Checkpoint NGX Upgrade Guide
Transcript of Checkpoint NGX Upgrade Guide
-
7/31/2019 Checkpoint NGX Upgrade Guide
1/194
The Upgrade Guide
NGX (R60)
For additional technical information about Check Point products, consult Check Points SecureKnowledge at
https://secureknowledge.checkpoint.com
See the latest version of this document in the User Center at:http://www.checkpoint.com/support/technical/documents/docs_r60.html
Part Number 701313
August 2005
https://secureknowledge.checkpoint.com/http://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttps://secureknowledge.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
2/194
-
7/31/2019 Checkpoint NGX Upgrade Guide
3/194
Check Point Software Technologies Ltd.U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
2003-2005 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyrightand distributed under licensing restricting their use, copying, distribution, anddecompilation. No part of this product or related documentation may be reproduced inany form or by any means without prior written authorization of Check Point. While everyprecaution has been taken in the preparation of this book, Check Point assumes noresponsibility for errors or omissions. This publication and features described herein aresubject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth insubparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause atDFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
2003-2005 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo,AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa,Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX,FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL,Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy LifecycleManagement, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge,
SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate,SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security,SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView,SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker,SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM,User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge,VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the ZoneLabs logo, are trademarks or registered trademarks of Check Point SoftwareTechnologies Ltd. or its affiliates. All other product names mentioned herein aretrademarks or registered trademarks of their respective owners. The products describedin this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending
applications.
THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States andother countries. Entrusts logos and Entrust product and service names are alsotrademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly ownedsubsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporatecertificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by Universityof Michigan. Portions of the software copyright1992-1996 Regents of the University of
Michigan. All rights reserved. Redistribution and use in source and binary forms arepermitted provided that this notice is preserved and that due credit is given to theUniversity of Michigan at Ann Arbor. The name of the University may not be used toendorse or promote products derived from this software without specific prior writtenpermission. This software is provided as is without express or implied warranty.CopyrightSax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by CarnegieMellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation forany purpose and without fee is hereby granted, provided that the above copyright noticeappear in all copies and that both that copyright notice and this permission notice appear
in supporting documentation, and that the name of CMU not be used in advertising orpublicity pertaining to distribution of the software without specific, written priorpermission.CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, INNO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT ORCONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROMLOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR INCONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenGroup.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANYCLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THESOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by TheOpenSSL Project. This product includes software developed by the OpenSSL Project foruse in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY *EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULARPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANYTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THEUSE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCHDAMAGE.
The following statements refer to those portions of the software copyrighted by EricYoung. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANYEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULARPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANYTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THEUSE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCHDAMAGE. Copyright1998The Open Group.The following statements refer to those portions of the software copyrighted by Jean-loupGailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. Thissoftware is provided 'as-is', without any express or implied warranty. In no event will theauthors be held liable for any damages arising from the use of this software. Permissionis granted to anyone to use this software for any purpose, including commercial
applications, and to alter it and redistribute it freely, subject to the following restrictions:1. The origin of this software must not be misrepresented; you must not claim that youwrote the original software. If you use this software in a product, an acknowledgment inthe product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not bemisrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the GnuPublic License. This program is free software; you can redistribute it and/or modify itunder the terms of the GNU General Public License as published by the Free SoftwareFoundation; either version 2 of the License, or (at your option) any later version. Thisprogram is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;without even the implied warranty of MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSE. See the GNU General Public License for more details.Youshould have received a copy of the GNU General Public License along with this program;if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,USA.
The following statements refer to those portions of the software copyrighted by ThaiOpen Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expatmaintainers. Permission is hereby granted, free of charge, to any person obtaining acopy of this software and associated documentation files (the "Software"), to deal in theSoftware without restriction, including without limitation the rights to use, copy, modify,merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permitpersons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies orsubstantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUTWARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITEDTO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULARPURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS ORCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USEOR OTHER DEALINGS IN THE SOFTWARE.GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUSTreference the author, and include any and all original documentation. Copyright. BruceVerderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998,1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999,
2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999,
-
7/31/2019 Checkpoint NGX Upgrade Guide
4/194
2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001,2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 JohnEllson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson([email protected]). Portions relating to JPEG and to color quantization copyright2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999,2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of theIndependent JPEG Group. See the file README-JPEG.TXT for more information.Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Vanden Brande. Permission has been granted to copy, distribute and modify gd in anycontext without fee, including a commercial application, provided that this notice ispresent in user-accessible supporting documentation. This does not affect your
ownership of the derived work itself, and the intent is to assure proper credit for theauthors of gd, not to interfere with your productive use of gd. If you have questions, ask."Derived works" includes all programs that utilize the library. Credit must be given inuser-accessible documentation. This software is provided "AS IS." The copyright holdersdisclaim all warranties, either express or implied, including but not limited to impliedwarranties of merchantability and fitness for a particular purpose, with respect to thiscode and accompanying documentation. Although their code does not appear in gd 2.0.4,the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue SoftwareCorporation for their prior contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use thisfile except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICECopyright (c) 1996 - 2004, Daniel Stenberg, .All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ANDNONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OROTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OROTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWAREOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used inadvertising or otherwise to promote the sale, use or other dealings in this Softwarewithout prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, ispermitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list ofconditions and the following disclaimer in the documentation and/or other materialsprovided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from thissoftware without prior written permission. For written permission, please [email protected].
4. Products derived from this software may not be called "PHP", nor may "PHP" appearin their name, without prior written permission from [email protected]. You may indicatethat your software works in conjunction with PHP by saying "Foo for PHP" instead ofcalling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time totime. Each version will be given a distinguishing version number. Once covered code hasbeen published under a particular version of the license, you may always continue to useit under the terms of that version. You may also choose to use such covered code underthe terms of any subsequent version of the license published by the PHP Group. No oneother than the PHP Group has the right to modify the terms applicable to covered codecreated under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP, freely available from ".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' ANDANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR APARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHPDEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ORSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVENIF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf ofthe PHP Group. The PHP Group can be contacted via Email at [email protected].
For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .
This product includes software written by Tim Hudson ([email protected]).
Copyright (c) 2003, Itai Tzur
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, arepermitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.
Neither the name of Itai Tzur nor the names of other contributors may be used toendorse or promote products derived from this software without specific prior writtenpermission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ANDCONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; ORBUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCEOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of thissoftware and associated documentation files (the "Software"), to deal in the Softwarewithout restriction, including without limitation the rights to use, copy, modify, merge,publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
to whom the Software is furnished to do so, subject to the following conditions: Theabove copyright notice and this permission notice shall be included in all copies orsubstantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ANDNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHTHOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHERIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF ORIN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.
Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may becopied, reproduced, distrib-uted, republished, downloaded, displayed, posted ortransmitted in any form or by any means, including, but not lim-ited to, electronic,mechanical, photocopying, recording, or otherwise, without the prior written permission ofNextHop Technologies, Inc. Permission is granted to display, copy, distribute anddownload the materials in this doc-ument for personal, non-commercial use only,provided you do not modify the materials and that you retain all copy-right and otherproprietary notices contained in the materials unless otherwise stated. No materialcontained in this document may be "mirrored" on any server without written permission ofNextHop. Any unauthorized use of any material contained in this document may violatecopyright laws, trademark laws, the laws of privacy and publicity, and communicationsregulations and statutes. Permission terminates automatically if any of these terms orcondi-tions are breached. Upon termination, any downloaded and printed materials must
be immediately destroyed.Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in thisdocument are registered and unregistered Trademarks of NextHop in the US and/or othercountries. The names of actual companies and products mentioned herein may beTrademarks of their respective owners. Nothing in this document should be construed asgranting, by implication, estoppel, or otherwise, any license or right to use any Trademarkdisplayed in the document. The owners aggressively enforce their intellectual propertyrights to the fullest extent of the law. The Trademarks may not be used in any way,including in advertising or publicity pertaining to distribution of, or access to, materials in
this document, including use, without prior, written permission. Use of Trademarks as a"hot" link to any website is prohibited unless establishment of such a link is approved inadvance in writing. Any questions concerning the use of these Trademarks should bereferred to NextHop at U.S. +1 734 222 1600.
-
7/31/2019 Checkpoint NGX Upgrade Guide
5/194
U.S. Government Restricted Rights
The material in document is provided with "RESTRICTED RIGHTS." Software andaccompanying documentation are provided to the U.S. government ("Government") in atransaction subject to the Federal Acquisition Regulations with Restricted Rights. TheGovernment's rights to use, modify, reproduce, release, perform, display or disclose are
restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software andNoncommercial Computer Soft-ware Documentation clause at DFAR 252.227-7014 (Jun1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of theCommer-cial
Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).
Use of the material in this document by the Government constitutes acknowledgment ofNextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043.Use, duplication, or disclosure by the Government is subject to restrictions as set forth inapplicable laws and regulations.
Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIESOF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLEPURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIEDWARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR
ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THISDOCUMENT WARRANTS OR MAKES ANY REPRESEN-TATIONS REGARDING THEUSE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USEOF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT,INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING,BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, ORTHE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOPOR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THEPOSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THISDOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTIONOF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL ORCONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAYNOT FULLY APPLY TO YOU.
Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
PCRE LICENCE
PCRE is a library of functions to support regular expressions whose syntax andsemantics are as close as possible to those of the Perl 5 language. Release 5 of PCREis distributed under the terms of the "BSD" licence, as specified below. Thedocumentation for PCRE, supplied in the "doc" directory, is distributed under the sameterms as the software itself.
Written by: Philip Hazel
University of Cambridge Computing Service, Cambridge, England. Phone:
+44 1223 334714.
Copyright (c) 1997-2004 University of Cambridge All rights reserved.
Redistribution and use in source and binary forms, with or without modification, arepermitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list ofconditions and the following disclaimer in the documentation and/or other materialsprovided with the distribution.
* Neither the name of the University of Cambridge nor the names of its contributors maybe used to endorse or promote products derived from this software without specific priorwritten permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ANDCONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORSBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; ORBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OFLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
7/31/2019 Checkpoint NGX Upgrade Guide
6/194
-
7/31/2019 Checkpoint NGX Upgrade Guide
7/194
Table of Contents 7
Table Of Contents
Chapter 1 Introduction to the Upgrade ProcessUpgrading Successfully 11
Documentation 12
NGX License Upgrade 13
Supported Upgrade Paths and Interoperability 14
Obtaining Software Installation Packages 15Terminology 15
Upgrade Tools 17
Chapter 2 Upgrading VPN-1 Pro/Express LicensesOverview of NGX License Upgrade 20
Introduction to License Upgrade in VPN-1 Express/Pro Environments 20
Software Subscription Requirements 20
Licensing Terminology 21The License_Upgrade Tool 22
Tool Location 22
Tool Options 22
Simulating the License Upgrade 23
Performing the License Upgrade 25
License Upgrade Methods 25
Deployments with Licenses Managed Centrally Using SmartUpdate 27
Deployments with Licenses Managed Locally 33
Trial Licenses 36Troubleshooting License Upgrade 37
Error: License version might be not compatible 37
Evaluation Licenses Created in the User Center 38
Evaluation Licenses Not Created in the User Center 38
Licenses of Products That Are Not Supported in NGX 39
License Enforcement on Module is now on Management 39
License Not in Any Of Your User Center Accounts 40
User Does Not Have Permissions on User Center Account 41
SKU Requires Two Licenses in NG and One License in NGX 41
SmartDefense Licenses 42
License Upgrade Partially Succeeds 42
Upgraded Licenses Do Not Appear in the Repository 43
Cannot Connect to the User Center 43
Chapter 3 Backup and Revert for VPN-1 Pro/ExpressIntroduction 45
Backup your Current Deployment 46Restore a Deployment 46
-
7/31/2019 Checkpoint NGX Upgrade Guide
8/194
8
SecurePlatform Backup and Restore Commands 47
Backup 47
Restore 48
SecurePlatform Snapshot Image Management 49
Snapshot 49
Revert 50
Revert to your Previous Deployment 52
Chapter 4 Upgrading a Distributed VPN-1 Pro/Express DeploymentIntroduction 55
Pre-Upgrade Considerations 56
License Upgrade to NGX R60 56
Web Intelligence License Enforcement 56
Upgrading Products on a SecurePlatform Operating System 57
VPN-1 Edge/Embedded Gateways Prior to Version 5.0 57
Reverting to your Previous Software Version 57
Upgrading the SmartCenter Server Component 58
Using the Pre Upgrade Verification Tool 59
Upgrading a SmartCenter High Availability Deployment 60
SmartCenter Upgrade on a Windows Platform 61
SmartCenter Upgrade on SecurePlatform R54, R55 and Later Versions 62SmartCenter Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2 63
SmartCenter Server Upgrade on a Solaris Platform 64
SmartCenter Upgrade on an IPSO Platform 65
Migrate your Current SmartCenter Configuration and Upgrade 68
Upgrading the Enforcement Module 71
Upgrading a Clustered Deployment 71
Upgrading the Enforcement Module Using SmartUpdate 72
Enforcement Module Upgrade Process on a Windows Platform 76
Enforcement Module Upgrade on SecurePlatform R54, R55 and Later Versions 77Enforcement Module Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2 78
Enforcement Module Upgrade on a Solaris Platform 80
Enforcement Module Upgrade on an IPSO Platform 81
Chapter 5 Upgrading a Standalone VPN-1 Pro/Express DeploymentIntroduction 85
Pre-Upgrade Considerations 86
License Upgrade to NGX 87Upgrading Products on a SecurePlatform Operating System 87
Reverting to your Previous Software Version 87
Using the Pre-Upgrade Verification Tool 87
Standalone VPN-1 Gateway Upgrade on a Windows Platform 89
Standalone VPN-1 Gateway Upgrade on SecurePlatform R54, R55 and Later Versions 90
Standalone VPN-1 Gateway Upgrade on SecurePlatform NG FP2, FP3, FP3 Edition 2 91
Standalone VPN-1 Gateway Upgrade on a Solaris Platform 92
Standalone VPN-1 Gateway Upgrade on an IPSO Platform 93
Migrate your Current VPN-1 Gateway Configuration and Upgrade 96
-
7/31/2019 Checkpoint NGX Upgrade Guide
9/194
Table of Contents 9
Chapter 6 Upgrading ClusterXLLicense Upgrade to NGX 97
Tools for Gateway Upgrades 97
Planning a Cluster Upgrade 99Permanent Kernal Global Variables 99
Ready state during Cluster Upgrade/Downgrade operations 99
Upgrading OPSEC Certified Third Party Clusters Products 101
Performing a Minimal Effort Upgrade on a ClusterXL Cluster 101
Performing a Zero Down Time Upgrade on a ClusterXL Cluster 101
Supported Modes 101
Performing a Full Connectivity Upgrade on a ClusterXL Cluster 104
Understanding a Full Connectivity Upgrade 104
Supported Modes 104Terminology 104
Implementing a Full Connectivity Upgrade 105
Chapter 7 Upgrading Provider-1Introduction 110
Scope 110
Before You Begin 110
Supported Platforms 111Supported Versions for Upgrade 111
Summary of Sections in this Chapter 111
Provider-1/SiteManager-1 Upgrade Tools 113
Pre-Upgrade Verifiers and Fixing Utilities 113
Installation Script 114
pv1_license_upgrade 115
license_upgrade 116
cma_migrate 117
migrate_assist 119
migrate_global_policies 119
Backup and Restore 120
Provider-1/SiteManager-1 License Upgrade 122
Overview of NGX License Upgrade 123
Introduction to License Upgrade in Provider-1 Environments 124
Software Subscription Requirements 124
Understanding Provider-1/SiteManager-1 Licenses 124
Before License Upgrade 126Choosing The Right License Upgrade Procedure 131
License upgrade of Entire System Before Software Upgrade 133
License Upgrade of Entire System Using Wrapper 136
License upgrade of Entire System After Software Upgrade 137
License Upgrade for a Single CMA 140
License Upgrade Using the User Center 146
SmartUpdate Considerations for License upgrade 146
Troubleshooting License Upgrade 147
Provider-1/SiteManager-1 Upgrade Practices 152In-place Upgrade 152
-
7/31/2019 Checkpoint NGX Upgrade Guide
10/194
10
Replicate and Upgrade 154
Gradual Upgrade to Another Machine 155
Migrating from a Standalone Installation to CMA 158
MDS Post Upgrade Procedures 162
Upgrading in a Multi MDS Environment 163
Pre-Upgrade Verification and Tools 163
Upgrading an NG with Application Intelligence Multi-MDS System 163
Restoring your Original Environment 166
Before the Upgrade 166
Restoring your Original Environment 167
Renaming Customers 167
Identifying Non-Compliant Customer Names 167
High-Availability Environment 168Automatic Division of Non-compliant Names 168
Resolving the Non-compliance 168
Advanced Usage 169
Changing MDS IP address and External Interface 171
IP Address Change 171
Interface Change 172
Chapter 8 Upgrading SmartLSM ROBO GatewaysPlanning the ROBO Gateway Upgrade 173Adding a ROBO Gateway Upgrade Package to SmartUpdate Repository 174
License Upgrade for a ROBO Gateway 174
Using SmartLSM to Attach the Upgraded Licenses 174
License Upgrade on Multiple ROBO Gateways 175
Upgrading a ROBO Gateway Using SmartLSM 175
Upgrading a VPN-1 Express/Pro ROBO Gateway 175
Full Upgrade 176
Specific Installation 176Upgrading a VPN-1 Edge ROBO Gateway 177
Upgrading a VPN-1 Express/Pro ROBO Gateway In Place 178
Using the Command Line Interface 179
SmartLSM Upgrade Tools 179
Upgrading a VPN-1 Express/Pro ROBO Gateway Using LSMcli 180
Upgrading a VPN-1 Edge ROBO Gateway Using LSMcli 181
Using the LSMcli in Scripts 182
Chapter 9 Upgrading VSX SmartCenter ManagementBefore You begin 185
License Upgrade 186
Tools for Upgrading a SmartCenter 186
Supported VSX Upgrade Paths 188
Upgrading VSX NG AI to NGX R60 SmartCenter 188
Upgrading VSX NG AI R2 to NGX R60 SmartCenter 189
Supported VSX Upgrade Procedures 190
Advanced Upgrade Procedures 190
Export and Import Commands 191
-
7/31/2019 Checkpoint NGX Upgrade Guide
11/194
11
CHAPTER 1
Introduction to the
Upgrade Process
In This Chapter
Upgrading Successfully
All successful upgrades begin with a solid game plan and a full understanding of the
steps you need to follow in order to succeed. This book provides tips and instructions
to make the upgrade process as clear as possible.
It is not necessary to read the entire book. In fact, there may be large portions of this
guide that may not apply to you. The guide is structured to sections of typicaldeployments for easy navigation.
We hope that your upgrade goes smoothly but in the event that you run into
unexpected snags, please contact your Reseller or our SecureKnowledge support center
at: https://secureknowledge.checkpoint.com
Upgrading Successfully page 11
Documentation page 12NGX License Upgrade page 13
Supported Upgrade Paths and Interoperability page 14
Obtaining Software Installation Packages page 15
Terminology page 15
Upgrade Tools page 17
https://secureknowledge.checkpoint.com/https://secureknowledge.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
12/194
Documentation
12
Documentation
This guide was created to explain all available upgrade paths for Check Point products
from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards
upgrading to NGX R60.
Before you begin please:
Make sure that you have the latest version of this document in the User Center at
0http://www.checkpoint.com/support/technical/documents/docs_r60.html
It is a good idea to have the latest version of the NGX R60 Release Notes handy.
Download them from:
http://www.checkpoint.com/support/technical/documents/docs_r60.htmlFor a new features list refer to the NGX R60 Whats New Guide:
http://www.checkpoint.com/support/technical/documents/docs_r60.html
http://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.html -
7/31/2019 Checkpoint NGX Upgrade Guide
13/194
Chapter 1 Introduction to the Upgrade Process 13
NGX License Upgrade
To upgrade to NGX R60, you must first upgrade licenses for all NG products. NGX
R60 with licenses from previous versions will not function.
The license upgrade procedure can be performed if you have purchased any of the
Enterprise Software Subscription services. License upgrade will fail for products and
accounts for which you do not have software subscription. Login to
http://usercenter.checkpoint.com to manage your accounts, licenses, and Enterprise
Support Programs coverage (under Support Programs).
License upgrade is performed by means of an easy to use tool that automatically
upgrades both locally and centrally managed licenses. Using the tool you can upgradeall licenses in the entire managed system. License upgrade can also be done manually,
per license, in the User Center.
The automatic license upgrade tool allows you to:
1 View the status of the currently installed licenses. On a SmartCenter server (or a
CMA, for Provider-1), you can also view the licenses in the SmartUpdate license
repository.
2 Simulate the license upgrade process.
3 Perform the actual license upgrade process.
During the license upgrade, all eligible licenses are gathered and sent in SSL encrypted
format to the User Center. Upgraded licenses are returned from the User center, and
automatically installed. The license upgrade process adds only NGX licenses. Old
licenses and non-eligible licenses (e.g., evaluation licenses, or licenses that pertain to IPaddresses no longer used) remain untouched.
When running on a SmartCenter Server (or a CMA, for Provider-1), the license
upgrade process also handles licenses in the SmartUpdate license repository. After the
software upgrade, SmartUpdate is used to attach the new NGX licenses to the gateways.
License upgrade for VPN-1 Pro/Express deployments is described in chapter 2,
Upgrading VPN-1 Pro/Express Licenses on page 19.
License upgrade for Provider-1 deployments is described in
Provider-1/SiteManager-1 License Upgrade on page 122.
License upgrade for SmartLSM deployments is described in License Upgrade for a
ROBO Gateway on page 174.
It is recommended to check
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html for up to date
information and downloads regarding NGX license upgrade.
http://usercenter.checkpoint.com/http://usercenter.checkpoint.com/http://usercenter.checkpoint.com/http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://usercenter.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
14/194
Supported Upgrade Paths and Interoperability
14
Supported Upgrade Paths and Interoperability
Upgrading to NGX R60 is supported on the following versions:
NG NG FP1
NG FP2
NG FP3
NG With Application Intelligence R54
NG With Application Intelligence R55
NG R55W GX 2.5
VSX NG AI
VSX NG AI Release 2
Backward compatibility to NGX R60 is supported on the following versions:
NG FP3
NG With Application Intelligence R54
NG With Application Intelligence R55
NG R55W
GX 2.5
VSX NG AI
VSX NG AI Release 2
Upgrading from versions prior to NG (4.0-4.1) is not supported. In order to upgrade
FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to
the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55
upgrade is complete, perform an upgrade to NGX R60.
-
7/31/2019 Checkpoint NGX Upgrade Guide
15/194
Chapter 1 Introduction to the Upgrade Process 15
Obtaining Software Installation Packages
NGX R60 software installation packages for Solaris, Windows, Linux and
SecurePlatform are available on the product CD.
NGX R60 software packages for Nokia IPSO 3.9 are available at the online download
center in the following location:
http://www.checkpoint.com/techsupport/downloads.jsp
Terminology
Security Policy - A Security Policy is created by the system administrator in order toregulate the incoming and outgoing flow of communication.
Enforcement Module - An Enforcement module is the VPN-1 Pro engine which
actively enforces the Security Policy of the organization.
SmartCenter Server - The SmartCenter Server is used by the system administrator to
manage the Security Policy. The databases and policies of the organization are stored on
the SmartCenter Server, and are downloaded from time to time to the Enforcement
modules.
SmartConsole Clients - The SmartConsole Clients are GUI applications which are
used to manage different aspects of the Security Policy. For instance SmartView Trackeris
a GUI client used to view logs.
SmartDashboard - a GUI client that is used to create Security Policies.
Check Point Gateway - otherwise known as an Enforcement module or sometimes
module is the VPN-1 Pro engine that actively enforces your organizations Security
Policy.
SmartUpdate - allows you to centrally upgrade and manage Check Point software and
licenses.
Package Repository - This is a SmartUpdate repository on the SmartCenter Server
that stores uploaded Packages. These packages are then used by SmartUpdate to
perform upgrades of Check Point Gateways.
Standalone Deployment - A Standalone deployment is performed when the Check
Point components that are responsible for the management of the Security Policy (the
SmartCenter Server and the Enforcement Module) are installed on the same machine.
Distributed Deployment - A Distributed deployment is performed when the
Enforcement Module and the SmartCenter Server are deployed on different machines.
http://www.checkpoint.com/techsupport/downloads.jsphttp://www.checkpoint.com/techsupport/downloads.jsp -
7/31/2019 Checkpoint NGX Upgrade Guide
16/194
Terminology
16
Advanced Upgrade - In order to avoid unnecessary risks, it is possible to migrate the
current configuration to a spare server. Once this is completed an upgrade process
should be performed on the migrated server, leaving the production server intact.
In Place Upgrade - In Place upgrades are upgrades performed locally.
ClusterXL- is a software-based load sharing and high availability solution for Check
Point gateway deployments. It distributes traffic between clusters of redundant gateways
so that the computing capacity of multiple machines may be combined to increase total
throughput. In the event that any individual gateway becomes unreachable, all
connections are re-directed to a designated backup without interruption. Tight
integration with Check Point's SmartCenter management and enforcement point
solutions ensures that ClusterXL deployment is a simple task for VPN-1 Pro
administrators.
ROBO Gateways - A Remote Office/Branch Office Gateway.
ROBO Profile - An object that you define to represent properties of multiple ROBO
Gateways. Profile objects are version dependent; therefore, when you plan to upgrade
ROBO Gateways to a new version, first define new Profile objects for your new
version. In general, you will want to keep the Profile objects of the previous versionsuntil all ROBO Gateways of the previous version are upgraded to the new version. For
further information about defining a ROBO Profile see the Defining Policies for the
Gateway Profile Objects chapter in the SmartLSM Guide.
LSM - Large Scale Manager. SmartLSMenables enterprises to easily scale, deploy and
manage VPNs and security for thousands of remote locations.
Management Virtual System (MVS) is a default Virtual System created by the VSXinstallation process during installation. The MVS:
Handles provisioning and configuration of Virtual Systems and Virtual Routers.
Manages Gateway State Synchronization when working with clusters.
Virtual Routers are independent routing domains within a VSX Gateway that
function like physical routers.
VSX Clustering involves connecting two or more VSX Gateways in such a way thatif one fails, another immediately takes its place. A single VSX Gateway contains
multiple Virtual Routers and Virtual Systems.
Virtual System is a routing and security domain featuring firewall and VPN
capabilities supported by a standard Check Point Gateway. Multiple Virtual Systems can
run concurrently on a single VSX Gateway, isolated from one another by their use of
separate system resources and data storage.
-
7/31/2019 Checkpoint NGX Upgrade Guide
17/194
Chapter 1 Introduction to the Upgrade Process 17
Upgrade Tools
Various upgrade tools are provided for migration and compatibility verification of your
current deployment. These tools will help you successfully upgrade to NGX R60.
The upgrade tools can be found in the following locations:
in the NGX R60 $/FWDIR/bin/upgrade_tools directory.
http://www.checkpoint.com/techsupport/ngx/utilities.html
d l
http://www.checkpoint.com/techsupport/ngx/utilities.htmlhttp://www.checkpoint.com/techsupport/ngx/utilities.html -
7/31/2019 Checkpoint NGX Upgrade Guide
18/194
Upgrade Tools
18
-
7/31/2019 Checkpoint NGX Upgrade Guide
19/194
19
CHAPTER 2
Upgrading VPN-1Pro/Express Licenses
In This Chapter
Overview of NGX License Upgrade page 20
Introduction to License Upgrade in VPN-1 Express/Pro Environments page 20Software Subscription Requirements page 20
Licensing Terminology page 21
The License_Upgrade Tool page 22
Simulating the License Upgrade page 23
Performing the License Upgrade page 25
Trial Licenses page 36
Troubleshooting License Upgrade page 37
Overview of NGX License Upgrade
-
7/31/2019 Checkpoint NGX Upgrade Guide
20/194
Overview of NGX License Upgrade
20
Overview of NGX License Upgrade
To upgrade to NGX R60, you must first upgrade licenses for all NG products. NGX
R60 with licenses from previous versions will not function.
The license upgrade procedure can be performed if you have purchased any of the
Enterprise Software Subscription services. License upgrade will fail for products and
accounts for which you do not have software subscription. Login to
http://usercenter.checkpoint.com to manage your accounts, licenses, and Enterprise
Support Programs coverage (under Support Programs).
License upgrade is performed by means of an easy to use tool that automatically
upgrades both locally and centrally managed licenses. Using the tool you can upgradeall licenses in the entire managed system.
License upgrade can also be done manually, per license, in the User Center. For
instructions, see the Step by Step guide to the User Center at
https://usercenter.checkpoint.com/pub/usercenter/faq_us.html.
For instructions on upgrading license for Provider-1 and SmartLSM deployments, see
Provider-1/SiteManager-1 License Upgrade on page 122. License Upgrade for a ROBO Gateway on page 174.
For the latest information and downloads regarding NGX license upgrade, check
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.
Introduction to License Upgrade in VPN-1 Express/Pro
EnvironmentsLicenses are required for the SmartCenter Server and for the enforcement modules. Nolicense is required for the SmartConsole management clients.
The license upgrade procedure uses the license_upgrade command line tool that
makes it simple to automatically upgrade licenses without having to do so manually
through the Check Point User Center Web site https://usercenter.checkpoint.com.
Version 4.1 licenses cannot be upgraded directly to NGX. You must first upgrade thelicense to NG and then to NGX. License upgrade from version 4.1 to NG can be done
only from User Center web site. It is not supported by the upgrade tool.
Software Subscription Requirements
The license upgrade procedure can be performed if you have purchased any of the
Enterprise Software Subscription services. License upgrade will fail for products and
accounts for which you do not have software subscription.
http://usercenter.checkpoint.com/http://usercenter.checkpoint.com/http://usercenter.checkpoint.com/https://usercenter.checkpoint.com/pub/usercenter/faq_us.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttps://usercenter.checkpoint.com/https://usercenter.checkpoint.com/pub/usercenter/faq_us.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://usercenter.checkpoint.com/https://usercenter.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
21/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 21
You can see exactly the products and accounts for which you have software subscription
by looking in your User Center account at https://usercenter.checkpoint.com. In the
Accounts page, Enterprise Contract column, and in the Products page, Subscription and
Support column, if the account or product is covered, the expiration date is shown.Otherwise, the entry says Join Now, with a link to get a quote for purchasing Enterprise
Support.
You can purchase an Enterprise Software Subscription for the whole account, in which
case all the products in the account will be covered, or you can purchase Enterprise
Software Subscription for individual products.
Licensing TerminologyThe license upgrade procedures use specialized licensing terminology. It is important to
understand the terminology in order to successfully perform the license upgrade.
License Upgrade is the process of upgrading version NG licenses to NGX.
Software Upgrade is the process of upgrading Check Point software to version
NGX.
License Repository is a repository on the SmartCenter Server that stores licensesfor Check Point products. It is used by SmartUpdate to install and manage licenses
on Check Point Gateways.
Wrapper is the wizard application on the Check Point CD that allows you to
install and upgrade Check Point products and upgrade licenses.
The License_Upgrade Tool
https://usercenter.checkpoint.com/https://usercenter.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
22/194
pg
22
The License_Upgrade Tool
The license_upgrade tool allows you to:
1 View the status of the currently installed licenses. On a SmartCenter server (or aCMA, for Provider-1), you can also view the licenses in the SmartUpdate license
repository.
2 Simulate the license upgrade process.
3 Perform the actual license upgrade process.
During the license upgrade, all eligible licenses are gathered and sent in SSL encrypted
format to the User Center. Upgraded licenses are returned from the User center, andautomatically installed. The license upgrade process adds only NGX licenses. Old
licenses and non-eligible licenses (e.g., evaluation licenses, or licenses that pertain to IP
addresses no longer used) remain untouched.
When running on a SmartCenter Server (or a CMA, for Provider-1), the license
upgrade tool also handles licenses in the SmartUpdate license repository. After using the
tool, SmartUpdate is used to attach the new NGX licenses in the license repository to
the gateways.
Tool Location
The license_upgrade tool can be found in one of the following locations:
On the NGX product CD at \
In the Check Point Download site at
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html. It is also part of the NGX installation, located at $CPDIR/bin.
Tool Options
The license_upgrade command line tool has a number of options. To see all the
options, run:
license_upgrade
Tool Options
http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.html -
7/31/2019 Checkpoint NGX Upgrade Guide
23/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 23
The options are:
Simulating the License UpgradeBefore performing the license upgrade, it is recommended to simulate the License
Upgrade. Do this in order to find and solve potential problems in upgrading specific
licenses. The simulation is an exact replica of the license upgrade process. It sends
existing licenses to User Center Web site to verify that the upgrade is possible, however,
no actual upgrade is done and no new licenses are returned. If the actual license
upgrade will fail for some reason, error messages are displayed and available in a log file,
which can be used for troubleshooting.
1 Copy the license_upgrade tool from \ on the NGX
product CD, or from the Check Point Download site athttp://www.checkpoint.com/techsupport/ngx/license_upgrade.html.
2 Place the license_upgrade tool on the NG machine.
3 To simulate the license upgrade, run the license_upgrade tool option
[S] Simulate the license upgrade.
TABLE 2-1 license_upgrade tool options
Option Meaning[L] View the licenses installed on your machine.
[S] Sends existing licenses to User Center Web site to simulate the license
upgrade in order to verify that it can be performed. No actual upgrade is
done and no new licenses are returned
[U] Sends existing licenses to the User Center Web site to perform upgrade
and (by default, in online mode) installs them on the machine.[C] Reports whether or not there are licenses on the machine that need to be
upgraded.
[O] Perform license upgrade on a license file that was generated on a machine
with no Internet access to the User Center.
[V] View log of last license upgrade or last upgrade simulation.
Note - License upgrade simulation can only be performed on a machine with Internetconnectivity to the Check Point User Center.
Simulating the License Upgrade
http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.html -
7/31/2019 Checkpoint NGX Upgrade Guide
24/194
24
4 Be sure to deal with all the reported issues, so that the actual license upgrade will
succeed for all licenses.
For further assistance:
See Troubleshooting License Upgrade on page 37.
Refer to SecureKnowledge at https://secureknowledge.checkpoint.com .
License Upgrade Methods
https://secureknowledge.checkpoint.com/https://secureknowledge.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
25/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 25
Performing the License Upgrade
In This Section
License Upgrade Methods
There are two methods of upgrading licenses to NGX in a VPN-1 Pro/Expressdeployment. The right method to use depends on how you manage your licenses:
Centrally, from the SmartCenter Server by means of SmartUpdate, or
Locally at the Check Point machine.
If you use SmartUpdate to manage your licenses, you can update all licenses in your
entire managed system in a single procedure.
For both methods, the upgrade is performed using the license_upgrade tool.
For each method the actual procedure that is used depends on whether or not the
machine on which the license upgrade is to be run is online or offline. An online
machine is one with Internet connectivity to the Check Point User Center.
It is highly recommended to perform the license upgrade beforeperforming any software
upgrade. This ensures that the products will continue to function after the software
upgrade. However, if necessary, the software upgrade can be done first.
License Upgrade Methods page 25
Deployments with Licenses Managed Centrally Using SmartUpdate page 27
Deployments with Licenses Managed Locally page 33
Note - Version 4.1 licenses cannot be upgraded directly to NGX. You must first upgradesoftware and licenses to version NG.
Performing the License Upgrade
-
7/31/2019 Checkpoint NGX Upgrade Guide
26/194
26
The following table shows the Check Point licenses that are upgraded for each license
upgrade method:
What Next?
Now choose the right procedure for you:
Deployments with Licenses Managed Centrally Using SmartUpdate on page 27
Deployments with Licenses Managed Locally on page 33
LicenseManagementmethod
License Upgrade for License that are upgraded
Centrally managed
using SmartUpdate
Entire managed System
(Run upgrade tool on
SmartCenter Server)
Local machine licenses
(for SmartCenter)
License Repository
(for enforcement
modules)Locally managed Enforcement module Local machine licenses
SmartCenter Server Local machine licenses
Standalone Gateway
deployment, containing both
a SmartCenter and an
enforcement module.
(that manages no remote
enforcement modules)
Local machine licenses
(for SmartCenter and
enforcement module).
Deployments with Licenses Managed Centrally Using SmartUpdate
-
7/31/2019 Checkpoint NGX Upgrade Guide
27/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 27
Deployments with Licenses Managed Centrally UsingSmartUpdate
In This Section
Introduction to Using SmartUpdate
In distributed deployments with multiple enforcement modules, SmartUpdate must be
used to distribute licenses from the SmartCenter to the enforcement modules after
performing the license upgrade.
With SmartUpdate, you can manage all licenses for Check Point packages throughout
the organization that are managed by the SmartCenter Server. SmartUpdate provides a
global view of all available and installed licenses, and allows you to perform operations
on Check Point Gateways such as adding new licenses, attaching licenses and deletingexpired licenses.
After the SmartCenter Server is upgraded, SmartUpdate must be used to complete the
License Upgrade process. When SmartUpdate is opened, the upgraded licenses areimported into the license repository and are Assigned to the appropriate enforcement
module.
1. License Upgrade for an Online SmartCenter
Use this procedure to upgrade the licenses of the entire distributed deployment to
NGX beforethe software upgrade, for a deployment with an online SmartCenter Server.
An online SmartCenter Server is one with Internet connectivity to the Check PointUser Center Web site https://usercenter.checkpoint.com.
Introduction to Using SmartUpdate on page 27
1. License Upgrade for an Online SmartCenter on page 27
2. License Upgrade for an Offline SmartCenter on page 30
Note - SmartUpdate license management capabilities are free of charge.
Note - If the license upgrade is performed before the software upgrade, Check Pointproducts will generate warning messages until all the software on the machine has been
upgraded. See Error: License version might be not compatible on page 37 for details.
Performing the License Upgrade
https://usercenter.checkpoint.com/https://usercenter.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
28/194
28
1 At the SmartConsole GUI machine, open SmartUpdate, connect to the
SmartCenter Server, and select Licenses > Get all licenses. This ensures that the
License Repository is updated.
2 Copy the license_upgrade tool from \ on the NGXproduct CD, or from the Check Point Download site at
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.
3 Place the license_upgrade tool on the SmartCenter NG machine.
4 On the Smartcenter Server, perform the license upgrade procedure by running
license_upgrade tool (on SecurePlatform, you must be in expert mode).
5 Choose the [U] option. This does the following:
Collects all the licenses that exist on the machine.
Fetches updated licenses from the User Center. Installs new licenses on the local machine.
On the SmartCenter machine, if Management High Availability licenses exist,
they are upgraded.
6 Perform the software upgrade to NGX on the SmartCenter machine andon the
SmartConsole GUI machine.
7 At the SmartConsole GUI machine, open SmartUpdate, and connect to theSmartCenter Server. The updated licenses are displayed as Assigned. Use the Attach
assigned licenses option to Attach the Assigned licenses to enforcement modules.
8 Perform the software upgrade to NGX on the enforcement module machine(s).
9 Delete obsolete licenses from NGX modules. At the SmartConsole GUI machine,
open SmartUpdate and connect to the SmartCenter Server. In the License
Repository, sort by the State column, select all the Obsolete licenses, Detach them,and then Delete them.
Note - License upgrade using the CD Wrapper does not work for SmartCenter machines onWindows platforms with via-proxy Internet connectivity.
Deployments with Licenses Managed Centrally Using SmartUpdate
http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.html -
7/31/2019 Checkpoint NGX Upgrade Guide
29/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 29
License Statuses in SmartUpdate
SmartUpdate shows whether a license isAttachedorUnattached, and the license State.
An:
Attached license is associated with the enforcement module in License Repository,and is installed on the remote enforcement module. In order for the NGX software
to work, a valid NGX license must be Attached.
Unattached license is not installed on any enforcement module.
A license can be in one of the following States:
Assigned is an NGX license that is associated with the enforcement module in
License Repository, but is not yet installed on the module as a replacement for anexisting NG license.
Obsolete is an NG license for which a replacement NGX license is installed on an
NGX enforcement module.
Requires Upgrade is an NG license that is installed on an NGX machine, and for
which no replacement upgraded license exists.
No NGX license is an NG license that does not need to be upgraded, or one for
which the license upgrade failed.
Performing the License Upgrade
-
7/31/2019 Checkpoint NGX Upgrade Guide
30/194
30
2. License Upgrade for an Offline SmartCenter
Use this procedure to upgrade the licenses of the entire distributed deployment before
the software upgrade, where the SmartCenter Server is offline.
An offline SmartCenter Server is one that does nothave Internet connectivity to the
Check Point User Center Web site https://usercenter.checkpoint.com.
1 At the SmartConsole GUI machine, open SmartUpdate and connect to theSmartCenter Server. Select Licenses > Get all licenses. This ensures that the License
Repository is updated.
2 Copy the license_upgrade tool from \ on the NGX CD,
or from the Check Point Download site at
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.
3 Place the license_upgrade tool on the offline SmartCenter Server NG.
4 At the offline SmartCenter, run
license_upgrade
On SecurePlatform, run the option in expert mode.
5 From the menu of options choose:
[U] to run the upgrade operation.
[N] to specify that you dont have an internet connection.
[E] to copy the licenses to a license file.
Enter the name of the license package file that will be created.
[Q] to quit the license upgrade tool.
6 Copy the license package file from the offline SmartCenter to any online machine.
The online machine does not need to be a Check Point-installed machine.
7 Copy the license_upgrade tool to the online machine from the location specified
in step 2.
8 Run the license_upgrade tool at the online machine:
[O] to run the upgrade operation in offline mode.
Enter the name of the exported file with the location of the package file that is
the result ofstep 5.
Note - If the license upgrade is performed before the software upgrade, Check Pointproducts will generate warning messages until all the software on the machine has been
upgraded. See Error: License version might be not compatible on page 37 for details.
Deployments with Licenses Managed Centrally Using SmartUpdate
https://usercenter.checkpoint.com/http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttps://usercenter.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
31/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 31
Enter the name of the file that will be created with all the upgraded licenses
(output file name).
Press [Y] when asked Is this machine connected to the Internet?.
Press [Y] if you are connected to the internet via a proxy and supply the proxyIP port and username password.
Press [N] if you are not connected via proxy and continue with the upgrade.
Enter the user and password of your User Center Account.
This fetches new licenses from the User Center and puts them in a cache file.
9 Copy the cache file (with the new licenses) to the offline SmartCenter. Copy the
file to the same directory as the license upgrade tool.
10 Run license_upgrade tool on the offline SmartCenter.
Press [U] to run the Upgrade operation.
Press [N] when asked Is this machine connected to the Internet?.
Press [I] to import the output file with all the upgraded licenses back to the
SmartCenter.
Enter the output file name with all the upgraded licenses.
11 Return to the main menu and press
[C] Check if currently installed licenses have been upgraded.
This shows the number of upgraded licenses on the machine and whether the
original NG licenses have a replacement NGX license.
12 Perform the software upgrade to NGX on the SmartCenter machine andon the
SmartConsole GUI machine.
13 At the SmartConsole GUI machine, open SmartUpdate and connect to the
SmartCenter Server. The updated licenses are displayed as Assigned. Use the Attach
assigned licenses option to Attach the Assigned licenses to enforcement modules.
14 Perform the software upgrade to NGX on the enforcement module machine(s).
15 Delete obsolete licenses from NGX modules. At the SmartConsole GUI machine,open SmartUpdate and connect to the SmartCenter Server. In the License
Repository, sort by the State column, select all the Obsolete licenses, Detach them,
and then Delete them.
Performing the License Upgrade
-
7/31/2019 Checkpoint NGX Upgrade Guide
32/194
32
License Statuses in SmartUpdate
SmartUpdate shows whether a license isAttachedorUnattached, and the license State.
An:
Attached license is associated with the enforcement module in License Repository,and is installed on the remote enforcement module. In order for the NGX software
to work, a valid NGX license must be Attached.
Unattached license is not installed on any enforcement module.
A license can be in one of the following States:
Assigned is an NGX license that is associated with the enforcement module in
License Repository, but is not yet installed on the module as a replacement for anexisting NG license.
Obsolete is an NG license for which a replacement NGX license is installed on an
NGX enforcement module.
Requires Upgrade is an NG license that is installed on an NGX machine, and for
which no replacement upgraded license exists.
No NGX license is an NG license that does not need to be upgraded, or one for
which the license upgrade failed.
Deployments with Licenses Managed Locally
-
7/31/2019 Checkpoint NGX Upgrade Guide
33/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 33
Deployments with Licenses Managed Locally
In This Section
3. License Upgrade for an Online Machine
Use this procedure to upgrade the licenses on a single online NG machine beforethe
software upgrade.
An online machine is one with Internet connectivity to the Check Point User Center
Web site https://usercenter.checkpoint.com.
The single machine can be a
SmartCenter Server.
Enforcement module.
Standalone Gateway containing a SmartCenter Server and an enforcement module.
1 Copy the license_upgrade tool from \ on the NGX CD,
or from the Check Point Download site at
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.2 Place the license_upgrade tool on the online NG machine.
3 At the online machine, perform the license upgrade procedure by running
license_upgrade tool (on SecurePlatform, you must be in expert mode).
4 Choose the [U] option. This does the following:
Collects all the licenses that exist on the machine.
Fetches updated licenses from the User Center.
Installs new licenses on the local machine.
On a SmartCenter machine, if Management High Availability licenses exist, theyare upgraded.
3. License Upgrade for an Online Machine on page 33
4. License Upgrade for an Offline Machine on page 34
Note - If the license upgrade is performed before the software upgrade, Check Pointproducts will generate warning messages until all the software on the machine has been
upgraded. See Error: License version might be not compatible on page 37 for details.
Note - License upgrade using the CD Wrapper does not work for SmartCenter machines onWindows platforms with via-proxy Internet connectivity.
Performing the License Upgrade
https://usercenter.checkpoint.com/http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttps://usercenter.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
34/194
34
5 Perform the software upgrade to NGX.
6 Find out which license on the machine are obsolete. Run
cplic print
7 Delete the obsolete licenses from the machine: For each obsolete license, run
cplic -del
4. License Upgrade for an Offline Machine
Use this procedure to upgrade the licenses for a single offline machine beforethe
software upgrade.
An offline machine is one that does nothave Internet connectivity to the Check PointUser Center Web site https://usercenter.checkpoint.com.
The single machine can be a
SmartCenter Server.
Enforcement module.
Standalone Gateway containing a SmartCenter Server and an enforcement module.
1 Copy the license_upgrade tool from \ on the NGX CD,
or from the Check Point Download site at
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.
2 Place the license_upgrade tool on the offline machine.
3 At the offline machine, run
license_upgrade
On SecurePlatform, run the option in expert mode.
4 From the menu of options choose:
[U] to run the upgrade operation.
[N] to specify that you dont have an internet connection.
[E] to copy the licenses to a license file.
Enter the name of the license package file that will be created.
[Q] to quit the license upgrade tool.
5 Copy the license package file from the offline machine to any online machine. The
online machine does not need to be a Check Point-installed machine.
Note - If the license upgrade is performed before the software upgrade, Check Pointproducts will generate warning messages until all the software on the machine has been
upgraded. See Error: License version might be not compatible on page 37 for details.
Deployments with Licenses Managed Locally
h l h l h h l l d
https://usercenter.checkpoint.com/http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttps://usercenter.checkpoint.com/ -
7/31/2019 Checkpoint NGX Upgrade Guide
35/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 35
6 Copy the license_upgrade tool to the online machine. The tool is located at the
location specified in step 1.
7 Run the license_upgrade tool at the online machine:
[O] to run the upgrade operation in offline mode.
Enter the name of the exported file with the location of the package file that is
the result ofstep 5.
Enter the name of the file that will be created with all the upgraded licenses
(output file name).
Press [Y] when asked Is this machine connected to the Internet?.
Press [Y] if you are connected to the internet via a proxy and supply the proxyIP port and username password.
Press [N] if you are not connected via proxy and continue with the upgrade.
Enter the user and password of your User Center Account.
This fetches new licenses from the User Center and puts them in a cache file.
8 Copy the cache file (with the new licenses) to the offline machine. Copy the file to
the same directory as the license_upgrade tool.
9 Run license_upgrade tool on the offline machine.
Press [U] to run the Upgrade operation.
Press [N] when asked Is this machine connected to the Internet?.
Press [I] to import the output file with all the upgraded licenses back to the
SmartCenter.
Enter the output file name with all the upgraded licenses.
10 Return to the main menu and press
[C] Check if currently installed licenses have been upgraded.
This shows the number of upgraded licenses on the machine and whether the
original NG licenses have a replacement NGX license.
11 Perform the software upgrade to NGX on the offline machine.
12 Find out which license on the machine are obsolete. Run
cplic print
13 Delete the obsolete licenses from the machine: For each obsolete license, run
cplic -del
Trial Licenses
Trial Licenses
-
7/31/2019 Checkpoint NGX Upgrade Guide
36/194
36
Trial Licenses
Every Check Point product comes with a Trial License that allows unrestricted use of
the product for 15 days.
After the software upgrade, the Trial License continues to work for the remaining days
of the license. There is no need to upgrade the Trial License.
The Trial License does not work if you migrate your current SmartCenter
configuration to a new machine, and then upgrade the new machine to NGX.
Error: License version might be not compatible
Troubleshooting License Upgrade
-
7/31/2019 Checkpoint NGX Upgrade Guide
37/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 37
Troubleshooting License Upgrade
License upgrade is a smooth and easy process. There are a few predictable cases where
you may come across some problems. Use this section to solve those license upgrade
problems.
In This Section
Error: License version might be not compatible
SecureKnowledge solution sk30478
Symptoms Error: Warning: Can't find .... in cp.macro. License version might be
not compatible
Error occurs with commands such as cplic print, cpstop, cpstart, and fw ver.
The error occurs when a license upgrade is performed before a software upgrade.
The error appears in any situation where a licensed version is not compatible with
the version installed on a machine, for example, an NGX license on an NG
machine.
Cause
License on the target machine was upgraded to NGX before the software was upgraded
from a previous NG version to NGX.
Error: License version might be not compatible page 37
Evaluation Licenses Created in the User Center page 38
Evaluation Licenses Not Created in the User Center page 38
Licenses of Products That Are Not Supported in NGX page 39
License Enforcement on Module is now on Management page 39
License Not in Any Of Your User Center Accounts page 40
User Does Not Have Permissions on User Center Account page 41
SKU Requires Two Licenses in NG and One License in NGX page 41
SmartDefense Licenses page 42
License Upgrade Partially Succeeds page 42
Upgraded Licenses Do Not Appear in the Repository page 43
Cannot Connect to the User Center page 43
Troubleshooting License Upgrade
If the license upgrade is performed before the software upgrade Check Point products
-
7/31/2019 Checkpoint NGX Upgrade Guide
38/194
38
If the license upgrade is performed before the software upgrade, Check Point products
will generate warning messages until all the software on the machine has been
upgraded. Refer to License Upgrade Methods on page 25 to determine the upgrade
path that best applies to your current configuration.
Resolution
Upgrade the software to version NGX. Errors will not appear after the upgrade.
Note that these errors do not affect the functionality of the version NG software.
Evaluation Licenses Created in the User Center
Symptoms
User Center message (Error code: 106):
Cause
Evaluation licenses are not entitled to a license upgrade.
Resolution
Evaluation licenses cannot be upgraded. If you dont need the evaluation license, delete
it. If you do need it, contact Account Services at US +1 817 606 6600, option 7 or
e-mail [email protected].
Evaluation Licenses Not Created in the User Center
Symptoms
User Center message (Error code: 151):
Cause
These evaluation licenses do not exist in the User Center. Evaluation licenses are not
entitled to a license upgrade.
An evaluation license can be identified by examining the license string. Evaluation
licenses may contain one of the following strings in the Features description:
CK-CP
or
No license upgrade is available for evaluation product.
Your license contains a Certificate Key (CK) which is not found inUser Center.
Licenses of Products That Are Not Supported in NGX
CK-CHECK-POINT-INTERNAL-USE-ONLY
-
7/31/2019 Checkpoint NGX Upgrade Guide
39/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 39
Resolution
Evaluation licenses cannot be upgraded. If you dont need the evaluation license, delete
it. If you do need it, contact Account Services at US +1 817 606 6600, option 7 or
e-mail [email protected].
Licenses of Products That Are Not Supported in NGX
Symptoms
User Center Message (Error code: 154):
Cause
VPN-1 Net and VPN-1 SmallOffice are not supported in NGX. Therefore, if an
attempt is made to upgrade the license for these products, the User Center generates an
error message. The affected SKUs are:
VPN-1 Net Family SKUs: CPVP-VNT and LS-CPVP-VNT families
SmallOffice family SKUs: CPVP-VSO and LS- CPVP-VSO families
Resolution
Contact Account Services at US +1 817 606 6600, option 7 or e-mail
License Enforcement on Module is now on Management
Symptoms
User Center Message (Error code: 132):
Cause
The enforcement of NG module features is now performed by the NGX management.
For example, the licensing model of QOS (formerly FloodGate-1) for VPN-1 Express
was changed in NGX, and VPN-1 Express NGX modules with QoS require an
This product is not upgradeable to NGX version and therefore alicense upgrade is not needed. The product continues to besupported in its NG Release
The license enforcement of NG gateway is now performed by the NGX
management server. Perform Change IP operation in User Center andinstall the NGX license on the management server
Troubleshooting License Upgrade
appropriate license to be installed on the management. License Upgrade in this scenario
-
7/31/2019 Checkpoint NGX Upgrade Guide
40/194
40
pp p g pg
is not handled automatically by the license upgrade. The affected SKU family for QoS
is: CPXP-QOS
Resolution
If you have an NG Express gateway with a QoS (FloodGate-1) license, and in any other
case where this problem occurs, proceed as follows:
1 Perform a license upgrade at the User Center web site to generate a new license.
2 Install the new, upgraded license on the NGX management machine (even if you
do not upgrade the gateway).
3 Upgrade the gateway.
4 Delete the unneeded license from the gateway in one of two ways:
Run the command line command at the gateway:
cplic del
Using SmartUpdate, select the unneeded license, Detach it, and then Delete it.
License Not in Any Of Your User Center Accounts
Symptoms
User Center Message (Error Code 17):
Cause
This specific license does not exist in any of the accounts that belong to this user.
Resolution
Run the tool again with the appropriate username.
Note that each time you run the tool with a different username, upgraded licenses fromthe User Center are added to a cache file located on your machine. This file contains
the successfully upgraded licenses from previous runs.
If the partially successful license upgrade was performed via the Wrapper, then after the
Wrapper has finished, run the license upgrade again via the command line, with the
appropriate username.
This license is not in any of your accounts. Run the licenseupgrade again with the username that owns this license in the User
Center.
User Does Not Have Permissions on User Center Account
User Does Not Have Permissions on User Center Account
-
7/31/2019 Checkpoint NGX Upgrade Guide
41/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 41
Symptoms
User Center Message (Error Code 19):
Cause
This user is not authorized to change this license in the User Center.
Resolution
Run the tool again with the appropriate username.
Note that each time you run the tool with a different username, upgraded licenses from
the User Center are added to a cache file located on your machine. This file contains
the successfully upgraded licenses from previous runs.
If the partially successful license upgrade was performed via the Wrapper, then after theWrapper has finished, run the license upgrade again via the command line, with the
appropriate username.
SKU Requires Two Licenses in NG and One License in NGX
Symptoms
User Center Message (Error code: 135):
Cause
The NG version of SecureClient requires two licenses: one license for the module and
one for the management. In NGX only the management license is needed. The modulelicense (CPVP-VPS-1-NG) is no longer needed because it is incorporated in the
VPN-1 Pro license. The relevant SKU families are:
CPVP-VSC,
LS- CPVP-VSC,
CPVP-VMC,
LS-CPVP-VMC,
CPVP-VSC-100-DES-NG
This license is in your account but you are not authorized toupgrade licenses in this account because you have just view-onlypermissions. Run license upgrade again with a username that isauthorized to change the license in the User Center.
This license is no longer needed in the version you are upgradingto. It can be safely removed from the machine after the softwareupgrade.
Troubleshooting License Upgrade
Resolution
-
7/31/2019 Checkpoint NGX Upgrade Guide
42/194
42
After the software upgrade, delete the unneeded module license from the machine. Do
this in one of two ways:
Using the command line: Runcplic del
Using SmartUpdate: Select the unneeded license, Detach it, and then Delete it.
SmartDefense Licenses
Symptoms
User Center Message (Error code: 902):
Cause
In NGX, enforcement of SmartDefense licenses is handled by the User Center. The
SKU families for which this issue is relevant are SU-SMRD and SU-SMDF.
Resolution
Delete the unneeded license from the machine.
License Upgrade Partially Succeeds
Symptoms
License upgrade fails for some of the licenses but succeeds for others.
Cause
License upgrade may fail for some licenses and succeed for others. A license may fail to
upgrade for a number of reasons. For example, you may not have an Enterprise
Subscription contract for these licensed product. See some of the other items in
Troubleshooting License Upgrade on page 37 for more reasons why license upgrade
may fail.
Resolution
After solving all or some of the licensing problems referred to in the error log, run the
license_upgrade tool. This will upgrade the licenses for which the problem has been
solved.
The tool can be found in one of the following locations
On the CD at
SmartDefense License is not needed on the gateway.
Upgraded Licenses Do Not Appear in the Repository
In the Check Point Download site at
h // h k i / h / /li d h l
http://www.checkpoint.com/techsupport/ngx/license_upgrade.htmlhttp://www.checkpoint.com/techsupport/ngx/license_upgrade.html -
7/31/2019 Checkpoint NGX Upgrade Guide
43/194
Chapter 2 Upgrading VPN-1 Pro/Express Licenses 43
http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.
When the license_upgrade tool is run several times, the results are cumulative. This
means that if the upgrade of some licenses failed and the tool is run again: Licenses that were successfully upgraded to NGX remain unchanged.
Licenses that failed to upgrade in a previous