Domain Migration in R80.x
Solution

Table of Contents

  • Migration of Domain Server between Multi-Domain Management servers
  • Domain Backup/Restore
  • Domain migration between Security Management and Multi-Domain Management servers
  • Known Limitations

Domain Migration and Backup/Restore is available in:

  • R80.40 and higher
  • R80.30 Jumbo HFA starting from Take 135
  • R80.20 Jumbo HFA starting from Take 117

Migration of Domain Server between Multi-Domain Management servers

To Export a Domain:

  • Run:
    # mgmt_cli -d "System Data" migrate-export-domain domain <domain name> file-path <full path to file> include-logs <true|false>

     

    To Import into Multi-Domain Management Server:

    • Run:
      # mgmt_cli -d "System Data" migrate-import-domain file-path <full path to file> include-logs <true|false>
    • For each Security Gateway and Cluster in the Domain, install the Security policy to receive all logs from them.

       

      Domain Backup/Restore

      Taking a Backup of a Domain:

      Run the command:
      # mgmt_cli backup-domain domain <domain name | domain uid> file-path <full path>

      Restoring a Domain:

      1. Run:
        # mgmt_cli restore-domain file-path <full path> verify-only true
      2. Delete the Domain
      3. Run:
        # mgmt_cli restore-domain file-path <full path> verify-only false
        (The default value of verify-only is false)
      4. Restore the Standby Domain servers and Domain Log servers (they must be created with the same name and IP address):
        1. For each Standby Domain server, run:
          # mgmt_cli set-domain name <domain name | domain uid> servers.add.ip-address <domain server's IP> servers.add.name <domain server name> servers.add.multi-domain-server <MDS name> servers.add.backup-file-path <full path> --format json
        2. For each log server, run:
          # mgmt_cli set-domain name <domain name | domain uid> servers.add.ip-address <domain server's IP> servers.add.name <domain server name> servers.add.multi-domain-server <MDS name> servers.add.backup-file-path <full path> --format json servers.add.type "log server"
      5. Add GUI clients and administrators to the Domain
      6. For each Security Gateway and Cluster in the Domain, install the Security policy to receive all logs from them.
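
The restore sequence above as an added sketch, not Check Point code: verify_backup gates the Domain deletion in step 2 on the verify-only pass, and server_cmd prints the step 4 set-domain command for each Standby Domain server or Domain Log server. The MGMT_CLI override, the assumption that mgmt_cli exits non-zero on failure, and the pipe-separated inventory format with its sample names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumptions: MGMT_CLI (overridable for
# dry runs), a non-zero mgmt_cli exit status on failure, the inventory format.
MGMT_CLI=${MGMT_CLI:-mgmt_cli}

# Step 1 gate: run before deleting the Domain (step 2). Succeeds only if the
# backup file is readable and the verify-only pass reports no error.
verify_backup() {
    [ -r "$1" ] || { echo "backup not readable: $1" >&2; return 2; }
    "$MGMT_CLI" restore-domain file-path "$1" verify-only true
}

# Step 4: print the set-domain command for one inventory line of the form
#   <server name>|<server IP>|<MDS name>|<standby|log>|<backup file>
# Names and IPs must match the servers that existed when the backup was taken.
server_cmd() {
    IFS='|' read -r name ip mds kind file extra <<EOF
$2
EOF
    if [ -z "$file" ] || [ -n "$extra" ]; then
        echo "bad inventory line: $2" >&2; return 2
    fi
    cmd="mgmt_cli set-domain name \"$1\" servers.add.ip-address $ip"
    cmd="$cmd servers.add.name $name servers.add.multi-domain-server $mds"
    cmd="$cmd servers.add.backup-file-path $file --format json"
    case $kind in
        standby) ;;
        log) cmd="$cmd servers.add.type \"log server\"" ;;
        *) echo "unknown server type: $kind" >&2; return 2 ;;
    esac
    printf '%s\n' "$cmd"
}

# Constructed sample inventory (documentation addresses, hypothetical names).
SAMPLE_INVENTORY='DomA_Standby|192.0.2.11|MDS_B|standby|/var/tmp/DomA_standby.tgz
DomA_Log|192.0.2.21|MDS_B|log|/var/tmp/DomA_log.tgz'

# Print the step-4 commands for every line of an inventory, for operator review.
restore_plan() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        server_cmd "$1" "$line" || exit 2
    done
}
```

Run verify_backup first and delete the Domain only if it returns 0; review the output of restore_plan before running the printed commands.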

       

      Domain migration between Security Management and Multi-Domain Management servers

      Before migrating:

      1. Check the Disk Space: The hard disk on the target machine must be at least 5 times the size of the exported database.
      2. Publish the changes you want to migrate. Only published changes are exported.


      Migrating from Security Management Server to Domain Management Server

      Export Security Management Server:

      1. Make sure all processes are up and running, using the "cpwd_admin list" command.
      2. Run the fw logswitch command to close the active log files. Only closed logs are migrated.
      3. If the target server has a different IP address than the source server, you must prepare the source database before the export:
        • Create a new host object in SmartConsole with the IP address of the target Security Management Server.
        • Add an Access Policy rule to each installed policy that lets the new host connect to Security Gateways:
          Source      Destination  Service
          New server  Any          FW1 (TCP 256), CPD (TCP 18191), FW1_CPRID (TCP 18208)
        • For VSX, add a rule to VSX policy as well (see sk167639 for specific instructions for migration with VSX)
        • Install the edited Security policy on all Security gateways.
      4. Log in via API command to the "System Data" level and run migrate export to create a database archive file.
        Run:
        # mgmt_cli -d "System Data" migrate-export-domain file-path <full path to file> include-logs <true|false>


      Import to a Multi Domain Management Server:

      1. Install the Multi-domain Management Server on the target server. 
        Note: For an existing Multi-Domain Management Server, create backup prior to importing new Domain Management Server.
      2. Copy the management database file that you exported from the source server to a directory of your choice on the target server. Use FTP, SCP or similar.
      3. Log in via API command to the "System Data" level and run migrate import (for R80.20 JHF and R80.30 JHF, add the option "exported-from-mds false"). See examples below. The command will create a new Domain and new Domain Management Server, and import the source database (There is no need to create the domain prior to the migration).
        Note: Make sure the Domain name you wish to create does not conflict with the existing Domains.
        1. Run for R80.40:
          # mgmt_cli -d "System Data" migrate-import-domain domain-name <domain name> domain-server-name <server name> domain-ip-address <server ip> file-path <full path to file> include-logs <true|false>
        2. Run for R80.20 JHF and R80.30 JHF:
          # mgmt_cli -d "System Data" migrate-import-domain domain-name <domain name> domain-server-name <server name> domain-ip-address <server ip> file-path <full path to file> include-logs <true|false> exported-from-mds false
      4. Test the target deployment.
      5. Disconnect the source server from the network.
      6. Add a GUI Client.
      7. In GuiDBedit, edit hosted_by to see logs (see sk123593).
      8. Install the Security policy on all Security Gateways and Clusters.

       

      Migrating from Domain Management Server to Security Management Server

      Export Domain Management Server:

      1. Make sure all processes are up and running, using the "mdsstat -m" command.
      2. Run the fw logswitch command to close the active log files. Only closed logs are migrated.
        Note: Run logswitch in the Domain context. To switch to it, first run mdsenv <IP Address or Name of Domain Server>
      3. If the target server has a different IP address than the source server, you must prepare the source database before the export. Do not change the hostname in the import.
        • Create a new host object in SmartConsole with the IP address of the target Security Management Server. 
        • Add an Access Policy rule to each installed policy that lets the new host connect to Security Gateways:
          Source      Destination  Service
          New server  Any          FW1 (TCP 256), CPD (TCP 18191), FW1_CPRID (TCP 18208)
        • For VSX, add a rule to VSX policy as well (see sk167639 for specific instructions for migration with VSX)
        • Install the edited Security policy on all Security gateways.
      4. Log in via API command to the "System Data" level and run migrate export to create a database archive file.
        Run:
        # mgmt_cli -d "System Data" migrate-export-domain domain <domain name> file-path <full path to file> include-logs <true|false>


      Import to a Security Management Server:

      1. Install the Security Management Server on the target server. If you change the IP address, make sure to use the same hostname and add a license for the SMS.
      2. Copy the management database file that you exported from the source server to a directory of your choice on the target server. Use FTP, SCP or similar.
      3. Run the migrate_import_domain.sh script: 
        # $MDS_FWDIR/scripts/migrate_import_domain.sh -sn <server name> -dsi <server ip>  -o <path to export file>
      4. Test the target deployment.
      5. Disconnect the source server from the network.
      6. Add SmartConsole Administrator via cpconfig
      7. Add GUI Client via cpconfig
      8. Install the Security policy on all Security Gateways and Clusters.

       

      Known Limitations

      Limitations for:

      • Migration of Domain from one server to another
      • Migration of Domain Server between Multi-Domain Management servers
      • Domain Backup/Restore

      Domain Server Backup/Restore is supported only on the same physical Multi-Domain Management machine.
      Domain Backup/Restore is supported only via Management APIs (CLI and REST).
      Restoring a Domain with Global Policy is supported only if the assigned Global Domain Revision (while taking the CMA backup) was not purged. 
      Multiple Domain backups can be taken at different times and restored, but only the latest changes at the time the backup was taken are restored. Older Revisions are not available.
      After restoring a Domain Server, manually edit Admins and GUI Clients to give them access to the restored Domain Server. 
      Hit Count data is not migrated.
      Migrating more than one Domain at a time is not supported.
      In a High Availability configuration, you must restore all the members, standby Domain servers and Log servers before working on the restored Domain. 
      Migrating a Domain is possible only when the source and the destination have the same version installed.
      The time it takes to migrate a Domain depends on the size of the Domain. It can take up to one hour. Migrating very large Domains may take more time.
      A backup of a Domain can be taken only from the Multi-Domain Management where the domain is active and primary.
      A backup of a Domain is blocked if the domain contains objects related to VSX. Refer to sk167639 for instructions.
      Global Domain migration is supported only in non-HA systems.
      Global Domain migration is blocked in the import phase when there are Domains assigned to the Global Domain on the target machine.
      Local Domain migration is blocked in the import phase if the Global Domain version that the Domain is assigned to is missing from the target machine. Reassign the Global Domain to all Domains that should be exported before exporting the Global Domain and the local Domains.

      Limitation for Domain migration between Security Management and Multi-Domain Management servers

      After migrating a Domain Server, manually edit Admins and GUI Clients to give them access to the restored Domain Server.
      Hit Count data is not migrated.
      Migrating more than one Domain at a time is not supported.
      In a High Availability configuration, only the active Domain Management Server is exported and can be migrated. 
      The time it takes to migrate a Domain depends on the size of the Domain. It can take up to one hour. Migrating very large Domains may take more time.
      Domain migration is blocked if the domain contains objects related to VSX. Refer to sk167639 for instructions.
      Migrating a Domain is possible only when the source and the destination have the same version installed.
      Migration of a Domain that is assigned to the Global Domain isn't supported (will be supported in a future release).
      Exporting Endpoint Management Server is not supported.
      An export of a domain can be taken only from the MDS where the domain is active and primary.
