE PROCEDURE:

WORKFLOW:
1>Upgrade the Multi-Domain Server with CPUSE
2>Install the R80.30 SmartConsole
3>Install the management database
4>Upgrade the Multi-Domain Log Server, dedicated Log Servers, and dedicated SmartEvent Servers
5>Upgrade the attributes of all managed objects in all Domain Management Servers
6>Test the functionality


1>INSTALLATION:

Local => You use the CPUSE (sk92449) on each Gaia computer to install the applicable packages.

Central => You use the Central Deployment Tool (sk111158) on the Management Server to deploy the applicable packages to the desired managed Security Gateways and Clusters.
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Or Use Upgrade Wizard:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowupgradewizard

These above steps are to get the Upgrade file to the MDS server using any one of the methods.

2>UPGRADE SMARTCONSOLE TO R80.30
Download and install using the below link:
http://supportcontent.checkpoint.com/solutions?id=sk144293

 

3>INSTALL MANAGEMENT DATABASE ON EACH DOMAIN, FOLLOW THE BELOW STEPS:
Connect with SmartConsole to each Domain Management Server.
In the top left corner, click Menu > Install database.
Select all objects.
Click Install.
Click OK


4>UPGRADE THE MULTI-DOMAIN LOG SERVER, DEDICATED LOG SERVER and DEDICATED SMARTEVENT SERVERS:
We use the MDS as our log server, so nothing to do here.


5>UPGRADE ATTRIBUTES OF ALL MANAGED OBJECTS in ALL DOMAIN MANAGEMENT SERVERS:
Connect to the command line on the R80.30 Multi-Domain Server.
Log in with the superuser credentials.
Log in to the Expert mode.
Make sure that on all Domain Management Servers, none of the required daemons (FWM, FWD, CPD, and CPCA) are in the state "down" (the "pnd" state is acceptable):
[Expert@MDS:0]# mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", wait for 5-10 minutes, restart that Domain Management Server and check again. Run these three commands:
[Expert@MDS:0]# mdsstop_customer <IP Address or Name of Domain Management Server>
[Expert@MDS:0]# mdsstart_customer <IP Address or Name of Domain Management Server>
[Expert@MDS:0]# mdsstat
Go to the main MDS context:
[Expert@MDS:0]# mdsenv
Upgrade the attributes of all managed objects in all Domain Management Servers at once:
[Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
OR USE THE BELOW COMMAND SO THAT YES PROMPT CAN BE IGNORED:
[Expert@MDS:0]# yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
OR
[Expert@MDS:0]# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Multi-Domain Server>


6>TEST THE FUNCTIONALITY:
Connect with SmartConsole to the R80.30 Multi-Domain Server.
Make sure the management database and configuration were upgraded correctly.
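
The daemon pre-check from step 5 of the plan above, as an added example that is not part of the original post and is not Check Point code: it reads mdsstat-style output and refuses to proceed to mds_fix_cmas_clms_version while any FWM, FWD, CPD or CPCA entry is "down" ("pnd" is accepted). The table layout, the CLM row type, the function names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/bash
# Constructed sample laid out like an mdsstat table (names and IPs invented).
sample_mdsstat() {
cat <<'EOF'
+-----+-----------+---------------+-----------+-----------+-----------+-----------+
| Type| Name      | IP address    | FWM       | FWD       | CPD       | CPCA      |
+-----+-----------+---------------+-----------+-----------+-----------+-----------+
| MDS |  -        | 192.0.2.10    | up 17284  | up 17266  | up 15321  | up 17431  |
+-----+-----------+---------------+-----------+-----------+-----------+-----------+
| CMA | Domain_A  | 192.0.2.11    | up 32227  | up 32212  | up 25725  | up 32482  |
| CMA | Domain_B  | 192.0.2.12    | down      | pnd       | up 25801  | down      |
| CMA | Domain_C  | 192.0.2.13    | up 1201   | pnd       | up 1188   | up 1240   |
+-----+-----------+---------------+-----------+-----------+-----------+-----------+
| Total Domain Management Servers checked: 3   2 up   1 down |
+-----+-----------+---------------+-----------+-----------+-----------+-----------+
EOF
}

# Print "<name> <ip> <daemon>" for every required daemon reported as down.
# "up <pid>" and "pnd" are accepted, as in the plan above.
down_daemons() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 8 {
      type = trim($2)
      if (type == "Type") {              # header row: learn daemon column names
        for (i = 5; i < NF; i++) col[i] = trim($i)
        next
      }
      if (type != "MDS" && type != "CMA" && type != "CLM") next
      for (i = 5; i < NF; i++)
        if (trim($i) ~ /^down/) print trim($3), trim($4), col[i]
    }'
}

# Gate: succeed only when nothing is down; otherwise list offenders on stderr.
ready_for_fix() {
  bad=$(down_daemons)
  [ -z "$bad" ] && return 0
  printf 'not ready, daemon down:\n%s\n' "$bad" >&2
  return 1
}

if sample_mdsstat | ready_for_fix; then
  echo "all required daemons up or pnd"
fi
```

On the upgraded server the same gate would be fed from the real command, for example `mdsstat | ready_for_fix`, after confirming the live output matches the layout assumed here.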
