Installation and Upgrade Guide

Internet Security Product Suite Version R70

703617 August 13, 2009

© 2003-2009 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks. For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Contents

Installation Section

Chapter 1  Introduction
    Welcome
    Who Should Use This Guide
    R70 Documentation
    New Terms
    Related Documentation
    For New Check Point Customers
    Endpoint Security Integration
    More Information
    Feedback

Chapter 2  Getting Started
    Terminology
    Provider-1/SiteManager-1 Terminology
    Hardware and Software Requirements
    Compatibility Tables
        Product Notes
        Platform Notes
    Supported Upgrade Paths and Interoperability
        Upgrade Paths and Interoperability
        Upgrading Security Management Servers
        Backward Compatibility For Gateways
        IPS-1 Upgrade Paths and Interoperability
    Licensing R70
        Licensing R70
        Licensing Provider-1/SiteManager-1
        Licensing IPS-1
        Licensing Eventia Suite

Chapter 3  Setup and Installation
    Overview
    Installing on SecurePlatform
        Installing SecurePlatform Using the CD
        Installing SecurePlatform from the Network
        Initially Configuring SecurePlatform
        Installing R70 Products on SecurePlatform
        Configuring SecurePlatform Using WebUI
    Installing on Windows
    Installing on Solaris or Linux
    Installing on Nokia
        Before Installing
        Upgrading IPSO 4.x to IPSO 6.0.7
        Configuring R70
    Initially Configuring Products
        Configuration Tool Overview
        Using the Configuration Tool on Windows Systems
        Using the Configuration Tool on Unix Systems
        Logging In for the First Time
    Where To From Here?

Chapter 4  Installing Provider-1
    Overview
    Creating the Provider-1 Environment
        Setting Up Provider-1 Networking
        Install the Gateways
        Installing and Configuring the Primary MDS
        Installing SmartConsole and MDG Clients
    Using the MDG for the First Time
        Launching the MDG
        Adding Licenses using the MDG
    Where To From Here?

Chapter 5  Installing Eventia Suite
    Eventia Suite Installation
    Standalone Installation vs. Distributed Installation
    Installing Eventia Suite on Multiple Versions of Security Management Server
    Standalone Installation
        Windows Platform
        Solaris & Linux Platforms
        SecurePlatform
    Distributed Installation
        Windows Platform
        Solaris and Linux and SecurePlatform
    Enabling Connectivity Through a Firewall
    Preparing Eventia Suite in Security Management server
    Preparing Eventia Suite on Provider-1 MDS
        For Provider-1/SiteManager-1 Version R55
        For Provider-1/SiteManager-1 Version R60
        For Provider-1/SiteManager-1 Version R61 and Up

Chapter 6  IPS-1 Setup and Installation
    Overview
        Platforms
        IPS-1 System Architecture
    IPS-1 Deployment
        IPS-1 Sensor Deployment
        IPS-1 Management Deployment
    IPS-1 Management Installation and Setup
        Installation of IPS-1 Management Servers
    IPS-1 Sensor Appliances
    IPS-1 Sensor Installation
        Introduction
        IPS-1 Sensor Appliance Models
        Installing SecurePlatform and IPS-1 Sensors
        Connecting to IPS-1 Sensors
        Initial Configuration of IPS-1 Sensors
        Initial Configuration of IPS-1 Power Sensor
    IPS-1 Management Dashboard Installation
    Post-Installation Steps
        Configuring NTP on SecurePlatform
        Completing IPS-1 Management Setup
        Completing IPS-1 Sensor Setup
    Where To From Here?

Upgrade Section

Chapter 7  Introduction to the Upgrade Process
    Documentation
    Contract Verification
    Supported Upgrade Paths and Interoperability
        Upgrading Management Servers
        Backward Compatibility For Gateways
    Terminology
    Obtaining Software Installation Packages
    Upgrade Tools
    Upgrading Successfully

Chapter 8  Service Contract Files
    Introduction
    Working with Contract Files
    Installing a Contract File on Security Management server
        On a Windows Platform
        On SecurePlatform, Linux, and Solaris
        On IPSO
    Installing a Contract File on a Gateway
        On a Windows Platform
        On SecurePlatform and Linux
        On IPSO
    Managing Contracts
        Managing Contracts with SmartUpdate
        Updating Contracts

Chapter 9  Upgrading a Distributed Deployment
    Introduction
    Pre-Upgrade Considerations
        Pre-upgrade Verification
        Web Intelligence License Enforcement
        Upgrading Products on a SecurePlatform Operating System
        UTM-1 Edge Gateways Prior to Firmware Version 7.5
    Upgrading the Security Management Server
        Using the Pre-Upgrade Verification Tool
        Security Management Server Upgrade on a Windows Platform
        Security Management Server Upgrade on SecurePlatform
        Security Management Server Upgrade on a Solaris Platform
        Security Management Server Upgrade on a Linux Platform
        Security Management Server Upgrade on an IPSO Platform
    Upgrading the Gateway
        Upgrading the Gateway Using SmartUpdate
        Upgrading a Clustered Deployment
        Gateway Upgrade Process on a Windows Platform
        Gateway Upgrade on SecurePlatform
        Gateway Upgrade on an IPSO Platform
        Gateway Upgrade on a UTM-1/Power-1 Appliance

Chapter 10  Backup and Revert for Security Gateways
    Introduction
    Backing Up Your Current Deployment
        SecurePlatform Backup and Restore Commands
            Backup
            Restore
        SecurePlatform Snapshot Image Management
            Snapshot
            Revert
    Restoring a Deployment
    Reverting to Your Previous Deployment

Chapter 11  Upgrading a Standalone Deployment
    Introduction
    Pre-Upgrade Considerations
        Using the Pre-Upgrade Verification Tool
        Upgrading Products on a SecurePlatform Operating System
        Reverting to Your Previous Software Version
    Standalone Security Gateway Upgrade on a Windows Platform
    Standalone Security Gateway Upgrade on SecurePlatform
        Uninstalling Packages
    Standalone Upgrade on a UTM-1/Power-1 Appliance
        Uninstalling Packages
    Standalone Gateway Upgrade on an IPSO Platform
        Before Installing
        Upgrading Through the CLI
        Upgrading Through Voyager
        Uninstalling Previous Software Packages

Chapter 12  Upgrading ClusterXL Deployments
    Tools for Gateway Upgrades
    Planning a Cluster Upgrade
        Permanent Kernel Global Variables
        Ready State During Cluster Upgrade/Rollback Operations
        Upgrading OPSEC Certified Third-Party Cluster Products
    Minimal Effort Upgrade on a ClusterXL Cluster
    Zero Downtime Upgrade on a ClusterXL Cluster
        Supported Modes
    Full Connectivity Upgrade on a ClusterXL Cluster
        Understanding a Full Connectivity Upgrade
        Supported Modes
        Performing a Full Connectivity Upgrade

Chapter 13  Advanced Upgrade of Management servers & Standalone Gateways
    Introduction
    Migrate Your Current Management Configuration and Upgrade
        Introduction
        Advanced Upgrade on a Windows Platform
        Advanced Upgrade on a Linux Platform
        Advanced Upgrade on SecurePlatform
        Advanced Upgrade on an IPSO Platform
        Advanced Upgrade on a Solaris Platform
        Migration to a New Machine with a Different IP Address
    Migrate Your Current Gateway Configuration & Upgrade
        Advanced Upgrade on a Windows Platform
        Advanced Upgrade on a Linux Platform
        Advanced Upgrade on SecurePlatform
        Advanced Upgrade on an IPSO Platform

Chapter 14  Upgrading Provider-1
    Introduction
        Supported Versions and Platforms
        Before You Begin
    Provider-1 Upgrade Tools
        Installation Script
        Pre-Upgrade Verifiers and Fixing Utilities
        merge_plugin_tables
        migrate_assist
        cma_migrate
        migrate_global_policies
        export_database
        Backup and Restore
    Provider-1 Upgrade Practices
        In-Place Upgrade
        Replicate and Upgrade
        Gradual Upgrade to Another Machine
        Migrating from Security Management to a CMA
    Upgrading in a Multi-MDS Environment
        Upgrading a Multi-MDS System
        Pre-Upgrade Verification and Tools
        Restarting CMAs
        Restoring Your Original Environment
    Renaming Customers
        Before the Upgrade
        Restoring Your Original Environment
        Identifying Non-Compliant Customer Names
        Automatic Division of Non-Compliant Names
        High Availability Environment
        Resolving Non-Compliance
        Advanced Usage
    Changing the MDS IP Address and External Interface
        IP Address Change
        Interface Change
    IPS in Provider-1

Chapter 15  Upgrading SmartLSM ROBO Gateways
    Planning the ROBO Gateway Upgrade
        ROBO Gateway Upgrade Package to SmartUpdate Repository
        License Upgrade for a VPN-1 Power/UTM ROBO Gateway
        Using SmartProvisioning to Attach the Upgraded Licenses
        License Upgrade on Multiple ROBO Gateways
    Upgrading a ROBO Gateway Using SmartProvisioning
        Upgrading a VPN-1 Power/UTM ROBO Gateway
        Upgrading a UTM-1 Edge ROBO Gateway
        Upgrading a VPN-1 Power/UTM ROBO Gateway In Place
    Using the Command Line Interface
        SmartLSM Upgrade Tools
        Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli
        Upgrading a UTM-1 Edge ROBO Gateway Using LSMcli
        Using the LSMcli in Scripts

Chapter 16  Upgrading Eventia
    Overview
    Upgrading Eventia Reporter
        For Standalone Deployments
        For Distributed Deployments
        Advanced Eventia Reporter Upgrade
        Enabling Eventia Analyzer after Upgrading Reporter
    Upgrading Eventia Analyzer
        Verifying the Events Database Has Been Moved
        Upgrading Eventia Analyzer to R70
        Enabling Eventia Reporter

Chapter 17  Upgrading IPS-1
    IPS-1 Upgrade Paths
        Upgrading from R65.1 to R65.2
    Upgrading IPS-1 Management Servers
    Upgrading IPS-1 Sensors
        Upgrading IPS-1 Power Sensors
        Remotely Upgrading an IPS-1 Power Sensor
        Reinstalling an IPS-1 Power Sensor
        Upgrading Legacy Sensor Appliances
            100C and 200C
            200F
            310C
            320C
            320F
            500C (pre-Jan 2006)
            500C (post-Jan 2006)
            500F (pre-Jan 2006)
            500F (post-Jan 2006)


Installation Section

This section covers installing the current version.


Chapter 1  Introduction

In This Chapter
    Welcome
    Who Should Use This Guide
    R70 Documentation
    Related Documentation
    For New Check Point Customers
    Endpoint Security Integration
    More Information
    Feedback

Welcome

Thank you for choosing Check Point’s Internet Security Product Suite. Check Point products provide your business with the most up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional, and support services through a network of Authorized Training Centers, Certified Support Partners, and Check Point technical support personnel to ensure that you get the most out of your security investment. We hope that you will be satisfied with this solution and our support services.


New Terms

The following product and technology names have been changed for this version.

Table 1: Product and Technology Names

    Versions NG and NGX Products and Technologies    Version R70 Products and Technologies
    Firewall-1                                       Firewall
    Integrity                                        Endpoint Security

Explains all upgrade paths for Check Point products specifically geared towards upgrading to the current version. Security Management Server Administration Guide Firewall Administration Guide IPS Administration Guide Virtual Private Networks Administration Guide 18 . URL Filtering (UFP) applications. and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol (CVP) applications.Related Documentation Related Documentation The current release includes the following documentation. including hardware and software requirements and licensing requirements. managing. Describes how to control and secure network access and VoIP traffic. TABLE P-1 Check Point Documentation Title Internet Security Installation and Upgrade Guide High-End Installation and Upgrade Guide Description Contains detailed installation instructions for Check Point network security products. Describes how to use IPS to protect against attacks. This guide provides solutions for control over configuring. and monitoring security deployments. Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure. Explains Security Management solutions. how to use integrated web security capabilities. Explains the available upgrade paths from versions R60-65 to the current version. Contains detailed installation instructions for the Provider-1 and VSX products.

SecurePlatform/ SecurePlatform Pro Administration Guide Provider-1/SiteManager-1 Administration Guide For New Check Point Customers New Check Point customers can access the Check Point User Center in order to: • • • • • Manage users and accounts Activate products Get support offers Open service requests Search the Technical Knowledge Base To access the Check Point User Center.html. Explains the Provider-1 security management solution. This guide provides details about a three-tier. and generate detailed or summarized reports in the format of your choice (list.com/pub/usercenter/get_started.checkpoint. vertical bar. go to: https://usercenter. pie chart etc.For New Check Point Customers TABLE P-1 Check Point Documentation (continued) Title Eventia Reporter Administration Guide Description Explains how to monitor and audit traffic. multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. SecureClient and IPS. Explains how to install and configure SecurePlatform. Chapter 1 Introduction 19 .) for all events logged by Check Point Security Gateways. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.

Endpoint Security Integration

For in-depth documentation of Provider-1/Security Management server integration with Check Point Endpoint Security products, refer to:
• Endpoint Security Installation Guide R70
• Security Management Server Administration Guide

More Information
• For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com.
• To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com

Chapter 2 Getting Started

In This Chapter
Terminology: page 22
Provider-1/SiteManager-1 Terminology: page 23
Hardware and Software Requirements: page 24
Compatibility Tables: page 25
Supported Upgrade Paths and Interoperability: page 27
Licensing R70: page 29

This chapter contains information and terminology related to installing R70.

Terminology

The following terms are used throughout this chapter:
• Gateway: The software component that enforces the organization's security policy and acts as a security enforcement point.
• Security Management server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the Security Management server and downloaded to the gateway.
• Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.
• SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
• SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.
• Standalone Deployment: When Check Point components responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.
• Distributed Deployment: When the gateway and the Security Management server are installed on separate machines.

Provider-1/SiteManager-1 Terminology

The following Provider-1/SiteManager-1 terms are used throughout this chapter.
• Multi-Domain Server (MDS): A server that houses Provider-1 system information. The MDS contains information on Provider-1 deployment, administrators, Customers and customer networks. The MDS has an ICA that secures the Provider-1 management domain. The MDS has two modes:
  • Manager: Runs the Provider-1 deployment and is the administrator's entry point into the Provider-1 environment.
  • Container: Holds the Customer Management Add-ons (CMAs).
  An MDS can be a Manager, a Container or both.
• Multi-Domain Log Module (MLM): An MDS Container dedicated to collecting and storing logs. An MLM is a Container of Customer Log Modules (CLMs).
• Customer Log Module (CLM): A log server for a single Customer.
• Customer: A business entity or subdivision of a business entity whose networks are protected by security gateways, UTM-1 Edge appliances or other Check Point compatible firewalls. The Customer's security policies and network access are managed using Provider-1/SiteManager-1.
• Customer Management Add-on (CMA): The Provider-1 equivalent of the Security Management server for a single Customer. Using the CMA, an administrator creates security policies and manages customer gateways. Each CMA has its own ICA to secure its customer's management domain.
• Internal Certificate Authority (ICA): In addition to authenticating administrators and users, the ICA creates and manages X.509 compliant certificates for Secure Internal Communication (SIC) between security gateways.
• GUI Client: A computer running Check Point GUI interfaces, such as the Provider-1 MDG, and other SmartConsole applications.
• Provider-1 Administrator: A security administrator, assigned with granular permissions, that manages specific parts of the Provider-1 system. Administrators can be assigned one of the following four permission levels:
  • Provider-1 Superuser: Manages the entire Provider-1 system, which includes all MDS servers, administrators (with all permission levels), Customers and customer networks.
  • Customer Superuser: Manages all administrators (with lower permission levels), Customers and customer networks.

  • Customer Manager: Manages customer networks for specific Customers. Administrators with this permission level can use the MDG application, but they can only view and manage their assigned customers.
  • None: Manages customer networks for specific Customers, but cannot access the MDG application.
• Global Manager: A new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.

Hardware and Software Requirements

For all hardware and software requirements for each product and platform, see the latest version of the relevant Release Notes at: http://support.checkpoint.com

Compatibility Tables

If the existing Check Point implementation contains products that are not supported by R70, the R70 installation process terminates. Table 2-1 and Table 2-2 list supported Check Point products and VPN clients by platform.

Table 2-1 Supported Products by Platform

Platform and Operating System:
• Check Point SecurePlatform: RHEL 5.0 kernel 2.6.18
• Windows: Server 2003 (SP1-2) 32bit, Server 2008 32bit
• Nokia IPSO 6.0.7
• Crossbeam X-Series
• Solaris UltraSPARC 8, 9, 10

Software Blade / Product:
• Security Gateway
• Security Management
• Provider-1/SiteManager-1 Server (MDS)
• Performance Pack
• Advanced Routing
• Management Portal
• Reporting and Event Correlation
• Clustering (ClusterXL)
• CoreXL
• Provisioning Enabled SmartLSM Gateways
• Provisioning Enabled Management
• SSL Network Extender Server
• Endpoint Security Server
• VSX Security Gateway (Nokia: IPSO 5)
• OSE Supported Routers (Cisco OS Versions: 9.x, 10.x, 11.x, 12.x)

Product Notes
1. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and Eventia Analyzer Correlation Unit.
2. Anti-Virus and Web Filtering are included on SecurePlatform.

Platform Notes
1. Only UltraSPARC 64-bit is supported, for Security Management only (not for gateways).
2. HA Legacy mode is not supported on Windows Server 2003.
3. UserAuthority is not supported on Nokia flash-based platforms.
4. UTM-1 Edge devices cannot be managed from a Security Management running on a Nokia IPSO platform.
5. ClusterXL is supported only in third party mode with VRRP or IP Clustering. The maximum number of cluster members is eight.
6. Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5-2.0.

Table 2-2 Supported Clients by Platform

Platform and Operating System:
• Windows 2000 Server / 2000 Pro (SP1-4), Advanced Server (SP1-4)
• Windows XP Home & Pro (SP3)
• Windows Server 2003 (SP1-2)
• Windows Vista (SP1)
• Windows Server 2008
• Windows Mobile 2003, 2003SE, 5.0, 6.0, 6.1
• Mac OS 10.4, Mac OS 10.5
• Linux

Check Point Product:
• SmartConsole
• Provider-1/SiteManager-1 MDG
• SecuRemote
• SecureClient
• SecureClient Mobile
• SSL Network Extender
• Endpoint Security Client
• Endpoint Connect Client

Notes to Supported by Platform Table
1. To run SmartConsole applications on Windows 2000, you must have Microsoft Installer 3.0 installed.
2. Microsoft Installer support is required for installation of Endpoint Security clients.

Supported Upgrade Paths and Interoperability

In This Section:
Upgrade Paths and Interoperability: page 27
Upgrading Security Management Servers: page 27
Backward Compatibility For Gateways: page 27
IPS-1 Upgrade Paths and Interoperability: page 28

Upgrade Paths and Interoperability

Security Management servers and security gateways exist in a wide variety of deployments. Consult Table 2-3 and Table 2-4 to determine which versions of your management server and gateways can be upgraded to R70.

Upgrading Security Management Servers

The following Security Management server versions can be upgraded to R70:

Table 2-3 Security Management server Upgrade Paths

Release: NGX
Version:
• R60, R60A, R61, R62
• R65 (R65.4 not supported)
• R65 with HFA 30 with the Connectra NGX R66 Plug-in
• R65 with Messaging Security
• R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
• R65 with the SmartProvisioning Plug-in
• R65 UTM-1
• R65 Power-1

Backward Compatibility For Gateways

R70 Security Management server supports the following gateway versions:

Table 2-4 Backward Compatibility for Gateways

Release: Version
• NGX: R60, R60A, R61, R62, R62CM, R65
• InterSpect: NGX R60
• Connectra: NGX R61, R62, R66
• UTM-1 Edge, Endpoint Security: 7.x and above

Note - R70 cannot manage gateway versions NG, NG FP1, or NG FP2.

IPS-1 Upgrade Paths and Interoperability

Upgrade Paths

Non-Power Sensors installed on SecurePlatform cannot be upgraded to the current version. A new installation is required. Alerts Concentrators and IPS-1 Management Servers, including NFR Sentivist Servers and Enterprise Servers, and IPS-1 Power 1000 and 2000 Sensors, of versions 5.1 onwards, can be upgraded to the current version. From earlier versions, completely reinstall.

Interoperability

Management components of the current release, such as IPS-1 Management Server, Alerts Concentrators and Management Dashboard, are compatible with Sensors of versions 4.x. The different management components (IPS-1 Management Server, Alerts Concentrators and Management Dashboard) must always be of the same version.

Licensing R70

Most of the software on this CD is automatically enabled for a 15-day evaluation period. To obtain a permanent license, or to extend the evaluation period, contact your reseller.

Licenses are required for the Security Management server and security gateways. No license is required for SmartConsole management clients. Check Point gateways enforce the license installed on the gateway by counting the number of users that have crossed the gateway. If the maximum number of users is reached, warning messages are sent to the console.

The Check Point software is activated using a certificate key, which is located on the back of the software media pack. The certificate key is used to generate a license key for products that you want to evaluate or purchase.

Obtaining a License Key

To obtain a license key from the Check Point User Center:
1. To purchase Check Point products, go to the Check Point User Center at: https://usercenter.checkpoint.com
   Customers new to the Check Point User Center should go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html
2. Add the required Check Point products/evaluations to your User Center account by selecting Accounts & Products > Add Products.
3. Generate a license key for your products/evaluations by selecting Accounts & Products > Products. Select your product(s) and click Activate License. The selected product(s) evaluations have been assigned license keys.
4. Complete the installation and configuration process by doing the following:
   a. Read and accept the End Users License Agreement.

For further licensing assistance, contact Account Services at: AccountServices@checkpoint.com, or US +1 972-444-6600, option 5.

   b. Import the product license key. Licenses are imported using the Check Point Configuration Tool or SmartUpdate. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses.

The certificate keys associate the product license with the Security Management server, which means that:
• The new license remains valid even if the IP address of the Check Point gateway changes.
• Only one IP address is needed for all licenses.
• A license can be detached from one Check Point gateway and assigned to another.

Upgrading Licenses

The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support). The license upgrade procedure runs the license_upgrade command, which makes it easy to automatically upgrade licenses.

Licensing Provider-1/SiteManager-1

Provider-1/SiteManager-1 licenses are associated with the IP address of the licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the server type: Manager, Container, Combined Manager and Container, or Multi-Domain Log Manager (MLM).
• Manager: A license for the administrator's entry point into the Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the Global SmartDashboard tools can connect only to MDS servers with this license.
• Container: A license that defines the maximum number of CMAs running on the MDS machine. In addition, each CMA requires its own CMA license. With the exception of Provider-1 Enterprise Edition licenses, multiple container licenses can be added together on one container to enable the container to hold up to a maximum of 250 CMAs. CMA Pro Add-on licenses, allowing additional management features at the CMA level, can be purchased in bulk. These purchase packages are called Pro Add-ons for MDS.
• Combined Manager and Container: These licenses combine a Manager license with a Container license for a specific number of CMAs. In the case of SiteManager-1 licenses, there are no separate Manager and Container versions available, only the Combined Manager and Container license.

• MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM. A CLM hosted on an MDS server requires its own CLM license.

Provider-1 licenses can be imported using the Check Point command-line licensing tool or Provider-1's MDG. For additional information, refer to the Provider-1/SiteManager-1 Administration Guide.

Licensing IPS-1

The IPS-1 Management Server requires a license, defined with the ability to manage a fixed maximum number of Sensors. For any separate Alerts Concentrators and for all Sensors, obtain and add licenses. In a Combined installation where the Alerts Concentrator is installed together with the IPS-1 Management Server, the Alerts Concentrator shares the IPS-1 Management Server's license.

All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server's IP address. Licenses are added using IPS-1's Management Dashboard. The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Dashboard will function only in Demo mode.

Licensing Eventia Suite

All Eventia Suite licenses are installed on the Eventia Suite Server (not on the Security Management server). Correlation Units are licensed by the number of units that are attached to the Eventia Analyzer Server.

Each gateway requires its own license. Licenses are determined according to the number of computing devices (nodes) protected by the gateway.


Chapter 3 Setup and Installation

In This Chapter
Overview: page 34
Installing on SecurePlatform: page 35
Installing on Windows: page 44
Installing on Solaris or Linux: page 46
Installing on Nokia: page 48
Initially Configuring Products: page 51
Where To From Here?: page 58

Overview

Check Point software is designed to work across multiple platforms and pre-configured appliances. Each installation differs depending on the product and the platform. For upgrading an existing installation, see the upgrade section.

Check Point products can be installed in the following two types of deployments:
• Standalone Deployment: Check Point components that are responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.
• Distributed Deployment: The Security gateway and the Security Management server are installed on different machines.

In both deployments, SmartConsole can be installed on any machine by performing the following steps:
• Install the components that manage or enforce the security policy (for example, the Security Management server, the security gateway, and the log server).
• Install one or more SmartConsole clients to manage different aspects of the deployment. For example, SmartDashboard is used by the system administrator to manage and create the security policy. Any number of SmartConsole GUI applications can be installed on the same machine.

Note - The TCP/IP network protocol must be installed, properly configured, and operational before you begin the installation process.

Installing on SecurePlatform

In This Section:
Installing SecurePlatform Using the CD: page 35
Installing SecurePlatform from the Network: page 37
Initially Configuring SecurePlatform: page 41
Installing R70 Products on SecurePlatform: page 42
Configuring SecurePlatform Using WebUI: page 43

Installing SecurePlatform Using the CD

To install SecurePlatform using the CD:
1. Insert CD1 from the media pack into the CD drive, and boot the computer from the CD. The installation program is loaded. After booting, the Welcome message appears. If you do not press Enter within 90 seconds, the computer boots from the hard drive.
2. To continue, select OK. The following options are displayed:
   • Device List: When selected, the Hardware Scan Details menu displays.
   • Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version's driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.
3. A list of software blades is displayed:
   • Security Gateway
   • Security Management server
   • Eventia Suite
   • Endpoint Security (CD2)
   • Performance Pack
   • Management Portal

4. Use the space bar to select the appropriate products and select OK.
5. Select the type of system to install:
   • SecurePlatform
   • SecurePlatform Pro (which includes the advanced dynamic routing suite)
6. The Keyboard Selection menu opens. Select a keyboard type.
7. From the Network Interface Configuration menu, define the:
   • IP address of the management interface
   • Netmask and Default gateway for the first network interface (eth0 on most systems).
8. From the HTTPS Server Configuration menu, enable or disable web-based configuration using SecurePlatform's WebUI.
   Note - If you intend to deploy remote access or Endpoint Security software, select a port other than 443.
9. A message confirms that you are about to format your hard drive.
   Warning - The formatting procedure erases all information located on your hard drive.
10. Select OK to:
   • Format your hard drive
   • Extract, copy files, and install SecurePlatform software blades
   • Perform post install configuration
   • Install the boot loader
   The installation process can take several minutes to complete.
11. When the Installation Complete message appears, remove the installation CD from the drive, and select OK to reboot the system.
12. Continue to "Initially Configuring SecurePlatform" on page 41.

Installing SecurePlatform from the Network

In This Section
General Workflow: page 37
Client Setup: page 38
Server Setup: page 38

General Workflow

The client's requirements are minimal. Only PXE is required. On the server, you must install:
• A DHCP daemon
• A TFTP daemon
• The PXE boot loader
• The kernel
• The ramdisk

Then:
1. The client boots from the network, using the PXE network loader.
2. The client sends a broadcast request, using the BOOTP protocol.
3. The server responds to the client, by providing the client's assigned IP address and a filename (pxelinux.0 by default), to which to download the PXE boot loader.
4. The client downloads the PXE Boot Loader, using TFTP, and executes it.
5. The PXE boot loader downloads a PXE configuration file from the server, containing the names of the kernel and the ramdisk that the client requires.
6. The PXE boot loader downloads the kernel and the ramdisk.
7. The kernel is run, using ramdisk as its environment.
8. The Installer is executed.
9. At this point the installation can be configured to load files from the FTP server.

Client Setup

On the client machine, enable the network boot, using PXE, from the BIOS setup. (It sometimes appears as DHCP.)

Server Setup

In This Section
Required Packages: page 38
DHCP Daemon Setup: page 39
TFTP and FTP Daemon Setup: page 40
Hosting Installation Files: page 41

Required Packages

The following packages are required for server setup:
• DHCP daemon (located on the Checkpoint CDROM and installed, by default, on SecurePlatform)
• Xinetd (/SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm on the Checkpoint CDROM)
• TFTP daemon (/SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm)
• TCP-Wrappers package (/SecurePlatform/RPMS/tcp_wrappers-7.6-34.3.4cp.i386.rpm)
• FTP server (/SecurePlatform/RPMS/ftpd-0.3-118.4cp.i386.rpm)
• Kernel (can be found on the SecurePlatform CD at /SecurePlatform/kernel)
• Ramdisk (can be found on the SecurePlatform CD at /SecurePlatform/ramdisk-pxe)

Note - To access files on Check Point CDROM, insert the CDROM into the CDROM drive and enter the command:
# mount /mnt/cdrom

PXELINUX Configuration Files

/SecurePlatform/RPMS/tftp-server-0.32-4cp.i386.rpm includes a default configuration file (located under /tftpboot/pxelinux.cfg) that will serve the kernel and ramdisk to any host. Because more than one system may be booted from the same server, the configuration file name depends on the IP address of the booting machine. PXELINUX will search for its config file on the boot server in the following way:
1. PXELINUX will search for its config file, using its own IP address, in upper case hexadecimal, e.g. 192.0.2.91 -> C000025B.
2. If that file is not found, PXELINUX will remove one hex digit and try again. Ultimately, PXELINUX will try looking for a file named default (in lower case). As an example, for 192.0.2.91, PXELINUX will try C000025B, C000025, C00002, C0000, C000, C00, C0, C, and default, in that order.

Assuming the kernel and ramdisk files are named kernel and ramdisk, respectively, a default configuration file, which will serve these to all clients, will look like this:

default bootnet
label bootnet
kernel kernel
append initrd=ramdisk lang= devfs=nomount \
ramdisk_size=80024 console=tty0

DHCP Daemon Setup

To setup the DHCP Daemon, perform the following procedure:
1. Enter the sysconfig utility and enable the DHCP server.

2. Edit the daemon's configuration file, found at /etc/dhcpd.conf. The configuration file should include a subnet declaration for each subnet the DHCP server is connected to. In addition, configuration should include a host declaration, for each host that will use this server for remote installation. A sample configuration file follows:

subnet 192.93.92.0 netmask 255.255.255.0 {
}
host foo {
    # The client's MAC address
    hardware ethernet xx:xx:xx:xx:xx:xx;
    # The IP address that will be assigned to the
    # client by this server
    fixed-address 192.93.92.93;
    # The file to upload
    filename "/pxelinux.0";
}

TFTP and FTP Daemon Setup

To setup the TFTP and FTP Daemons, perform the following procedure:
1. Install /SecurePlatform/RPMS/tcp_wrappers-7.6-34.3.4cp.i386.rpm (The TCP wrappers package)
2. Install /SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm. (The xinetd package is a prerequisite for the tftp-server and ftpd.)
3. Install the TFTP Daemon RPM:
   # rpm -i /SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm
4. Install the FTP Daemon RPM:
   # rpm -i /SecurePlatform/RPMS/ftpd-0.3-118.4cp.i386.rpm
5. Force xinetd to reread its configuration:
   # service xinetd restart
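The PXELINUX config-file search order described under "PXELINUX Configuration Files" and the per-host declaration in the dhcpd.conf sample, worked through as an added shell example (this is not code from the Check Point guide). The function names ip_to_hex, pxelinux_config_names, pxelinux_resolve and dhcp_host_declaration are chosen here, and the 192.0.2.x addresses and the MAC address in the usage lines are constructed sample values.

```shell
# Added example, not from the Check Point guide: helpers for a PXE boot server.
#  - ip_to_hex / pxelinux_config_names reproduce the name search order PXELINUX
#    uses for its configuration file (IP in upper-case hex, one hex digit
#    dropped per attempt, then "default").
#  - pxelinux_resolve reports which file under <tftproot>/pxelinux.cfg a given
#    client would actually load, so a per-host file can be verified.
#  - dhcp_host_declaration emits the host stanza for /etc/dhcpd.conf after
#    validating the MAC and IP address.
# Function names and the 192.0.2.x sample addresses are constructed for this example.

# Dotted-quad IPv4 -> eight upper-case hex digits (192.0.2.91 -> C000025B).
ip_to_hex() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # digits only, no leading zeros (printf would read "08" as octal), 0..255
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%02X%02X%02X%02X' "$1" "$2" "$3" "$4"
}

# Candidate configuration file names, one per line, in the order PXELINUX tries them.
pxelinux_config_names() {
    hex=$(ip_to_hex "$1") || return 1
    while [ -n "$hex" ]; do
        printf '%s\n' "$hex"
        hex=${hex%?}        # drop the last hex digit and try again
    done
    printf 'default\n'
}

# Print the name of the first candidate that exists under $1/pxelinux.cfg for client $2.
pxelinux_resolve() {
    root=$1
    for name in $(pxelinux_config_names "$2"); do
        if [ -f "$root/pxelinux.cfg/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# dhcpd.conf host declaration for client $1 with MAC $2 and fixed address $3.
dhcp_host_declaration() {
    printf '%s' "$2" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    ip_to_hex "$3" >/dev/null || return 1
    printf 'host %s {\n' "$1"
    printf '    hardware ethernet %s;\n' "$2"
    printf '    fixed-address %s;\n' "$3"
    printf '    filename "/pxelinux.0";\n'
    printf '}\n'
}

# Usage (constructed sample values):
#   pxelinux_config_names 192.0.2.91
#   pxelinux_resolve /tftpboot 192.0.2.91
#   dhcp_host_declaration foo 00:11:22:33:44:55 192.0.2.93
```

Running pxelinux_resolve against the real /tftpboot before a network install shows whether a client will pick up its own per-host file or fall through to default, which is the usual cause of one host booting with another host's kernel arguments.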

Hosting Installation Files

An FTP server installed on SecurePlatform will be used to host the installation files. You can also use different FTP servers, or HTTP servers, to host SecurePlatform installation files. During the installation process, you will be asked to supply the IP of the installation server, the credentials on that server, and the path to the installation packages.

Initially Configuring SecurePlatform

After the operating system installation is complete and the computer has rebooted:
1. From the SecurePlatform boot menu, Start in normal mode.
2. When prompted, supply the IP of the SecurePlatform installation server, the Administrator's credentials, and the path to the SecurePlatform packages.
3. Log in using admin as your username and password. A first-time configuration wizard for the SecurePlatform device opens, and displays a Welcome message.
4. Press n to proceed to the next menu.
5. Change the default username and password. Ensure that the new password contains more than six characters and has a combination of upper and lower case letters and numbers.
6. On the command line, run: cpconfig. The following Network Configuration menu options are displayed:
   Host Name: Sets and displays the host name
   Domain Name: Sets and displays the Domain name
   Domain Name Servers: Adds, removes, displays Domain name servers
   Network Connections: Adds, configures, removes, displays network connections
   Routing: Sets and shows a default gateway
7. Use the menu options to configure:
   • The host name
   • The domain name and at least one DNS server


5. Select the appropriate products and press n.
6. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a

Installing on Windows

The installation on a Windows platform is GUI based. The windows displayed during installation differ depending on the installed Check Point components.

To perform a new installation on a Windows platform:
1. Log on as Administrator and insert the CD. The installation wizard automatically starts and a Congratulations message displays. Click Forward.
2. Accept the terms of the End Users License Agreement. Click Forward.
3. Select one of the following installation options:
   • Demo installation (SmartConsole only)
   • New installation
   • Installation using an imported configuration (for additional information, see: "Advanced Upgrade on a Windows Platform" on page 242.)
4. If you selected Installation Using Imported Configuration, you are prompted to provide the location of the imported configuration file.
5. Review the Evaluation Options then click Forward. A list of products is displayed:
6. Select the products you wish to install and click Forward.
7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a Log server should also be installed.
8. Confirm installation of selected products. The selected products are installed. For first time installations, the Check Point Configuration Tool runs automatically and prompts you to (for Security Management server):

   a. Add licenses
   b. Add administrators
   c. Specify remote clients from which an administrator can log into Security Management server
   d. Initialize the Internal Certificate Authority
   e. Export the Security Management server fingerprint to a text file
   For additional information, refer to the "Configuration Tool Overview" on page 51.
9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.

Installing on Solaris or Linux

Installation on Linux and Solaris platforms is run from a command line, with a wizard that guides you through installation. For SecurePlatform there is a separate installation procedure which is described in "Installing on SecurePlatform" on page 35.

To perform a new installation on a Linux or Solaris platform:
1. Mount the CD on the appropriate subdirectory.
2. From the root directory of the CD, run: ./UnixInstallScript
   The wrapper welcome message appears, beginning the installation wizard.
3. Press n.
4. Read and accept the terms of the End User License Agreement.
5. Select New Installation and press n. A product list is displayed:
   • Security Gateway
   • User Authority
   • Security Management
   • Eventia Suite
   • Endpoint Security
   • Performance Pack
   • Management Portal
6. Select the products you wish to install and press n.
7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server, and whether a Log server should also be installed.
8. Confirm the selected products by pressing n.
9. Once product installation is complete, the Check Point Configuration tool will prompt for various configuration options. For a Security Management server, the stages are:

   a. Add licenses. The Check Point Configuration program only manages local licenses on this machine. The recommended way to manage licenses is using SmartUpdate.
   b. Configure group permissions by specifying a group name.
   c. Configure GUI clients (a list of hosts that are able to connect to the Security Management server using SmartConsole).
   d. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
10. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections such as install policy operations. This policy remains in place until you have installed the first security policy.

0. The New Image Installation Upgrade window opens.0. 2.x.x): Enter URL to the image location Enter HTTP Realm (for HTTP URLs only) Enter Username (if applicable) Enter Password (if applicable) 4.jsp. Enter the Network Voyager and open a CLI console.Installing on Nokia Installing on Nokia Installation on Nokia platforms is performed from a console or Nokia Network Voyager (a secure web-based network element management application).7 is already installed. Click Apply.R70 is not supported on IPSO 4.x images. You can also use Nokia Horizon Manager to install and configure Check Point components on multiple Nokia appliances simultaneously. If IPSO 6.com/techsupport/downloads. refer to Nokia Horizon Manager documentation on the Nokia Support website: http://support. skip to step 19 on page 49. 48 . Use a console to perform the initial configuration.checkpoint. You are informed that the file download and image installation may take some time.0.com Before Installing • From the Check Point website: http://www.nokia. 3.tgz.7 Note . first upgrade to IPSO 6.x to IPSO 6. download: IPSO_Wrapper_R70.7. For additional information.7 1. Enter the following information (for IPSO 4. • From Nokia. Click System Configuration > Install New IPSO Image.0. If you are using IPSO 4. download: IPSO 6. Upgrading IPSO 4.

5. A message is displayed indicating that the new image installation process has started. Wait until a message informs you that the process is complete.
6. In Voyager, click UP > UP > Manage IPSO Images. The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image: IPSO 6.0.7.
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete.
10. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly. If you are not returned to the last window you were in, click Refresh and log in.
11. You should be able to see that the relevant IPSO image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console.
14. Type newpkg and press Enter.
15. Use the FTP menu option to transfer the 6.0.7 package.
16. Install the 6.0.7 package. Wait until a message informs you that the process is complete.
17. In the Network Voyager, click System Configuration > Manage IPSO Images. Activate the 6.0.7 package and click Apply.
18. When you receive a Success message, verify that the 6.0.7 package is turned ON.
19. Access the CLI console and log in.
20. Type newpkg and press Enter.
21. Use the FTP menu option to transfer the IPSO_Wrapper_R70.tgz package.
22. Install the IPSO_Wrapper_R70 package. Type Reboot and press Enter.
To upgrade IPSO images and Check Point releases using the command line interface only, see: "Upgrading Through the CLI" on page 209.

Configuring R70
Note - If you performed a fresh installation of IPSO 6.0.7, there is no need to configure R70.
If you upgraded from IPSO 4.x to 6.0.7:
1. From a console connection, run cpconfig.
2. Select Security Management server from the selection list.
3. Select an installation type, Stand Alone or Distributed.
4. Specify the Security Management server type as Primary or Secondary Management.
Note - Only relevant for a distributed deployment.
5. Add Licenses.
6. Configure Group Permissions.
7. Configure an administrator name and password.
8. Configure the GUI clients and hosts which can access the Security Management server using SmartConsole.
9. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
10. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
11. Start the installed products. If you opt not to start the installed products at this time, they can be started later by running cpstart.
12. Reboot.

Initially Configuring Products
In This Section:
Configuration Tool Overview page 51
Using the Configuration Tool on Windows Systems page 52
Using the Configuration Tool on Unix Systems page 54
Logging In for the First Time page 55
Configuration Tool Overview
The Configuration Tool runs automatically once the installation process is complete. The Configuration Tool can also be run manually by running the cpconfig command. The configuration options vary according to the installed product. The examples in this chapter are for a Security Management server.
The Configuration Tool is used to configure:
• Licenses: Generates a license for the Security Management server and the gateway.
• Administrators: Creates an administrator with Security Management server access permissions. The administrator must have Read/Write permissions in order to create the first security policy.
• GUI Clients: Creates a list of names or IP addresses for machines that can connect to the Security Management server using SmartConsole.
• Key Hit Session: Creates a random seed for use in various cryptographic operations.
• Certificate Authority: Provides definitions that are used to initiate the Internal Certificate Authority, which enables secure communication between the Security Management server and its gateways. For some operating systems, such as Windows, you must specify the name of the host where the ICA resides. You may use the default name or provide your own. The ICA name should be in the hostname.domain format, for example, ica.checkpoint.com.
• Fingerprint: Verifies the identity of the Security Management server the first time you log in to SmartConsole. Upon SmartConsole login, a Fingerprint is displayed. This Fingerprint must match the Fingerprint shown in the

Configuration Tool window in order for authentication to succeed. You may want to export this Fingerprint for verification purposes when you log in to SmartConsole for the first time.
Using the Configuration Tool on Windows Systems
To configure using the Configuration Tool on Windows systems:
1. Open the Configuration Tool by selecting Start > Run > cpconfig.
2. In the Licenses tab, perform one or both of the following procedures:
a. Fetch one or more licenses from a file.
i. Click Fetch from File.
ii. Browse to the license file, select it and click Open. The license(s) that belong to this host are added.
b. Add a license manually.
i. Click Add. The Add License window opens.
ii. Configure the appropriate options in the Add License window.
iii. Click OK to add the newly configured license.
3. Click Next.
4. In the Administrators tab, click Add.
5. From the Add Administrator window, add an administrator that uses SmartConsole to connect to the Security Management server. Configure the required parameters and click OK.
Note - From NGX version R60, only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
6. Click Next.
7. On the GUI Clients tab, add a GUI client.
Note - If you do not define at least one GUI client, you can only manage the Security Management server from a GUI client that runs on the same machine as the Security Management server.
8. Click Add.
9. Type the GUI client's name in the Remote hostname field. You can add a GUI client using any of the following formats:

• IP address: For example, 192.168.10.3.
• IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.
• IP1-IP2: A range of IP addresses, for example, 192.168.10.4-192.168.10.8.
• Wild cards: For example, 192.168.10.*.
• Machine name: For example, Alice or Alice.checkpoint.com.
• Any: Any IP address.
10. Click Next.
11. In the Certificate Authority tab, add a name using the <hostname>.<domain name> format. This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
12. Click Next. The Fingerprint window opens and displays the Fingerprint of the Security Management server. The Fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole.
13. From the Fingerprint window, click Export to file and save the file. The Fingerprint is exported to a text file that can be accessed from the SmartConsole client machine(s) and used to confirm the Fingerprint of the Security Management server.
Note - Do not perform a first time connection to the Security Management server from SmartConsole unless the Security Management server Fingerprint is accessible and you can confirm that it matches the Fingerprint displayed in SmartConsole.
14. Once configuration using the Configuration Tool is complete, do the following:
a. From SmartConsole, perform a first time connection to the Security Management server. The Fingerprint of the Security Management server displays.
b. Ensure that the Security Management server Fingerprint matches the Fingerprint displayed in SmartConsole.

15. Close the Configuration Tool.
Using the Configuration Tool on Unix Systems
To complete the installation process, use the Check Point Configuration Tool to configure the Security Management server or security gateway.
Note - For first time installations, the Configuration Tool runs automatically. The Configuration Tool can also be run after installation is complete using the cpconfig command.
To configure using the Configuration Tool on Unix systems:
1. Access the Configuration Tool.
2. Add licenses. A license can be added manually or fetched from a file.
3. Add administrators. Add an administrator that uses SmartConsole to connect to the Security Management server. Only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
4. Define GUI clients. You can add GUI clients using any of the following formats:
• IP address: For example, 192.168.10.3.
• IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.
• IP1-IP2: A range of IP addresses, for example, 192.168.10.4-192.168.10.8.
• Wild cards: For example, 192.168.10.*.
• Machine name: For example, Alice or Alice.checkpoint.com.
• Any: Any IP address.
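The six entry forms listed above (the same list applies to the Windows GUI Clients tab) admit very different numbers of hosts, and a broad entry such as Any or a wildcard is the most common way the management server ends up reachable from far more clients than intended. The following Python is an added example and is not code from this guide or from the Configuration Tool: it classifies an entry into one of the forms, decides whether a given client address would be admitted, and lists entries that admit more than a chosen number of hosts. The function names, the 64-address threshold and the sample entries are the example's own assumptions; name entries are compared as strings because the example does no DNS lookup.

```python
import ipaddress
import re

# Patterns for the entry forms the GUI Clients list accepts. Names and thresholds
# in this file are this example's own, not the Configuration Tool's.
_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")
_WILDCARD_RE = re.compile(r"^(?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3}$")
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def classify_gui_client(entry):
    """Return (kind, parsed) for one GUI Clients entry; raise ValueError if it fits no form.

    kind is one of: any, ip, network, range, wildcard, hostname.
    """
    text = entry.strip()
    if text.lower() == "any":
        return "any", None
    m = _RANGE_RE.match(text)
    if m:
        low, high = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if high < low:
            raise ValueError(f"range {text!r} ends before it starts")
        return "range", (low, high)
    if "/" in text:
        # ipaddress accepts both a prefix length and a dotted netmask such as /255.255.255.0
        return "network", ipaddress.IPv4Network(text, strict=False)
    if "*" in text:
        octets = text.split(".")
        if not _WILDCARD_RE.match(text) or any(o != "*" and int(o) > 255 for o in octets):
            raise ValueError(f"wildcard entry {text!r} must be four octets, each 0-255 or *")
        return "wildcard", octets
    try:
        return "ip", ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        pass
    # All-numeric labels that failed IPv4 parsing are a mistyped address, not a name.
    if _HOSTNAME_RE.match(text) and not text.replace(".", "").isdigit():
        return "hostname", text.lower()
    raise ValueError(f"unrecognised GUI client entry: {entry!r}")


def admits(entry, address, hostname=None):
    """True if the entry admits a SmartConsole client at this IPv4 address.

    Name entries are compared against the caller-supplied hostname, because this
    example does no DNS lookup.
    """
    kind, parsed = classify_gui_client(entry)
    addr = ipaddress.IPv4Address(address)
    if kind == "any":
        return True
    if kind == "ip":
        return addr == parsed
    if kind == "network":
        return addr in parsed
    if kind == "range":
        return parsed[0] <= addr <= parsed[1]
    if kind == "wildcard":
        return all(p == "*" or p == o for p, o in zip(parsed, str(addr).split(".")))
    return hostname is not None and hostname.lower() == parsed


def audit_gui_clients(entries, max_hosts=64):
    """Return (entry, reason) pairs for entries that admit more than max_hosts clients."""
    findings = []
    for entry in entries:
        kind, parsed = classify_gui_client(entry)
        if kind == "any":
            findings.append((entry, "admits every IP address"))
        elif kind == "wildcard":
            count = 256 ** parsed.count("*")
            if count > max_hosts:
                findings.append((entry, f"wildcard admits {count} addresses"))
        elif kind == "network" and parsed.num_addresses > max_hosts:
            findings.append((entry, f"network admits {parsed.num_addresses} addresses"))
        elif kind == "range":
            count = int(parsed[1]) - int(parsed[0]) + 1
            if count > max_hosts:
                findings.append((entry, f"range admits {count} addresses"))
    return findings


if __name__ == "__main__":
    # Constructed sample list mixing the forms shown in the guide.
    sample = ["192.168.10.3", "192.168.10.0/255.255.255.0", "192.168.10.4-192.168.10.8",
              "192.168.10.*", "Alice.checkpoint.com", "Any"]
    for e in sample:
        print(e, "->", classify_gui_client(e)[0])
    for entry, reason in audit_gui_clients(sample):
        print("broad entry:", entry, "-", reason)
```

Run the file as-is to see the sample classified; call audit_gui_clients on the real list from your own Configuration Tool session to spot entries that need narrowing.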

5. Initialize the Internal Certificate Authority. This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
6. Export the Security Management server's fingerprint to a text file. The fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole. The first time SmartConsole connects to the Security Management server, compare this string to the string displayed in SmartDashboard.
7. Start the installed products.
Logging In for the First Time
The Login Process
Administrators connect to the Security Management server through SmartDashboard using the same process as SmartConsole clients. The administrator and the Security Management server are first authenticated (to create a secure channel of communication) and then the selected SmartConsole starts. After the first login, the administrator can create a certificate for subsequent logins. For additional information on how to create a certificate, refer to the R70 Security Management server Administration Guide.
Authenticating the Administrator
To authenticate the administrator:

1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole > SmartDashboard.
2. Log in using the User Name and Password defined in the Configuration Tool's Administrators page during the Security Management server installation. If you are using a locally stored certificate to authenticate your connection, browse to its location and enter the certificate's password. The certificate's password can be changed by expanding the More Options link and clicking Change Password.
3. Specify the name or IP address of the target Security Management server and click OK.
4. Decide whether to connect in Read Only mode. This mode enables you to view the current configuration without accidentally changing it. It also gives access to the Security Management server when another designated administrator is already connected.
5. More Options. Clicking the More Options link enables you to fine tune how SmartDashboard connects to the Security Management server.
• The Change Password button in the Certificate Management area of the dialog enables you to change the password that protects the certificate.

• Session Description. Descriptive information entered here populates the Session ID field available in SmartView Tracker's Audit Mode. The field can be used to explain why a particular administrator is connecting to the Security Management server.
• Do not save recent connections information. By default, SmartDashboard remembers the last user ID and Security Management server to which a connection was made. Select this option to prevent SmartDashboard from displaying the last administrator and Security Management server to which the administrator successfully connected.
• Use compressed connection. By default, the connection to the Security Management server is compressed. This option optimizes the connection to the Security Management server. For a very large configuration database, disabling the compression may help reduce load on the Security Management server.
• Plug-in Demo Mode. This option enables SmartDashboard demo mode to display windows and options specific to a particular Plug-in. Select the Plug-in from the Versions drop-down box.
6. Manually authenticate the Security Management server using the Fingerprint provided during the configuration process.
Note - This step is only necessary the first time you log in from a given client computer, since once the Security Management server is authenticated, the Fingerprint is saved in the SmartConsole computer's registry.

Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software. Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at: http://support.checkpoint.com
Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.

Chapter 4
Installing Provider-1
In This Chapter:
Overview page 60
Creating the Provider-1 Environment page 61
Where To From Here? page 75

Overview
A typical Management Service Provider (MSP) manages and protects many customer networks. Provider-1 ensures compatibility with a wide range of security schemes and product deployments.
Figure 4-1 Sample Provider-1 Deployment
The components of a basic Provider-1 deployment are:
• MDS: Each Provider-1 network must have at least one Manager and one Container. They can be installed on the same server or separately.
• CMAs: Installed on a Container MDS. Each CMA manages the network of a single customer domain.
• MDG and SmartConsole Applications: Installed on a GUI client (a computer running Check Point GUI) and support centralized system management.
• Customer Gateways: Protect the customer's networks.
• NOC Gateways: Protect the MSP headquarters and network/security operations centers.
Note - Depending on your system specifications, you must decide whether to manage NOC gateways with a standalone Security Management server or with a Provider-1 system. For Provider-1 systems, a Provider-1 customer is typically dedicated to serve as the NOC customer.

Creating the Provider-1 Environment
In This Section
Overview page 60
Creating the Provider-1 Environment page 61
Where To From Here? page 75
This section describes the process for provisioning a Provider-1 environment. The following is a typical workflow:
Figure 4-2 Workflow
Setting Up Provider-1 Networking
The MDS and customer Security Gateways should be TCP/IP ready. An MDS server should contain at least one interface with a routable IP address and should be able to query a DNS server in order to resolve the IP addresses of other machine names. As applicable, ensure that routing is properly configured to allow IP communication between:
• The CMA/CLM and its managed gateways.
• An MDS and other MDSs in the system.
• A GUI client and MDS managers.
• A GUI client and CMAs/CLMs.
• A CMA and its high availability CMA peer.
• A CMA and CLMs of the same customer.

Install the Gateways
Install the Network Operation Center (NOC) gateway and customer gateways using CD1 in the Internet Security Product Suite. Refer to the Internet Security Product Suite Installation and Upgrade guide for details.
Installing and Configuring the Primary MDS
The next step is to install the primary MDS on a dedicated, fresh computer. The Multi-Domain Server (MDS) contains Provider-1 system information including details of the Provider-1 deployment, its administrators and customer management information. You can install the primary MDS on a SecurePlatform, Linux or Solaris platform. The installation procedure for SecurePlatform varies slightly from the other platforms.
An MDS may be defined as one of the following types:
• Manager: Hosts the Provider-1 management database and serves as the administrator's entry point into the Provider-1 environment.
• Container: Hosts the Customer Management Add-Ons (CMAs).
• Manager and Container: Hosts both the manager and container on a single platform.
Note - If you define the primary MDS as a Manager only, you will need to install and configure one or more container MDSs on separate platforms.
Installing SecurePlatform for Provider-1
To install and configure SecurePlatform for the initial primary MDS:
1. Insert the Provider-1 SecurePlatform Distribution CD into a drive and boot the computer. The following welcome message appears:

2. Press Enter to confirm the installation. If your hardware is found not to be suitable, the reason for this is displayed as part of the Welcome message, for example:
If a hardware device on the target machine is unsuitable, select Device List, which displays a complete list of devices discovered by the hardware scan. Compare this list with the Hardware Compatibility list at: http://www.checkpoint.com/products/supported_platforms/recommended/ngx/index.html
Adjust your hardware accordingly.

3. The Keyboard Selection window opens. Select a keyboard type from the list, then select OK.
4. The Networking Device window opens. Select the interface to be used by the MDS for accessing the management server and then OK.
5. The Network Interface Configuration window opens. Select OK to proceed with the installation.

6. Type the appropriate information in the IP address, net mask, and optionally, the default gateway fields and select OK.
7. The Host Name Configuration window opens. Enter a host name that is different from the default host name (cpmodule) and select OK.
8. The Confirmation window opens. Select OK to proceed or Cancel to abort the installation process. The following installation operations are performed:
• Hard drive formatting
• Package installation
• Post installation procedures

This procedure may take 10-12 minutes, after which the Installation Complete window opens.
9. Ensure that you remove the CD-ROM that you used during the installation process.
10. Select OK to complete the SecurePlatform installation. The system reboots automatically.
11. When the Provider-1 Welcome screen appears, enter 'n' to continue.
12. On the Network Configuration screen, select 1 - Host Name. Enter the computer name for the MDS host.

13. On the Choose network connections screen, configure your interfaces and network connections as required. When finished, enter 'e' and then 'n' to proceed to the next screen.
14. On the time and date screen, set the time zone, date and time as required. When finished, enter 'n'.
15. On the Provider-1 Welcome screen, follow the instructions on the screen, and continue with "Installing the MDG" on page 70.
Preparing to Install an MDS on Linux or Solaris
To create the first primary MDS on a Linux or Solaris platform:
1. Install the Linux or Solaris operating system on the designated platform (if required).
2. Log on as a user with superuser privileges.
3. From the mounted directory, navigate to the subdirectory that matches the operating system of your MDS: solaris or linux.
4. Run the mds_setup script.
Installing Provider-1 on an MDS
To complete installing Provider-1 on the MDS:

1. Read and accept the license agreement as directed.
2. In the following screen, select the MDS type as either (1) MDS Manager or (3) MDS Manager and Container station. The first primary MDS must be one of these two types.
3. Enter 'Y' in response to "Are you installing the Primary MDS Manager?".
Note - Any information that you enter after this stage can be modified later using the mdsconfig utility.
4. After the installation routine finishes installing packages, select a default base directory when prompted.
5. Enter the name of the primary interface, the interface through which the MDS will communicate with other MDSs in the Provider-1 network.
6. Specify whether the MDS should start automatically with each reboot (recommended). If you choose to restart automatically,

7. Optionally, select an operating system user group that is allowed to access the MDS files. If you do not select a users group, the root users group is given permissions to the files.
8. Press Enter to initialize the Certificate Authority.
9. Configure at least one Provider administrator and assign superuser privileges as directed. Optionally add this administrator to a group.
10. Optionally add a Check Point license. You can always add licenses later using the MDG.
11. When the installation utility finishes, set the source path by running (according to your shell):
• For csh: source /opt/CPshared/5.0/tmp/.CPprofile.csh
• For sh: . /opt/CPshared/5.0/tmp/.CPprofile.sh
To avoid running the source path command each time you start the MDS, it is recommended to add these lines to your .cshrc or .profile files, respectively.
12. Reboot the computer.
13. Start the MDS by executing the mdsstart command.

Installing SmartConsole and MDG Clients
The following instructions are used when installing SmartConsole applications on Windows platforms.
Installing the MDG
To install the MDG package:
1. Access the windows/MDG directory on the Provider-1 product CD.
2. Copy the Prov1Gui executable to a temporary directory.
3. Start the installation by double-clicking the Prov1Gui executable.
4. When the installation has completed, run the MDG from the Windows Start > Programs > Check Point SmartConsole R70 > Provider-1 menu option.
Installing SmartConsole
To install the SmartConsole on Windows platforms:
1. Access the windows/SmartConsole directory on the Provider-1 product CD.
2. Copy the SmartConsole executable to a temporary directory.
3. Start the installation by double-clicking the SmartConsole executable.
4. When the installation has completed, run SmartConsole applications from the Windows Start > Programs > Check Point SmartConsole R70 > SmartDashboard menu option.
Uninstalling the MDS or the MDG
To uninstall an MDS on Linux and Solaris, execute the mds_remove command.
Note - This command is not available on SecurePlatform.
To uninstall the MDG and SmartConsole applications: From the Windows Start menu, select Settings > Control Panel > Add/Remove Programs.

Using the MDG for the First Time
Once you have set up your primary MDS, use the MDG to configure and manage the Provider-1 deployment. You must be an administrator with appropriate privileges (Superuser, Global Manager, or Customer Manager) to run the MDG.
Launching the MDG
To start the MDG:
1. Ensure that you have installed the MDG software on your computer and that your computer is a trusted GUI Client.
2. Select: Start > Programs > Check Point SmartConsole > Provider-1.
3. Enter your User Name and Password or browse to your Certificate and enter the password to open the certificate file.
4. Enter the MDS Manager computer name or IP address to which you intend to connect. After a brief delay, the MDG opens, showing those network objects and menu commands accessible according to your SecurePlatform permissions.
Figure 4-3 MDG before Customers are added

Demo Mode
When starting the MDG, you can elect to open it in Demo mode. This mode does not require authentication or a connection to the MDS. Demo mode is used when you want to experiment with different objects and features before you create a real system. It demonstrates several pre-configured sample customers, CMAs, gateways and policies. Operations performed while in Demo mode are stored in a local database, which allows you to continue a Demo session from the point at which you left off in a previous session. It is recommended that you use the Demo mode to familiarize yourself with the MDG's various views and modes.
Adding Licenses using the MDG
To add a license to an MDS or MLM using the MDG:
1. In the MDG, select the General View and the MDS Contents page.

2. Double-click on an MDS or MLM. The MDS Configuration window opens.
3. Select the License tab.

b. d. Click Add. select the entire license string (starting with cplic putlic. In the email message that you received from Check Point. and ending with the last SKU/Feature) and copy it to the clipboard. In the Add License window. 74 . In the Open window. providing them with both the validation code contained in the email and the one displayed in this window. click Paste License to paste the license details you have saved on the clipboard into the Add License window. Click Calculate to display your Validation Code. Add License Information Manually a. contact the Check Point licensing center.Adding Licenses using the MDG 4.. If validation fails. Click Fetch From File. c. Compare this value with the validation code that you received in your email. browse to and double-click the desired license file.. b. Install licenses using one of the following methods: Fetch License File a.

Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more detailed knowledge of your Check Point software. Check Point documentation provides additional information and is available in PDF format on the Check Point CD as well as on the Technical Support download site at: http://www.checkpoint.com/support/technical/documents


Chapter 5
Installing Eventia Suite
In This Chapter
Eventia Suite Installation page 78
Standalone Installation vs. Distributed Installation page 79
Standalone Installation page 80
Distributed Installation page 82
Enabling Connectivity Through a Firewall page 84
Preparing Eventia Suite in Security Management server page 85
Preparing Eventia Suite on Provider-1 MDS page 86

Eventia Suite Installation
This chapter covers installing Eventia Suite. For Hardware Requirements and Supported Platforms please refer to the Release Notes document.
Eventia Suite is comprised of:
• Eventia Reporter, which consists of the Eventia Reporter Server and the Eventia Reporter Client.
• Eventia Analyzer, which consists of the Eventia Analyzer Server, Correlation Unit and the Eventia Analyzer Client.
This installation process consists of three phases:
1. Install Eventia Suite.
2. Prepare Eventia Suite in Security Management server (refer to "Preparing Eventia Suite in Security Management server" on page 85).
3. Configure Eventia Suite (refer to the Eventia Analyzer and Eventia Reporter User Guides respectively).

Standalone Installation vs. Distributed Installation
Eventia Reporter can be installed in either a "Standalone" installation or a "Distributed" installation, while the Eventia Analyzer can only be installed in a "Distributed" installation:
• Standalone installation: Eventia Reporter is installed on the same machine as Security Management server.
• Distributed installation: Eventia Reporter and Eventia Analyzer are installed on a machine dedicated to reporting. A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended for better performance.
• When working with Provider-1/SiteManager-1 or Security Management server on Nokia, Eventia must be installed on a separate machine (distributed).
Note - For Eventia Suite to read logs from a distributed log server, the database must be installed on the log server after the Eventia Suite installation is complete.
Installing Eventia Suite on Multiple Versions of Security Management Server
Eventia Suite in a Distributed installation can work with multiple versions of Security Management server from R54 and up. When installed in a Distributed deployment, Eventia Suite recognizes all the Network Objects in the Security Management server database via an internal process referred to as dbsync. With dbsync, Eventia Suite can recognize objects from multiple versions (that is, from R54 and up).

Standalone Installation
In This Section:
Windows Platform page 80
Solaris & Linux Platforms page 81
SecurePlatform page 81
Windows Platform
1. To install, login as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Select New Installation, and accept the terms of the license agreement.
3. Select either:
• Check Point Power
• Check Point UTM
Click Next. A list of products to install is displayed.
4. From the Products list, select Eventia Suite.
5. From the list of Eventia Suite components, select Eventia Reporter. Security Management server is automatically installed along with Eventia Reporter. Security Management server is needed because of its log server component.
6. Click Next.
7. Specify the type of Security Management server to install:
• Primary Security Management server
• Secondary Security Management server
• Log Server
If you want a standalone deployment, select Primary Security Management server. If you want a distributed deployment, select Log Server.
8. Click Next.
9. Verify the default install directory, or browse to a new location.
10. The Check Point Configuration program, CPConfig, opens.

11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.
12. The Administrators window appears. Select Add and enter the administrator name and password. Then set permissions for the administrator. Add more administrators if you like. Select OK, and then select Next.
13. The GUI Clients window appears. Select Add. Type in the IP address for a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Add more GUI Clients if you like. Select OK, and then select Next.
14. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the Security Management server. To ensure secure communication between the Eventia Analyzer and Security Management servers, an identical Activation Key must be set on both.
15. Return to the wrapper, click Next and reboot the machine.
16. Select Finish.
17. To complete the installation of the Eventia Reporter and to continue with the next phase of the installation, launch SmartDashboard. Install the Security Policy (Policy>Install) or install the database (Policy>Install Database).
Solaris & Linux Platforms
1. Mount the CD on the relevant subdirectory.
2. In the mounted directory, run the script: UnixInstallScript.
3. Read the End-User License Agreement (EULA) and if you accept click Yes.
4. Select whether you would like to perform an upgrade or create a new installation.
5. Continue from step 5 on page 80 in order to complete the installation.
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.
2. Select whether you would like to perform an upgrade or create a new installation.
3. Continue from step 5 on page 80 in order to complete the installation.

Distributed Installation

In This Section:
Windows Platform page 82
Solaris and Linux and SecurePlatform page 83

In a distributed installation, Eventia Suite and Security Management server are installed on separate machines.

Windows Platform

On the machine that will hold the Eventia Suite:

1. Log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Click Next, and accept the terms of the license agreement.
3. Select New Installation.
4. Select either:
   • Check Point Power
   • Check Point UTM
   Click Next.
5. Verify the default install directory, or browse to a new location.
6. From the Products list, select Eventia Suite, and a list of products to install is displayed.
7. From the list of Eventia Suite components, select the components that you want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log Consolidator). Security Management server is needed because of its log server component.
8. Specify Log Server as the type of Security Management server to install.
9. Click Next.
10. The Check Point Configuration program, CPConfig, opens.
11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.

12.  Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the Security Management server. To ensure secure communication between the Eventia Analyzer and Security Management servers, an identical Activation Key must be set on both.
13. The Administrators window appears. Select Add and enter the administrator name and password. Then set permissions for the administrator. Add more administrators if you like. Select OK, and then select Next.
14. The GUI Clients window appears. Select Add. Type in the IP address for a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Add more GUI Clients if you like. Select OK, and then select Next.
15. When prompted, perform a short random keystroke session to collect random data for cryptographic operations.
16. Return to the wrapper, click Next and reboot the machine. Select Finish.

Solaris and Linux and SecurePlatform

1. Mount the CD from the relevant subdirectory and launch the wrapper.
2. From the list of Eventia Suite components, select the components that you want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log Consolidator).
3. When prompted, create an activation key. Remember this key for later.
4. Enter Finish to complete the installation.
5. To complete the installation of Eventia Suite and continue with the next phase of the installation.

Enabling Connectivity Through a Firewall

Certain additions to the Rule Base need to be made if a Firewall exists between any Eventia Suite components and the Management Server, and either of the following conditions apply:
• the management is prior to NGX (R60)
• the implied rules have been disabled

If either of these conditions is true, modify the Rule Base to enable connectivity between components as follows:

Table 5-1 Additions to the Rule Base to Enable Connectivity

Source | Destination | Service
Eventia Analyzer Client | Eventia Analyzer Server | CPMI
Eventia Reporter Client | Eventia Reporter Server | CPMI
Management Server | Eventia Analyzer and Reporter Server | CPMI, FW1_ica_push, FW1_sam
Eventia Analyzer Server | Management Server | CPD, CPD_amon
Eventia Analyzer Server | Correlation Unit | CPD_seam (TCP/18266)
Correlation Unit | Eventia Analyzer Server | CPD_seam (TCP/18266)
Third-party devices that issue syslog messages | Log Server enabled to receive syslog messages | UDP syslog

For an R65 level Security Management server (or above) the following rule needs to be added to the Rule Base if a firewall exists between any Eventia Analyzer components and the Management Server:

Source | Destination | Service
Correlation Unit | Log Server | LEA

Preparing Eventia Suite in Security Management server

1. Launch SmartDashboard.
2. Create a new host for each Eventia Suite machine that contains an Eventia Suite component: Manage > Network Object > New > Check Point > Host
3. In the General Properties window, in the Check Point product list, select the appropriate Eventia Suite component that you installed on the host that you created in step 2. If the Security Management server version is pre-NGX, select both SmartView Reporter and Log Server in place of Eventia Analyzer Server or Eventia Correlation Unit.
4. The version is not automatically entered if the Eventia Suite’s version is newer than Security Management server. If so, select the most recent version available from the Version drop-down list.
5. Click Communication and enter the activation key.
6. Install the Security Policy (Policy > Install) or install the database (Policy > Install Database) to make the Eventia Suite functional.
7. To enable the log server on the Eventia server, perform install database in SmartDashboard and select the Eventia server as one of the targets. This must be performed in order for Eventia Analyzer to function as a log server.

Preparing Eventia Suite on Provider-1 MDS

Preparing Eventia Suite on Provider-1 MDS varies according to the version you are currently working with. Refer to the appropriate section below based on your version of Provider-1.

In This Section:
For Provider-1/SiteManager-1 Version R55 page 86
For Provider-1/SiteManager-1 Version R60 page 88
For Provider-1/SiteManager-1 Version R61 and Up page 89

For Provider-1/SiteManager-1 Version R55

In Provider-1/SiteManager-1 R55, Eventia Suite can read the logs of multiple CMAs with the use of putkey operations.

1. In the Provider-1/SiteManager-1 Global SmartDashboard, create a Check Point Host Object, name it, enter its IP address and enable the product SmartView Reporter.
2. Select Communication and enter the activation key you created during installation.
3. Select Initialize to establish communication. Select Close and OK.
   Note - Do not run the Get Version operation. Instead, specify the most recent version possible.
4. From the File menu, select Save.
5. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
6. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want the Eventia Suite to read logs.
7. To enable the syslog server, run the following commands from the command line of the Eventia machine:
   a. cpstop
   b. syslog -r

   c. cpstart
   Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Analyzer.
8. On the Provider-1/SiteManager-1 MDS, run the command mdsstop.
9. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. In the section [Inbound rules], locate the following two lines:
   # log export to DB utility (lea client from any SVN host)
   ANY ; ANY ; ANY ; lea ; sslca
   Add the following rule after these lines:
   # Eventia Analyzer Provider-1
   ANY ; ANY ; ANY ; lea ; ssl, sslca
   Note - Be sure to insert ssl, before sslca.
10. Run the command mdsstart.
11. On the Eventia Suite machine, run the command cpstop.
12. On the Eventia Suite machine and/or the Correlation Unit machine that will read logs from a CMA, edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. Search for the section [Outbound rules], and change the following lines from:
   # for log_export tool and Abacus analyzer
   ANY ; ANY ; ANY ; lea ; sslca
   to:
   # for log_export tool, CP_PRODUCT
   ANY ; ANY ; ANY ; lea ; ssl
13. On the Eventia Suite machine, run the command cpstart.
14. Execute the putkey operation in the following manner:
   a. On the Eventia Suite machine, run cpstop and fw putkey -p [shared_password] [CMA_IP].

   b. On the MDS, run mdsstop_customer [CMA_IP] and fw putkey -p [shared_password] [Eventia Suite Server_IP].
   Note - Enter the command mdsenv <customer_name> to switch to the appropriate CMA environment. To return to the MDS environment, while in the CMA environment, enter the command mdsenv.
   c. Run mdsstart_customer [CMA_IP] on the CMA.
   d. Run cpstart on the Eventia Suite machine.

For Provider-1/SiteManager-1 Version R60

1. In Global SmartDashboard, create a Check Point Host Object, name it, and enter its IP address.
2. Make sure that the product Eventia Reporter is enabled.
3. Select Communication and enter the activation key you created during installation.
4. Select Initialize to establish communication. Select Close and OK.
   Note - Do not run the Get Version operation. Instead, specify the most recent version possible.
5. From the File menu, select Save.
6. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
7. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.
8. To enable the syslog server, run the following commands from the command line of the Eventia server:
   a. cpstop
   b. syslog -r
   c. cpstart
   Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Suite.

For Provider-1/SiteManager-1 Version R61 and Up

1. In Global SmartDashboard, create a Check Point Host Object, name it, and enter its IP address.
2. In the properties of the new Host object, select Log and Masters > Additional Logging Configuration, and enable the property Accept Syslog messages.
3. Make sure that the appropriate products (Eventia Reporter, Eventia Analyzer Server, Eventia Correlation Unit and Log Server) are enabled.
4. Select Communication and enter the activation key you created during installation.
5. Select Initialize to establish communication. Select Close and OK.
   Note - Do not run the Get Version operation. Instead, specify the most recent version possible.
6. From the File menu, select Save.
7. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
8. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.


Chapter 6 IPS-1 Setup and Installation

In This Chapter:
Overview page 92
IPS-1 Deployment page 94
IPS-1 Management Installation and Setup page 98
IPS-1 Sensor Appliances page 103
IPS-1 Sensor Installation page 108
IPS-1 Management Dashboard Installation page 113
Post-Installation Steps page 114
Where To From Here? page 122

Overview

In This Section:
IPS-1 System Architecture page 92
Platforms page 93

IPS-1 System Architecture

Check Point’s IPS-1 is a dedicated intrusion prevention system (IPS) that delivers:
• Mission-critical protection against known and unknown attacks
• Unmatched management capabilities
• Granular forensic analysis
• Flexible deployment
• Confidence Indexing

An IPS-1 deployment includes the following components:
• IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts to the Alerts Concentrator.
• Alerts Concentrator: Manages and receives alerts from a group of Sensors, and stores the alerts in a MySQL database (included in the Alerts Concentrator installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout the network as needed.
• IPS-1 Management Server: The central management server for the entire deployment. Receives and correlates relevant alert information from the Alerts Concentrator(s). Alert information is stored in a MySQL database, which is included in the IPS-1 Management Server installation.
• IPS-1 Management Dashboard: Windows-based remote graphical user interface (GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for monitoring alerts. The IPS-1 Dashboard includes a number of independent interlinked windows, primarily:
  • Policy Manager for configuring protections and managing the entire IPS-1 system.
  • Alert Browser for viewing, tracking, and analyzing real-time alerts.

There are two deployment configurations for IPS-1:

• Combined Deployment - An Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer.
• Distributed Deployment - The IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers.

The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:

Figure 6-1 The IPS-1 System

Platforms

The IPS-1 Server and Alerts Concentrator can be installed on Check Point’s SecurePlatform or on other supported operating systems. SecurePlatform is provided with the IPS-1 installation media. IPS-1 (non-Power) Sensors are supported only on Check Point’s SecurePlatform.

The IPS-1 Server can be installed together with a Security Management server for managing security gateways and IPS-1 Sensors from the same platform. In this case, it is possible to log into the IPS-1 Server via the IPS-1 Management Dashboard with a Security Management server administrator username and password. For usernames common to both IPS-1 and the Security Management Server, the IPS-1 password and privileges override Security Management Server settings.

IPS-1 Deployment

In This Section:
IPS-1 Sensor Deployment page 94
IPS-1 Management Deployment page 95

IPS-1 Sensor Deployment
This section covers deploying the IPS-1 Sensor.

Sensor Placement
IPS-1 Sensors should be deployed at natural choke points according to network topology. Usually, Sensors should be just within the network firewall. Placing Sensors outside the firewall is not recommended, because the Sensor is not then protected by the firewall, and the unfiltered traffic places a heavier load on the Sensor. Ideally, network cores should also be protected with Sensors. In most cases, network core topology does not enable these Sensors to be placed inline, in which case the Sensors should be used for intrusion detection in passive mode.

Sensor Topology
In most cases, IPS-1 Sensors should be placed inline, enabling intrusion prevention. In some cases, such as in a complex switching environment in a network core, Sensors need to be used for intrusion detection in passive mode. Sensors’ monitoring interfaces are layer-3 transparent and do not have IP addresses. Each Sensor has a management interface that requires an IP address, routable to and from the Alerts Concentrator. For enhanced security, it is recommended that management be on a separate, out-of-band network. For full information on Sensor modes, see the IPS-1 Administration Guide.

Inline Intrusion Prevention
For intrusion prevention, Sensors should be connected inline, so that all of the traffic to be monitored flows through the IPS-1 Sensor. In this configuration, Sensors can drop traffic containing attacks, according to defined and configurable confidence indexing.


Inline Sensors’ behavior upon failure can be configured to either open, passing through all traffic; or closed, severing the traffic path. Inline Sensors can be set to Bridge (Monitor-Only) mode, to avoid the possibility of false-positive traffic dropping. In bridge mode, you can track what the Sensor would have done in prevention mode. You can fine-tune your prevention settings in bridge mode, and later change to prevention mode.

Passive Intrusion Detection
The IPS-1 Sensor can be placed out of the path of network traffic, in which case it performs intrusion detection only. For the Sensor to monitor traffic, a monitoring interface of the Sensor should be connected to one of the following:
• A hub’s port
• A switch’s SPAN (or ‘mirror’) port
• A network tap

A network tap has advantages over a switch’s SPAN port. For example, the switch could prevent (or be unable to send) some traffic out of the SPAN port. For information on configuring and connecting the switch or tap, see the switch’s or tap’s documentation.

IPS-1 Management Deployment
In This Section:
Required IPS-1 Management Components page 95
IPS-1 Management Network page 96
Alerts Concentrator High Availability page 97

Required IPS-1 Management Components
Every IPS-1 deployment must have exactly one IPS-1 Management Server. At least one installation of the IPS-1 Management Dashboard on a Windows client host is necessary for managing the IPS-1 environment and for viewing and analyzing alerts.


The appropriate number of Alerts Concentrators varies according to the network and to administrative needs. The following rough guidelines should be considered:
• Each Alerts Concentrator is usually capable of handling around ten Sensors.
• It is not recommended for a single Alerts Concentrator’s database to approach 40 GB; if it does, an additional Alerts Concentrator is recommended.

For a rough estimate of appropriate database size, multiply the volume of monitored traffic (in Gbps) by the number of months of alerts you plan to maintain. The database size (in GB) should approach half of that product. For example, if the Sensors that send alerts to a particular Alerts Concentrator collectively monitor 5Gbps, and you want to maintain six months of back alerts, the database should be 12-15 GB. However, appropriate database size is also dependent on other factors, such as fine-tuning protections for your system to minimize false positives. Optionally, one Alerts Concentrator can be installed together with the IPS-1 Management Server in a Combined installation. This Alerts Concentrator will share a license and some processes with the IPS-1 Management Server, but alert information is stored in separate database tables.

IPS-1 Management Network
For enhanced security, it is recommended that management be on a separate, out-of-band network. TCP connectivity is required as follows:
• Connect from the IPS-1 Management Dashboard to the IPS-1 Management Server on port 8443
• Connect from the IPS-1 Management Server to any Alerts Concentrators on port 18272
• Connect from each Alerts Concentrator to the management interfaces of its IPS-1 Sensors, and vice versa, on port 1968
• (optional) Connect from the IPS-1 Management Server to the online update server (ips-packages.checkpoint.com) on port 2013

Make sure the firewalls in between each component are configured to allow this traffic.


Alerts Concentrator High Availability
To ensure continuity of information flow from IPS-1 Sensors to the IPS-1 Management Server in the event of an IPS-1 Alerts Concentrator failure, you can configure an IPS-1 Sensor to report to a secondary IPS-1 Alerts Concentrator. This automatically redirects alerts and event data to the secondary Alerts Concentrator if the active Alerts Concentrator or the Sensor’s connection with it fails. You can deploy the secondary Alerts Concentrator in the same network as the active Alerts Concentrator. For information on configuring Alerts Concentrator High Availability, see the IPS-1 Administration Guide.


IPS-1 Management Installation and Setup
In This Section:
Installation of IPS-1 Management Servers page 98
IPS-1 Management Dashboard Installation page 113
Completing IPS-1 Management Setup page 115

Installation of IPS-1 Management Servers
This section discusses installing the IPS-1 Management Server and Alerts Concentrator. The IPS-1 Management Server and Alerts Concentrator can be installed on Check Point’s SecurePlatform or on other supported operating systems. To install IPS-1 management servers together with a Security Management Server, first install the Security Management Server according to the instructions in “Setup and Installation” on page 33. Then follow the instructions in “Installation on Linux and SecurePlatform” on page 101. To install Check Point’s SecurePlatform, follow the instructions in “Installation of SecurePlatform for IPS-1 Management” on page 98. To install IPS-1 management servers on already installed and configured operating systems, follow the instructions in “Installation on Linux and SecurePlatform” on page 101.

In This Section:
Installation of SecurePlatform for IPS-1 Management page 98
Installation on Linux and SecurePlatform page 101
Initial Configuration of Management Servers page 102

Installation of SecurePlatform for IPS-1 Management
To install SecurePlatform with the IPS-1 Management Server and/or Alerts Concentrator:

1. Insert CD6 from the media pack into the CD drive, and boot the computer from the CD.


   After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds. The installation program is loaded. The following options are displayed:
   • Device List: When selected, the Hardware Scan Details menu displays.
   • Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version’s driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.

2. Select OK to install. The IPS-1 Products window appears.
3. Select Management Server, and OK.
4. Depending on the license you purchased, select one of the following options:
   • SecurePlatform
   • SecurePlatform Pro (includes the Advanced Routing Suite and additional enhancements such as RADIUS authentication for administrators)

5. Select a keyboard type.
6. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.
7. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.
8. Press Enter to reboot.
9. When the computer is finished booting, log in with username: admin, and password: admin.
10. As prompted, change the password and username.
11. Run: sysconfig
    The first-time system configuration wizard begins.
12. Press n to proceed to the next menu.


    The following Network Configuration menu options are displayed:

    Option | Purpose
    Host Name | Sets and displays the host name
    Domain Name | Sets and displays the Domain name
    Domain Name Servers | Adds, removes, displays Domain name servers
    Network Connections | Adds, configures, removes, displays network connections
    Routing | Sets and shows a default gateway

13. Use the menu options to configure:
    • The hostname
    • The domain name and at least one DNS server
    • The computer’s network interfaces
    • The default gateway (if required)
    Note - Make sure the hostname and IP address are correctly defined at this stage. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will not be reflected in the application.
14. Once Network Configuration is complete, press n to continue to Time and Date Configuration.
15. Configure the following:
    • Time zone
    • Date
    • Local time
    • Show date and time settings
    Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see “Configuring NTP on SecurePlatform” on page 114.
16. Press n.

Continue to “Initial Configuration of Management Servers” on page 102.

Installation on Linux and SecurePlatform

To install an IPS-1 Management Server and/or Alerts Concentrator on an already installed and configured operating system (Red Hat Enterprise Linux, or SecurePlatform):

1. Make sure the hostname and IP address are correctly defined in the operating system. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will not take effect.
2. Ensure proper connectivity between IPS-1 Management Dashboard and the IPS-1 Management Server by verifying that there is an /etc/hosts table entry for your IP address and server name. For example, for Red Hat Linux:
   127.0.0.1 localhost localhost.localdomain
   172.24.4.235 linux3
   The absence of a server name in the /etc/hosts file will generate mySQL errors.
3. Before an upgrade:
   a. Stop the IPS-1 processes.
   b. As a precaution, back up database files by copying the contents of the sdb/data directory to another host.
4. Insert CD6 from the media pack, and mount it on the appropriate subdirectory.
5. From the CD’s root directory, run: ./UnixInstallScript [-splat]
   On SecurePlatform, include the -splat flag. On Linux omit the flag.
6. Continue to the following section for the configuration process.

Reinstalling IPS-1

To reinstall IPS-1:

1. Query the IPS-1 rpm for the version number by running: rpm -qa | grep ips1
2. Stop IPS-1 and remove the IPS-1 rpm by running: rpm -e CPips1-Rxx-xx
   where xx is the version number obtained from the output of the previous command.
3. Install a new IPS-1 by running: ./UnixInstallScript on the CD.
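As an added example (not from the Check Point guide), a POSIX shell check for the /etc/hosts entry that step 2 of the "Installation on Linux and SecurePlatform" procedure above requires; the function name ips1_hosts_check and the sample hosts file are constructed for this illustration, and the 172.24.4.235/linux3 pair mirrors the guide's own example rather than a real host.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: verify that the server's
# hostname maps to its management IP in an /etc/hosts-style file, which the
# guide says must be in place before UnixInstallScript runs (a missing name
# produces mySQL errors).
# Usage: ips1_hosts_check HOSTS_FILE IP HOSTNAME
# Exit status: 0 = HOSTNAME maps to IP
#              1 = HOSTNAME absent from the file
#              2 = HOSTNAME present but bound to a different address
ips1_hosts_check() {
    hosts_file=$1
    want_ip=$2
    want_name=$3
    # Address of the first line whose name list contains the wanted hostname;
    # comment and blank lines are skipped and trailing comments stripped.
    found_ip=$(awk -v name="$want_name" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; exit }
        }' "$hosts_file")
    if [ -z "$found_ip" ]; then
        echo "FAIL: no entry for $want_name in $hosts_file" >&2
        return 1
    fi
    if [ "$found_ip" != "$want_ip" ]; then
        echo "FAIL: $want_name resolves to $found_ip, expected $want_ip" >&2
        return 2
    fi
    echo "OK: $want_name -> $want_ip"
    return 0
}

# Constructed sample file in the layout the guide shows for Red Hat Linux
# (hypothetical addresses, not a real deployment).
SAMPLE_HOSTS=${TMPDIR:-/tmp}/ips1_hosts_sample.$$
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1      localhost localhost.localdomain
172.24.4.235   linux3        # constructed management address
EOF

# On a real server, check the live file against the configured name and address:
#   ips1_hosts_check /etc/hosts "$(hostname -i)" "$(hostname)"
```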

Initial Configuration of Management Servers

1. Press Enter to scroll down and read the End-User License Agreement. Then press y to accept.
2. Answer whether this is an upgrade (y/n). If this is an upgrade, you are then prompted for the previous installation location.
3. Select an IPS-1 product to install:
   a. IPS-1 Management Server (all components)
      This installs the IPS-1 Management Server as a Combined Deployment, that is an IPS-1 Management Server with an Alerts Concentrator.
   b. IPS-1 Management Server (without Alerts Concentrator)
      This installs the IPS-1 Management Server as a Distributed Deployment, that is an IPS-1 Management Server only, without an Alerts Concentrator.
   c. IPS-1 Alerts Concentrator
4. When installing an IPS-1 Management Server or Combined installation, type and then confirm an IPS-1 login password. This will be the password to use when logging into the IPS-1 Management Server with the IPS-1 Dashboard for the first time with username: admin.
   When installing an Alerts Concentrator, enter and then confirm an activation key with which the Alerts Concentrator will authenticate the IPS-1 Management Server. You will need this activation key when you add the Alerts Concentrator from the IPS-1 Dashboard.
5. Select whether IPS-1 should start when the computer is booted. IPS-1 packages are installed. This may take some time. IPS-1 processes start.
6. This completes the installation process. Continue to “Post-Installation Steps” on page 114.

IPS-1 Sensor Appliances
Introduction
This chapter discusses setting up Check Point pre-installed appliances. For third-party hardware, set up the hardware according to the third-party documentation, and then continue to “IPS-1 Sensor Installation” on page 108. For considerations for Sensor location and network topology, see “IPS-1 Sensor Deployment” on page 94.

IPS-1 Sensor Appliance Models
Check Point currently delivers the following Sensor appliances with the interface configurations listed:

IPS-1 Sensor 50C

Front —
• Two 10/100Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as an IPS pair with bypass support, or in IDS (passive) mode as two monitoring interfaces
• Two 10/100/1000Mbps copper Ethernet front-panel interfaces, of which one is the management interface and the other can be used in IDS (passive) mode as an additional monitoring interface

IPS-1 Sensor 200C

Front — Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

Back — Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces

IPS-1 Sensor 200F

Front —
• Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
• Four 1000Mbps Fiber front-panel interfaces with bypass support

Back — Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces

IPS-1 Sensor 500C

Front — Eight 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

Back — Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces

IPS-1 Sensor 500F

Front —
• Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
• Four 1000Mbps Fiber front-panel interfaces with bypass support


Back — Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces

IPS-1 Sensor 1000C

• Eight 10/100/1000 copper Ethernet back-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
• Two 10/100/1000 built-in copper Ethernet back-panel interfaces, of which one is the management interface and the other should remain unused

IPS-1 Sensor 1000F
Note - The interface labels of the 1000F model are the same as the interface labels for the 1000C model.
• Eight Gigabit fiber Ethernet back-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
• Two 10/100/1000 copper Ethernet back-panel interfaces, of which one is the management interface and the other should remain unused

IPS-1 Power Sensor 1000C/F
Note - For a detailed diagram of the Power Sensor interfaces, see “Setting Up Sensor Appliance Network Connections” on page 107.

• Eight 10/100/1000 Mbps copper Ethernet interfaces (C model) or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs or in IDS (passive) mode as monitoring interfaces
• One 10/100Mbps copper Ethernet front-panel interface for management

IPS-1 Power Sensor 2000C/F
• A Primary chassis unit, including:
  • Eight 10/100/1000 Mbps copper Ethernet interfaces (C model), or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs, or in IDS (passive) mode as monitoring interfaces
  • One 10/100Mbps copper Ethernet front-panel interface for management
• An Expansion chassis unit, adding processors and RAM

Preparing the Sensor’s Environment
The IPS-1 Sensors require the following:

Table 6-1 IPS-1 Sensor Environmental Requirements

                                 50C                          200C/F                      500C/F                      Power C/F
Chassis size                     1 Rack Unit (RU), 19”        1 Rack Unit (RU), 19”       1 Rack Unit (RU), 19”       2 chassis units x 2RU, 19”
Amps AC                          6.0/3.0                      8.2/4.1                     6.7/3.4                     4/2 per chassis unit
Voltage Input Range              100-240                      100-127/200-240             100-127/200-240             90-255
Operating Temperature            0°C to +40°C                 +10°C to +35°C              +10°C to +35°C              0°C to +55°C
Non-Operating Temperature        -20°C to +80°C               -40°C to +70°C              -40°C to +70°C              -10°C to +70°C
Non-Operating Relative Humidity  10-90%, noncondensing @35°C  90%, noncondensing @35°C    90%, noncondensing @35°C    10-90%, noncondensing @35°C
Emissions                        FCC Class A Device

Mount each unit onto the equipment rack. Connect the power supply. For the Power Sensor, connect two power supplies to each of the two chassis units.


Setting Up Sensor Appliance Network Connections
Connect the management interface to the management network. On the 50C and Power 2000 models, the management interface is on the front panel. On other models, it should be one of the two built-in interfaces on the rear panel.
For working in IDS (passive) mode, any or all of the remaining interfaces can be used as monitoring ports. For working in inline IPS mode, the inline pairs must conform to the hardware configuration:
• For the 50C, the inline pair is marked on the front panel.
• For the 200 and 500 models, inline pairs are in vertical groupings.
• For the Power Sensors, inline interfaces are on the rear panel, horizontally paired. For example, in the diagram below, s1.e0 is paired with s1.e1.

Connecting the Power Sensor Chassis Units
With the supplied expansion cable, connect the Primary chassis unit’s Expansion slot A to the Expansion chassis unit’s Expansion slot B:


IPS-1 Sensor Installation
In This Section:
Connecting to IPS-1 Sensors  page 108
Installing SecurePlatform and IPS-1 Sensors  page 108
Initial Configuration of IPS-1 Sensors  page 109
Initial Configuration of IPS-1 Power Sensor  page 111

Connecting to IPS-1 Sensors
You can run commands on the IPS-1 Sensor in one of three ways, depending on hardware configuration:
• A connected keyboard and monitor.
• A serial console (DTE to DTE), using terminal emulation software such as HyperTerminal (for Windows) or Minicom (for Unix/Linux systems). Connection parameters for Check Point appliances are:
  • For a regular (non-Power) IPS-1 Sensor appliance: 9600bps, no parity, 1 stop bit (8N1).
  • For an IPS-1 Power Sensor: 115200bps, 8 bit, no parity, 1 stop bit, no hardware or software (xon/xoff) flow control.
  For third-party hardware connection parameters, see the third-party documentation.
• An SSH connection to the Sensor’s management interface (if sshd is configured).

Installing SecurePlatform and IPS-1 Sensors
The following instructions are for installing IPS-1 Sensor software on third-party hardware, or for reinstalling on a Check Point appliance. IPS-1 (non-Power) Sensors are supported only on Check Point’s SecurePlatform operating system version NGX R65 and above. The IPS-1 Sensor is installed with SecurePlatform in one installation process. You cannot reinstall the Sensor without reinstalling the operating system and formatting the hard disk. To install SecurePlatform and the IPS-1 Sensor:

1. Insert CD6 from the media pack into the CD drive, and boot the computer from the CD.
2. After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds. The installation program is loaded.
3. Select a keyboard type. Select OK.
4. Select the type of hardware you are using. If you are installing on hardware provided by Check Point (or old hardware provided by NFR), select Appliance. If you are installing on hardware supplied by another vendor, select Open Sensor. For Sensor 1000 models, you should select Open Sensor even though the hardware is supplied by Check Point. Select OK.
5. The IPS-1 Products window appears. Select Sensor, and OK.
6. Sometimes updated hardware is incompatible with the previous version’s driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process. The following options are displayed:
   • Device List: When selected, the Hardware Scan Details menu displays.
   • Add Driver: When selected, the Devices menu opens.
7. In the Networking Device window, select the management interface. Select OK.
8. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.
9. Select OK to format your hard drive, and extract and install SecurePlatform software components. Select OK to install. The installation process can take several minutes to complete.
10. When installation is complete, remove the CD. Press Enter to reboot.

Initial Configuration of IPS-1 Sensors
Upon initial boot of an IPS-1 Power Sensor, follow the instructions in “Initial Configuration of IPS-1 Power Sensor” on page 111.

Upon initial boot of a freshly installed IPS-1 Sensor, including a new regular (non-Power) preinstalled appliance, configure it as follows:
1. Log in with username: admin and password: admin.
2. When prompted, change the password and (optionally) the username.
3. Run: sysconfig
   The first-time system configuration wizard begins. Press n to proceed to the next menu.
4. The Network Configuration menu options appear. Use the menu options to configure:
   • The hostname
   • The domain name and at least one DNS server
   • The management interface
5. Once Network Configuration is complete, press n to continue to Time and Date Configuration. Configure the following:
   • Date
   • Time and time zone
   • Show date and time settings
   Enter n.
   Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see “Configuring NTP on SecurePlatform” on page 114.
6. Configure the following Alerts Concentrator options for the Sensor:
   • IP address of the primary Alerts Concentrator. For Alerts Concentrator High Availability, type an IP address of a second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.
   • An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.
   • Select Next.

7. Configure the Operating Mode options. For each field, select the field with the Enter key, and select the appropriate value. For more information on Sensor modes, see the IPS-1 Administration Guide.
   • Operating Mode - one of the following:
     • IDS (passive): intrusion detection, no prevention. Packets do not pass from one interface to another.
     • IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.
     • IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.
     • IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.
   • Inline Pair(s) - pairs of monitoring interfaces. Depending on your hardware, you may need to define the interface pairs that you will be using.
   • Management Interface - displays (read-only) the IP address configured in the operating system.
   Select Next.
8. Select Next to complete the wizard.
The IPS-1 Sensor is now installed and configured. You can modify the Sensor’s settings at any time by running the cpconfig command. Continue to “Post-Installation Steps” on page 114.

Initial Configuration of IPS-1 Power Sensor
Configure a freshly delivered or reinstalled IPS-1 Power Sensor as follows:
1. Log in as user ips1 with the displayed password.
2. Set a new login password.
3. Set the date and (optionally) define an NTP server.
4. Set the following:
   • Hostname and domain name
   • The Sensor’s IP information
   Select Next.
5. Set the following:

   • The IP address of the Primary Alerts Concentrator, and, for an Alerts Concentrator High Availability deployment, the IP address of the second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.
   • An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.
   Select Next.
6. Press Enter to see the following available operation modes:
   • IDS (passive): intrusion detection, no prevention. Packets do not pass from one interface to another.
   • IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.
   • IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.
   • IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.
   For more information about Sensor modes, see the IPS-1 Administration Guide. Select an operation mode and select Next.
7. The system reboots.
The IPS-1 Power Sensor uses an internal network between components. The network address for this network is preset to 10.10.10.0/24. If this conflicts with your network addressing (for example, the Alerts Concentrator or Sensor are in a network with that same address), reconfigure the internal network address as follows:
a. Log into the IPS-1 Power Series appliance as admin. The password is the same as for the nfr user.
b. At the prompt, type: configure system
c. At the next prompt, type: set mccp subset address <address>
   where <address> is an available 24-bit network address (for example, 192.168.1.0), and follow the instructions.
Note - You can modify the Sensor’s settings at any time by logging on as the ips1 user. Reconfiguring the internal network address is the only reason you should ever need to log in as admin to a Power Sensor.
The IPS-1 Power Sensor is now configured. Continue to “Post-Installation Steps” on page 114.

IPS-1 Management Dashboard Installation
IPS-1 Dashboard is a Java application and is supported on:
• Windows 2000 Professional with SP4
• Windows XP Professional with SP2
IPS-1 Dashboard can be installed from CD2. The installation files are also located on CD6 of the media pack in: windows\CPipsClient. Run the setupwin32 executable.
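The conflict test from the Power Sensor procedure above (the preset 10.10.10.0/24 internal network versus the Sensor's and Alerts Concentrators' own addresses), worked through as an added example. This is not code from the Check Point guide; the candidate replacement networks and the host addresses are constructed for illustration, and 192.168.1.0 is the guide's own example replacement.

```python
"""Check the IPS-1 Power Sensor's preset internal network (10.10.10.0/24)
against the Sensor's management address and its Alerts Concentrator(s), and
pick a non-overlapping /24 for "set mccp subset address".

Added example, not part of the Check Point guide. The candidate list and the
addresses in the __main__ block are constructed.
"""
import ipaddress

PRESET_INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")

# Candidate replacement networks, tried in order (constructed list). The
# preset comes first so it is kept whenever it does not conflict.
DEFAULT_CANDIDATES = ("10.10.10.0/24", "192.168.1.0/24", "172.16.250.0/24")


def conflicting_hosts(internal_net, hosts):
    """Return the entries of `hosts` whose network overlaps `internal_net`.

    Each entry is an address with an optional prefix ('192.0.2.10' or
    '192.0.2.10/24'). A bare address is treated as a /32; an address with a
    prefix is widened to its whole subnet, because a Sensor whose management
    interface sits anywhere in 10.10.10.0/24 conflicts with the preset.
    """
    hits = []
    for h in hosts:
        net = ipaddress.ip_network(h, strict=False)
        if net.version == internal_net.version and net.overlaps(internal_net):
            hits.append(h)
    return hits


def choose_internal_net(hosts, candidates=DEFAULT_CANDIDATES):
    """Return the first candidate /24 that overlaps none of `hosts`, or None."""
    for c in candidates:
        net = ipaddress.ip_network(c)
        if net.prefixlen != 24:
            raise ValueError(f"{c}: the internal network must be a 24-bit network")
        if not conflicting_hosts(net, hosts):
            return str(net)
    return None


def reconfigure_command(net):
    """Build the command from step c above: the argument is the network
    address alone (for example 192.168.1.0), not the prefix length."""
    network = ipaddress.ip_network(net)
    if network.prefixlen != 24:
        raise ValueError("set mccp subset address expects a 24-bit network")
    return f"set mccp subset address {network.network_address}"


if __name__ == "__main__":
    # Constructed addressing plan: management interface inside 10.10.10.0/24,
    # one Alerts Concentrator elsewhere.
    plan = ["10.10.10.5/24", "192.0.2.10"]
    clash = conflicting_hosts(PRESET_INTERNAL_NET, plan)
    print("conflicts with preset:", clash)
    if clash:
        print("use:", reconfigure_command(choose_internal_net(plan)))
```

The check widens a management address given with its netmask to the whole subnet, so a Sensor at 10.10.10.5/24 is reported even though the single address 10.10.10.5 is not the network address; if every candidate conflicts, the function returns None rather than silently keeping the preset.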

Post-Installation Steps
In This Section:
Configuring NTP on SecurePlatform  page 114
Completing IPS-1 Management Setup  page 115
Completing IPS-1 Sensor Setup  page 119

Once the IPS-1 components have been installed, one of the following procedures may be required before deploying them in the network.

Configuring NTP on SecurePlatform
IPS-1 components rely on Network Time Protocol (NTP) to coordinate the time on each component. Use the following commands to configure and manage NTP.

ntp
Configure and start the Network Time Protocol polling client.
Syntax
ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]
ntp -n <interval> <server1> [<server2>[<server3>]]
Parameters
Table 6-2 ntp Parameters
parameter      meaning
MD5_secret     pre-shared secret used to authenticate against the NTP server; use “-n” when authentication is not required.
interval       polling interval, in seconds
server[1,2,3]  IP address or resolvable name of NTP server

ntpstop
Stop polling the NTP server.
Syntax
ntpstop

ntpstart
Start polling the NTP server.
Syntax
ntpstart

Completing IPS-1 Management Setup
In This Section:
First Login  page 115
The Setup IPS-1 Wizard  page 116

First Login
After installation, your initial login user name is: admin, and the password is the one you entered during the IPS-1 Management Server installation. Begin managing the IPS-1 system as follows:
1. Use the following command to verify that the IPS-1 Server (or Alerts Concentrator) processes are running:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Run: /etc/init.d/ips1 start

2. On the client computer, start the IPS-1 Management Dashboard. A login window appears:
3. Type your username and password, and specify the IPS-1 Server’s IP address or resolvable hostname. By default, the port number is 8443.
   Note - The default username is admin. The default username for prior versions of IPS-1 is nfr. When upgrading from a previous version of IPS-1, log in with the pre-existing usernames.
4. If you are trying to connect to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server’s connection and authentication information. Note that for Digest Proxy only HTTP is supported, not HTTPS.
5. Upon first login, you are prompted to Verify IPS-1 Management Server Certificate. If you are sure the presented certificate is coming from your IPS-1 Management Server, click Trust for the IPS-1 Management Dashboard on the host you are working on to trust this IPS-1 Management Server in the future.

The Setup IPS-1 Wizard
If additional initial configuration is required, the Setup IPS-1 wizard starts after the initial login. The following sections explain the wizard pages that may appear.

Manage Licenses
A freshly installed IPS-1 Management Server comes with a fifteen day trial license. If the trial license has expired, you must add an IPS-1 Management Server license obtained from Check Point’s User Center in order to continue working with IPS-1. All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server’s IP address.

To add a license:
1. Copy your license string, obtained from Check Point’s User Center, to the clipboard. A license string will include the following:
   cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx
2. In the License Manager, click Add.
3. Populate the fields by clicking Paste License. Click OK. The added license appears in the license list. Click Next to continue to the Add Alerts Concentrators page.

Add Alerts Concentrators
Alerts Concentrators can be added now or later, but you must have at least one to proceed. In a Combined Deployment, the Alerts Concentrator installed with the Server will automatically be added. In a Distributed Deployment, to add an Alerts Concentrator:
1. Click New.

The New Alerts Concentrator window appears: Configure the Alerts Concentrator settings as follows:
2. In the Host field, type the Alerts Concentrator’s IP address or resolvable hostname.
   Note - Entering the Alerts Concentrator’s IP address is preferred to better protect against DNS spoofing.
3. Type and confirm the activation key that you specified during the Alerts Concentrator installation.
   Note - If you don’t have the activation key, log onto the Alerts Concentrator and set the activation key via the set_activation_key command.
4. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy’s connection and authentication information.
5. Make sure Receive Alerts is On.

6. If this Alerts Concentrator or the IPS-1 Server’s communication with it might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server first attempts to retrieve the Help Text from another Alerts Concentrator.
7. Click OK. The Alerts Concentrator is added.

Completing IPS-1 Sensor Setup
Once the IPS-1 Sensor is installed and configured, it needs to be added in the IPS-1 Management Dashboard, for it to be managed and monitored by IPS-1 management. In Policy Manager, add the Sensor to the IPS-1 system, as follows:
1. In Policy Manager’s Sensors and Concentrators tab, select the Alerts Concentrator to which you are adding the new Sensor and click New Sensor. The Add New Sensor window appears:
2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.

3. Type the Sensor’s IP address or resolvable Hostname.
4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor’s Management Menu. Click Next.
   Note - You can reset the Activation key on the Sensor with the cpconfig command, or, in the case of an IPS-1 Power Sensor, by logging in as the nfr user.
5. Click New to assign descriptive names to your interfaces. The Edit Interface Description window appears: Enter the raw interface name as it is listed in the Sensor, and enter the descriptive name that you want to assign to that interface. Click OK.
6. Once you have finished modifying the names of the interfaces, click Next.
7. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values and use the arrow buttons in the middle of the window to add, remove or change the order of the addresses in the list of Selected Host Types. If your network does not appear in the Recently Used Values list, type the network address and netmask information into the field at the bottom of the window and press Enter.
8. When all of your network addresses are listed in the Selected Host Types, click Next.
9. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values and use the arrow buttons in the middle of the window to add or remove addresses from the list of Selected Host Types. If your broadcast address does not appear in the Recently Used Values list, type the broadcast address into the field at the bottom of the window and press Enter. When all of your broadcast addresses are listed in the Selected Host Types, press Finish to add the new Sensor to the Alerts Concentrator.

10. To apply the changes, click Install Policy.
For configuring protections and other settings, see the IPS-1 Administration Guide.
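The Manage Licenses page earlier in this section states that a license must have been generated for the IPS-1 Management Server's IP address and shows the shape of a license string. The following added example (not code from the Check Point guide) parses that template and flags a string that is bound to a different address or has passed its date, so the mismatch is caught before the string is pasted into the License Manager. Two details are assumptions, not stated by the guide: that the date field (1Jan2001 in the template) is the license expiration date, with the word "never" for a perpetual license, and that the fields after the signature are the product list, of which the template's CPMP-IPS entry is the IPS-1 product. The license string used below is constructed and is not a valid license.

```python
"""Parse and sanity-check an IPS-1 'cplic putlic' license string against the
management server's IP address.

Added example, not part of the Check Point guide. Field layout follows the
guide's template:
    cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx
Assumed (not stated by the guide): the date is the expiration date or
"never"; tokens after the signature are the product list.
"""
import ipaddress
import re
from datetime import date, datetime

# Four 9-character groups joined by '-', as in the template.
SIGNATURE_RE = re.compile(r"^[0-9A-Za-z]{9}(?:-[0-9A-Za-z]{9}){3}$")


def parse_license(line):
    """Split a 'cplic putlic ...' line into its fields.

    Raises ValueError for a string that does not follow the template.
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[:2] != ["cplic", "putlic"]:
        raise ValueError("not a 'cplic putlic' license string")
    host, expiry, signature, features = tokens[2], tokens[3], tokens[4], tokens[5:]
    try:
        host_ip = ipaddress.IPv4Address(host)
    except ValueError:
        raise ValueError(f"license host {host!r} is not an IPv4 address") from None
    if expiry.lower() == "never":  # assumed spelling for a perpetual license
        expiry_date = None
    else:
        try:
            expiry_date = datetime.strptime(expiry, "%d%b%Y").date()
        except ValueError:
            raise ValueError(f"unrecognised license date {expiry!r}") from None
    if not SIGNATURE_RE.match(signature):
        raise ValueError("signature is not four 9-character groups")
    return {"host": str(host_ip), "expiry": expiry_date,
            "signature": signature, "features": features}


def check_license(line, server_ip, today=None):
    """Return a list of problems; an empty list means the string is usable
    on the server at `server_ip`. `today` can be injected for deterministic
    checks; it defaults to the current date."""
    today = today or date.today()
    try:
        lic = parse_license(line)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    problems = []
    # The guide: licenses must be generated for the management server's IP.
    if lic["host"] != str(ipaddress.IPv4Address(server_ip)):
        problems.append(f"host mismatch: license is bound to {lic['host']}, "
                        f"server is {server_ip}")
    if lic["expiry"] is not None and today > lic["expiry"]:
        problems.append(f"expired on {lic['expiry'].isoformat()}")
    # Assumed from the template: the IPS-1 product entry starts with CPMP-IPS.
    if not any(f.startswith("CPMP-IPS") for f in lic["features"]):
        problems.append("no IPS-1 product (CPMP-IPS...) in feature list")
    return problems


if __name__ == "__main__":
    # Constructed string, not a valid license.
    sample = ("cplic putlic 192.0.2.10 1Jan2001 "
              "aaaaaaaaa-bbbbbbbbb-ccccccccc-ddddddddd CPMP-IPS-5-NGX 00-00000000000")
    for server in ("192.0.2.10", "198.51.100.4"):
        print(server, "->", check_license(sample, server) or "OK")
```

A host mismatch is the case the guide's note is about: a string generated for another address will be accepted by the paste dialog but will not license this server. Run the check with the management server's real address before adding the license.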

Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software. Information regarding configuration and deployment of IPS-1 can be found in the Check Point IPS-1 Administration Guide.
Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: http://support.checkpoint.com
Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.

Upgrade Section
This section covers upgrading to the current version.

Chapter 7 Introduction to the Upgrade Process
In This Chapter
Documentation  page 126
Contract Verification  page 126
Supported Upgrade Paths and Interoperability  page 127
Obtaining Software Installation Packages  page 128
Terminology  page 129
Upgrade Tools  page 131
Upgrading Successfully  page 131
Note - Only versions NGX R60 and above can be upgraded to R70.

Documentation
This guide covers all available upgrade paths for Check Point products from NGX R60 forward. Before you begin:
• Make sure that you have the latest version of this document by checking in the User Center at: http://support.checkpoint.com
• It is a good idea to have the latest version of the R70 Release Notes handy. Download them from: http://support.checkpoint.com
For a new features list, refer to the “R70 What’s New Guide”: http://support.checkpoint.com

Contract Verification
Contract verification is now an integral part of the Check Point licensing scheme. Before upgrading to the latest version, your licensing agreements are verified through the User Center. See “Service Contract Files” on page 133 for more information.

Supported Upgrade Paths and Interoperability
Management servers and gateways exist in a wide variety of deployments. Consult Table 7-1 and Table 7-2 to determine which versions of your management server and gateways can be upgraded to R70.

Upgrading Management Servers
The following management versions can be upgraded to Security Management server R70:

Table 7-1 Upgradeable management versions
Release  Version
NGX      R60, R60A, R61, R62, R65 (R65.4 not supported)
         R65 with HFA 30 with the Connectra NGX R66 Plug-in
         R65 with Messaging Security
         R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
         R65 with the SmartProvisioning Plug-in
         R65 UTM-1
         R65 Power-1

Backward Compatibility For Gateways
R70 supports backward compatibility for the following gateway versions:

Table 7-2 Supported gateways
Release            Version
NGX                R60, R60A, R61, R62, R65
InterSpect         NGX R60
Connectra          NGX R61, R62, R62CM, R66
UTM-1 Edge         7.5
Endpoint Security  7.0
Note - R70 cannot manage gateway versions NG, NG FP1, or NG FP2.
Note - R70 is only supported on IPSO 6.x and above.

Obtaining Software Installation Packages
• R70 software installation packages for:
  • Solaris
  • Windows
  • Linux
  • UTM-1/Power-1 appliances (SecurePlatform)
  are available on the product CD.
• R70 software packages for Nokia are available from: http://www.checkpoint.com/techsupport/downloads.jsp

Terminology
Advanced Upgrade: In order to avoid unnecessary risks, it is possible to migrate the current configuration to a spare server, leaving the production server intact. The upgrade process is then performed on the migrated server.
ClusterXL: A software-based load sharing and high availability solution for Check Point gateway deployments. It distributes traffic between clusters of redundant gateways so that the computing capacity of multiple machines may be combined to increase total throughput. In the event that any individual gateway becomes unreachable, all connections are re-directed to a designated backup without interruption. Tight integration with Check Point's Security Management server and security gateway solutions ensures that ClusterXL deployment is a simple task for security gateway administrators.
Distributed Deployment: A distributed deployment is performed when the gateway and the Security Management server are deployed on different machines.
Gateway or Check Point Gateway: A gateway is the software component which actively enforces the Security Policy of the organization.
In Place Upgrade: In Place upgrades are upgrades performed locally.
Package Repository: This is a SmartUpdate repository on the Security Management server that stores uploaded packages. These packages are then used by SmartUpdate to perform upgrades of Check Point Gateways.
SmartLSM Security Gateway: A Remote Office/Branch Office Gateway (formerly ROBO gateway).
ROBO Profile: An object that you define to represent properties of multiple ROBO gateways. Profile objects are version dependent; therefore, when you plan to upgrade ROBO gateways to a new version, first define new Profile objects for your new version. In general, it is recommended that you keep the Profile objects of the previous versions until all ROBO Gateways of the previous version are upgraded to SmartLSM Security gateways. For further information about defining a ROBO Profile, refer to the Check Point SmartProvisioning Administration Guide.
SmartProvisioning: Enables enterprises to easily scale, deploy, and manage VPNs and security for thousands of remote locations.
Security Policy: A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.

Security Management server: The Security Management server is used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the Security Management server, and are downloaded from time to time to the gateways.
SmartConsole Clients: The SmartConsole Clients are the GUI applications that are used to manage different aspects of the Security Policy. For example, SmartDashboard is a GUI client that is used to create Security Policies, and SmartView Tracker is a GUI client used to view logs.
SmartUpdate: A tool that enables you to centrally upgrade and manage Check Point software and licenses.
Standalone Deployment: A standalone deployment is performed when the Check Point components that are responsible for the management of the Security Policy (the Security Management server and the gateway) are installed on the same machine.

Upgrade Tools
Various upgrade tools are provided for migration and compatibility verification of your current deployment. These tools help you successfully upgrade to R70. The upgrade tools can be found in the following locations:
• in the R70 $FWDIR/bin/upgrade_tools directory.
• http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html

Upgrading Successfully
Note that:
• Check Point Suite Products before version NGX R60 cannot be upgraded to NGX R70.
• When upgrading a VPN-1 gateway to R70, remember to change the gateway's object in SmartDashboard to version R70. When upgrading NGX R65, SmartDefense profiles will remain in effect on pre-R70 gateways and can be managed from the IPS tab. The gateway will continue to enforce the previously configured SmartDefense profile, but the inspection will be conducted using the new IPS inspection engine. You can apply an R70 IPS profile to the upgraded gateway at any time.
• When upgrading a SmartCenter server to R70, only the following Plug-ins may be present: Connectra, VSX, SmartProvisioning, and Messaging Security. The presence of any other Plug-in will cause the upgrade process to fail.
  Warning - If you upgrade from NGX R65 (with Plug-ins) to R70, and later want to uninstall R70 (rollback to NGX R65), follow the instructions in sk37252 (http://supportcontent.checkpoint.com/solutions?id=sk37252) to avoid potential problems.
• If you encounter unforeseen obstacles during the upgrade process, contact your Reseller or consult the SecureKnowledge support center at: https://secureknowledge.checkpoint.com


Chapter 8 Service Contract Files
In This Chapter
Introduction  page 133
Working with Contract Files  page 134
Installing a Contract File on Security Management server  page 134
Installing a Contract File on a Gateway  page 143
Managing Contracts with SmartUpdate  page 155

Introduction
Before upgrading a gateway or Security Management server to R70, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on Security Management server and downloaded to security gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.

Working with Contract Files
As in all upgrade procedures, first upgrade your Security Management server or Provider-1/SiteManager-1 before upgrading the gateways. Once the management has been successfully upgraded and contains a contract file, the contract file is transferred to a gateway when the gateway is upgraded (the contract file is retrieved from the management).
Note - Multiple user accounts at the User Center are supported.

Installing a Contract File on Security Management server
The following section covers obtaining and installing the contract file for Security Management server:
• On a Windows Platform
• On SecurePlatform, Linux and Solaris
• On IPSO

On a Windows Platform
When upgrading Security Management server, the upgrade process checks to see whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed: You can:
• Download a contracts file from the User Center
  If you have Internet access and a valid user account, you may download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements and contains contract information for all of your accounts at the User Center.
  i. Click Next.

  ii. Enter your User Account credentials.
  If the connection succeeds but the downloaded contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
• Import a local contract file
  If the server being upgraded does not have Internet access, then:
  i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
  ii. Log in to the User Center.
  iii. Browse to Support.

  iv. On the Additional Services page, in the Service Contract File Download section, click Download Now:
  v. Transfer the downloaded file to the management server. After selecting Import a local contracts file, you can then browse to the location where you stored the contract file:

  If the contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
  vi. Click Next to continue with the upgrade process.
• Continue without contract information
  Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process: For more information, see “Managing Contracts with SmartUpdate” on page 155.

On SecurePlatform, Linux, and Solaris
When upgrading Security Management server, the upgrade process checks to see whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed: You can:
• Download a contracts file from the User Center
  If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
  • User name
  • Password

  • Proxy server address (if applicable)
  If the contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see “Managing Contracts with SmartUpdate” on page 155 for more information on using SmartUpdate).
• Import a local contract file
  If the server being upgraded does not have Internet access, then:
  i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
  ii. Log in to the User Center.
  iii. Browse to Support.

iv. On the Downloads page, click Download Now. Transfer the downloaded file to the management server. After selecting Import a local contracts file, enter the full path to the location where you stored the file.

If the contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 155 for more information on using SmartUpdate).

• Continue without contract information

Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process. For more information, see: “Managing Contracts with SmartUpdate” on page 155.

On IPSO

Contract verification on IPSO is not interactive. When upgrading an IPSO Security Management server to R70, the upgrade process will check to see if there is a valid contract already present on the Security Management server. If a contract is not present, the following message is displayed, and the upgrade process proceeds as normal:

The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, you may be in violation of your Check Point Licensing Agreement. For further details see: http://www.checkpoint.com/ngx/upgrade/contract/ At the earliest opportunity, obtain a valid contract file from the Check Point user center.

After successfully upgrading the gateway, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts).

Installing a Contract File on a Gateway

The following section covers obtaining and installing the contract file for gateways:

• On a Windows Platform
• On SecurePlatform, Linux and Solaris
• On IPSO

On a Windows Platform

After accepting the End User License Agreement (EULA), the following message is displayed:

After clicking Next, the upgrade process checks to see if a valid contract file is installed on the gateway. If no contract file exists, the upgrade process attempts to retrieve a contract file from the Security Management server that manages the gateway. If a contract file cannot be retrieved from the Security Management server, the main options for obtaining a contract file for the gateway are displayed:

You can:

• Download a contracts file from the User Center

If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the user center conforms with the terms of your licensing agreements.

i. Enter your User Account credentials.

If the connection succeeds but the downloaded contract file does not cover the gateway, the following message appears. However, this will not prevent the upgrade from taking place.

If a valid contract is available, the following message is displayed:

ii. After clicking Next, the upgrade process continues.

• Import a local contract file

If the server being upgraded does not have Internet access, then:

i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center.
iii. Browse to Support.

iv. On the Downloads page, in the Service Contract File Download section, click Download Now.
v. Transfer the downloaded file to the gateway.
vi. After selecting Import a local contracts file, you can then browse to the location where you stored the file. Click Next.

If the local contract file does not cover the gateway, the following message is displayed. However, this will not prevent the upgrade from taking place. If the contract file covers the gateway, the following message is displayed:

vii. Click Next to continue with the upgrade process.

• Continue without contract information

Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process. For more information, see: “Managing Contracts with SmartUpdate” on page 155.

On SecurePlatform and Linux

After accepting the End User License Agreement (EULA), the following message is displayed:

The upgrade process searches for a valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to retrieve the latest contract file from the Security Management server that manages the gateway. If a valid contract file is not located on the Security Management server, the main options for obtaining a contract file for the gateway are displayed:

You can:

• Download a contracts file from the User Center

If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the user center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:

• User name
• Password
• Proxy server address (if applicable)

If, according to information gathered from your User Center account, your gateway is not eligible for upgrade, the following message is displayed:

You may still upgrade the gateway but are advised to download a valid contract at a later date using SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 155 for more information on using SmartUpdate).

• Import a local contract file

If the server being upgraded does not have Internet access, then:

i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center.
iii. Browse to Support.
iv. On the Downloads page, in the Service Contract File Download section, click Download Now. Transfer the downloaded file to the gateway. After selecting Import a local contracts file, enter the full path to the location where you stored the file.

If the contract file does not cover the gateway, a message informs you that the gateway is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place.

• Continue without contract information

Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process. Once the upgrade is complete, contact your local support provider to obtain a valid contract. For more information, see: “Managing Contracts with SmartUpdate” on page 155.

On IPSO

Contract verification on IPSO is not interactive. When upgrading an IPSO gateway to R70, the upgrade process will check to see if there is a valid contract available on the Security Management server that manages the gateway. If none is available, the following message is displayed, and the upgrade process proceeds:

The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, you may be in violation of your Check Point Licensing Agreement. For further details see: http://www.checkpoint.com/ngx/upgrade/contract/ At the earliest opportunity, obtain a valid contract file from the Check Point user center.

After successfully upgrading the gateway, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts).

Managing Contracts with SmartUpdate

Once you have successfully upgraded Security Management server, you can use SmartUpdate to display and manage your contracts.

Managing Contracts

The License Repository window in SmartUpdate displays contracts as well as regular licenses. From the License management window, it is possible to see whether a particular license is associated with one or more contracts.

Clicking on a specific license shows the properties of the license. Clicking Show Contracts displays the contracts associated with this license.

Selecting a specific contract, then Properties, displays the contract’s properties, such as contract ID and expiration date as well as which licenses are covered by the contract.

Updating Contracts

Licenses & Contracts on the File menu has enhanced functionality for handling contracts:

• Licenses & Contracts > Update Contracts

This option installs contract information on Security Management server. Each time you purchase a new contract, use this option to make sure the new contract is displayed in the license repository.

• Licenses & Contracts > Get all Licenses

a. Collects licenses of all gateways managed by the Security Management server.
b. Updates the contract file on the server if the file on the gateway is newer.

Chapter 9
Upgrading a Distributed Deployment

In This Chapter

Introduction page 160
Upgrading the Security Management Server page 163
Upgrading the Gateway page 175

Introduction

This chapter describes the process of upgrading a distributed deployment to R70. A distributed deployment consists of at least one Security Management server and one or more gateways. The Security Management server and gateway do not reside on the same physical machine.

Since backward compatibility is supported, a Security Management server that has been upgraded to R70 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway.

The R70 Security Management server can manage the following gateways:

Release            Version
NGX                R60, R60A, R61, R62, R65
InterSpect         NGX R60
Connectra          NGX R61, R62, R62CM, R66
UTM-1 Edge         7.x and above
Endpoint Security  R60.5

R70 is not backwardly compatible with:

• VPN-1 Pro/Express NG
• VPN-1 Pro/Express NG FP1
• VPN-1 Pro/Express NG FP2

Pre-Upgrade Considerations

In This Section

Pre-upgrade Verification page 161
Web Intelligence License Enforcement page 161
Upgrading Products on a SecurePlatform Operating System page 162
UTM-1 Edge Gateways Prior to Firmware Version 7.5 page 162

Pre-upgrade Verification

Use of the Pre-Upgrade verification tool can reduce the risk of incompatibility with the deployment to R70. It is used to test the current gateway prior to upgrading to R70. The Pre-Upgrade verification tool produces a detailed report indicating the appropriate actions that should be taken before performing an upgrade to R70 (refer to “Using the Pre-Upgrade Verification Tool” on page 163).

Web Intelligence License Enforcement

A gateway or gateway cluster requires a Web Intelligence license if it enforces one or more of the following protections:

• Malicious Code Protector
• LDAP Injection
• SQL Injection
• Command Injection
• Directory Listing
• Error Concealment
• ASCII Only Request
• Header Rejection
• HTTP Methods

The actual license required depends on the number of Web servers protected by the gateway or gateway cluster. For NGX R60 and later versions, if the correct license is not installed, it is not possible to install a Policy on a gateway.

Upgrading Products on a SecurePlatform Operating System

When you upgrade from R60 (and above) to R70, both the SecurePlatform operating system and software components are upgraded. The process upgrades all of the installed components (Operating System and software packages) in a single upgrade process. No further upgrades are required. To upgrade products installed on SecurePlatform, refer to the “Security Management Server Upgrade on SecurePlatform” on page 166.

UTM-1 Edge Gateways Prior to Firmware Version 7.5

By default, Security Management server R70 is compatible with UTM-1 Edge gateways 7.5 and above. It is recommended that UTM-1 Edge gateways should be at least version 7.5.

Enabling Policy Enforcement on UTM-1 Edge Gateways Pre-Firmware version 7.5

To enforce policies on earlier versions of UTM-1 Edge gateways, the following workaround is needed:

Note - Once the workaround is complete, features new to R70 may not be available on the gateway.

1. In a text editor, open the:
• /var/opt/CPEdgecmp/conf/SofawareLoader.ini file for Solaris, or
• c:\Program Files\CheckPoint\Edgecmp\R70\SofawareLoader.ini file in Windows.
2. In the [Server] section, add the following: TopologyOldFormat=1
3. Save and close the file. The change takes effect without running the commands cpstop and cpstart.
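The manual edit above is easy to get wrong on a fleet of management servers (key placed under the wrong section, or duplicated on a second run). The following is an added example, not code from the Check Point guide, that applies the same workaround from a shell: it adds TopologyOldFormat=1 to the [Server] section of a SofawareLoader.ini, rewrites the value if the key is already there, creates the section if the file has none, and keeps a .bak copy. The sample INI contents in the demo are constructed and hypothetical; the file path and section name come from the guide.

```shell
# Added example (not from the Check Point guide): idempotently add
# TopologyOldFormat=1 to the [Server] section of a SofawareLoader.ini file,
# keeping a backup and leaving every other line untouched.
# Usage: enable_topology_old_format /var/opt/CPEdgecmp/conf/SofawareLoader.ini

enable_topology_old_format() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    # Keep a copy of the original so the workaround can be backed out.
    cp -p "$ini" "$ini.bak" || return 1
    tmp="$ini.tmp.$$"
    awk '
        # A line of the form [Name] starts a new section.
        /^[[:space:]]*\[[^]]*\][[:space:]]*$/ {
            # Leaving [Server] without having seen the key: append it here.
            if (in_server && !done) { print "TopologyOldFormat=1"; done = 1 }
            in_server = ($0 ~ /^[[:space:]]*\[Server\][[:space:]]*$/)
            print; next
        }
        # Key already present in [Server]: force the value to 1, do not duplicate.
        in_server && /^[[:space:]]*TopologyOldFormat[[:space:]]*=/ {
            print "TopologyOldFormat=1"; done = 1; next
        }
        { print }
        END {
            # [Server] was the last section, or the file had no [Server] at all.
            if (!done) {
                if (!in_server) print "[Server]"
                print "TopologyOldFormat=1"
            }
        }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# Demo on a constructed sample file (hypothetical contents, not a real
# SofawareLoader.ini), so the function can be exercised without an Edgecmp host.
demo_dir=$(mktemp -d)
demo_ini="$demo_dir/SofawareLoader.ini"
printf '[General]\nLogLevel=3\n\n[Server]\nPort=981\n\n[Other]\nX=1\n' > "$demo_ini"
enable_topology_old_format "$demo_ini"
cat "$demo_ini"
```

Because the guide states that the change takes effect without cpstop/cpstart, the function deliberately restarts nothing; diff the file against the .bak copy before relying on it.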

Upgrading the Security Management Server

This section describes how to upgrade a Security Management server to R70. Upgrades can be performed incrementally so that you do not have to upgrade the Security Management server and all of the gateways at the same time. Once the Security Management server is upgraded, you can still manage gateways from the previous version, even though the gateways may not support the new features. You can upgrade the gateways at your convenience.

There are two upgrade methods available for the Security Management server:

• Upgrade your Production Security Management server

Perform the upgrade process on the production Security Management server (refer to the procedures in this section).

• Migrate and Upgrade to a New Security Management server

Perform a migration process (refer to “Migrate Your Current Gateway Configuration & Upgrade” on page 242) of the currently installed version to a new server, and upgrade the migrated system.

Using the Pre-Upgrade Verification Tool

Pre-upgrade verification runs automatically (or manually if desired) during the upgrade process. It is used to test the current Security Management server prior to upgrading to R70. Use of the Pre-Upgrade verification tool can reduce the risk of incompatibility with the deployment to R70. Pre-upgrade verification performs a compatibility analysis of the currently installed Security Management server and its current configuration. A detailed report is provided, indicating appropriate actions that should be taken before and after the upgrade process. On SecurePlatform and Linux, running the patch add cd command presents three options, one of which is: Run the pre-upgrade verification script.
The Pre-Upgrade verification tool produces a detailed report indicating the appropriate actions that should be taken before performing an upgrade to R70 (refer to “Using the Pre-Upgrade Verification Tool” on page 163).

Usage:

pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w]

or

pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -i [-f FileName] [-w]

-p  Path of the installed SmartCenter Server (FWDIR)
-c  Currently installed version
-t  Target version
-i  Check originality of INSPECT files only
-f  Output in file
-w  Web format file

Where the currently installed version is one of the following:

For Release NGX, Version is: NGX_R65, NGX_R62, NGX_R61, NGX_R60A, NGX_R60

The target version is: R70.

Action Items Before and After the Pre-Upgrade Process

• errors - Items that must be repaired before and after performing the upgrade. If you proceed with the upgrade while errors exist, the upgrade will fail.
• warnings - Items that you should consider repairing before and after performing the upgrade.

Security Management Server Upgrade on a Windows Platform

This section describes the upgrade process using the R70 CD. It is recommended to back up your current configuration before you perform the upgrade process. For additional information, refer to: “Backup and Revert for Security Gateways” on page 185. If a situation arises in which a revert to your previous configuration is required, refer to “Revert” on page 194 for details.

Pre-upgrade verification performs a compatibility analysis of the currently installed Security Management server and of its current configuration. A detailed report is provided, indicating appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.

To perform an upgrade on a Windows platform:

1. Access your R70 CD.
2. Execute the Installation package.
3. After accepting the EULA, verify your contract information. For more information on contracts, see: “Installing a Contract File on Security Management server” on page 134.
4. From the Upgrade Options screen, select Upgrade.
5. When prompted, select whether or not the Pre-upgrade verification tool should be executed (refer to “Using the Pre-Upgrade Verification Tool” on page 163).
6. When the pre-upgrade verification recommendation appears, from the Upgrade Options screen, select Upgrade again. Another verification is run.
7. When prompted, reboot your Security Management server.

Uninstalling Packages

Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it should be the last package uninstalled.

Security Management Server Upgrade on SecurePlatform

Upgrading to R70 on a SecurePlatform operating system requires updating both the operating system and the installed software products using the WebUI. Refer to the CheckPoint R70 SecurePlatform/SecurePlatformPro Administration Guide for additional information. The procedure in this section applies to the NGX management versions:

• R65
• R62
• R61
• R60A
• R60

The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 195 for details.

To perform an upgrade on a SecurePlatform:

1. Insert CD1 of the R70 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform R70 Upgrade Package (CPspupgrade_<version_number>.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.

Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.

6. The welcome message is displayed. Enter n.
7. Accept the license agreement, and verify your contract information. For more information on contracts, see: “On SecurePlatform, and Linux” on page 150.

8. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD.
9. Three upgrade options are displayed:

• Upgrade
• Export the configuration
• Perform pre-upgrade verification only

i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the configuration. The exported configuration is automatically imported during the upgrade process.
iii. Upgrade the installation.

10. Enter c to agree to the license upgrade. Select one of the following:

• Enter [L] to view the licenses installed on your machine.
• Enter [S] to simulate the license upgrade.
• Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
• Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
• Enter [C] to check if currently installed licenses have been upgraded.
• Enter [Q] to quit.

11. Open SmartUpdate and attach new licenses to the gateways. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it should be the last package uninstalled. Run the rpm -e <package name> to view a list of all the installed packages.

Gateway Upgrade on a UTM-1/Power-1 Appliance

Upgrading to R70 can only be done using the WebUI.

To upgrade your appliance using the WebUI:

1. Download an upgrade package.
2. Click Upload upgrade package to appliance. The Upload Package to Appliance window opens.
3. Browse to the upgrade (tgz) file and select it.
4. Click Upload and wait until the package uploads.
5. Select the upgrade package file. The Current Upgrade File on Appliance section displays the information of the current upgrade.
6. Click Start Upgrade.
7. The Save an Image before Upgrade page displays the image information. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful. Click Next.
8. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image. Click Next.
9. To begin the upgrade, click Start.
10. … as directed.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it will be the last package uninstalled. Run the rpm -e <package name> to view a list of all the installed packages.

Security Management Server Upgrade on a Solaris Platform

This section describes the upgrade process using the R70 CD. It is recommended that you back up your current configuration before you perform an upgrade process. For additional information, refer to: “Backup and Revert for Security Gateways” on page 185. If a situation arises in which a revert to your previous configuration is required, refer to “Revert” on page 194 for details.

Although the R70 upgrade utilities are on the R70 CD, it is recommended to download the latest tools from the Check Point website at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html

To perform an upgrade on a Solaris machine in a production environment:

1. Insert CD3 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript.
3. The wrapper welcome message is displayed. Enter n.
4. Enter y to agree to the End-user License Agreement, and verify your contract information. For more information on contracts, see: “On SecurePlatform, and Linux” on page 150.
5. Select a source for the upgrade utilities.
6. Select upgrade. To perform the upgrade, select Upgrade installed products. To install additional products, select Upgrade installed products and install new products. (It is also possible to upgrade using an imported configuration.)
7. You are prompted to select the products from a list. Enter n.
8. Enter n to validate the products to install.
9. The pre-upgrade verification process runs automatically. View the results and follow any recommendations. Then, run the pre-upgrade verifier again. This message is displayed: The pre-Upgrade Verification was completed successfully. Your configuration is ready for upgrade. Enter n.
10. The products are upgraded. Wait until the successful message is displayed.

11. Enter e to exit.
12. Reboot.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it will be the last package uninstalled. Run the pkgrm command to view a list of the installed packages.

Security Management Server Upgrade on a Linux Platform

This section describes the upgrade process using the R70 CD. It is recommended that you back up your current configuration, before you perform an upgrade process. Although the R65 upgrade utilities are on the R70 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html

To perform an in-place upgrade:

1. Insert CD1 of the R70 media kit into the CD drive.
2. From the root directory, run UnixInstallScript.
3. The wrapper welcome message is displayed. Enter n.
4. Enter y to agree to the End-user License Agreement, and verify your contract information. For more information on contracts, see: “On SecurePlatform, and Linux” on page 150.
5. Select a source for the upgrade utilities.
6. Select upgrade. To perform the upgrade, specify Upgrade installed products. To install new products, select Upgrade installed products and install new products.
7. Select the products, and enter n.
8. Enter n to validate the products to install.
9. The pre-upgrade verification process runs automatically. View the results and follow any recommendations. Then, run the pre-upgrade verifier again. This message is displayed: The pre-Upgrade Verification was completed successfully. Your configuration is ready for upgrade. Enter n.
10. The products are upgraded.
11. Enter e to exit.
12. Reboot.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run the rpm -e <package name> to view a list of the installed packages.
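The "uninstall in reverse order" rule appears in each of the SecurePlatform, UTM-1/Power-1, Solaris and Linux sections above, and it depends on knowing the install order rather than guessing it. On RPM-based systems, rpm -qa --last prints installed packages newest-first (rpm -e removes a package rather than listing anything), so its output already is the removal order the guide asks for. The following is an added example, not code from the Check Point guide: it filters such a listing down to Check Point packages and prints a dry-run removal plan, refusing to emit one in which CPsuite would not be removed last. The package names and timestamps in the sample listing are constructed and hypothetical.

```shell
# Added example (not from the Check Point guide): derive a safe removal order
# for Check Point RPMs from "rpm -qa --last", which lists packages newest-first.
# Removing in that order takes CPsuite (the first package installed) last.
# Package names in the constructed sample below are hypothetical.

cp_uninstall_order() {
    # Reads "rpm -qa --last" output on stdin; prints CP* package names,
    # most recently installed first. Only the first field (the package) is used.
    awk '$1 ~ /^CP/ { print $1 }'
}

cp_uninstall_plan() {
    # Prints the rpm -e commands to run, one per line, without executing them,
    # and refuses to produce a plan in which CPsuite is not the last package.
    order=$(cp_uninstall_order)
    [ -n "$order" ] || { echo "no Check Point packages found" >&2; return 1; }
    last=$(printf '%s\n' "$order" | tail -n 1)
    case "$last" in
        CPsuite*) ;;
        *) echo "refusing: CPsuite is not last in install order ($last)" >&2; return 1 ;;
    esac
    printf '%s\n' "$order" | sed 's/^/rpm -e /'
}

# Constructed sample of "rpm -qa --last" output (newest first); not real data.
SAMPLE_RPM_LAST='CPportal-R65-00.i386        Wed 06 May 2009 11:02:15 AM IDT
CPedgecmp-R65-00.i386       Wed 06 May 2009 11:01:40 AM IDT
openssl-0.9.7a-43.16.i386   Tue 05 May 2009 09:50:02 AM IDT
CPsuite-R65-00.i386         Tue 05 May 2009 09:48:11 AM IDT'

# On a real host: rpm -qa --last | cp_uninstall_plan
printf '%s\n' "$SAMPLE_RPM_LAST" | cp_uninstall_plan
```

The plan is printed, not executed, so it can be reviewed against the list of packages actually present before any rpm -e is run by hand.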

Security Management Server Upgrade on an IPSO Platform

Before beginning the upgrade process:

• It is recommended that you back up your current configuration, in case the upgrade process is unsuccessful. IPSO has its own backup and restore facility. For additional information, refer to the Nokia Network Voyager Reference Guide. If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 195 for details.
• Download and run the pre-upgrade verifier (PUV) for IPSO from: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html For details on using the PUV, refer to “Using the Pre-Upgrade Verification Tool” on page 163.

Note - For R70, you must first install IPSO 6.0.

To perform an upgrade on an IPSO Platform:

1. From the Check Point website, download the R70 upgrade package: IPSO_Wrapper_<version_number>.tgz
2. Enter the Network Voyager and open a CLI console.
3. Click System Configuration > Install New IPSO Image (Upgrade). The New Image Installation Upgrade window opens.
4. Enter the following information:
Enter URL to the image location
Enter HTTP Realm (for HTTP URLs only)
Enter Username (if applicable)
Enter Password (if applicable)
5. Click Apply. You are informed that the file download and image installation may take some time.
6. Click Apply.

7. Click the provided link to get the upgrade status. The new image installation process begins.
8. When the upgrade is complete, click the link to the IPSO Image Management page. The IPSO Image Management window opens. You should be able to see that the relevant IPSO Image is selected.
9. Under the title Select an image for next boot, select the last downloaded image.
10. Click Test Boot.
11. Access the CLI console to see when the Reboot is complete.
12. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly. If you are not returned to the last window you were in, click Refresh and log in.
13. In the Network Voyager, click System Configuration > Manage IPSO Images.
14. Select Commit testboot and click Apply.
15. Perform an FTP using bin mode to transfer the IPSO_Wrapper_<version_number>.tgz package.
16. Access the CLI console and log in.
17. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter. This command:
• Deactivates previous Check Point packages but does not delete them.
• Finds the upgrade tools in $FWDIR and performs an import/export operation to preserve the previous configuration.
When the process is complete, you should receive a message indicating that the process was successful, along with a reminder to update your contract information. For more information on contracts, see: “On IPSO” on page 154.
18. Log off the console connection, and then log back on to set the environment variables.
19. Start the installed products by running cpstart.

Note - The previous Check Point packages remain installed but deactivated. Should the need arise, the previous packages can be activated through the Network Voyager.

Upgrading the Gateway

There are two upgrade methods available:

• SmartUpdate Upgrade: Allows you to centrally upgrade and manage Check Point software and licenses.
• Local Upgrade: Performs a local upgrade on the gateway itself.

In This Section

Upgrading a Clustered Deployment page 175
Upgrading the Gateway Using SmartUpdate page 176
Gateway Upgrade Process on a Windows Platform page 180
Gateway Upgrade on SecurePlatform page 182
Gateway Upgrade on an IPSO Platform page 183

Upgrading a Clustered Deployment

You can select one of the following options, when upgrading a Clustered deployment:

• Minimal Effort Upgrade: Select this option if you have a period of time during which network downtime is allowed. The minimal effort method is much simpler because the clusters are upgraded as gateways and therefore can be upgraded as individual gateways.
• Zero Downtime: Select this option if network activity is required during the upgrade process. The zero downtime method assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic.

For additional information, refer to “Upgrading ClusterXL Deployments” on page 213.

Upgrading the Gateway Using SmartUpdate

SmartUpdate is an optional module that automatically distributes software packages and remotely performs upgrades of gateways and various OPSEC products. It provides a centralized means to guarantee that the latest software versions are used throughout the enterprise network. SmartUpdate takes time-consuming tasks, which could otherwise be performed only by experts, and turns them into simple point and click operations. For IPSO and SecurePlatform, this feature also allows you to upgrade your operating system as a part of your upgrade. In addition, SmartUpdate's “Upgrade all Packages” supports HFAs, i.e., it will suggest upgrading the gateway with the latest HFA if a HFA package is available in the Package Repository.

The following products can be upgraded to R70:

• NGX level Gateways
• SecurePlatform
• Performance Pack
• SmartView Monitor (as part of the R70 software package)
• Eventia Reporter
• UserAuthority Server
• PolicyServer (as part of the R70 software package)
• QoS (as part of the R70 software package)
• Nokia OS
• UTM-1/Power-1

SmartUpdate Options

SmartUpdate is the primary tool used for upgrading Check Point gateways. The following features and tools are available in SmartUpdate:

• Upgrade All Packages: This feature allows you to upgrade all packages installed on a gateway. In R70, "Upgrade All" is the recommended method; there is also an advanced method to install (distribute) packages one by one.
• Add Package to Repository: SmartUpdate provides three “helper” tools for adding packages to the Package Repository:
• From CD: Adds a package from the Check Point CD.
• From File: Adds a package that you have stored locally.

  • From Download Center: Adds a package from the Check Point Download Center.
• Check for Updates: This feature, available from the SmartDashboard Tools menu, locates the latest HFA on the Check Point Download Center, and adds it to the Package Repository.
• SmartUpdate's Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or for your entire enterprise.

Configuring the Security Management Server for SmartUpdate
To configure the Security Management server for SmartUpdate:
1. Install the latest version of SmartConsole, including SmartUpdate.
2. Define the remote Check Point gateways in SmartDashboard (for a new Security Management server installation).
3. Verify that your Security Management server contains the correct license to use SmartUpdate.
4. Verify that the Administrator SmartUpdate permissions (as defined in the cpconfig configuration tool) are Read/Write.
5. To enable SmartUpdate connections to the gateways, make sure that Policy Global Properties > FireWall > Firewall Implied Rules > Accept SmartUpdate Connections (SmartUpdate) is selected. By default, it is selected.

Add Packages to the Package Repository
Use SmartUpdate to add packages to and delete packages from the Package Repository:
• directly from the Check Point Download Center website (Packages > Add > From Download Center...).
• by adding them from the Check Point CD (Packages > Add > From CD...).
• by importing a file (Packages > Add > From File...).
When adding the package to the Package Repository, the package file is transferred to the Security Management server. The Package Repository is then updated to show the new package object.

Gateway Upgrade Process Using SmartUpdate
To update a gateway using SmartUpdate:
1. From SmartUpdate > Packages > Upgrade All Packages select one or more gateways and click Continue. The Upgrade All Packages window opens, and in the Upgrade Verification list you can see which gateways can or cannot be upgraded.
  • For an explanation as to why a gateway cannot be upgraded, select the relevant gateway and click the Details button.
  • To see a list of which packages will be installed on the gateways that can be upgraded, select the gateway and click the Details button.
2. From the list provided, select the gateways that can be upgraded and click Upgrade. The Operation Status pane opens and shows the progress of the installation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window, which shows the operation history. When the Operation Status window opens, you can verify the success of the operation.
Note - The Allow reboot... option (selected by default) is required in order to activate the newly installed packages.

The following operations are performed during the installation process:
• The Check Point Remote Installation Daemon connects to the Check Point gateway.
• Verification for sufficient disk space.

• Verification of the package dependencies.
• The package is transferred to the gateway if it is not already there.
• The package is installed on the gateway.
• The gateway is rebooted if the Allow Reboot... option was selected and the package requires it.
• Enforcement policies are compiled for the new version.
• The gateway version is updated in SmartDashboard.
• The installed packages are updated in SmartUpdate.

Gateway Upgrade Process on a Windows Platform
This section describes the upgrade process using the R70 Installation CD.
To upgrade a gateway in a Windows platform:
1. Access your R70 CD.
2. Execute the Installation package.
3. From the Upgrade Options screen, select Upgrade.
4. Select one of the following upgrade options:
  • Download Most Updated Upgrade Utilities (recommended method). This download provides the most recent upgrade code available.
  • Use the CD version. This method is useful when Internet access is not available from the Security Management server machine.
  • I have already downloaded and extracted the Upgrade Utilities. The files are on my local disk. This option should be used when software packages have been previously downloaded.
5. When the pre-upgrade verification recommendation appears, select whether or not the Pre-upgrade verification tool should be executed (refer to "Using the Pre-Upgrade Verification Tool" on page 163). The Pre-upgrade verification tool performs a compatibility analysis of the currently installed gateway and its current configuration. A detailed report is provided, indicating the appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.
6. From the Upgrade Options screen, select Upgrade again. Another verification is run.
7. When prompted, reboot the gateway.

8. When the upgrade process is complete, do the following:
  a. Using SmartDashboard, log in to the R70 Security Management server that controls the upgraded gateway.
  b. Open the gateway object properties window that represents the upgraded gateway and change the version to R70.
  c. Perform Install Policy on the upgraded gateway.
If a situation arises in which a revert to your previous configuration is required, refer to "Reverting to Your Previous Deployment" on page 195 for details.

Gateway Upgrade on SecurePlatform
Upgrading to R70 on a SecurePlatform operating system requires updating both operating system and software products installed. SecurePlatform users should follow the relevant SecurePlatform upgrade process. The upgrade process is supported for:
• R65
• R62
• R61
• R60A
• R60
The process described in this section upgrades all components (Operating System and software packages) in a single upgrade process. No further upgrades are required. The single upgrade package contains all necessary software items. If a situation arises in which a revert to your previous configuration is required, refer to "Reverting to Your Previous Deployment" on page 195 for details.

Upgrading SecurePlatform Using a CD ROM
This section describes how to upgrade SecurePlatform using a CD ROM drive.
To upgrade SecurePlatform using a CD:
1. Log in to SecurePlatform (expert mode is not necessary).
2. Apply the SecurePlatform R70 upgrade package:
   # patch add cd
3. Select the SecurePlatform upgrade package (CPspupgrade_<version_number>.tgz).
4. Enter y to accept the MD5 checksum calculation.
5. When prompted, create a backup image for automatic revert. A Safe Upgrade will be performed. Safe Upgrade automatically takes a snapshot of the entire system so that the entire system (operating system and installed products) can be restored if something goes wrong during the Upgrade process (for example, hardware incompatibility). If the Upgrade process detects a malfunction, it automatically reverts to the Safe Upgrade image. Refer to the CheckPoint R70 SecurePlatform/SecurePlatformPro Administration Guide for additional information.

When the Upgrade process is complete, upon reboot you are given the option to manually start the SecurePlatform operating system using the upgraded version image or using the image created prior to the Upgrade process.
6. After you complete the upgrade process, do the following:
  a. Using SmartDashboard, log in to the R70 Security Management server that controls the upgraded gateway.
  b. Open the gateway object properties window for the upgraded gateway and change the version to R70.
  c. Perform Install Policy on the upgraded gateway.

Gateway Upgrade on an IPSO Platform
The procedure is the same as for a standalone Gateway upgrade. See: "Standalone Gateway Upgrade on an IPSO Platform" on page 207.


Chapter 10 Backup and Revert for Security Gateways

In This Chapter
Introduction page 186
Backing Up Your Current Deployment page 187
Restoring a Deployment page 188
SecurePlatform Backup and Restore Commands page 189
SecurePlatform Snapshot Image Management page 192
Reverting to Your Previous Deployment page 195

Introduction
Before you perform an upgrade process, you should back up your current configuration, for example, in the event that the upgrade process is unsuccessful. The purpose of the backup process is to back up the entire configuration, and to restore it if necessary. The backup file contains your current system configuration (for example, rules, objects, and users) and can be used to restore your previous configuration if the upgrade process fails. The restoration procedure restores the configuration in effect when the backup procedure was executed. To back up your configuration, use the Export utility tool of the version for which you are creating a backup file.
Note - Operating system level configurations (for example, network configuration) are not exported.
If you are performing an upgrade process on SecurePlatform, you do not have to back up your configuration using the Export utility. SecurePlatform provides the option of backing up your configuration during the Upgrade process.

Backing Up Your Current Deployment
To back up your current deployment:
1. In the original Security Management server, insert the product CD for the version you are backing up.
2. Select the Export option in the installation wizard, or use the Export tool located in the relevant operating system directory on the product CD. Once the Export utility process is complete, the configuration file is created in the chosen destination path in a tar gzipped format (.tgz).
Warning - The configuration file (.tgz) contains your product configuration. It is highly recommended to delete it after completing the import process.

Restoring a Deployment
To restore a deployment:
1. Copy the exported .tgz file to the target Security Management server.
2. In the Security Management server, insert the product CD for the version being restored.
3. Using the available options, perform an installation using an imported configuration file.

SecurePlatform Backup and Restore Commands

In This Section
Backup page 189
Restore page 191

SecurePlatform provides a command line or Web GUI capability for conducting backups of your system settings and products configuration. The backup utility can store backups either locally on the SecurePlatform machine hard drive, or remotely to a TFTP server or an SCP server. The backup can be performed on request, or it can be scheduled to take place at set intervals. The backup files are kept in tar gzipped format (.tgz). Backup files, saved locally, are kept in /var/CPbackup/backups. The restore utility is used for restoring SecurePlatform settings and/or product configurations from backup files. You can also copy backup files to a number of SCP and TFTP servers for improved backup robustness. Expert permissions are required to perform the backup and restore procedures.

Backup
This command is used to back up the system configuration. The backup command, when run by itself without any additional flags, uses default backup settings and performs a local backup.
Syntax
backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [[--tftp <ServerIP> [-path <Path>] [<Filename>]] | [--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]] | [--file [-path <Path>] [<Filename>]]]

Backup Parameters
Table 10-1 Backup Parameters
-h
    obtain usage
-d
    debug flag
-l
    Enables VPN log backup (by default, VPN logs are not backed up).
--purge DAYS
    Deletes old backups from previous backup attempts.
--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off
    Schedule interval at which backup is to take place:
    • On - specify time and day of week, or day of month
    • Off - disable schedule
--tftp <ServerIP> [-path <Path>] [<Filename>]
    List of IP addresses of TFTP servers on which the configuration is to be backed up, and optionally the filename.
--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]
    List of IP addresses of SCP servers on which the configuration is to be backed up, the username and password used to access the SCP server, and optionally the filename.
--file [-path <Path>] [<Filename>]
    When the backup is performed locally, specify an optional filename.

Restore
This command is used to restore the system configuration.
Syntax
restore [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 10-2 Restore Parameters
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> [<Filename>]
    IP address of the TFTP server from which the configuration is restored, and the filename.
--scp <ServerIP> <Username> <Password> [<Filename>]
    IP address of the SCP server from which the configuration is restored, the username and password used to access the SCP server, and the filename.
--file <Filename>
    Specify a filename for a restore operation performed locally.
For additional information about the backup and restore utilities, refer to the System Commands section in the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide.

SecurePlatform Snapshot Image Management

In This Section
Snapshot page 193
Revert page 194

SecurePlatform provides the option of backing up the entire SecurePlatform operating system and all of its products using the snapshot command. Having a snapshot of the entire operating system enables you to restore SecurePlatform if needed, even if a situation arises that demands that you undo an upgrade and revert to a previous deployment. A snapshot of the system can be taken manually using the snapshot command or automatically during an upgrade procedure using the SafeUpgrade option. Similar to Backup and Restore, the Snapshot and Revert features ensure easy maintenance and management. The snapshot and revert commands can use a TFTP server or an SCP server to store snapshots. Alternatively, snapshots can be stored locally.
Note - The snapshot and revert commands are relevant only for reverting R70 to a previous version on SecurePlatform, because this involves reverting the entire platform. If you are using another platform, see "Reverting to Your Previous Deployment" on page 195.

Snapshot
This command creates an image of SecurePlatform. The snapshot command, run by itself without any additional flags, uses the default backup settings and creates a local snapshot.
Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 10-3 Snapshot Parameters
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> <Filename>
    IP address of the TFTP server from which the snapshot is taken, as well as the filename of the snapshot.
--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server from which the snapshot is taken, the username and password used to access the SCP server, and the filename of the snapshot.
--file <Filename>
    When the snapshot is made locally, specify a filename.

Revert
This command restores SecurePlatform from a snapshot file, reverting the machine to a previous deployment. The revert command, run by itself without any additional flags, uses default backup settings, and reboots the system from a local snapshot.
Syntax
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 10-4 Revert Parameters
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> <Filename>
    IP address of the TFTP server from which the snapshot is rebooted, as well as the filename of the snapshot.
--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server from which the snapshot is rebooted, the username and password used to access the SCP server, and the filename of the snapshot.
--file <Filename>
    When the snapshot is made locally, specify a filename.
The revert command functionality can also be accessed from the Snapshot image management boot option.

Reverting to Your Previous Deployment

In This Section
To an Earlier Version on a Nokia Platform page 195
To an Earlier Version on a Windows Platform page 196
To an Earlier Version on a Solaris Platform page 196
To an Earlier Version on a Linux Platform page 196
ICA Considerations page 197

If you are deploying on SecurePlatform, see: "SecurePlatform Snapshot Image Management" on page 192.

To an Earlier Version on a Nokia Platform
To revert to a prior software version on a Nokia platform, do one of the following, according to the platform you have.
Note - Make sure to remove all R70 products and compatibility packages before removing the R70 CPsuite.
• If you are reverting to an NG or NGX version that is compatible with your current IPSO version:
  1. Deactivate the R70 products. Deactivate the previous suite version last of all.
  2. Reactivate the previous product versions.
  3. To revert to a version that was active before it was upgraded to R70, perform the uninstall procedure described in this section. This will uninstall the last active version only, and leave the previously installed version as the now-active version.
or
• If you are reverting to an NG version that requires an earlier IPSO version:
  1. On the IPSO Image Management page in Network Voyager, select the earlier IPSO image and reboot. When you revert to the earlier image, IPSO automatically reverts to the saved configuration set associated with that image.

  2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the R70 versions are disabled.
Note - On flash-based platforms, the R70 packages no longer appear in the Manage Packages page since they were never part of the previous configuration set.

To an Earlier Version on a Windows Platform
To revert to a prior software version on a Windows platform:
1. In Add/Remove Programs, select Check Point <product> R70.
2. Click Remove. The latest version is uninstalled, and the previous version is active.

To an Earlier Version on a Solaris Platform
To revert to a prior software version on a Solaris platform:
1. For each installed package, other than CPSuite, run the command: pkgrm <file>-R70.
2. Run the command: pkgrm CPsuite-R70. The latest version is uninstalled, and the previous version is active.

To an Earlier Version on a Linux Platform
To revert to a prior software version on a Linux platform:
1. For each installed package, other than CPSuite, run the command: rpm -e <file>-R70-00.
2. Run the command: rpm -e CPsuite-R70-00. The latest version is uninstalled, and the previous version is active.

ICA Considerations
Once the Revert process is complete, certificates issued during the use of R70 remain valid. While these certificates are valid, they cannot be processed by the Internal CA. To resume management of older certificates after the Revert process:
1. Back up the InternalCA.NDB and ICA.crl files (located in the $FWDIR/conf directory) and all *.crl files (located in the $FWDIR/conf/crl directory) from the version prior to R70 to a suitable location.
2. Copy the R70 InternalCA.NDB, ICA.crl and the *.crl files (located in the $FWDIR/conf directory) from the current R70 version and use them to overwrite the files in the location specified in step 1 (in the $FWDIR/conf directory).
Note - If the Upgrade process was performed on a machine that runs a different operating system than the original machine, the InternalCA.NDB file must be converted after it is copied to the reverted environment. To do this, run the 'cpca_dbutil d2u' command line from the reverted environment.
3. Once the Revert process is complete, use the ICA Management Tool to review certificates created using R70 in the reverted environment. For example, the subject to which a specific certificate was issued may no longer exist. In such a case, you may want to revoke the specific certificate. For additional information, refer to The Internal Certificate Authority (ICA) and the ICA Management Tool chapter in the Security Management Server Administration Guide.
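Steps 1 and 2 of the ICA procedure as a shell function, added here as an example and not Check Point's own tooling. It takes the reverted environment's $FWDIR/conf, the R70 $FWDIR/conf and a backup directory as arguments, assumes both conf directories keep InternalCA.NDB and ICA.crl directly and the other *.crl files in a crl/ subdirectory, and changes nothing if a required file is missing, so the reverted ICA can never end up with a database from one version and CRLs from another.

```shell
# Added example (not Check Point's code): stage the ICA database and CRL
# files for the post-revert procedure, against explicit directories so the
# steps can be rehearsed on copies before touching a live $FWDIR/conf.
#   stage_ica_files <reverted $FWDIR/conf> <R70 $FWDIR/conf> <backup dir>
# Assumption: both conf directories hold InternalCA.NDB and ICA.crl at the
# top level and the per-CA *.crl files in a crl/ subdirectory.
# Returns 0 on success; returns 1 and copies nothing if a required file is absent.
stage_ica_files() {
    old_conf="$1"; r70_conf="$2"; backup="$3"

    # Check every required file first, before anything is copied.
    for f in InternalCA.NDB ICA.crl; do
        for d in "$old_conf" "$r70_conf"; do
            if [ ! -f "$d/$f" ]; then
                echo "stage_ica_files: missing $d/$f" >&2
                return 1
            fi
        done
    done

    # Step 1: back up the pre-R70 database and CRLs, preserving timestamps.
    mkdir -p "$backup/crl" || return 1
    cp -p "$old_conf/InternalCA.NDB" "$old_conf/ICA.crl" "$backup/" || return 1
    for crl in "$old_conf"/crl/*.crl; do
        [ -f "$crl" ] && { cp -p "$crl" "$backup/crl/" || return 1; }
    done

    # Step 2: overwrite the reverted environment's copies with the R70 files.
    mkdir -p "$old_conf/crl" || return 1
    cp -p "$r70_conf/InternalCA.NDB" "$r70_conf/ICA.crl" "$old_conf/" || return 1
    for crl in "$r70_conf"/crl/*.crl; do
        [ -f "$crl" ] && { cp -p "$crl" "$old_conf/crl/" || return 1; }
    done

    # If the R70 machine ran a different operating system, InternalCA.NDB
    # still needs 'cpca_dbutil d2u' in the reverted environment (see the Note
    # above); that Check Point tool is not invoked here.
    return 0
}

# Usage (paths are placeholders):
#   stage_ica_files /reverted/fwdir/conf /r70/fwdir/conf /root/ica-backup
```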


Chapter 11 Upgrading a Standalone Deployment

In This Chapter
Introduction page 200
Pre-Upgrade Considerations page 201
Standalone Security Gateway Upgrade on a Windows Platform page 203
Standalone Security Gateway Upgrade on SecurePlatform page 204
Standalone Upgrade on a UTM-1/Power-1 Appliance page 206
Standalone Gateway Upgrade on an IPSO Platform page 207

Introduction
This chapter describes the process of upgrading a standalone deployment to R70. A standalone deployment consists of the Security Management server and gateway installed on the same system. Since backward compatibility is supported, a Security Management server that has been upgraded to R70 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway.

The R70 Security Management server can manage the following gateways:
Release             Version
NGX                 R60, R60A, R61, R62, R65
InterSpect          NGX R60
Connectra           NGX R61, R62, R62CM, R66
UTM-1 Edge          7.5.x and above
Endpoint Security
Note - R70 cannot manage gateway versions NG, NG FP1, or NG FP2.

Pre-Upgrade Considerations

In This Section
Upgrading Products on a SecurePlatform Operating System page 201
Reverting to Your Previous Software Version page 201

Upgrading Products on a SecurePlatform Operating System
Upgrading to R70 on a SecurePlatform operating system requires upgrading both the operating system and the installed software products. This process upgrades all the installed components (Operating System and software packages) in a single upgrade process. No further upgrades are required. To upgrade products installed on SecurePlatform, refer to "Standalone Security Gateway Upgrade on SecurePlatform."

Reverting to Your Previous Software Version
Before you perform an upgrade process you should back up your current SecurePlatform configuration, for example, in the event that the Upgrade process is unsuccessful. The purpose of the back up process is to back up the entire SecurePlatform configuration, and to restore it if necessary. To back up your configuration, use the SecurePlatform snapshot and revert commands (for additional information, refer to "SecurePlatform Backup and Restore Commands" on page 189).
Warning - For all operating systems except SecurePlatform, an R70 upgrade cannot be reverted to its previous version once it is complete.

Using the Pre-Upgrade Verification Tool
Pre-upgrade verification runs automatically (or manually if desired) during the upgrade process. This tool can also be used manually. Pre-upgrade verification performs a compatibility analysis of the currently installed deployment and its current configuration. A detailed report is provided, indicating the appropriate actions that should be taken before and after the upgrade process.

Usage:
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w]
or
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -i [-f FileName] [-w]

-p    Path of the installed SmartCenter server (FWDIR)
-c    Currently installed version
-t    Target version
-i    Check originality of INSPECT files only
-f    Output in file
-w    Web format file

Where the currently installed version is one of the following:
For Release NGX, Version is: NGX_R65, NGX_R62, NGX_R61, NGX_R60A, NGX_R60
The target version is: R70.

Action Items Before and After the Pre-Upgrade Process
• errors - Items that must be repaired before and after performing the upgrade. If you proceed with the upgrade while errors exist, the upgrade will fail.
• warnings - Items that you should consider repairing before and after performing the upgrade.


Standalone Security Gateway Upgrade on a Windows Platform
It is recommended that you back up your current configuration before you perform an upgrade process, in case the upgrade process is unsuccessful. For additional information, refer to "Backing Up Your Current Deployment" on page 187.
Warning - For all operating systems except SecurePlatform, an R70 upgrade cannot be reverted to its previous version once it is complete.

To perform an upgrade on a Windows platform:
1. Access your R70 CD.
2. Execute the Installation package.
3. Agree to the EULA and verify your contract information. For more information on contracts, see "On a Windows Platform" on page 143.
4. From the Upgrade Options screen, select Upgrade.
5. When the pre-upgrade verification recommendation appears, select whether or not the Pre-upgrade verification tool should be executed (refer to "Using the Pre-Upgrade Verification Tool" on page 202). Pre-upgrade verification performs a compatibility analysis of the currently installed gateway and its current configuration. A detailed report is provided, indicating appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.
6. From the Upgrade Options screen, select Upgrade again. Another verification is run.
7. Reboot when prompted.

Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled.



Standalone Security Gateway Upgrade on SecurePlatform
Upgrading to R70 on a SecurePlatform operating system requires updating both the operating system and the installed software products. The procedure in this section applies to the following gateway versions:
• R65
• R62
• R61
• R60A
• R60

The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. The single upgrade package contains all necessary software items.
Warning - For all operating systems except SecurePlatform, an R70 upgrade cannot be reverted to its previous version once it is complete.

To perform an upgrade on a SecurePlatform server:
1. Insert CD1 of the R70 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform R70 Upgrade Package (CPspupgrade_<version_number>.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement, and verify your contract information. For more information on contracts, see "On SecurePlatform, and Linux" on page 150.
8. Three upgrade options are displayed:
  • Upgrade
  • Export the configuration
  • Perform pre-upgrade verification only
  i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
  ii. Export the configuration.
  iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
  • Enter [L] to view the licenses installed on your machine.
  • Enter [C] to check if currently installed licenses have been upgraded.
  • Enter [S] to simulate the license upgrade.
  • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
  • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
  • Enter [Q] to quit.
10. Select a source for the upgrade utilities: either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new licenses to the gateways.

Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to view a list of the installed packages, and rpm -e <package name> to uninstall a package.



Standalone Upgrade on a UTM-1/Power-1 Appliance
Upgrading to R70 can only be done using the WebUI.
To upgrade your appliance using the WebUI:
1. Download an upgrade package, as directed.
2. Select the upgrade package file.
3. Click Upload upgrade package to appliance. The Upload Package to Appliance window opens.
4. Browse to the upgrade (tgz) file and select it.
5. Click Upload and wait until the package uploads.
6. Click Start Upgrade.
7. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful. The Save an Image before Upgrade page displays the image information. Click Next.
8. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image. Click Next.
9. The Current Upgrade File on Appliance section displays the information of the current upgrade.
10. To begin the upgrade, click Start.

Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to view a list of the installed packages, and rpm -e <package name> to uninstall a package.
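The rpm database records when each package was installed, which gives the reverse installation order the SecurePlatform and UTM-1/Power-1 uninstall notes call for. The function below is an added example, not part of this guide; it reads "<installtime> <name>" lines as produced by the real query rpm -qa --qf '%{INSTALLTIME} %{NAME}\n' and prints the packages newest first with CPsuite always last (the package names in the usage comment are constructed samples; only CPsuite-R70-00 comes from the page).

```shell
# Added example (not Check Point's code): derive the uninstall order for
# Check Point RPMs from their install times, newest first, CPsuite last.
# Input on stdin, one package per line: "<INSTALLTIME seconds> <NAME>",
# e.g. from:  rpm -qa --qf '%{INSTALLTIME} %{NAME}\n' | grep ' CP'
# Output: one package name per line, in the order to pass to rpm -e.
uninstall_order() {
    # newest INSTALLTIME first
    sort -rn |
    # keep the package name only
    cut -d' ' -f2 |
    # hold back any CPsuite package and print it after everything else
    awk '/^CPsuite/ { held = held $0 "\n"; next }
         { print }
         END { printf "%s", held }'
}

# Usage with constructed sample data (timestamps and names are made up):
#   printf '%s\n' '1240000100 CPsuite-R70-00' '1240000300 CPpkgB-R70-00' \
#                 '1240000200 CPpkgA-R70-00' | uninstall_order
```

Review the printed list before removing anything; it is an ordering aid, and the Solaris and Linux revert steps above remain the procedure to follow.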



Standalone Gateway Upgrade on an IPSO Platform
This section describes the upgrade process on an IPSO Platform. It is recommended that you back up your current configuration before you perform an upgrade process, in case the upgrade process is unsuccessful. IPSO has its own back up and restore facility. For additional information, refer to the Nokia Network Voyager Reference Guide. If a situation arises in which a revert to your previous configuration is required, refer to "Reverting to Your Previous Deployment" on page 195 for details.

Before Installing
• From the Check Point website, http://www.checkpoint.com/techsupport/downloads.jsp, download IPSO_Wrapper_R70.tgz.
• From Nokia, download IPSO 6.0.7.
Note - R70 is not supported on IPSO 4.x images. If you are using IPSO 4.x, first upgrade to IPSO 6.0.7. If IPSO 6.0.7 is already installed, skip to step 19 on page 208.

Upgrading Through Voyager
Upgrading IPSO 4.x to IPSO 6.0.7
1. Enter the Network Voyager and open a CLI console.
2. Click System Configuration > Install New IPSO Image. The New Image Installation Upgrade window opens.
3. Enter the following information (for IPSO 4.x):
• Enter URL to the image location
• Enter HTTP Realm (for HTTP URLs only)
• Enter Username (if applicable)
• Enter Password (if applicable)
4. Click Apply. You are informed that the file download and image installation may take some time.
5. Click Apply. A message is displayed indicating that the new image installation process has started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images. The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.1 or 4.2.
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images. You should be able to see that the relevant IPSO (4.1 or 4.2) image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console, and log in.
14. Type newpkg, and press Enter.
15. Use the FTP menu option to transfer the 6.0.7 package.
16. Install the 6.0.7 package. Wait until a message informs you that the process is complete.
17. Activate the 6.0.7 package.
18. In Voyager, verify that the 6.0.7 package is turned ON.
19. On the CLI, type newpkg, and press Enter.
20. Use the FTP menu option to transfer the IPSO_Wrapper_R70.tgz package.
21. Install the IPSO_Wrapper_R70 package. Wait until a message informs you that the process is complete.
22. Type Reboot and press Enter.

Configuring R70
If you upgraded from IPSO 4.x to 6.0.7:
1. Reboot.
2. Run cpconfig.
3. Select an installation type, Stand Alone or Distributed.
4. Select Security Management server from the selection list.
Note - Only relevant for a distributed deployment.
5. Specify the Security Management server type as Primary or Secondary Management.
6. Add Licenses.
7. Configure an administrator name and password.
8. Configure Group Permissions.
9. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
10. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
11. Configure the GUI clients and hosts which can access the Security Management server using SmartConsole.
12. Start the installed products. If you opt not to start the installed products at this time, they can be started later by running cpstart.
If you performed a fresh installation of IPSO 6.0.7 then there is no need to configure R70.

Upgrading Through the CLI
IPSO images and Check Point releases can be upgraded from the command line interface.
Upgrading IPSO 4.2 to IPSO 6.0.7
1. From a console connection, verify that you are in the /var/emhome/admin directory.
2. Using FTP, transfer the IPSO 6.0.7 image (.tgz file) to this directory.
3. Run: newimage -ik
4. Select the Install from local file system option.
5. Enter the pathname to the packages, or enter "." for the current directory.
6. Enter the Ipso.tgz pkg name, and press Enter. The upgrade process completes, and the machine reboots.
7. Run: show image current. IPSO 6.0.7 should be the current IPSO image.

Upgrading NGX R65 to R70
After verifying that IPSO 6.0.7 is the current image:
1. Using FTP, transfer IPSO_Wrapper_R70.tgz to the /opt/packages directory.
2. Move to /opt/packages.
3. Remove all other packages except IPSO_Wrapper_R70.tgz.
4. Run newpkg.
5. Select the Install from local file system option.
6. Enter the pathname to the packages, or enter "." for the current directory.
7. Select the IPSO_Wrapper_R70.tgz package and press Enter.
8. When prompted, enter the package you are upgrading from (IPSO_wrapper_R65.tgz).
9. Wait for the upgrade process to complete and the machine to reboot.
10. Run fw ver and fwm ver to verify that R70 is the current version.

Uninstalling Previous Software Packages
If you are reverting to an NG or NGX version that is compatible with your current IPSO version:
1. Deactivate the R70 products.
2. Then, reactivate the previous product versions, making sure to deactivate the previous suite version last of all.
If you are reverting to an NG version that requires an earlier IPSO version:
1. From the IPSO Image Management page in the Network Voyager, select the earlier IPSO image and reboot. When you revert to the earlier image, IPSO automatically reverts to using the saved configuration set associated with that image.
2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the R70 versions are disabled.
Note - On flash-based platforms, the R70 packages will no longer appear in the Manage Packages page since they were never part of the previous configuration set.

Chapter 12 Upgrading ClusterXL Deployments
In This Chapter
Tools for Gateway Upgrades page 213
Planning a Cluster Upgrade page 214
Minimal Effort Upgrade on a ClusterXL Cluster page 216
Zero Downtime Upgrade on a ClusterXL Cluster page 216
Full Connectivity Upgrade on a ClusterXL Cluster page 219

Tools for Gateway Upgrades
• SmartUpdate’s Upgrade All Packages Feature: This feature allows you to upgrade all packages installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your Operating System as a part of your upgrade.
• SmartUpdate’s Add Package to Repository: SmartUpdate provides three tools for adding packages to the Package Repository:
• From CD: Adds a package from the Check Point CD.
• From File: Adds a package that you have stored locally.
• From Download Center: Adds a package from the Check Point Download Center.
• SmartUpdate’s Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third party packages installed on a specific gateway or throughout your entire enterprise.

Planning a Cluster Upgrade
When upgrading ClusterXL, the following options are available to you:
• Minimal Effort Upgrade: Select this option if you have a period of time during which network downtime is allowed. The minimal effort method is much simpler because the clusters are upgraded as gateways and therefore can be upgraded as individual gateways.
• Zero Downtime: Select this option if network activity is required during the upgrade process. The zero downtime method assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic.
• Full Connectivity Upgrade: Choose this option if your gateway needs to remain active and your connections must be maintained. Full Connectivity Upgrade with Zero Down Time assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic, and open connections are maintained during the upgrade.
Note - Full Connectivity Upgrade is supported between minor versions only. For further information, refer to “Full Connectivity Upgrade on a ClusterXL Cluster” on page 219 and the R70 Release Notes.

Permanent Kernel Global Variables
When upgrading each cluster member, verify that changes to permanent kernel global variables are not lost (see: sk26202). For example, if “fwha_mac_magic” and “fwha_mac_forward_magic” were set to values other than the default values, then verify these values remain unchanged after the upgrade.
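As an added example (not part of the Check Point guide), the following script turns the check above into a repeatable comparison: record_kernel_vars reads the two variables named in the text with fw ctl get int on a live member before the upgrade, and compare_kernel_vars reports every variable whose value changed or disappeared in a snapshot taken after the upgrade. The "name = value" output format of fw ctl get int is assumed; record_kernel_vars needs a gateway, while the comparison runs on saved files, and the snapshots in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: snapshot the permanent kernel
# global variables before a cluster member is upgraded and compare the snapshot
# with the values read after the upgrade (see sk26202 in the text).
#
# Assumption: `fw ctl get int <name>` prints "<name> = <value>". Only
# record_kernel_vars depends on it; compare_kernel_vars works on saved files.

KERNEL_VARS="fwha_mac_magic fwha_mac_forward_magic"   # variables named in the guide

# record_kernel_vars <outfile>: on a live member, store one "name value" line
# per variable in KERNEL_VARS.
record_kernel_vars() {
    : > "$1"
    for v in $KERNEL_VARS; do
        fw ctl get int "$v" | awk '{ print $1, $3 }' >> "$1"   # keep name and value
    done
}

# compare_kernel_vars <before_file> <after_file>: print each variable that
# changed or is missing after the upgrade; return 1 if any did, 0 otherwise.
compare_kernel_vars() {
    awk '
        FILENAME == ARGV[1] { before[$1] = $2; next }   # first file: before upgrade
        { after[$1] = $2 }                              # second file: after upgrade
        END {
            changed = 0
            for (name in before) {
                if (!(name in after)) {
                    printf "%s: missing after upgrade (was %s)\n", name, before[name]
                    changed = 1
                } else if (before[name] != after[name]) {
                    printf "%s: %s -> %s (changed)\n", name, before[name], after[name]
                    changed = 1
                }
            }
            exit changed
        }' "$1" "$2"
}

# Constructed sample snapshots: both variables were set to non-default values
# (3 and 4) before the upgrade; afterwards fwha_mac_forward_magic reads 2.
demo_dir=$(mktemp -d)
printf 'fwha_mac_magic 3\nfwha_mac_forward_magic 4\n' > "$demo_dir/before"
printf 'fwha_mac_magic 3\nfwha_mac_forward_magic 2\n' > "$demo_dir/after"

if compare_kernel_vars "$demo_dir/before" "$demo_dir/after"; then
    echo "permanent kernel globals preserved across the upgrade"
else
    echo "re-apply the listed values before returning the member to the cluster"
fi
rm -rf "$demo_dir"
```

Run record_kernel_vars on each member before and after its upgrade (two different output files), then compare the pair; a non-zero exit is the signal to restore the values before the member rejoins the synchronization network.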

Ready State During Cluster Upgrade/Rollback Operations
When cluster members of different versions are present on the same synchronization network, cluster members of the previous version become active while cluster members of the new (upgraded) version remain in a special state called Ready. In this state, the cluster members with the new version do not process any traffic destined for the cluster IP address. This behavior is the expected behavior during the upgrade process. To avoid such behavior during an upgrade or rollback, disconnect the cluster interfaces and the synchronization network of that cluster member before beginning, physically or using ifconfig.

Upgrading OPSEC Certified Third-Party Cluster Products
• When upgrading Nokia clustering (VRRP and IP Cluster), follow either one of the available procedures (that is, zero downtime or minimal effort).
• When upgrading other third-party clustering products, it is recommended that you use the minimal effort procedure. Zero downtime upgrade is not supported using the regular procedure. The third party may supply an alternative upgrade procedure to achieve a zero downtime upgrade.
• For a complete understanding of the upgrade procedure, refer to the third-party vendor documentation before performing the upgrade process.

Minimal Effort Upgrade on a ClusterXL Cluster
If you choose to perform a Minimal Effort Upgrade, meaning you can afford to have a period of time during which network downtime is allowed, each cluster member is treated as an individual gateway. In other words, each cluster member can be upgraded in the same way as you would upgrade an individual gateway member. For additional instructions, refer to “Upgrading a Distributed Deployment” on page 159.

Zero Downtime Upgrade on a ClusterXL Cluster
Supported Modes
Zero Downtime is supported on all modes of ClusterXL, including IPSO’s IP clustering and VRRP. For additional third-party clustering solutions, consult your third-party solution’s guide.
To perform a zero downtime upgrade, first upgrade all but one of the cluster members. Suppose that cluster member A is the active member, and members B and C are standby members. In Load Sharing mode, randomly choose one of the cluster members to upgrade last.

To upgrade all but one of the cluster members:
1. Attach the previously upgraded licenses to all cluster members (A, B and C) as follows:
• If you are upgrading from a previous version, perform the following steps:
a. On the SmartConsole GUI machine, open SmartUpdate, and connect to the Security Management server.
b. Use the Attach assigned licenses option to attach the Assigned licenses to the cluster members. The updated licenses are displayed as Assigned.
2. Run cphaconf set_ccp broadcast on all cluster members. This changes the cluster control protocol to broadcast instead of multicast and ensures that during the upgrade the new upgraded members stay in the Ready state as long as a previous version member is active. In previous versions, a message prompts you to reboot the cluster members in order to fully activate the change. This message should be ignored; no reboot is required.
3. Ensure that the previously upgraded NGX licenses are attached to members B and C.
4. Upgrade cluster members B and C in one of the following ways:
• Using SmartUpdate
• In Place
When the upgrade of B and C is complete, reboot both of them. The remaining cluster members will have a Ready status.
5. Using the cphaprob stat command (executed on a cluster member), verify that the status of cluster member A is Active or Active Attention. The status Active Attention is given if member A’s synchronization interface reports that its outbound status is down, because it is no longer communicating with other cluster members.
6. Install the security policy on the cluster.
• If you are running SmartUpdate, skip to step 7. SmartUpdate compiles and installs an updated policy on the new member, once it is rebooted.
From the Policy Installation window, clear the For Gateway Clusters, install on all the members, if it fails do not install at all option located under the Install on each selected Module independently option. The policy will be successfully installed on cluster members B and C, and will fail on member A.
Note - Do not change any cluster parameters from the current policy at this time. For example, if the cluster is running in New High Availability mode, do not change it to Load Sharing. Changes can be made after the upgrade process is complete.
7. Installing the policy: Be aware that policy installation on the old Check Point gateway may cut connections for services that do not survive the policy installation. This can be avoided by configuring the Check Point Gateway > Advanced > Connection Persistence tab to either Keep all connections or Keep data connections. For complete instructions, click the help button in the Connection Persistence tab.
8. Execute the cphastop command on cluster member A. Machines B and/or C start to process traffic (depending on whether this is a Load Sharing or High Availability configuration).
9. Run cpstop on the old Check Point gateway.
Note - It is recommended that you minimize the time in which cluster members are running different versions. It is recommended that you do not install a new policy on the cluster until the last member has been upgraded. If you must install a new policy, perform the following steps:
a. Run fw ctl set int fwha_conf_immediate 1 on all new Check Point gateways.
b. Install the policy.

To upgrade the final cluster member:
1. Upgrade cluster member A by either:
• Using SmartUpdate
• In Place
2. Reboot cluster member A.
3. Run cphaconf set_ccp multicast followed by cphastart on all cluster members. This returns the cluster control protocol to multicast (instead of broadcast). This step can be skipped if you prefer to remain working with the cluster control protocol in the broadcast mode.
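The Ready state described under “Ready State During Cluster Upgrade/Rollback Operations” and the cphaprob stat check in step 5 above can be verified from saved command output. The script below is an added example, not part of the Check Point guide: member_states extracts each member's number and state from a cphaprob stat capture, and check_upgrade_state succeeds only when exactly one member is Active (or Active Attention) and every other member is Ready. The column layout of cphaprob stat is approximated from the R70-era command, and the capture used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: confirm the cluster state that
# the zero downtime procedure expects after members B and C are upgraded, by
# parsing `cphaprob stat` output saved to a file.
#
# Assumed layout (approximated): one line per member of the form
#   <number> [(local)] <unique address> <assigned load> <state>
# where <state> may contain a space ("Active Attention").

# member_states <file>: print "<number> <state>" for each member line.
member_states() {
    awk '
        /^[0-9]+/ {
            sub(/\(local\)/, "")        # drop the "(local)" marker so columns line up
            state = $4
            for (i = 5; i <= NF; i++) state = state " " $i   # multi-word states
            print $1, state
        }' "$1"
}

# check_upgrade_state <file>: return 0 when exactly one member is Active
# (Active Attention counts: its sync interface reports outbound down because the
# upgraded members no longer talk to it) and all other members are Ready.
check_upgrade_state() {
    member_states "$1" | awk '
        $2 == "Active" { active++; next }
        $2 == "Ready"  { next }
        { other = other " " $1 ":" $2 }
        END {
            if (active == 1 && other == "") exit 0
            if (active != 1) printf "expected exactly one Active member, found %d\n", active
            if (other != "") printf "members not in Ready state:%s\n", other
            exit 1
        }'
}

# Constructed capture: A (local) still carries traffic, B and C are Ready.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        100%            Active Attention
2          10.0.0.2        0%              Ready
3          10.0.0.3        0%              Ready
EOF

if check_upgrade_state "$demo"; then
    echo "member A is active and the upgraded members are Ready: continue with step 6"
fi
rm -f "$demo"
```

Run cphaprob stat on member A, save the output, and pass the file to check_upgrade_state; a Standby or Down member, or a second Active member, is printed and the function returns 1, which is the cue to stop and investigate before installing policy or running cphastop.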

Full Connectivity Upgrade on a ClusterXL Cluster
ClusterXL clusters can be upgraded while at the same time maintaining full connectivity between the cluster members. A full connectivity upgrade is only supported from R70 to a future minor version that specifically supports FCU.

Understanding a Full Connectivity Upgrade
The Full Connectivity Upgrade (FCU) method assures that synchronization is possible from old to new cluster members without losing connectivity. Connections that have been opened on the old cluster member will continue to “live” on the new cluster member. In discussing connectivity, cluster members are divided into two categories:
• New Members (NMs): Cluster members that have already been upgraded. NMs are in the “non-active” state.
• Old Members (OMs): Cluster members that have not yet been upgraded. These cluster members are in an “active state” and carry all the traffic.

Supported Modes
FCU is supported on all modes of ClusterXL, including IPSO’s IP clustering and VRRP. For other third-party support, refer to the third-party documentation.

Full Connectivity Upgrade Prerequisites
Make sure that the new member (NM) and the old member (OM) contain the same firewall policy and product installation. Make sure that the upgraded version is NGX or higher. During the upgrade, do not change the policy from the last policy installed on the Check Point Gateway prior to its upgrade.
The exact same products must be installed on the OM and on the NM. For example, it is not possible to perform an FCU from a Check Point Gateway that has Floodgate-1 installed to a newer Check Point Gateway that does not have Floodgate-1 installed. Verify the installed products by running the command fw ctl conn on both cluster members. An example output on the NM:

Registered connections modules:
No. Name            Newconn   Packet    End       Reload    Dup Type  Dup Handler
 0: Accounting      00000000  00000000  d08ff920  00000000  Special   d08fed58
 1: Authentication  d0976098  00000000  00000000  00000000  Special   d0975e7c
 3: NAT             00000000  00000000  d0955370  00000000  Special   d0955520
 4: SeqVerifier     d091e670  00000000  00000000  d091e114  Special   d091e708
 6: Tcpstreaming    d0913da8  00000000  d09732d8  00000000  None
 7: VPN             00000000  00000000  d155a8d0  00000000  Special   d1553e48

Verify that the list of Check Point Gateway names is the same for both cluster members.

Full Connectivity Upgrade Limitations
• This upgrade procedure is equivalent to a failover in a cluster where both members are of the same version. Therefore, whatever would not normally survive failover will not survive a Full Connectivity Upgrade. This includes:
• Security servers and services that are marked as non-synced
• Local connections
• TCP connections that are TCP streamed
• Legacy High Availability is not supported in FCU.

• All the Gateway configuration parameters should have the same values on the NM and the OM. For example, having the attribute block_new_conns with different values on the NM and on the OM might cause the FCU to fail since gateway behavior cannot be changed during the upgrade. The same rule applies to any other local configurations you may have set.
• A cluster that performs static NAT using the gateway’s automatic proxy ARP feature requires special considerations: cpstop the old Check Point Gateway right after running cphastop. Running cphastop is part of the upgrade procedure described in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 216. Failure to do this may cause some of the connections that rely on proxy ARP to fail and may cause other connections that rely on proxy ARP not to open until the upgrade process completes. Note, however, that running cpstop on the old Check Point Gateway rules out the option to rollback to the OM while maintaining all live connections that were originally created on the OM.

Performing a Full Connectivity Upgrade
The procedure for updating a cluster with full connectivity varies according to the number of members in the cluster.
To upgrade a cluster with two members:
Follow the steps outlined in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 216. Before you get to step 8 on page 218 (executing cphastop), run the following command on the upgraded member:
fw fcu <other member ip on sync network>
(e.g. fw fcu 172.16.0.1). Then continue with step 8 on page 218.
To upgrade a cluster with three or more members:
Choose one of the following two methods:
1. Upgrade the two NMs, following the steps outlined in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 216. Before you get to step 8 on page 218 (executing cphastop), run the following command on all the upgraded members:
fw fcu <other member ip on sync network>
Then continue with step 8 on page 218 on the single OM.
or

2. First upgrade only one member, following the steps outlined in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 216. Before you get to step 8 on page 218 (executing cphastop), run the following command on all the upgraded members:
fw fcu <other member ip on sync network>
Then continue with step 8 on page 218 on all remaining OMs.
Once cphastop is executed, do not run cpstart or cphastart again or reboot the machine. For more than three members, divide the upgrade of your members so that the active cluster members can handle the amount of traffic during the upgrade. For additional information, refer to “Full Connectivity Upgrade Limitations” on page 220.
Note - cphastop can also be executed from the Cluster object in the SmartConsole.

Monitoring the Full Connectivity Upgrade
Displaying Upgrade Statistics (cphaprob fcustat)
cphaprob fcustat displays statistical information regarding the upgrade process. Run this command on the new member. Typical output looks like this:

During FCU ............................... yes
Number of connection modules ............. 23
Connection module map (remote -->local)
0 --> 0 (Accounting)
1 --> 1 (Authentication)
2 --> 3 (NAT)
3 --> 4 (SeqVerifier)
4 --> 5 (SynDefender)
5 --> 6 (Tcpstreaming)
6 --> 7 (VPN)
Table id map (remote->local) ............. (none or a specific list, depending on configuration)
Table handlers ........................... 78 --> 0xF98EFFD0 (sip_state)
                                           8158 --> 0xF9872070 (connections)
Global handlers .......................... none

The command output includes the following parameters:
During FCU: This should be “yes” only after running the fw fcu command and before running cphastop on the final OM. In all other cases it should be “no”.
Number of connection modules: Safe to ignore.
Connection module map: The output reveals a translation map from the OM to the NM.

Table id map: This shows the mapping between the gateway’s kernel table indices on the OM and on the NM. Having a translation is not mandatory.
Global handlers: Reserved for future use.
Table handlers: This should include a sip_state and connection table handlers. In a security gateway configuration, a VPN handler should also be included.

Display the Connections Table (fw tab -t connections -u [-s])
This command displays the “connection” table. If everything was synchronized correctly the number of entries in this table and the content itself should be approximately the same in the old and new cluster members. This is an approximation because between the time that you run the command on the old and new members new connections may have been created or perhaps old connections were deleted.
Options:
-t table
-u unlimited entries
-s (optional) summary of the number of connections
For further information on the fw tab -t connections command, refer to the “Command Line Interface” Book.
Note - Not all connections are synchronized. For example, local connections and services that are marked as non-synched.

Making Adjustments After Checking the Connection Table
It is safe to run the fw fcu command more than once. Be sure to run both cpstop and cpstart on the NM before re-running the fw fcu command. The reason for running cpstop and cpstart is that the table handlers that deal with the upgrade are only created during policy installation (cpstart installs policy).
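The two monitoring checks described above (the During FCU flag from cphaprob fcustat and the approximate agreement of the connections table counts from fw tab -t connections -s on the OM and NM) can be scripted against saved command output. The following is an added example, not part of the Check Point guide: during_fcu reads the flag, conn_count reads the #VALS column of the connections table, and compare_conn_counts applies a percentage tolerance instead of demanding an exact match. The HOST/NAME/ID/#VALS/#PEAK/#SLINKS summary layout is assumed, and the sample captures are constructed (the table id 8158 is taken from the fcustat output shown in the text).

```shell
#!/bin/sh
# Added example, not from the Check Point guide: evaluate the two monitoring
# checks of a Full Connectivity Upgrade from command output saved to files:
#   cphaprob fcustat           -> "During FCU" must read yes on the NM
#   fw tab -t connections -s   -> OM and NM entry counts approximately equal
#
# Assumption: the -s summary prints a header "HOST NAME ID #VALS #PEAK #SLINKS"
# followed by one row per table. Sample captures below are constructed.

# during_fcu <fcustat_file>: print the last word of the "During FCU" line.
during_fcu() {
    awk '/^During FCU/ { print $NF; exit }' "$1"
}

# conn_count <fw_tab_file>: print the #VALS column of the connections table.
conn_count() {
    awk '$2 == "connections" { print $4; exit }' "$1"
}

# compare_conn_counts <om_file> <nm_file> <tolerance_pct>: return 0 when the
# NM's count is within <tolerance_pct> of the OM's. An exact match is not
# expected because connections open and close between the two captures.
compare_conn_counts() {
    om=$(conn_count "$1"); nm=$(conn_count "$2")
    if [ -z "$om" ] || [ -z "$nm" ]; then
        echo "connections table not found in one of the captures"
        return 1
    fi
    awk -v o="$om" -v n="$nm" -v t="$3" 'BEGIN {
        diff = o - n; if (diff < 0) diff = -diff
        allowed = o * t / 100
        printf "OM=%d NM=%d difference=%d allowed=%.1f\n", o, n, diff, allowed
        if (diff <= allowed) exit 0
        exit 1
    }'
}

# Constructed captures: fcustat from the NM, table summaries from OM and NM.
work=$(mktemp -d)
cat > "$work/fcustat.nm" <<'EOF'
During FCU ............................... yes
Number of connection modules ............. 23
EOF
cat > "$work/tab.om" <<'EOF'
HOST                  NAME                  ID #VALS #PEAK #SLINKS
localhost             connections         8158  8120  9000   16240
EOF
cat > "$work/tab.nm" <<'EOF'
HOST                  NAME                  ID #VALS #PEAK #SLINKS
localhost             connections         8158  8050  9000   16100
EOF

[ "$(during_fcu "$work/fcustat.nm")" = "yes" ] && echo "NM is in the FCU state (fw fcu has run, cphastop not yet executed on the final OM)"
compare_conn_counts "$work/tab.om" "$work/tab.nm" 5 && echo "connection tables agree within 5%: continue with cphastop on the OM"
rm -rf "$work"
```

If compare_conn_counts fails, the text's remedy applies: run cpstop and cpstart on the NM, re-run fw fcu, and compare again before executing cphastop on the OM.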


Chapter 13 Advanced Upgrade of Management servers & Standalone Gateways
In This Chapter
Introduction page 226
Migrate Your Current Management Configuration and Upgrade page 227
Migrate Your Current Gateway Configuration & Upgrade page 242

Introduction
There are a number of reasons for performing an advanced upgrade, for example if you need to:
• Upgrade to R70 while replacing the Operating System on which the current Security Management Server is installed.
• Upgrade to R70 while migrating to a new server.
• Upgrade to R70 while avoiding unnecessary risks to the production Security Management server in case of failure during the upgrade process. For example, to avoid unnecessary risks, it is possible to migrate the current configuration of the production Security Management server to a new Security Management server.
Warning - When performing an advanced upgrade using the import-export tool, it is vital that the target machine has the same exact configuration as the source machine. For example, the same products should be installed on both. A products mismatch may result in a corrupt database.

Migrate Your Current Management Configuration and Upgrade
In This Section
Introduction page 226
Advanced Upgrade on a Windows Platform page 228
Advanced Upgrade on a Linux Platform page 229
Advanced Upgrade on SecurePlatform page 233
Advanced Upgrade on an IPSO Platform page 235
Advanced Upgrade on a Solaris Platform page 237
Migration to a New Machine with a Different IP Address page 240

Introduction
This section describes the advanced upgrade procedure for Security Management Server. The advanced upgrade procedure involves two machines. The first machine, the source, is the working production machine. The second machine, the destination, is off-line, and only contains the operating system of the latest release, in this case R70. Security Management server is installed on the second (destination) machine and the configuration of the first machine (the source) is imported. When migrating to a new Security Management server, the destination server should have the same IP configuration as the original Security Management server. If you are migrating to a new machine with a different IP address, see “Migration to a New Machine with a Different IP Address” on page 240.
Advanced upgrade on all platforms except IPSO involves:
• Performing a new installation, and manually importing a previously exported configuration.
or:
• Performing a new installation and upgrading through the wrapper. The wrapper automatically performs the install, and the upgrade_import process.

Warning: An advanced upgrade of Security Management server influences the behavior of the Eventia Reporter Server in regard to consolidation sessions. If you are deploying Eventia Reporter, you must first remove Eventia Reporter’s consolidation session before you perform an advanced upgrade of Security Management server. See “Advanced Eventia Reporter Upgrade” on page 303 for how to remove the consolidation session.

Advanced Upgrade on a Windows Platform
To perform an advanced upgrade on a Windows platform:
1. Insert the R70 CD into the production Security Management server.
2. Accept the license agreement and click Next.
3. When prompted, select Use the upgrade utilities from the CD. If this is not possible, download the most recently updated upgrade utilities from the Check Point website.
4. Perform the Pre-Upgrade Verification.
5. Under Upgrade Options, select Export. If you opt to perform the Export procedure manually, make sure you are using the R70 Export tool. The upgrade_export tool is located on the product CD under the windows directory.
6. Select the destination path for the configuration (.tgz) file.
7. Wait until the database files are exported.
8. Copy the exported .tgz file to the new Security Management server.
9. Insert the R70 CD into the target Security Management server. Do one of the following:
• Perform a fresh install of Security Management server and import the configuration file. When prompted, select Installation using Imported Configuration. This option prompts you for the location of the imported .tgz configuration file and then automatically installs the new software and utilizes the imported .tgz configuration file.
• Perform a fresh install of Security Management server, and manually import the configuration file using the upgrade_import tool on the R70 CD.
To manually import the Security Management Server database:

i. On the R70 Security Management server, locate the upgrade_export tool in the $FWDIR/bin/upgrade_tools directory.
ii. Copy the upgrade_export tool to the same directory on the source machine. (Before doing this, it is recommended to preserve the old upgrade tools by renaming them.)
iii. Run the upgrade_export tool: upgrade_export <new database name>. The upgrade_export tool creates a <new database name>.tgz file.
iv. Transfer the .tgz file to the R70 $FWDIR/bin/upgrade_tools folder.
v. Run the upgrade_import tool: upgrade_import <new database name>.tgz. The database is imported.
vi. Open SmartDashboard and edit the properties of the Security Management server network object, removing the IP address of the source machine and replacing it with the new one.
vii. Reboot the Security Management server.
Warning - The configuration (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the upgrade process.

Advanced Upgrade on a Linux Platform
To perform a new installation and manually import the configuration:
1. Insert CD1 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select New installation as the installation option.
6. Enter n.
7. From the list of products, select Security Management.
8. Enter n.

9. Specify the Security Management Server type to install:
• Primary Security Management
• Secondary Security Management
• Log server
10. Enter n to validate the products to install.
11. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure group permissions: Specifies a group name.
c. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
f. Start the installed products.
12. Log in again to the root account to set the new environment variables.
13. Transfer the exported configuration to the new Solaris installation, for example through FTP.
14. Change directory to /opt/CPsuite-R70/fw1/bin/upgrade_tools
15. Verify that the upgrade tools in this directory are the R70 upgrade tools, taken from the installation CD or downloaded from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
16. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
17. Enter y to stop all Check Point services.
18. The license upgrade wrapper runs. Enter c to continue, or q to quit.
19. Wait for the message: upgrade_import finished successfully!
20. Enter y to restart Check Point Services.
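The exported .tgz travels between two machines (by FTP in the Linux procedure above) and, as the Warning notes, holds the entire security configuration and should be deleted once the import is done. The script below is an added example, not part of the Check Point guide or its upgrade tools: write_manifest records a SHA-256 digest next to the archive on the source before the transfer, verify_export re-checks that digest and the archive's readability on the destination before upgrade_import is run, and remove_export deletes both files afterwards. No Check Point command is invoked; the archive in the demo is constructed, and sha256sum (with shasum as a fallback) is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: guard the exported
# configuration archive between upgrade_export on the source server and
# upgrade_import on the destination. Assumes sha256sum or shasum is installed.

# file_digest <file>: print the SHA-256 hex digest of a file.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # fallback where sha256sum is absent
    fi
}

# write_manifest <export.tgz>: store the digest in <export.tgz>.sha256, to be
# copied alongside the archive (run on the source before the transfer).
write_manifest() {
    file_digest "$1" > "$1.sha256"
}

# verify_export <export.tgz>: return 0 only if the digest matches the manifest
# and the file is a readable gzip tarball; print the reason otherwise.
verify_export() {
    [ -f "$1.sha256" ] || { echo "no manifest for $1"; return 1; }
    [ "$(file_digest "$1")" = "$(cat "$1.sha256")" ] \
        || { echo "digest mismatch: $1 was altered or truncated in transfer"; return 1; }
    gzip -t "$1" 2>/dev/null || { echo "$1 is not a valid gzip file"; return 1; }
    tar -tzf "$1" >/dev/null 2>&1 || { echo "$1 is not a readable tar archive"; return 1; }
    return 0
}

# remove_export <export.tgz>: delete the archive and its manifest after import.
remove_export() {
    rm -f "$1" "$1.sha256"
}

# Constructed demo: a small tarball stands in for <new database name>.tgz.
work=$(mktemp -d)
mkdir "$work/conf"
echo "constructed sample content" > "$work/conf/objects.txt"
tar -czf "$work/export.tgz" -C "$work" conf
write_manifest "$work/export.tgz"
verify_export "$work/export.tgz" && echo "archive intact: safe to run upgrade_import"
echo "x" >> "$work/export.tgz"          # simulate a damaged or tampered transfer
verify_export "$work/export.tgz" || echo "do not import this copy; transfer it again"
remove_export "$work/export.tgz"
rm -rf "$work"
```

On the destination, run verify_export on the transferred file before step 16 (upgrade_import) and remove_export after step 19 reports success, so that the plaintext configuration does not remain in $FWDIR/bin/upgrade_tools.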

Performing a New Installation
To perform a new installation and upgrade using the Wrapper:
1. Insert CD1 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select products:
• Check Point Power for headquarters and branch offices
• Check Point UTM for medium-sized businesses
6. Enter n.
7. For the installation option, select Installation Using Imported Configuration.
8. Enter n.
9. To import a Security Management Server configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration.
10. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the R70 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
11. Enter n.
12. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. Enter n.
14. Specify an upgrade option:
• Upgrade installed products
• Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.

To start Check Point Services.Migrate Your Current Management Configuration and Upgrade 17. c. e. Type randomly until the progress bar is full. f. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. Reboot. b. After product installation. 19. 232 . Start the installed products. Configure a pool of characters: For use in cryptographic operations. Configure group permissions: Specifies a group name. Use the Check Point Configuration program to: a. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole. the Check Point Configuration Program opens. 18. d. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file. Log in again to the root account to set the new environment variables. The recommended way of managing licenses is through SmartUpdate. 20. run: cpstart.

Advanced Upgrade on SecurePlatform

To perform an advanced upgrade on SecurePlatform using the wrapper:
1. Insert CD1 of the R70 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform R70 Upgrade Package (CPsupgrade_R70.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement.
8. Three upgrade options are displayed:
   • Upgrade
   • Export the configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the configuration.
   iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [S] to simulate the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [U] to perform the license upgrade.
   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   • Enter [Q] to quit.
   Open SmartUpdate and attach the new licenses to the gateways.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Reboot the Security Management server.

To perform an advanced upgrade on SecurePlatform by manually importing the database:
1. On the R70 Security Management server, locate the upgrade_export tool in the $FWDIR/bin/upgrade_tools directory.
2. Copy the upgrade_export tool to the same directory on the source machine. (Before doing this, it is recommended to preserve the old upgrade tools by renaming them.)
3. Run the upgrade_export tool: ./upgrade_export <new database name>
4. The upgrade_export tool creates a <new database name>.tgz file.
5. Transfer the .tgz file to the R70 $FWDIR/bin/upgrade_tools folder.
6. Run the upgrade_import tool: ./upgrade_import <new database name>.tgz
7. The database is imported.
8. Open SmartDashboard and edit the properties of the Security Management server network object, removing the IP address of the source machine and replacing it with the new one.

Advanced Upgrade on an IPSO Platform

Advanced upgrade involves performing a new installation and manually importing a previously exported configuration.

To perform an advanced upgrade on an IPSO platform:
1. On the production machine, download the latest R70 upgrade tools, and transfer them to $FWDIR/bin/upgrade_tools. (You need the latest R70 upgrade tools to perform the export operation.)
2. On the production machine, run upgrade_export.
3. Transfer the resulting .tgz file to the second, off-line machine.
4. On the second, off-line machine, download from the Check Point website the R70 upgrade package: IPSO_Wrapper_<version_number>.tgz
5. From the command prompt, run: newpkg -S -m LOCAL -n <path_to>/IPSO_Wrapper_<version_number>.tgz
   The package and products are installed but not activated.
6. Reboot.
7. From a console connection, run cpconfig.
8. Select a product:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
9. Select the installation type: Stand Alone or Distributed.
10. Select Security Management Server from the list.
11. Specify the Security Management Server type as Primary or Secondary.
12. Configure an administrator name and password.
13. Add Licenses.
14. Configure Group Permissions.
15. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
16. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
17. Configure the GUI clients and hosts which can access the Security Management server management component.
18. When prompted, do not start the installed products.
19. Reboot.
20. From $FWDIR/bin/upgrade_tools, run upgrade_import.
21. Start the installed products by running cpstart.

Advanced Upgrade on a Solaris Platform

To perform an advanced upgrade on a Solaris platform:
1. Insert CD3 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select New installation as the installation option.
6. Enter n.
7. From the list of products, select Security Management.
8. Enter n to validate the products to install.
9. Specify the Security Management Server type to install:
   • Primary Security Management
   • Secondary Security Management
   • Log server
10. After product installation, the Check Point Configuration Program opens.
11. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure group permissions: Specifies a group name.
   c. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   f. Start the installed products.
12. Enter n.
13. Log in again to the root account to set the new environment variables.
14. Transfer the exported configuration to the new Solaris installation, for example, using FTP.
15. Change the directory to /opt/CPsuite-R70/fw1/bin/upgrade_tools.
16. Verify that the upgrade tools in this directory are the R70 upgrade tools taken from the installation CD or downloaded from the Check Point website.
17. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
18. Enter y to stop all Check Point services. The license upgrade wrapper runs. Enter c to continue, or q to quit. The license upgrade process may take some time, as all the licenses are gathered and sent in SSL-encrypted format to the Check Point User Center.
19. Wait for the message: upgrade_import finished successfully!
20. Enter y to restart Check Point Services.

Performing a Solaris Installation and Upgrade

To perform a new Solaris installation and upgrade using the wrapper:
1. Insert CD2 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. For the installation option, select Installation Using Imported Configuration.
6. Enter n.
7. To import a Security Management Server configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration.
8. Select a source for the upgrade utilities. While the upgrade utilities are on the R70 CD, it is recommended to download the latest tools from the Check Point website.
9. Enter n. The license upgrade wrapper runs. Enter c to continue, or q to quit.
10. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
11. Enter n.
12. Specify an upgrade option:
   • Upgrade installed products
   • Upgrade installed products and install new products
13. Enter n to validate the products to install.
14. Enter n.
15. After product installation, the Check Point Configuration Program opens.
16. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure group permissions: Specifies a group name.
   c. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   f. Start the installed products.
17. Log in again to the root account to set the new environment variables.
18. Reboot. To start Check Point Services, run: cpstart.

Migration to a New Machine with a Different IP Address

Due to the nature of licenses (which are associated with IP addresses), when migrating your current Security Management Server configuration, verify that the destination server has the same IP configuration as the original. The following two sections explain the steps that should be performed when the new Security Management Server has a different IP address.

Before Migrating Your Original Security Management Server

To prepare to migrate a Security Management server to a new machine:
1. On the original Security Management server, add rules that will allow the new Security Management Server to access the gateways it will manage. To do this, create a Security Management Server object that represents the new Security Management Server's IP address: Manage > Network Objects > New… > Check Point > Host/Gateway, and in the General Properties tab select Secondary Security Management server in the software blades section.
2. On the original Security Management server, create a firewall rule that allows the FW1 (TCP 256), CPD (TCP 18191), and FW1_CPRID (TCP 18208) services to originate from the new Security Management server, with all available gateways as the destination.
3. Install the new security policy on all gateways.
4. Perform the appropriate process to migrate your original Security Management server.

After Migrating Your Original Security Management Server

To complete the process of migrating a Security Management server to a new machine:
1. Update the Security Management Server licenses with the new IP address. If central licenses are used, they should also be updated with the new IP address.
2. Use the cpstart command to start the new Security Management Server.
3. Access the new Security Management Server using SmartDashboard.
4. On the new Security Management Server, update the primary Security Management Server object so that its IP address and topology match its new configuration.
5. On the new Security Management Server, remove the object you created to represent the new Security Management Server's IP address.
6. On the DNS, map the Security Management Server's DNS name to the new IP address.

Migrate Your Current Gateway Configuration & Upgrade

In This Section:
Advanced Upgrade on a Windows Platform (page 242)
Advanced Upgrade on a Linux Platform (page 229)
Advanced Upgrade on SecurePlatform (page 247)
Advanced Upgrade on an IPSO Platform (page 248)

This section covers the advanced upgrade procedure for security gateways. The advanced upgrade procedure involves two machines. The first machine is the working production machine. The second machine is off-line, and only contains the operating system. The Security Management server is freshly installed on the second machine and the configuration of the first machine is imported.

Advanced Upgrade on a Windows Platform

To perform an advanced upgrade on a Windows platform:
1. Insert the R70 CD into the production Gateway.
2. Accept the license agreement and click Next.
3. Under Upgrade Options, select Export.
4. Perform the Pre-Upgrade Verification.
5. When prompted, select Use the upgrade utilities from the CD. If this is not possible, download the most updated upgrade utilities from the Check Point website. If you opt to perform the Export procedure manually, make sure that you are using the R70 Export tool. The upgrade_export tool is located on the product CD under the Windows directory.
6. Select the destination path for the configuration (.tgz) file.
7. Wait until the database files are exported.
8. Copy the exported .tgz file to the new Security Management server.
9. Insert the R70 CD into the target Security Management server. Do one of the following:
   • Perform a fresh install of the security gateway, and manually import the configuration file using the upgrade_import tool on the R70 CD.
   • Perform a fresh install of the security gateway, and import the configuration file. When prompted, select Installation using Imported Configuration. This option prompts you for the location of the imported .tgz configuration file and then automatically installs the new software and utilizes the imported .tgz configuration file.

Warning - The configuration (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the import process.

Advanced Upgrade on a Linux Platform

Advanced upgrade involves either:
• Performing a new installation, and manually importing a previously exported configuration, or:
• Performing a new installation and upgrade through the wrapper. The wrapper automatically performs the install, and the upgrade_import process.

To perform a new installation and manually import the configuration:
1. Insert CD2 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select New installation as the installation option.
6. Enter n.
7. From the list of products, select Security Management Server and Security gateway.
8. Enter n to validate the products to install.
9. Specify the Security Management Server type to install:
   • Primary Security Management
   • Secondary Security Management
   • Log server
10. After the installation is complete, the Check Point Configuration Program opens.
11. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure group permissions: Specifies a group name.
   c. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   d. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   e. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   f. Start the installed products.
12. Enter n. Log in again to the root account to set the new environment variables.
13. Transfer the exported configuration to the new Solaris installation, for example through FTP.
14. Change directory to /opt/CPsuite-R70/fw1/bin/upgrade_tools.
15. Make sure that the upgrade tools in this directory are the R70 upgrade tools, taken from the installation CD or downloaded from the Check Point website.
16. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
17. Enter y to stop all Check Point services.
18. Enter n. The license upgrade wrapper runs. Enter c to continue, or q to quit.
19. Wait for the message: upgrade_import finished successfully!
20. Enter y to restart Check Point Services.

To perform a new installation and upgrade using the wrapper:
1. Insert CD2 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. For the installation option, select Installation Using Imported Configuration.
6. To import a Security Management Server configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration.
7. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the R70 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
8. The license upgrade wrapper runs. Enter c to continue, or q to quit.
9. Enter n.
10. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
11. Enter n.
12. Specify an upgrade option:
   • Upgrade installed products
   • Upgrade installed products and install new products
13. Enter n to validate the products to install.
14. Enter n.
15. After the installation is complete, the Check Point Configuration Program opens.
16. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure group permissions: Specifies a group name.
   c. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   d. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   e. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   f. Start the installed products.
17. Log in again to the root account to set the new environment variables.
18. Reboot. To start Check Point Services, run: cpstart.

Advanced Upgrade on SecurePlatform

To perform an advanced upgrade on SecurePlatform:
1. Insert CD1 of the R70 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform R70 Upgrade Package (CPsupgrade_R70.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Enter y to agree to the license agreement.
8. Three upgrade options are displayed:
   • Upgrade
   • Export the configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the configuration.
   iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [S] to simulate the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [U] to perform the license upgrade.
   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   • Enter [Q] to quit.
   Open SmartUpdate and attach the new licenses to the gateways.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Reboot.

Advanced Upgrade on an IPSO Platform

Advanced upgrade involves performing a new installation and manually importing a previously exported configuration.

To perform an advanced upgrade on an IPSO platform:
1. On the production machine, download the latest R70 upgrade tools, and transfer them to $FWDIR/bin/upgrade_tools. (You need the latest R70 upgrade tools to perform the export operation.)
2. On the production machine, run upgrade_export.
3. Transfer the resulting .tgz file to the second, off-line machine.
4. On the second, off-line machine, download from the Check Point website the R70 upgrade package: IPSO_Wrapper_<version_number>.tgz
5. From the command prompt, run: newpkg -S -m LOCAL -n <path_to>/IPSO_Wrapper_<version_number>.tgz
   The package and products are installed but not activated.
6. Reboot.
7. From a console connection, run cpconfig.
8. Select the installation type: Stand Alone.
9. Select Security Management Server and Security gateway from the selection list.
10. Specify the Security Management Server type as Primary or Secondary.
11. Configure an administrator name and password.
12. Add Licenses.
13. Configure Group Permissions.
14. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
15. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
16. Configure the GUI clients and hosts that can access the Security Management server management component.
17. When prompted, do not start the installed products.
18. Reboot.
19. From $FWDIR/bin/upgrade_tools, run upgrade_import.
20. Start the installed products by running cpstart.


Chapter 14 Upgrading Provider-1

In This Chapter
Introduction (page 252)
Provider-1 Upgrade Tools (page 253)
Provider-1 Upgrade Practices (page 266)
Upgrading a Multi-MDS System (page 274)
Restarting CMAs (page 277)
Restoring Your Original Environment (page 278)
Renaming Customers (page 279)
Changing the MDS IP Address and External Interface (page 283)
IPS in Provider-1 (page 284)

Introduction

This chapter describes methods and utilities for upgrading Provider-1 to the current version. If you are upgrading a multi-MDS environment, refer to "Upgrading a Multi-MDS System" on page 274.

In This Section
Supported Versions and Platforms (page 252)
Before You Begin (page 252)

Supported Versions and Platforms

The direct upgrade of the MDS to the current version is supported from the following versions:

Release   Version
NGX       R65
NGX       R62
NGX       R61
NGX       R60A
NGX       R60

The latest information regarding supported platforms is always available in the Check Point Release Notes at http://support.checkpoint.com.

Before You Begin

Before performing a Provider-1 upgrade, it is recommended that you read the current version Release Notes at http://support.checkpoint.com.

Provider-1 Upgrade Tools

This section describes the different upgrade and migrate utilities, and explains when and how each of them is used.

In This Section
Pre-Upgrade Verifiers and Fixing Utilities (page 253)
Installation Script (page 254)
export_database (page 255)
migrate_assist (page 258)
cma_migrate (page 259)
migrate_global_policies (page 264)
Backup and Restore (page 264)

Pre-Upgrade Verifiers and Fixing Utilities

Before performing the upgrade, the Provider-1 upgrade script, mds_setup, runs a list of pre-upgrade utilities. The utilities search for well known upgrade problems that might be present in your existing installation. The output of the utilities is also saved to a log file.

Three types of messages are generated by the pre-upgrade utilities:
• Action items before the upgrade: These include errors and warnings. Errors have to be repaired before the upgrade. Warnings are left for the user to check and conclude whether they should be fixed or not. In some cases, it is suggested that fixing utilities should be run during the pre-upgrade check, but in most cases the fixes are done manually from SmartDashboard. An example of an error to be fixed before the upgrade is when an invalid policy name is found in your existing installation. In this case, you must rename the policy.
• Action items after the upgrade: These include errors and warnings, which are to be handled after the upgrade.
• Information messages: This section includes items to be noted. For example, when a specific object type that is no longer supported is found in your database and is converted during the upgrade process, a message indicates that this change is going to occur.

Installation Script

Use the mds_setup installation script for MDS. When mds_setup is executed, it first checks for an existing installation of MDS:
• If no such installation exists, mds_setup asks you to confirm a fresh installation of MDS.
• If a previous version of MDS is detected, you are prompted to select one of the following options (Pre-Upgrade Verification Only, Upgrade or Backup) listed below. For additional information, refer to "Provider-1 Upgrade Practices" on page 266.

Note - When installing MDS on SecurePlatform, the installation is performed using the SecurePlatform installer on the CD. Do not run the mds_setup script directly.

To run mds_setup:
1. Mount the Provider-1 CD from the relevant subdirectory.
2. Change the directory to the mounted directory.
3. Browse to either the Solaris or Linux directory, depending on the operating system of your MDS machine.
4. Run the installation script: ./mds_setup.
5. Exit all shell sessions. Open a new shell in order for the new environment to be set.


Pre-Upgrade Verification Only
Pre-Upgrade Verification Only enables you to run pre-upgrade verification without upgrading your existing installation. No fixing utilities are executed. Use this option at least once before you upgrade. It provides you with a full report on upgrade issues, some of which should be handled before the upgrade. In a multi-MDS environment, the pre-upgrade verification must be run on all MDSes (and MLMs) before upgrading the first MDS.

Upgrade
When the upgrade option is used, mds_setup runs the Pre-Upgrade Verifier and if no errors are found, the upgrade process proceeds. In case of errors, mds_setup stops the installation until all the errors are fixed. In some cases, mds_setup suggests automatically fixing the problem using a fixing utility. Fixing utilities that affect the existing installation can also be run from the command line. You can choose to stop the installation and run the fixing utility from the command line.

There are two important things to remember after changing your existing installation:
• Verify your changes in the existing installation before you upgrade.
• Synchronize global policies. If you make changes in global policies, reassign these global policies to customers.

If you have a multi-MDS environment:
• Synchronize databases between MDSs in High Availability.
• Synchronize databases between CMAs in High Availability.
• Install the database on CLMs.

Backup
Prior to performing an upgrade, back up your MDS. The backup option from mds_setup runs the mds_backup process (refer to mds_backup). Backup is also used for replication of your MDS to another machine. Manual operations are necessary if you are switching IP addresses or network interface names. For additional information, refer to “Changing the MDS IP Address and External Interface” on page 283.

export_database
The export_database utility allows you to export an entire database into one .tgz file that can be imported into a different MDS machine. The following files can be exported:
• An entire CMA database
• An entire Security Management database
• An MDS Global Policy database

This tool can be used instead of migrate_assist, which exports the database remotely, file by file, whereas export_database creates one comprehensive file on the source machine. The export_database tool is supported on Linux and Solaris 2. If you are running other platforms, use migrate_assist to export all files, including the global policy. Before using the export_database utility, you must: 1. Copy the export tool .tgz file for your operating system to the source CMA or Security Management server. The export tool files can be found on your installation CD or on the Check Point support website, http://support.checkpoint.com. 2. Untar the export tool .tgz file to some path on the source machine. A directory called export_tools is extracted. 3. Run the export_database commands from the export_tools directory. After exporting the databases using export_database, transfer the .tgz files to the target machine. Import the CMA or Security Management files using cma_migrate and import the Global Policy file using the migrate_global_policies command.

Usage
• Exporting a CMA:
  ./export_database.sh <path for the output file> -c <name of CMA>
• Exporting a Security Management server:
  ./export_database.sh <path for the output file>
• Exporting an MDS global database:
  ./export_database.sh <fully qualified path for the output file> -g


Other flags:

Table 14-1 export_database flags
Flag   Meaning
-h     Display usage
-b     Batch mode
-l     Include the log database
-m     Include the SmartMap database

Example
• To export the database of a CMA, CMA1, including its log database to a file path, /var/tmp, use the following command: ./export_database.sh /var/tmp –c CMA1 -l • To export a Security Management database, including its Smartmap database, to a file path, /var/tmp, use the following command: ./export_database.sh /var/tmp -m • To export an MDS’s Global Policy to a file path, /var/for_export, use the following command:
./export_database.sh /var/for_export –g
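As an added example, not part of this guide or of Check Point's export_tools, the POSIX shell functions below assemble the export_database.sh command lines shown above from the Table 14-1 flags, then check the resulting archive (a readable .tgz with its SHA-256 recorded) before it leaves the source machine and again on the target before cma_migrate or migrate_global_policies is run. It assumes it is run from the extracted export_tools directory with tar and sha256sum (or shasum) available; the archive built in the demo is constructed, not a real export.

```shell
#!/bin/sh
# Added example (not Check Point's code). Wraps export_database.sh: builds the
# command line from the Table 14-1 flags and verifies the .tgz it produces.
# Assumptions: run from the extracted export_tools directory; tar and
# sha256sum (or shasum) exist on both the source and the target machine.

# build_export_cmd KIND OUTPATH [CMA_NAME] [flags...]
#   KIND is cma, smc (Security Management server) or global, matching the three
#   usage forms of export_database.sh. Extra flags (-l, -m, -b) are appended.
#   Prints the command line; it does not run it.
build_export_cmd() {
  kind=$1; out=$2; shift 2
  case $kind in
    cma)    name=$1; shift
            set -- ./export_database.sh "$out" -c "$name" "$@" ;;
    smc)    set -- ./export_database.sh "$out" "$@" ;;
    global) set -- ./export_database.sh "$out" -g "$@" ;;
    *)      echo "build_export_cmd: unknown kind '$kind' (cma|smc|global)" >&2
            return 1 ;;
  esac
  echo "$*"
}

# sha256_of FILE: prints the hex digest, falling back to shasum where
# sha256sum is absent (e.g. BSD-derived systems).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive ARCHIVE
#   Run on the source machine after export_database.sh finishes. Fails if the
#   archive is missing, empty, or not a readable gzip tarball; otherwise writes
#   its SHA-256 to ARCHIVE.sha256 so the target can check the copy it received.
verify_archive() {
  archive=$1
  [ -s "$archive" ] || { echo "missing or empty archive: $archive" >&2; return 1; }
  tar -tzf "$archive" >/dev/null 2>&1 || { echo "not a valid .tgz: $archive" >&2; return 1; }
  sha256_of "$archive" > "$archive.sha256"
}

# check_transferred ARCHIVE EXPECTED_DIGEST
#   Run on the target machine before cma_migrate. A mismatch means the copy
#   was truncated, corrupted in transit, or is not the file that was exported.
check_transferred() {
  archive=$1; expected=$2
  actual=$(sha256_of "$archive") || return 1
  [ "$actual" = "$expected" ]
}

# Demo: the command lines for the three examples in the text above.
build_export_cmd cma /var/tmp CMA1 -l
build_export_cmd smc /var/tmp -m
build_export_cmd global /var/for_export
```

Once the import on the target has completed, delete the archive and its .sha256 sidecar, since the .tgz holds the complete management configuration.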

merge_plugin_tables
The merge_plugin_tables utility is included in the export_database utility. It searches for all CMA or Security Management Plug-ins and merges the Plug-in tables with the CMA or Security Management tables. In Linux and Solaris 2, the merge_plugin_tables tool runs automatically when you run the export_database tool and its output becomes part of the CMA database .tgz file. If you have a Security Management server running on FreeBSD, IPSO 6, or WIN32 you can and should use merge_plugin_tables to consolidate your Plug-in information before exporting files using migrate_assist.


Before using the merge_plugin_tables utility, you must:
1. Copy the export tool .tgz file for your operating system to the source CMA or Security Management server. The export tool files can be found on your installation CD or on the Check Point support website, http://support.checkpoint.com.
2. Untar the export tool .tgz file to some path on the source machine. A directory called export_tools is extracted.
3. Run the merge_plugin_tables command from the export_tools directory.

Usage
merge_plugin_tables <-p conf_dir> [-s] [-h]
where <-p conf_dir> is the path of $FWDIR directory of the CMA/Security Management, -s performs the utility in silent mode (default is interactive mode), and -h displays usage.

Example
To merge the Plug-in tables of a CMA, CMA1, run the following commands:
mdsenv cma1
merge_plugin_tables -p "$FWDIR"

migrate_assist
This utility is a helper utility for cma_migrate. It can be used to pull the original management directories to the current disk storage using FTP. When you finish running migrate_assist, it is possible to run cma_migrate (refer to “cma_migrate” on page 259), the input directory of which will be the output directory of migrate_assist. You can use export_database instead of migrate_assist to export a CMA, Security Management, or Global Policy database if your source machine is running on Linux or Solaris 2. See “export_database” on page 255 for more information.

Note - Before running migrate_assist, stop the source management processes and merge the Plug-in tables.


Usage
migrate_assist <source machine name/ip> <source FWDIR folder> <user name> <password> <target folder> <source CPDIR folder>

Example
To import a Security Management server with the IP address 192.168.0.5 of version NGX R60, use the following command:

migrate_assist 192.168.0.5 /opt/CPsuite-R60/fw1 FTP-user FTPpass /EMC1 /opt/CPshrd-R60
/EMC1 is the name of the directory created on the MDS server machine. migrate_assist accesses the source machine and imports the source FWDIR and CPDIR folders to the specified target folder according to the structure described above. The user name and password are needed to gain access to the remote machine via FTP. Because FTP carries both these credentials and the management database in cleartext, run migrate_assist only over a trusted, isolated network segment.

Note - When the source management is a Security Management version R70 or higher, running on Windows, the following procedure should be done before running migrate_assist:
1. Run the command: cpprod_util CPPROD_GetInstalledPlugIns > plugins.txt
2. Copy the resulting file (plugins.txt) to the %FWDIR%\conf directory.
3. If you have Plug-ins installed, run merge_plugin_tables before running migrate_assist.

cma_migrate
This utility is used to import an existing Security Management server or CMA into a Provider-1 MDS so that it will become one of its CMAs. If the imported Security Management or CMA is of a version earlier than the MDS to which it is being imported, then the Upgrade process is performed as part of the import. The available versions are listed in “Supported Versions and Platforms” on page 252. It is recommended to run cma_migrate to import CMA or Security Management database files created using the export_database tool. Bear in mind that the source and target platforms may be different. The platform of the source management to be imported can be Solaris, Linux, Windows, SecurePlatform or IPSO.


Before running cma_migrate, create a new customer and a new CMA. Do not start the CMA, or cma_migrate will fail. If you are migrating a CMA to a new CMA with a different IP address, follow the instructions in “Migration to a New Machine with a Different IP” in the Check Point Internet Security Products Upgrade Guide.

The source database’s subdirectories to be migrated are conf, database, registry, and log. The $CPDIR/conf directory should be named conf.cpdir and placed inside <old source database directory path> to avoid overwriting the $FWDIR/conf directory.

Note - The registry directory is required only if you are upgrading from version R70 or higher.

When the source management is a Security Management version R70 or higher, running on Windows, the following procedure should be done before creating <source management directory path>:
1. Run: cpprod_util CPPROD_GetInstalledPlugIns > plugins.txt
2. Copy the resulting file (plugins.txt) to the %FWDIR%\conf directory.

Usage
cma_migrate <source management directory path> <target CMA FWDIR directory>


The first argument (<source management directory path>) specifies a path on the local MDS machine where the data of the source management resides. Use migrate_assist to build this source directory or build it manually. Set the structure under the source management directory as described in Table 14-2.

Table 14-2 Source Management Structure
directory    contents
conf         This directory contains the information that resides in $FWDIR/conf of the source management.
database     This directory contains the information that resides in $FWDIR/database of the source management.
log          This directory contains the information that resides in $FWDIR/log of the source management, or is empty if you do not wish to maintain the logs.
conf.cpdir   This directory contains the information that resides in $CPDIR/conf of the source management.
registry     This directory contains the information that resides in $CPDIR/registry of the source management. This directory is required only if you are upgrading from version R70 or higher.

The second argument (<target CMA FWDIR directory>) is the FWDIR of the newly created CMA.

Example
cma_migrate /tmp/exported_smc.22Jul2007-224020.tgz /opt/CPmds-FLO/customers/cma2/CPsuite-FLO/fw1

Additional Information
When running cma_migrate, pre-upgrade verification takes place. If no errors are found, then the migration continues. If errors are found, changes must be performed on the original Security Management server.

Note - To run the cma_migrate utility from the MDG, right-click a CMA and select Import Customer Management Add-on from the menu. You can also run mdscmd migratecma to import files to an MDS.
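The directory layout of Table 14-2 can also be built without migrate_assist. The following script is an added example, not a Check Point tool: it assembles the source management directory from copies of the source $FWDIR and $CPDIR that you have already transferred (for instance with scp over SSH, which, unlike migrate_assist's FTP transfer, does not expose the database or credentials in cleartext) and checks the layout before you pass it to cma_migrate. The --with-logs flag and the use of objects_5_0.C as a sanity check for $FWDIR/conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): build the cma_migrate source
# directory of Table 14-2 from local copies of the source management's $FWDIR
# and $CPDIR, then verify the layout. This is the "build it manually" route.
# The --with-logs flag and the objects_5_0.C check are assumptions of this example.

# build_cma_migrate_source SRC_FWDIR SRC_CPDIR TARGET_DIR [--with-logs]
build_cma_migrate_source() {
    src_fwdir=$1; src_cpdir=$2; target=$3; with_logs=${4:-}
    [ -d "$src_fwdir/conf" ] && [ -d "$src_fwdir/database" ] || return 1
    [ -d "$src_cpdir/conf" ] || return 1
    mkdir -p "$target" || return 1
    # $FWDIR subdirectories keep their names.
    cp -Rp "$src_fwdir/conf"     "$target/conf"     || return 1
    cp -Rp "$src_fwdir/database" "$target/database" || return 1
    # log is always present; it stays empty unless the logs are to be kept.
    mkdir -p "$target/log" || return 1
    if [ "$with_logs" = "--with-logs" ] && [ -d "$src_fwdir/log" ]; then
        cp -Rp "$src_fwdir/log/." "$target/log/" || return 1
    fi
    # $CPDIR/conf must be renamed conf.cpdir so it cannot overwrite $FWDIR/conf.
    cp -Rp "$src_cpdir/conf" "$target/conf.cpdir" || return 1
    # registry is only needed (and only present) for R70 or higher sources.
    if [ -d "$src_cpdir/registry" ]; then
        cp -Rp "$src_cpdir/registry" "$target/registry" || return 1
    fi
    check_cma_migrate_source "$target"
}

# check_cma_migrate_source DIR: verify the mandatory Table 14-2 layout.
check_cma_migrate_source() {
    d=$1
    for sub in conf database log conf.cpdir; do
        [ -d "$d/$sub" ] || { echo "missing $d/$sub" >&2; return 1; }
    done
    # A $CPDIR/conf copied as plain "conf" would silently clobber $FWDIR/conf;
    # objects_5_0.C lives only in $FWDIR/conf (assumed), so use it as a sanity check.
    [ -f "$d/conf/objects_5_0.C" ] || { echo "$d/conf does not look like \$FWDIR/conf" >&2; return 1; }
    return 0
}
```

Run it as build_cma_migrate_source /mnt/src/fw1 /mnt/src/cpshared /var/tmp/src_mgmt and pass /var/tmp/src_mgmt as the first argument of cma_migrate; the check function can also be run on a directory that migrate_assist produced.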

Certificate Authority Information
The original Certificate Authority and putkey information is maintained when using cma_migrate. This means that the Security Management server that was migrated using cma_migrate should not re-generate certificates to gateways, and SIC should continue to work with gateways. However, if the IP of the CMA is different than that of the original management, then putkey should be repeated between the CMA and entities that connect to it using putkey information. Use putkey -n to re-establish trust. For additional information on putkey, refer to the Check Point Command Line Interface documentation.

If your intent is to split a CMA into two or more CMAs, reinitialize their Internal Certificate Authority so that only one of the new CMAs employs the original ICA.

To reinitialize a CMA’s Internal Certificate Authority:
1. Run: mdsstop_customer <CMA NAME>
2. Run: mdsenv <CMA NAME>
3. Remove the current Internal Certificate Authority by executing the fwm sic_reset command. This may require some preparation that is described in detail from the command prompt and also in the Secure Knowledge solution sk17197.
4. Create a new Internal Certificate Authority by executing: mdsconfig -ca <CMA NAME> <CMA IP>
5. Run the command: mdsstart_customer <CMA NAME>

For further information, refer to SK17197 at the following link: http://supportcontent.checkpoint.com/solutions?id=sk17197

Resolving Issues with IKE Certificates
When migrating a management database that contains a gateway object that takes part in a VPN tunnel with an externally managed third-party gateway, an issue with the IKE certificates arises. If the IKE certificate was issued by a Check Point Internal CA, when such a gateway presents its IKE certificate to its peer, the peer gateway uses the FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority that issued the certificate. After migration, the FQDN will contain the host name of the original management. In this case, the peer gateway will try to contact the original management for the CRL information, and failing to do so will not accept the certificate.

There are two ways to resolve this issue:
• Update the DNS server on the peer side to resolve the host name of the original management to the IP address of the relevant CMA.
• Revoke the IKE certificate for the gateway(s) and create a new one. The new certificate will contain the FQDN of the CMA.

migrate_global_policies
The migrate_global_policies command transfers (and upgrades, if necessary) a global policies database from one MDS to another.

Note - When executing the migrate_global_policies utility, the MDS will be stopped. The CMAs can remain up and running.

Note - migrate_global_policies fails if there is a global policy assigned to a Customer. Do not create and assign any Global Policy to a Customer before you run migrate_global_policies. If the global policies database on the target MDS has policies that are assigned to customers, migrate_global_policies aborts. This is done to ensure that the Global Policy used at the Customer's site is not deleted.

Usage
migrate_global_policies <path global policies conf database>
<path global policies conf database>: Specifies the fully qualified path to the directory where the global policies files, originally exported from the source MDS ($MDSDIR/conf), are located.

Backup and Restore
The purpose of the backup/restore utility is to back up an MDS as a whole, including all the CMAs that it maintains, and to restore it when necessary. The backup saves both user data and binaries. Restoration can be performed on the original machine or to another machine. The restoration procedure brings the MDS to the state it was in when the backup procedure was executed.

If the Provider-1 system consists of several MDSes, the backup procedure takes place manually on all the MDSes concurrently. Likewise, when the restoration procedure takes place, it should be performed on all MDSes concurrently. During backup, it is okay to view data but do not write using MDGs, GUIs or other clients.

When performing a restoration to another machine, for example if your intention is to upgrade by replicating your MDS for testing purposes, and the machine’s IP address or interface has changed, refer to “Changing the MDS IP Address and External Interface” on page 283 for instructions on how to adjust the restored MDS to the new machine.

Note - Backup and restore cannot be used to move the MDS installation between platforms.

mds_backup
This utility stores binaries and data from your MDS installation. Running mds_backup requires superuser privileges. This utility runs the gtar command on the root directories of data and binaries, except for files that are specified in the mds_exclude.dat ($MDSDIR/conf) file. Any extra information located under these directories is backed up. The collected information is wrapped in a single zipped tar file. The name of the created backup file comprises the date and time of the backup, followed by the extension .mdsbk.tgz. For example: 13Sep2002-141437.mdsbk.tgz. The file is placed in the current working directory, thus it is important not to run mds_backup from one of the directories that is to be backed up.

Usage
mds_backup

mds_restore
Restores an MDS that was previously stored with mds_backup. For correct operation, mds_restore requires a fresh installation of an MDS of the same version as the MDS to be restored.

Usage
mds_restore <backup file>
$MDSDIR/bin/set_mds_info -b -y
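The two operational caveats above (superuser privileges, and never running mds_backup from a directory that is about to be archived) are easy to get wrong on a busy console. The following wrapper is an added example and not part of the Check Point toolset: it refuses to run from a path under $MDSDIR, $CPDIR or $FWDIR, runs the backup command in a staging directory, and records a SHA-256 of the resulting .mdsbk.tgz so the copy can be verified on the target machine before mds_restore. The staging directory, the environment variables used as backup roots, and the checksum sidecar file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not a Check Point tool): run mds_backup from a safe staging
# directory and record a checksum of the resulting archive.
# Backup roots are taken from the MDS environment variables ($MDSDIR, $CPDIR,
# $FWDIR are set by mdsenv on a real MDS); the staging path, the root check and
# the .sha256 sidecar are assumptions of this example.

# path_under PATH ROOT: succeed if PATH is ROOT or lies beneath it.
path_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# mds_backup_cwd_ok CWD ROOT...: fail if CWD is inside any of the given roots,
# because mds_backup writes its archive into the current working directory.
mds_backup_cwd_ok() {
    cwd=$1; shift
    for root in "$@"; do
        [ -n "$root" ] || continue
        if path_under "$cwd" "$root"; then
            echo "refusing to run mds_backup from $cwd (inside $root)" >&2
            return 1
        fi
    done
    return 0
}

# sha256_of FILE: SHA-256 hex digest via coreutils or BSD/perl shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_mds_backup STAGING_DIR BACKUP_CMD...: check the staging directory is
# outside the backup roots, run the backup command there, then write
# <archive>.sha256 next to the newest *.mdsbk.tgz and print the archive path.
run_mds_backup() {
    staging=$1; shift
    mds_backup_cwd_ok "$staging" "${MDSDIR:-}" "${CPDIR:-}" "${FWDIR:-}" || return 1
    [ "$(id -u)" -eq 0 ] || echo "warning: mds_backup requires superuser privileges" >&2
    mkdir -p "$staging" || return 1
    ( cd "$staging" && "$@" ) || return 1
    archive=$(ls -t "$staging"/*.mdsbk.tgz 2>/dev/null | head -n 1)
    [ -n "$archive" ] || { echo "no .mdsbk.tgz produced in $staging" >&2; return 1; }
    sha256_of "$archive" > "$archive.sha256" || return 1
    echo "$archive"
}
```

On a live MDS run it as run_mds_backup /var/backups/mds mds_backup after mdsenv; on the target machine compare sha256_of against the .sha256 file before calling mds_restore, since the archive contains the ICA and every CMA's certificates.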

Provider-1 Upgrade Practices

In This Section
In-Place Upgrade page 266
Replicate and Upgrade page 267
Gradual Upgrade to Another Machine page 268
Migrating from Security Management to a CMA page 270

In-Place Upgrade
The in-place upgrade process takes place on the existing MDS machine. The MDS with all CMAs are upgraded during a single upgrade process.
1. Run the Pre-upgrade verification only option from mds_setup. In a multi-MDS environment, perform this step on all MDSes (refer to “Upgrading in a Multi-MDS Environment” on page 273 for details).
2. Make the changes required by the pre-upgrade verification.
3. Test your changes as follows:
   a. Assign the global policy
   b. Install policies to CMAs
   c. Verify logging using SmartView Tracker
   d. View status using the MDG or SmartView Monitor
4. Back up your system either by selecting the backup options in mds_setup or by running mds_backup.
5. Perform the in-place upgrade.
   • For Solaris or Linux, use mds_setup (See “Installation Script” on page 254).
   • For SecurePlatform, run patch add cd (See “Upgrading to R70 on SecurePlatform” on page 267).
6. After the upgrade completes, retest using the sub-steps in step 3 above, and if you have High Availability, perform the required synchronizations.

Note - When upgrading Provider-1, all SmartUpdate packages on the MDS (excluding SofaWare firmware packages) are deleted from the SmartUpdate Repository.

Upgrading to R70 on SecurePlatform
This section describes how to upgrade SecurePlatform using a CD ROM drive.

To perform an upgrade on SecurePlatform:
1. Log in to SecurePlatform (expert mode is not necessary).
2. Apply the SecurePlatform upgrade package: # patch add cd. You are prompted to verify the MD5 checksum.
3. Answer the following question: Do you want to create a backup image for automatic revert? Yes/No
   If you select Yes, a Safe Upgrade is performed. Safe Upgrade automatically takes a snapshot of the entire system so that the entire system (operating system and installed products) can be restored if something goes wrong during the Upgrade process (for example, hardware incompatibility). If the Upgrade process detects a malfunction, it automatically reverts to the Safe Upgrade image.
4. When the Upgrade process is complete, upon reboot you are given the option to start the SecurePlatform operating system using the upgraded version image or using the image prior to the Upgrade process.

Replicate and Upgrade
Choose this type of upgrade if you intend to change hardware as part of the upgrade process or if you want to test the upgrade process first. The existing MDS installation is copied to another machine (referred to as the target machine) by using the mds_backup and mds_restore commands. To restore your existing MDS, first install a fresh MDS on the target machine that is the exact same version as your existing MDS.

Note - The target machine should be on an isolated network segment so that gateways connected to the original MDS are not affected until you switch to the target machine.

To perform the Replicate and Upgrade process:
1. Back up your existing MDS. This can be done by running mds_backup or by running mds_setup and selecting the Backup option.
2. Install a fresh MDS on the target machine.
3. Restore the MDS on the target machine. Copy the file created by the backup process to the target machine and run mds_restore, or run mds_setup and select the Restore option.
4. If your target machine and the source machine have different IP addresses, follow the steps listed in “IP Address Change” on page 283 to adjust the restored MDS to the new IP address.
5. If your target machine and the source machine have different interface names (e.g. hme0 and hme1), follow the steps listed in “Interface Change” on page 283 to adjust the restored MDS to the new interface name.
6. Test to confirm that the replication has been successful:
   a) Start the MDS.
   b) Verify that all CMAs are running and that you can connect to the MDS with MDG and Global SmartDashboard.
   c) Connect to CMAs using SmartDashboard.
7. Stop the MDS on the target machine and upgrade your MDS using an In-Place Upgrade (for additional information, refer to “In-Place Upgrade” on page 266).
8. Start the MDS.

Gradual Upgrade to Another Machine
In a gradual upgrade, CMAs are transferred to another current version MDS one CMA at a time. In a gradual upgrade, the following information is not retained:
• Provider-1 Administrators
  To do: Redefine and reassign to customers after the upgrade, or copy the /opt/CPmds-R70/conf/mdsdb/cp-admins.C file to the same location on the destination MDS.
• Provider-1 SmartConsole Clients
  To do: Redefine and reassign to customers after the upgrade.
• Policy assignment to customers
  To do: Assign policies to customers after the upgrade.
• Global Communities statuses
  To do: execute the commands:
  mdsenv
  fwm mds rebuild_global_communities_status all
• Licenses
  All CMA and MDS licenses reside in cp.license, and all licenses appear in the cache.
  To do: Copy the following file to the target MDS: $CPDIR/conf/lic_cache.C. This process transfers the licenses for both the CMA and the CMA repository.

To perform a gradual upgrade:
1. Install MDS of the target version onto the target machine.
2. Use the export_database utility to export the CMA database into a .tgz file and transfer the file from the source machine to the destination machine. For additional information, refer to “export_database” on page 255.
3. On the target MDS, create a customer and CMA but do not start the CMA.
4. Use cma_migrate to import the CMA. For additional information, refer to “cma_migrate” on page 259.
5. Start the CMA and run:
   mdsenv
   mdsstart
6. Use migrate_global_policies to import the global policies.
7. If some of your CMAs have already been migrated and some have not and you would like to use the Global Policy, assign this Global Policy to a customer.

Gradual Upgrade with Global VPN Considerations
A gradual upgrade process in an MDS configuration that uses the Global VPN Communities (GVC) is not fundamentally different from the gradual upgrade process described above, with the following exceptions:
1. Global VPN community setup involves the Global database and the CMAs that are managing gateways participating in the global communities. When gradually upgrading a GVC environment, split the upgrade into two parts:
   • one for all the CMAs that do not participate in the GVC
   • one for CMAs that do participate in the GVC
2. When gradually upgrading a GVC environment, make sure that it does not contain gateways of non-existing customers. To test for non-existing customers, assign the Global Policy to a customer. If the assignment operation fails and the error message lists problematic gateways, you have at least one non-existing customer. If this occurs:
   a. Run the where used query from the Global SmartDashboard > Manage > Network Objects > Actions to identify where the problematic gateway(s) are used in the Global Policy. Review the result set, and edit or delete list items as necessary.
   b. The gateways must be disabled from global use:
      i. From the MDG’s General View, right-click a gateway and select Disable Global Use.
      ii. If the globally used gateway refers to a gateway of a customer that was not migrated, you can remove the gateway from the global database from the command line:
          mdsenv
          remove_globally_used_gw <Global name of the gateway>
3. When issuing the command migrate_global_policies where the existing Global Policy contains Global Communities, the resulting Global Policy contains:
   • the globally used gateways from the existing database
   • the globally used gateways from the migrated database
   As a result of the migration, the Global Communities are overridden by the migrated database. Make sure that no problematic gateways are in use.
4. The gradual upgrade does not restore the Global Communities statuses. Therefore, if either the existing or the migrated Global Policy contains Global Communities, some adjustments are required: first, make sure that the Global SmartDashboard is not running, and then reset the statuses from the command line (with the MDS live):
   mdsenv
   fwm mds rebuild_global_communities_status all

Migrating from Security Management to a CMA
This section describes how to migrate the management part of a standalone gateway to a CMA, and then manage the standalone gateway (as a gateway only) from the CMA.

Note - If you want the option to later undo the separation process, back up the standalone gateway before migrating.

Before migrating the management part of the standalone gateway to the target CMA, make sure that:
• FTP access is allowed from the MDS machine (on which the target CMA is located) to the standalone machine. (This is only necessary if you plan to use migrate_assist.)
• The target CMA is able to communicate with and install policy on all gateways.

To migrate the management part to the CMA:
1. Add an object representing the CMA (name and IP address) and define it as a Secondary Security Management server.
2. If the standalone gateway participates in a VPN community, in the IPSec VPN tab, remove it from the community and erase its certificate. Note these changes in order to undo them after the migration.
3. Edit the Primary Management Object and remove all interfaces (Network Object > Topology > Remove).
4. If the standalone gateway already has Check Point Security Gateway installed:
   • Clear the Firewall option in the Check Point Products section of the gateway object.
   • You may have to first remove it from the Install On column of your rulebase (and then add it again).
5. Save and close SmartDashboard. Do not install policy.
6. Create a new CMA on the MDS, but do not start it.
7. To migrate the management part to the CMA, run:
   migrate_assist <Standalone_GW_NAME> <Standalone_GW_FWDIR> <username> <password> <target_dir> <Standalone_GW_CPDIR>
8. Migrate the exported database into the CMA. Use cma_migrate or the import operation from the MDG, specifying as an argument the database location you used as <target_dir> in the migrate_assist command.
9. To configure the CMA after migration, start the CMA and launch SmartDashboard.
10. In SmartDashboard, under Network Objects, locate:
   • An object with the Name and IP address of the CMA primary management object (migrated). Previous references to the standalone management object now refer to this object.
   • An object for each gateway managed previously by Security Management, except for the standalone gateway.
11. Delete all objects or access rules created in steps 1 and 2.
12. Create an object representing the gateway on the standalone machine (From New > Check Point > Gateway), and:
   • Assign a Name and IP address for the gateway.
   • Select the appropriate Check Point version.
   • Select the appropriate Check Point Products you have installed.
   • Do not initialize communication.
   • On the same object, define the gateway's topology.
13. Install policy on all managed gateways. You may see warning messages about this gateway because it is not yet configured. These messages can be safely ignored.
14. Run Where Used on the primary management object and, in each location, consider changing to the new gateway object.
15. Install the policy on all gateways.
16. Uninstall the standalone gateway.
17. Install a gateway only on the previous standalone machine.
18. From the CMA SmartDashboard, edit the gateway object created in step 12 and establish trust with that gateway.
19. If the object previously belonged to a VPN Community, add it back.
20. Install the Policy on the gateway.

Upgrading in a Multi-MDS Environment

In This Section
Pre-Upgrade Verification and Tools page 273
Upgrading a Multi-MDS System page 274

Multi-MDS environments may contain components of High Availability in MDS or at the CMA level, or combinations of the two. They may also contain different types of MDSes: managers and containers. High Availability helps to reduce down-time during an upgrade. This section provides guidelines for performing an upgrade in a multi-MDS environment. Specifically, it explains the order of upgrade and synchronization issues.

Pre-Upgrade Verification and Tools
Run pre-upgrade verification on all MDSes before applying the upgrade to a specific MDS by choosing the Pre-Upgrade Verification Only option from mds_setup (for additional information, refer to “Pre-Upgrade Verifiers and Fixing Utilities” on page 253). In general, start upgrading the first MDS only after you have fixed all the errors and reviewed all the warnings on all your MDSes.

Upgrading a Multi-MDS System

In This Section
MDS High Availability page 274
Before the Upgrade page 275
After the Upgrade page 275
CMA High Availability page 276

MDS High Availability
Communication between Multi-Domain Servers can only take place when the Multi-Domain Servers are of the same version. In a system with a single Manager MDS, there is a period of time when the Container MDSes are not accessible. While containers do not accept Security Management connections, the CMAs on the container MDSes do. This means that even if you cannot perform global operations on the container MDS, you can still connect to the CMAs that reside on it.

If more than one Manager MDS exists, follow these steps:
1. Upgrade one Manager MDS.
2. Upgrade all container MDSes. Each Container MDS that you upgrade is managed from the already upgraded Manager MDS. All other containers are managed from the other Manager MDS.
3. Upgrade your second Manager MDS.
Following these steps promises continuous manageability of your container MDSes.

Note - MLMs in a multi-MDS system need to be upgraded to the same version as the Manager and Container MDSs.

Before the Upgrade
1. Perform pre-upgrade verification for all MDSes.
2. If the pre-upgrade verifier requires a modification to the global database, then, after modifying the global database, all other MDSes should be synchronized. If this modification affects a global policy that is assigned to customers, then the global policy should be reassigned to the relevant customers.
3. If a modification is required at the CMA level, then, after modifying the CMA database, synchronize the mirror CMA if it exists. If the customer also has a CLM (on an MLM), install the database on the CLM to verify that the modification is applied to the CLM as well.
4. Modify the active MDS/CMA and synchronize to Standby.

Note - When synchronizing, make sure to have only one active MDS and one active CMA for each customer. Also, confirm that SmartDashboard is not connected.

After the Upgrade
After upgrading all MLMs/MDSs in a multi-MDS environment, run the mdsenv command on each MDS to set the shell for MDS level commands. Then, use the mdsstat command to verify that all MDS processes are running and that all active CMAs are up and running with valid licenses.

If the CMA identifies the CLM version as earlier than the current CLM version, the following scenario takes place: a complete database installation from the CMA on the CLM does not take place and, as a result, IP addresses and services are not completely resolved by the CLM. In this case, when using SmartDashboard to connect to a CMA after the upgrade, additional CMA/CLMs are displayed with the previous version, because the CMA/CLM object versions (located in the CMA database) are not updated until you update the CLM/CMA objects to the most recent version. To update all CLM/CMA objects, in order to repair the error in the CMA databases, run:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
To update CLM/CMA objects that are located on a specific MLM/MDS (in case other MDSs were not yet upgraded), run:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <MLM/MDS name>
After running this utility, verify that the database has been synchronized.

CMA High Availability
CMA High Availability can help minimize the period of management downtime during upgrade. While upgrading one of the MDS containers in a High Availability configuration, other MDSs can continue to manage gateways. The CMAs hosted on these MDSs need to be synchronized and defined as Active in order to do so. After successfully upgrading one of the MDS containers, its CMAs can become Active management servers for the duration of time required to upgrade the others.

The synchronization between the two CMAs in a High Availability configuration takes place only after the MDS containers hosting both of them are upgraded. If policy changes are made on both CMAs during the upgrade process, changes from one of the CMAs override the changes made to the other. During the synchronization process, the High Availability status of the CMAs appears as Collision. To resolve this, after the upgrade one of the configurations overrides the other and the collisions need to be resolved manually. After the upgrade is completed on all the MDS containers, every CMA High Availability pair needs to be synchronized.

Note - Before migrating, remember to synchronize all standby CMAs/Security Management backups.

To migrate a CMA/Security Management High Availability deployment, use the migrate utility (See “cma_migrate” on page 259). The database to import is the database belonging to the primary CMA/Security Management Server. Before importing, all the objects representing the secondary management should be deleted from the primary Security Management server. Then, continue with a High Availability deployment (for more information, see the High Availability chapter in the Check Point Provider-1/SiteManager-1 Administration Guide). Also perform these steps if you want to migrate your current High Availability environment to a CMA High Availability on a different MDS.

Restarting CMAs
After completing the upgrade process, CMAs should be started sequentially using the command mdsstart -s.

Restoring Your Original Environment

In This Section
Before the Upgrade page 278
Restoring Your Original Environment page 278

Before the Upgrade
Pre-upgrade utilities are an integral part of the upgrade process. In some cases, you are required to change your database before the actual upgrade can take place, or the Pre-Upgrade Verifier suggests you execute utilities that perform the required changes automatically. Prepare a backup of your current configuration using the mds_backup utility from the currently installed version. Prepare a backup as the first step of the upgrade process and prepare a second backup right after the Pre-Upgrade Verifier successfully completes with no further suggestions. Even if you decide to restore your original environment, keep the changes you made as a result of the pre-upgrade verification.

Restoring Your Original Environment
To restore your original environment:
1. Remove the new installation:
   a. If the installation finished successfully, execute the mds_remove utility from the new version.
   b. If the installation stopped or failed before its completion, manually remove the new software packages. It may be easier for you to remove all Check Point installed packages and perform a fresh installation of the original version.
2. Perform mds_restore using the backup file taken after the pre-upgrade verification stage. This restores your original environment to just before the upgrade.

Renaming Customers

In This Section
Identifying Non-Compliant Customer Names page 279
High Availability Environment page 279
Automatic Division of Non-Compliant Names page 279
Resolving Non-Compliance page 280
Advanced Usage page 281

Earlier Provider-1 versions allowed customer names or CMA names to contain illegal characters, such as spaces and certain keyword prefixes. The current version does not permit this. It is necessary to rename customer and CMA names to comply with the current version's naming restrictions.

Identifying Non-Compliant Customer Names
The mds_setup utility performs several tests on the existing installation before an upgrade takes place. One of the tests is a test for customer names' compliance with the current naming restrictions. When a non-compliant customer name is detected, it is displayed on the screen and an error message is issued, detailing the reason why the name was rejected. If all customer names comply with the restrictions, no message is displayed.

High Availability Environment
In an MDS High Availability environment, non-compliance is detected on the first MDS you upgrade; the mds_setup utility does not identify non-compliant names on more than a single MDS.

Automatic Division of Non-Compliant Names
If the number of customers with non-compliant names is large, the translation task may automatically divide into several sessions. By default, all the intermediate work is saved.

Resolving Non-Compliance
During the upgrade procedure, after selecting Option 2 - Upgrade to R70 on the mds_setup menu, the resolution of compliant names is performed. The translation prompt is only displayed if a non-compliant name is detected. If the session is exited before all the translations are done, the mds_setup utility exits with an error message stating that the MDS verification failed.

Note - Nothing is changed in the existing installation when translating customer names. Any changes are applied only to the upgraded installation.

Translation prompt - The customer names are presented in alphabetical order. Enter a name to replace the non-compliant name, or enter the '-' sign to get a menu of additional options. The new name is checked for naming restrictions compliance and is not accepted until you enter a compliant name.

Additional Options Menu
Edit another name - Choose this option to edit a customer name that was already translated, or any other customer name.
Skip this name - Choose this option if you are not sure what to do with this name and want to come back to it later.
Return to translation prompt - Choose this option if you want to return to the customer name you were prompted with when you entered '-'.
Quit session and save recent translations - Choose this option if you want to save all the work that was done in this session and resume later. To return to the tool, simply run mds_setup again and choose Option 2 - Upgrade to R70.
Quit session and throw away recent translations - Choose this option if you want to abort the session and undo all the translations that you entered during this session.

Note - The pre-upgrade tool allows only non-compliant customer names to be translated. The upgrade cannot take place until all non-compliant customer names are translated.

High Availability
After completing the translations on the first MDS, copy the following files to the other MDSes. If the MDSes are properly synchronized, no additional work is required.

Files to be copied:
/var/opt/CPcustomers_translated.txt
/var/opt/CPcustomers_translated.txt.md5

When running the tool a second time, the customer names that have already been translated are shown before the first non-compliant name is displayed. This is also the case when running on an additional MDS. In this case, all the translations are verified when mds_setup is run again.

Advanced Usage
An advanced user may choose to directly edit the translation file.

Translations file format - The file is structured line-wise. Each line's meaning is indicated by its first character. Any line that does not obey the syntax causes the file to be rejected with an appropriate message. An empty line is ignored.

Table 14-3 Line Prefixes
Line Prefix: #
   Meaning: A comment line.
   Comment: May be inserted anywhere; it is ignored.
Line Prefix: -
   Meaning: Existing non-compliant name.
   Comment: Must exactly match an existing non-compliant name, otherwise it will be rejected.
Line Prefix: +
   Meaning: A translation for the preceding '-' line.
   Comment: If the entry does not comply with the naming restrictions, the file is rejected.

The '-' and '+' lines must form pairs. Otherwise, the file is rejected.

If the translations file is manually modified, mds_setup detects it and displays the following menu:
1. Use the translations file anyway - Choose this option only if an authorized person modified it. This option reads the file, verifies its content and uses the translations therein.
2. Ignore the translations file and generate a new one - Choose this option to overwrite the contents of the file.
3. Quit and leave the translations file as it is - Choose this option to exit mds_setup and leave the translations file as is for now. Run mds_setup again when you are sure that option 1 or option 2 is suitable.
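An offline syntax check for a hand-edited translations file, added here as an example (it is not a Check Point tool). It applies the prefix rules of Table 14-3 and the pairing rule above; the list of existing non-compliant names is supplied as a second file, and the only naming restriction it checks ("no spaces") is an assumption, since the full restriction list is not reproduced in this guide.

```shell
#!/bin/sh
# Added example: validate a hand-edited CPcustomers_translated.txt before
# handing it to mds_setup. Not part of the Provider-1 tools.
#
# validate_translations FILE KNOWN
#   FILE   the translations file to check
#   KNOWN  a text file with one existing non-compliant name per line
#          (the names mds_setup reported; assumed input)
# Prints one diagnostic per problem; returns 0 only when the file is clean.
validate_translations() {
    file=$1
    known=$2
    awk -v known="$known" '
        BEGIN {
            # Names that may legitimately appear on "-" lines.
            while ((getline n < known) > 0) valid[n] = 1
            close(known)
            pending = ""      # name from the last "-" line still awaiting its "+"
            errors = 0
        }
        function fail(msg) { printf "line %d: %s\n", NR, msg; errors++ }
        /^$/ { next }         # empty lines are ignored
        /^#/ { next }         # comment lines may be inserted anywhere
        /^-/ {
            name = substr($0, 2)
            if (pending != "") fail("\"-\" line without a following \"+\" line")
            if (!(name in valid)) fail("not an existing non-compliant name: " name)
            pending = name
            next
        }
        /^\+/ {
            repl = substr($0, 2)
            if (pending == "") fail("\"+\" line without a preceding \"-\" line")
            else if (repl ~ / /) fail("translation contains a space: " repl)   # assumed restriction
            pending = ""
            next
        }
        { fail("unrecognised line prefix: " substr($0, 1, 1)) }
        END {
            if (pending != "") fail("file ends with an unpaired \"-\" line")
            exit errors > 0 ? 1 : 0
        }' "$file"
}
```

Run it as `validate_translations /var/opt/CPcustomers_translated.txt names.txt`; a non-zero exit means mds_setup would reject the file, so fix the reported lines before choosing option 1 in the menu above.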

Changing the MDS IP Address and External Interface

In This Section
IP Address Change page 283
Interface Change page 283

IP Address Change
If your target machine and the source machine have different IP addresses, follow the steps listed below to adjust the restored MDS to the new IP address.

To change the IP address:
1. The MDS must be stopped.
2. Edit the $MDSDIR/conf/mdsdb/mdss.C file. Find the MDS object that has the source MDS IP address and change its IP address to the new IP address. Do not change the name of the MDS.
3. Change the IP address in the $MDSDIR/conf/LeadingIP file to the new IP address.
4. Install a new license on the target MDS with the new MDS IP address.
5. For multiple MDS/MLM environments, repeat steps 1 to 4 on each MDS/MLM for the MDS/MLM for which you changed the IP.

Interface Change
If your target machine and the source machine have different interface names (e.g., hme0 and hme1), follow the steps listed below to adjust the restored MDS to the new interface name.

To change the interface:
1. Stop the MDS by running mdsstop.
2. Change the interface name in the file $MDSDIR/conf/external.if to the new interface name.
3. For each CMA, replace the interface name in $FWDIR/conf/vip_index.conf.

IPS in Provider-1
• When upgrading to R70, the previous IPS configuration of the Customer is overridden on the first Global Policy Assign. It is recommended to save each Customer’s Security Policy so that the settings can be restored after upgrade. To do so, from the MDG, go to Customer Configuration window > Assign Global Policy tab, and enable Create database version.
• Customers who are upgrading to Provider-1 R70 should note that the IPS subscription has changed.
• All customers subscribed to IPS are automatically assigned to an “Exclusive” subscription.
• “Override” and “Merge” subscriptions are no longer supported.
See the Global Policy Chapter of the Provider-1 R70 Administration Guide for detailed information.

Chapter 15
Upgrading SmartLSM ROBO Gateways

In This Chapter
Planning the ROBO Gateway Upgrade page 286
ROBO Gateway Upgrade Package to SmartUpdate Repository page 287
License Upgrade for a VPN-1 Power/UTM ROBO Gateway page 287
Upgrading a ROBO Gateway Using SmartProvisioning page 289
Using the Command Line Interface page 293

Planning the ROBO Gateway Upgrade
When you upgrade your Security Management server, it is recommended to upgrade the ROBO gateways managed by SmartProvisioning so that they are compatible with the latest features and functionalities. This chapter describes how to upgrade your ROBO gateways.

The general workflow for upgrading ROBO gateways comprises the following steps:
1. Add the upgrade package to the SmartUpdate package repository. For additional information, refer to “ROBO Gateway Upgrade Package to SmartUpdate Repository” on page 287.
2. For VPN-1 Power/UTM ROBO gateways, in SmartDashboard, define new SmartLSM Profile objects for the new version and install the respective policies on these objects. This Install Policy operation only compiles the policy; it does not send it to any gateway. The compiled policy is automatically fetched later by the relevant ROBO gateways, following their upgrade.
3. Upgrade your ROBO Gateways in one of the following ways:
   • Using SmartProvisioning (refer to “Upgrading a ROBO Gateway Using SmartProvisioning” on page 289)
   • Using the SmartLSM Command Line Interface (refer to “Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli” on page 295).

When upgrading VPN-1 Power/UTM ROBO gateways, the upgrade process removes the initial Plug & Play license from your gateway. Make sure that all gateways have valid permanent NG and NGX licenses installed before the upgrade. Trying to perform a remote upgrade on a gateway without a valid NGX license will succeed, but this gateway will not be able to load the correct policy after the upgrade.

ROBO Gateway Upgrade Package to SmartUpdate Repository
Once you have launched SmartUpdate, add the packages needed for the upgrade to the SmartUpdate package repository. For details on how to add packages to the Package Repository, refer to the SmartUpdate chapter of the R70 Security Management Server Administration Guide. UTM-1 Edge Firmware packages are added the same way.

License Upgrade for a VPN-1 Power/UTM ROBO Gateway
The general workflow for upgrading ROBO gateway licenses to R70 comprises the following steps:
1. Upgrade the software on the ROBO Gateway, as described in “Upgrading a ROBO Gateway Using SmartProvisioning” on page 289.
2. Use SmartProvisioning to attach the upgraded licenses to each ROBO Gateway, one ROBO at a time.

Using SmartProvisioning to Attach the Upgraded Licenses
To attach the upgraded licenses:
1. Open SmartProvisioning.
2. For each ROBO Gateway, open the Edit VPN-1 Power/UTM ROBO Gateway window, and select the Licenses tab. All licenses that are attached to this ROBO gateway are shown. If the license upgrade succeeded, the window will report that: There are un-attached licenses that are assigned to this ROBO.
3. Add those licenses that are assigned to this ROBO from the SmartLSM License Repository to the Licenses window. You can do this by performing one of the following two options. The first way is easier:
   • Click Add these licenses to the list.
   • Click Add, and then select those licenses that are assigned to this ROBO.

The added assigned licenses are shown grayed-out because they are not yet attached.
4. Click OK to attach the Assigned Licenses to this ROBO. The ROBO gateway now has both NG and NGX licenses. The Licenses window shows that the NGX license is Attached, and the NG license is Obsolete, meaning that it is no longer needed. The NG license is useful because if you need to downgrade the Gateway version, the Gateway will keep on working.
5. Repeat from step 2 for each ROBO gateway.

License Upgrade on Multiple ROBO Gateways
You can use scripting to upgrade licenses on multiple ROBO gateways. For additional information, refer to “Example: License Upgrade on Multiple ROBO Gateways” on page 298.

Upgrading a ROBO Gateway Using SmartProvisioning

In This Section
Upgrading a VPN-1 Power/UTM ROBO Gateway page 289
Upgrading a UTM-1 Edge ROBO Gateway page 291
Upgrading a VPN-1 Power/UTM ROBO Gateway In Place page 292

Upgrading a VPN-1 Power/UTM ROBO Gateway
There are two methods for upgrading a VPN-1 Power/UTM Gateway, the Full Upgrade and the Specific Install.

Full Upgrade
This method automatically performs all the required checks and actions for you. This is the recommended method to upgrade VPN-1 Power/UTM ROBO Gateways.

To perform a full upgrade:
1. From SmartProvisioning, select the line representing the VPN-1 Power/UTM ROBO Gateway to be upgraded.
2. Select Actions > Packages > Upgrade All Packages, or the Upgrade All Packages icon in the toolbar. This selection can also be done through the right-click menu.
3. Select Change to a new Profile after upgrade, and select the appropriate new SmartLSM Profile from the list.
4. Select Allow reboot if required.
5. The upgrade process begins with a verification stage, checking which version is currently installed on the gateway and whether the required packages exist in your Package Repository. When it completes, a Verification Details window opens, showing you the verification results. Click the Continue button. When it successfully completes, the upgraded ROBO Gateway is ready for use.

The Upgrade process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The entire progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).

Note - If you are doing a step-by-step upgrade, do not select Allow Reboot if required. The Allow Reboot if required option should be selected only when upgrading VPN-1. If you do not select this option, manually reboot the gateway from its console.

Specific Installation
This method can be used to install a specific product on a ROBO Gateway.

To perform a specific installation:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO gateway you want to upgrade.
2. Select Actions > Packages > Get Gateway Data to fetch information about Packages currently installed on the VPN-1 Power/UTM ROBO gateway.
3. Select Actions > Packages > Distribute Package…, or right-click and select Distribute Package…, or click the icon in the toolbar. The Distribute Package window opens. This window displays the relevant packages from the Package Repository that can be installed on your VPN-1 Power/UTM ROBO gateway.
4. In the Distribute Package window, select the package you want to install. You can then select one of the following actions:
   • Distribute and install packages
   • Only distribute packages (install later)
   • Install previously distributed packages
5. The option Change to a new profile after install lets you select the SmartLSM Profile that will be assigned to the package upon installation. When upgrading the VPN-1 Power/UTM ROBO gateway, you must provide a suitable SmartLSM Profile from the target version. If you are installing a package that does not require changing the SmartLSM Profile of the VPN-1 Power/UTM ROBO gateway, this field remains disabled.
6. If the operating system is SecurePlatform, you can select Backup image for automatic revert, in case the installation does not succeed.
7. The gateway is rebooted after the package installation is completed.
8. Click the Start button.
9. The Install process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The whole progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).

Note - You can verify if the installation will succeed before actually upgrading the ROBO Gateway by choosing Actions > Packages > Verify Installation.

Upgrading a UTM-1 Edge ROBO Gateway
To upgrade the gateway:
1. From SmartLSM, select the line representing the UTM-1 Edge ROBO gateway you want to upgrade, and choose Edit > Edit ROBO gateway… This selection can also be done through the right-click menu, the Edit ROBO gateway icon in the toolbar, or by double-clicking the ROBO line.
2. Select the Firmware tab.
3. Select the Use the following firmware option, select the desired firmware from the list, and click OK. The UTM-1 Edge ROBO gateway fetches and installs the new firmware the next time it automatically checks for updates. In order for the firmware upgrade to take effect immediately, restart the ROBO Gateway by selecting Actions > Restart gateway.

Upgrading a VPN-1 Power/UTM ROBO Gateway In Place
You can upgrade a ROBO gateway In Place (from the ROBO gateway's console), just like an In Place upgrade of a regular gateway. Following the upgrade, update the new version on the SmartLSM side.

To upgrade a gateway In Place:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO gateway you just upgraded, and select Edit > Edit ROBO gateway…, or right-click, or click the Edit ROBO gateway icon in the toolbar, or double-click the ROBO line. The Edit window opens in the General tab.
2. From the Version menu, select the new version of the upgraded gateway.
3. From the Profile menu, select a new SmartLSM Profile for the upgraded gateway.
4. Click OK to close the window. The policy and properties of the new SmartLSM Profile are applied on the ROBO Gateway the next time it automatically checks for updates.
5. In order for the SmartLSM Profile change to take effect immediately, restart the ROBO Gateway by selecting Actions > Restart Gateway.

Using the Command Line Interface

In This Section
SmartLSM Upgrade Tools page 293
Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli page 295
Upgrading a UTM-1 Edge ROBO Gateway Using LSMcli page 296
Using the LSMcli in Scripts page 297

SmartLSM Upgrade Tools

LSMcli
The LSM Command Line Interface (LSMcli) is an alternative to SmartLSM. LSMcli provides the ability to perform SmartLSM operations from a command line or through a script. When used in scripts it allows you to perform batch upgrades. It also enables you to upgrade a ROBO Gateway.

The LSMcli tool is contained in the management installation package on the Security Management server machine. It can be run on your Security Management server, or it can be copied to and run on another host with the same operating system. The host does not need to be a Check Point-installed machine, but it must be:
• Defined on the Security Management server as a GUI Client.
• Reachable through the network from the Security Management server.
• Using the same Operating System as the Security Management server.

For general usage and help, type the command LSMcli --help.

The LSMcli command line arguments are fully described in the Command Line Reference chapter of the R70 SmartProvisioning Administration Guide. A partial list of arguments is shown in Table 15-1, which lists only the arguments that are important for performing upgrades.

Table 15-1 LSMcli Command line arguments for upgrades
Argument: -d
   Meaning: (Optional) Run the command with debug output.
Argument: Server
   Meaning: The IP or hostname of the Security Management server.
Argument: User Password
   Meaning: The username and password of a Security Management Server Administrator.
Argument: ROBO
   Meaning: The name of the ROBO Gateway to be upgraded.
Argument: -F Firmware
   Meaning: The firmware version of the UTM-1 Edge ROBO Gateway.
Argument: -P=Profile
   Meaning: (Optional) The SmartLSM Profile name the ROBO Gateway will be mapped to after a successful upgrade. You must specify the new SmartLSM Profile when upgrading the VPN-1 version. This is not necessary when installing Hotfixes or other packages.
Argument: -boot
   Meaning: (Optional) Use this option only when upgrading VPN-1. If you do not use this option, manually reboot the gateway from its console.
Argument: -DoNotDistribute
   Meaning: (Optional) Install previously distributed packages.
Argument: Product Vendor Version SP
   Meaning: To view the list of packages available in the repository, use the ShowRepository LSMcli command. (Command usage is described in the R70 SmartProvisioning Administration Guide.)

Export
The export tool is located in your SmartLSM application, under File > Export to File. Use this tool to export a ROBO Gateway’s properties into a text file that you can turn into a script in order to perform batch upgrades.

Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli
For descriptions of the command line arguments for the following commands, refer to Table 15-1 on page 294.

To verify that a Full Upgrade of a ROBO Gateway will succeed, execute:
LSMcli [-d] <Server> <User> <Password> VerifyUpgrade <ROBO>

To perform a Full Upgrade of a ROBO gateway, execute:
LSMcli [-d] <Server> <User> <Password> Upgrade <ROBO> [-P=Profile] [-boot]

To see which product packages are available in your package repository, execute:
LSMcli [-d] <Server> <User> <Password> ShowRepository

To verify that a Specific Install on a ROBO gateway will succeed, execute:
LSMcli [-d] <Server> <User> <Password> VerifyInstall <ROBO> <Product> <Vendor> <Version> <SP>

To perform a Specific Install on a ROBO gateway, execute:
LSMcli [-d] <Server> <User> <Password> Install <ROBO> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot] [-DoNotDistribute]

To only distribute a package, execute:
LSMcli [-d] <Server> <User> <Password> Distribute <ROBO> <Product> <Vendor> <Version> <SP>

To view a list of packages that can be installed on a specific ROBO gateway, execute:
LSMcli [-d] <Server> <User> <Password> GetCandidates <ROBO>

To get data about a specific ROBO gateway, execute:
LSMcli [-d] <Server> <User> <Password> GetInfo <ROBO>

Note - It is recommended to use the Full Upgrade method to upgrade VPN-1 Power/UTM ROBO Gateways.

Example: Upgrading a Single VPN-1 Power/UTM ROBO Gateway
% LSMcli MyServer John mypassword VerifyUpgrade ROBO17
% LSMcli MyServer John mypassword Upgrade ROBO17 -P=MyNewProfile
Where:
MyServer = the name of my Security Management server.
John = the administrator’s name.
mypassword = the administrator’s password.
VerifyUpgrade = the Full Upgrade verification command.
Upgrade = the Full Upgrade command.
ROBO17 = the VPN-1 Power/UTM ROBO Gateway to be upgraded.
MyNewProfile = the new SmartLSM Profile that ROBO17 will be mapped to after the upgrade.

Upgrading a UTM-1 Edge ROBO Gateway Using LSMcli
For descriptions of the command line arguments for the following commands, refer to Table 15-1 on page 294.

To see which product packages are available in your package repository, execute:
LSMcli [-d] <Server> <User> <Password> ShowRepository

To upgrade a UTM-1 Edge ROBO gateway, execute:
LSMcli [-d] <Server> <User> <Password> ModifyROBO VPN1Edge <ROBO> [-P=Profile] [-F=Firmwarename]

If you want the firmware update to take effect immediately, execute:
LSMcli [-d] <Server> <User> <Password> Restart <ROBO>

Example: Upgrading a Single UTM-1 Edge ROBO Gateway
% LSMcli MyServer John mypassword ModifyROBO VPN1Edge ROBO101 -P=EdgeNewProfile -F=4.0.0.23
% LSMcli MyServer John mypassword Restart ROBO101
Where:
MyServer = the name of my Security Management server.
John = the administrator's name.
mypassword = the administrator's password.
ModifyROBO VPN1Edge = the command to modify a property on a UTM-1 Edge ROBO gateway.
ROBO101 = the Edge ROBO Gateway to be upgraded.
EdgeNewProfile = the new SmartLSM Profile that ROBO101 will be mapped to after the upgrade (optional).
4.0.0.23 = the name of the new Firmware package.
Restart = the command to restart the gateway.

Using the LSMcli in Scripts
Scripting can be very handy when you want to upgrade multiple ROBO Gateways in batches.

Example: Using the LSM CLI to write a script to upgrade multiple ROBO Gateways
Create the following script and run it:
LSMcli MyServer John mypassword Upgrade ROBO17 -P=MyNewProfile
LSMcli MyServer John mypassword Upgrade ROBO18 -P=MyNewProfile
LSMcli MyServer John mypassword Upgrade ROBO19 -P=MyOtherProfile

Example: License Upgrade on Multiple ROBO Gateways
To upgrade licenses on multiple ROBO Gateways, create a script that runs the LSMcli command with the AttachAssignedLicenses option on all ROBO Gateways. The AttachAssignedLicenses option is equivalent to doing step 3 and step 4 on page 288 in SmartLSM.

The command is:
LSMcli [-d] <Server> <User> <Password> AttachAssignedLicenses VPN1 <ROBO>

For example:
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO17
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO18
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO19
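The batch scripts above run every command unconditionally. The following wrapper, added here as an example and not part of the SmartLSM tools, chains the three LSMcli commands this chapter uses (VerifyUpgrade, Upgrade, AttachAssignedLicenses VPN1) per gateway and skips the upgrade of any gateway whose verification fails. It assumes LSMcli exits non-zero when a command fails, and reads the gateways from a constructed "ROBO Profile" list file.

```shell
#!/bin/sh
# Added example: batch Full Upgrade of VPN-1 Power/UTM ROBO gateways with
# LSMcli, verifying each gateway before upgrading it. Not Check Point code.
# Assumption: LSMcli returns a non-zero exit status when a command fails.

LSMCLI=${LSMCLI:-LSMcli}   # the LSMcli tool, assumed to be on PATH

# upgrade_robos SERVER USER PASSWORD LISTFILE
#   LISTFILE has one "ROBO Profile" pair per line; blank lines and lines
#   starting with "#" are skipped.
# For each gateway: VerifyUpgrade, then Upgrade with the new profile and
# -boot (the gateway reboots itself, see Table 15-1), then attach the
# upgraded licenses. Prints one "<ROBO> <status>" line per gateway and
# returns 1 if any gateway failed a step, so a calling job can notice.
upgrade_robos() {
    server=$1; user=$2; password=$3; list=$4
    failed=0
    while read -r robo profile; do
        case $robo in ''|'#'*) continue ;; esac
        # </dev/null keeps LSMcli from consuming the list on our stdin.
        if ! "$LSMCLI" "$server" "$user" "$password" VerifyUpgrade "$robo" </dev/null >/dev/null; then
            echo "$robo verify-failed"; failed=1; continue
        fi
        if ! "$LSMCLI" "$server" "$user" "$password" Upgrade "$robo" "-P=$profile" -boot </dev/null >/dev/null; then
            echo "$robo upgrade-failed"; failed=1; continue
        fi
        if ! "$LSMCLI" "$server" "$user" "$password" AttachAssignedLicenses VPN1 "$robo" </dev/null >/dev/null; then
            echo "$robo license-failed"; failed=1; continue
        fi
        echo "$robo upgraded"
    done < "$list"
    return $failed
}

# The administrator password is passed on the LSMcli command line, exactly as
# in the examples above, so it is visible in process listings on the host that
# runs this script; run it from the Security Management server or a GUI Client
# host that other users cannot log in to.
```

Invoke it as `upgrade_robos MyServer John mypassword robos.txt > upgrade.log`; the per-gateway status lines give you the same information as the Action Status pane, and a non-zero exit tells you that at least one gateway still needs attention.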

Chapter 16
Upgrading Eventia

In This Chapter
Overview page 300
Upgrading Eventia Reporter page 300
Upgrading Eventia Analyzer page 306

Overview
When upgrading products of the Eventia suite, note that:
• Eventia Reporter of version R56 and higher can be upgraded to R70.
• Eventia Analyzer of version 1.0 and higher can be upgraded to R70.

Upgrading Eventia Reporter
During the upgrade procedure, the MySQL4 database is upgraded to MySQL5. Due to a more efficient way of handling the data, this upgrade results in a smaller sized database, as shown on the management view > database maintenance > Database capacity details.

For Standalone Deployments
A Standalone Deployment upgrade refers to a previous Eventia Reporter version that is installed on a Security Management server. To upgrade Eventia Reporter in a Standalone Deployment perform the following steps:

In This Section
Windows Platform page 300
Solaris / Linux Platform page 301
SecurePlatform page 301

Windows Platform
1. In order to begin the installation, log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Select Upgrade and click Forward.
3. Agree to the License Agreement and click Forward.
4. Continue following the instructions. The instructions that appear will differ according to your deployment.

5. Indicate whether to add new products by selecting the Add new products option and click Forward.
6. A list of the products that will be upgraded appears. Click Forward.
7. Verify the default directory, or browse to a new location in which Eventia Reporter will be installed.
8. Verify the default directory, or browse to a new location in which the output files created by Eventia Reporter will be generated.
9. Click Next and reboot the machine in order to complete the installation of the Eventia Reporter and to continue with the next phase of the installation. Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management). Launch SmartDashboard and install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make the Eventia Reporter fully functional.

Solaris / Linux Platform
1. In order to begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows:
2. In the mounted directory, run the script: UnixInstallScript.
3. Read the End-User License Agreement (EULA) and if you accept click Yes.
4. Continue from step 3 on page 300 in order to complete the process.

SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.
2. Continue from step 3 on page 300 in order to complete the process.

For Distributed Deployments
A Distributed Deployment upgrade refers to a previous Eventia Reporter version that is installed on a dedicated machine and an Eventia Reporter Add-on installed on a Security Management server or MDS (for versions prior to R63).

To upgrade Eventia Reporter in a distributed deployment, install R70 on the old Reporter Server and migrate the previous add-on from the Security Management server to the Reporter Server.

Note - After upgrading Eventia Reporter, the GUI client must be defined on the Eventia Reporter Server. To do this run cpconfig and select GUI Clients.

Upgrade Eventia Reporter to the new R70
1. Before upgrading, open the Eventia Reporter client.
2. Go to Management > Consolidation > Sessions and stop all consolidation sessions by selecting Stop > Terminate.
3. Verify that all the consolidation sessions have a Stopped status before closing Eventia Reporter.
4. Run cpstop and wait until the mysql and log_consolidator processes stop.
Install R70 on the previous Reporter Server.

Migrate the Add-on to the Eventia Reporter Server
To upgrade from versions prior to R63, export and import the Add-On. Prior Eventia Reporter Add-on versions that contain Eventia Reporter definitions and statuses should be copied to the machine on which Eventia Reporter is installed.

To migrate the add-on to the Eventia Server:
1. Run cpstop on both the target machine (Eventia Reporter) and the original machine (the Add-on machine).
2. Copy the script evr_addon_export from the directory $RTDIR/conf in the R65 Eventia Reporter Server to the Security Management Server or MDS Server.
3. Invoke evr_addon_export on the Security Management Server or MDS Server. This generates a file called evr_addon_tables.tgz in the same location as evr_addon_export.
4. Copy evr_addon_tables.tgz to the $RTDIR/bin directory on the target R65 Eventia Reporter Server.
5. On the Eventia Reporter Server run svr_install --import evr_addon_tables.tgz.
6. Run cpstart on both the target and original machine.
7. Open the Eventia Reporter client and start the Consolidation Sessions if needed.

Note - After upgrading Eventia Reporter in a Provider-1 environment you should select the customer(s) that will initiate a synchronization with the CMA of the selected customer. To do this select Tools > Customer Activation in the Eventia Reporter client, select the relevant customers and click OK.

Advanced Eventia Reporter Upgrade
On the destination machine, install the required version of Eventia Reporter.
1. On the source machine, stop all consolidation sessions:
   a. Open the Eventia Reporter client.
   b. In the Management view, select Consolidation.
   c. Select the Consolidation session.
   d. Click Stop > Terminate.
   e. Click Remove.
   On the source machine, run cpstop.
2. Perform a full export that includes all of the Eventia Reporter data:
   a. Save the Reporter database:
      i. The location of the database data files is specified in the mysql configuration file my.ini (Windows) or my.cnf (for all other platforms). Using a text editor, open the mysql configuration file located in $RTDIR/Database/conf/.
      ii. Locate the values of the following strings:
          innodb_log_group_home_dir=<xxx>
          datadir=<xxx>
          innodb_data_file_path=<xxx>
      iii. Move to the directory pointed to by datadir, and create a compressed tar file (.tgz) containing all the files in this directory using the command: gtar -zcvf <xxxx.tgz>.
      iv. Remove the contents of the directory pointed to by innodb_log_group_home_dir.

      v. The innodb_data_file_path variable contains a list of files. If there is more than one entry (separated by commas) in the innodb_data_file_path variable, locate these files and include them in the compressed tar file.
   b. Copy any custom distribution scripts in $RTDIR/DistributionScripts to a backup location.
   c. Copy any company logo image file(s) in $RTDIR/bin to a backup location.
   d. Export the database by running: upgrade_export <yyyy.tgz>, as described in “Advanced Upgrade of Management servers & Standalone Gateways” on page 225.
3. Copy the created .tgz file <yyyy.tgz> to the target machine and save it in $FWDIR/bin/upgrade_tools.
4. On the target machine run: upgrade_import <yyyy.tgz>. When prompted to run cpstart, select: no.
5. On the target machine, run: cpstop.
6. If the upgrade is from R65, then you backup the my.cnf (or my.ini) file located in $RTDIR/Database/conf to a backup location and rename it to my.cnf.old (or my.ini.old). For versions prior to NGX R65, copy the my.cnf file as my.cnf.old (or my.ini.old).
7. Place the file my.cnf.old (or my.ini.old) in the $RTDIR/Database/conf/ directory of the target machine.
   Note - The .ini or .cnf suffix should be added to the file according to the target platform. For example, if the source machine is Solaris you have a my.cnf file. If the target machine is Windows, the name should be my.ini.old. If the target machine is UNIX, the name should be my.cnf.old.
8. If Reporter is installed in a distributed configuration:
   a. Copy the evr_addon_export script located in $RTDIR/conf on the target machine, and:
      i. If the source Reporter resides on a management machine, place the evr_addon_export script on the management machine.
      ii. For versions prior to NGX R65, place the script on the Reporter machine.
   b. Run evr_addon_export. A file named tables.tgz is created.
9. Place tables.tgz on the target machine in $RTDIR/bin. From inside the $RTDIR/bin directory run: svr_install -import tables.tgz.

10. Copy the compressed database files <xxxx.tgz> to the target machine.
11. Enter the installation directory on the target machine:
   • For Windows: C:\Program Files\CheckPoint\EventiaSuite\R70\bin
   • Other platforms: /opt/CPrt-R70/bin
12. Run: EVR_DB_Upgrade -mysql "<path of <xxxx.tgz> file/<xxxx.tgz>>"
   For example, if you chose to place R60_Backup.tgz in $RTDIR/tmp, run: EVR_DB_Upgrade -mysql "$RTDIR/tmp/R60_Backup.tgz"
13. If necessary, modify the following fields in the mysql configuration file to match the locations of the database data files:
   • datadir=
   • innodb_log_group_home_dir=
   • innodb_data_file_path=
   The locations were copied in step 2 on page 303.
14. Run cpstart.

Enabling Eventia Analyzer after Upgrading Reporter
After upgrading Eventia Reporter from a previous version, only the Eventia Reporter components will be enabled. To enable the Eventia Analyzer components (analyzer or correlation unit) as well, run:
1. cpstop
2. evconfig
   While running evconfig, enable Analyzer Server or the Correlation Unit.
3. cpstart

Upgrading Eventia Analyzer

Upgrading Eventia Analyzer

The process consists of:
• Upgrading Eventia Analyzer to R65
• Verifying that the events database has been successfully moved to its new location
• Enabling Eventia Reporter (optional)

Upgrading Eventia Analyzer to R70

Eventia Analyzer can be upgraded to R70:
• Directly from version NGX R63
• Indirectly from any version prior to NGX R63:
   a. If you wish to upgrade from version 1.0, first upgrade to version 2.0, then upgrade to R63, and then to R65.
   b. If you wish to upgrade from version 2.0, first upgrade to R63 then to R65.
   For more detailed information on upgrading to R63, see the CheckPoint_R63_EventiaSuite_UpgradeGuide.pdf.

Prerequisites

Before upgrading to Analyzer R70, note the path to the current database file: $RTDIR/events_db/events.sql, where $RTDIR is a variable that contains the path of the previous Eventia Analyzer installation. In R63, the default path:
• For Windows is C:\Program Files\CheckPoint\EventiaSuite\R63
• For Unix platforms is /opt/CPrt-R63
This path is changed during the upgrade process.

Upgrading Analyzer on SecurePlatform

1. Insert the R65 installation CD into the disk drive and run patch add cd.
2. Confirm the MDS checksum.
3. The Welcome message is displayed.
4. Select whether to create a backup image for automatic revert (recommended).

306

Upgrading Eventia Analyzer to R70

5. Select a source for the R70 upgrade utilities.
6. Download or import a service contract file, or choose to continue without one.
7. Perform the pre-upgrade verification check.
8. Read and accept the license agreement.
9. Validate the products in the products list.
10. Select upgrade option.
11. Decide whether to copy log files now or manually copy them later.
12. Once the upgrade has completed, reboot.

Upgrading Analyzer on a Windows Platform

1. Insert the R70 Installation disk into the disk drive.
2. Read and Accept the license agreement.
3. Select to upgrade installed products.
4. Select a source for the R70 upgrade utilities.
5. Download or import a service contract file, or choose to continue without one.
6. Select a destination location.
7. Decide whether to install additional Check Point products.
8. Validate the products in the products list.
9. Select the upgrade option.
10. Reboot once the upgrade is complete.
11. If necessary, upgrade your license.

Upgrading Analyzer on Solaris and Linux

1. Insert the R70 installation CD into the disk drive.
2. Run: UnixInstallScript
3. Select the first option: upgrade.
4. Select Upgrade Installed Products.
5. Select a source for the R70 upgrade utilities.
6. Download or import a service contract file, or choose to continue without one.
7. Read and accept the license agreement.

Chapter 16 Upgrading Eventia 307

8. Validate the products in the products list.
9. Once upgrade has completed, login again to the root account.
10. Run cpstart to activate the installed products.

Verifying the Events Database Has Been Moved

When upgrading from R63 to R65, the events database is moved (not copied) from its R63 location to a new R65 location, from R63 $RTDIR/events_db/ to R65 $RTDIR/events_db/. This should occur automatically during the upgrade process, so there is no need to run upgradeDB.

To verify that the database has been correctly moved:
1. Navigate to the R63 $RTDIR/events_db/. The events.sql database file should no longer exist in this directory.
2. Navigate to the R65 $RTDIR/events_db/ directory. The events.sql should be here.
If the move has failed, move the database manually.

Moving the Events Database

To manually move the events database:
1. Run: cpstop
2. Move the file events.sql manually.
3. Run: cpstart

Enabling Eventia Reporter

After upgrading Eventia Analyzer from a previous version, only the Eventia Analyzer components (Analyzer or correlation unit) will be enabled. To enable all components of Eventia Reporter run:
1. cpstop
2. evconfig
3. Enable Eventia Reporter
4. cpstart

308

Chapter 17
Upgrading IPS-1

In This Chapter

IPS-1 Upgrade Paths                         page 310
Upgrading from R65.1 to R65.2               page 310
Upgrading IPS-1 Management Servers          page 310
Upgrading IPS-1 Sensors                     page 311
Upgrading IPS-1 Power Sensors               page 311
Upgrading Legacy Sensor Appliances          page 313

309

IPS-1 Upgrade Paths

IPS-1 Upgrade Paths

IPS-1 Management Servers, including NFR Sentivist Servers and Enterprise Servers, of versions 5.x, and IPS-1 Power 1000 and 2000 Sensors, can be upgraded to the current version.
• For Non-Power Sensors installed on SecurePlatform: reinstall.
• For earlier versions: reinstall.

Note - Alerts Concentrators do not require an upgrade. On a stand-alone Alerts Concentrator, the upgrade process will fail.

Upgrading from R65.1 to R65.2

If you are upgrading from R65.1 to R65.2, for both SecurePlatform and Solaris:
1. From the Check Point Support Center, download ips1_r65_hfa1.tar.gz.
2. Copy the compressed tar file onto the target system.
3. Log in as root (or admin).
4. Unzip and untar the file. For non-SPLAT systems, use the GNU tar located in: /opt/CPips1-R65/bin/gtar
5. Move to the resulting ips1_r65_hfa1 directory.
6. Run: ./install_ips1_r65_hfa1.sh
   If IPS-1 is running, the script will stop it.
7. Restart the IPS-1 application, and log in using an IPS-1 HFA1 level Dashboard.

Upgrading IPS-1 Management Servers

Upgrading IPS-1 Management is integrated into the installation process. To upgrade IPS-1 Management from a previous version according to supported upgrade paths, follow the relevant steps in the installation instructions. To upgrade IPS-1 Management onto a new hardware platform, follow the instructions in the IPS-1 Management Server Backup and Migration chapter of the IPS-1 Administration Guide.

310

Upgrading IPS-1 Sensors

Upgrading IPS-1 Sensors

The only way to upgrade a regular (non-Power) Sensor is to completely reinstall it, including formatting the hard disk. For instructions on how to install an IPS-1 Sensor, see Installing SecurePlatform and IPS-1 Sensors.

Upgrading IPS-1 Power Sensors

There are two kinds of upgrades:
• Remote Upgrade: Performed from the Alerts Concentrator, and replaces only changed packages.
• Full Upgrade: Formats the hard disk and completely reinstalls the operating system and software, using a newer version of the installation source.
For a Remote Upgrade, follow the instructions in “Remotely Upgrading an IPS-1 Power Sensor” on page 311. For a Full Upgrade, follow the instructions for reinstallation in “Reinstalling an IPS-1 Power Sensor” on page 312.

Remotely Upgrading an IPS-1 Power Sensor

For information on possible upgrade paths, see “IPS-1 Upgrade Paths” on page 310. The remote upgrade is performed from the IPS-1 Alerts Concentrator, as follows:
1. Mount the CD on the appropriate subdirectory on the Alerts Concentrator.
2. Switch to the ips1 user account, by running: su - ips1
   Note - If the Alerts Concentrator is running on SecurePlatform, to switch to the ips1 user you will need to be in expert mode.
3. From the root directory of the CD, run: ./upgrade_sensor -d $IPS1DIR/alcr -u <upgrade_file.tar> <Sensor_name>

Chapter 17 Upgrading IPS-1 311

Reinstalling an IPS-1 Power Sensor

The upgrade_sensor script will verify that the given IPS-1 Sensor is upgradeable, transfer the necessary files from the IPS-1 Sensor CD to the Sensor and tell it to complete the upgrade. If the upgrade_sensor script finishes without any errors, the IPS-1 Sensor will reboot itself. When it comes back up, it will be running a new version of the IPS-1 Sensor software. If, for some reason, the upgrade fails, you may need to do a full re-installation of the IPS-1 Sensor.

Reinstalling an IPS-1 Power Sensor

The procedure described in this section formats the hard disk and completely reinstalls the operating system and software. The installation can be from one of two kinds of sources:
• A Local Distribution Partition (LDP) image on the Power Sensor’s hard disk. An LDP image is created during installation and so should exist on your Power Sensor. Use an LDP image to reinstall the existing version of the software.
• An IPS-1 Power Sensor installation source directory on a network server. Use this type of installation to perform a Full Upgrade.

To reinstall (or perform a Full Upgrade):
1. If you are going to be installing from a network server (not from an LDP), obtain a Check Point IPS-1 Power Sensor installation CD and extract the Power-Sensor.<version_number>.tar file to a network server accessible from the Power Sensor’s management interface by FTP, HTTP, or NFS.
2. Connect to the IPS-1 Power Sensor with a Serial Console.
3. Boot the Power Sensor. During disk initialization, you will see the following:
   Press ESC twice to enter the ROM Menu, or any other key to auto boot...
   Seconds Remaining until Auto Boot: 5
4. Within 5 seconds, press ESC twice.
5. When prompted for the ROM menu password, if you haven’t set one, just press Enter. The main ROM menu appears.
6. Select Boot in Rescue Mode. When the next menu appears, select (Re)Install System (manual).

312

Upgrading Legacy Sensor Appliances

7. Select the installation type. Available LDP images are listed, with their software version and build numbers. Select an LDP image number, or n to install from a network source.
   In a network installation, you will be prompted for network information to enable the installation, as follows:
   a. Set IP information for the Power Sensor’s management interface, as prompted.
   b. Optionally, set a host and domain name. For example: mysensor.example.com
   c. Type the default gateway address.
   d. Type the protocol to be used: ftp, nfs, or http.
   e. Type the IP address of the installation source.
   f. Type the path on the installation source computer to the directory containing NR-INSTALL-DIRECTORY. Something like: /root/Power-Sensor.5.0.7/Install
   Depending on the selected protocol, you may be prompted for additional information.
8. Select to install to the root partition. There should be only one choice (1).
9. Wait for the system to complete formatting the partition.
10. In most cases, select to install to the Multiple Disk Array.
11. In most cases, do not create a local installation image. Select n.
12. Set the various date and time values. Then confirm the date and time.
The system installs the packages and reboots twice. When finished, the system is at the same state as when shipped. Continue setting up the Sensor by following the instructions in Initial Configuration of IPS-1 Power Sensor.

Upgrading Legacy Sensor Appliances

Customers upgrading legacy hardware to this version should note that the interface ordering may differ from previous versions of the IPS-1 Sensor software. The illustrations below identify the names of the interfaces on each legacy appliance.

Chapter 17 Upgrading IPS-1 313

[Figures: interface names on legacy appliances 100C and 200C, 200F, 310C, 320C, 320F, and 500C (pre-Jan 2006)]

314

[Figures: interface names on legacy appliances 500C (post-Jan 2006), 500F (pre-Jan 2006), and 500F (post-Jan 2006)]

Chapter 17 Upgrading IPS-1 315

[Figure: interface names on legacy appliance 500F (post-Jan 2006), continued]

316