
[NSM] How to export and import the NSM database

  [KB11731]


Summary:

Beginning with NSM 2007.1R3, the method by which database versions are stored has changed. Occasionally, it may be necessary to remove older database versions, because these older versions can cause disk space issues.

This article describes how to remove the old database versions from NSM 2007.1R3 or later. This method can also be used to decrease the size of the database. This process is also used to migrate from Solaris to RedHat. 

 

Symptoms:

NSM servers that have been upgraded from old NSM versions experience poor performance such as slow startup time or slow job execution.

 

Cause:

Over time, the NSM database grows and takes up large amounts of disk space, because it contains old versions of the database. In older versions of NSM, these could just be deleted, but since the release of NSM 2007.1R1, the versions have been lumped in with the database files.

Also over time, the database becomes cluttered with references to deleted objects. These references are not shown in NSM, but they make the database larger. This procedure removes those entries and makes the database smaller and faster.

 

Solution:

Important Note For NSM 2012.2R13/R13a only:

Prior to exporting/importing, consult PR1263606: Export/Import process will discard data in rare conditions. Upgrade to 2012.2R14 or contact Support for a patch.


 

This procedure is recommended for NSM servers that were upgraded from old NSM versions and are experiencing poor performance such as slow startup time or slow job execution.

Notes:

  • This procedure applies to NSM 2007.1R3 or later.

  • It is recommended to log your CLI session; this makes it possible to troubleshoot errors encountered during this procedure.

  1. Stop NSM processes by using the following commands:

    Standalone NSM

    /etc/init.d/haSvr stop
    /etc/init.d/devSvr stop
    /etc/init.d/guiSvr stop

    HA NSM

    Note: You should perform these steps on one server; this should be the system that was last active. The database will be deleted and re-replicated to the other system.

    Stop both NSM GUI servers, stopping the standby system first to prevent failover. Use /usr/netscreen/HaSvr/utils/haStatus to determine which system is in standby:

    /etc/init.d/haSvr stop

  2. Back up your current database and move the backup to the /var/tmp directory by using the following command:

    /usr/netscreen/GuiSvr/utils/tech-support.sh db

    Move the created file to a safe location; the created file varies, depending on the NSM version:

    mv /usr/netscreen/GuiSvr/var/GuiSvrDB.tar.gz /var/tmp/

  3. If you are running NSM 2008.2 or later, change to nsm user with the following command:

    su - nsm

  4. (Optional) To reduce database size, it is recommended to delete the AuditLog, Job Manager, and Policy Lookup history. To view the removed data, if required, load the backup made before this process on a lab NSM system that is running the same NSM version.

    Remove AuditLogs:

    rm -rf /var/netscreen/GuiSvr/xdb/init/auditlog.init
    rm -rf /var/netscreen/GuiSvr/xdb/init/auditlogDetails.init
    rm -rf /var/netscreen/GuiSvr/xdb/data/auditlog
    rm -rf /var/netscreen/GuiSvr/xdb/data/auditlogDetails

    Remove Job Manager History:

    rm -rf /var/netscreen/GuiSvr/xdb/init/directive.init
    rm -rf /var/netscreen/GuiSvr/xdb/data/directive

    Remove Policy Lookup data (used for Goto Policy in log viewer, and Zone/NSM Rule Number data [ScreenOS only]). Update each device to regenerate Policy Lookup data after the export/import process:

    rm -rf /var/netscreen/GuiSvr/xdb/init/policylookup.init
    rm -rf /var/netscreen/GuiSvr/xdb/data/policylookup

  5. Run the exporter by using the following command on a single line:

    Command syntax:
    /usr/netscreen/GuiSvr/utils/xdbExporter.sh <NSM xdb location> <Export file path>

    Default command:
    /usr/netscreen/GuiSvr/utils/xdbExporter.sh /var/netscreen/GuiSvr/xdb /tmp/nsmdb.xdif

    Review the export output:

    1. Confirm that the total number of containers to be exported matches the number of exported containers.
    2. Ensure that there are no errors from exporting:

      <Loading all containers output removed>
      [Warning] ---------------------------------------------------------------
      [Warning] Total 183 containers to be exported...
      [Warning] ---------------------------------------------------------------
      [Warning] Exporting containers:
      [Warning] 0: <name removed>
      <List of all containers removed>
      [Warning] 183: <name removed, number of containers may vary between versions>
      [Warning] ---------------------------------------------------------------
      [Notice] Stopping Xdb and release all database resources ...
      <Releasing all containers output removed>

  6. Run the Importer by using the following command on a single line:

    Command syntax:
    /usr/netscreen/GuiSvr/utils/xdifImporter.sh <Exported File Path> <NSM init path>

    Default command:
    /usr/netscreen/GuiSvr/utils/xdifImporter.sh /tmp/nsmdb.xdif /var/netscreen/GuiSvr/xdb/init

    Check for errors between the start of the import and "Finished importing <filename>".

    Example of import output:

    Importing /tmp/nsmdb.xdif into /var/netscreen/GuiSvr/xdb/init now...
    [08:08:38] INFO [main] XdifToXdbConverter - Start Time: 1335366518830
    [08:08:38] INFO [main] XdifToXdbConverter - Converting Xdif to Xdb ...
    [08:08:38] INFO [main] XdifToXdbConverter - <name removed>
    <List of all containers removed>
    [08:08:44] INFO [main] XdifToXdbConverter - Finished reading file /tmp/nsmdb.xdif
    [08:08:44] INFO [main] XdifToXdbConverter - End time: 1335366524171
    [08:08:44] INFO [main] XdifToXdbConverter - Total time spent: 5 seconds
    Finished importing /tmp/nsmdbactual.xdif into XDB init directory /var/netscreen/GuiSvr/xdb/init
    <Recent NSM versions will initialize containers>

    This example is from an empty NSM database. The time spent will be longer for your database.

  7. Exit from the NSM user's shell to become root again:

    exit

  8. Start the NSM processes by using the following commands:

    Standalone NSM

    /etc/init.d/guiSvr start
    /etc/init.d/devSvr start
    /etc/init.d/haSvr start

    NSM HA

    1. Start the NSM HaSvr process on the first GuiSvr:

      /etc/init.d/haSvr start

    2. Log in to NSM, confirm a recent change or two, and run a delta config on a few devices. Start the other NSM GuiSvr (/etc/init.d/haSvr start) and ensure that the replication is in sync (this will take some time to replicate):

      /usr/netscreen/HaSvr/utils/haStatus

  9. If NSM is used to manage IDP within an SRX device, then you must perform an attack database update because the Junos Attack Database version is not retained after an export/import operation. 

    - Log in to NSM Client as superuser or with admin user having Attack Database update privileges.
    - Navigate to Tools > View/Update NSM Attack Database.
    - Perform an Attack Database update even if the Attack Database version to be updated is the most recent one.
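
The review in step 5 can be scripted against a saved session log. The following is an added example, not part of the original article or of NSM. It assumes the export output has the layout shown in step 5, where the last listed index equals the announced total, and its error pattern is a guess because the article shows no failing run.

```shell
#!/bin/sh
# Added example: verify a saved xdbExporter.sh session log (step 5 review).
# Assumptions: log layout as in the article's sample; the error pattern is a
# guess, so review any match by hand before discarding an export.

check_export_log() {
    log=$1
    # "[Warning] Total 183 containers to be exported..."
    total=$(sed -n 's/.*Total \([0-9][0-9]*\) containers to be exported.*/\1/p' "$log" | head -n 1)
    # Highest index among the "[Warning] <n>: <container name>" lines
    last=$(sed -n 's/^[[:space:]]*\[Warning] \([0-9][0-9]*\): .*/\1/p' "$log" | sort -n | tail -n 1)
    if [ -z "$total" ] || [ -z "$last" ]; then
        echo "FAIL: container counts not found"; return 2
    fi
    if [ "$total" -ne "$last" ]; then
        echo "FAIL: $total containers announced, last exported index is $last"; return 1
    fi
    if grep -Eiq 'error|exception|failed' "$log"; then
        echo "FAIL: error-like lines present"; return 1
    fi
    if ! grep -q 'Stopping Xdb' "$log"; then
        echo "FAIL: exporter never reached the Xdb shutdown notice"; return 1
    fi
    echo "OK: $total containers announced and exported"
}

# Constructed sample logs (container names are invented placeholders).
workdir=$(mktemp -d)
cat > "$workdir/good.log" <<'EOF'
[Warning] Total 3 containers to be exported...
[Warning] Exporting containers:
[Warning] 0: sampleA
[Warning] 1: sampleB
[Warning] 2: sampleC
[Warning] 3: sampleD
[Notice] Stopping Xdb and release all database resources ...
EOF
# A run that stopped early: drop the last container line and the shutdown notice.
sed -e '/ 3: /d' -e '/Stopping Xdb/d' "$workdir/good.log" > "$workdir/short.log"

check_export_log "$workdir/good.log"  || true   # complete export
check_export_log "$workdir/short.log" || true   # truncated export
```

To use it on a real run, capture the exporter output to a file (for example with the session logging recommended in the Notes) and pass that file to check_export_log before running the importer.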

Notes:

  • The database is initialized when the GuiSvr is started for the first time after performing the Importer step mentioned above. The GuiSvr will also take a little longer to start than a normal start, as it is initializing the database.

  • From the GUI menu, in Tools > Select Domain Version, the old domain versions will still be listed, but no data will be available in the database.

 

Modification History:

2018-12-12: Updated the step: "Start the NSM HaSvr process on the first GuiSvr" in the Solution section to provide clarification about starting the first guiSvr by using the haSvr start command

 
