
Migrating Check Point from R77.30 to R80.10


Hello colleagues, welcome to this lesson on migrating a Check Point R77.30 database to R80.10.

When using Check Point products, sooner or later you need to migrate the existing rules and objects database, for one of the following reasons:
  1. When buying a new device, you need to migrate the database from the old device to the new device (to the current version of GAIA OS or higher).
  2. You need to upgrade your device from one version of GAIA OS to a higher version on the local machine.

The first task can only be solved with the Management Server Migration Tool, or simply the Migration Tool. The second task can be solved with either CPUSE or the Migration Tool.
Next, we look at both methods in more detail.

Update to new device


Database migration involves installing the latest version of Management on a new machine and then migrating the database from the existing Security Management server to the new one using the Migration Tool. This method minimizes the upgrade risk to the existing configuration.

To migrate the database using the Migration Tool, the following requirements must be met:

  1. Free disk space must be 5 times larger than the size of the exported database archive.
  2. On the target server, the network settings must match the source server.
  3. Create a backup. The database export must be made to a remote server.
    The GAIA operating system already includes the Migration Tool, which can be used to import a database or to migrate to an operating system version identical to the original one. To migrate the database to a higher version of the operating system, you need to download the Migration Tool of the corresponding version from the “Tools” section of the Check Point support site for R80.10.
  4. Backup and migration of the SmartEvent / SmartReporter Server. The 'backup' and 'migrate export' utilities do not include data from the SmartEvent / SmartReporter database.
    For backup and migration, use the 'eva_db_backup' or 'evs_backup' utilities.
    Note: see article sk110173 in the Check Point Knowledge Base.

Consider what features this tool contains:


Before starting the data migration, unzip the downloaded Migration Tool into the folder “/opt/CPsuite-R77/fw1/bin/upgrade_tools/<your_folder>”, then export the database by running the commands from the directory where you unzipped the tool.

Before running the command to export or import, close all SmartConsole clients or launch cpstop on the Security Management server.

To create a management database export file on the source server:

  1. Enter expert mode.
  2. Run the pre-check tool: pre_upgrade_verifier -p $FWDIR -c R77 -t R80.10. If there are errors, correct them before continuing.
  3. Run: ./migrate export filename.tgz. The command exports the contents of the Security Management Server database to a TGZ file.
  4. Follow the instructions. The database is exported to the file you named in the command. Make sure you define it as TGZ.
  5. If SmartEvent is installed on the source server, export the event database.

Next, import the Security Management Server database that you exported. Before you begin, install the R80 Security Management Server. As a reminder, the network settings of the new R80.10 Management Server must match the settings of the old server.

To import the management server configuration:

  1. Enter expert mode.
  2. Transfer (with FTP, SCP or similar) the exported configuration file from the source server to a remote server.
  3. Disconnect the source server from the network.
  4. Transfer the configuration file from the remote server to the new server.
  5. Calculate the MD5 of the transferred file and compare it with the MD5 that was calculated on the source server: # md5sum filename.tgz
  6. Import the database: ./migrate import filename.tgz
  7. Check for update.
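
Requirement 1 (free space of five times the archive size) and import step 5 (the MD5 comparison) can be checked together on the new server before running the import. The script below is an added example, not part of the original article or of Check Point's tooling; the function names and the stand-in demo file are assumptions.

```shell
#!/bin/sh
# Added example: checks to run on the new server before "./migrate import".
# Function names and the demo file are assumptions, not Check Point tooling.

# Archive size in KiB, rounded up.
archive_kb() {
    [ -r "$1" ] || return 1
    wc -c < "$1" | awk '{ print int(($1 + 1023) / 1024) }'
}

# Requirement 1: free space of 5x the exported archive.
required_kb() {
    kb=$(archive_kb "$1") || return 1
    echo $(( kb * 5 ))
}

# Free KiB on the filesystem holding directory $1.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Import step 5: compare with the MD5 recorded on the source server.
md5_matches() {
    actual=$(md5sum "$1" | awk '{ print $1 }')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# $1 = archive, $2 = MD5 from the source server, $3 = import directory.
# Returns 0 when it is safe to import; 2, 3 or 4 name the failed check.
ready_to_import() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    md5_matches "$1" "$2" || { echo "MD5 mismatch, transfer again" >&2; return 3; }
    [ "$(free_kb "$3")" -ge "$(required_kb "$1")" ] ||
        { echo "need $(required_kb "$1") KiB free in $3" >&2; return 4; }
    echo "OK: ./migrate import $1"
}

# Constructed demo: a stand-in file plays the role of filename.tgz.
demo_dir=$(mktemp -d)
printf 'constructed sample, not a real export\n' > "$demo_dir/filename.tgz"
recorded=$(md5sum "$demo_dir/filename.tgz" | awk '{ print $1 }')
ready_to_import "$demo_dir/filename.tgz" "$recorded" "$demo_dir"
rm -rf "$demo_dir"
```

The MD5 comparison confirms that the archive survived both transfers intact; record the checksum on the source server before disconnecting it from the network.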

Once all 7 steps are complete, the database has been migrated successfully with the Migration Tool. In case of failure, you can always turn the source server back on, so operations are not affected in any way.

It is worth noting that migration from a standalone server is not supported.

Local update


CPUSE (Check Point Upgrade Service Engine) allows you to automatically update Check Point products for Gaia OS. Software update packages are divided into categories, namely major releases, minor releases and Hotfixes. Gaia automatically finds and displays available software update packages and images relevant to the version of the Gaia operating system you can upgrade to. With CPUSE, you can make a clean installation of the new version of GAIA OS, and perform a system update with database migration.

To upgrade to a higher version or perform a clean installation using CPUSE, the machine must have enough free (unallocated) space: at least the size of the root partition.

The new version is installed on a new hard disk partition, and the “old” partition is converted to a Gaia Snapshot (the space for the new partition is taken from the unallocated space on the hard disk). Before updating the system, it is also good practice to take a snapshot and upload it to a remote server.

Update process :

  1. Check the update package (if you haven’t already done so) - check if the package can be installed without conflict: right-click on the package - click “Verifier”.

    The result should be something like this:

    • Installation is allowed
    • Upgrade is allowed
  2. Install the package: right-click the package and click "Upgrade":
    CPUSE shows the following warning in the Gaia Portal: After this upgrade, there will be an automatic reboot.
  3. You will see the corresponding progress on data migration after upgrading to R80.10:
    • Upgrading Products
    • Importing database
    • Configuring Products
    • Creating SIC Data
    • Stopping processes
    • Starting Processes
    • Installed, self-test passed
  4. The system reboots automatically.
  5. Install the policy in SmartConsole.

As you can see, the process is very simple. In case of a problem, you can roll back to the old settings using the snapshot you made.

Practice


The video tutorial contains a theoretical part and a practical part. The first half of the video repeats the theory described above, and the practical example shows data migration using both methods.


Conclusion


In this lesson, we looked at Check Point solutions for updating and migrating the objects and rules database. In the case of a new device, there is no solution other than the Migration Tool. If you want to update GAIA OS and you have the desire and the ability to redeploy the machine, our company advises, based on its experience, migrating the database using the Migration Tool. Compared to CPUSE, this method minimizes the upgrade risk to the existing configuration. Also, when upgrading via CPUSE, many unnecessary old files are kept on disk, and an additional tool is required to remove them, which entails additional actions and new risks.


Source: https://habr.com/ru/post/353470/

