View Full Version : Moving existing management server into PR1

2006-06-07, 07:33
Does anyone know the procedure for moving and existing Smartcentre management server into Provider1?

Is there some special migration tool which will migrate all rules and objects into a CMA ?


2006-06-07, 10:21
Hi, If you want to migrate a existing SmartCenter Server to a Provider-1 environment, first plan how you gonna implement your provider-1 system (MDS, MLM etc...) When you have installed yor MDS server you run migrate_assist to retrive the data from the SmartCenter to the MDS Server trough FTP access, after that you create a CMA using the MDG, then dont start the CMA (important) and import the data using Cma_migrate into the CMA. Start the CMA and voila you have your original SmartCenter in the CMA (rules, objects, certificates everything).

Very linear process, and the sintaxe of the commands is easy.

You just have to check wich version in the SmartCenter you want to upgrade.


Luis Rocha

2006-06-08, 16:13
Thanks for your reply. I'm PR1 on SPLAT and when I try migrate_assist the command is not available, any ideas ?


2006-06-09, 03:33
Hi, you must run in expert mode..... logon to the SPLAT and then type "expert" if it is the first time, you will be prompted to setup the password for the expert "shell" then you can run the commands

Luis Rocha

2006-06-09, 04:54
you are right, just spotted it !

How do you get from expert mode back to normal mode.

I'm not the best linux/unix guy !

2006-06-09, 06:07
type "exit"

2006-06-11, 17:59
As an alternative to the above method which frankly I don't use...this can be done safely with a few easy commands. It also is the method I use to backup my CMA's.

On the original mgmt station tar up the $FWDIR/conf, $FWDIR/database, $CPDIR/conf, and $CPDIR/database into one tar file.

to make it easy just copy each into another folder like this:

cp -R $FWDIR/conf /etc/home/xfer
cp -R $FWDIR/database /etc/home/xfer
cp -R $CPDIR/conf /etc/home/xfer/cpdir.conf
cp -R $CPDIR/database /etc/home/xfer/cpdir.database
tar -cvf xfer.tar xfer

Note the naming of the cpdir files. This will create the names that CP looks for when importing into a CMA. Once you have this tar file created you can move it to where ever you like. I use a perl script to do this for me twice a month on all my CMA's and FTP them to a backup server.

Restoring them to a CMA or moving them to another manager is really simple at this point. Once you have the file on the server untar it and go through the import from the gui. If you change IP's of the manager which you do in most cases when going to a P1 you may need to do fwm sic_reset from the cma environment:

mdsenv [cma_name]
fwm sic_reset
once that is complete...
mdsconfig -ca [cmaname cmaip]

The other built in utilities work fine I'm sure but I just prefer to do it myself to ensure I have what I want. The point I am trying to make here is there are many ways to do things with the P1 and its good to know more then one.

2006-06-14, 11:18
Great responses guys thank alot

2006-09-15, 08:56
Just wanted to post a possible correction in case others are having difficulty with the info posted above (not trying to slam anyone here).

I am working on moving an existing NG-AI R55 (SPLAT) server to P-1 (on SPLAT) and used the following commands during my attempt to transfer the data:

cp -R $FWDIR/conf /etc/home/xfer
cp -R $FWDIR/database /etc/home/xfer
cp -R $CPDIR/conf /etc/home/xfer/cpdir.conf
cp -R $CPDIR/database /etc/home/xfer/cpdir.database
tar -cvf xfer.tar xfer

The first thing I noticed is that the Checkpoint documentation has conf.cpdir and database.cpdir instead of what is quoted above. Once I got that synax corrected, I discovered that the first command did not grab everything out of the $FWDIR/conf directory (i.e. the Objects.C file was missing along with all the policies) so the cma_migrate command failed.

Another thing I noticed is that FTP is not enabled on SPLAT (or is locked down so tightly it refuses direct connections) and so the migrate_assist command is not very helpful----unless there is a way to start the FTP daemon up that I'm not aware of (b/c I'm not very *nix savvy myself either).

Hope this helps others; please correct me if I have erred.


2006-09-15, 11:43
conf.cpdir is indeed correct, good spotting. You don't have to do $CPDIR/database though, I usually don't.

FTP is not enabled on SPLAT by default. If you really must enable it, then vi /etc/xinetd.d/ftpd, and change the "disable = yes" line to "disable = no", and run service xinetd reload.

But why would you? We've moved on since the 80s, FTP is not the way to move files around, especially sensitive data like your firewall policies. Use scp instead.

I'm not quite sure why cp -R $FWDIR/conf <target_directory> didn't work for you - did you run it as root? You need to be able to read those files to copy them. Maybe you ran the copy as an ordinary user?

And yeah, migrate_assist is pointless - much better to just tar up the directories as outlined here. Probably quicker too.

2006-09-15, 12:22

I'm good with SCP if you have tips to do that on SPLAT for a *nix idiot....LOL....It is essentially a local to local (different routed subnets of a /28 network) so it shouldn't be a problem as far as security is concerned & I could go in and disable it once done. But I'd be happy to learn the SCP method! Will that require enabling the SCP service in a similar fashion or is it enabled by default?

I logged in as expert on the source server (also a SPLAT machine), my supervisor said the same thing about not following the "recursive links" when copying the data? I have no idea....He managed to find the directory where everything is housed and copy it for me; I tarred it up & I've been working with getting the file moved over now to get the import done to a CMA with the same name but different IP address just to see how it works. My SSH sessions are either timing out, or the expert mode timeout is dropping my sessions to the box to which I am trying to FTP from my laptop (initiating FTP from SSH session to SPLAT and then FTP outbound from server to my desktop). Arrgh!

I appreciate your response!

2006-09-15, 12:54
Ah yes, the timeout on SPLAT thing. From within you expert session, enter this: export TMOUT=3600
That will give you an hour before timing out. Default is about 600s I think. Also look at the timeout command.

That aside, I usually use cp -r, not cp -R, but I think it works the same. The -r means recursively go through the directory, copying everything. IF you don't have that option it won't copy everything across like you expect. Expert mode is the right one to be in. Before doing the copy, check what "echo $FWDIR" returns - make sure your environment is set right.

scp means secure copy. It uses the functionality in the sshd server - you run the one server for ssh to login, and to copy files - as opposed to running a telnet server for logging in, and an ftp server for copying files. It uses the same authentication, can use keys, etc. It securely encrypts all data during transfer.

However, Check Point, from about R55 HFA4, tightened it a little. Now, in order to use scp, your username must be in /etc/scpusers. If that file doesn't exist, create it, then run /etc/init.d/sshd restart. Assuming that you can ssh from your desktop to each SPLAT system, but perhaps not between them, you would then do something like this:
* On your desktop, use scp (or pscp if you're on Windows), and do say:
pscp username@r55_server:/path_to_file/tarred_up_files.tar .

* Then copy that file to your NGX server:
pscp tarred_up_files.tar username@ngx_server:/tmp

You can then logon to the NGX server, cd /tmp, tar xvf tarred_up_files.tar, and import it using the MDG.

Any problems, let me know. I've done quite a few migrations in the past, and as it would happen, I'm in the middle of completing another set - last one tomorrrow!

And as an aside, learning the basics of Unix will pay itself back many times over when you are working with firewalls. Even though a lot of stuff is GUI-driven, many are the times you need to get on the command line, run tcpdump, etc, or edit files, or run commands, or grep through stuff. So keep at learning the Unix stuff, it's not that hard once you get your head around the way things work. Lots of good resources out there for helping with specific problems too. You just need to know the general gist of moving around the command line, doing the basics. Learn the basics of vi if you don't already know it.

2006-09-15, 19:49
my bad when i wrote that i was half asleep but the conf.cpdir is the correct naming. FTP if that is indeed necessary can be enabled. you can ftp out from a splat box to another server somewhere in the middle if you want to just get it over with that would be the quickest. Copying the conf directory should have grabbed everything...it has never failed for me. Sorry wish I was more help.

2006-09-15, 20:02
Northlandboy has this absolutely correct. The more *nix you know the easier this will be. And the more migrations you do the more you realize how absurd it is we actually get paid to do this.

another alternative is to use a gui scp program like winscp which is a free download. I keep it around for the quick and dirty migrations where time is an issue and honestly sometimes I just feel like being lazy...this tool can be a little flaky though so don't rely solely on it...learn the command line.

2006-09-18, 12:26
Thank you both! I'll give it a try as soon as I can!

2010-01-19, 14:08
Hi, everyone I have a problem with procedure....
I run export_database /var/tmp -m, this command generate a file, this file I transfer to P1, here I run cma_migrate file cma_customer ... all ok, but process for cma FWM no start...

someone have any idea??
all version are R70.2 and i was try to R70.

| Processes status checking |
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
| MDS | - | | up 9721 | up 9720 | up 9719 | up 9812 |
| CMA |consola | | down | up 11238 | up 11228 | up 11276 |
| CMA |dos | | up 9702 | up 9701 | up 9680 | up 9800 |
| Total customer add-ons checked: 2 1 up 1 down |
| Tip: Run mdsstat -h for legend |

Thanks a lot