The Upgrade Guide
NG with Application Intelligence (R55)
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at
http://support.checkpoint.com/kb/
See the latest version of this document in the User Center at:
http://www.checkpoint.com/support/technical/documents/docs_r55.html
IMPORTANT: Check Point recommends that customers stay up-to-date with the latest service packs and versions of security products, as they contain security enhancements and protection against new and changing attacks.
Part Number 700724, November 2003
© 2003-2004 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS: Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 6,496,935, 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.
THIRD PARTIES: Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group. Copyright © 1998 The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted under the GNU General Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]
Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
Table Of Contents
Chapter 1 Introduction to the Upgrade Process
Before You Begin 11
Upgrading Successfully 12
Chapter 2 Planning Your Upgrade
Recommended Upgrade Flows 13
Deployments 13
Chapter 3 SmartCenter Upgrade
Before You Begin 17
Terminology 17
Tools 18
Built in Safety Measures and Tips 18
Planning SmartCenter Upgrades 19
Select the Basic or the Advanced Upgrade Method 19
Maintaining Backward Compatibility 20
SecurePlatform 20
backup 20
Syntax 20
Parameters 21
Using the “Patch” Utility to Upgrade Itself 21
Using TFTP 21
Not Using TFTP 21
Upgrading SecurePlatform via the Patch Utility 22
Using the CD 22
Without the CD 22
Basic SmartCenter Upgrade Procedure 23
Basic Upgrade Steps 23
Advanced SmartCenter Upgrade 24
Motivations for Performing Advanced Upgrade 24
Selecting a Manual Upgrade or an Automatic Upgrade 25
Advanced Upgrade Steps 26
Tools for Upgrading SmartCenters 27
Pre-Upgrade Verification 27
Action Items before the Upgrade 29
Action Items after the Upgrade 29
Information Messages 29
Advanced Upgrade on a Spare Machine Using the Command Line Interface 30
Export and Import Commands 32
SecurePlatform’s Update Utility 32
Upgrading to a Different IP Address or Domain Name 33
Notes, Exceptions and Limitations 37
After Performing an Advanced Upgrade 37
Upgrading with Management High Availability 38
Chapter 4 Check Point Gateway Upgrades
Before You Begin 39
Terminology 39
Tools for Gateway Upgrades 40
Planning a Check Point Gateway Upgrade 40
SecurePlatform 40
Upgrading to Windows 2003 Server from pre-2003 Server 40
Upgrading Modules with SecurePlatform 41
backup 41
Syntax 41
Parameters 41
Using the “Patch” Utility to Upgrade the “Patch” Utility Itself 42
Using TFTP 42
Not Using TFTP 42
Upgrading SecurePlatform via the Patch Utility 42
Using the CD 42
Without the CD 43
Using TFTP 43
Without TFTP 43
Using SmartUpdate to Upgrade SecurePlatform 43
Upgrading Check Point Gateways with SmartUpdate 44
Prerequisites for SmartUpdate Upgrade 44
Requirements for Upgrading Gateways from Version 4.1 SP2 44
Requirements for Upgrading Gateways from NG 44
Configuring the SmartCenter Server so that you can use SmartUpdate 44
Using SmartUpdate to Add Products to the Product Repository 45
Using SmartUpdate to Upgrade Remote Check Point Gateways 45
Updating All Products on a Check Point Gateway 45
Using SmartUpdate to Upgrade IPSO 46
Upgrading a Single Product on a Check Point Gateways 46
Upgrading Check Point Gateways In Place 47
First Upgrade your Operating System 47
Special Considerations for Manual Check Point Gateway Upgrade 47
Configuring OPSEC for Check Point Gateways 47
Automatic Update 48
Manual Update 49
Chapter 5 ClusterXL Upgrade
Before You Begin 51
Terminology 51
Tools for Gateway Upgrades 52
Planning a Cluster Upgrade 52
Working with a Mixed Cluster 53
Upgrading OPSEC Certified Third Party Clusters Products 53
Performing a Minimal Effort Upgrade on a ClusterXL Cluster 53
Performing a Zero Down Time Upgrade on a ClusterXL Cluster 54
Supported Modes 54
Planning your Zero Down Time Upgrade 54
Upgrade All But One of the Cluster Members 54
Upgrade the Final Cluster Member 56
Performing a Full Connectivity Upgrade on a ClusterXL Cluster 57
Understanding a Full Connectivity Upgrade 57
Supported Modes 57
Terminology 57
Pre-Requisite for using the Full Connectivity Upgrade 57
Full Connectivity Upgrade Limitations 57
Implementing a Full Connectivity Upgrade 59
Upgrading a cluster with 2 members 59
Upgrading a cluster with 3 or more members 59
Monitoring the Full Connectivity Upgrade 60
Reverting to Old Version of SVN Foundation, FireWall-1 or FloodGate-1 61
Nokia - Safely Removing NG 61
Other Product Roll Backs 62
Chapter 6 SmartView Reporter Upgrade
Before you begin 63
Terminology 63
Tools 64
How to back up your reports 64
How to stop log consolidator 64
How to backup the database 65
How to re-establish SIC between SmartCenter and SmartView Reporter 65
Safety 66
Planning 66
Performing a Basic SVR Upgrade 66
Stand Alone configuration 66
Distributed configuration 67
Performing an Advanced Upgrade 67
General notes on advanced upgrade 67
Standalone configuration 68
Distributed configuration 68
More Upgrade Configurations 69
Advance upgrade from one version of NG with Application Intelligence to another 69
Upgrade SmartCenter but leave SmartView Reporter in a previous version 69
NG with Application Intelligence (R54) 69
NG FP3 69
Upgrading the SQL Database 70
Chapter 7 Log Server Upgrade
Log Server Upgrades 73
SecurePlatform 73
Chapter 8 Upgrading SmartLSM
Before You begin 75
Terminology 75
Tools 76
Export 76
LSM CLI 76
Safety 76
Planning 76
Upgrade your ROBO Gateways 76
Adding a ROBO Gateway Upgrade Package to the SmartUpdate Package Repository 77
Upgrading a ROBO Gateway Using SmartLSM 77
Upgrading a VPN-1 Express/Pro ROBO Gateway 77
Full Upgrade 78
Specific Install 78
Upgrading a VPN-1 Edge ROBO Gateway 79
Upgrading a VPN-1 ROBO Gateway Using the LSM CLI 79
Upgrading a VPN-1 Express/Pro ROBO Gateway Using the LSM CLI 79
Upgrading a VPN-1 Edge ROBO Gateway Using the LSM CLI 81
Using the LSMcli in Scripts 81
Upgrading a VPN-1 Express/Pro ROBO Gateway In Place 82
Chapter 9 Upgrading Provider-1
Introduction 83
Scope 83
Before You Begin 83
Supported Platforms 84
Supported Versions for Upgrade 84
Summary of Sections in this Chapter 85
Provider-1/SiteManager-1 Upgrade Tools 85
Pre-Upgrade Verifiers and Fixing Utilities 85
Installation Script 86
Pre-Upgrade Verification Only 87
Upgrade 87
Backup 87
cma_migrate 87
Usage 88
Example 88
migrate_assist 89
Usage 89
Example 90
migrate_global_policies 90
Usage 90
Backup and Restore 91
mds_backup 91
Usage 92
mds_restore 92
Usage 92
Provider-1/SiteManager-1 Upgrade Practices 92
In-place Upgrade 92
Upgrading your Operating System 93
Replicate and Upgrade 93
Gradual Upgrade on the same machine - Version 4.1 94
Preparations 94
Gradually Upgrading the Primary MDS 95
Upgrade Steps 96
Gradually Upgrading Additional MDSes 97
Gradual Upgrade to Another Machine 98
Upgrade steps 99
Gradual Upgrade with Global VPN Considerations 99
Migrating from Stand Alone installation to CMA 100
Terminology 100
An Overview of the Stand Alone Installation to CMA Migration Procedure 101
From a Version 4.1 Installation 102
From NG (All Feature Pack) Installation 106
Upgrading in a Multi MDS Environment 109
Pre-Upgrade Verification and Tools 109
Upgrading a Version 4.1 System with an Additional MDS 109
Upgrading an NG with Application Intelligence Multi-MDS System 110
MDS High Availability 110
Before the Upgrade 110
CMA High Availability 111
Restoring your Original Environment 111
Before the Upgrade 111
Restoring your original environment 111
Renaming Customers 112
Identifying Non-Compliant Customer Names 112
High-Availability Environment 112
Automatic Division of Non-compliant Names 112
Resolving the Non-compliance 113
Additional options menu 113
High-Availability 114
Advanced Usage 114
Changing MDS IP address and External Interface 115
IP Address Change 115
Interface Change 115
Appendix A Behavioral Changes in FireWall-1
Introduction to Behavioral Changes in FireWall-1 117
Behavioral Changes In Stateful Inspection 118
TCP Connection reuse 118
Section Summary 118
Version 4.1 SP5 Solution 118
NG with Application Intelligence Solution 119
TCP Connection Establishment (three-way handshake) 119
TCP Sequence Verification 120
Connections Recovery After Policy Installation 121
First TCP Packet 122
Stateless Checks 124
Default session timeouts 125
Section Summary 125
Behavioral Changes in NAT 126
Improvements in HIDE NAT Address 126
Version 4.1 SP5 Solution 126
NG with Application Intelligence Solution 126
IP Pools 127
Version 4.1 SP5 Solution 127
NG with Application Intelligence Solution 127
Transparent Server Connection (under NAT) 127
Improvements in Static NAT 128
New NAT properties in FireWall-1 NG 128
Allow Bidirectional NAT 128
Automatic ARP configuration 129
Behavioral Changes for Services Features 129
Match for Any 129
Time-out 130
Protocol Type 130
DNS Enforcement is Used by Default 130
Dynamic Port Negotiation Inspection (Well Known Port) 130
X11 Drop 131
New Service Features 131
Keep Connections During Policy Reload 131
Dropping X11 Traffic 132
SSHv2 and SSLv3 132
FTP Behavioral Changes 132
FTPbidir 132
FTPbasic 132
FTPnew Enforcement 133
FTP Passive and FTP Port 133
Behavioral Changes in INSPECT 133
NAT Rule-Match Performance 133
SmartCenter Behind NAT 133
Client-Side Translation 133
NAT for Dynamic Objects 134
Disable NAT Inside the VPN Community 134
Behavioral Changes in INSPECT 134
Backward compatibility note 134
Unknown established TCP packet 135
Description 135
Solution in Version 4.1 135
Solution in NG with Application Intelligence 136
FTP Related INSPECT Solutions 136
FTP control NewLine enforcement 136
Description 136
Version 4.1 solution 137
Solution with NG with Application Intelligence 138
Changes to FTP control connection timeout 138
Description 138
Solution in Version 4.1 138
Solution in NG with Application Intelligence 139
Preventing FTP data connection failures on server port check 139
Description 139
Solution in Version 4.1 140
Solution in NG with Application Intelligence 140
Using FTP on non-standard ports 141
Description 141
Solution in Version 4.1 141
Solution in NG with Application Intelligence 142
Backward Compatibility 142
Bi-direction FTP data connection 143
Solution in Version 4.1 143
Solution in NG with Application Intelligence 144
Authentication related INSPECT solutions 144
Preventing re-authentication when a policy is installed 144
Description 144
Version 4.1 Solution 144
Solution in NG with Application Intelligence 144
Removing RADIUS/LDAP/TACACS from Control Connections 145
Description 145
Solution in Version 4.1 145
Solution in NG with Application Intelligence 147
Services Related INSPECT Solutions 147
Increasing services session timeout 147
Description 147
Version 4.1 Solution 148
Solution in NG with Application Intelligence 148
Backward Compatibility Issues for Services 148
Custom INSPECT Services 149
Overview 149
What to change 149
prologue 149
match 149
H.323 New service 150
Version 4.1 Solution 150
Solution in NG with Application Intelligence 150
GRE inspection 150
Version 4.1 Solution 150
Solution in NG with Application Intelligence 151
RSH STDERR back connections with ports lower than 601 151
Description 151
Version 4.1 Solution 152
Solution in NG with Application Intelligence 152
DNS Verification 152
Description 152
Version 4.1 Solution 152
Solution in NG with Application Intelligence 153
INSPECT Accounting solutions 153
Description 153
Version 4.1 Solution no. 1 153
Version 4.1 Solution no. 2 155
Solution in NG with Application Intelligence 156
Restricting Account Logging to the Account Log Viewer only 156
Description 156
Version 4.1 Solution 156
NG with Application Intelligence Solution 156
INSPECT and Load Balancing 157
Changes to persistency timeouts 157
Description 157
Version 4.1 Solution 157
NG with Application Intelligence Solution 157
INSPECT Tuning solutions 157
Changes to the connections table size 157
Description 157
Version 4.1 solution 157
NG with Application Intelligence solution 158
Changes to Kernel memory settings 158
Description 158
Solution in Version 4.1 158
Solution in NG with Application Intelligence 160
CHAPTER 1
Introduction to the Upgrade Process
In This Chapter
Before You Begin page 11
Upgrading Successfully page 12
Before You Begin
Welcome to the Upgrade Guide. We created this guide to explain all available upgrade paths for Check Point products from Version 4.1 SP5 forward. This document is specifically geared towards upgrading to NG with Application Intelligence (R55).
Before you begin, please:
• Back up everything you will be upgrading.
• Make sure that you have the latest version of this document from the User Center at
http://www.checkpoint.com/support/technical/documents/docs_r55.html
• It is a good idea to have the latest version of the NG with Application Intelligence (R55) Release Notes handy. Download them from:
http://www.checkpoint.com/techsupport/ng_application_intelligence/release_notes.html
• If you are wondering what new features are available in NG with Application Intelligence (R55), read the “What’s New Guide”: http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_whatsnew.html
• You can upgrade to NG only from Version 4.1 SP5 and higher. If you are running a version prior to 4.1 SP5, proceed as follows:
• Upgrade from that version to Version 4.1 SP5.
• Upgrade from Version 4.1 SP5 to NG with Application Intelligence.
Upgrading Successfully
All successful upgrades begin with a solid game plan and a full understanding of the steps you need to follow in order to succeed. This book provides graphics, tips and instructions to make the upgrade process as clear as possible.
It is not necessary to read the entire book. In fact, there may be large portions of the book that do not apply to you because you do not own the product covered. The book is structured to show you common scenarios and then to provide the steps necessary for achieving your unique upgrade.
We hope that your upgrade goes smoothly but in the event that you run into unexpected snags, please contact your Reseller or our SecureKnowledge support center at: https://support.checkpoint.com/login/login.jsp
CHAPTER 2
Planning Your Upgrade
In This Chapter
“Recommended Upgrade Flows” on page 13
Recommended Upgrade Flows
Successful upgrading begins with a comprehensive upgrade plan, good organizational oversight and understanding your products. The purpose of this chapter is to provide you with a broad understanding of how your upgrade deployment fits into Check Point’s products. After reading this short chapter, you will have a clearer idea of how to conceptualize and proceed with your upgrade.
Deployments
What follows are four separate graphics depicting four Check Point upgrade deployments. In all four deployments, we suggest proceeding as follows:
1 Upgrade your management products: SmartCenter Server (and SmartConsole), SmartLSM or Provider-1, then SmartView Reporter and Log Server.
2 Upgrade your enforcement products: Check Point gateways (individual modules or ClusterXL, ROBO Gateways).
Below, find the graphic that most closely resembles your enterprise’s deployment and follow the instructions in each of the corresponding chapters in this “Upgrade Guide”.
FIGURE 2-1 Upgrade a SmartCenter with Gateway(s)
FIGURE 2-2 Upgrade a SmartCenter Server with SmartView Reporter, Gateway(s) and Cluster(s)
FIGURE 2-3 Provider-1 Upgrade
FIGURE 2-4 Upgrade a SmartCenter Server with SmartLSM, Gateway(s) and Cluster(s)and ROBO Gateways
CHAPTER 3
SmartCenter Upgrade
In This Chapter
Before You Begin page 17
Planning SmartCenter Upgrades page 19
SecurePlatform page 20
Basic SmartCenter Upgrade Procedure page 23
Advanced SmartCenter Upgrade page 24
Before You Begin
This chapter first goes through the steps to perform a basic upgrade, then goes through the steps to perform an advanced upgrade.
Terminology
Here are some useful terms that you need to be familiar with in order to continue reading this chapter:
Security Policy - A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.
Enforcement module - An Enforcement module is the engine of VPN-1 Pro which actively enforces the Security Policy of the organization.
SmartCenter Server - The SmartCenter Server is the server used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the SmartCenter Server, and are downloaded from time to time to the Enforcement module.
SmartConsole Clients - The SmartConsole Clients are different GUI applications which are used to manage different aspects of the Security Policy. For instance SmartView Tracker is a SmartConsole which manages logs.
SmartDashboard - SmartDashboard is a SmartConsole which is used by the system administrator to create and manage the Security Policy.
Tools
Pre-Upgrade Verifier - The Pre-Upgrade Verifier is a tool that provides you with a report. Three types of results are displayed in the report:
• Action items to perform before the upgrade
• Action items to perform after the upgrade
• Information Messages
This tool is automatically run before both basic and advanced upgrades and can also be run on its own in preparation for upgrading. Further details regarding this tool are located in “Pre-Upgrade Verification” on page 27.
Built in Safety Measures and Tips
1 Automatic pre-upgrade verification runs by default during your SmartCenter upgrade. The pre-upgrade verification notifies you of important adjustments to make before upgrading.
If you prefer, you can run the pre-upgrade verification from the CD separately from the upgrade in order to prepare yourself for your upgrade. You will be provided with a report. Three types of results can be displayed in the report:
• action items before the upgrade,
• action items after the upgrade and
• information.
Detailed explanations of these reports are outlined in “SmartCenter Upgrade”. We have also provided you with sample output from a pre-upgrade verification. It can be found in “Pre-Upgrade Verification” on page 27.
2 During the process of upgrading your SmartCenter, an optional automatic online check is performed that confirms that your SmartCenter has the most current upgrade information available. Before running the online check, you are prompted to confirm that you want to run it.
3 To add even more safety measures, upgrade your SmartCenter Server on a second machine. Then either:
• make the spare machine your production management machine or
• migrate back to the original machine.
The steps for performing either of these types of upgrades are detailed in “Advanced SmartCenter Upgrade” on page 24.
4 Upgrades can be performed incrementally. You do not have to upgrade SmartCenter Server and all its modules all at once.
A First upgrade the SmartCenter Server.
B After the upgrade, you can still manage your modules from your SmartCenter Server.
C At your convenience, the modules can be upgraded one by one. A module that has not been upgraded will not yet have the latest features.
5 If for any reason you are not pleased with the results, restore your prior work environment.
6 If you have an upgrade that you would like to distribute from a central server, use SmartUpdate.
Instructions for using SmartUpdate for upgrading are located in Chapter 4, “Upgrading Your Gateway using SmartUpdate”.
7 When upgrading SmartCenter Server, the database is adjusted to the format of the new version. This includes the formats for policies, objects, the global properties, etc. In addition, system objects which come with the new version are added to your database. The files containing these elements are converted, not simply copied, so you cannot copy these files from a previous version to a newer version.
Planning SmartCenter Upgrades
Select the Basic or the Advanced Upgrade Method
First choose the type of upgrade that is right for you:
• Basic Upgrade: Perform the upgrade directly on to the production SmartCenter Server or
• Advanced Upgrade: Perform the upgrade on a spare machine, while the production SmartCenter Server is fully operational. Test the full functionality of the spare machine and either:
• replace the old server with the new or
• migrate the upgraded server back to replace the old server.
Both the basic and advanced upgrade can be performed automatically from the Check Point CD.
Maintaining Backward Compatibility
Backward compatibility for the management of VPN-1 modules and FireWall-1 modules is automatically built into NG with Application Intelligence’s SmartCenter Server installation.
SecurePlatform
Upgrade of a SecurePlatform SmartCenter Server and all the Check Point products installed on it is done by simply applying the SecurePlatform upgrade package, which can be found either on the single CD containing the new version, or as a separate package downloadable from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
backup
Before upgrading the SecurePlatform system, back up your system configuration using the backup utility:
Syntax
backup (system | cp | all) <name> [tftp <IP address>]
Parameters
TABLE 3-1 Parameters for SecurePlatform backup
parameter: meaning
system: backup system configuration
cp: backup Check Point products configuration
all: backup all of the configuration
<name>: name of backup (to be restored to)
[tftp <IP address>]: IP address of tftp server on which the configuration will be backed up
Using the “Patch” Utility to Upgrade Itself
If you upgrade SecurePlatform from a version prior to NG with Application Intelligence (R54), you need to upgrade the Patch utility before using it to upgrade the SecurePlatform machine:
Using TFTP
1 Download the Patch utility upgrade package from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
2 Copy this file to a TFTP server.
3 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command line command:
patch add tftp <IP address> <package name>
<IP address> is the TFTP Server’s IP address and <package name> is the name of the package downloaded.
Not Using TFTP
1 Download the Patch utility upgrade package from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
2 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.
3 Use FTP to transfer the Patch utility upgrade package to the SecurePlatform machine.
Chapter 3 SmartCenter Upgrade 21
http://www.checkpoint.com/techsupport/downloads.jsphttp://www.checkpoint.com/techsupport/downloads.jsp
SecurePlatform
4 Issue the following command line command:
where is the exact filename (including full path) of the upgrade package.
Upgrading SecurePlatform via the Patch Utility
Using the CD
If you have the CD of the new version you want to upgrade to, do the following:
1 Insert the CD into the CD ROM drive on the SecurePlatform machine.
2 Logon to the SecurePlatform machine (using Console or SSH access).
3 Issue the following command:
patch add cd
4 Choose the SecurePlatform upgrade package, and follow the upgrade process instructions.
Without the CD
If you do not have the CD, download the SecurePlatform upgrade package from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
Using TFTP
1 Copy the upgrade package file to a TFTP server.
2 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command:
patch add tftp <ip> <package>
where <ip> is the TFTP server’s IP address and <package> is the name of the package downloaded.
3 Follow the upgrade process instructions.
Without TFTP
1 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.
2 Use FTP to transfer the SecurePlatform upgrade package to the SecurePlatform machine.
3 Issue the following command:
patch add <file>
where <file> is the exact filename (including full path) of the upgrade package.
4 Follow the upgrade process instructions.
Basic SmartCenter Upgrade Procedure
The Basic SmartCenter upgrade upgrades your installed products in place, replacing your prior version of SmartCenter with NG with Application Intelligence.
This upgrade automatically performs the pre-upgrade verification before upgrading. Further information on the pre-upgrade verification is offered later, in the “Pre-Upgrade Verification” section.
Select Basic Upgrade if your goal is to upgrade installed products in place.
Basic Upgrade Steps
1 Access your Check Point CD.
2 Run setup
3 Select Upgrade from the Upgrade Options Screen.
4 You are presented with three upgrade options:
A Download Most Updated Upgrade Utilities (recommended method). This download provides the most recent upgrade code available.
B I have already downloaded and extracted the Upgrade Utilities. The files are on my local disk. This option is useful in two cases:
• When the SmartCenter is not connected to the Internet (for security or other reasons). Download the package from another machine and copy it to the SmartCenter.
• When you have already downloaded the package, you can use the package from the disk instead of downloading again. Always check to make sure that the downloaded version is the most recent version available. To check:
http://www.checkpoint.com/techsupport
C Use the CD version. This option can be used in two cases:
• if there are no updates for the upgrade package, or
• if there are updates, but you prefer not to update. This is not the recommended method, since using the most updated upgrade version is the safest choice.
5 The pre-upgrade verification recommendation appears. This is so that you can verify that your installation meets the pre-conditions of the new software (see “Pre-Upgrade Verification” below).
6 Once the pre-upgrade verification completes, proceed with any suggested repairs.
7 Select Upgrade again from the Upgrade Options Screen. Another verification will run.
8 If prompted, reboot your SmartCenter Server.
9 Install SmartConsole Clients on your GUI Client machine.
If you have a previous SmartConsole installed select either to:
• maintain the previous version of SmartConsole Clients or
• to overwrite the previous SmartConsole Clients.
Advanced SmartCenter Upgrade
Moving to a new spare machine during an upgrade with the same IP address and DNS name can be done automatically and smoothly. Like the Basic Upgrade, the Advanced Upgrade automatically performs pre-upgrade verification before upgrading.
Note - A backwards compatibility package for managing 4.1 Check Point Gateways is installed automatically with the installation wrapper.
Motivations for Performing Advanced Upgrade
There are two key motivations for performing an advanced upgrade:
1 Moving to a spare machine that will become the primary server because:
• perhaps you have a newer server and/or
• a more powerful server and/or
• a server with a different operating system
or
2 To ensure that your production machine is always up and safe, you have decided to upgrade a spare machine and then plan to migrate back to the original machine.
Both of these types of advanced upgrades begin with the same steps as presented in TABLE 3-2 on page 26.
Platform and Operating System Switching
While upgrading SmartCenter, you can switch platforms and operating systems.
Example
If you were running a 4.1 SP5 SmartCenter Server on a Windows operating system, you can upgrade to NG with Application Intelligence on SecurePlatform. For more platform specific information see “Platform Specific Upgrade Notes”.
Selecting a Manual Upgrade or an Automatic Upgrade
Any upgrade that you can do automatically via SmartCenter (Chapter 3, “SmartCenter Upgrade” on page 17) can also be run from the command line. However, for ease of use, performing your upgrade from the command line is not recommended when you can use the Automatic Upgrade.
Two types of upgrade cannot be performed automatically and require the manual (command line) procedure:
• If your SmartCenter Server runs on IPSO, or
• If you upgraded a spare system and want to migrate your upgraded SmartCenter Server back to your original SmartCenter Server.
Advanced Upgrade Steps
TABLE 3-2 Steps for performing an Advanced upgrade on another SmartCenter Server
Machine to perform steps on: Old SmartCenter Server
1. Insert the CD into the SmartCenter Server.
2. Select Export in Upgrade Options.
3. You are presented with three upgrade options:
A Download Most Updated Upgrade Utilities (recommended method). Files are not upgraded, they are updated. This download provides the most recent upgrade code available.
B I have already downloaded and extracted the Upgrade Utilities. The files are on my local disk. This option is useful:
• When the SmartCenter is not connected to the Internet (for security or other reasons). Download the package from another machine and copy it to the SmartCenter.
• When you have already downloaded the package, you can use the package from the disk instead of downloading again. Always check to make sure that the downloaded version is the most recent version available. To check, visit:
https://support.checkpoint.com/downloads/bin/autoupdate/ut/r55/index.html
C Use the CD version. This option can be used in two cases:
• if there are no updates for the upgrade package, or
• if there are updates, but you prefer not to update. This is not the recommended method, since using the most updated upgrade version is the safest choice.
4. Select the destination path of the configuration (.tgz) file.
5. Wait while the database files are exported.
6. Copy the exported .tgz file to the spare machine.
Machine to perform steps on: spare machine
7. Insert the CD into the spare machine.
8. Select Installation using Imported Configuration in the Installation Options. This option prompts you for the location of the imported configuration file (.tgz) and then automatically installs the new software and utilizes the imported .tgz configuration file.
Warning - The configuration file (.tgz) contains your security configuration. It is highly recommended to delete it, together with any copies made while transferring it, after completing the import process.
Migrating back or changing IP address and DNS name
• Steps for migrating back to your original server can be found in “Upgrading to a Different IP Address or Domain Name” on page 33.
• If you want to change the IP address and DNS name of the SmartCenter during the upgrade, see “Upgrading to a Different IP Address or Domain Name” on page 33.
Tools for Upgrading SmartCenters
Pre-Upgrade Verification
During a basic upgrade, or during either of the two phases of an advanced upgrade, a pre-upgrade verification is automatically performed. If you prefer, you can run the pre-upgrade verification from the CD separately from the upgrade, in order to prepare for your upgrade. Pre-upgrade verification provides you with a report. Three types of results can be displayed in the report; they are listed below.
Action Items before the Upgrade
errors – Items that must be repaired before performing the upgrade. If you proceed with the upgrade while errors exist, your upgrade will fail.
warnings – Items that you should consider repairing before performing the upgrade.
Action Items after the Upgrade
These items should be fixed once the upgrade is completed, before the first policy installation.
errors – Items that must be repaired after performing the upgrade.
warnings – Items that you should consider repairing after performing the upgrade.
Information Messages
Items that should be noted.
Pre Upgrade-Verifier CLI Commands
Usage:
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w]
or
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -i [-f FileName] [-w]
-p Path of the installed SmartCenter Server (FWDIR)
-c Currently installed version
-t Target version
-i Check originality of INSPECT files only
-f Output in file (redirects the standard output to a file)
-w Web format file
The currently installed version is one of the following:
4.1
NG
NG_FP1
NG_FP2
NG_FP3
NG_AI
The target version is one of the following:
NG_FP1
NG_FP2
NG_FP3
NG_AI
NG_AI_R55
(NG_AI represents Next Generation with Application Intelligence.)
Sample output from an actual pre-upgrade verification test can be found in “Sample of Pre-Upgrade Verifier Output” on page 31.
Advanced Upgrade on a Spare Machine Using the Command Line Interface
TABLE 3-3 Steps for performing an Advanced upgrade on another SmartCenter Server via the command line interface
Machine to perform steps on: Old SmartCenter Server
1. Download the most recent files.
2. Run the Pre-upgrade Verifier tool and fix the relevant issues (see “Pre Upgrade-Verifier CLI Commands” on page 28).
3. Run the Export tool (see “Export Usage” on page 32).
4. Copy the exported files to the spare machine.
Machine to perform steps on: spare machine
5. Install the NG with Application Intelligence versions of the exact same products that you had on your old SmartCenter Server.
6. Copy the exported file from the SmartCenter Server into the spare machine.
7. Run the Import tool (see “Import Usage” on page 32).
If you wish to migrate back to your original SmartCenter Server, continue with the following steps:
TABLE 3-4 Command Line Steps to Migrate Back to your Old SmartCenter Server
Machine to perform steps on: spare machine
8. Run the Export tool (see “Export Usage” on page 32).
9. Copy the exported file to the original machine.
Machine to perform steps on: Old SmartCenter Server
10. Update the software by using the CD Installation Wrapper to select Import from the Upgrade Options Screen, or use the command line as explained in the “Check Point Individual Installations Guide”. If you install products individually, install the NG with Application Intelligence versions of the exact same products that you had on your old configuration.
11. Run the Import tool (see “Import Usage” on page 32).
Sample of Pre-Upgrade Verifier Output
Action items before the upgrade
Errors: Correct the following problems in order to have a working environment.
Duplicated Objects
Description: The object appears more than once in the database.
Impacts: Using duplicate objects will cause problems in the SmartDashboard.
To do: Rename one of the objects before starting the upgrade process.
This problem will occur in the following objects
"shilog" appears twice under “network_objects” and “services”.
--------------------------------------------------------------------------------
Warnings: It is recommended to resolve the following problems.
Cluster New Module
Description: From FP3 we have centralized the cluster data. Many attributes that were taken from the members are now taken from the cluster object.
Impacts: In the upgrade process the cluster data will be taken from one of the cluster members, if the data is not similar on all members it can lead to problems.
Todo: Make sure that all members of a cluster are identical. Make sure the following attributes appear: SYNDefender properties, Authentication properties (next http proxy configuration), SAM properties, NAT IP Pools properties, SMTP properties.
--------------------------------------------------------------------------------
Information:
Embedded Devices
Description: This type of Embedded Device is not supported any more.
Impacts: After upgrade the objects will appear as 4.0 modules with the same name. The objects will still be visible via SmartDashboard (as 4.0 modules), but Install Policy on these modules will be blocked.
Todo: Not applicable.
This problem will occur in the following Embedded Devices:
"Chicago-Dallas-FW"
"Dallas-Chicago-FW"
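The report above is regular enough to parse mechanically, which matters when the verifier runs as part of a scripted upgrade: the three result categories (action items before the upgrade, action items after the upgrade, information messages) decide whether the upgrade may start at all, and the guide states that before-upgrade errors make it fail. The following is an added example, not a Check Point tool and not code from this guide. It infers the layout (the “Action items …” headings, the `Errors:`/`Warnings:`/`Information:` lines, the `Description`/`Impacts`/`To do` fields, quoted object names, dashed separators) from the sample output reproduced above; `SAMPLE_REPORT` is that sample, abbreviated. Reports with other layouts would need the patterns adjusted.

```python
"""Parse a pre_upgrade_verifier report and gate the upgrade on it.  Added
example, not a Check Point tool: the layout is inferred from the sample output
reproduced in this guide, and SAMPLE_REPORT is that sample, abbreviated."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^Action items (before|after) the upgrade$", re.I)
SEVERITY_RE = re.compile(r"^(Errors|Warnings|Information)\s*:", re.I)
FIELD_RE = re.compile(r"^(Description|Impacts|To ?do)\s*:\s*(.*)$", re.I)
QUOTED_RE = re.compile(r'^"([^"]+)"')  # affected object names, one per line
SEVERITY_NAMES = {"errors": "error", "warnings": "warning", "information": "information"}

@dataclass
class Finding:
    section: str   # "before", "after" or "information"
    severity: str  # "error", "warning" or "information"
    title: str
    description: str = ""
    impacts: str = ""
    todo: str = ""
    objects: List[str] = field(default_factory=list)

def parse_report(text: str) -> List[Finding]:
    """One Finding per report item; a line of dashes closes the current item."""
    findings: List[Finding] = []
    section = severity = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section, severity, current = m.group(1).lower(), None, None
            continue
        m = SEVERITY_RE.match(line)
        if m:
            severity, current = SEVERITY_NAMES[m.group(1).lower()], None
            if severity == "information":
                section = "information"  # third category, not tied to a phase
            continue
        if current is None:
            if severity is not None:     # lines before any category are preamble
                current = Finding(section or "information", severity, line)
                findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m:                            # "To do" and "Todo" both land in .todo
            setattr(current, m.group(1).lower().replace(" ", ""), m.group(2))
            continue
        m = QUOTED_RE.match(line)
        if m:
            current.objects.append(m.group(1))
        # "This problem will occur in ..." and similar lines carry no data
    return findings

def blocking(findings: List[Finding]) -> List[Finding]:
    """Before-upgrade errors: the guide says the upgrade fails while any remain."""
    return [f for f in findings if f.section == "before" and f.severity == "error"]

def may_proceed(findings: List[Finding]) -> bool:
    return not blocking(findings)

def counts(findings: List[Finding]) -> Dict[Tuple[str, str], int]:
    """(section, severity) -> number of items, for a one-line summary."""
    out: Dict[Tuple[str, str], int] = {}
    for f in findings:
        out[(f.section, f.severity)] = out.get((f.section, f.severity), 0) + 1
    return out

SAMPLE_REPORT = """\
Action items before the upgrade
Errors: Correct the following problems in order to have a working environment.
Duplicated Objects
Description: The object appears more than once in the database.
Impacts: Using duplicate objects will cause problems in the SmartDashboard.
To do: Rename one of the objects before starting the upgrade process.
This problem will occur in the following objects
"shilog" appears twice under "network_objects" and "services".
--------------------------------------------------------------------------------
Warnings: It is recommended to resolve the following problems.
Cluster New Module
Description: From FP3 we have centralized the cluster data.
Todo: Make sure that all members of a cluster are identical.
--------------------------------------------------------------------------------
Information:
Embedded Devices
Description: This type of Embedded Device is not supported any more.
Todo: Not applicable.
This problem will occur in the following Embedded Devices:
"Chicago-Dallas-FW"
"Dallas-Chicago-FW"
"""
```

Run against the sample, `may_proceed` returns False because of the duplicated “shilog” object, while the cluster warning and the embedded-device information item are reported but do not block; items under “Action items after the upgrade” parse with `section == "after"` and are the list to work through before the first policy installation.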
Export and Import Commands
The Import and Export tools are located under $FWDIR/bin/upgrade_tools.
Export Usage
upgrade_export <path> [-d] [-h] [-v]
Where:
<path> - the path to export the DB to (default - local path)
-d - prints debug information
-h - prints this usage
-v - prints the version
Import Usage
upgrade_import <file> [-d] [-h] [-v]
Where:
<file> - the location of the exported file
-v - prints the version
-d - prints debug information
-h - prints this usage
SecurePlatform’s Update Utility
Upgrades to SecurePlatform can be done In Place using the Update utility. The upgrade process upgrades the SecurePlatform Operating System, and all Check Point components are installed automatically.
Upgrading individual components, such as upgrading only FloodGate-1, is not a supported feature on SecurePlatform.
Using the Local Patch Utility
The Update utility uses a package on the CD:
1 Login to the SecurePlatform machine, and enter the expert command to enter Expert mode. Issue the following command:
patch add cd
2 Choose the SecurePlatform upgrade package, and follow the upgrade process instructions.
Upgrading SecurePlatform via the Patch Utility
This method of upgrading SecurePlatform uses a package downloaded from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
1 Download the package to another computer that has a TFTP server running on it.
2 Logon to the SecurePlatform machine. Issue the following command:
patch add tftp <ip> <package>
where <ip> is the TFTP server’s IP address and <package> is the name of the package downloaded.
Using the Patch Utility to Upgrade Itself
The patch utility can upgrade itself:
1 Upgrade the patch utility itself by using the patch upgrade package.
2 Upgrade the SecurePlatform machine (by using the SecurePlatform upgrade package).
Using Advanced Upgrade Utilities (Pre-Upgrade Verifier, Export and Import)
On SecurePlatform these utilities are available only through the local update utility.
From a Pre-NG with Application Intelligence machine
Run the patch add cd ... command and choose to update SecurePlatform. The Upgrade wrapper will appear and all the utilities will be available.
From a NG with Application Intelligence machine
Run the update wrapper command to get access to the Upgrade Wrapper (which is already installed on your machine).
From an Image File
If you want to import an image you have exported from another computer, install SecurePlatform. While the First Time Installation Wizard runs, you get the option to import an image instead of specifying which packages to install.
Upgrading to a Different IP Address or Domain Name
This section specifies the steps that should be taken in case the spare machine has a different IP address or host name, or you migrate back with a different IP address.
TABLE 3-5 Advanced Upgrade Options for Different IP Address or Domain Name
Machine to perform steps on: SmartCenter Server
1. Add rules that will allow the new spare machine to access the modules it is managing. Do this by creating a SmartCenter object that includes the spare machine's IP address, according to your software version:
• 4.1 - From the Policy Editor: Manage > Network Objects > New… > Workstation, and mark it as a Management Station.
• NG FP1 - From the Policy Editor: Manage > Network Objects > New... > Workstation, and mark it as a Secondary Management.
• NG FP2 or higher - From SmartDashboard (Policy Editor): Manage > Network Objects > New… > Check Point > Host/Gateway, and mark it as Secondary SmartCenter.
• If this object already exists, make sure it is marked as a Management.
2. Create a rule, on the SmartCenter Server, which allows the FireWall-1 and CPD (NG only) services from the object you have just created to all managed gateways.
3. Install the rule on all managed gateways.
4. Delete the rule once you have completed this process.
Via the Wrapper:
A. Insert the CD into the SmartCenter Server.
B. Select Export configuration to another machine.
C. Select the destination path of the configuration (.tgz) file.
D. Copy the exported file to the spare machine.
Via the Command Line:
A. Use steps 1-4 in TABLE 3-3 on page 30.
Machine to perform steps on: Spare Machine
Via the Wrapper:
A. Insert the CD into the spare machine.
B. Select Advanced Upgrade. This option prompts you for the location of the imported configuration file (.tgz) and then automatically installs the new software and utilizes the imported .tgz configuration file.
Via the Command Line:
A. Use steps 5-7 in TABLE 3-3 on page 30.
1. Reboot.
2. If you are using a spare machine and plan on migrating back to your original SmartCenter Server, skip to TABLE 3-6 on page 36.
3. From the User Center, move your licenses from the original SmartCenter Server. The license of the SmartCenter should be updated with the new IP address. If central licenses are used for the modules, they should also be updated to the new IP address. This can be done via the User Center at:
http://www.checkpoint.com/usercenter
by choosing the action License / Move IP / Activate Support and Subscription.
4. Start the SmartCenter Server on the spare machine with the cpstart command.
5. Connect to the SmartDashboard (Policy Editor).
6. If you upgraded from:
• 4.1 - Replace all occurrences of the production object with the newly created spare machine object. You can find all occurrences with the Where Used… utility (right-click on the object to choose the command). If your SmartCenter is Stand Alone, then:
1 After upgrading, open the Spare Machine object and select VPN-1.
2 Manually set all VPN-1 settings.
3 Define the Traditional Mode configuration so that Backwards Compatibility to Version 4.1 is selected.
4 Create the Internal CA using cpconfig, and create IKE certificates for all modules.
• NG - Update the primary SmartCenter object, with its IP address and topology, to match its new configuration.
7. Remove the object you created in step 1 of this table.
Machine to perform steps on: DNS Server
8. If you are using a spare machine and plan on migrating back to your original SmartCenter Server, you are done. Otherwise continue with step 9.
9. On the DNS Server, map the Primary SmartCenter Server’s DNS name to the new IP address.
If you wish to migrate back to your original SmartCenter Server (that has the original IP address), continue with the following steps:
TABLE 3-6 Migrating back to your original SmartCenter Server
Machine to perform steps on: SmartCenter Server
1. Add rules that will allow the new spare machine to access the modules it is managing. Do this by creating a SmartCenter object that includes the spare machine's IP address, according to your software version:
• 4.1 - From the Policy Editor: Manage > Network Objects > New… > Workstation, and mark it as a Management Station.
• NG FP1 - From the Policy Editor: Manage > Network Objects > New... > Workstation, and mark it as a Secondary Management.
• NG FP2 or higher - From SmartDashboard (Policy Editor): Manage > Network Objects > New… > Check Point > Host/Gateway, and mark it as Secondary SmartCenter.
• If this object already exists, make sure it is marked as a Management.
2. Create a rule, on the SmartCenter Server, which allows the FireWall-1 and CPD (NG only) services from the object you have just created to all managed gateways.
3. Install the rule on all managed gateways.
4. Delete the rule once you have completed this process.
5. Use steps 1-4 in TABLE 3-3 on page 30.
Machine to perform steps on: Spare Machine
6. Use steps 5-7 in TABLE 3-3 on page 30.
7. Reboot.
8. Start the SmartCenter Server on the spare machine with the cpstart command.
9. Connect to the SmartDashboard (Policy Editor).
10. Update the primary SmartCenter object, with its IP address and topology, to match its new configuration.
11. Remove the object you created in step 1 of this section.
Notes, Exceptions and Limitations
1 Adjust masters and log servers for each module before installing a policy on it. You should add the spare machine's object to the masters list, and if needed, add it to the log servers list on each module.
2 Re-establish trust with any 4.1 module by using the fw putkey command.
3 If both SmartCenter Servers are used simultaneously and have two IP addresses, and changes are done to both, these changes cannot be merged automatically. To synchronize them, manually apply all changes to objects and policies.
4 Special care should be given to operations that involve Check Point internal CA modifications, like issuing or revoking certificates. These changes cannot be merged, even manually, and will result in different CA databases on both servers. For example, revoking a certificate on one SmartCenter Server will add it to the CRL on that SmartCenter Server, but there is no way to add this certificate to the other CRL. It is highly recommended not to perform any such changes as long as both SmartCenter Servers are in use.
After Performing an Advanced Upgrade
Checking to make sure your Database Works Properly
1 Install the Security Policy on all Modules
Fetch information is removed during upgrade. After upgrading, you must start SmartConsole and install the Security Policy on all modules, even if there has been no change in the Security Policy. Otherwise the module will try to fetch an old policy from the SmartCenter Server and after the upgrade, the module will not have a policy to fetch.
2 Open the two Check Point monitoring clients:
• SmartView Status - to check that your connections with modules is correct and
• SmartView Tracker - to check that you are receiving logs from modules correctly.
Flush ARP Tables
After swapping the machines, flush the ARP tables on the router (if it is a gateway) and on other hosts that communicate with the new machine. Otherwise it can take a few minutes until the ARP entries are renewed and subsequently, connectivity is resumed.
Upgrading with Management High Availability
To upgrade the Check Point software on a group of High Availability SmartCenter Servers, proceed as follows:
1 Synchronize all the SmartCenter Servers(from Global Properties > Management High Availability).
2 Upgrade the Management Server software on all the SmartCenter Servers.
3 Open the Check Point’s SmartConsole Client on one of the SmartCenter Servers.
4 In the General page of each of the other SmartCenter Server’s Gateway Properties window, set the correct Check Point Products Version.
5 Once again, synchronize all the SmartCenter Servers (from Global Properties > Management High Availability).
CHAPTER 4
Check Point Gateway Upgrades
In This Chapter
Before You Begin page 39
Planning a Check Point Gateway Upgrade page 40
Upgrading Modules with SecurePlatform page 41
Upgrading Check Point Gateways with SmartUpdate page 44
Upgrading Check Point Gateways In Place page 47
Configuring OPSEC for Check Point Gateways page 47
Before You Begin
Terminology
Check Point Gateway - otherwise known as an Enforcement module, or sometimes just module, is the VPN-1 Pro engine that actively enforces your organization’s Security Policy.
SmartUpdate - SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses.
Product Repository - This is a SmartUpdate repository on the SmartCenter Server that stores uploaded products (like VPN-1 Pro or FloodGate-1). These products are then used by SmartUpdate to perform upgrades of Check Point Gateways.
In Place - In Place upgrades are upgrades performed directly on a product without the benefit of SmartUpdate. SmartUpdate is the recommended Check Point upgrade tool.
ClusterXL - There is a separate “ClusterXL Upgrade” chapter if you have clusters to upgrade. ClusterXL is a software-based load sharing or high availability solution for Check Point gateway deployments.
Tools for Gateway Upgrades
SmartUpdate is the primary tool used for upgrading Check Point Gateways. Within SmartUpdate, there are some features and tools for your convenience:
1 SmartUpdate’s Upgrade All Products Feature - This feature allows you to upgrade all products installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your Operating System as a part of your upgrade.
2 SmartUpdate’s Add New Product Tools - SmartUpdate provides three tools for adding products to the Product Repository:
• Add From Download Center - an online download
• Add From CD - add a new product from the Check Point CD
• Import File - add a new product that you have stored locally.
3 SmartUpdate’s Get Check Point Gateway Data - This tool updates SmartUpdate with the current Check Point or OPSEC third party products installed on a specific gateway or for your entire enterprise.
Planning a Check Point Gateway Upgrade
There are two options available to you when upgrading a Check Point Gateway:
• SmartUpdate - SmartUpdate is the recommended upgrade procedure because it allows you to centrally upgrade your Check Point Gateways quickly and safely.
• In Place - If you did not purchase SmartUpdate, you can upgrade your Check Point Gateways in place by performing a local upgrade on each individual Check Point Gateway.
SecurePlatform
If you use SecurePlatform, please go directly to the “Upgrading Modules with SecurePlatform” instructions.
Upgrading to Windows 2003 Server from pre-2003 Server
If you are upgrading either a Check Point FireWall-1 Module or a Stand Alone implementation from pre-Windows 2003 Server to Windows 2003 Server, proceed as follows:
1 Upgrade the Check Point software to NG with Application Intelligence (R55) without upgrading your operating system.
2 Then upgrade your operating system to Windows 2003.
3 Switch to the %FWDIR%\boot\modules directory.
4 Run the following command on the Check Point module machine:
fwkern.exe -update CP_FW1MP %FWDIR%\boot\modules\netfw1xpm.inf
Upgrading Modules with SecurePlatform
Upgrade of a SecurePlatform module machine (and all the Check Point products installed on it) is done by applying the SecurePlatform upgrade package, which can be found either on the single CD containing the new version, or as a separate package downloadable from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
If you purchased SmartUpdate, the simplest way to upgrade your SecurePlatform based Check Point Gateway is through the “Upgrade All Products” feature in SmartUpdate; see “Upgrading Check Point Gateways with SmartUpdate” on page 44. If you prefer not to use SmartUpdate, access the SecurePlatform machine via Console or SSH and upgrade it through the Patch utility.
backup
Before upgrading the SecurePlatform system, back up your system configuration using the backup utility:
Syntax
backup (system | cp | all) <name> [tftp <ip>]
Parameters
TABLE 4-1 Parameters for SecurePlatform backup
parameter     meaning
system        backup system configuration
cp            backup Check Point products configuration
all           backup all of the configuration
<name>        name of backup (to be restored to)
[tftp <ip>]   IP address of tftp server on which the configuration will be backed up
Using the “Patch” Utility to Upgrade the “Patch” Utility Itself
If you upgrade SecurePlatform from a version prior to NG with Application Intelligence (R54), you need to upgrade the Patch utility before using it to upgrade the SecurePlatform machine:
Using TFTP
1 Download the Patch utility upgrade package from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
2 Copy this file to a TFTP server.
3 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command:
patch add tftp <ip> <package>
where <ip> is the TFTP server’s IP address and <package> is the name of the package downloaded.
Not Using TFTP
1 Download the Patch utility upgrade package from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
2 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.
3 Use FTP to transfer the Patch utility upgrade package to the SecurePlatform machine.
4 Issue the following command:
patch add <file>
where <file> is the exact filename (including full path) of the upgrade package.
Upgrading SecurePlatform via the Patch Utility
Using the CD
If you have the CD of the new version you want to upgrade to, do the following:
1 Insert the CD into the CD ROM drive on the SecurePlatform machine.
2 Logon to the SecurePlatform machine (using Console or SSH access).
3 Issue the following command:
patch add cd
4 Choose the SecurePlatform upgrade package, and follow the upgrade process instructions.
Without the CD
If you do not have the CD, download the SecurePlatform upgrade package from the download center:
http://www.checkpoint.com/techsupport/downloads.jsp
Using TFTP
1 Copy the upgrade package file to a TFTP server.
2 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command:
patch add tftp <ip> <package>
where <ip> is the TFTP server’s IP address and <package> is the name of the package downloaded.
3 Follow the upgrade process instructions.
Without TFTP
1 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.
2 Use FTP to transfer the SecurePlatform upgrade package to the SecurePlatform machine.
3 Issue the following command:
patch add <file>
where <file> is the exact filename (including full path) of the upgrade package.
4 Follow the upgrade process instructions.
Using SmartUpdate to Upgrade SecurePlatform
Once you are familiar with this chapter outlining the SmartUpdate upgrade process, proceed as follows:
1 Add the SecurePlatform upgrade package to the SmartUpdate repository.
patch add cd
patch add tftp
patch add
Chapter 4 Check Point Gateway Upgrades 43
http://www.checkpoint.com/techsupport/downloads.jsp
Upgrading Check Point Gateways with SmartUpdate
2 Select Products > Upgrade All Products and select the target SecurePlatform machine.
Upgrading Check Point Gateways with SmartUpdate
Prerequisites for SmartUpdate Upgrade
For the Check Point Gateways and the SmartCenter Server, obtain licenses from the User Center at http://www.checkpoint.com/usercenter.
Requirements for Upgrading Gateways from Version 4.1 SP2
• VPN-1/FireWall-1 4.1 SP2 (or higher).
• An fw putkey connection between the SmartCenter Server and version 4.1 SP2 remote Check Point Gateways.
• CPutil must be installed and configured. This is required for CPRID, which is needed for all remote product operations. The CPutil package and associated Release Notes are available on the “Check Point 2000 CD” and from
http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html
• In order to establish the CPRID connection with the 4.1 Check Point Gateway, a utility called opsec_putkey was added to the SmartCenter Server. The command should be executed from the utility directory $CPDIR/database/cprid/cprid_util_keys after configuring CPutil on the remote Check Point Gateway:
opsec_putkey -ssl -p -port 18208
Requirements for Upgrading Gateways from NG
Ensure that there is Secure Internal Communication between the SmartCenter Server and the Check Point Gateways to be upgraded.
Reboot your upgraded SmartCenter Server.
Configuring the SmartCenter Server so that you can use SmartUpdate
3 Install the latest version of the SmartConsole, including SmartUpdate.
4 For a new SmartCenter Server installation, install on the SmartCenter Server (using the CPConfig configuration tool or the cplic put command):
• the NG SmartCenter license and
• the SmartUpdate license.
The SmartUpdate license is needed for product management capabilities.
5 Define the remote Check Point Gateways in SmartDashboard (for a new SmartCenter Server installation).
6 Make sure that the Administrator SmartUpdate permissions (as defined in the cpconfig configuration tool) are Read/Write. Alternatively, log in as root.
7 To upgrade version NG and above Check Point Gateways, ensure that in SmartDashboard, in the Policy Global Properties window in the FireWall-1 Implied Rules page, Accept CPRID Connections (SmartUpdate) is checked. By default, it is checked.
8 To upgrade version 4.1 Check Point Gateways, add a rule in the SmartDashboard to Accept CPRID Connections (ANY ANY FW1_CPRID Accept).
Using SmartUpdate to Add Products to the Product Repository
Use SmartUpdate to add products to, and delete products from, the Product Repository.
Products can be added to the Repository:
• directly from the Check Point Download Center web site (by selecting Product > New Product > Add From Download Center...),
• by adding them from the Check Point CD (Product > New Product > Add From CD...), and
• by importing a file (Product > New Product > Import File...).
When adding the product to the Product Repository, the product file is transferred to the SmartCenter Server. The Operation Status window opens. Use it to verify the success of the operation. The Product Repository is then updated to show the new product object.
Using SmartUpdate to Upgrade Remote Check Point Gateways
Updating All Products on a Check Point Gateway
All Check Point NG products on a Check Point Gateway, including the operating system for Nokia IPSO and SecurePlatform, can be remotely updated to the latest version in a single operation.
1 From SmartUpdate > select Products > Upgrade All Products and select one or more Check Point Gateways.
The requested operation is verified by checking the following:
• The required products of the latest version are in the Product Repository.
• All Check Point products installed on the Check Point Gateways are of the same NG version.
• Verification of the installation logic, sufficient disk space, and a cprid (Check Point Remote Installation Daemon) connection to the Check Point Gateway.
2 If verification is successful, the Upgrade All Products window opens showing the currently installed products and the products to be installed on the chosen Check Point Gateways.
If one or more of the required products are missing from the Product Repository, SmartUpdate will open the Download Products window. You can then download the required product directly to the Product Repository.
Note that the Reboot Check Point Gateway After Installation option (checked by default) is required in order to activate the newly installed product.
3 Click Upgrade.
The Operation Status window opens and shows the progress of the operation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window which shows the operation history.
Using SmartUpdate to Upgrade IPSO
Proceed as follows:
1 Add the Nokia IPSO image package to the SmartUpdate repository. Nokia IPSO images can be obtained from the Nokia website:
http://www.nokia.com
2 Check Point Product Packages for IPSO.
3 Make sure that the $SUDIR/conf/IPSO_VER.txt file on the SmartCenter Server is updated with the IPSO OS Package version you want to install and exists in the repository.
4 Select Products > Upgrade All Products and select the target Nokia machine.
Upgrading a Single Product on a Check Point Gateway
Use this procedure to upgrade version 4.1 SP2 products.
Proceed as follows:
1 Drag and drop the latest version of SVN Foundation from the Product Repository over the Check Point Gateway object in the Products tab.
Follow the progress of the operation in the Operation Status window.
2 Drag and drop the latest version of each of the desired Check Point products, one at a time, from the Product Repository over the Check Point Gateway object in the Products tab.
Follow the progress of the operation in the Operation Status window.
Upgrading Check Point Gateways In Place
Upgrading Check Point enforcement gateways manually for distributed installations, without the benefit of SmartUpdate, requires you to take care of some of the steps that SmartUpdate performs automatically. This chapter outlines a basic upgrade and includes special steps to use if you are upgrading manually. It also offers some advice for minimizing your downtime during an upgrade.
First Upgrade your Operating System
If you plan to upgrade your operating system, do it before upgrading your Check Point Gateway. Place the CD in your CD ROM drive and follow the straightforward instructions in the installation wizard. Once you have successfully completed the installation, reboot your machine. During an In Place (or SmartUpdate) Check Point Gateway upgrade only the kernel and daemons are replaced; SIC is maintained.
Special Considerations for Manual Check Point Gateway Upgrade
1 If you manually upgrade the Check Point Gateway, update the version of the objects representing the Check Point Gateways in SmartDashboard to NG with Application Intelligence (R55) via the General page of its Check Point Gateway window.
2 SAM (Suspicious Activities Monitoring) dynamic rules are not automatically upgraded from 4.1 to NG with Application Intelligence. Instructions follow:
Configuring OPSEC for Check Point Gateways
This section addresses users who upgraded VPN-1 Pro Check Point Gateways from 4.1 SP5 that have CVP or UFP servers. The CVP or UFP servers may be in a load sharing configuration. The section also addresses users who use the SAM proxy feature.
During the VPN-1 Pro Check Point Gateway upgrade, some of the data contained in the fwopsec.conf is moved or modified. The rest of the data in this file should be either manually or automatically updated in the SmartCenter’s database.
Automatic Update
The upgrade_fwopsec tool automatically performs the set of updates that you can read about in detail in the following “Manual Update” section.
The tool works on the fwopsec.v4x file. This is a backup of the original fwopsec.conf file before it is modified by the VPN-1 Pro Check Point Gateway upgrade.
1 Make sure that the SmartDashboard application is closed before running upgrade_fwopsec.
2 Confirm that SIC communication is established between the SmartCenter Server and the VPN-1 Pro Check Point Gateway.
3 Run upgrade_fwopsec on the SmartCenter Server.
Sample command run from SmartCenter where SIC has been established:
upgrade_fwopsec -fw -fetch -f conf/fwopsec.v4x
Explanation of Sample Command:
This command fetches $FWDIR/conf/fwopsec.v4x from the Check Point Gateway and updates SmartCenter's database. The program will print the operations and the results.
4 Install the policy on the Check Point Gateway.
TABLE 4-2 upgrade_fwopsec options
parameter                     meaning
-mgmt mgmt_host               The name of the SmartCenter Server (default is localhost).
-u user                       The administrator’s name. The administrator must have write permission.
-p password                   The user’s password (the password used for the GUI Management Client).
[-fwm fw_obj_name [-fetch]]   fw_obj_name is the name of the Check Point Gateway object (as specified in the VPN-1/FireWall-1 SmartDashboard) to which the configuration information applies. If -fetch is specified, then the information will be retrieved from fwopsec_file on the Check Point Gateway; otherwise upgrade_fwopsec will retrieve it from the SmartCenter Server (the local machine on which this command is run).
-f fwopsec_file               The path to the file containing the configuration information, usually “fwopsec.v4x”. If the -fetch option is used, then fwopsec_file specifies the file’s path relative to the remote Check Point Gateway’s $FWDIR.
[-log log_file | -nolog]      Log the upgrade process to log_file (default is $FWDIR/tmp/.upg_opsec.log). If -nolog is specified, the log will be directed to stderr. If the upgrade is successful, the log will be appended to $FWDIR/tmp/mgmt.upg_opsec.log.
Manual Update
The data that needs manual updating is as follows:
• CVP and UFP backwards compatibility communication methods. The lines in the file begin with server. This data should be moved to the relevant CVP or UFP OPSEC application object.
• SAM backwards compatibility communication methods. The lines in the file begin with server. There will also be a line that begins with sam_allow_remote_request. This data should be moved to the SAM tab in the SmartDashboard for the relevant VPN-1 Pro Check Point Gateway’s object.
• CVP and UFP load sharing definitions. The relevant blocks contain the word load_sharing. These load sharing definitions should be migrated into new objects of type CVP or UFP Collection. If Collection members are not defined, they should be created.
• Modify the Resource objects that referenced the old CVP or UFP load sharing objects so that they reference the new Collection objects.
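To make the manual update list easier to work through, here is an added example (not Check Point's code, and not upgrade_fwopsec) that scans a fwopsec.v4x backup and reports, for each leftover setting, which SmartDashboard object it must be re-entered in. The line layout it parses ("<cvp|ufp|sam>_server <setting> <value>", a sam_allow_remote_request line, and "<cvp|ufp>_load_sharing <name> { member ... }" blocks) is an assumption, and the sample file is constructed.

```python
"""Audit a fwopsec.v4x backup and group the settings that must be migrated
by hand, following the three items of the "Manual Update" list.

Added example, not Check Point code. The file layout below is an assumption
about how a 4.1-style fwopsec backup is written.
"""
import re
from collections import defaultdict

# Constructed sample of a 4.1-style fwopsec backup (not a real customer file).
SAMPLE_FWOPSEC_V4X = """\
# fwopsec.v4x - constructed sample
cvp_server auth_port 18181
cvp_server port 0
ufp_server auth_port 18182
sam_server port 18183
sam_allow_remote_request 1
cvp_load_sharing av_pool {
    member av1
    member av2
}
ufp_load_sharing url_pool {
    member urlfilter1
}
"""

SERVER_LINE = re.compile(r"^(cvp|ufp|sam)_server\s+(\S+)\s+(\S+)$")
LOAD_SHARING = re.compile(r"^(cvp|ufp)_load_sharing\s+(\S+)\s*\{$")
SAM_TAB = "SAM tab of the gateway object"


def audit_fwopsec(text):
    """Map each leftover setting to the object it must be migrated into.

    Returns {target: [items]}. A load-sharing block maps to a Collection
    object whose items are its member names: create any member object that
    does not exist yet, then repoint the Resources that used the old object.
    Anything the parser does not recognise is listed for manual review.
    """
    todo = defaultdict(list)
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line or line.startswith("#"):
            continue
        m = SERVER_LINE.match(line)
        if m:  # backwards-compatibility communication method
            kind, setting, value = m.groups()
            target = SAM_TAB if kind == "sam" else f"{kind.upper()} OPSEC application object"
            todo[target].append(f"{setting}={value}")
            continue
        if line.startswith("sam_allow_remote_request"):
            todo[SAM_TAB].append(line)
            continue
        m = LOAD_SHARING.match(line)
        if m:  # load sharing definition -> new Collection object
            kind, name = m.groups()
            target = f"{kind.upper()} Collection object '{name}'"
            todo[target]  # list the Collection even if it has no members yet
            while i < len(lines) and lines[i] != "}":
                tok = lines[i].split()
                if len(tok) == 2 and tok[0] == "member":
                    todo[target].append(tok[1])
                i += 1
            i += 1  # skip the closing brace
            continue
        todo["unclassified (review by hand)"].append(line)
    return dict(todo)


if __name__ == "__main__":
    for target, items in audit_fwopsec(SAMPLE_FWOPSEC_V4X).items():
        print(f"{target}: {', '.join(items)}")
```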
CHAPTER 5
ClusterXL Upgrade
In This Chapter
Before You Begin page 51
Planning a Cluster Upgrade page 52
Performing a Minimal Effort Upgrade on a ClusterXL Cluster page 53
Performing a Zero Down Time Upgrade on a ClusterXL Cluster page 54
Performing a Full Connectivity Upgrade on a ClusterXL Cluster page 57
Before You Begin
Terminology
module - otherwise known as an Enforcement Module, the module is the VPN-1 Pro engine that actively enforces your organization’s Security Policy.
SmartUpdate - SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses.
Product Repository - This is a SmartUpdate repository on the SmartCenter Server that stores uploaded products (like VPN-1 Pro or FloodGate-1). These products are then used by SmartUpdate to perform upgrades of Check Point Gateways.
In Place - In Place upgrades are upgrades performed directly on a product without the benefit of SmartUpdate. SmartUpdate is the recommended Check Point upgrade tool.
ClusterXL - ClusterXL is a software-based load sharing and high availability solution for Check Point gateway deployments. It distributes traffic between clusters of redundant gateways so that the computing capacity of multiple machines may be combined to increase total throughput. In the event that any individual gateway becomes unreachable, all connections are re-directed to a designated backup without interruption. Tight integration with Check Point's SmartCenter management and enforcement point solutions ensures that ClusterXL deployment is a simple task for FireWall-1, VPN-1, and FloodGate-1 administrators.
Tools for Gateway Upgrades
1 SmartUpdate’s Upgrade All Products Feature - This feature allows you to upgrade all products installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your Operating System as a part of your upgrade.
2 SmartUpdate’s Add New Product Tools - SmartUpdate provides three tools for adding products to the Product Repository:
• Add From Download Center - an online download
• Add From CD - add a new product from the Check Point CD
• Import File - add a new product that you have stored locally.
3 SmartUpdate’s Get Check Point Gateway Data - This tool updates SmartUpdate with the current Check Point or OPSEC third party products installed on a specific gateway or for your entire enterprise.
Planning a Cluster Upgrade
In order to upgrade ClusterXL there are three options available to you:
• Minimal Effort Upgrade - Choose this option if you have a period of time during which network downtime is allowed. The minimal effort method is much simpler because the cluster members are upgraded as individual gateways. Therefore, the instructions for this method are located in the “Check Point Gateway Upgrades” chapter.
• Zero Downtime - Choose this option if your gateway needs to remain active. The zero downtime method assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic.
• Full Connectivity Upgrade - Choose this option if your gateway needs to remain active and your connections must be maintained. Full Connectivity Upgrade with Zero Down Time assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic, and open connections are maintained during the upgrade.
Working with a Mixed Cluster
When there are cluster members of different versions on the same synchronization network, the cluster members with the previous version will turn active and the cluster members with the newer version will remain in a special state called Ready. In this state the newer version cluster members do not process any traffic destined for the cluster IP. During an upgrade this is the expected behavior. If you wish to avoid such a situation, for example during a downgrade, you should physically (or using ifconfig) disconnect the cluster interfaces and the synchronization network of that cluster member prior to the downgrade process.
Upgrading OPSEC Certified Third Party Cluster Products
• When upgrading Nokia clustering (VRRP and IP Cluster) follow either of the regular procedures (Zero downtime or Minimal effort).
• When upgrading other third party clustering products it is recommended to use the minimal effort procedure. Zero downtime upgrade (with or without FCU) is not supported using the regular procedure. The third party may supply an alternative upgrade procedure to achieve a zero downtime upgrade. Consult the third party documentation.
• When upgrading from a Version 4.1 SP5 cluster, configure the Synchronization Network from the Synchronization tab. Check the Support Non-sticky Connections check box in the Third Party Configuration tab when the third party solution does not assure full connection stickiness (meaning that packets from client-to-server and from server-to-client pass through the same cluster member). Consult the Third Party Vendor's documentation for information regarding whether or not you should check the boxes: Hide cluster members' outgoing traffic behind the cluster's IP address and Forward cluster's incoming traffic to cluster members' IP address.
Performing a Minimal Effort Upgrade on a ClusterXL Cluster
If it is your intention to perform a Minimal Effort Upgrade, meaning you can afford to have a period of time during which network downtime is allowed, you will basically be treating cluster members as individual gateways. In other words, each cluster member can be upgraded in the same way you upgrade an individual gateway member. Please refer to the “Check Point Gateway Upgrades” chapter for gateway upgrade instructions.
Performing a Zero Down Time Upgrade on a ClusterXL Cluster
Supported Modes
Zero Downtime is supported on all modes of ClusterXL including IPSO’s IP clustering and VRRP. For other third party clustering solutions please consult your third party solution’s guide.
Planning your Zero Down Time Upgrade
Assume you have a cluster of several VPN-1 Pro machines (called A, B and C in this example) with any version from 4.1 SP5 to NG with Application Intelligence.
The upgrade is divided into three parts:
1 Upgrade the SmartCenter Server (see the “SmartCenter Upgrade” chapter)
2 Upgrade all but one of the cluster members.
3 Upgrade the last cluster member.
Upgrade All But One of the Cluster Members
1 Run cphaconf set_ccp broadcast on all cluster members. This will turn the clu