Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JozkoMrkvicka
Mentor
Mentor
Jump to solution

MDS migration from R77.30 to R80.20

Hello guys,

I would like to test how migration works if I want to migrate all CMAs inside R77.30 MDS to the R80.20 MDS.

I have working R77.30 MDS with around 5 CMAs (clusters + VSXs).

It is possible to run R80.20 Check Point Pre-Upgrade Verifier tool from R77.30 MDS level ? I mean, to verify all CMAs at once to check if I have any errors and/or warnings.

The syntax of PUV is as follows:

[Expert@MDS:0]# ./pre_upgrade_verifier

This is Check Point Pre-Upgrade Verifier for version R80.20.

Usage: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -t TargetVersion [-u | -a][-f FileName] [-w]
Or: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -i [-f FileName] [-w]
-p Path of the installed Security Management Server (FWDIR).
-c Currently installed version.
-t Target version.
-i Check originality of Inspect files only.
-u Perform plug-in related checks.
-a Skip main train version checks, perform plug-in related checks only.
-f Output in file.
-w Web format file.

I have used "-p" argument to choose exact CMA path. There is no way how to say R80.20 PUV that I would like to run it for all CMAs found on R77.30 MDS ?

Once all R77.30 CMAs are "green" based on R80.20 PUV, what is the correct way to move all R77.30 CMAs to the new R80.20 MDS ? Using "migrate export" I can export only 1 CMA, or ?

Check Point has so many tools available (migrate, upgade, mds_backup, cma_migrate) for specific scenarios that I am confused which one is for what purpose...

Thanks for every comment.

Kind regards,
Jozko Mrkvicka
1 Solution

Accepted Solutions
Ofir_Shikolski
Employee
Employee

You meant to mds_export and mds-import

it is part of the upgrade guide Upgrading one Multi-Domain Server 

This one : Upgrading one Multi-Domain Server with Advanced Upgrade  

View solution in original post

10 Replies
Ofir_Shikolski
Employee
Employee

You can use cpuse to verify it Smiley Happy

To do the upgrade, I will recommend to collect backup on a remote site and to upgrade all at once.

In order to use pre_upgrade_verifier , I think that is should be done as follow: please check if this R80.20 

extract the migrate_tool , chmod 777 * OR chmod +x pre_upgrade_verifier

source $MDS_CPDIR/tmp/.CPprofile.sh

source $MDS_SYSTEM/shared/bin_definitions.sh

TMOUT=0 ; export TMOUT

COLUMNS=256 ; export COLUMNS

#For MDMS (CMAs) 

for CMA in $($MDSVERUTIL AllCMAs | sort ); do

mdsenv "$CMA"

mcd tmp

/home/admin/migrate_tool/pre_upgrade_verifier -p $FWDIR -c R77 -t R80.20

done

# for MDM (MDS)

mdsenv

mcd tmp

/home/admin/migrate_tool/pre_upgrade_verifier -p $FWDIR -c R77 -t R80.20

JozkoMrkvicka
Mentor
Mentor

Nice idea to create script to check all CMAs

Just want to mention that I dont want to upgrade MDS. I have one R77.30 MDS and I would like to move all R77.30 CMAs to the freshly installed R80.20 MDS.

I will try "mds_backup" on R77.30 and "mds_restore" on R80.20, but I am almost 100% sure it will fail because the version is not the same...

Kind regards,
Jozko Mrkvicka
0 Kudos
Ofir_Shikolski
Employee
Employee

You meant to mds_export and mds-import

it is part of the upgrade guide Upgrading one Multi-Domain Server 

This one : Upgrading one Multi-Domain Server with Advanced Upgrade  

JozkoMrkvicka
Mentor
Mentor

Exactly what I was looking for

I will check it and do accordingly.

Thank you very much !

Kind regards,
Jozko Mrkvicka
AlekseiShelepov
Advisor
0 Kudos
JozkoMrkvicka
Mentor
Mentor

In facf all the steps for R80.20 are provided in link mentioned by ofirsea040d26-f1f2-3b12-9fc6-5c89debaf56c‌:

Installation and Upgrade Guide R80.20 

To sum it up:

  1. Transfer R80.20 ISO to the R77.30 MDS
  2. Mount R80.20 ISO
  3. Run "<MOUNT_POINT>/linux/p1_install/mds_setup" script
  4. Follow on-screen wizard to create report (what are errors or warnings) and/or export itself
  5. Transfer export from R77.30 MDS to the R80.20 MDS
  6. Run command "$MDSDIR/scripts/mds_import.sh /var/log/exported_mds.<DATE>.tgz" on R80.20 MDS
  7. Go for coffee (better lunch), as the import took around 3 hours in my case  

The script "mds_setup" will check all created CMAs for possible errors and warning, including Global Policy.

Here is report from R80.20 mds_import.sh tool:

Summary of Upgrade operation:

=====================================================================

Import operation started at: Fri Sep 28 21:51:45 CEST 2018

Multi-Domain Server databases - Success
Import operation for Multi-Domain Server finished at: Fri Sep 28 22:16:04 CEST 2018
Domain Management Server cma_VPN database - Success
Import operation for cma_VPN finished at: Fri Sep 28 22:24:34 CEST 2018
Domain Management Server cma_test database - Success
Import operation for cma_test finished at: Fri Sep 28 22:33:16 CEST 2018
Domain Management Server cma_VSX database - Success
Import operation for cma_VSX finished at: Fri Sep 28 22:42:02 CEST 2018
Domain Management Server cma_imported database - Success
Import operation for cma_imported finished at: Fri Sep 28 23:57:47 CEST 2018

=====================================================================

--------------------------------------------------------------------------------
Import operation ended successfully.
The Multi-Domain Server can be started now.
Please note that first startup takes considerably longer than subsequent starts.
--------------------------------------------------------------------------------
DONE.

Kind regards,
Jozko Mrkvicka
JozkoMrkvicka
Mentor
Mentor

Well, the migration from R77.30 MDS to R80.20 MDS went smoothly (relatively).

At the moment, I have problem that after migration I cannot login into R80.20 SmartConsole, because following error:

API is also not working, because:

[Expert@MDS_R8020:0]# api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 23177
CPM Started 6839 Check Point Security Management Server is running and ready
FWM Started 17075
APACHE Started 4964

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test FAILED. The server is down and unable to receive connections!

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Once I want to add new Administrator from "mdsconfig", it shows that "Authentication to Server 127.0.0.1 failed.".

It is worth to mention, that my R77.30 MDS has leading IP address 192.168.135.10, but my R80.20 has 192.168.135.99.

During migration process, I was asked to change IP:

Multi-Domain Server IP address is 192.168.135.10 while your machines IP is 192.168.135.99.
Would you like to change your Multi-Domain Server IP address to 192.168.135.99 [yes/no] ? yes

Not sure if this can be somehow related ... I can do fresh install on R80.20 and configure it to use the same IP as my R77.30 MDS.

Kind regards,
Jozko Mrkvicka
0 Kudos
Ofir_Shikolski
Employee
Employee

I'm using the same IP on my MDM.

Might be interesting to check How to change the IP address of a Multi Domain Management Server 

Also, did you check if there is a license issue? # mdsenv ; cplic print

0 Kudos
JozkoMrkvicka
Mentor
Mentor

OK, I did test and I have created new R80.20 MDS with the same hostname, the same IP address.

After FTW on R80.20 MDS I didnt put licenses.

Once migration was completed, I see that I have licenses from migrated R77.30 MDS and all is working correctly from now on.

During my first try I have put eval licenses on R80.20 MDS. After migration has been completed, I have removed the old licenses with wrong IP addresses. There were 2 lics assigned to IP 192.168.135.10 and 2 lics assigned to 192.168.135.99.

I will validate it further.

Kind regards,
Jozko Mrkvicka
JozkoMrkvicka
Mentor
Mentor

Hi ofirsea040d26-f1f2-3b12-9fc6-5c89debaf56c‌,

The original issue with "Authentication to Server 127.0.0.1 failed." was solved by How to change the IP address of a Multi Domain Management Server .

It may be also related to the fact that I have MDS HA available and Primary MDS has IP 192.168.135.10 and Secondary MDS has IP 192.168.135.99. I did migration from 192.168.135.10 to .99, which might cause some troubles, because at the moment I have both MDSs with the same IP

Anyway, you helped a lot and I would like to thank you !

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events