Professional Documents
Culture Documents
Migration Workflow
Migrate Command Reference
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 1/18
3/20/2018 Advanced Upgrade and Database Migration
IPv6 addresses to an Environment that contains only IPv4 addresses
Solaris
Although Solaris is a legacy platform (unsupported for new installations), you can migrate the Solaris
database to Windows and SecurePlatform and Gaia. But only from Check Point versions in the supported
upgrade path. See the R77 Release Notes.
The database migration procedure for Solaris is the same as for SecurePlatform and Gaia, as
described in this chapter.
For SmartDomain Manager
To export the SmartDomain Manager database from a legacy platform, use the R77 SecurePlatform
DVD. Only two menu options are available:
preupgrade verification
mds export
Migration Workflow
In this section:
General Workflow
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 2/18
3/20/2018 Advanced Upgrade and Database Migration
This section includes a procedural overview for database migration and continues with detailed procedures
for each platform. Also included are special procedures for migrating:
Migration Workflow
General Workflow
First read the Release Notes to make sure that your upgrade path is supported.
If the target Security Management Server will not use the IP address of the source, prepare the
environment to recognize the new IP address. Do this before you do the steps below.
Important - Put all extracted files in the same directory, and run the tools from this
directory.
3. Make sure the files have executable permissions. For example, In the temporary directory, run
chmod 777 *
4. Run fw logswitch to close the SmartView Tracker log files and the SmartLog data. Only closed logs
are migrated.
5. Close all Check Point GUI clients that are connected to the Security Management Server.
Alternatively, if this is a computer that is not in production, run cpstop on the source computer.
Important - If you do not close the GUI clients or run cpstop, the exported management
database can become corrupted.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 3/18
3/20/2018 Advanced Upgrade and Database Migration
6. Make sure the source server and the target server have network access.
The source and target servers must be connected to a network.
The connected network interface must have an IP address.
On SecurePlatform, the ifconfig command output must show that the interface is UP.
On Windows, the interface must be enabled in the Network Connections window.
9. If the target server must have a different IP address than the source server, make the necessary
changes on the source server.
2. Get the most updated migration tools package for the target platform (recommended) or use the
installed migration tools in $FWDIR/bin/upgrade_tools on Unix platforms or
%FWDIR%\bin\upgrade_tools on Windows.
3. Import the management database from the source server to the target.
If SmartReporter is installed on the source server, import the Log Consolidation database.
If SmartEvent is installed on the source server, import the SmartEvent Events database.
4. If the target server has a different IP address than the source server, make the necessary changes to
the license and target computer.
If the target server is a different platform that the source server, edit the database.
There are additional steps for a Security Management Server that manages VSX Gateways in these
configurations:
From a Security Management Server to a new Domain Server or Security Management Server
From a Domain Server to a new Domain Server
1. Create a new host object in SmartDashboard with the IP address of the target Security Management
Server.
2. Define a Firewall rule that lets this new Security Management Server connect to Security Gateways.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 4/18
3/20/2018 Advanced Upgrade and Database Migration
CPD (TCP 18191)
1. Define the previous Firewall rule again for the VSX policy.
When migrating from a Security Management Server with only IPv4 addresses to:
Security Management Server with only Follow the normal migration process.
IPv4 addresses
Security Management Server with only Enable IPv6 on the Source Operating System
IPv6 addresses before exporting the database
After importing the database, change the IP
address of the management
Security Management Server with a Enable IPv6 on the Source Operating System
mixture of IPv4 and IPv6 addresses. before exporting the database
After importing the database, add the IPv6
addresses
Domain Server with IPv4 addresses Follow the normal migration process.
Domain Server with a mixture of IPv4 Enable IPv6 on the Source Operating System
and IPv6 addresses before exporting the database
After importing the database, add the IPv6
addresses
When migrating from a Security Management Server with only IPv6 addresses to:
Security Management Server with only After importing the database, change the IPv6 address
IPv4 addresses of the management to IPv4
Security Management Server with only Follow the normal migration procedure
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 5/18
3/20/2018 Advanced Upgrade and Database Migration
IPv6 addresses
Security Management Server with a After importing the database, add the IPv4 addresses
mixture of IPv4 and IPv6 addresses.
Domain Server with IPv4 addresses After importing the database, remove IPv6 addresses
from the management object in SmartDashboard and
add IPv4
When migrating from a Security Management Server with a mixture of IPv4 and IPv6 addresses to:
Security Management Server with only After importing the database, remove the IPv4 address
IPv6 addresses from the management
Domain Server with IPv4 addresses After importing the database, remove the IPv6 address
from the management object in SmartDashboard
Domain Server with a mixture of IPv4 Follow the normal migration procedure
and IPv6 addresses
Domain Server
When migrating from a Domain Server with only IPv4 addresses to:
Security Management Server with only Follow the normal migration procedure
IPv4 addresses
Domain Server with IPv4 addresses Follow the normal migration procedure
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 6/18
3/20/2018 Advanced Upgrade and Database Migration
Enable IPv6 on the Operating System
Add IPv6 Addresses
When migrating from a Domain Server with a mixture of IPv4 and IPv6 addresses to:
Security Management Server with only Disable IPv6 on the source Operating System
IPv4 addresses before exporting the database
After importing the database, change the IP
address of the management to IPv4
Security Management Server with only After importing the database, remove the IPv4 address
IPv6 addresses from the management.
Domain Server with IPv4 addresses Disable IPv6 on the source Operating System
before exporting the database
Remove the IPv6 address from the target
Domain Server object in SmartDashboard
Domain Server with a mixture of IPv4 Follow the normal migration procedure
and IPv6 addresses
Alternatively, you can get the migration tools package from the target computer.
Use FTP, SCP or similar. The source directory can be anywhere, such as /var/tmp.
The migration tool files are contained in a compressed package. The files in the package are:
migrate
migrate_conf
migrate export
migrate import
Action Items
Errors - Issues that must be resolved before you can continue with the upgrade. If you proceed
without correcting these errors, the upgrade may fail, or you may have problems after upgrade.
Warnings - Issues that are recommended to resolve before or after the upgrade.
4. Do the instructions shown on the screen. This creates the <exported database name>.tgz file.
5. You are prompted to create a backup image for automatic revert. There is no need to create a
backup image now because exporting the management database does not change the system.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 8/18
3/20/2018 Advanced Upgrade and Database Migration
8. From the Security Management Upgrade Option screen, select Export Security Management
configuration. Press N to continue.
10. If the Pre-Upgrade Verification fails, correct the errors and restart this procedure from the step 2.
Otherwise, press N to continue.
11. In the Export window, press N to continue. The management database is saved in
/var/tmp/cpexport.tgz.
On IPSO
2. Run:
<path to migration tools directory>/migrate export <exported database name>.tgz.
3. Do the instructions shown on the screen. This creates the <exported database name>.tgz file.
On Windows - CLI
3. Do the instructions shown on the screen. This creates the <exported database name>.tgz file.
If the wizard does not start automatically, run setup.exe from the DVD.
5. Select Export.
6. Use one of these options to get the upgrade utilities.
Download the most recent upgrade utilities from the Support center.
Use the upgrade utilities that you downloaded to your local disk.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 9/18
3/20/2018 Advanced Upgrade and Database Migration
Use the upgrade utilities on the DVD.
7. When prompted, do not disable the Perform Pre-Upgrade verification now option.
8. If there are pre-upgrade verification errors, correct them and start this procedure again from step 3.
Otherwise, click Next to continue.
9. Enter path and management database export file name. The default is:
c:\temp\cp_db_configuration.tgz.
2. Copy the management database file that you exported from the source computer to a directory of
your choice on the target computer. Use FTP, SCP or similar.
3. Run:
<path to migration tools directory>/migrate import <path to the file>/<exported database
name>.tgz.
To IPSO
2. Run:
<path to migration tools directory>/migrate import <path to the file>/<exported database
name>.tgz.
To Windows
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 10/18
3/20/2018 Advanced Upgrade and Database Migration
1. Copy the management database file that you exported from the source computer to a directory of
your choice on the target computer. Use FTP, SCP or similar.
If the primary Security Management Server is not available, convert the secondary Security
Management Server to a primary Security Management Server. To get assistance with this step,
contact Check Point Technical Support or your vendor.
3. Import the management database file to the new primary Security Management Server.
6. Synchronize the new secondary Security Management Server with the new primary Security
Management Server.
1. Update the Security Management Server licenses with the new IP address. If you use central
licenses, they must also be updated with the new IP Address.
2. Run cpstop
3. Run cpstart
1. Remove the host object and the rule that you created before migration.
2. Update the primary Security Management Server object to make the IP Address and topology
match the new configuration.
6. On the DNS, map the target Security Management Server host name to the new IP address.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 11/18
3/20/2018 Advanced Upgrade and Database Migration
After migration:
1. Connect with the SmartDashboard to the target Security Management Server.
Example:
Tools
Use the evs_backup utility to backup the SmartEvent and SmartReporter database and configuration
files, and place them in a compressed file. Use the version suitable for the target platform. Download
it from the Support Center, or from the $RTDIR/bin directory on the target Unix platform.
Use the evs_backup_extractor utility to restore the backup file.
Use the migration tools to backup and restore the Security Management database and files. Use the
version suitable for the target platform. Download it from the Support Center, or from
$FWDIR/bin/upgrade_tools/ directory on the target Unix platform.
Backup Procedure
Run the following commands in Expert mode. Use different file name for each of the utilities:
# cd $FWDIR/bin/upgrade_tools/
# cd $RTDIR/bin
Restore Procedure
Copy the backup files to the target platform and run these commands in Expert mode:
# cd $FWDIR/bin/upgrade_tools/
# ./migrate import <file name 1>
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 12/18
3/20/2018 Advanced Upgrade and Database Migration
# cd $RTDIR/bin
Use this procedure to back up reports from a Windows platform or to a Windows platform.
For example:
:generation_result_location ("/var/opt/CPrt-R77/Results")
3. Create an archive of the files in the directory specified by this entry. In this example:
/var/opt/CPrt-R77/Results .
We will refer to this directory as <results dir>.
cd <results dir>
tar zcvf /var/tmp/results.tgz <results dir>
1. If the target server has a newer version than the source server, create a new directory with the same
name as <results dir>:
mkdir –p <results dir>
The database migration procedure automatically migrates the SmartReporter management database to the
target server. However, it does not migrate the SmartReporter consolidation database. If you have
SmartReporter installed on the source server, you must do several additional steps to migrate the database
to the target.
Starting R75.40VS and R75.45, SmartReporter can have MySQL or PostgreSQL as the underlying database
for consolidated records data. MySQL is still used for upgrades, and PostgreSQL is used in new installations.
To export and import the SmartReporter database, use the procedure that is appropriate for the underlying
database: MySQL or PostgreSQL.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 13/18
3/20/2018 Advanced Upgrade and Database Migration
To create the SmartReporter MySQL database export file on the source server:
1. Run cpstop.
2. Find and open the MySQL configuration file using a text editor:
On SecurePlatform: $RTDIR/Database/conf/my.cnf.
On Windows: %RTDIR%\Database\conf\my.ini
Use this file to locate directory names for use in the next steps.
4. Create the database export file. Assign the name datadir.tgz to this file.
1. Go to the directory specified by the datadir= <xxx> parameter in the MySQL configuration file.
2. Use GNU tar/gzip utilities to create an archive file containing all files in the directory specified
by the datadir=<xxx> setting. For example on SecurePlatform use:
tar zcvf datadir.tgz <datadir setting>
5. Backup these items to a different device (USB drive, DVD, FTP server, network location, etc.):
The datadir export file (datadir.tgz).
The MySQL configuration file (my.cnf or my.ini). After copying the file to a backup device,
rename the file by appending a .old suffix to the file name. For example, rename file my.cnf
to my.cnf.old. (Import scripts require this suffix.)
Company logo image files located in the $RTDIR/bin (%RTDIR%\bin on Windows) directory.
Custom distribution scripts located in $RTDIR/DistributionScripts
(%RTDIR%\DistributionScripts on Windows).
2. Run cpstop.
3. Copy:
For SecurePlatform: my.cnf.old to $RTDIR/Database/conf/
For Windows: my.ini.old to %RTDIR%\Database\conf.
Note - If you are migrating to a platform where the name of configuration file is
different (for example, migrating from Windows to SecurePlatform) rename the
configuration file accordingly.
4. Copy these files from the backup device to the target server:
The SmartReporter exported database file (datadir.tgz) to the one of these locations:
SecurePlatform: $RTDIR/bin
Windows: %RTDIR%\bin
Company logo image files to the $RTDIR/bin (%RTDIR%\bin on Windows) directory.
Custom distribution scripts to the $RTDIR/DistributionScripts
(%RTDIR%\DistributionScripts on Windows) directory.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 14/18
3/20/2018 Advanced Upgrade and Database Migration
1. Run cpstop
2. Run:
cpprod_util CPPROD_SetValue "Reporting Module" DefaultDatabase 1 "MySQL" 1
2. Run:
./EVR_DB_Upgrade -mysql "<absolute path to file>/<SmartReporter database export
file>.tgz"
3. If you are not using the default directory paths, change these fields in the MySQL configuration file to
match the locations of these directories:
datadir=
innodb_log_group_home_dir=
innodb_data_file_path=
4. Run cpstart
6. In SmartReporter, from the Consolidation tab, remove the existing consolidation session and create
a new one.
To create the SmartReporter Postgresql database export file on the source server:
1. Run cpstop
2. On Gaia/SecurePlatform/Linux, run
cd $RTDIR/bin
On Windows, run
cd %RTDIR%\bin
3. On Gaia/SecurePlatform/Linux, run
eva_db_backup.csh -filename <backupfilename> -database EvrDb
On Windows run:
eva_db_backup.bat -filename <backupfilename> -database EvrDb
Where <backupfilename> is the full path and name of the database records backup file. Create the
file in /var/log or another partition or disk with enough space. See the R77 Release Notes for the
database disk space requirements.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 15/18
3/20/2018 Advanced Upgrade and Database Migration
1. If you have not already done so, install R77 and SmartReporter on the target server.
2. Run cpstop
3. Copy the file backupfilename from the backup device to this directory on the target server:
On Gaia/SecurePlatform/Linux:
/var/$RTDIR
On Windows:
%RTDIR%\bin
However, if you have another unused partition or disk, save it there.
4. On Gaia/SecurePlatform/Linux, run
$RTDIR/bin/eva_db_restore.csh -filename <backupfilename> -database EvrDb
On Windows run:
%RTDIR%/bin/eva_db_restore.bat -filename <backupfilename> -database EvrDb
Where <backupfilename> is the full path and name of the database records backup file.
5. Run cpstart
6. In SmartReporter, from the Consolidation tab, remove the existing consolidation session and create
a new one.
While the database migration procedure automatically migrates the SmartEvent management database to
the target computer, it does not migrate the SmartEvent events database. If you have SmartEvent installed
on the source server, you must do more to migrate the events database to the target.
Note - The Events Database can be very large, and the manual migration take time. These steps explain
how to use the eva_db_backup and eva_db_restore scripts with the default options. By default, the
commands are run without options. You must have write permissions for the current directory.
3. Copy the backup file created by the tool to the destination machine. By default, the name of a backup
file is: <current date>-events_db.backup.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 16/18
3/20/2018 Advanced Upgrade and Database Migration
On Windows, run: %RTDIR%\bin\eva_db_restore.exe -filename <path to the backup file>
If it has DONE in online_status or background_status attribute of the Database section, delete DONE
and save the file.
7. Run: cpstart
On Destination server:
1. Run: cpstop
If you get an error that the database does not exist, ignore it.
The second action may take a long time, depending on the Source machine database size.
If it shows DONE in the online_status or background_status attribute of the Database section, delete
DONE and save the file.
7. Run: cpstart
Before you run this command for export, close all SmartConsole clients or run cpstop on the Security
Management Server.
Before you run this command for import, run cpstop on the Security Management Server.
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 17/18
3/20/2018 Advanced Upgrade and Database Migration
Syntax:
migrate (export | import) [-l] [-n] <filename>
Parameters:
Value Description
export One of these actions must be used. Make sure services are
import
stopped.
filename Required. Enter the name of the archive file that contains the
Security Management Server database. The path to the
archive must exist.
Top of Page©2014 Check Point Software Technologies Ltd. All rights reserved.Download Complete PDF Send Feedback Print
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/16535.htm 18/18