Friday, March 31, 2023

Migrate Export and Migrate Import - Checkpoint Management Server

Process for Migrating to new MGMT appliances:
  

Pre-Requisites

The Gaia version and Jumbo Hotfix (JHF) Take of the existing Checkpoint Primary Management Server, where the migrate export is taken, MUST be the same as the Gaia version and JHF Take of the NEW Checkpoint Primary Management Server.

The Secondary Management Server must ALSO be on the same Gaia version and JHF Take as the NEW Checkpoint Primary Management Server. It will sync automatically with the Primary once the name and IPs are the same.
  • Take a Migrate Export/Backup of the existing Primary
  • Run through the configuration Wizards, set one up as Primary, set one up as a Secondary (use same hostnames and IPs)
  • Do a Migrate Import on the new Primary
  • Swap the cables from the existing Primary with the new Primary* (make sure it says DB synchronized)
  • Power off old Secondary
  • Power on new Secondary
  • Re-establish SIC and make sure DBs synchronize

On Old/Existing Checkpoint Primary Management Server
[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools
[Expert@MGMT:0]# yes | nohup ./migrate export /home/admin/bos0105fwm01-033123.tgz


On the NEW Checkpoint Primary Management Server (same Gaia version and JHF as the original FWM). Copy bos0105fwm01-033123.tgz from the old FWM to the new FWM.

[Expert@MGMT:0]# cpstop
[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import /home/admin/bos0105fwm01-033123.tgz
[Expert@MGMT:0]# cpstart


Below are the commands I ran on the test management server MGMT (100.115.22.22) and the output is CPMGMT011-090622.tgz


[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools
[Expert@MGMT:0]# pwd
/opt/CPsuite-R80.40/fw1/bin/upgrade_tools
[Expert@MGMT:0]# cd $HOME
[Expert@MGMT:0]# yes | nohup ./migrate export /home/admin/CPMGMT011-090622.tgz  
nohup: appending output to 'nohup.out'
[Expert@MGMT:0]#

[Expert@MGMT:0]# ls -lt
total 2180396
-rw-rw---- 1 admin root  1026123583 Sep  6 10:48 CPMGMT011-090622.tgz
[Expert@MGMT:0]#
 

The operations will look like this:
 
# cpstop
# cd /opt/CPsuite-R77/fw1/bin/upgrade_tools
# ./migrate export /var/log/migrate-export/sms-mig-export-20160414
 
You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.
 
Do you want to continue? (y/n) [n]?
 
Copying required files...
Compressing files...
 
The operation completed successfully.
 
Location of archive with exported database: /var/log/migrate-export/sms-mig-export-20160414.tgz
 
# cpstart
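
When the export is started with `yes | nohup`, the success message shown above lands in nohup.out instead of the terminal, and the archive then has to be copied to the new server intact. The script below is an added example, not part of the original post or Check Point's tooling: it checks the log for the completion line and verifies the copied archive before the import. The function names are hypothetical, the demo data is constructed, and it assumes tar, gzip and sha256sum are available on both servers.

```shell
#!/bin/bash
# Added example: checks between 'migrate export' and 'migrate import'.
# Assumption: tar, gzip and sha256sum exist on both management servers.

# Succeeds only if the nohup log holds the completion line migrate prints.
export_succeeded() {
    grep -q 'The operation completed successfully\.' "$1" 2>/dev/null
}

# Succeeds only if the file is a non-empty, fully readable gzip'd tar.
# A copy that was cut short fails: the gzip stream ends early.
archive_ok() {
    [ -s "$1" ] && gzip -t "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1
}

# Prints the SHA-256 of a file; record it on the old server after export.
archive_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Run on the new server before 'cpstop' and 'migrate import'.
# Returns 1 for an unreadable archive, 2 for a digest mismatch.
ready_for_import() {
    local archive="$1" expected="$2"
    archive_ok "$archive" ||
        { echo "unreadable or truncated: $archive" >&2; return 1; }
    [ "$(archive_digest "$archive")" = "$expected" ] ||
        { echo "digest mismatch: $archive" >&2; return 2; }
    echo "OK: $archive matches the recorded digest"
}

# Demo on constructed data (no real management database involved).
demo() {
    local d sum
    d=$(mktemp -d)
    printf 'Compressing files...\n\nThe operation completed successfully.\n' \
        > "$d/nohup.out"
    echo "constructed sample content" > "$d/db.txt"
    tar -czf "$d/export.tgz" -C "$d" db.txt
    head -c 40 "$d/export.tgz" > "$d/partial.tgz"   # simulated interrupted copy
    sum=$(archive_digest "$d/export.tgz")
    export_succeeded "$d/nohup.out" && echo "export log: success line present"
    ready_for_import "$d/export.tgz" "$sum"
    ready_for_import "$d/partial.tgz" "$sum" || echo "partial copy rejected"
    rm -rf "$d"
}

# With two arguments check a real archive; with none run the demo.
if [ "$#" -eq 2 ]; then ready_for_import "$1" "$2"; else demo; fi
```

Record the digest on the old server right after the export finishes, and pass it as the second argument on the new server once the file has been copied.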
 


Run through the configuration Wizards, set one up as Primary, set one up as a Secondary (use same hostnames and IPs)

  • Connect your laptop's RJ45 connection to the Checkpoint appliance Mgmt interface. By default, this IP address is 192.168.1.1/24.
  • Add an IPv4 address to the RJ45 adapter on your laptop: 192.168.1.2 with subnet mask 255.255.255.0.
  • From your laptop you should be able to ping 192.168.1.1, and from the Checkpoint appliance you should be able to ping the laptop IP address 192.168.1.2.
  • If you cannot ping, you may want to connect your laptop's USB-to-serial connection to the Checkpoint appliance and log in to the appliance. By default, the login username and password are both admin.
  • Open a browser and go to https://192.168.1.1



 



Reference

Migrate Export: sk133312 - How to run a 'migrate export' or 'migrate import' command that survives a closed/timed-out SSH session

Abstract

When you run a 'migrate export' or 'migrate import' command, the command is tied to the current CLI session. When the current CLI session ends (the SSH connection times out, or is closed), the 'migrate' process is halted/canceled. 

This can also happen when the exported management database is very large (30GB or more): for example, the export of a management database of 30GB can take 3 to 4 hours to complete. This means that the CLI session (SSH session) must stay active for 3 to 4 hours.

Solution

To make sure the 'migrate export' command survives these scenarios and continues to run successfully in the background, run the command with the following syntax:


[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate export [options] /<full path>/<name of exported file without any extension>

To make sure the 'migrate import' command survives these scenarios and continues to run successfully in the background, run it with the following syntax:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import [options] /<full path>/<name of exported file>.tgz


Migrate Export
cd $FWDIR/bin/upgrade_tools
yes | nohup ./migrate export /home/admin/bos0105fwm01-033123.tgz


Migrate Import
cpstop
cd $FWDIR/bin/upgrade_tools/
# Syntax: yes | nohup ./migrate import [options] /<full path>/<name of exported file>.tgz
yes | nohup ./migrate import /home/admin/bos0105fwm01-033123.tgz
cpstart




In Boston DC … Upgrade Checkpoint Firewall bos0102fwm01 from R80.40 to 81.10
1.      Snapshot backup of Firewall Management Primary bos0102fwm01
2.      Export snapshots
3.      Migrate Export -
4.      Install - Fresh Install and upgrade packages R80.40 to 81.10
5.      Verify Update package / Fix errors if any.
6.      Once successfully verified.
7.      Select Upgrade (not Install update)
8.      After R81.10 install completes,
9.      Run Deployment Agent - DeploymentAgent_000002205_1
10.     Install JHF – 64 (Will be installed after secondary is upgraded)
11.     Push policy – to Internet Firewalls, VPN etc