Migrating from Check Point from R77.30 to R80.10
Hello colleagues, welcome to the Check Point R77.30 database migration lesson on R80.10.
When using Check Point products, sooner or later the task arises of migrating existing rules and the object database for the following reasons:
- When purchasing a new device, you must migrate the database from the old device to the new device (to the current version of GAIA OS or higher).
- You must upgrade your device from one version of GAIA OS to a higher version on the local machine.
To solve the first problem, only using a tool called the Management Server Migration Tool or just the Migration Tool is suitable. To solve problem No. 2, the CPUSE or Migration Tool solution can be used.
Next, we consider in more detail both methods.
Update to a new device
Database Migration involves installing the latest version of Management on a new machine, and then migrating the database from the existing Security Management server to the new one using the Migration Tool. This method minimizes the risk of updating for an existing configuration.
In order to migrate the database through the Migration Tool, you must meet the requirements :
- Free disk space should be 5 times larger than the archive size of the exported database.
- On the target server, the network settings must match the source server.
- Creating a backup. Export the database to a remote server.
The GAIA operating system already has the Migration Tool; it can be used when importing a database or to migrate to a version of the operating system that is identical to the initial one. In order to migrate the database to a higher version of the operating system, you need to download the Migration Tool of the corresponding version from the "Tools" section on the Check Point R80.10 support site:
- Backup and migration of SmartEvent / SmartReporter Server. The backup and migrate export utilities do not include SmartEvent database / SmartReporter database.
For backup and migration you need to use the utilities 'eva_db_backup' or 'evs_backup'.
Note: article sk110173 in the CheckPoint Knowledge Base.
Let's consider what functions this tool contains:
Before proceeding directly to data migration, you must first unzip the downloaded Migration Tool into the folder “/ opt / CPsuite-R77 / fw1 / bin / upgrade_tools /
Before running the command for export or import, close all SmartConsole clients or run cpstop on the Security Management server.
To create a management database export file on the source server:
- Enter expert mode.
- Run the pretest tool: pre_upgrade_verifier -p $ FWDIR -c R77 -t R80.10. If there are errors, correct them before continuing.
- Run: ./migrate export filename.tgz. The command exports the contents of the Security Management Server database to a TGZ file.
- Follow the instructions. The database is exported to the file that you named in the command. Make sure you identify it as TGZ.
- If SmartEvent is installed on the source server, export the event database.
Next, import the security server databases that you exported. Before you begin: Install R80 Security Management Server. I remind you that the network settings of the new Management Server R80.10 must match the settings of the old server.
To import a management server configuration :
- Enter expert mode.
- Transfer (from FTP, SCP, or the like) the exported configuration file to a remote server collected from the source on the new server.
- Disconnect the source server from the network.
- Transfer the configuration file from the remote server to the new server.
- Calculate MD5 for the transferred file and compare with MD5, which was calculated on the source server: # md5sum filename.tgz
- Import Database: ./migrate import filename.tgz
- Check for updates.
Upon completion of paragraph 7, we summarize that the database migration was successful using the Migration Tool, in case of failure, you can always turn on the source server, as a result of which the work will not be affected.
It is worth noting that migration from standalone server is not supported.
CPUSE (Check Point Upgrade Service Engine) automatically updates Check Point products for Gaia. Software update packages are categorized, namely major releases, minor releases and Hotfixes. Gaia automatically finds and displays available software update packages and images related to the version of the Gaia operating system that you can upgrade to. Using CPUSE, you can make a clean install of the new version of GAIA OS, and perform a system upgrade with database migration.
To upgrade to a higher version or perform a clean installation using CPUSE, the machine must have enough free (unallocated) space - at least the size of the root partition.
The transition to the new version is performed on the new partition of the hard drive, and the “old” partition is converted to Gaia Snapshot (the new partition space is taken from the unallocated space on the hard drive). Also, before upgrading the system, it will be correct to make a snapshot and upload it to a remote server.
Update process :
- Check the service pack (if you have not already done so) - check if you can install this package without conflicts: right-click on the package - click "Verifier".
The result should be something like this:
- Installation is allowed
- Upgrade is allowed
- Install the package: right-click the package and click “Upgrade”:
CPUSE shows the following warning in Gaia Portal: After this upgrade, there will be an automatic reboot (Existing OS settings and the Check Point Database are preserved).
- You will see the corresponding progress in data migration after upgrading to R80.10:
- Upgrading products
- Importing database
- Configuring Products
- Creating SIC Data
- Stopping processes
- Starting processes
- Installed, self-test passed
- The system will reboot automatically
- Installing a policy in SmartConsole
As you can see, everything goes very simply, in case of a problem, you can roll back to the old settings using snapshot.
The video tutorial presented contains a theoretical and practical part. The first half of the video duplicates the theoretical part described, and in a practical example data migration is shown using both methods.
In this lesson, we examined Check Point solutions for updating and migrating databases of objects and rules. In the case of a new device, there are no other solutions than using the Migration Tool. If you want to upgrade GAIA OS and you have the desire and the opportunity to re-deploy the machine, our company advises, based on existing experience, to migrate the database using the Migration Tool. This method minimizes the risk of updating for an existing configuration compared to CPUSE. Also, when updating via CPUSE, many unnecessary old files are saved on disk, and an additional tool is required to delete them, which entails additional actions and new risks.
If you don’t want to miss future lessons, then subscribe to our VK group ,Youtube and Telegram . If for any reason you could not find the document you need or solve your problem with Check Point, then you can feel free to contact us .