Domain Migration in versions R80.20 and higher
Solution

Table of Contents

  1. Migration of Domain Server between Multi-Domain Management Servers
    1. Migrating a Global Domain
    2. Exporting a non-Global Domain from a Multi-Domain Management Server
    3. Importing a non-Global Domain into a Multi-Domain Management Server
  2. Backing up / Restoring a Domain
    1. Backing up a Domain
    2. Restoring a Domain
  3. Domain migration between Security Management and Multi-Domain Management servers
    1. Before the migration
    2. Migrating from a Security Management Server to a Domain Management Server
    3. Migrating from a Domain Management Server to a Security Management Server
  4. Known Limitations
  5. Troubleshooting

Support for Domain Migration and Domain Backup/Restore is available in:

  • R80.40 and higher

  • R80.30 with R80.30 Jumbo Hotfix Accumulator Take 135 and higher

  • R80.20 with R80.20 Jumbo Hotfix Accumulator Take 117 and higher

Important Notes:

  • Before you export a database, you must:

    1. Update the Application Control signatures

    2. Update the Anti-Virus, Anti-Bot, and IPS signatures

    3. Discard or publish all sessions

  • In all types of Domain migration, use the latest Upgrade Tools package from sk135172.

    Starting in R81, the Domain migration feature is self-updatable, which allows faster release of features and fixes related to upgrade and migration.

    Security Management Servers / Multi-Domain Management Servers R81 and higher that have online access to checkpoint.com get the latest available Upgrade Tools automatically.


(1) Migration of Domain Server between Multi-Domain Management Servers

Important - Migrating a Domain is possible only when the source and the destination Multi-Domain Servers have the same version installed.

(1-A) Migrating a Global Domain:

You must migrate the Global Domain to the target Multi-Domain Management Server before you migrate a local Domain that is assigned to it.

Local Domain migration is blocked in the import phase if the Global Domain revision that the local Domain is assigned to is missing on the target machine. Therefore, before you export the Global Domain and the local Domains, reassign the Global Domain to every local Domain that you plan to export, so that all of them reference the revision you are about to migrate.

Note: When a Global Domain is migrated, the previous Global Domain on the target is deleted. If Domains on the target are still assigned to the previous Global Domain, the migration is blocked. Do not migrate a new Global Domain while the previous one is in use.

(1-B) Exporting a non-Global Domain from a Multi-Domain Management Server:

See the Management API Reference for your Management Server version.

  • On R81.10 and higher, run:

    mgmt_cli export-management domain-name "NAME_of_DOMAIN" file-path "/var/log/<NAME_of_DOMAIN>_exported.tgz" --domain 'System Data' --format json

  • On R81, run:

    mgmt_cli -d "System Data" migrate-export-domain domain <Domain Name> file-path <Full Path to File>.tgz include-logs {true|false}

(1-C) Importing a non-Global Domain into a Multi-Domain Management Server:

See the Management API Reference for your Management Server version.

  • On R81.10 and higher, run:

    mgmt_cli import-management file-path "/var/log/domain1_exported.tgz" --domain 'System Data' --format json

  • On R81, run:

    mgmt_cli -d "System Data" migrate-import-domain file-path <Full Path to File>.tgz include-logs {true|false}

Notes:

  • After the Domain import, you must connect with SmartConsole to this Domain and install the Security Policy on each managed Security Gateway / Cluster / Virtual System / Virtual Router to receive logs from it.

  • If the Domain contains Security Gateways / Clusters that you manage with the Provisioning Software Blade (SmartLSM):

    • You must install the Security Policy on each SmartLSM Security Profile.

    • If after the migration, the Domain's IP address differs from the IP address before the migration, then after you install the Security Policy on each SmartLSM Security Profile, you must connect to the command line on each managed device and manually fetch the Security Policy with this command:

      fw fetch <IP Address of Domain After Migration>


(2) Backing up / Restoring a Domain

(2-A) Backing up a Domain:

See the Management API Reference for your Management Server version.

  • On R81.10 and higher, run:

    mgmt_cli export-management domain-name "domain1" file-path "/var/log/domain1_backup.tgz" is-domain-backup true --domain 'System Data' --format json

  • On R81, run:

    mgmt_cli backup-domain domain <Domain Name | Domain UID> file-path <Full Path>

(2-B) Restoring a Domain:

See the Management API Reference for your Management Server version.

  1. Verify the backup file (a dry run that makes no changes to the Multi-Domain Server):

    • On R81.10 and higher, run:

      mgmt_cli import-management verify-domain-restore "true" file-path "/var/log/domain1_backup.tgz" --domain 'System Data' --format json

    • On R81, run:

      mgmt_cli restore-domain file-path <Full Path> verify-only true

  2. Delete the existing Domain from this Multi-Domain Server. The restore re-creates the Domain, and it cannot be imported while a Domain with the same name still exists on this Multi-Domain Server (see Known Limitations).

  3. Restore the Domain:

    • On R81.10 and higher, run:

      mgmt_cli import-management file-path "/var/log/domain1_backup.tgz" --domain 'System Data' --format json

    • On R81 and lower, run:

      mgmt_cli restore-domain file-path <Full Path> verify-only false

  4. Restore the Standby Domain Servers and Domain Log Servers (they must be created with the same name and IP address as before):

    1. For each Standby Domain Server, run:

      mgmt_cli set-domain name <Domain Name | Domain UID> servers.add.ip-address <Domain Server IP Address> servers.add.name <Domain Server Name> servers.add.multi-domain-server <Multi-Domain Server Name> servers.add.backup-file-path <Full Path> --format json

    2. For each Log Server, run:

      mgmt_cli set-domain name <Domain Name | Domain UID> servers.add.ip-address <Domain Server IP Address> servers.add.name <Domain Server Name> servers.add.multi-domain-server <Multi-Domain Server Name> servers.add.backup-file-path <Full Path> servers.add.type "log server" --format json

    3. If there is Management High Availability between the Domain and a dedicated Security Management Server:

      1. Re-install the Security Management Server.

      2. Reset SIC with the Security Management Server from the Active Domain Server.

  5. Add GUI clients and administrators to the Domain.

  6. Install the Security Policy on each managed Security Gateway / Cluster / Virtual System / Virtual Router, to receive all logs from it.


(3) Domain migration between a Security Management Server and Multi-Domain Management servers

(3-A) Before the migration:

  1. Check the Disk Space: The hard disk on the target machine must be at least 5 times the size of the exported database.

  2. Publish every change you want to migrate. Only published changes are exported; unpublished session changes are lost.

(3-B) Migrating from a Security Management Server to a Domain Management Server

(3-B-a) Export a Security Management Server:

  1. Make sure all processes are up and running, with the "cpwd_admin list" command.

  2. Run the "fw logswitch" command to close the active log files. Only closed logs are migrated.

  3. If the target server has a different IP address than the source server, you must prepare the source database before the export:

    • Create a new host object in SmartConsole with the IP address of the target Security Management Server.

    • Define an Access Policy rule in each installed policy that lets the new host connect to the Security Gateways:

      Source        Destination   Service
      New Server    Any           FW1 (TCP 256)
                                  CPD (TCP 18191)
                                  FW1_CPRID (TCP 18208)

    • For VSX, add a rule to VSX policy as well (see sk167639 for specific instructions for migration with VSX).

    • Install the edited Security Policy on all Security Gateways and Clusters.

  4. Log in with the API command to the "System Data" level and export the database:

    See the Management API Reference for your Management Server version.

    • On R81.10 and higher, run:

      mgmt_cli export-management file-path "/var/log/smc_exported.tgz" is-smc-to-mds true --domain 'System Data' --format json

    • On R81 and lower, run:

      mgmt_cli -d "System Data" migrate-export-domain file-path <Full Path to File>.tgz include-logs {true | false}
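
The source-side preparation in steps 1-4 above, as one added shell example. This script is not part of the original article and is not Check Point tooling. It assumes R81.10 or higher (the export-management command), that it runs as admin on the source Security Management Server with mgmt_cli, cpwd_admin and fw in PATH, that the API login can use -r true (root login on the local server, no credentials), and that the Access Control layer of the policy package is named "Network"; the host name new_mgmt_server and the IP address 192.0.2.10 are placeholders. It also checks the cpwd_admin list output before exporting, which the text requires but leaves manual.

```shell
#!/bin/bash
# Added example, not Check Point's own script: source-side preparation for the
# Security Management Server -> Domain Management Server export in (3-B-a).
# Assumptions: runs as admin on the source Security Management Server (R81.10 or
# higher, so 'export-management' exists); mgmt_cli, cpwd_admin and fw are in
# PATH; the API login uses '-r true' (root login on the local server, no
# credentials). DRY_RUN=1 prints each mgmt_cli command instead of executing it.
set -u

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
DRY_RUN="${DRY_RUN:-0}"

# run_cli: execute one mgmt_cli command (or print it when DRY_RUN=1).
run_cli() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$MGMT_CLI -r true $*"
  else
    "$MGMT_CLI" -r true "$@"
  fi
}

# processes_all_running: read 'cpwd_admin list' output on stdin and succeed only
# when every process row has STAT "E" (executing). The column order
# APP PID STAT #START START_TIME MON COMMAND is assumed from the usual output.
processes_all_running() {
  awk 'NR > 1 && NF >= 3 && $3 != "E" { bad++ } END { exit (bad > 0) }'
}

# add_temp_mgmt_rule HOST_NAME NEW_IP LAYER: create a host object for the new
# management IP and a top rule in the given Access Control layer that lets it
# reach every gateway on FW1 (TCP 256), CPD (TCP 18191) and FW1_CPRID
# (TCP 18208), then publish. The rule is temporary: delete it after migration.
add_temp_mgmt_rule() {
  local host_name="$1" new_ip="$2" layer="$3"
  run_cli add host name "$host_name" ip-address "$new_ip" \
      comments "TEMP: new management server, delete after migration"
  run_cli add access-rule layer "$layer" position top \
      name "TEMP: allow new management server to gateways" \
      source "$host_name" destination "Any" \
      service.1 "FW1" service.2 "CPD" service.3 "FW1_CPRID" \
      action "Accept"
  run_cli publish
}

# export_sms OUT_FILE: refuse to export while any Check Point process is down,
# close the active log file (only closed logs are migrated), then export the
# database in the form the Multi-Domain Server import expects.
export_sms() {
  local out="$1"
  if ! cpwd_admin list | processes_all_running; then
    echo "not all Check Point processes are running; fix that before export" >&2
    return 1
  fi
  fw logswitch
  run_cli export-management file-path "$out" is-smc-to-mds true \
      --domain 'System Data' --format json
}

# Typical order when the target Domain Management Server gets a new IP address
# (new_mgmt_server, 192.0.2.10 and the layer name "Network" are placeholders):
#   add_temp_mgmt_rule new_mgmt_server 192.0.2.10 Network
#   ... install the edited policy on all gateways and clusters ...
#   export_sms /var/log/smc_exported.tgz
```

Run it with DRY_RUN=1 first to review the exact mgmt_cli commands; the host object and rule it creates are the ones you delete again in step 11 of the import procedure.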

(3-B-b) Import into a Multi-Domain Management Server:

  1. Install the Multi-Domain Management Server on the target server.

    Note: For an existing Multi-Domain Management Server, create backup prior to importing a new Domain Management Server.

  2. Copy the management database file that you exported from the source server to a directory of your choice on the target server. Use FTP, SCP or similar.

  3. Log in via API command to the "System Data" level and import the database (for R80.20 Jumbo Hotfix Accumulator and R80.30 Jumbo Hotfix Accumulator, add the option "exported-from-mds false"). See the examples below.

    The command will create a new Domain and new Domain Management Server, and import the source database.

    There is no need to create the Domain before the migration.

    Note: Make sure the Domain name you wish to create does not conflict with the existing Domains.

    See the Management API Reference for your Management Server version.

    • On R81.10 and higher, run:

      mgmt_cli import-management domain-name "domain1" domain-server-name "domain1_Server" domain-ip-address "192.0.2.1" file-path "/var/log/smc_exported.tgz" --domain 'System Data' --format json

    • On R81 and R80.40, run:

      mgmt_cli -d "System Data" migrate-import-domain domain-name <Domain Name> domain-server-name <Server Name> domain-ip-address <Server IP Address> file-path <Full Path to File>.tgz include-logs {true | false}

    • On R80.20 with the Jumbo Hotfix Accumulator and R80.30 with the Jumbo Hotfix Accumulator, run:

      mgmt_cli -d "System Data" migrate-import-domain domain-name <Domain Name> domain-server-name <Server Name> domain-ip-address <Server IP Address> file-path <Full Path to File>.tgz include-logs {true | false} exported-from-mds false

  4. Restart Check Point services:

    mdsstop ; mdsstart

  5. Test the target deployment.

  6. Disconnect the source server from the network.

  7. Add GUI Clients.

  8. With the GuiDBedit Tool, edit the value of the parameter hosted_by to see logs - see sk123593.

  9. Install the Security Policy on all Security Gateways and Clusters.

    In an LSM environment, also install the Security Policy on all SmartLSM Security Profiles.

  10. If after the migration, the Domain's IP address differs from the IP address before the migration, and the Domain contains LSM Gateways / Clusters, run this command one time on each of the LSM devices:

    fw fetch <IP Address of Domain After Migration>

  11. If the target server has a different IP address than the source server - Delete the special Access Control rule you added before the migration:

    1. Connect with SmartConsole to the target Domain Management Server.

    2. In each Security Policy, delete the Access Control rule with the new Host object you added on the source Security Management Server before migration.

    3. Delete the Host object you added on the source Security Management Server before migration.

    4. Install the applicable policies on all managed Security Gateways and Clusters.
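
The target-side import in (3-B-b), with the pre-flight checks from (3-A) made explicit, as an added shell example; it is not from the original article and not Check Point tooling, and the same checks apply before the MDS-to-MDS import in (1-C). It assumes R81.10 or higher (the import-management command), that it runs as admin on the target Multi-Domain Server with mgmt_cli in PATH and -r true for the API login, that MDSDIR points at the MDS installation directory (the free-space check falls back to /), and that a simple regex over the show domains JSON is enough to detect a name conflict. The Domain name domain1, server name domain1_Server and IP address 192.0.2.1 are the page's own placeholders.

```shell
#!/bin/bash
# Added example, not Check Point's own script: target-side pre-flight and import
# for (3-B-b); the same checks apply before the MDS-to-MDS import in (1-C).
# Assumptions: runs as admin on the target Multi-Domain Server (R81.10 or
# higher, so 'import-management' exists); mgmt_cli is in PATH; the API login
# uses '-r true'; MDSDIR points at the MDS installation directory (the
# free-space check falls back to '/'). DRY_RUN=1 prints the mgmt_cli commands.
set -u

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
DRY_RUN="${DRY_RUN:-0}"

# run_cli: execute one mgmt_cli command (or print it when DRY_RUN=1).
run_cli() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$MGMT_CLI -r true $*"
  else
    "$MGMT_CLI" -r true "$@"
  fi
}

# required_bytes FILE: the target must have at least 5x the export size free.
required_bytes() {
  local size
  size=$(wc -c < "$1")
  echo $(( size * 5 ))
}

# free_bytes DIR: free space, in bytes, on the filesystem that holds DIR.
free_bytes() {
  df -Pk "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

# disk_space_ok FILE DIR: succeed when DIR has room for 5x FILE.
disk_space_ok() {
  local need have
  need=$(required_bytes "$1")
  have=$(free_bytes "$2")
  [ "$have" -ge "$need" ]
}

# domain_name_taken NAME: read the JSON of 'mgmt_cli show domains --format json'
# on stdin and succeed if a Domain with exactly that name exists. Matching the
# "name" key with a regex is a simplification (use jq '.objects[].name' if
# available); NAME must not contain regex metacharacters.
domain_name_taken() {
  grep -Eq "\"name\"[[:space:]]*:[[:space:]]*\"$1\""
}

# import_smc_export FILE DOMAIN SERVER IP: run both checks, then import. The
# import creates the Domain and its Domain Management Server itself.
import_smc_export() {
  local file="$1" domain="$2" server="$3" ip="$4"
  if ! disk_space_ok "$file" "${MDSDIR:-/}"; then
    echo "target needs at least $(required_bytes "$file") bytes free for $file" >&2
    return 1
  fi
  if run_cli show domains limit 500 --format json | domain_name_taken "$domain"; then
    echo "Domain '$domain' already exists on this MDS; importing it again is not supported" >&2
    return 1
  fi
  run_cli import-management domain-name "$domain" domain-server-name "$server" \
      domain-ip-address "$ip" file-path "$file" --domain 'System Data' --format json
  # Afterwards (step 4 of the procedure): mdsstop ; mdsstart
}

# Typical use with the page's placeholders:
#   import_smc_export /var/log/smc_exported.tgz domain1 domain1_Server 192.0.2.1
```

The two checks fail closed: the import is not attempted if the disk rule from (3-A) is violated or if the Domain name is already in use, which are the two conditions the Known Limitations say cannot be recovered from after the fact.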

 

(3-C) Migrating from a Domain Management Server to a Security Management Server

(3-C-a) Export a Domain Management Server:

  1. Make sure all processes are up and running, with the "mdsstat -m" command.

  2. Run the "fw logswitch" command to close the active log files. Only closed logs are migrated.

    Note: Run the log switch in the context of the Domain Server: first run "mdsenv <IP Address or Name of Domain Server>", then "fw logswitch".

  3. If the target server has a different IP address than the source server, you must prepare the source database before the export.

    Do NOT change the hostname in the import.

    • Create a new host object in SmartConsole with the IP address of the target Security Management Server.

    • Define an Access Policy rule in each installed policy that lets the new host connect to the Security Gateways:

      Source        Destination   Service
      New Server    Any           FW1 (TCP 256)
                                  CPD (TCP 18191)
                                  FW1_CPRID (TCP 18208)

    • For VSX, add a rule to VSX policy as well (see sk167639 for specific instructions for migration with VSX).

    • Install the edited Security policy on all Security Gateways and Clusters.

  4. Log in with the API command to the "System Data" level and export the database.

    See the Management API Reference for your Management Server version.

    • On R81.10 and higher, run:

      mgmt_cli export-management domain-name "domain1" file-path "/var/log/domain1_exported.tgz" --domain 'System Data' --format json

    • On R81 and lower, run:

      mgmt_cli -d "System Data" migrate-export-domain domain <Domain Name> file-path <Full Path to File>.tgz include-logs {true | false}

(3-C-b) Import into a Security Management Server:

  1. Install the Security Management Server on the target server. If you change the IP address, keep the same hostname and add a license for the Security Management Server.

  2. Copy the management database file that you exported from the source server to a directory of your choice on the target server. Use SCP, FTP or a similar tool.

  3. Import the database:

    See the Management API Reference for your Management Server version.

    • On R81 and higher, run:

      $MDS_FWDIR/scripts/migrate_server migrate_import_domain  [-l | -x] /<Full Path>/<Name of Exported File>.tgz

    • On R80.40 and lower, run:

      $MDS_FWDIR/scripts/migrate_import_domain.sh -sn <Server Name> -dsi <Server IP Address>  -o <Path to Export File>

  4. Test the target deployment.

  5. Disconnect the source server from the network.

  6. Add a SmartConsole Administrator with the "cpconfig" command.

  7. Add GUI Client with the "cpconfig" command.

  8. Install the Security Policy on all Security Gateways and Clusters.

    In an LSM environment, also install the Security Policy on all SmartLSM Security Profiles.

  9. If the Security Management Server IP after migration differs from the exported Domain IP and it contains LSM gateways/clusters, run the following command once on each of the LSM devices:

    fw fetch <IP Address of Management Server>

  10. If the target server has a different IP address than the source server- Delete the special Access Control rule you added before migration:

    1. Connect with SmartConsole to the target Security Management Server.

    2. In each Security Policy, delete the Access Control rule with the new Host object you added on the source Domain Management Server before migration.

    3. Delete the Host object you added on the source Domain Management Server before migration.

    4. Install the applicable policies on all managed Security Gateways and Clusters.


(4) Known Limitations

(4-A) Limitations for:

  • Migration of a Domain from one server to another

  • Migration of a Domain Server between Multi-Domain Management Servers

  • Domain Backup/Restore

  • Domain Server Backup/Restore is supported only on the same physical Multi-Domain Management machine.

  • Migration of a Domain into an MDS on which the Domain already exists (or into another MDS machine in the same HA environment) is not supported.

  • Migration of the same Domain twice into an MDS (or into two different MDS machines in the same HA environment) is not supported.

  • Domain Backup/Restore is supported only via the Management API (CLI and REST).

  • Restoring a Domain with a Global Policy is supported only if the Global Domain revision that was assigned at the time of the Domain backup was not purged.

  • Multiple Domain backups can be taken at different times and restored, but only the state at the time of the backup is restored. Older revisions are not available.

  • After restoring a Domain Server, manually add Administrators and GUI Clients to give them access to the restored Domain Server.

  • Hit Count data is not migrated.

  • Migrating more than one Domain at a time is not supported.

  • In a High Availability configuration, you must restore all the members, Standby Domain Servers and Log Servers before working on the restored Domain.

  • Migrating a Domain is possible only when the source and the destination have the same version installed.

  • The time it takes to migrate a Domain depends on the size of the Domain. It can take up to one hour; a very large Domain may take longer.

  • A backup of a Domain can be taken only from the Multi-Domain Server where the Domain is active and primary.

  • A backup of a Domain is blocked if the Domain contains objects related to VSX. Refer to sk167639 for instructions.

  • Global Domain migration is supported only on non-HA systems.

  • Global Domain migration is blocked in the import phase when there are Domains assigned to the Global Domain on the target machine.

  • Local Domain migration is blocked in the import phase if the Global Domain revision that the Domain is assigned to is missing on the target machine. Before you export the Global Domain and the local Domains, reassign the Global Domain to every local Domain that you plan to export.

  • Migrating or restoring the same Domain under a new IP address on the same MDS is not supported below R80.40.

  • Security Management Server (SMS) to Security Management Server (SMS) migration with these commands is not supported.

  • While a Domain backup is running, the Logs & Monitor view in SmartConsole might show "Problems have occurred during search".

  • While a Domain backup is running, the Sessions view in SmartConsole might show "Error retrieving results".

(4-B) Limitations for a Domain migration between Security Management and Multi-Domain Management servers

  • Migration of the same Security Management Server twice into an MDS (or into two different MDS machines in the same HA environment) is not supported.

  • Migration of two different Security Management Servers into two different MDSs in an HA environment is not supported.

  • After migrating a Domain Server, manually add Administrators and GUI Clients to give them access to the migrated Domain Server.

  • Hit Count data is not migrated.

  • Migrating more than one Domain at a time is not supported.

  • In a High Availability configuration, only the active Domain Management Server is exported and can be migrated.

  • When migrating a Domain from a Multi-Domain Management Server to a Security Management Server (or vice versa), Standby Domain Server / Log Server objects are not migrated. Remove all references to these objects before the Domain export.

  • The time it takes to migrate a Domain depends on the size of the Domain. It can take up to one hour; a very large Domain may take longer.

  • Domain migration is blocked if the Domain contains objects related to VSX. Refer to sk167639 for instructions.

  • Migrating a Domain is possible only when the source and the destination have the same major version installed (any Jumbo Hotfix Take is acceptable).

  • Migration of a Domain to a Security Management Server is not supported if the Domain is assigned to the Global Domain.

  • Exporting an Endpoint Management Server is not supported.

  • An export of a Domain can be taken only from the MDS where the Domain is active and primary.

  • Renaming the Domain Server or changing the Domain Server IP address during migration is not supported on R80.30 and lower.


(5) Troubleshooting

Error: Failed to import: Failed: Failed to get active machine for domain

  Cause: The export file does not match the import command.

  Resolution: Verify that you use the correct export file and the correct command (import / migrate_import_domain). Correct usage of the command:

  • Migration of a Domain Management Server to a Security Management Server, on the target Security Management Server:

    migrate_server migrate_import_domain

  • Migration from a Multi-Domain Management Server to a Multi-Domain Management Server, on the target Multi-Domain Management Server:

    migrate_server import

  • Migration from a Security Management Server to a Security Management Server, on the target Security Management Server:

    migrate_server import

Error: Failed: null (during the import phase)

  Resolution: Make sure the file you use for the import operation is the correct file and that it was exported from a server running the same version as the target.

Error: Failed to import domain: Failed: Failed to find backup domain meta data file.

  Cause: Migration from a Security Management Server (SMS) to a Security Management Server (SMS) with the Domain migration commands is not supported. For SMS to SMS, use migrate_server import on the target, as listed above.
