Wednesday, August 10, 2011

CMA migration is blocked on R71 if done on the same MDS

I have come across yet another issue with the latest migration tools on Multi-Domain management.

Once upon a time, with R6X it was possible to migrate CMAs between platforms freely, except for VSX case. You had to copy 5 directories: $FWDIR/conf, $FWDIR/database, $CPDIR/conf, $CPDIR/database and $CPDIR/registry from one place to another and then run cma_migrate script from MDG or command line.

It was working like a charm. It does not anymore.

R71 documentation is still talking about similar way of migration.  Do not be fooled. The documentation is not exactly correct.

The one and only way of migrating CMAs is described in sk60563. The described procedure works, but with limitations. The limitations are: same name and IP address of the CMA!

I had to learn this the hard way while trying to split one existing CMA for my customer.

There is no migration failure. It all finishes successfully. The fun begins when you start the new migrated CMA.

You can still see it on CLI with mdsstat command. But not in MDG. In fact, it starts showing up there, but then is removed from GUI when started. The reason for it is that in the MGMT DB of the CMA the "old" pre-migration name is used for CMA object. MDG gets confused of having two different CMAs with the same name.

More, it is quite not obvious how to remove this CMA, if you want to roll back. I have ended it with deleting the whole customer folder.

Something so simple and effective got broken with SB versions. The question is, how to fix it? I do not have an answer for the moment.

Yet another Support Call has been opened.

Will keep you posted, folks.


  1. You wrote :
    R71 documentation is still talking about similar way of migration. Do not be fooled. The documentation is not exactly correct

    Can you point me to exact lines, so I could open an internal CR with Technical Writers ?

    (Sergei Shir , Check Point Support Escalation Engineer)

  2. Here we go:

    Command Line Reference

    Description This command imports an existing Security Management server or CMA into a MDS so that it will become one of its CMAs. If the imported Security Management or CMA is of a version earlier than the MDS to which it is being imported, then the Upgrade process is performed as part of the import.

    It is recommended to run cma_migrate to import CMA or Security Management database files created using the export_database tool.

    Bear in mind that the source and target platforms may be different. The platform of the source management to be imported can be Solaris, Linux, Windows, SecurePlatform or IPSO.

    Usage cma_migrate


    source database directory path
    The root of the original source database directory; the FWDIR directory, or a copy of it.
    target CMA FWDIR directory
    The directory of the CMA that you are migrating to.
    The target CMA cannot ever have been started before running cma_migrate. There is no need to stop the MDS before running cma_migrate
    Further Info. For further information and procedures for using the cma_migrate command, refer to the High End Installation and Upgrade Guide at