    The Upgrade Guide

    NG with Application Intelligence (R55)

    For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at http://support.checkpoint.com/kb/

    See the latest version of this document in the User Center at: http://www.checkpoint.com/support/technical/documents/docs_r55.html

    IMPORTANT: Check Point recommends that customers stay up-to-date with the latest service packs and versions of security products, as they contain security enhancements and protection against new and changing attacks.

    Part Number 700724, November 2003


    © 2003-2004 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS: Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 6,496,935, 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    THIRD PARTIES: Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

    Verisign is a trademark of Verisign Inc.

    The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

    The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Copyright © 1998 The Open Group.

    The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

    1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

    2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

    3. This notice may not be removed or altered from any source distribution.

    The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

    The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Check Point Software Technologies Ltd.

    U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

    Table Of Contents

    Chapter 1 Introduction to the Upgrade Process
      Before You Begin  11
      Upgrading Successfully  12

    Chapter 2 Planning Your Upgrade
      Recommended Upgrade Flows  13
      Deployments  13

    Chapter 3 SmartCenter Upgrade
      Before You Begin  17
      Terminology  17
      Tools  18
      Built in Safety Measures and Tips  18
      Planning SmartCenter Upgrades  19
      Select the Basic or the Advanced Upgrade Method  19
      Maintaining Backward Compatibility  20
      SecurePlatform  20
      backup  20
      Syntax  20
      Parameters  21
      Using the “Patch” Utility to Upgrade Itself  21
      Using TFTP  21
      Not Using TFTP  21
      Upgrading SecurePlatform via the Patch Utility  22
      Using the CD  22
      Without the CD  22
      Basic SmartCenter Upgrade Procedure  23
      Basic Upgrade Steps  23
      Advanced SmartCenter Upgrade  24
      Motivations for Performing Advanced Upgrade  24
      Selecting a Manual Upgrade or an Automatic Upgrade  25
      Advanced Upgrade Steps  26
      Tools for Upgrading SmartCenters  27
      Pre-Upgrade Verification  27
      Action Items before the Upgrade  29
      Action Items after the Upgrade  29
      Information Messages  29
      Advanced Upgrade on a Spare Machine Using the Command Line Interface  30
      Export and Import Commands  32
      SecurePlatform’s Update Utility  32
      Upgrading to a Different IP Address or Domain Name  33
      Notes, Exceptions and Limitations  37
      After Performing an Advanced Upgrade  37
      Upgrading with Management High Availability  38

    Chapter 4 Check Point Gateway Upgrades
      Before You Begin  39
      Terminology  39
      Tools for Gateway Upgrades  40
      Planning a Check Point Gateway Upgrade  40
      SecurePlatform  40
      Upgrading to Windows 2003 Server from pre-2003 Server  40
      Upgrading Modules with SecurePlatform  41
      backup  41
      Syntax  41
      Parameters  41
      Using the “Patch” Utility to Upgrade the “Patch” Utility Itself  42
      Using TFTP  42
      Not Using TFTP  42
      Upgrading SecurePlatform via the Patch Utility  42
      Using the CD  42
      Without the CD  43
      Using TFTP  43
      Without TFTP  43
      Using SmartUpdate to Upgrade SecurePlatform  43
      Upgrading Check Point Gateways with SmartUpdate  44
      Prerequisites for SmartUpdate Upgrade  44
      Requirements for Upgrading Gateways from Version 4.1 SP2  44
      Requirements for Upgrading Gateways from NG  44
      Configuring the SmartCenter Server so that you can use SmartUpdate  44
      Using SmartUpdate to Add Products to the Product Repository  45
      Using SmartUpdate to Upgrade Remote Check Point Gateways  45
      Updating All Products on a Check Point Gateway  45
      Using SmartUpdate to Upgrade IPSO  46
      Upgrading a Single Product on a Check Point Gateway  46
      Upgrading Check Point Gateways In Place  47
      First Upgrade your Operating System  47
      Special Considerations for Manual Check Point Gateway Upgrade  47
      Configuring OPSEC for Check Point Gateways  47
      Automatic Update  48
      Manual Update  49

    Chapter 5 ClusterXL Upgrade
      Before You Begin  51
      Terminology  51
      Tools for Gateway Upgrades  52
      Planning a Cluster Upgrade  52
      Working with a Mixed Cluster  53
      Upgrading OPSEC Certified Third Party Cluster Products  53
      Performing a Minimal Effort Upgrade on a ClusterXL Cluster  53
      Performing a Zero Down Time Upgrade on a ClusterXL Cluster  54
      Supported Modes  54
      Planning your Zero Down Time Upgrade  54
      Upgrade All But One of the Cluster Members  54
      Upgrade the Final Cluster Member  56
      Performing a Full Connectivity Upgrade on a ClusterXL Cluster  57
      Understanding a Full Connectivity Upgrade  57
      Supported Modes  57
      Terminology  57
      Pre-Requisite for using the Full Connectivity Upgrade  57
      Full Connectivity Upgrade Limitations  57
      Implementing a Full Connectivity Upgrade  59
      Upgrading a cluster with 2 members  59
      Upgrading a cluster with 3 or more members  59
      Monitoring the Full Connectivity Upgrade  60
      Reverting to Old Version of SVN Foundation, FireWall-1 or FloodGate-1  61
      Nokia - Safely Removing NG  61
      Other Product Roll Backs  62

    Chapter 6 SmartView Reporter Upgrade
      Before you begin  63
      Terminology  63
      Tools  64
      How to back up your reports  64
      How to stop log consolidator  64
      How to backup the database  65
      How to re-establish SIC between SmartCenter and SmartView Reporter  65
      Safety  66
      Planning  66
      Performing a Basic SVR Upgrade  66
      Stand Alone configuration  66
      Distributed configuration  67
      Performing an Advanced Upgrade  67
      General notes on advanced upgrade  67
      Standalone configuration  68
      Distributed configuration  68
      More Upgrade Configurations  69
      Advance upgrade from one version of NG with Application Intelligence to another  69
      Upgrade SmartCenter but leave SmartView Reporter in a previous version  69
      NG with Application Intelligence (R54)  69
      NG FP3  69
      Upgrading the SQL Database  70

    Chapter 7 Log Server Upgrade
      Log Server Upgrades  73
      SecurePlatform  73

    Chapter 8 Upgrading SmartLSM
      Before You begin  75
      Terminology  75
      Tools  76
      Export  76
      LSM CLI  76
      Safety  76
      Planning  76
      Upgrade your ROBO Gateways  76
      Adding a ROBO Gateway Upgrade Package to the SmartUpdate Package Repository  77
      Upgrading a ROBO Gateway Using SmartLSM  77
      Upgrading a VPN-1 Express/Pro ROBO Gateway  77
      Full Upgrade  78
      Specific Install  78
      Upgrading a VPN-1 Edge ROBO Gateway  79
      Upgrading a VPN-1 ROBO Gateway Using the LSM CLI  79
      Upgrading a VPN-1 Express/Pro ROBO Gateway Using the LSM CLI  79
      Upgrading a VPN-1 Edge ROBO Gateway Using the LSM CLI  81
      Using the LSMcli in Scripts  81
      Upgrading a VPN-1 Express/Pro ROBO Gateway In Place  82

    Chapter 9 Upgrading Provider-1
      Introduction  83
      Scope  83
      Before You Begin  83
      Supported Platforms  84
      Supported Versions for Upgrade  84
      Summary of Sections in this Chapter  85
      Provider-1/SiteManager-1 Upgrade Tools  85
      Pre-Upgrade Verifiers and Fixing Utilities  85
      Installation Script  86
      Pre-Upgrade Verification Only  87
      Upgrade  87
      Backup  87
      cma_migrate  87
      Usage  88
      Example  88
      migrate_assist  89
      Usage  89
      Example  90
      migrate_global_policies  90
      Usage  90
      Backup and Restore  91
      mds_backup  91
      Usage  92
      mds_restore  92
      Usage  92
      Provider-1/SiteManager-1 Upgrade Practices  92
      In-place Upgrade  92
      Upgrading your Operating System  93
      Replicate and Upgrade  93
      Gradual Upgrade on the same machine - Version 4.1  94
      Preparations  94
      Gradually Upgrading the Primary MDS  95
      Upgrade Steps  96
      Gradually Upgrading Additional MDSes  97
      Gradual Upgrade to Another Machine  98
      Upgrade steps  99
      Gradual Upgrade with Global VPN Considerations  99
      Migrating from Stand Alone installation to CMA  100
      Terminology  100
      An Overview of the Stand Alone Installation to CMA Migration Procedure  101
      From a Version 4.1 Installation  102
      From NG (All Feature Pack) Installation  106
      Upgrading in a Multi MDS Environment  109
      Pre-Upgrade Verification and Tools  109
      Upgrading a Version 4.1 System with an Additional MDS  109
      Upgrading an NG with Application Intelligence Multi-MDS System  110
      MDS High Availability  110
      Before the Upgrade  110
      CMA High Availability  111
      Restoring your Original Environment  111
      Before the Upgrade  111
      Restoring your original environment  111
      Renaming Customers  112
      Identifying Non-Compliant Customer Names  112
      High-Availability Environment  112
      Automatic Division of Non-compliant Names  112
      Resolving the Non-compliance  113
      Additional options menu  113
      High-Availability  114
      Advanced Usage  114
      Changing MDS IP address and External Interface  115
      IP Address Change  115
      Interface Change  115

    Appendix A Behavioral Changes in FireWall-1
      Introduction to Behavioral Changes in FireWall-1  117
      Behavioral Changes In Stateful Inspection  118
      TCP Connection reuse  118
      Section Summary  118
      Version 4.1 SP5 Solution  118
      NG with Application Intelligence Solution  119
      TCP Connection Establishment (three-way handshake)  119
      TCP Sequence Verification  120
      Connections Recovery After Policy Installation  121
      First TCP Packet  122
      Stateless Checks  124
      Default session timeouts  125
      Section Summary  125
      Behavioral Changes in NAT  126
      Improvements in HIDE NAT Address  126
      Version 4.1 SP5 Solution  126
      NG with Application Intelligence Solution  126
      IP Pools  127
      Version 4.1 SP5 Solution  127
      NG with Application Intelligence Solution  127
      Transparent Server Connection (under NAT)  127
      Improvements in Static NAT  128
      New NAT properties in FireWall-1 NG  128
      Allow Bidirectional NAT  128
      Automatic ARP configuration  129
      Behavioral Changes for Services Features  129
      Match for Any  129
      Time-out  130
      Protocol Type  130
      DNS Enforcement is Used by Default  130
      Dynamic Port Negotiation Inspection (Well Known Port)  130
      X11 Drop  131
      New Service Features  131
      Keep Connections During Policy Reload  131
      Dropping X11 Traffic  132
      SSHv2 and SSLv3  132
      FTP Behavioral Changes  132
      FTPbidir  132
      FTPbasic  132
      FTPnew Enforcement  133
      FTP Passive and FTP Port  133
      Behavioral Changes in INSPECT  133
      NAT Rule-Match Performance  133
      SmartCenter Behind NAT  133
      Client-Side Translation  133
      NAT for Dynamic Objects  134
      Disable NAT Inside the VPN Community  134
      Behavioral Changes in INSPECT  134
      Backward compatibility note  134
      Unknown established TCP packet  135
      Description  135
      Solution in Version 4.1  135
      Solution in NG with Application Intelligence  136
      FTP Related INSPECT Solutions  136
      FTP control NewLine enforcement  136
      Description  136
      Version 4.1 solution  137
      Solution with NG with Application Intelligence  138
      Changes to FTP control connection timeout  138
      Description  138
      Solution in Version 4.1  138
      Solution in NG with Application Intelligence  139
      Preventing FTP data connection failures on server port check  139
      Description  139
      Solution in Version 4.1  140
      Solution in NG with Application Intelligence  140
      Using FTP on non-standard ports  141
      Description  141
      Solution in Version 4.1  141
      Solution in NG with Application Intelligence  142
      Backward Compatibility  142
      Bi-direction FTP data connection  143
      Solution in Version 4.1  143
      Solution in NG with Application Intelligence  144
      Authentication related INSPECT solutions  144
      Preventing re-authentication when a policy is installed  144
      Description  144
      Version 4.1 Solution  144
      Solution in NG with Application Intelligence  144
      Removing RADIUS/LDAP/TACACS from Control Connections  145
      Description  145
      Solution in Version 4.1  145
      Solution in NG with Application Intelligence  147
      Services Related INSPECT Solutions  147
      Increasing services session timeout  147
      Description  147
      Version 4.1 Solution  148
      Solution in NG with Application Intelligence  148
      Backward Compatibility Issues for Services  148
      Custom INSPECT Services  149
      Overview  149
      What to change  149
      prologue  149
      match  149
      H.323 New service  150
      Version 4.1 Solution  150
      Solution in NG with Application Intelligence  150
      GRE inspection  150
      Version 4.1 Solution  150
      Solution in NG with Application Intelligence  151
      RSH STDERR back connections with ports lower than 601  151
      Description  151
      Version 4.1 Solution  152
      Solution in NG with Application Intelligence  152
      DNS Verification  152
      Description  152
      Version 4.1 Solution  152
      Solution in NG with Application Intelligence  153
      INSPECT Accounting solutions  153
      Description  153
      Version 4.1 Solution no. 1  153
      Version 4.1 Solution no. 2  155
      Solution in NG with Application Intelligence  156
      Restricting Account Logging to the Account Log Viewer only  156
      Description  156
      Version 4.1 Solution  156
      NG with Application Intelligence Solution  156
      INSPECT and Load Balancing  157
      Changes to persistency timeouts  157
      Description  157
      Version 4.1 Solution  157
      NG with Application Intelligence Solution  157
      INSPECT Tuning solutions  157
      Changes to the connections table size  157
      Description  157
      Version 4.1 solution  157
      NG with Application Intelligence solution  158
      Changes to Kernel memory settings  158
      Description  158
      Solution in Version 4.1  158
      Solution in NG with Application Intelligence  160

    CHAPTER 1

    Introduction to the Upgrade Process

    In This Chapter

    Before You Begin page 11

    Upgrading Successfully page 12

    Before You Begin

    Welcome to the Upgrade Guide. We created this guide to explain all available upgrade paths for Check Point products from Version 4.1 SP5 forward. This document is specifically geared towards upgrading to NG with Application Intelligence (R55).

    Before you begin please:

    • Back up everything you will be upgrading.

    • Make sure that you have the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents/docs_r55.html

    • It is a good idea to have the latest version of the NG with Application Intelligence (R55) Release Notes handy. Download them from: http://www.checkpoint.com/techsupport/ng_application_intelligence/release_notes.html

    • If you are wondering what new features are available in NG with Application Intelligence (R55), read the “What’s New Guide”: http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_whatsnew.html

    • You can upgrade to NG only from Version 4.1 SP5 and higher. If you are running a version prior to 4.1 SP5, then proceed as follows:

      • Upgrade from that version to Version 4.1 SP5.

      • Upgrade from Version 4.1 SP5 to NG with Application Intelligence.

    Upgrading Successfully

    All successful upgrades begin with a solid game plan and a full understanding of the steps you need to follow in order to succeed. This book provides graphics, tips and instructions to make the upgrade process as clear as possible.

    It is not necessary to read the entire book. In fact, there may be large portions of the book that do not apply to you because you do not own the product covered. The book is structured to show you common scenarios and then to provide the steps necessary for achieving your unique upgrade.

    We hope that your upgrade goes smoothly but in the event that you run into unexpected snags, please contact your Reseller or our SecureKnowledge support center at: https://support.checkpoint.com/login/login.jsp


    CHAPTER 2

    Planning Your Upgrade

    In This Chapter

    Recommended Upgrade Flows page 13

    Recommended Upgrade Flows

    Successful upgrading begins with a comprehensive upgrade plan, good organizational oversight and an understanding of your products. The purpose of this chapter is to provide you with a broad understanding of how your upgrade deployment fits into Check Point’s products. After reading this short chapter, you will have a clearer idea of how to conceptualize and proceed with your upgrade.

    Deployments

    What follows are four separate graphics depicting four Check Point upgrade deployments. In all four deployments, we suggest proceeding as follows:

    1 Upgrade your management products: SmartCenter Server (and SmartConsole), SmartLSM or Provider-1, then SmartView Reporter and Log Server.

    2 Upgrade your enforcement products: Check Point gateways (individual modules or ClusterXL, ROBO Gateways).

    Below, find the graphic that most closely resembles your enterprise’s deployment and follow the instructions in each of the corresponding chapters in this “Upgrade Guide”.

    FIGURE 2-1 Upgrade a SmartCenter with Gateway(s)

    FIGURE 2-2 Upgrade a SmartCenter Server with SmartView Reporter, Gateway(s) and Cluster(s)

    FIGURE 2-3 Provider-1 Upgrade

    FIGURE 2-4 Upgrade a SmartCenter Server with SmartLSM, Gateway(s), Cluster(s) and ROBO Gateways

    CHAPTER 3

    SmartCenter Upgrade

    In This Chapter

    Before You Begin page 17

    Planning SmartCenter Upgrades page 19

    SecurePlatform page 20

    Basic SmartCenter Upgrade Procedure page 23

    Advanced SmartCenter Upgrade page 24

    Before You Begin

    This chapter first goes through the steps to perform a basic upgrade, then goes through the steps to perform an advanced upgrade.

    Terminology

    Here are some useful terms that you need to be familiar with in order to continue reading this chapter:

    Security Policy - A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.

    Enforcement module - An Enforcement module is the engine of VPN-1 Pro which actively enforces the Security Policy of the organization.

    SmartCenter Server - The SmartCenter Server is the server used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the SmartCenter Server, and are downloaded from time to time to the Enforcement module.

    SmartConsole Clients - The SmartConsole Clients are different GUI applications which are used to manage different aspects of the Security Policy. For instance SmartView Tracker is a SmartConsole which manages logs.

    SmartDashboard - SmartDashboard is a SmartConsole which is used by the system administrator to create and manage the Security Policy.

    Tools

    Pre-Upgrade Verifier - The Pre-Upgrade verifier is a tool that provides you with a report. Three types of results are displayed in the report:

    • Action items to perform before the upgrade

    • Action items to perform after the upgrade

    • Information Messages

    This tool is automatically run before both basic and advanced upgrades and can be run in preparation for upgrading. Further details regarding this tool are located in “Pre-Upgrade Verification” on page 27.

    Built in Safety Measures and Tips

    1 Automatic pre-upgrade verification runs by default during your SmartCenter upgrade. The pre-upgrade verification notifies you of important adjustments to make before upgrading.

    If you prefer, you can run the pre-upgrade verification from the CD separately from the upgrade in order to prepare yourself for your upgrade. You will be provided with a report. Three types of results can be displayed in the report:

    • action items before the upgrade,

    • action items after the upgrade and

    • information.

    Detailed explanations of these reports are outlined in “SmartCenter Upgrade”. We have also provided you with sample output from a pre-upgrade verification. It can be found in “Pre-Upgrade Verification” on page 27.

    2 During the process of upgrading your SmartCenter, an optional automatic online check is performed that confirms that your SmartCenter has the most current upgrade information available. Before running the online check, you are prompted to confirm that you want to run it.

    3 To add even more safety measures, upgrade your SmartCenter Server on a second machine. Then either:

    • make the spare machine your production management machine or

    • migrate back to the original machine.

    The steps for performing either of these types of upgrades are detailed in “Advanced SmartCenter Upgrade” on page 24.

    4 Upgrades can be performed incrementally. You do not have to upgrade SmartCenter Server and all its modules all at once.

    A First upgrade the SmartCenter Server.

    B After the upgrade, you can still manage your modules from your SmartCenter Server.

    C At your convenience, the modules can be upgraded one by one. A module that has not been upgraded will not yet have the latest features.

    5 If for any reason you are not pleased with the results, restore your prior work environment.

    6 If you have an upgrade that you would like to distribute from a central server, use SmartUpdate.

    Instructions for using SmartUpdate for upgrading are located in Chapter 4, “Upgrading Your Gateway using SmartUpdate”.

    7 When upgrading SmartCenter Server, the database is adjusted to the format of the new version. This includes the formats for policies, objects, the global properties, etc. In addition, system objects which come with the new version are added to your database. Because the files containing these elements are converted rather than simply copied, you cannot copy these files from a previous version to a newer version.

    Planning SmartCenter Upgrades

    Select the Basic or the Advanced Upgrade Method

    First choose the type of upgrade that is right for you:

    • Basic Upgrade: Perform the upgrade directly on to the production SmartCenter Server or

    • Advanced Upgrade: Perform the upgrade on a spare machine, while the production SmartCenter Server is fully operational. Test the full functionality of the spare machine and either:

    • replace the old server with the new or

    • migrate the upgraded server back to replace the old server.

    Chapter 3 SmartCenter Upgrade 19


    Both the basic and advanced upgrade can be performed automatically from the Check Point CD.

    Maintaining Backward Compatibility

    Backward compatibility for management of VPN-1 modules and FireWall-1 modules is built automatically into the NG with Application Intelligence SmartCenter Server installation.

    SecurePlatform

    Upgrade of a SecurePlatform SmartCenter Server and all the Check Point products installed on it is done by simply applying the SecurePlatform upgrade package, which can be found either on the single CD containing the new version, or as a separate package downloadable from the download center:

    http://www.checkpoint.com/techsupport/downloads.jsp

    backup

    Before upgrading the SecurePlatform system, back up your system configuration using the backup utility:

    Syntax

    backup (system | cp | all) <name> [tftp <ip>]

    Parameters

    TABLE 3-1 Parameters for SecurePlatform backup

    parameter        meaning
    system           backup system configuration
    cp               backup Check Point products configuration
    all              backup all of the configuration
    <name>           name of backup (to be restored to)
    [tftp <ip>]      IP address of tftp server on which the configuration will be backed up

    Using the “Patch” Utility to Upgrade Itself

    If you upgrade SecurePlatform from a version prior to NG with Application Intelligence (R54), you need to upgrade the Patch utility before using it to upgrade the SecurePlatform machine:

    Using TFTP

    1 Download the Patch utility upgrade package from the download center:

    http://www.checkpoint.com/techsupport/downloads.jsp

    2 Copy this file to a TFTP server.

    3 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command line command:

    patch add tftp <ip> <package>

    where <ip> is the TFTP Server’s IP address and <package> is the name of the package downloaded.

    Not Using TFTP

    1 Download the Patch utility upgrade package from the download center:

    http://www.checkpoint.com/techsupport/downloads.jsp

    2 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.

    3 Use FTP to transfer the Patch utility upgrade package to the SecurePlatform machine.

    4 Issue the following command line command:

    patch add <package>

    where <package> is the exact filename (including full path) of the upgrade package.

    Upgrading SecurePlatform via the Patch Utility

    Using the CD

    If you have the CD of the new version you want to upgrade to, do the following:

    1 Insert the CD into the CD ROM Drive on the SecurePlatform machine.

    2 Logon to the SecurePlatform machine (using Console or SSH Access).

    3 Issue the following command line command:

    patch add cd

    4 Choose the SecurePlatform upgrade package, and follow the upgrade process instructions.

    Without the CD

    If you do not have the CD, you need to download the SecurePlatform upgrade package from the download center:

    http://www.checkpoint.com/techsupport/downloads.jsp

    Using TFTP

    1 Copy the upgrade package file to a TFTP server.

    2 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command line command:

    patch add tftp <ip> <package>

    where <ip> is the TFTP Server’s IP address and <package> is the name of the package downloaded.

    3 Follow the upgrade process instructions.

    Without TFTP

    1 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.

    2 Use FTP to transfer the SecurePlatform upgrade package to the SecurePlatform machine.

    3 Issue the following command line command:

    patch add <package>

    where <package> is the exact filename (including full path) of the upgrade package.

    Follow the upgrade process instructions.

    Basic SmartCenter Upgrade Procedure

    The Basic SmartCenter upgrade upgrades your installed products in order to replace your prior version of SmartCenter with NG with Application Intelligence.

    This upgrade automatically performs the pre-upgrade verification before upgrading.

    Further information on the pre-upgrade verification is offered later in the “Pre-Upgrade Verification” section.

    Select Basic Upgrade if your goal is to upgrade installed products in place.

    Basic Upgrade Steps

    1 Access your Check Point CD.

    2 Run setup.

    3 Select Upgrade from the Upgrade Options Screen.

    4 You are presented with three upgrade options:

    A Download Most Updated Upgrade Utilities (recommended method). This download provides the most recent upgrade code available.

    B I have already downloaded and extracted the Upgrade Utilities. The files are on my local disk.

    This option is useful in two cases:

    • When the SmartCenter is not connected to the Internet (for security or other reasons). Download the package from another machine and copy it to the SmartCenter.

    • When you have already downloaded the package, you can use the package from the disk instead of downloading again. Always check to make sure that the downloaded version is the most recent version available. To check, visit:

    http://www.checkpoint.com/techsupport

    C Use the CD version. This option can be used in two cases:

    • if there are no updates for the upgrade package or

    • if there are updates, but you prefer not to update. This is not the recommended method since using the most updated upgrade version is the safest choice.

    5 The pre-upgrade verification recommendation appears. This is so that you can verify that your current installation meets the pre-conditions of the new software (see “Pre-Upgrade Verification” below).

    6 Once the pre-upgrade verification completes, proceed with any suggested repairs.

    7 Select Upgrade again from the Upgrade Options Screen. Another verification will run.

    8 If prompted, reboot your SmartCenter Server.

    9 Install SmartConsole Clients on your GUI Client machine.

    If you have a previous SmartConsole installed, select either to:

    • maintain the previous version of SmartConsole Clients or

    • overwrite the previous SmartConsole Clients.

    Advanced SmartCenter Upgrade

    Moving to a new spare machine during an upgrade with the same IP address and DNS name can be done automatically and smoothly. Like the Basic Upgrade, the Advanced Upgrade automatically performs pre-upgrade verification before upgrading.

    Note - A backwards compatibility package for managing 4.1 Check Point Gateways is installed automatically with the installation wrapper.

    Motivations for Performing Advanced Upgrade

    There are two key motivations for performing an advanced upgrade:

    1 Moving to a spare machine that will become the primary server because:

    • perhaps you have a newer server and/or

    • a more powerful server and/or

    • a server with a different operating system

    or

    2 To ensure that your production machine is always up and safe, you have decided to upgrade a spare machine and then you plan to migrate back to the original machine.

    Both of these types of advanced upgrades begin with the same steps as presented in TABLE 3-2 on page 26.

    Platform and Operating System Switching

    While upgrading SmartCenter, you can switch platforms and operating systems.

    Example

    If you were running a 4.1 SP5 SmartCenter Server on a Windows operating system, you can upgrade to NG with Application Intelligence on SecurePlatform. For more platform specific information see “Platform Specific Upgrade Notes”.

    Selecting a Manual Upgrade or an Automatic Upgrade

    Any upgrade that you can do automatically via SmartCenter (Chapter 3, “SmartCenter Upgrade” on page 17) can also be run from the command line. However, for the sake of ease, performing your upgrade from the command line is not recommended when you can use the Automatic Upgrade.

    There are two types of upgrades that cannot be performed automatically, and each is a valid reason to consider a manual upgrade:

    • If your SmartCenter Server runs on IPSO, or

    • If you upgraded a spare system and want to migrate your upgraded SmartCenter Server back to your original SmartCenter Server.


    Advanced Upgrade Steps

    TABLE 3-2 Steps for performing an Advanced upgrade on another SmartCenter Server

    Machine to perform steps on: Old SmartCenter Server

    1. Insert the CD into SmartCenter Server.

    2. Select Export in Upgrade Options.

    3. You are presented with three upgrade options:

    A Download Most Updated Upgrade Utilities (recommended method). Files are not upgraded, they are updated. This download provides the most recent upgrade code available.

    B I have already downloaded and extracted the Upgrade Utilities. The files are on my local disk.

    This option is useful:

    • When the SmartCenter is not connected to the Internet (for security or other reasons). Download the package from another machine and copy it to the SmartCenter.

    • When you have already downloaded the package, you can use the package from the disk instead of downloading again. Always check to make sure that the downloaded version is the most recent version available. To check, visit:

    https://support.checkpoint.com/downloads/bin/autoupdate/ut/r55/index.html

    C Use the CD version. This option can be used in two cases:

    • if there are no updates for the upgrade package or

    • if there are updates, but you prefer not to update. This is not the recommended method since using the most updated upgrade version is the safest choice.

    4. Select the destination path of the configuration (.tgz) file.

    5. Wait while exporting database files.

    6. Copy the exported .tgz file to the spare machine.

    Machine to perform steps on: spare machine

    7. Insert the CD into the spare machine.

    8. Select Installation using Imported Configuration in the Installation Options. This option prompts you for the location of the imported configuration file (.tgz) and then automatically installs the new software and utilizes the imported .tgz configuration file.

    Warning - The configuration file (.tgz) contains your security configuration. It is highly recommended to delete it after completing the import process.

    Migrating back or changing IP address and DNS name

    • Steps for migrating back to your new server can be found in “Upgrading to a Different IP Address or Domain Name” on page 33.

    • If you want to change the IP address and DNS name of the SmartCenter during the upgrade, see “Upgrading to a Different IP Address or Domain Name” on page 33.

    Tools for Upgrading SmartCenters

    Pre-Upgrade Verification

    During basic or either of the two phases of advanced upgrades, a pre-upgrade verification is automatically performed. If you prefer, you can run the pre-upgrade verification from the CD separately from the upgrade in order to prepare yourself for your upgrade. Pre-upgrade verification provides you with a report. Three types of results can be displayed in the report and are listed below.

    Action Items before the Upgrade

    errors – Items that must be repaired before performing the upgrade. If you proceed with the upgrade while errors exist, your upgrade will fail.

    warnings – Items that you should consider repairing before performing the upgrade.

    Action Items after the Upgrade

    These items should be fixed once the upgrade is completed, before the first policy installation.

    errors – Items that must be repaired after performing the upgrade.

    warnings – Items that you should consider repairing after performing the upgrade.

    Information Messages

    Items that should be noted.

    Pre Upgrade-Verifier CLI Commands

    Usage:

    pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w]

    or

    pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -i [-f FileName] [-w]

    -p Path of the installed SmartCenter Server (FWDIR)

    -c Currently installed version

    -t Target version

    -i Check originality of INSPECT files only

    -f Output in file

    -w Web format file

    Where the currently installed version is one of the following:

    4.1

    NG

    NG_FP1

    NG_FP2

    NG_FP3

    NG_AI

    The target version is one of the following:

    NG_FP1

    NG_FP2

    NG_FP3

    NG_AI

    NG_AI_R55

    (NG_AI represents Next Generation with Application Intelligence.) The -f option redirects the standard output to a file.

    Sample output from an actual pre-upgrade verification test can be found in “Sample of Pre-Upgrade Verifier Output” on page 31.

    Advanced Upgrade on a Spare Machine Using the Command Line Interface

    TABLE 3-3 Steps for performing an Advanced upgrade on another SmartCenter Server via the command line interface

    Machine to perform steps on: Old SmartCenter Server

    1. Download the most recent files.

    2. Run the Pre-upgrade Verifier tool and fix the relevant issues (see “Pre Upgrade-Verifier CLI Commands” on page 28).

    3. Run the Export tool (see “Export Usage” on page 32).

    4. Copy the exported files to the spare machine.

    Machine to perform steps on: spare machine

    5. Install the NG with Application Intelligence versions of the exact same products that you had on your old SmartCenter Server.

    6. Copy the exported file from SmartCenter Server into the spare machine.

    7. Run the Import tool (see “Import Usage” on page 32).

    If you wish to migrate back to your original SmartCenter Server, continue with the following steps:

    TABLE 3-4 Command Line Steps to Migrate Back to your Old SmartCenter Server

    Machine to perform steps on: spare machine

    8. Run the Export tool (see “Export Usage” on page 32).

    9. Copy the exported file to the original machine.

    Machine to perform steps on: Old SmartCenter Server

    10. Update the software by using the CD Installation Wrapper to select Import from the Upgrade Options Screen, or use the command line as explained in the “Check Point Individual Installations Guide”. If you install products individually, install the NG with Application Intelligence versions of the exact same products that you had on your old configuration.

    11. Run the Import tool (see “Import Usage” on page 32).

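    The export, copy and import steps in TABLE 3-3 and TABLE 3-4 move a .tgz bundle that, as the warning under TABLE 3-2 says, contains the whole security configuration. The following is an added example, not the guide's or Check Point's own tooling: it records a SHA-256 fingerprint of the bundle before the copy, verifies the copy (and that the archive's members are plain files and directories on relative paths) before the import would run, and overwrites then deletes both copies afterwards. It does not invoke upgrade_export or upgrade_import; a constructed sample archive with placeholder content stands in for the real export, and the file names used are assumptions.

```python
"""Verify and clean up an exported SmartCenter configuration bundle (.tgz).
Added example; upgrade_export/upgrade_import are not run here, a constructed
sample archive stands in for the real export."""
import hashlib
import os
import shutil
import tarfile
import tempfile


def build_sample_bundle(workdir):
    """Constructed stand-in for the upgrade_export output (placeholder content only)."""
    src = os.path.join(workdir, "conf")
    os.makedirs(src)
    with open(os.path.join(src, "objects.C"), "w") as fh:
        fh.write("(\n\t:network_objects ()\n)\n")  # placeholder, not a real database
    bundle = os.path.join(workdir, "export.tgz")  # assumed name of the exported file
    with tarfile.open(bundle, "w:gz") as tar:
        tar.add(src, arcname="conf")
    return bundle


def fingerprint(path):
    """SHA-256 of the file, read in chunks so large exports do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def members_are_safe(path):
    """Accept only regular files and directories whose paths stay inside the archive."""
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            if os.path.isabs(member.name) or ".." in member.name.split("/"):
                return False
            if not (member.isfile() or member.isdir()):
                return False  # no symlinks, hard links or device nodes
    return True


def verify_bundle(path, expected_digest):
    """True when the copy matches the pre-transfer fingerprint and is structurally safe."""
    return fingerprint(path) == expected_digest and members_are_safe(path)


def shred_bundle(path):
    """Overwrite, then unlink: the guide recommends deleting the bundle after import."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


def migrate_bundle(workdir):
    """Walk export -> copy -> verify -> (import) -> delete and report each outcome."""
    bundle = build_sample_bundle(workdir)
    digest = fingerprint(bundle)  # recorded on the old server before the copy
    copied = os.path.join(workdir, "spare_export.tgz")
    shutil.copyfile(bundle, copied)  # stands in for the copy to the spare machine
    verified = verify_bundle(copied, digest)  # check before running the import
    # upgrade_import would run on the spare machine here, only if verified is True
    return {"verified": verified,
            "source_deleted": shred_bundle(bundle),
            "copy_deleted": shred_bundle(copied)}


def demo_clean_transfer():
    return migrate_bundle(tempfile.mkdtemp())


def demo_tampered_copy():
    """A bundle altered in transit must fail verification."""
    workdir = tempfile.mkdtemp()
    bundle = build_sample_bundle(workdir)
    digest = fingerprint(bundle)
    with open(bundle, "ab") as fh:
        fh.write(b"tampered")
    return verify_bundle(bundle, digest)


if __name__ == "__main__":
    print(demo_clean_transfer())
    print("tampered copy verifies:", demo_tampered_copy())
```

    The fingerprint is taken on the old server and carried separately from the bundle (for example, read off the console), so a copy damaged or altered on the way to the spare machine is caught before the import, and the member check refuses archives that could write outside the import directory.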

    Sample of Pre-Upgrade Verifier Output

    Action items before the upgrade

    Errors: Correct the following problems in order to have a working environment.

    Duplicated Objects

    Description: The object appears more than once in the database.

    Impacts: Using duplicate objects will cause problems in the SmartDashboard.

    To do: Rename one of the objects before starting the upgrade process.

    This problem will occur in the following objects

    "shilog" appears twice under “network_objects” and “services”.

    --------------------------------------------------------------------------------

    Warnings: It is recommended to resolve the following problems.

    Cluster New Module

    Description: From FP3 we have centralized the cluster data. Many attributes that were taken from the members are now taken from the cluster object.

    Impacts: In the upgrade process the cluster data will be taken from one of the cluster members, if the data is not similar on all members it can lead to problems.

    Todo: Make sure that all members of a cluster are identical. Make sure the following attributes appear: SYNDefender properties, Authentication properties (next http proxy configuration), SAM properties, NAT IP Pools properties, SMTP properties.

    --------------------------------------------------------------------------------

    Information:

    Embedded Devices

    Description: This type of Embedded Device is not supported any more.

    Impacts: After upgrade the objects will appear as 4.0 modules with the same name. The objects will still be visible via SmartDashboard (as 4.0 modules), but Install Policy on these modules will be blocked.

    Todo: Not applicable.

    This problem will occur in the following Embedded Devices:

    "Chicago-Dallas-FW"

    "Dallas-Chicago-FW"
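    The report above groups its items into action items before the upgrade, action items after the upgrade and information, and the guide states that an upgrade started with errors still listed under "before" will fail. The following is an added example, not the guide's or Check Point's own code: it parses a report in that layout into findings and derives a go/no-go decision from them. The sample text embedded in it is the guide's sample output, reproduced as constructed input with the longer lines shortened; the field labels (Description, Impacts, To do/Todo) and headings are taken from that sample, and the assumption that each field occupies one line is the example's own.

```python
"""Parse a pre_upgrade_verifier report and decide whether the upgrade may proceed.
Added example; the input is the guide's sample output, embedded as constructed text."""
import re
from dataclasses import dataclass, field

# Constructed input: the guide's sample report, long lines shortened.
SAMPLE_REPORT = """\
Action items before the upgrade
Errors: Correct the following problems in order to have a working environment.
Duplicated Objects
Description: The object appears more than once in the database.
Impacts: Using duplicate objects will cause problems in the SmartDashboard.
To do: Rename one of the objects before starting the upgrade process.
This problem will occur in the following objects
"shilog" appears twice under "network_objects" and "services".
--------------------------------------------------------------------------------
Warnings: It is recommended to resolve the following problems.
Cluster New Module
Description: From FP3 we have centralized the cluster data.
Impacts: In the upgrade process the cluster data will be taken from one of the cluster members.
Todo: Make sure that all members of a cluster are identical.
--------------------------------------------------------------------------------
Information:
Embedded Devices
Description: This type of Embedded Device is not supported any more.
Impacts: After upgrade the objects will appear as 4.0 modules with the same name.
Todo: Not applicable.
This problem will occur in the following Embedded Devices:
"Chicago-Dallas-FW"
"Dallas-Chicago-FW"
"""


@dataclass
class Finding:
    phase: str        # "before" or "after" the upgrade, or "info"
    severity: str     # "error", "warning" or "information"
    title: str
    fields: dict = field(default_factory=dict)     # description / impacts / todo
    affected: list = field(default_factory=list)   # quoted object names under the item


PHASE_RE = re.compile(r"^Action items (before|after) the upgrade$", re.I)
SEVERITY_RE = re.compile(r"^(Errors|Warnings|Information)\s*:", re.I)
FIELD_RE = re.compile(r"^(Description|Impacts|To ?do)\s*:\s*(.*)$", re.I)
LEADING_QUOTED_RE = re.compile(r'^"([^"]+)"')


def parse_report(text):
    """Return the findings in report order (assumes one line per field)."""
    findings = []
    phase, severity, current = "info", None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:              # rule between items closes the current one
            current = None
            continue
        m = PHASE_RE.match(line)
        if m:
            phase, current = m.group(1).lower(), None
            continue
        m = SEVERITY_RE.match(line)
        if m:
            severity = m.group(1).lower().rstrip("s")   # errors -> error, warnings -> warning
            if severity == "information":
                phase = "info"
            current = None
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields[m.group(1).lower().replace(" ", "")] = m.group(2)
            continue
        if line.startswith("This problem will occur"):
            continue                        # the affected objects follow, one per line
        m = LEADING_QUOTED_RE.match(line)
        if m and current is not None:
            current.affected.append(m.group(1))
            continue
        if severity is not None:            # any other line opens a new item
            current = Finding(phase, severity, line)
            findings.append(current)
    return findings


def blocking_findings(findings):
    """Errors listed before the upgrade: the guide says the upgrade fails if any remain."""
    return [f for f in findings if f.phase == "before" and f.severity == "error"]


def upgrade_allowed(findings):
    return not blocking_findings(findings)


def post_upgrade_actions(findings):
    """Items to fix after the upgrade and before the first policy installation."""
    return [f for f in findings if f.phase == "after" and f.severity in ("error", "warning")]


if __name__ == "__main__":
    items = parse_report(SAMPLE_REPORT)
    for f in items:
        print(f"[{f.phase}/{f.severity}] {f.title}: {f.fields.get('todo', '')} affected={f.affected}")
    print("upgrade allowed:", upgrade_allowed(items))
```

    Run against the sample, the duplicated "shilog" object is the single blocking finding, the cluster warning is advisory, and the embedded devices are informational only; feeding the parser the -f output of the real tool before the upgrade gives the same decision the guide asks you to make by hand.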


    Export and Import Commands

    Import and Export tools are located under $FWDIR/bin/upgrade_tools.

    Export Usage

    upgrade_export <path> [-d] [-h] [-v]

    Where:

    <path> - the path to export the DB (default: local path)

    -d - prints debug information

    -h - prints this usage

    -v - prints the version

    Import Usage

    upgrade_import <file> [-d] [-h] [-v]

    Where:

    <file> - the location of the exported file

    -v - prints the version

    -d - prints debug information

    -h - prints this usage

    SecurePlatform’s Update Utility

    Upgrades to SecurePlatform can be done In Place using the Update utility. The upgrade process upgrades the SecurePlatform Operating System, and all Check Point components are automatically installed.

    Upgrading individual components, such as upgrading only FloodGate-1, is not a supported feature on SecurePlatform.

    Using the Local Patch Utility

    The Update utility uses a package on the CD:

    1 Login to the SecurePlatform machine, and enter the expert command to enter Expert mode. Issue the following command line command:

    patch add cd

    In this case, the package to select is the name of the package downloaded.

    Upgrading SecurePlatform via the Patch Utility

    This method of upgrading SecurePlatform uses a package downloaded from the download center:

    http://www.checkpoint.com/techsupport/downloads.jsp

    1 Download the package to another computer that has a TFTP server running on it.

    2 Logon to the SecurePlatform machine. Issue the following command line command:

    patch add tftp <ip> <package>

    where <ip> is the TFTP Server’s IP address and <package> is the name of the package downloaded.

    Using the Patch Utility to Upgrade Itself

    The patch utility can upgrade itself:

    1 Upgrade the patch utility itself by using the patch upgrade package.

    2 Upgrade the SecurePlatform machine (by using the SecurePlatform upgrade package).

    Using Advanced Upgrade Utilities (Pre-Upgrade Verifier, Export and Import)

    These utilities are available for SecurePlatform’s use only through the local update utility.

    From a Pre-NG with Application Intelligence machine

    Run the patch add cd ... command and choose to update SecurePlatform. The Upgrade wrapper will appear and all the utilities will be available.

    From an NG with Application Intelligence machine

    Run the update wrapper command to get access to the Upgrade Wrapper (which is already installed on your machine).

    From an Image File

    If you want to import an image you have exported from another computer, install SecurePlatform. While the First Time Installation Wizard runs, you get the option to import an image instead of specifying which packages to install.

    Upgrading to a Different IP Address or Domain Name

    This section specifies the steps that should be taken in case the spare machine has a different IP address or host name, or you migrate back with a different IP address.

    TABLE 3-5 Advanced Upgrade Options for Different IP Address or Domain Name

    Machine to perform steps on: SmartCenter Server

    1. Add rules that will allow the new spare machine to access the modules it is managing. Do this by creating a SmartCenter Object that includes the spare machine's IP address, according to your software version:

    • 4.1 - From the Policy Editor: Manage > Network Objects > New… > Workstation and mark it as a Management Station.

    • NG FP1 - From the Policy Editor: Manage > Network Objects > New… > Workstation and mark it as a Secondary Management.

    • NG FP2 or higher - From SmartDashboard (Policy Editor): Manage > Network Objects > New… > Check Point > Host/Gateway and mark it as Secondary SmartCenter.

    • If this object already exists, make sure it is marked as a Management.

    2. Create a rule on the SmartCenter Server which allows FireWall-1 and CPD (NG only) services from the object you have just created to go to all managed gateways.

    3. Install the rule on all managed gateways.

    4. Delete the rule once you have completed this process.

    Via the Wrapper:

    A. Insert the CD into SmartCenter Server.

    B. Select Export configuration to another machine.

    C. Select the destination path of the configuration (.tgz) file.

    D. Copy the exported file to the spare machine.

    Via the Command Line:

    A. Use steps 1-4 in TABLE 3-3 on page 30.

    Machine to perform steps on: Spare Machine

    Via the Wrapper:

    A. Insert the CD into the spare machine.

    B. Select Advanced Upgrade. This option prompts you for the location of the imported configuration file (.tgz) and then automatically installs the new software and utilizes the imported .tgz configuration file.

    Via the Command Line: Use steps 5-7 in TABLE 3-3 on page 30.

    1. Reboot.

    2. If you are using a spare machine and plan on migrating back to your original SmartCenter Server, skip to TABLE 3-6 on page 36.

    3. From the User Center, move your licenses from the original SmartCenter Server. The license of the SmartCenter should be updated with the new IP Address. If central licenses are used for the modules, they should also be updated to the new IP Address. This can be done via the User Center at:

    http://www.checkpoint.com/usercenter

    by choosing the action License / Move IP / Activate Support and Subscription.

    4. Start the SmartCenter Server on the spare machine by applying the cpstart command.

    5. Connect to the SmartDashboard (Policy Editor).

    6. If you upgraded from:

    • 4.1 - Replace all occurrences of the production object with the newly created spare machine object. You can find all occurrences with the Where Used… utility (right-click on the object to choose the command). If your SmartCenter is Stand Alone then:

    1 After upgrading, open the Spare Machine object and select VPN-1.

    2 Manually set all VPN-1 settings.

    3 Define the Traditional Mode configuration so that Backwards Compatibility to Version 4.1 is selected.

    4 Create Internal CA using cpconfig and create IKE certificates for all modules.

    • NG - Update the primary SmartCenter object, with its IP Address and topology, to match its new configuration.

    7. Remove the object you created in TABLE 3-3 on page 30.

    Machine to perform steps on: DNS Server

    8. If you are using a spare machine and plan on migrating back to your original SmartCenter Server, you are done. Otherwise see “Upgrading to a Different IP Address or Domain Name” on page 33.

    9. On the DNS Server, map the Primary SmartCenter Server’s DNS to the new IP Address.

    If you wish to migrate back to your original SmartCenter Server (that has the original IP Address), continue with the following steps:

    TABLE 3-6 Migrating back to your original SmartCenter Server

    Machine to perform steps on: SmartCenter Server

    1. Add rules that will allow the new spare machine to access the modules it is managing. Do this by creating a SmartCenter Object that includes the spare machine's IP address, according to your software version:

    • 4.1 - From the Policy Editor: Manage > Network Objects > New… > Workstation and mark it as a Management Station.

    • NG FP1 - From the Policy Editor: Manage > Network Objects > New… > Workstation and mark it as a Secondary Management.

    • NG FP2 or higher - From SmartDashboard (Policy Editor): Manage > Network Objects > New… > Check Point > Host/Gateway and mark it as Secondary SmartCenter.

    • If this object already exists, make sure it is marked as a Management.

    2. Create a rule on the SmartCenter Server which allows FireWall-1 and CPD (NG only) services from the object you have just created to go to all managed gateways.

    3. Install the rule on all managed gateways.

    4. Delete the rule once you have completed this process.

    5. Use steps 1-4 in TABLE 3-3 on page 30.

    Machine to perform steps on: Spare Machine

    6. Use steps 5-7 in TABLE 3-3 on page 30.

    7. Reboot.

    8. Start the SmartCenter Server on the spare machine by applying the cpstart command.

    9. Connect to the SmartDashboard (Policy Editor).

    10. Update the primary SmartCenter Object, with its IP Address and topology, to match its new configuration.

    11. Remove the object you created in Step 1 in this section.

    Notes, Exceptions and Limitations

    1 Adjust masters and log servers for each module before installing a policy on it. You should add the spare machine's object to the masters list, and if needed, add it to the log servers list on each module.

    2 Re-establish trust with any 4.1 module by using the putkey command.

    3 If both SmartCenter Servers are used simultaneously and have two IP addresses, and changes are done to both, these changes cannot be merged automatically. To synchronize them, manually apply all changes to objects and policies.

    4 Special care should be given to operations that involve Check Point internal CA modifications, like issuing or revoking certificates. These changes cannot be merged, even manually, and will result in different CA databases on both servers. For example, revoking a certificate on one SmartCenter Server will add it to the CRL on that SmartCenter Server, but there is no way to add this certificate to the other CRL. It is highly recommended not to perform any such changes as long as both SmartCenter Servers are in use.

    After Performing an Advanced Upgrade

    Checking to make sure your Database Works Properly

    1 Install the Security Policy on all Modules

    Fetch information is removed during upgrade. After upgrading, you must start SmartConsole and install the Security Policy on all modules, even if there has been no change in the Security Policy. Otherwise the module will try to fetch an old policy from the SmartCenter Server and after the upgrade, the module will not have a policy to fetch.

    2 Open the two Check Point monitoring clients:

    • SmartView Status - to check that your connections with modules are correct and

    • SmartView Tracker - to check that you are receiving logs from modules correctly.

    Flush ARP Tables

    After swapping the machines, flush the ARP tables on the router (if it is a gateway) and on other hosts that communicate with the new machine. Otherwise it can take a few minutes until the ARP entries are renewed and subsequently, connectivity is resumed.

    Upgrading with Management High Availability

    To upgrade the Check Point software on a group of High Availability SmartCenter Servers, proceed as follows:

    1 Synchronize all the SmartCenter Servers(from Global Properties > Management High Availability).

    2 Upgrade the Management Server software on all the SmartCenter Servers.

    3 Open the Check Point’s SmartConsole Client on one of the SmartCenter Servers.

    4 In the General page of each of the other SmartCenter Server’s Gateway Properties window, set the correct Check Point Products Version.

    5 Once again, synchronize all the SmartCenter Servers (from Global Properties > Management High Availability).

    CHAPTER 4

    Check Point Gateway Upgrades

    In This Chapter

    Before You Begin page 39

    Planning a Check Point Gateway Upgrade page 40

    Upgrading Check Point Gateways with SmartUpdate page 44

    Upgrading Modules with SecurePlatform page 41

    Upgrading Check Point Gateways In Place page 47

    Configuring OPSEC for Check Point Gateways page 47

    Before You Begin

    Terminology

    Check Point Gateway - otherwise known as an Enforcement module, or sometimes simply module, is the VPN-1 Pro engine that actively enforces your organization's Security Policy.

    SmartUpdate - SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses.

    Product Repository - This is a SmartUpdate repository on the SmartCenter Server that stores uploaded products (like VPN-1 Pro or FloodGate-1). These products are then used by SmartUpdate to perform upgrades of Check Point Gateways.

    In Place - In Place upgrades are upgrades performed directly on a product without the benefit of SmartUpdate. SmartUpdate is the recommended Check Point upgrade tool.

    ClusterXL - There is a separate “ClusterXL Upgrade” chapter if you have clusters to upgrade. ClusterXL is a software-based load sharing or high availability solution for Check Point gateway deployments.

    Tools for Gateway Upgrades

    SmartUpdate is the primary tool used for upgrading Check Point Gateways. Within SmartUpdate, there are some features and tools for your convenience:

    1 SmartUpdate’s Upgrade All Products Feature - This feature allows you to upgrade all products installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your Operating System as a part of your upgrade.

    2 SmartUpdate’s Add New Product Tools - SmartUpdate provides three tools for adding products to the Product Repository:

    • Add From Download Center - an online download

    • Add From CD - add a new product from the Check Point CD

    • Import File - add a new product that you have stored locally.

    3 SmartUpdate’s Get Check Point Gateway Data - This tool updates SmartUpdate with the current Check Point or OPSEC third party products installed on a specific gateway or for your entire enterprise.

    Planning a Check Point Gateway Upgrade

    There are two options available to you when upgrading a Check Point Gateway:

    • SmartUpdate - SmartUpdate is the recommended upgrade procedure because it allows you to centrally upgrade your Check Point Gateways quickly and safely.

    • In Place - If you did not purchase SmartUpdate, you can upgrade your Check Point Gateways in place by performing a local upgrade on each individual Check Point Gateway.

    SecurePlatform

    If you use SecurePlatform, please go directly to the “Upgrading Modules with SecurePlatform” instructions.

    Upgrading to Windows 2003 Server from pre-2003 Server

    If you are upgrading either a Check Point FireWall-1 Module or a Stand Alone implementation from pre-Windows 2003 Server to a Windows 2003 Server, proceed as follows:


    1 Upgrade Check Point software to NG with Application Intelligence (R55) without upgrading your operating system.

    2 Then upgrade your Operating System to Windows 2003.

    3 Switch to the %FWDIR%\boot\modules directory.

    4 Run the following command on the Check Point module machine:

    fwkern.exe -update CP_FW1MP %FWDIR%\boot\modules\netfw1xpm.inf

Upgrading Modules with SecurePlatform

Upgrade of a SecurePlatform module machine (and all the Check Point products installed on it) is done by simply applying the SecurePlatform upgrade package, which can be found either on the single CD containing the new version, or as a separate package downloadable from the download center:

http://www.checkpoint.com/techsupport/downloads.jsp

If you purchased SmartUpdate, the simplest way to upgrade your SecurePlatform based Check Point Gateway is through the “Upgrade All Products” feature in SmartUpdate; see “Upgrading Check Point Gateways with SmartUpdate” on page 44. If you prefer not to use SmartUpdate, access the SecurePlatform machine via Console or SSH and upgrade it through the Patch utility.

backup

Before upgrading the SecurePlatform system, back up your system configuration using the backup utility:

Syntax

backup (system | cp | all) <name> [tftp <IP address>]

Parameters

TABLE 4-1 Parameters for SecurePlatform backup

parameter            meaning
system               backup system configuration
cp                   backup Check Point products configuration
all                  backup all of the configuration
<name>               name of backup (to be restored to)
[tftp <IP address>]  IP address of tftp server on which the configuration will be backed up

Chapter 4 Check Point Gateway Upgrades 41

Using the “Patch” Utility to Upgrade the “Patch” Utility Itself

If you upgrade SecurePlatform from a version prior to NG with Application Intelligence R54, you need to upgrade the Patch utility before using it to upgrade the SecurePlatform machine:

Using TFTP

1 Download the Patch utility upgrade package from the download center:

http://www.checkpoint.com/techsupport/downloads.jsp

2 Copy this file to a TFTP server.

3 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command line command:

patch add tftp <TFTP server IP address> <package name>

where <TFTP server IP address> is the IP address of the TFTP Server and <package name> is the name of the package downloaded.

Not Using TFTP

1 Download the Patch utility upgrade package from the download center:

http://www.checkpoint.com/techsupport/downloads.jsp

2 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.

3 Use FTP to transfer the Patch utility upgrade package to the SecurePlatform machine.

4 Issue the following command line command:

patch add <full path of upgrade package>

where <full path of upgrade package> is the exact filename (including full path) of the upgrade package.

Upgrading SecurePlatform via the Patch Utility

Using the CD

If you have the CD of the new version you want to upgrade to, do the following:

1 Insert the CD into the CD ROM Drive on the SecurePlatform machine.

2 Logon to the SecurePlatform machine (using Console or SSH Access).

3 Issue the following command line command:

patch add cd

4 Choose the SecurePlatform upgrade package, and follow the upgrade process instructions.

Without the CD

If you do not have the CD, you need to download the SecurePlatform upgrade package from the download center:

http://www.checkpoint.com/techsupport/downloads.jsp

Using TFTP

1 Copy the upgrade package file to a TFTP server.

2 Logon to the SecurePlatform machine (using Console or SSH access). Issue the following command line command:

patch add tftp <TFTP server IP address> <package name>

where <TFTP server IP address> is the IP address of the TFTP Server and <package name> is the name of the package downloaded.

3 Follow the upgrade process instructions.

Without TFTP

1 Logon to the SecurePlatform machine (using Console or SSH access). Enter the Expert shell.

2 Use FTP to transfer the SecurePlatform upgrade package to the SecurePlatform machine.

3 Issue the following command line command:

patch add <full path of upgrade package>

where <full path of upgrade package> is the exact filename (including full path) of the upgrade package.

4 Follow the upgrade process instructions.

Using SmartUpdate to Upgrade SecurePlatform

Once you are familiar with this chapter outlining the SmartUpdate upgrade process, proceed as follows:

1 Add the SecurePlatform upgrade package to the SmartUpdate repository.

    2 Select Products > Upgrade All Products and select the target SecurePlatform machine.

    Upgrading Check Point Gateways with SmartUpdate

    Prerequisites for SmartUpdate Upgrade

    For the Check Point Gateways and the SmartCenter Server, obtain licenses from the User Center at http://www.checkpoint.com/usercenter.

Requirements for Upgrading Gateways from Version 4.1 SP2

• VPN-1/FireWall-1 4.1 SP2 (or higher).

• An fw putkey connection between the SmartCenter Server and version 4.1 SP2 remote Check Point Gateways.

• CPutil must be installed and configured. This is required for CPRID, which is needed for all remote product operations. The CPutil package and associated Release Notes are available on the “Check Point 2000 CD” and from

http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html

• In order to establish the CPRID connection with the 4.1 Check Point Gateway, a utility called opsec_putkey was added to the SmartCenter Server. Run the command from the utility directory $CPDIR/database/cprid/cprid_util_keys after configuring CPutil on the remote Check Point Gateway:

opsec_putkey -ssl -p -port 18208

Requirements for Upgrading Gateways from NG

Ensure that there is Secure Internal Communication between the SmartCenter Server and the Check Point Gateways to be upgraded.

Reboot your upgraded SmartCenter Server.

Configuring the SmartCenter Server so that you can use SmartUpdate

3 Install the latest version of the SmartConsole, including SmartUpdate.

4 For a new SmartCenter Server installation, install on the SmartCenter Server (using the CPConfig configuration tool or the cplic put command):

• the NG SmartCenter license and

• the SmartUpdate license.

    The SmartUpdate license is needed for product management capabilities.

    5 Define the remote Check Point Gateways in SmartDashboard (for a new SmartCenter Server installation).

    6 Make sure that the Administrator SmartUpdate permissions (as defined in the cpconfig configuration tool) are Read/Write. Alternatively, log in as root.

    7 To upgrade version NG and above Check Point Gateways, ensure that in SmartDashboard, in the Policy Global Properties window in the FireWall-1 Implied Rules page, Accept CPRID Connections (SmartUpdate) is checked. By default, it is checked.

8 To upgrade version 4.1 Check Point Gateways, add a rule in SmartDashboard to accept CPRID connections (ANY ANY FW1_CPRID Accept).

    Using SmartUpdate to Add Products to the Product Repository

Use SmartUpdate to add products to (and delete products from) the Product Repository.

    Products can be added to the Repository:

    • directly from the Check Point Download Center web site (by selecting Product > New Product > Add From Download Center...),

    • by adding them from the Check Point CD (Product > New Product > Add From CD...), and

    • by importing a file (Product > New Product > Import File...).

    When adding the product to the Product Repository, the product file is transferred to the SmartCenter Server. The Operation Status window opens. Use it to verify the success of the operation. The Product Repository is then updated to show the new product object.

    Using SmartUpdate to Upgrade Remote Check Point Gateways

    Updating All Products on a Check Point Gateway

All Check Point NG products on a Check Point Gateway, including the operating system for Nokia IPSO and SecurePlatform, can be remotely updated to the latest version in a single operation.

1 In SmartUpdate, select Products > Upgrade All Products and select one or more Check Point Gateways.

    The requested operation is verified by checking the following:


    • The required products of the latest version are in the Product Repository.

    • All Check Point products installed on the Check Point Gateways are of the same NG version.

• Verification of the installation logic, sufficient disk space, and a cprid (Check Point Remote Installation Daemon) connection to the Check Point Gateway.

    2 If verification is successful, the Upgrade All Products window opens showing the currently installed products and the products to be installed on the chosen Check Point Gateways.

    If one or more of the required products are missing from the Product Repository, SmartUpdate will open the Download Products window. You can then download the required product directly to the Product Repository.

    Note that the Reboot Check Point Gateway After Installation option (checked by default) is required in order to activate the newly installed product.

    3 Click Upgrade.

    The Operation Status window opens and shows the progress of the operation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window which shows the operation history.

    Using SmartUpdate to Upgrade IPSO

    Proceed as follows:

    1 Add the Nokia IPSO image package to the SmartUpdate repository. Nokia IPSO images can be obtained from the Nokia website:

    http://www.nokia.com

2 Add the Check Point product packages for IPSO to the SmartUpdate repository.

    3 Make sure that the $SUDIR/conf/IPSO_VER.txt file on the SmartCenter Server is updated with the IPSO OS Package version you want to install and exists in the repository.

    4 Select Products > Upgrade All Products and select the target Nokia machine.

Upgrading a Single Product on a Check Point Gateway

    Use this procedure to upgrade version 4.1 SP2 products.

    Proceed as follows:

    1 Drag and drop the latest version of SVN Foundation from the Product Repository over the Check Point Gateway object in the Products tab.

Follow the progress of the operation in the Operation Status window.


    2 Drag and drop the latest version of each of the desired Check Point products, one at a time, from the Product Repository over the Check Point Gateway object in the Products tab.

    Follow the progress of the operation in the Operation Status window.

Upgrading Check Point Gateways In Place

Upgrading Check Point Gateways manually in a distributed installation, without the benefit of SmartUpdate, requires you to take care of some steps that SmartUpdate handles automatically. This chapter outlines a basic upgrade and includes special steps to use if you are upgrading manually. It also offers some advice for minimizing your downtime during an upgrade.

    First Upgrade your Operating System

If you plan to upgrade your operating system, do it before upgrading your Check Point Gateway. Place the CD in your CD ROM drive and follow the straightforward instructions in the installation wizard. Once you have successfully completed the installation, reboot your machine. During an In Place (or SmartUpdate) Check Point Gateway upgrade only the kernel and daemons are replaced; SIC is maintained.

    Special Considerations for Manual Check Point Gateway Upgrade

    1 If you manually upgrade the Check Point Gateway, update the version of the objects representing the Check Point Gateways in SmartDashboard to NG with Application Intelligence (R55) via the General page of its Check Point Gateway window.

    2 SAM (Suspicious Activities Monitoring) dynamic rules are not automatically upgraded from 4.1 to NG with Application Intelligence. Instructions follow:

    Configuring OPSEC for Check Point Gateways

    This section addresses users who upgraded VPN-1 Pro Check Point Gateways from 4.1 SP5 which have CVP or UFP servers. The CVP or UFP servers may be in a load sharing configuration. The section also addresses users who use the SAM proxy feature.

    During the VPN-1 Pro Check Point Gateway upgrade, some of the data contained in the fwopsec.conf is moved or modified. The rest of the data in this file should be either manually or automatically updated in the SmartCenter’s database.


    Automatic Update

    The upgrade_fwopsec tool automatically performs the set of updates that you can read about in detail in the following “Manual Update” section.

    The tool works on the fwopsec.v4x file. This is a backup of the original fwopsec.conf file before it is modified by the VPN-1 Pro Check Point Gateway upgrade.

    1 Make sure that the SmartDashboard application is closed before running upgrade_fwopsec.

    2 Confirm that SIC communication is established between the SmartCenter Server and the VPN-1 Pro Check Point Gateway.

3 Run upgrade_fwopsec on the SmartCenter Server.

Sample command run from SmartCenter where SIC has been established:

upgrade_fwopsec -fw -fetch -f conf/fwopsec.v4x

Explanation of Sample Command:

This command fetches $FWDIR/conf/fwopsec.v4x from the Check Point Gateway and updates SmartCenter's database. The program prints the operations and the results.

4 Install the policy on the Check Point Gateway.

TABLE 4-2 upgrade_fwopsec options

parameter                    meaning
-mgmt mgmt_host              The name of the SmartCenter Server (default is localhost).
-u user                      The administrator’s name. The administrator must have write permission.
-p password                  The user’s password (the password used for the GUI Management Client).
[-fwm fw_obj_name [-fetch]]  fw_obj_name is the name of the Check Point Gateway object (as specified in the VPN-1/FireWall-1 SmartDashboard) to which the configuration information applies. If -fetch is specified, the information is retrieved from fwopsec_file on the Check Point Gateway; otherwise upgrade_fwopsec retrieves it from the SmartCenter Server (the local machine on which this command is run).
-f fwopsec_file              The path to the file containing the configuration information, usually “fwopsec.v4x”. If the -fetch option is used, fwopsec_file specifies the file’s path relative to the remote Check Point Gateway’s $FWDIR.
[-log log_file | -nolog]     Log the upgrade process to log_file (default is $FWDIR/tmp/.upg_opsec.log). If -nolog is specified, the log is directed to stderr. If the upgrade is successful, the log is appended to $FWDIR/tmp/mgmt.upg_opsec.log.

Manual Update

The data that needs manual updating is as follows:

• CVP and UFP backwards compatibility communication methods. The lines in the file begin with server. This data should be moved to the relevant CVP or UFP OPSEC application object.

• SAM backwards compatibility communication methods. The lines in the file begin with server. There will also be a line that begins with sam_allow_remote_request. This data should be moved to the SAM tab of the relevant VPN-1 Pro Check Point Gateway’s object in SmartDashboard.

• CVP and UFP load sharing definitions. The relevant blocks contain the word load_sharing. These load sharing definitions should be migrated into new objects of type CVP or UFP Collection. If the Collection members are not defined, they should be created.

• Modify the Resource objects that referenced the old CVP or UFP load sharing objects so that they reference the new Collection objects.
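As an added illustration of the triage in the Manual Update list (this is not a Check Point tool, and it does not implement the real fwopsec.conf grammar), the Python below walks a constructed fwopsec.v4x, sorts each entry into the destination the list names, and flags Collection members that have no server definition. The sample file, the `type` token on server lines and the brace-delimited block layout are all assumptions made for this example.

```python
"""Triage a legacy fwopsec.v4x (the pre-upgrade copy of fwopsec.conf) into the
manual-migration buckets named in the Manual Update section.  Added example:
the syntax handled here is CONSTRUCTED from the guide's description (lines
starting with 'server', a 'sam_allow_remote_request' line, blocks mentioning
'load_sharing'); it is not Check Point's real grammar."""
import re
from dataclasses import dataclass, field

# Constructed sample, not copied from any real gateway.
SAMPLE_FWOPSEC_V4X = """\
# fwopsec.v4x: backup taken before the VPN-1 Pro upgrade (constructed)
server cvp_av1 type cvp port 18181 auth_type sslca
server ufp_url1 type ufp port 18182 auth_type fwn1
server sam_proxy type sam port 18183 auth_type clear
sam_allow_remote_request yes
cvp_pool {
    load_sharing round_robin
    members cvp_av1 cvp_av2
}
"""


@dataclass
class MigrationPlan:
    opsec_app_servers: list = field(default_factory=list)  # -> CVP/UFP OPSEC application objects
    sam_settings: list = field(default_factory=list)       # -> SAM tab of the gateway object
    collections: dict = field(default_factory=dict)        # block -> members (-> Collection objects)
    members_to_create: list = field(default_factory=list)  # members with no server line
    resources_to_repoint: list = field(default_factory=list)  # old load sharing names used by Resources


def _token_after(fields, key):
    """Return the token following `key` on a line, or None (assumed 'type' field)."""
    return fields[fields.index(key) + 1] if key in fields[:-1] else None


def _finish_block(plan, name, lines):
    """Only blocks that mention load_sharing need a CVP/UFP Collection object."""
    if not any(l.split()[0] == "load_sharing" for l in lines):
        return
    members = []
    for l in lines:
        f = l.split()
        if f[0] == "members":
            members.extend(f[1:])
    plan.collections[name] = members
    plan.resources_to_repoint.append(name)  # Resources pointing here must move to the Collection


def parse_fwopsec_v4x(text):
    plan, defined = MigrationPlan(), set()
    block, block_lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if block is not None:                      # inside a { ... } block
            if line == "}":
                _finish_block(plan, block, block_lines)
                block, block_lines = None, []
            else:
                block_lines.append(line)
            continue
        m = re.match(r"^(\w+)\s*\{$", line)
        if m:
            block = m.group(1)
            continue
        fields = line.split()
        if fields[0] == "server":                  # backwards-compatibility communication method
            defined.add(fields[1])
            kind = _token_after(fields, "type")
            if kind == "sam":
                plan.sam_settings.append(line)     # SAM method -> SAM tab
            else:
                plan.opsec_app_servers.append((fields[1], kind, line))
        elif fields[0] == "sam_allow_remote_request":
            plan.sam_settings.append(line)
    for members in plan.collections.values():      # members must exist before the Collection
        plan.members_to_create.extend(mem for mem in members if mem not in defined)
    return plan


if __name__ == "__main__":
    print(parse_fwopsec_v4x(SAMPLE_FWOPSEC_V4X))
```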


CHAPTER 5

    ClusterXL Upgrade

In This Chapter

Before You Begin page 51

Planning a Cluster Upgrade page 52

Performing a Minimal Effort Upgrade on a ClusterXL Cluster page 53

Performing a Zero Down Time Upgrade on a ClusterXL Cluster page 54

Performing a Full Connectivity Upgrade on a ClusterXL Cluster page 57

Before You Begin

Terminology

module - otherwise known as an Enforcement module, or sometimes simply module, is the VPN-1 Pro engine that actively enforces your organization’s Security Policy.

SmartUpdate - SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses.

Product Repository - This is a SmartUpdate repository on the SmartCenter Server that stores uploaded products (like VPN-1 Pro or FloodGate-1). These products are then used by SmartUpdate to perform upgrades of Check Point Gateways.

In Place - In Place upgrades are upgrades performed directly on a product without the benefit of SmartUpdate. SmartUpdate is the recommended Check Point upgrade tool.

ClusterXL - ClusterXL is a software-based load sharing and high availability solution for Check Point gateway deployments. It distributes traffic between clusters of redundant gateways so that the computing capacity of multiple machines may be combined to increase total throughput. In the event that any individual gateway becomes unreachable, all connections are re-directed to a designated backup without interruption. Tight integration with Check Point's SmartCenter management and enforcement point solutions ensures that ClusterXL deployment is a simple task for FireWall-1, VPN-1, and FloodGate-1 administrators.

    Tools for Gateway Upgrades

    1 SmartUpdate’s Upgrade All Products Feature - This feature allows you to upgrade all products installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your Operating System as a part of your upgrade.

    2 SmartUpdate’s Add New Product Tools - SmartUpdate provides three tools for adding products to the Product Repository:

    • Add From Download Center - an online download

    • Add From CD - add a new product from the Check Point CD

    • Import File - add a new product that you have stored locally.

    3 SmartUpdate’s Get Check Point Gateway Data - This tool updates SmartUpdate with the current Check Point or OPSEC third party products installed on a specific gateway or for your entire enterprise.

Planning a Cluster Upgrade

In order to upgrade ClusterXL there are three options available to you:

• Minimal Effort Upgrade - Choose this option if you have a period of time during which network downtime is allowed. The minimal effort method is much simpler because the cluster members are treated and upgraded as individual gateways. Therefore, the instructions for this method are located in the “Check Point Gateway Upgrades” chapter.

• Zero Downtime - Choose this option if your gateway needs to remain active. The zero downtime method assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic.

• Full Connectivity Upgrade - Choose this option if your gateway needs to remain active and your connections must be maintained. Full Connectivity Upgrade with Zero Down Time assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic, and open connections are maintained during the upgrade.


    Working with a Mixed Cluster

When there are cluster members of different versions on the same synchronization network, the cluster members with the previous version will turn active and the cluster members with the newer version will remain in a special state called Ready. In this state the newer version cluster members do not process any traffic destined for the cluster IP. During the upgrade this behavior is the expected one. If you wish to avoid such a situation, for example during a downgrade, you should physically (or using ifconfig) disconnect the cluster interfaces and the synchronization network of that cluster member prior to the downgrade process.

Upgrading OPSEC Certified Third Party Cluster Products

• When upgrading Nokia clustering (VRRP and IP Cluster) follow either of the regular procedures (Zero downtime or Minimal effort).

• When upgrading other third party clustering products it is recommended to use the minimal effort procedure. Zero downtime upgrade (with or without FCU) is not supported using the regular procedure. The third party may supply an alternative upgrade procedure to achieve a zero downtime upgrade. Consult the third party documentation.

• When upgrading from a Version 4.1 SP5 cluster, configure the Synchronization Network from the Synchronization tab. Check the Support Non-sticky Connections check box in the Third Party Configuration tab when the third party solution does not assure full connection stickiness (meaning that packets from client-to-server and from server-to-client pass through the same cluster member). Consult the Third Party Vendor's documentation for information regarding whether or not you should check the boxes: Hide cluster members' outgoing traffic behind the cluster's IP address and Forward cluster's incoming traffic to cluster members' IP address.

    Performing a Minimal Effort Upgrade on a ClusterXL Cluster

    If it is your intention to perform a Minimal Effort Upgrade, meaning you can afford to have a period of time during which network downtime is allowed, you will basically be treating cluster members as individual gateways. In other words, each cluster member can be upgraded in the same way you upgrade an individual gateway member. Please refer to the “Check Point Gateway Upgrades” chapter for gateway upgrade instructions.

    Chapter 5 ClusterXL Upgrade 53


    Performing a Zero Down Time Upgrade on a ClusterXL Cluster

    Supported Modes

    Zero Downtime is supported on all modes of ClusterXL including IPSO’s IP clustering and VRRP. For other third party clustering solutions please consult your third party solution’s guide.

    Planning your Zero Down Time Upgrade

    Assume you have a cluster of several VPN-1 Pro machines (called A, B and C in this example) with any version from 4.1 SP5 to NG with Application Intelligence.

    The upgrade is divided into three parts:

    1 Upgrade the SmartCenter Server (see the “SmartCenter Upgrade” chapter)

    2 Upgrade all but one of the cluster members.

    3 Upgrade the last cluster member.

    Upgrade All But One of the Cluster Members

    1 Run cphaconf set_ccp broadcast on all cluster members. This will turn the clu