Migrating Check Point from R77.30 to R80.10

Hello colleagues, welcome to the tutorial on migrating Check Point R77.30 to R80.10 databases.

When using Check Point products, sooner or later the task of migrating existing rules and the object database arises for the following reasons:

  1. When purchasing a new device, it is necessary to migrate the database from the old device to the new device (to the current version of GAIA OS or higher).
  2. You need to upgrade the device from one version of GAIA OS to a higher version on the local machine.

The first task can only be solved with the Management Server Migration Tool, or simply the Migration Tool. The second task can be solved with either CPUSE or the Migration Tool.
Next, we consider both methods in more detail.

Update to a new device

Database Migration involves installing the latest version of Management on a new machine and then migrating the database from the existing Security Management server to the new one using the Migration Tool. This method minimizes the risk of updating an existing configuration.

To migrate the database using the Migration Tool, the following requirements must be met:

  1. Free disk space must be 5 times greater than the size of the exported database archive.
  2. On the target server, the network settings must match the source server.
  3. Creating a backup. The database must be exported to a remote server.
    The GAIA operating system already has the Migration Tool, which can be used when importing a database or for migrating to an operating system version identical to the initial one. In order to migrate the database to a higher version of the operating system, you must download the Migration Tool of the appropriate version from the "Tools" section on the Check Point support site R80.10:
  4. Backup and migration of SmartEvent / SmartReporter Server. The 'backup' and 'migrate export' utilities do not include SmartEvent database / SmartReporter database data.
    For backup and migration, you need to use the 'eva_db_backup' or 'evs_backup' utilities.
    Note: see Check Point knowledge base article sk110173.

Consider what features this tool contains:

Before proceeding to the data migration itself, unzip the downloaded Migration Tool into the folder "/opt/CPsuite-R77/fw1/bin/upgrade_tools/". Run the export commands from the directory where you unzipped the tool.

Close all SmartConsole clients or run cpstop on the Security Management server before running the export or import command.

To create the management database export file on the source server:

  1. Enter expert mode.
  2. Run the pre-verifier: pre_upgrade_verifier -p $FWDIR -c R77 -t R80.10. If there are errors, correct them before continuing.
  3. Run: ./migrate export filename.tgz. The command exports the contents of the Security Management Server database to a TGZ file.
  4. Follow the instructions. The database is exported to the file you named in the command. Make sure you define it as TGZ.
  5. If SmartEvent is installed on the source server, export the event database.

Next, we import the security server database that we exported. Before you begin: Install the R80 Security Management Server. I remind you that the network settings of the new Management Server R80.10 must match the settings of the old server.

To import the management server configuration:

  1. Enter expert mode.
  2. Transfer (via FTP, SCP or similar) the exported configuration file from the source server to the remote server.
  3. Disconnect the source server from the network.
  4. Transfer the configuration file from the remote server to the new server.
  5. Calculate the MD5 for the migrated file and compare with the MD5 that was calculated on the origin server: # md5sum filename.tgz
  6. Import database: ./migrate import filename.tgz
  7. Update check.

Once step 7 is complete, the database migration with the Migration Tool has succeeded. In case of failure, you can always turn the source server back on, so operations are not affected in any way.

It should be noted that migration from a standalone server is not supported.
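
The checksum comparison in step 5 and the free-space requirement (5 times the archive size) can be combined into one check that runs on the new server before "./migrate import". This is an added example, not part of the original tutorial or of Check Point's tooling; the function names are hypothetical and it uses md5sum as the procedure above does.

```shell
#!/bin/sh
# Added example: checks to run on the new server before "./migrate import".
# Function names are hypothetical helpers, not part of Check Point's Migration Tool.

# Print only the MD5 digest of a file (first column of md5sum output).
archive_md5() {
    md5sum "$1" | awk '{print $1}'
}

# has_room <archive_bytes> <free_kb>
# True only if free space is strictly greater than 5x the archive size.
has_room() {
    need_kb=$(( ($1 * 5 + 1023) / 1024 ))
    [ "$2" -gt "$need_kb" ]
}

# preflight_import <archive> <md5 recorded on source server> [import directory]
# Exit status: 0 ok, 1 checksum mismatch, 2 not enough disk space, 3 unreadable file.
# The body runs in a subshell so its variables do not leak into the caller.
preflight_import() (
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    workdir=${3:-.}

    [ -r "$archive" ] || { echo "cannot read $archive" >&2; exit 3; }

    actual=$(archive_md5 "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch: got $actual, expected $expected" >&2
        exit 1
    fi

    bytes=$(wc -c < "$archive" | tr -d ' ')
    free_kb=$(df -Pk "$workdir" | awk 'NR==2 {print $4}')
    if ! has_room "$bytes" "$free_kb"; then
        echo "need more than 5x archive size free in $workdir" >&2
        exit 2
    fi
    echo "checks passed: $archive"
)

# Usage: sh preflight.sh filename.tgz <md5-from-source> [directory]
if [ "$#" -ge 2 ]; then
    preflight_import "$@"
fi
```

Record the MD5 on the source server right after the export, before the server is disconnected in step 3, so that the value used for comparison comes from the original file.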

Local update

CPUSE (Check Point Upgrade Service Engine) allows you to automatically update Check Point products for Gaia OS. Software update packages are divided into categories, namely major releases, minor releases and Hotfixes. Gaia automatically finds and displays the available software update packages and images related to the version of the Gaia operating system to which you can upgrade. Using CPUSE, you can do a clean installation of a new version of GAIA OS, or perform a system upgrade with database migration.

To upgrade to a higher version or perform a clean install using CPUSE, the machine must have enough free (unallocated) space - at least the size of the root partition.

The upgrade is performed on a new hard disk partition, and the "old" partition is converted to a Gaia Snapshot (the new partition space is taken from the unallocated space on the hard disk). Before updating the system, it is also good practice to take a snapshot and upload it to a remote server.

The update process:

  1. Verify the update package (if you haven't already) - check if this package can be installed without conflicts: right click on the package - click "Verifier".

    The result should be something like this:

    • Installation is allowed
    • Upgrade is allowed
  2. Install the package: right-click the package and click "Upgrade":
    CPUSE shows the following warning in Gaia Portal: After this upgrade, there will be an automatic reboot (Existing OS settings and the Check Point Database are preserved).
  3. You will see corresponding data migration progress after upgrading to R80.10:
    • Upgrading Products
    • Importing Database
    • Configuring Products
    • Creating SIC Data
    • Stopping Processes
    • Starting Processes
    • Installed, self-test passed
  4. The system will automatically reboot.
  5. Install the policy in SmartConsole.

As you can see, the process is very simple. If a problem occurs, you can roll back to the old settings using the snapshot you made.

Practice

The presented video lesson contains a theoretical and practical part. The first half of the video duplicates the described theoretical part, and the practical example shows data migration using both methods.

Conclusion

In this lesson, we examined Check Point's solutions for the task of updating and migrating object and rule databases. In the case of a new device, there is no other solution than using the Migration Tool. If you want to upgrade GAIA OS and you have the desire and ability to redeploy the machine, our company advises, based on existing experience, to migrate the database using the Migration Tool. This method minimizes the risk of updating an existing configuration compared to CPUSE. Also, when updating through CPUSE, many unnecessary old files are saved on disk, and an additional tool is required to remove them, which entails additional steps and new risks.

If you do not want to miss future lessons, subscribe to our group on VK, YouTube and Telegram. If for some reason you could not find the document you need or solve your problem with Check Point, you can safely contact us.

Source: habr.com