Solved: How to migrate Gaia configuration & data to a fres...

ITBbag · ‎2022-06-15

I recently got into administrating our Checkpoint Gaia Firewall which currently is on version R81. I would like to upgrade it to R81.10, however I would like to do it in a fresh virtual machine, not via upgrade.

I tried to do

migrate export FWconfig.tgz

and

migrate import FWconfig.tgz

on the new VM, however it said it can't import anything that was created on a previous Gaia Version. Only same version.

I then found

save/load configuration <filename>

Which looks really good, but that "only" contains the configuration. I would like to have all my objects etc. too

Is there a way to export the configuration and also all the objects - basically everything - from Gaia to a newer Gaia Version?

ITBbag · ‎2022-08-24

I did it with a combination of the answers here. First of all to get the DB, and the Objects and everything, I used:

mkdir -p /tmp/upgrade
$FWDIR/scripts/migrate_server export -v R81.10 /tmp/upgrade/GAIAConfig.tgz

Note: you might need to verify first or/and skip upgrade tools check. Also the --ignore_warnings flag could be useful

$FWDIR/scripts/migrate_server verify -skip_upgrade_tools_check -v R81.10

after this everything is exported and can be copied to somewhere via scp or your other favorite tool.

to import it on the new FW I used:

$FWDIR/scripts/migrate_server import /tmp/import/GAIAConfig.tgz -skip_upgrade_tools_check

This was for all the objects etc.

For the configuration of the FW itself, after the initial setup, I used this:

To export:

save configuration Config.txt

Note: you might want to delete some lines in the exported config file before importing it again. check out what will be set by loading this file and delete everything you don't want

export this too via scp to somewhere and then import it on the new FW

To import:

set clienv on-failure continue
load configuration Config.txt
set clienv on-failure stop
save config

View solution in original post

PhoneBoy · ‎2022-06-15

You are using the legacy migration tools, which are only supported to migrate to/from same version.
These are the new tools to use: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

_Val_ · ‎2022-06-15

To make sure, are you migrating SmartCenter Server or a Security Gateway?

the_rock · ‎2022-06-15

If its ONLY firewall part, then simply do show configuration and copy over the config output to new machine. If its mgmt server, then yes, you can do migrate export, or migrate server starting R80.20.

Vladimir · ‎2022-06-15

@the_rock , bad idea. Copy/paste config can play havoc with migrating Gaia config.

On source GW, save configuration <filename> should be executed.

On destination, you should use:

set clienv on-falure continue

load configuration <filename

when successfully completed (you may see iterating counter as lines are being processed), run

set clienv on-failure stop

then,

save config

the_rock · ‎2022-06-15

With all due respect @Vladimir , I disagree. I had done it way I mentioned countless times and never ever had a single issue. Not saying your way is wrong though : - )

Vladimir · ‎2022-06-15

There is an sk somewhere that describes the process, but I am speaking from experience of actually stepping on this rake myself a few times in the past.

In relatively simple configurations, copy/paste may very well work.

In a more complex ones, you'll be able to paste, but look out for errors processing some of the lines.

It seems that in version R81 (and presumably later), we may actually use "save configuration <filename>" and "load configuration <filename>" without changing clienv settings, but until few months ago, I was still moving large clients from R77.30 using described method.

the_rock · ‎2022-06-15

Thats fair...Im type of mentality "whatever works, as long as nothing breaks" brother : - )

Vladimir · ‎2022-06-15

In my case (many years ago) it did though 🙂

I recall comparing resultant config to the original one and seeing chunks of it missing.

Vladimir · ‎2022-06-15

sk102234 Backing up Gaia system level configuration :

To create the configuration file, use the following procedure:

Log in to the command line on the Security Gateway or Security Management.
Run the following command with the filename of your choice:
HostName > save configuration <filename>

This will create a file with your current system level configuration in the home directory of the current user.
For example, if logged in as "admin", the file will be located in /home/admin.

To load the configuration, use the following procedure:

Run Gaia First time configuration Wizard first when loading the configuration to a Gaia fresh installed device.

Copy the file into the home directory of the user you will log in as.
For example, if you will log in as "admin", put the file in /home/admin.
Log in to the Security Gateway or Security Management server.
Run the following command using the name of the configuration file.
A message will display showing the current progress and any errors that are encountered.
Then save config to commit the changes:

HostName > set clienv on-failure continue
HostName > load configuration <filename>
HostName > set clienv on-failure stop
HostName > save config

_Val_ · ‎2022-06-15

@Vladimir has a point, @the_rock

There are certain things that are locked in a protected mode. When you declare on-failure status, those things can be safely overwritten with new data. Otherwise, as Vladimir mentioned, you may end up in an inconsistent state.

cem82 · ‎2022-08-31

I'd check fwkern.conf as well and see if anything is still relevant / required. Also if running any cron job scripts to copy those off too 🙂

ITBbag · ‎2022-08-24