Migrate Check Point Security Management Server to new hardware

When upgrading a Check Point Security Management Server (also known as SmartCenter) to a newer version, I prefer to perform a fresh install and migrate the existing database to new hardware. Refer to the Check Point upgrade map here for valid upgrade paths. In my scenario I was running R71.30 on SecurePlatform (SPLAT) and was only able to upgrade directly to R75.20; the procedure below describes the steps performed. Perform these steps in a lab environment to fully test and understand the procedure.

Upgrade the migration tools on the old server

Before exporting the database, the upgrade tools on the existing server need to be upgraded to the version being migrated to.

  1. Download the “Management Server Migration Tools” for R75.20 from the Check Point website.
  2. Extract the contents of the “Management Server Migration Tools” .tgz
  3. Use SCP to copy the extracted contents to the existing R71.30 server, replacing the upgrade_tools directory (/opt/CPSuite-R75.40/fw1/bin/upgrade_tools)

Create a management database export file on the existing server

  1. Log in to expert mode on the existing server
  2. Type “cd $FWDIR/bin/upgrade_tools”
  3. Run the migrate export command

    “./migrate export -l <EXPORTED DATABASE NAME>.tgz”

  4. Once the export has completed, use SCP to copy the export file to a safe location

Install SecurePlatform on new Security Management Server

  1. Login to the CheckPoint Usercenter and download the CheckPoint R75.20 ISO image (Check_Point_R75.20.Splat.iso)
  2. Burn the ISO image to DVD and boot the server with the DVD inserted
  3. Install SecurePlatform, and when prompted use the same IP address as the existing Security Management Server
  4. Once the initial installation has completed and the server has rebooted, log in via the console (username: admin and password: admin). When prompted, enter a new password and, if required, a new username.
  5. Type “cpconfig” to continue the installation
  6. Set the SAME hostname
  7. Set the SAME domain name
  8. Set “time zone”, “date” and “local time”
  9. Do NOT “import file from TFTP server”
  10. When prompted, select “New Installation”
  11. Select “Security Management”, click N
  12. Select “Primary Security Management”, click N
  13. Complete the installation and ensure you select yes to start the services

Import the database to the new Security Management Server

  1. From a client machine, copy the backup database file to the new server via SCP. For simplicity I copy the database export to the same location as the upgrade tools ($FWDIR/bin/upgrade_tools)
  2. Log in to expert mode on the new server
  3. Type “cd $FWDIR/bin/upgrade_tools”
  4. Type “./migrate import BACKUPFILENAME.tgz”
  5. When prompted to stop all Check Point services, type “Y” – ENTER
  6. Once the import procedure has completed it will prompt to start Check Point services, type “Y” – ENTER
  7. Disconnect the old server from the network
  8. Connect the new server to the network
  9. Connect to the SmartCenter using the correct SmartDashboard version.

The upgrade/migration is now complete; you should see all your policies, gateways, objects, networks, etc. Open SmartView Tracker and after a short period the gateways will start logging to the new server. If no logs appear, install a policy to the gateways. As we migrated the database to a new server, the old server remains untouched and can be reverted to in the event of an issue.

Refer to this post here to configure an SCP user account on SecurePlatform.
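
The export, copy and import steps above can be wrapped with an integrity check, so that a truncated or altered export file is caught before “./migrate import” stops the Check Point services. This is an added example, not part of the original post or of Check Point's tools; it assumes sha256sum, tar and gzip are available on both servers, and the function names record_export and verify_export and the file names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the original post): integrity checks around the file
# written by "migrate export" before it is passed to "migrate import".
# Assumption: sha256sum, tar and gzip exist on both servers.

# Old server, after the export: write <file>.sha256 next to the export file.
record_export() {
    local export_file=$1
    [ -s "$export_file" ] || { echo "missing or empty: $export_file" >&2; return 1; }
    # Hash from inside the directory so the manifest holds a bare file name
    # and still verifies after the SCP copy lands in a different path.
    ( cd "$(dirname "$export_file")" &&
      sha256sum "$(basename "$export_file")" > "$(basename "$export_file").sha256" )
}

# New server, before the import. Return codes:
#   0 = hash matches and archive is readable, 1 = file or manifest missing,
#   2 = hash mismatch, 3 = not a readable gzip-compressed tar.
verify_export() {
    local export_file=$1
    local dir base
    dir=$(dirname "$export_file")
    base=$(basename "$export_file")
    [ -s "$export_file" ] || { echo "missing or empty: $export_file" >&2; return 1; }
    [ -s "$export_file.sha256" ] || { echo "no checksum file for $base" >&2; return 1; }
    ( cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1 ) ||
        { echo "checksum mismatch: $base" >&2; return 2; }
    tar -tzf "$export_file" >/dev/null 2>&1 ||
        { echo "not a readable .tgz: $base" >&2; return 3; }
    echo "OK: $base"
}

# Usage (file names are placeholders):
#   old server: record_export /var/tmp/mgmt_export.tgz
#   copy mgmt_export.tgz and mgmt_export.tgz.sha256 with SCP
#   new server: verify_export "$FWDIR/bin/upgrade_tools/mgmt_export.tgz"
#               and run "./migrate import" only if it returns 0
```

A checksum stored next to the archive only detects corruption in transit or at rest; keep a second copy of the .sha256 value elsewhere if the “safe location” is shared with other users.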


5 thoughts on “Migrate Check Point Security Management Server to new hardware”

  1. Very informative. I have a question also. After the migration, is there a necessity to re-initiate the SIC? If so, recreating SIC in gateways will make a cprestart. Please advise.
