I have come across yet another issue with the latest migration tools on Multi-Domain management.
Once upon a time, with R6X, it was possible to migrate CMAs between platforms freely, except in the VSX case. You had to copy 5 directories ($FWDIR/conf, $FWDIR/database, $CPDIR/conf, $CPDIR/database and $CPDIR/registry) from one place to another and then run the cma_migrate script from MDG or the command line.
It was working like a charm. It does not anymore.
The R71 documentation still describes a similar way of migrating. Do not be fooled. The documentation is not exactly correct.
The one and only way of migrating CMAs is described in sk60563. The described procedure works, but with limitations. The limitations are: same name and IP address of the CMA!
I had to learn this the hard way while trying to split one existing CMA for my customer.
There is no migration failure. It all finishes successfully. The fun begins when you start the new migrated CMA.
You can still see it on the CLI with the mdsstat command, but not in MDG. In fact, it starts showing up there, but is then removed from the GUI once the CMA is started. The reason is that in the MGMT DB of the CMA the "old" pre-migration name is used for the CMA object. MDG gets confused by having two different CMAs with the same name.
Moreover, it is not at all obvious how to remove this CMA if you want to roll back. I ended up deleting the whole customer folder.
Something so simple and effective got broken with SB versions. The question is, how to fix it? I do not have an answer for the moment.
Yet another Support Call has been opened.
Will keep you posted, folks.
You wrote:
"R71 documentation is still talking about similar way of migration. Do not be fooled. The documentation is not exactly correct"
Can you point me to the exact lines, so I could open an internal CR with the Technical Writers?
(Sergei Shir, Check Point Support Escalation Engineer)
Here we go:
Command Line Reference
cma_migrate
Description This command imports an existing Security Management server or CMA into a MDS so that it will become one of its CMAs. If the imported Security Management or CMA is of a version earlier than the MDS to which it is being imported, then the Upgrade process is performed as part of the import.
It is recommended to run cma_migrate to import CMA or Security Management database files created using the export_database tool.
Bear in mind that the source and target platforms may be different. The platform of the source management to be imported can be Solaris, Linux, Windows, SecurePlatform or IPSO.
Usage cma_migrate
Syntax
Argument: Description
source database directory path: The root of the original source database directory; the FWDIR directory, or a copy of it.
target CMA FWDIR directory: The directory of the CMA that you are migrating to.
The target CMA cannot ever have been started before running cma_migrate. There is no need to stop the MDS before running cma_migrate.
Further Info. For further information and procedures for using the cma_migrate command, refer to the High End Installation and Upgrade Guide at http://supportcontent.checkpoint.com/documentation_download?ID=8752.