A Step-by-Step Guide to Migrating Check Point Management Server from R80.20 to R81.10

Introduction

This article explains how to migrate a Check Point Security Management Server from R80.20 to R81.10 using the official migrate_server export and import method.

This approach is recommended when performing a clean installation of R81.10 on a new server, rather than an in-place upgrade. The migration preserves management objects, policies, administrator accounts, and SIC trust.

This guide applies to a Security Management Server (SMS). MDS and Log Server migrations are not covered.

Prerequisites and Planning

General Requirements

  • Source server must be running Check Point R80.20
  • Target server must be a clean installation of R81.10 (same IP address and same hostname as the source; it is kept in a down state while the backup is exported)
  • All SmartConsole changes must be published
  • Ensure sufficient disk space for the export file
  • Take a snapshot or backup of the R80.20 Management Server

If the R81.10 Management Server uses a different IP address, licenses may need to be re-attached after migration.

Software Requirements

  • SmartConsole R81.10 must be installed on your administrative workstation to access the migrated Management Server
  • Download the latest Deployment Agent from sk92449
  • Download the R81.10 Upgrade Tools package from sk135172
  • Download the Web SmartConsole package from sk170314 (optional but recommended)

Hardware Requirements

Important: Upgrade the CPU, RAM, and disk resources according to your infrastructure. Newer versions always require a higher hardware configuration because of the enhanced features, improved threat prevention, advanced logging capabilities, and AI-powered analytics introduced in R81.10.

R81.10 Management Server Minimum Requirements:

Component | R80.20  | R81.10 Minimum | Recommended
CPU Cores | 4 cores | 6 cores        | 8+ cores for large environments
RAM       | 8 GB    | 16 GB          | 32 GB for large environments
Hard Disk | 200 GB  | 500 GB         | 1 TB (SSD recommended)
Network   | 1 Gbps  | 1 Gbps         | 10 Gbps for large deployments

Disk Space Requirements

On R80.20 Management Server:

  • /var/log partition: At least 5-10 GB free for export file storage
  • Export file size varies based on:
    • Number of policies and objects (typically 2-5 GB)
    • Database size and configuration complexity
    • Session history and logs (if included)
  • Verify available space before export:
    df -h /var/log

On R81.10 Management Server:

  • /opt partition: At least 15-20 GB free for upgrade tools and import process
  • /var/log partition: At least 50 GB free for logs and SmartConsole operations
  • /var partition: At least 100 GB free for database growth and future updates
  • Total recommended free space: 200 GB across all partitions
  • Verify available space:
    df -h
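
A pre-flight check that applies the free-space figures listed above, as an added example (not part of the original article and not a Check Point tool). The function names are hypothetical, the lower bound of each stated range is used as the threshold, and it is meant to be run from Expert mode (bash).

```shell
#!/bin/bash
# free_gb PATH -> prints the whole GB available on the filesystem holding PATH
free_gb() {
    # -P keeps each filesystem on one line, so column 4 is always "Available" (KB with -k)
    df -Pk "$1" 2>/dev/null | awk 'NR==2 { printf "%d\n", $4 / 1048576 }'
}

# require_free PATH MIN_GB -> returns 0 if enough space is free, 1 otherwise
require_free() {
    local path=$1 min=$2 have
    have=$(free_gb "$path")
    if [ -z "$have" ]; then
        echo "FAIL  $path: cannot read free space"; return 1
    fi
    if [ "$have" -lt "$min" ]; then
        echo "FAIL  $path: ${have} GB free, need ${min} GB"; return 1
    fi
    echo "OK    $path: ${have} GB free (need ${min} GB)"
}

# check_free_space ROLE -> ROLE is "source" (R80.20) or "target" (R81.10)
# Reports every partition, then returns non-zero if any of them is short.
check_free_space() {
    local rc=0
    case $1 in
        source)
            require_free /var/log 5   || rc=1 ;;
        target)
            require_free /opt 15      || rc=1
            require_free /var/log 50  || rc=1
            require_free /var 100     || rc=1 ;;
        *)
            echo "usage: check_free_space source|target"; return 2 ;;
    esac
    return $rc
}
```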

Gateway Compatibility

  • R81.10 Management Server supports gateways running R77.30 and above
  • Recommended gateway versions:
    • R80.40 and higher for full feature support
    • R81.10 gateways for optimal compatibility and latest features
  • Limited support for older gateways:
    • R77.30 - R80.10: Basic features only, advanced threat prevention may not be available
    • Some features, such as TLS inspection and advanced logging, require a gateway upgrade
  • Document all current gateway versions before migration:
    • From SmartConsole: Gateways & Servers → Right-click gateway → Properties → General
    • Plan gateway upgrades after successful management migration

Best Practice: Keep gateways within 2 major versions of the Management Server (e.g., R81.10 Management can manage R80.40+ gateways optimally).

Pre-Migration Checklist

  • Publish all changes in SmartConsole - no unpublished sessions should exist
  • Close all SmartConsole sessions to avoid database locks
  • Create a snapshot or backup of the R80.20 Management Server (VM snapshot recommended)
  • Document current configuration:
    • Management Server hostname and IP address
    • All administrator accounts and permissions
    • Current gateway versions and SIC status
    • Active licenses and contract information
    • Custom scripts or third-party integrations
  • Verify network connectivity:
    • DNS resolution working correctly
    • NTP server reachable (time synchronization is critical)
    • Internet access for downloading packages (if required)
  • Schedule migration window:
    • Estimated time: 2-4 hours (depending on database size)
    • Plan for extended window in case of issues
    • Notify all administrators and stakeholders

Access Requirements

  • Expert mode access to both R80.20 and R81.10 Management Servers
  • SSH/Console access for CLI operations
  • SmartConsole R81.10 installed on administrative workstation
  • HTTPS access to Management Server for Web SmartConsole (post-migration)
  • File transfer capability (SCP/WinSCP) between R80.20 and R81.10 servers

Additional Recommendations

  • Test the migration in a lab environment if possible before production migration
  • Review Check Point Release Notes for R81.10 to understand new features and changes
  • Plan for gateway upgrades post-management migration to leverage new R81.10 features
  • Keep R80.20 server available for at least 7 days after migration for rollback if needed
  • Update documentation with new server details after successful migration

R80.20 Management Server

Download and Install the Latest Deployment Agent

  • Download the latest Deployment Agent package from sk92449.
  • Copy the package to the Management Server (for example, /var/tmp/).
  • Install the Deployment Agent from the CLI (Gaia clish):
clish
installer agent install /var/tmp/DeploymentAgent_<build>.tgz

After installation, the Deployment Agent service restarts automatically and the clish session is terminated. This is expected behavior.

Installing the latest Deployment Agent is mandatory before importing the R81.10 Upgrade Tools and ensures compatibility with the migration process.

Example output after a successful Deployment Agent installation:

MGMT> installer agent install /var/tmp/DeploymentAgent_000002208_1.tgz
INFO Installing Deployment Agent package - /var/tmp/DeploymentAgent_000002208_1.tgz ...
INFO After the installation is complete, the Deployment Agent restarts and the CLISH session is terminated
Interactive mode is enabled. Press CTRL + C to exit (This will not stop the operation)
INFO Installation succeeded. Leaving CLISH
[Expert@MGMT:0]#

MGMT> show installer status
Agent:              Enabled
Build number:       2208 (agent build is up to date)
Network connection: Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS and Proxy)
Update from cloud:  Last updated on Tue Jan 27 13:27:10 2026
License:            The trial license is currently active and will expire on Thu Feb 26 03:44:10 2026
MGMT>
        

Import and Install Upgrade Tools for R81.10

  • Download the R81.10 Upgrade Tools package from sk135172.
  • Copy the package to the Management Server (for example, /var/tmp/).
  • Import and install the Upgrade Tools using CPUSE:
clish
installer import local /var/tmp/ngm_upgrade_wrapper_<build>.tgz

Example output after a successful Upgrade Tools installation:

MGMT> installer import local /var/tmp/ngm_upgrade_wrapper_996000412_1.tgz
Preparing package for import. This operation might take a few moments
Note: The selected package will be copied into CPUSE repository
Info: Initiating import and install of ngm_upgrade_wrapper_996000412_1.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Package ngm_upgrade_wrapper_996000412_1.tgz was installed successfully.
MGMT> exit
[Expert@MGMT:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1
996000412
[Expert@MGMT:0]# 

        
  • Verify the installed Upgrade Tools build number:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1
Make sure the Upgrade Tools build number matches the build number of the upgrade package you imported. For example, if the package is ngm_upgrade_wrapper_996000412_1.tgz, the output of cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1 should be 996000412.

Verify Migration Readiness

The verification process checks database integrity, object compatibility, and known upgrade blockers.

$FWDIR/scripts/migrate_server verify -skip_upgrade_tools_check -v R81.10
  

Proceed only if the output shows: The verify operation finished successfully. This confirms that the R80.20 database and objects are compatible with R81.10 and ready for import.

Export the Management Database

The export process creates a compressed archive containing all management configuration data.

$FWDIR/scripts/migrate_server export -skip_upgrade_tools_check -v R81.10 /var/log/R8020_to_R8110.tgz
  

Record the MD5 checksum of the exported file so that its integrity can be verified after the transfer:

md5sum /var/log/R8020_to_R8110.tgz
  

Copy the exported file to your local system using SCP or WinSCP before shutting down the R80.20 server.

R81.10 Management Server – Migration Steps

Copy and Verify Exported File

  • Transfer the R80.20 exported file to the R81.10 Management Server.
  • Verify the file integrity using md5sum and compare the result with the checksum taken on the R80.20 server:
md5sum /opt/CPsuite-R81.10/fw1/bin/upgrade_tools/R8020_to_R8110.tgz

Always place the exported file in /opt/CPsuite-R81.10/fw1/bin/upgrade_tools/ (or $FWDIR/scripts/, which points to the same directory), as this is the default path expected by the Upgrade Tools.
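
One way to make the checksum comparison between the two servers mechanical rather than visual, as an added example (not from the original article or from Check Point). The function names and the .md5/.sha256 sidecar files are hypothetical, and it assumes sha256sum is available in Expert mode alongside md5sum; SHA-256 is recorded as well because MD5 only guards against accidental corruption.

```shell
#!/bin/bash
# digest_of TOOL FILE -> prints only the hex digest
digest_of() { "$1" < "$2" | awk '{ print $1 }'; }

# record_digests FILE  (run on the R80.20 source after the export)
# Writes FILE.md5 and FILE.sha256; copy both files together with FILE.
record_digests() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    digest_of md5sum "$1" > "$1.md5" && digest_of sha256sum "$1" > "$1.sha256"
}

# verify_digests FILE  (run on the R81.10 target before the import)
# Returns 0 only if both recorded digests are well formed and match FILE.
verify_digests() {
    local f=$1 tool want got len
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    for tool in md5sum sha256sum; do
        case $tool in md5sum) len=32 ;; *) len=64 ;; esac
        want=$(tr -d ' \r\n' 2>/dev/null < "$f.${tool%sum}")
        # A digest copied by hand is easy to truncate: check length and charset first.
        if ! printf '%s' "$want" | grep -Eq "^[0-9a-f]{$len}\$"; then
            echo "FAIL  recorded ${tool%sum} digest is not $len hex characters" >&2
            return 1
        fi
        got=$(digest_of "$tool" "$f")
        if [ "$got" != "$want" ]; then
            echo "FAIL  ${tool%sum} mismatch for $f" >&2
            return 1
        fi
    done
    echo "OK    $f matches the recorded md5 and sha256 digests"
}
```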

Run Import Command

  • From Expert mode, navigate to $FWDIR/scripts/ and execute the import command:
./migrate_server import -v R81.10 -skip_upgrade_tools_check /opt/CPsuite-R81.10/fw1/bin/upgrade_tools/R8020_to_R8110.tgz

Proceed only if the import completes successfully without errors and the management database installation prompt is displayed.

  • After a successful import, install the management database and policies.

Web SmartConsole Installation (R81.10)

Web SmartConsole provides browser-based access to the Management Server without requiring the desktop client. This section covers installation, verification, and access.

Download the Web SmartConsole Package

  • Download the Web SmartConsole package from sk170314.
  • Copy the package to the Management Server (for example, /var/tmp/).

Install Web SmartConsole

  • From Expert mode, run the following command to install the package:
/opt/AutoUpdater/latest/bin/autoupdatercli install /var/tmp/Check_Point_WEBCONSOLE_AUTOUPDATE_Bundle_T59_AutoUpdate.tar

Monitor Installation Status

  • Check installation progress using the log file:
tail -f /opt/CPInstLog/AutoUpdateLogs/web_console

Proceed only if the installation completes successfully without errors.

Access Web SmartConsole

After installation, open a web browser and access Web SmartConsole using the Management Server IP:

https://<Management_Server_IP>/smartconsole

Ensure that HTTPS access to the Management Server is allowed from your administrative network.

Post-Migration Verification

  • Log in to SmartConsole and verify that all objects and policies are present.
  • Install the management database if prompted.
  • Install policies to all gateways.
  • Verify SIC status with all managed gateways.
  • Confirm that licenses are correctly attached and active.

This is an example of a Check Point Management Server migrate export and import:

[Expert@MGMT:0]# fw ver
R80.20 - Build 255
[Expert@MGMT:0]# clish
MGMT> installer agent install /var/tmp/DeploymentAgent_000002208_1.tgz
INFO Installing Deployment Agent package - /var/tmp/DeploymentAgent_000002208_1.tgz ...
INFO After the installation is complete, the Deployment Agent restarts and the CLISH session is terminated
Interactive mode is enabled. Press CTRL + C to exit (This will not stop the operation)
INFO Installation succeeded. Leaving CLISH
[Expert@MGMT:0]#
[Expert@MGMT:0]# clish

MGMT> show installer status
Agent:              Enabled
Build number:       2208 (agent build is up to date)
Network connection: Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS and Proxy)
Update from cloud:  Last updated on Tue Jan 27 13:27:10 2026
License:            The trial license is currently active and will expire on Thu Feb 26 03:44:10 2026
MGMT>
MGMT> installer import local /var/tmp/ngm_upgrade_wrapper_996000412_1.tgz
Preparing package for import. This operation might take a few moments
Note: The selected package will be copied into CPUSE repository
Info: Initiating import and install of ngm_upgrade_wrapper_996000412_1.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Package ngm_upgrade_wrapper_996000412_1.tgz was installed successfully.
MGMT> exit
[Expert@MGMT:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1
996000412
[Expert@MGMT:0]# 
[Expert@MGMT:0]# $FWDIR/scripts/migrate_server verify -skip_upgrade_tools_check -v R81.10
The verify operation finished successfully.
[Expert@MGMT:0]# $FWDIR/scripts/migrate_server export -skip_upgrade_tools_check -v R81.10 /var/log/R8020_to_R8110.tgz
Export operation completed successfully.
[Expert@MGMT:0]# md5sum /var/log/R8020_to_R8110.tgz
55acceab326cebfb5b6af2bece24e9cb
[Expert@MGMT:0]# fw ver
R81.10 - Build 883
[Expert@MGMT:0]# md5sum /opt/CPsuite-R81.10/fw1/bin/upgrade_tools/R8020_to_R8110.tgz
55acceab326cebfb5b6af2bece24e9cb
[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server import -v R81.10 -skip_upgrade_tools_check /opt/CPsuite-R81.10/fw1/bin/upgrade_tools/R8020_to_R8110.tgz
Import finished successfully.
[Expert@MGMT:0]# fw ver
R81.10 - Build 883
[Expert@MGMT:0]# /opt/AutoUpdater/latest/bin/autoupdatercli install /var/tmp/Check_Point_WEBCONSOLE_AUTOUPDATE_Bundle_T59_AutoUpdate.tar
Installation succeeded for Web SmartConsole
[Expert@MGMT:0]# tail -f /opt/CPInstLog/AutoUpdateLogs/web_console
Web SmartConsole CheckHealth finished successfully

Conclusion

Migrating the Check Point Management Server from R80.20 to R81.10 using the export and import method is a safe and supported approach. Proper preparation, verification, and post-migration checks ensure a smooth and reliable upgrade.