Upgrade Guide

Version NGX R65

701313 February 13, 2007

© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, 
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
  Who Should Use This Guide
  Related Documentation
  More Information
  Feedback

Chapter 1: Introduction to the Upgrade Process
  Documentation
  NGX License Upgrade
  Contract Verification
  Management Plug-in Infrastructure
  Supported Upgrade Paths and Interoperability
  Upgrading Management Servers
  Backward Compatibility For Gateways
  Obtaining Software Installation Packages
  Terminology
  Upgrade Tools
  Upgrading Successfully

Chapter 2: Upgrading Licenses for Products Prior to NGX
  Overview of NGX License Upgrade
  Introduction to License Upgrade
  Software Subscription Requirements
  Licensing Terminology
  The License_Upgrade Tool
  Tool Location
  Tool Options
  Simulating the License Upgrade
  Performing the License Upgrade
  License Upgrade Methods
  Deployment with Licenses Managed Centrally Using SmartUpdate
  Deployment with Licenses Managed Locally
  Trial Licenses
  Troubleshooting License Upgrade
  Contract Verification

Chapter 3: Service Contract Files
  Introduction
  Working with Contract Files
  Installing a Contract File on SmartCenter server
  On a Windows Platform
  On SecurePlatform, Linux, and Solaris
  On IPSO
  Installing a Contract File on a Gateway
  On a Windows Platform
  On SecurePlatform, Linux, and Solaris Gateways
  On IPSO
  Managing Contracts with SmartUpdate
  Managing Contracts
  Updating Contracts

Chapter 4: Upgrading a Distributed Deployment
  Introduction
  Pre-Upgrade Considerations
  License Upgrade to NGX R65
  Web Intelligence License Enforcement
  Upgrading Products on a SecurePlatform Operating System
  VPN-1 UTM Edge Gateways Prior to Version 5.0
  Upgrading SmartCenter Server
  Using the Pre-Upgrade Verification Tool
  SmartCenter Upgrade on a Windows Platform
  SmartCenter Upgrade on SecurePlatform
  Gateway Upgrade on UTM-1
  Gateway Upgrade on UTM-1 using the WebUI
  SmartCenter Upgrade on Pre-R54 Versions of SecurePlatform
  SmartCenter Server Upgrade on a Solaris Platform
  SmartCenter Upgrade on a Linux Platform
  SmartCenter Upgrade on an IPSO Platform
  Upgrading VPN-1 Express CI R57 SmartCenter Server
  Upgrading a SmartCenter High Availability Deployment
  Upgrading the Gateway
  Upgrading a Clustered Deployment
  Upgrading the Gateway Using SmartUpdate
  Gateway Upgrade Process on a Windows Platform
  Gateway Upgrade on SecurePlatform
  Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2
  Gateway Upgrade on a Solaris Platform
  Gateway Upgrade on an IPSO Platform
  Upgrading the VPN-1 Express CI R57 Component to R65

Chapter 5: Backup and Revert for VPN-1 Power/UTM
  Introduction
  Backing Up Your Current Deployment
  Restoring a Deployment
  SecurePlatform Backup and Restore Commands
  Backup
  Restore
  SecurePlatform Snapshot Image Management
  Snapshot
  Revert

Chapter 6: Upgrading a Standalone Deployment

Chapter 7: Advanced Upgrade of SmartCenter Servers & Standalone Gateways

Chapter 8: Upgrading ClusterXL Deployments

Chapter 9: Upgrading Provider-1

Chapter 10: Upgrading SmartLSM ROBO Gateways

Chapter 11: Upgrading Eventia

Index

Preface

In This Chapter
Who Should Use This Guide
Related Documentation
More Information
Feedback

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP, and so on).

Summary of Contents

Chapter | Description
Chapter 1, “Introduction to the Upgrade Process” | This chapter introduces the upgrade process.
Chapter 2, “Upgrading Licenses for Products Prior to NGX” | This chapter covers licensing issues as regards NGX.
Chapter 3, “Service Contract Files” | This chapter covers Service Contract Files.
Chapter 4, “Upgrading a Distributed Deployment” | This chapter covers upgrading a distributed deployment, that is, where the enforcement points and SmartCenter server are installed on separate machines.
Chapter 5, “Backup and Revert for VPN-1 Power/UTM” | This chapter covers the backup and revert process.
Chapter 6, “Upgrading a Standalone Deployment” | This chapter covers upgrading a standalone deployment, where the enforcement point and the SmartCenter server are installed on the same machine.
Chapter 7, “Advanced Upgrade of SmartCenter Servers & Standalone Gateways” | This chapter covers Advanced upgrade procedures for SmartCenter Server and Standalone Gateways.
Chapter 8, “Upgrading ClusterXL Deployments” | This chapter covers upgrade issues relating to ClusterXL.
Chapter 9, “Upgrading Provider-1” | This chapter covers upgrade issues regarding Provider-1.
Chapter 10, “Upgrading SmartLSM ROBO Gateways” | This chapter covers upgrading SmartLSM ROBO Gateways.
Chapter 11, “Upgrading Eventia” | This chapter covers upgrading Eventia Reporter.

Related Documentation

The NGX R65 release includes the following documentation:

TABLE P-1 VPN-1 Power documentation suite documentation

Title | Description
Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
Upgrade Guide | Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
SmartCenter Administration Guide | Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints.
Firewall and SmartDefense Administration Guide | Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
Virtual Private Networks Administration Guide | This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
SecurePlatform™/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

TABLE P-2 Integrity Server documentation

Title | Description
Integrity Advanced Server Installation Guide | Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference | Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
Integrity Advanced Server Administrator Guide | Explains how to manage administrators and endpoint security with Integrity Advanced Server.
Integrity Advanced Server Gateway Integration Guide | Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
Integrity Advanced Server System Requirements | Provides information about client and server requirements.
Integrity Agent for Linux Installation and Configuration Guide | Explains how to install and configure Integrity Agent for Linux.
Integrity XML Policy Reference Guide | Provides the contents of Integrity client XML policy files.
Integrity Client Management Guide | Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.

More Information

• For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/.
• View the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com

Chapter 1
Introduction to the Upgrade Process

In This Chapter
Documentation
NGX License Upgrade
Contract Verification
Management Plug-in Infrastructure
Supported Upgrade Paths and Interoperability
Obtaining Software Installation Packages
Terminology
Upgrade Tools
Upgrading Successfully

Documentation

This guide covers all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. The R65 release focuses on:
• Increased performance
• End point security
• Central management
• Interoperability

Before you begin:
• Make sure that you have the latest version of this document by checking in the User Center at: http://www.checkpoint.com/support/technical/documents
• It is a good idea to have the latest version of the NGX R65 Release Notes handy. Download them from: http://www.checkpoint.com/support/technical/documents

For a new features list, refer to the “NGX R65 What’s New Guide”: http://www.checkpoint.com/support/technical/documents

Upgraded licenses are returned from the User Center.g. per license. View the status of the currently installed licenses.NGX R60 and later products do not require a license upgrade. On a SmartCenter server (or a CMA.checkpoint. in the User Center. Note . and Enterprise Support Programs coverage (under Support Programs from the User Center at: http://usercenter. 2. 3. The license upgrade procedure can be performed if you have purchased any of the Enterprise Software Subscription services. licenses. The new NGX License is available from version NGX R60.. License upgrade will fail for products and accounts for which you do not have software subscription. Perform the actual license upgrade process. During the license upgrade. you can also view the licenses in the SmartUpdate License Repository. evaluation licenses or licenses that pertain to IP addresses no longer in use) remain untouched. Using the tool. The license upgrade process adds only NGX licenses. The automatic license upgrade tool enables you to: 1.NGX License Upgrade NGX License Upgrade To upgrade to NGX R65. You can manage your accounts. Simulate the license upgrade process.com License upgrade is performed by means of an easy to use tool that automatically upgrades both locally and centrally managed licenses. and automatically installed. all eligible licenses are gathered and sent in SSL encrypted format to the User Center. product versions prior to NGX R60 require a new NGX license. Old licenses and non-eligible licenses (e. for Provider-1). License upgrade can also be performed manually. you can upgrade all licenses in the entire managed system. Chapter 1 Introduction to the Upgrade Process 21 .

When run on a SmartCenter server (or a CMA, for Provider-1), the license upgrade process also handles licenses in the SmartUpdate License Repository. After the software upgrade, SmartUpdate is used to attach the new NGX licenses to the gateways.

The license upgrade process varies according to the type of deployment:
• License upgrade for VPN-1 Pro/Express deployments is described in Chapter 2, “Upgrading Licenses for Products Prior to NGX” on page 29.
• License upgrade for Provider-1 deployments is described in “Provider-1/SiteManager-1 License Upgrade” on page 220.
• License upgrade for SmartLSM deployments is described in: “License Upgrade for a VPN-1 Power/UTM ROBO Gateway” on page 276

For the latest NGX license upgrade information and downloads, check: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html

Contract Verification

Contract verification is now an integral part of the Check Point licensing scheme. Before upgrading to the latest version, your licensing agreements are verified through the User Center. See: “Service Contract Files” on page 59 for more information.

Management Plug-in Infrastructure

NGX R65 introduces an additional infrastructure that enables the use of management plug-ins. The new plug-ins architecture introduces the ability to dynamically add new features and support for new products. When upgrading to R65, you are given the opportunity to install the Connectra Management NGX plug-in, which enables the central management of Connectra NGX R62CM gateways.

Supported Upgrade Paths and Interoperability

Management servers and gateways exist in a wide variety of deployments. Consult Table 1-1 and Table 1-2 to determine which versions of your management server and gateways can be upgraded to NGX R65.

Upgrading Management Servers

The following management versions can be upgraded to SmartCenter Server NGX R65:

Table 1-1 Upgradeable management versions

Release      Version
NGX          VPN-1 Power/UTM NGX R62
             VPN-1 Pro/Express NGX R61
             VPN-1 Pro/Express NGX R60A
             VPN-1 Pro/Express NGX R60
NG           VPN-1 Pro NG R55W
             VPN-1 Pro/Express NG With Application Intelligence R55
             VPN-1 Pro/Express NG R55P
             VPN-1 Pro/Express NG With Application Intelligence R54
             VPN-1 Pro/Express NG FP3
Express CI   R57 (Advanced Upgrade only)
GX           2.5
VSX          VSX 2.0.1
             VSX NG AI
             VSX NG AI Release 2

Backward Compatibility For Gateways

NGX R65 management supports backward compatibility for the following gateway versions:

Table 1-2 Supported gateways

Release      Version
NGX          VPN-1 Power/UTM NGX R62
             VPN-1 Pro/Express NGX R61
             VPN-1 Pro/Express NGX R60A
             VPN-1 Pro/Express NGX R60
NG           VPN-1 Pro NG R55P
             VPN-1 Pro NG R55W
             VPN-1 Pro/Express NG With Application Intelligence R55
             VPN-1 Pro/Express NG With Application Intelligence R54
             VPN-1 Pro/Express NG FP3
Express CI   R57
GX           2.5
             NGX
VSX          VSX 2.0.1
             VSX NG AI
             VSX NG AI Release 2
             VSX NGX
InterSpect   NGX
Connectra    NGX R62

Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2.

Upgrading versions 4.0-4.1

Upgrading from versions prior to NG (4.0-4.1) is not supported. To upgrade FireWall-1 versions 4.0 and 4.1, upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R65.

Obtaining Software Installation Packages

NGX R65 software installation packages for Solaris, Windows, Linux and SecurePlatform are available on the product CD. NGX R65 software packages for Nokia:
• IPSO 4.1
• IPSO 4.2
are available from: http://www.checkpoint.com/techsupport/downloads.jsp

Terminology

Advanced Upgrade: In order to avoid unnecessary risks, it is possible to migrate the current configuration to a spare server. The upgrade process is then performed on the migrated server, leaving the production server intact.

ClusterXL: A software-based load sharing and high availability solution for Check Point gateway deployments. It distributes traffic between clusters of redundant gateways so that the computing capacity of multiple machines may be combined to increase total throughput. In the event that any individual gateway becomes unreachable, all connections are re-directed to a designated backup without interruption. Tight integration with Check Point's SmartCenter management and enforcement point solutions ensures that ClusterXL deployment is a simple task for VPN-1 administrators.

Distributed Deployment: A distributed deployment is performed when the gateway and the SmartCenter server are deployed on different machines.

Gateway or Check Point Gateway: A gateway is the VPN-1 engine which actively enforces the Security Policy of the organization.

In Place Upgrade: In Place upgrades are upgrades performed locally.

LSM: Large Scale Manager. SmartLSM enables enterprises to easily scale, deploy, and manage VPNs and security for thousands of remote locations.

Management Virtual System (MVS): A default Virtual System created by the VSX installation process during installation. The MVS:
• Handles provisioning and configuration of Virtual Systems and Virtual Routers.
• Manages Gateway State Synchronization when working with clusters.

Package Repository: This is a SmartUpdate repository on the SmartCenter server that stores uploaded packages. These packages are then used by SmartUpdate to perform upgrades of Check Point Gateways.

ROBO Gateways: A Remote Office/Branch Office Gateway.

ROBO Profile: An object that you define to represent properties of multiple ROBO Gateways. Profile objects are version dependent; therefore, when you plan to upgrade ROBO Gateways to a new version, first define new Profile objects for your new version. In general, it is recommended that you keep the Profile objects of the previous versions until all ROBO Gateways of the previous version are upgraded to the new version. For further information about defining a ROBO Profile, refer to the Defining Policies for the Gateway Profile Objects chapter in the CheckPoint R65 SmartLSM Administration Guide.

Security Policy: A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.

SmartCenter Server: The SmartCenter server is used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the SmartCenter server, and are downloaded from time to time to the gateways.

SmartConsole Clients: The SmartConsole Clients are the GUI applications that are used to manage different aspects of the Security Policy. For example, SmartView Tracker is a GUI client used to view logs.

SmartDashboard: A GUI client that is used to create Security Policies.

SmartUpdate: A tool that enables you to centrally upgrade and manage Check Point software and licenses.

Standalone Deployment: A standalone deployment is performed when the Check Point components that are responsible for the management of the Security Policy (the SmartCenter server and the gateway) are installed on the same machine.

Virtual Routers: Independent routing domains within a VSX Gateway that function like physical routers.

Virtual System: A routing and security domain featuring firewall and VPN capabilities supported by a standard Check Point Gateway. Multiple Virtual Systems can run concurrently on a single VSX Gateway, isolated from one another by their use of separate system resources and data storage.

VSX Clustering: The connection of two or more VSX Gateways in such a way that if one fails, another immediately takes its place. A single VSX Gateway contains multiple Virtual Routers and Virtual Systems.

Upgrade Tools

Various upgrade tools are provided for migration and compatibility verification of your current deployment. These tools help you successfully upgrade to NGX R65. The upgrade tools can be found in the following locations:
• in the NGX R65 $FWDIR/bin/upgrade_tools directory.
• http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html

Upgrading Successfully

If you encounter unforeseen obstacles during the upgrade process, contact your Reseller or our SecureKnowledge support center at: https://secureknowledge.checkpoint.com

Chapter 2
Upgrading Licenses for Products Prior to NGX

In This Chapter
Overview of NGX License Upgrade
Introduction to License Upgrade
Software Subscription Requirements
Licensing Terminology
The License_Upgrade Tool
Simulating the License Upgrade
Performing the License Upgrade

Overview of NGX License Upgrade

To upgrade to NGX, you must first upgrade licenses for all NG products to NGX licenses. NGX products do not require a license upgrade.

The license upgrade procedure can be performed if you have purchased any of the Enterprise Software Subscription services. License upgrade will fail for products and accounts for which you do not have a software subscription. You can manage your accounts, licenses, and Enterprise Support Programs coverage (under Support Programs) from the User Center at: http://usercenter.checkpoint.com

License upgrade is performed by means of an easy to use tool that automatically upgrades both locally and centrally managed licenses. Using the tool you can upgrade all licenses in the entire managed system. License upgrade can also be performed manually, per license, in the User Center. For instructions, refer to the Step by Step guide to the User Center at: https://usercenter.checkpoint.com/pub/usercenter/faq_us.html

For instructions on upgrading licenses for Provider-1 and SmartLSM deployments, refer to:
• “Provider-1/SiteManager-1 License Upgrade” on page 220.
• “License Upgrade for a VPN-1 Power/UTM ROBO Gateway” on page 276.

For the latest NGX license upgrade information and downloads, check: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html

Introduction to License Upgrade

Licenses are required for the SmartCenter server and for the gateways. No license is required for the SmartConsole management clients.

The license upgrade procedure uses the license_upgrade command line tool, making it simple to automatically upgrade licenses without having to perform a manual upgrade through the Check Point User Center at: https://usercenter.checkpoint.com.

Version 4.1 licenses cannot be upgraded directly to NGX R65. You must first upgrade the license to NG and then to NGX. License upgrade from version 4.1 to NG can be done only from the User Center website. It is not supported by the upgrade tool.

Software Subscription Requirements

The license upgrade procedure can be performed if you have purchased any of the Enterprise Software Subscription services. License upgrade will fail for products and accounts for which you do not have a software subscription.

You can see exactly the products and accounts for which you have software subscriptions by viewing your User Center account at: https://usercenter.checkpoint.com. In the Accounts page, Enterprise Contract column, and in the Products page, Subscription and Support column, if the account or product is covered, the expiration date is shown. If a product is not covered, the entry says Join Now, with a link to get a quote for purchasing Enterprise Support.

You can purchase an Enterprise Software Subscription for the entire account, in which case all the products in the account will be covered, or you can purchase Enterprise Software Subscriptions for individual products.

Licensing Terminology

The license upgrade procedures use specialized licensing terminology. It is important to understand the terminology in order to successfully perform the license upgrade.
• License Upgrade: The process of upgrading the license version from NG to NGX.
• Software Upgrade: The process of upgrading Check Point software to version NGX.
• License Repository: A repository on the SmartCenter server that stores licenses for Check Point products. It is used by SmartUpdate to install and manage licenses on Check Point Gateways.
• Wrapper: The wizard application on the Check Point CD that allows you to install and upgrade Check Point products and upgrade licenses.

The License_Upgrade Tool

The license_upgrade tool enables you to:
• View the status of the currently installed licenses. On a SmartCenter server (or a CMA, for Provider-1), you can also view the licenses in the SmartUpdate License Repository.
• Simulate the license upgrade process.
• Perform the actual license upgrade process.

During the license upgrade, all eligible licenses are gathered and sent in SSL encrypted format to the User Center. Upgraded licenses are returned from the User Center, and automatically installed. The license upgrade process adds only NGX licenses. Old licenses and non-eligible licenses (e.g., evaluation licenses or licenses that pertain to IP addresses no longer in use) remain untouched.

When run on a SmartCenter server (or a CMA, for Provider-1), the license upgrade tool also handles licenses in the SmartUpdate License Repository. After using the tool, SmartUpdate is used to attach the new NGX licenses in the License Repository to the gateways.

Tool Location

The license_upgrade tool can be found in one of the following locations:
• On the NGX product CD at <Specific_platform>\
• In the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
• It is also part of the NGX installation, located at $CPDIR/bin.

Tool Options

The license_upgrade command line tool has a number of options. To view all of the options, run:

license_upgrade

Table 2-1 lists the available options:

Table 2-1 license_upgrade tool options

Option   Meaning
[L]      Displays the licenses installed on your machine.
[S]      Sends existing licenses to the User Center website to simulate the license upgrade to verify that it can be performed. No actual upgrade is performed and no new licenses are returned.
[U]      Sends existing licenses to the User Center website to perform an upgrade and (by default, in online mode) installs them on the machine.
[C]      Reports whether or not there are licenses on the machine that need to be upgraded.
[O]      Performs license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
[V]      Displays log of last license upgrade or last upgrade simulation.

Simulating the License Upgrade

Before performing the license upgrade, it is recommended to simulate the license upgrade. The simulation is an exact replica of the license upgrade process. It sends existing licenses to the User Center website to verify that the upgrade is possible; however, no actual upgrade is performed and no new licenses are returned. This enables you to find and solve potential problems in upgrading specific licenses.

Note - License upgrade simulation can only be performed on a machine with Internet connectivity to the Check Point User Center.

To simulate the license upgrade:
1. Copy the license_upgrade tool from <Specific_platform>\ on the NGX product CD, or from the Check Point Download site at http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
2. Place the license_upgrade tool on the NG machine.
3. To simulate the license upgrade, run the license_upgrade tool option: [S] Simulate the license upgrade.
4. If the actual license upgrade fails for some reason, error messages are displayed and available in a log file, which can be used for troubleshooting. Be sure to address all reported issues, so that the actual license upgrade will succeed for all licenses.

For further assistance:
• Refer to “Troubleshooting License Upgrade” on page 48.
• Refer to SecureKnowledge at https://secureknowledge.checkpoint.com.

Performing the License Upgrade

In This Section
License Upgrade Methods
Deployment with Licenses Managed Centrally Using SmartUpdate
Deployment with Licenses Managed Locally
Trial Licenses
Troubleshooting License Upgrade

License Upgrade Methods

There are two methods of upgrading licenses to NGX in a VPN-1 Power/UTM deployment. The right method to use depends on how you manage your licenses:
• Centrally, from the SmartCenter server by means of SmartUpdate, or
• Locally at the Check Point machine.

For both methods, the upgrade is performed using the license_upgrade tool. If you use SmartUpdate to manage your licenses, you can update all the licenses in your managed system in a single procedure.

For each method, the actual procedure that is used depends on whether or not the machine on which the license upgrade is to be run is online or offline. An online machine is one with Internet connectivity to the Check Point User Center.

It is highly recommended to perform the license upgrade before performing any software upgrade. This ensures that the products continue to function after the software upgrade. However, if necessary, the software upgrade can be performed first.

Note - Version 4.1 licenses cannot be upgraded directly to NGX. You must first upgrade software and licenses to version NG.

Table 2-2 lists the Check Point licenses that are upgraded for each license upgrade method:

Table 2-2

License Management Method             License Upgrade for                                 Licenses Upgraded
Centrally managed using SmartUpdate   Entire managed System (Run upgrade tool on          • Local machine licenses (for SmartCenter)
                                      SmartCenter server)                                 • License Repository (for gateways)
Locally managed                       Gateway                                             • Local machine licenses
                                      SmartCenter server                                  • Local machine licenses
                                      Standalone gateway deployment, containing both a    • Local machine licenses (for SmartCenter
                                      SmartCenter and a gateway (that manages no            and gateway).
                                      remote gateways).

What Next?

Select the right procedure for you:
• “Deployment with Licenses Managed Centrally Using SmartUpdate” on page 39
• “Deployment with Licenses Managed Locally” on page 44

Deployment with Licenses Managed Centrally Using SmartUpdate

In This Section
Introduction to Using SmartUpdate
License Upgrade for an Online SmartCenter
License Upgrade for an Offline SmartCenter

Introduction to Using SmartUpdate

In distributed deployments with multiple gateways, SmartUpdate must be used to distribute licenses from the SmartCenter to the gateways after performing the license upgrade. With SmartUpdate, you can manage all licenses for Check Point packages that are managed by the SmartCenter server, throughout the organization. SmartUpdate provides a global view of all available and installed licenses, and enables you to perform operations on Check Point Gateways, such as adding new licenses, attaching licenses, and deleting expired licenses.

After the SmartCenter server is upgraded, SmartUpdate must be used to complete the License Upgrade process. When SmartUpdate is opened, the upgraded licenses are imported into the License Repository and are assigned to the appropriate gateway. In order for the NGX software to work, a valid NGX license must be attached.

Note - SmartUpdate license management capabilities are free of charge.

License Statuses in SmartUpdate

SmartUpdate indicates whether a license is Attached or Unattached, and the license State, as follows:
• An Attached license is associated with the gateway in License Repository, and is installed on the remote enforcement gateway.
• An Unattached license is not installed on any enforcement gateway.

A license can be in one of the following States:
• Assigned: An NGX license that is associated with the enforcement gateways in the License Repository, but is not yet installed on the gateways as a replacement for an existing NG license.
• Obsolete: An NG license for which a replacement NGX license is installed on an NGX enforcement gateway.
• Requires Upgrade: An NG license that is installed on an NGX machine, and for which no replacement upgraded license exists.
• No NGX license: An NG license that does not need to be upgraded, or one for which the license upgrade failed.

License Upgrade for an Online SmartCenter

Use this procedure to upgrade the licenses of the entire distributed deployment to NGX before the software upgrade, for a deployment with an online SmartCenter server. An online SmartCenter server is one with Internet connectivity to the Check Point User Center website: https://usercenter.checkpoint.com.

Note - If the license upgrade is performed before the software upgrade, Check Point products generate warning messages until all the software on the machine has been upgraded. Refer to “Error: “License version might be not compatible”” on page 48 for details.

To upgrade licenses for an online SmartCenter:
1. Copy the license_upgrade tool from <Specific_platform>\ on the NGX product CD, or from the Check Point Download site: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
2. Place the license_upgrade tool on the SmartCenter NG machine.
3. On the SmartConsole GUI machine, open SmartUpdate, connect to the SmartCenter server, and select Licenses > Get all licenses. This ensures that the License Repository is updated.

4. On the SmartCenter server, perform the license upgrade procedure by running license_upgrade tool (on SecurePlatform, you must be in expert mode).
5. Select the [U] option. This does the following:
• Collects all the licenses that exist on the machine.
• Fetches updated licenses from the User Center.
• Installs new licenses on the local machine.
• Upgrades any existing Management High Availability licenses on the SmartCenter machine.

Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on Windows platforms with via-proxy Internet connectivity.

6. Perform the software upgrade to NGX on both the SmartCenter machine and the SmartConsole GUI machine.
7. On the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. The updated licenses are displayed as Assigned. Use the Attach assigned licenses option to attach the assigned licenses to the gateways.
8. Perform the software upgrade to NGX on the gateway machine(s).
9. Delete obsolete licenses from the NGX gateways. On the SmartConsole GUI machine, open SmartUpdate, and connect to the SmartCenter server. In the License Repository, sort by the State column, select all the Obsolete licenses, Detach them, and then Delete them.

License Upgrade for an Offline SmartCenter

Use this procedure to upgrade the licenses of the entire distributed deployment before the software upgrade, where the SmartCenter server is offline. An offline SmartCenter server is one that does not have Internet connectivity to the Check Point User Center website: https://usercenter.checkpoint.com.

Note - If the license upgrade is performed before the software upgrade, Check Point products generate warning messages until all the software on the machine has been upgraded. For additional information, refer to “Error: “License version might be not compatible”” on page 48.

To upgrade a license for an offline SmartCenter:
1. Copy the license_upgrade tool from <Specific_platform>\ on the NGX CD, or from the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
2. Place the license_upgrade tool on the offline SmartCenter server NG.
3. On the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. Select Licenses > Get all licenses. This ensures that the License Repository is updated.
4. On the offline SmartCenter, run license_upgrade. (On SecurePlatform, you must be in expert mode.)
5. From the menu:
• Press [U] to run the upgrade operation.
• Press [N] to specify that you do not have an Internet connection.
• Press [E] to copy the licenses to a license file.
• Enter the name of the license package file to be created.
• Press [Q] to quit the license upgrade tool.
6. Copy the license package file from the offline SmartCenter to any online machine. The online machine does not need to be a Check Point-installed machine.
7. Copy the license_upgrade tool to the online machine from the location specified in step 2.
8. Run the license_upgrade tool on the online machine:
• Press [O] to run the upgrade operation in offline mode.
• Enter the name of the exported file with the location of the package file that is the result of step 5.
• Press [Y] when asked “Is this machine connected to the Internet?”.
• Press [Y] if you are connected to the Internet via a proxy and supply the proxy IP port and username password, or press [N] if you are not connected via proxy and continue with the upgrade.
• Enter the username and password of your User Center Account.
• Enter the name of the file to be created with all the upgraded licenses (output file name).
• New licenses are fetched from the User Center and placed in a cache file.

9. Copy the cache file (with the new licenses) to the offline SmartCenter. Copy the file to the same directory as the license upgrade tool.
10. Run the license_upgrade tool on the offline SmartCenter:
• Press [U] to run the upgrade operation.
• Press [N] when asked “Is this machine connected to the Internet?”.
• Press [I] to import the output file (with the upgraded licenses) to the SmartCenter.
• Enter the output file name with all the upgraded licenses.
11. To check if currently installed licenses have been upgraded, return to the main menu and press [C]. This displays the number of upgraded licenses on the machine and whether the original NG licenses have a replacement NGX license.
12. Perform the software upgrade to NGX on both the SmartCenter machine and the SmartConsole GUI machine.
13. On the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. The updated licenses are displayed as Assigned. Use the Attach assigned licenses option to attach the assigned licenses to the gateways.
14. Perform the software upgrade to NGX on the gateway machine(s).
15. Delete obsolete licenses from NGX gateways. At the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. In the License Repository, sort by the State column, select all the Obsolete licenses, Detach them, and then Delete them.

Note - SmartUpdate indicates whether a license is Attached or Unattached, and the license state. For details, refer to “License Statuses in SmartUpdate” on page 39.

Deployment with Licenses Managed Locally

In This Section
License Upgrade for an Online Machine
License Upgrade for an Offline Machine

License Upgrade for an Online Machine

Use this procedure to upgrade the licenses on a single online NG machine before the software upgrade. An online machine is one with Internet connectivity to the Check Point User Center website https://usercenter.checkpoint.com. The single machine can be a SmartCenter server, a gateway, or a standalone gateway containing a SmartCenter server and a gateway.

Note - If the license upgrade is performed before the software upgrade, Check Point products generate warning messages until all the software on the machine has been upgraded. For additional information, refer to “Error: “License version might be not compatible”” on page 48.

Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on Windows platforms with via-proxy Internet connectivity.

To upgrade licenses for an online machine:
1. Copy the license_upgrade tool from <Specific_platform>\ on the NGX CD, or from the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
2. Place the license_upgrade tool on the online NG machine.
3. On the online machine, perform the license upgrade procedure by running the license_upgrade tool (on SecurePlatform, you must be in expert mode).
4. Press [U] to run the upgrade operation. This does the following:
• Collects all the licenses that exist on the machine.
• Fetches updated licenses from the User Center.
• Installs new licenses on the local machine.

• On a SmartCenter machine, if Management High Availability licenses exist, they are upgraded.
5. Perform the software upgrade to NGX.
6. Find out which licenses on the machine are obsolete. Run cplic print
7. Delete the obsolete licenses from the machine. For each obsolete license, run cplic -del <license_signature>

License Upgrade for an Offline Machine

Use this procedure to upgrade the licenses for a single offline machine before the software upgrade. An offline machine is one that does not have Internet connectivity to the Check Point User Center website https://usercenter.checkpoint.com. The single machine can be a:
• SmartCenter Server
• Gateway
• Standalone Gateway containing a SmartCenter Server and a gateway.

Note - If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. For details, refer to “Error: “License version might be not compatible”” on page 48.

To upgrade licenses for an offline machine:
1. Copy the license_upgrade tool from <Specific_platform>\ on the NGX CD, or from the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
2. Place the license_upgrade tool on the offline machine.
3. On the offline machine, run license_upgrade. (On SecurePlatform, you must be in expert mode.)
4. From the menu:
• Press [U] to run the upgrade operation.
• Press [N] to specify that you do not have an Internet connection.
• Press [E] to copy the licenses to a license file.

• Enter the name of the license package file to be created.
• Press [Q] to quit the license upgrade tool.
5. Copy the license package file from the offline machine to any online machine. The online machine does not need to be a Check Point-installed machine.
6. Copy the license_upgrade tool to the online machine. The tool is located at the location specified in step 2.
7. Run the license_upgrade tool on the online machine:
• Press [O] to run the upgrade operation in offline mode.
• Enter the name of the exported file with the location of the package file that is the result of step 5.
• Press [Y] when asked “Is this machine connected to the Internet?”.
• Press [Y] if you are connected to the Internet via a proxy and supply the proxy IP port and username password.
• Press [N] if you are not connected via proxy, and continue with the upgrade.
• Enter the user and password of your User Center Account.
• Enter the name of the file to be created with all the upgraded licenses (output file name).
The new licenses are fetched from the User Center and placed in a cache file.
8. Copy the cache file (with the new licenses) to the offline machine. Copy the file to the same directory as the license_upgrade tool.
9. Run the license_upgrade tool on the offline machine:
• Press [U] to run the upgrade operation.
• Press [N] when asked “Is this machine connected to the Internet?”.
• Press [I] to import the output file (with the upgraded licenses) back to the SmartCenter.
• Enter the output file name with all the upgraded licenses.
10. To check if currently installed licenses have been upgraded, return to the main menu and press [C]. This shows the number of upgraded licenses on the machine and whether the original NG licenses have a replacement NGX license.
11. Perform the software upgrade to NGX on the offline machine.

12. To find out which licenses on the machine are obsolete, run cplic print.
13. Delete the obsolete licenses from the machine. For each obsolete license, run cplic del <license_signature>

Trial Licenses

Every Check Point product comes with a Trial License that allows unrestricted use of the product for 15 days. After the software upgrade, the Trial License continues to work for the remaining days of the license. There is no need to upgrade the Trial License.

The Trial License does not work if you migrate your current SmartCenter configuration to a new machine and then upgrade the new machine to NGX.

Troubleshooting License Upgrade

License upgrade is usually a smooth and easy process; however, there are a few predictable cases where you may encounter problems. Use this section to solve those license upgrade problems.

In This Section
Error: “License version might be not compatible”
Evaluation Licenses Created in the User Center
Evaluation Licenses Not Created in the User Center
Licenses of Products That Are Not Supported in NGX
License Enforcement on Gateway is Now on SmartCenter Server
License Not in Any of Your User Center Accounts
User Does Not Have Permissions on User Center Account
SKU Requires Two Licenses in NG and One License in NGX
SmartDefense Licenses
License Upgrade Partially Succeeds
Upgraded Licenses Do Not Appear in the License Repository
Cannot Connect to the User Center

Error: “License version might be not compatible”

Note - This error is also covered in SecureKnowledge solution sk30478.

Symptoms
• Error: Warning: Can't find ... in cp.macro. License version might be not compatible
• Error occurs with commands such as cplic print, cpstart, cpstop, and fw ver.

Cause
This error occurs in any situation where a licensed version is not compatible with the version installed on a machine, for example, an NGX license on an NG machine. This error typically occurs when the license on the target machine is upgraded to NGX before the software is upgraded from a previous NG version to NGX. Refer to “License Upgrade Methods” on page 37 to determine the upgrade path that best applies to your current configuration. If the license upgrade is performed before the software upgrade, Check Point products generate warning messages until all the software on the machine has been upgraded. Note that these errors do not affect the functionality of the version NG software.

Resolution
Upgrade the software to version NGX. Errors should not appear after the upgrade.

Evaluation Licenses Created in the User Center

Symptoms
User Center message (Error code: 106): No license upgrade is available for evaluation product.

Cause
Evaluation licenses are not entitled to a license upgrade.

Resolution
Evaluation licenses cannot be upgraded. If you do not need the evaluation license, delete it. If you do need it, contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com.

Evaluation Licenses Not Created in the User Center

Symptoms
User Center message (Error code: 151): Your license contains a Certificate Key (CK) which is not found in User Center.

Cause
The evaluation licenses do not exist in the User Center. Evaluation licenses are not entitled to a license upgrade. An evaluation license can be identified by examining the license string. Evaluation licenses may contain one of the following strings in the Features description: CK-CP or CK-CHECK-POINT-INTERNAL-USE-ONLY

Resolution
Evaluation licenses cannot be upgraded. If you do not need the evaluation license, delete it. If you do need it, contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com.

Licenses of Products That Are Not Supported in NGX

Symptoms
User Center Message (Error code: 154): This product is not upgradeable to NGX version and therefore a license upgrade is not needed. The product continues to be supported in its NG Release

Cause
VPN-1 Net and VPN-1 SmallOffice are not supported in NGX; therefore, the User Center generates an error message if an attempt is made to upgrade the license for these products. The affected SKUs are:
• VPN-1 Net Family SKUs: CPVP-VNT and LS-CPVP-VNT families
• SmallOffice family SKUs: CPVP-VSO and LS-CPVP-VSO families

Resolution
Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com.

License Enforcement on Gateway is Now on SmartCenter Server

Symptoms
User Center Message (Error code: 132): The license enforcement of NG gateway is now performed by the NGX management SmartCenter server. In this scenario, the license upgrade is not handled automatically. Perform Change IP operation in User Center and install the NGX license on the SmartCenter server.

Cause
The enforcement of NG gateway features is now performed by the NGX SmartCenter server. For example, the licensing model of QOS (formerly FloodGate-1) for VPN-1 UTM was altered in NGX, and VPN-1 UTM NGX gateways with QoS require an appropriate license to be installed on the SmartCenter server. The affected SKU family for QoS is: CPXP-QOS.

Resolution
If you have an NG Express gateway with a QoS (FloodGate-1) license, or in any other instance where this problem occurs, proceed as follows:
1. Perform a license upgrade at the User Center website to generate a new license.
2. Install the new, upgraded license on the NGX management machine (even if you do not upgrade the gateway).
3. Upgrade the gateway.
4. Delete the unneeded license from the gateway in one of two ways:
• From the command line, run: cplic del <license_signature>
• Using SmartUpdate, select the unneeded license, Detach it, and then Delete it.

License Not in Any of Your User Center Accounts

Symptoms
User Center Message (Error Code 17): This license is not in any of your accounts. Run the license upgrade again with the username that owns this license in the User Center.

Cause
This specific license does not exist in any of the accounts that belong to this user.

Resolution
Run the tool again with the appropriate username. Note that each time you run the tool with a different username, upgraded licenses from the User Center are added to a cache file located on your machine. This file contains the successfully upgraded licenses from previous runs.
If the partially successful license upgrade was performed via the Wrapper, then, after the Wrapper has finished, run the license upgrade again via the command line, using the appropriate username.

User Does Not Have Permissions on User Center Account

Symptoms
User Center Message (Error Code 19): This license is in your account but you are not authorized to upgrade licenses in this account because you have just view-only permissions. Run license upgrade again with a username that is authorized to change the license in the User Center.

Cause
This user is not authorized to change this license in the User Center.

Resolution
Run the tool again with the appropriate username.

Note that each time you run the tool with a different username, upgraded licenses from the User Center are added to a cache file located on your machine. This file contains the successfully upgraded licenses from previous runs.
If the partially successful license upgrade was performed via the Wrapper, then, after the Wrapper has finished, run the license upgrade again via the command line, using the appropriate username.

SKU Requires Two Licenses in NG and One License in NGX

Symptoms
User Center Message (Error code: 135): This license is no longer needed in the version you are upgrading to. It can be safely removed from the machine after the software upgrade.

Cause
The NG version of SecureClient requires two licenses: one license for the gateway and one for the SmartCenter server. In NGX, only the management license is needed. The gateway license (CPVP-VPS-1-NG) is no longer needed because it is incorporated in the VPN-1 license. The relevant SKU families are:
• CPVP-VSC
• LS-CPVP-VSC
• CPVP-VMC
• LS-CPVP-VMC
• CPVP-VSC-100-DES-NG

Resolution
After the software upgrade, delete the unneeded gateway license from the machine. Do this in one of two ways:
• From the command line, run: cplic del <license_signature>
• Using SmartUpdate, select the unneeded license, Detach it, and then Delete it.

SmartDefense Licenses

Symptoms
User Center Message (Error code: 902): SmartDefense License is not needed on the gateway.

Cause
In NGX, enforcement of SmartDefense licenses is handled by the User Center. The affected SKU families are SU-SMRD and SU-SMDF.

Resolution
Delete the unneeded license from the machine.

License Upgrade Partially Succeeds

Symptoms
The license upgrade fails for some of the licenses but succeeds for others.

Cause
The license upgrade may fail for some licenses and succeed for others. A license may fail to upgrade for a number of reasons. For example, you may not have an Enterprise Subscription contract for the licensed product. For additional reasons why the license upgrade may fail, refer to “Troubleshooting License Upgrade” on page 48.

Resolution
After solving some or all of the licensing problems referred to in the error log, run the license_upgrade tool. This upgrades the licenses for which the problem has been solved. The tool can be found in one of the following locations:
• On the CD at <Specific_platform>
• In the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html

When the license_upgrade tool is run several times, the results are cumulative. This means that if the upgrade of some licenses failed and the tool is run again:
• Licenses that have been successfully upgraded to NGX remain unchanged.
• Licenses that failed to upgrade in a previous run and were now successfully upgraded are added to the machine.
For example, if the license upgrade failed because there was no Enterprise Software Subscription contract for the licensed product, purchase Software Subscription for those products and then run the tool again to fetch the new licenses from the User Center website.

Upgraded Licenses Do Not Appear in the License Repository

Symptoms
The upgraded license does not appear in the SmartUpdate License Repository. However, the license_upgrade tool log indicates that the license upgrade succeeded. The license upgrade was performed on the NGX machine, after the software upgrade to NGX.

Cause
The file with the upgraded licenses that was fetched from the User Center cannot be imported into the SmartUpdate License Repository while SmartUpdate is open.

Resolution
Close any SmartUpdate GUI client that is running, and run license_upgrade import -r
The upgraded licenses are imported into the SmartUpdate License Repository.

Cannot Connect to the User Center

Symptom
Failed to connect to the User Center.

Cause
Access to port HTTPS-443 is not allowed through the firewall. Access to the User Center requires this port to be open.

Resolution
Open port HTTPS-443 in the firewall. For example, in a deployment with one main firewalled gateway, and other gateways for branch offices within the organization, open HTTPS-443 in the main gateway for all the branch office gateways behind it.
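The troubleshooting cases above can be checked before the license upgrade is run. The following script is an added example, not a Check Point tool: it scans text saved from cplic print for the evaluation markers and SKU families this section names and reports the User Center error code the guide associates with each. It assumes SKU names appear as whitespace-separated tokens; the function names and sample lines are constructed for illustration.

```python
from dataclasses import dataclass

# Strings the guide lists as marking an evaluation license (Features description).
EVAL_MARKERS = ("CK-CHECK-POINT-INTERNAL-USE-ONLY", "CK-CP")

UNSUPPORTED = "product not supported in NGX; contact Account Services"
MOVED_TO_MGMT = ("enforced on the SmartCenter server in NGX; generate a new "
                 "license at the User Center, install it on the NGX management "
                 "machine, then delete the old license from the gateway")
GW_NOT_NEEDED = "gateway license no longer needed; delete it after the software upgrade"
SD_NOT_NEEDED = "SmartDefense license not needed on the gateway; delete it"

# SKU family -> (User Center error code from the guide, resolution summary).
# The LS- forms of VSO and VSC are read by analogy with LS-CPVP-VNT and
# LS-CPVP-VMC, because the extracted page prints them as "LS.CPVP-...".
SKU_FAMILIES = {
    "CPVP-VNT": (154, UNSUPPORTED), "LS-CPVP-VNT": (154, UNSUPPORTED),
    "CPVP-VSO": (154, UNSUPPORTED), "LS-CPVP-VSO": (154, UNSUPPORTED),
    "CPXP-QOS": (132, MOVED_TO_MGMT),
    "CPVP-VSC": (135, GW_NOT_NEEDED), "LS-CPVP-VSC": (135, GW_NOT_NEEDED),
    "CPVP-VMC": (135, GW_NOT_NEEDED), "LS-CPVP-VMC": (135, GW_NOT_NEEDED),
    "SU-SMRD": (902, SD_NOT_NEEDED), "SU-SMDF": (902, SD_NOT_NEEDED),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    token: str
    codes: tuple   # User Center error codes the guide associates with this case
    action: str


def family_of(token):
    """Longest listed SKU family that the token equals or extends with '-'."""
    hits = [f for f in SKU_FAMILIES if token == f or token.startswith(f + "-")]
    return max(hits, key=len) if hits else None


def triage(text):
    """Scan saved license text line by line and return one Finding per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in line.upper().split():
            if any(marker in token for marker in EVAL_MARKERS):
                # Offline we cannot tell code 106 (in User Center) from 151 (not).
                findings.append(Finding(
                    line_no, token, (106, 151),
                    "evaluation license cannot be upgraded; delete it or "
                    "contact Account Services"))
                continue
            family = family_of(token)
            if family:
                code, action = SKU_FAMILIES[family]
                findings.append(Finding(line_no, token, (code,), action))
    return findings


# Constructed sample: the column layout, addresses, CK values and SKU suffixes
# are invented for illustration and are not real cplic print output.
SAMPLE = """\
192.0.2.10 never CPMP-EXAMPLE-1-NG CK-0123456789AB
192.0.2.11 never CPVP-VNT-25-NG CK-0123456789AC
192.0.2.12 01Jan2008 CPMP-EXAMPLE-EVAL CK-CP
192.0.2.13 never CPXP-QOS-U-NG CK-0123456789AD
192.0.2.14 never LS-CPVP-VSC-100-NG SU-SMRD-EXAMPLE CK-0123456789AE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"line {f.line_no}: {f.token} -> error code(s) {f.codes}: {f.action}")
```

A license line with no finding is not guaranteed to upgrade; the account and permission cases (error codes 17 and 19) can only be seen at the User Center.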

Contract Verification

Contract verification is an integral part of the Check Point Licensing scheme. See “Service Contract Files” on page 59 for more information.


Chapter 3
Service Contract Files

In This Chapter
Introduction
Working with Contract Files
Installing a Contract File on SmartCenter server
Installing a Contract File on a Gateway
Managing Contracts with SmartUpdate

Introduction

Before upgrading a gateway or SmartCenter server to NGX R65, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on SmartCenter Server and downloaded to VPN-1 Power/UTM gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.

Working with Contract Files

As in all upgrade procedures, first upgrade your SmartCenter server or Provider-1/SiteManager-1 before upgrading the gateways. Once the management has been successfully upgraded and contains a contract file, the contract file is transferred to a gateway when the gateway is upgraded (the contract file is retrieved from the management).

Note - Multiple user accounts at the User Center are supported.

Installing a Contract File on SmartCenter server

The following section covers obtaining and installing the contract file for SmartCenter server:
• On a Windows Platform
• On SecurePlatform, Linux and Solaris
• On IPSO

On a Windows Platform

When upgrading SmartCenter server, the upgrade process checks to see whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed:

You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, you may download a contract file directly from the User Center. The contract file obtained through the user center conforms with the terms of your licensing agreements. The contract file obtained through the user center contains contract information for all of your accounts at the User Center.
i. Click Next.

ii. Enter your User Account credentials.
If the connection succeeds but the downloaded contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support

iv. On the Downloads page, in the Service Contract File Download section, click Download Now:
v. Transfer the downloaded file to the management server. After selecting Import a local contracts file, you can then browse to the location where you stored the contract file:

If the contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
vi. Click Next to continue with the upgrade process
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: “Managing Contracts with SmartUpdate” on page 82.

On SecurePlatform, Linux, and Solaris

When upgrading SmartCenter server, the upgrade process checks to see whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed:

You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the user center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
• User name
• Password

• Proxy server address (if applicable):
If the contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 82 for more information on using SmartUpdate).
• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support

iv. On the Downloads page, in the Service Contract File Download section, click Download Now:
Transfer the downloaded file to the management server. After selecting Import a local contracts file, enter the full path to the location where you stored the file:
If the contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 82 for more information on using SmartUpdate).
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: “Managing Contracts with SmartUpdate” on page 82.

On IPSO

Contract verification on IPSO is not interactive. When upgrading an IPSO SmartCenter server to NGX R65, the upgrade process will check to see if there is a valid contract already present on the SmartCenter server. If a contract is not present, the upgrade process proceeds as normal. After successfully upgrading the gateway, the following message is displayed:

The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts). For further details see: http://www.checkpoint.com/ngx/upgrade/contract/

At the earliest opportunity, obtain a valid contract file from the Check Point user center.

Installing a Contract File on a Gateway

The following section covers obtaining and installing the contract file for gateways:
• On a Windows Platform
• On SecurePlatform, Linux and Solaris
• On IPSO

On a Windows Platform

After accepting the End User License Agreement (EULA), the following message is displayed:

After clicking Next, the upgrade process checks to see if a valid contract file is installed on the gateway. If no contract file exists, the upgrade process attempts to retrieve a contract file from the SmartCenter Server that manages the gateway. If a contract file cannot be retrieved from SmartCenter server, the main options for obtaining a contract file for the gateway are displayed:

You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the user center conforms with the terms of your licensing agreements.

i. Enter your User Account credentials.
If the connection succeeds but the downloaded contract file does not cover the gateway, the following message appears:
However, this will not prevent the upgrade from taking place.

If a valid contract is available, the following message is displayed:
ii. After clicking Next, the upgrade process continues.
• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support

iv. On the Downloads page, in the Service Contract File Download section, click Download Now:
v. Transfer the downloaded file to the gateway. After selecting Import a local contracts file, you can then browse to the location where you stored the file:
vi. Click Next.

If the local contract file does not cover the gateway, the following message is displayed:
However, this will not prevent the upgrade from taking place. If the contract file covers the gateway, the following message is displayed:
vii. Click Next to continue with the upgrade process

• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: “Managing Contracts with SmartUpdate” on page 82.

On SecurePlatform, Linux, and Solaris Gateways

After accepting the End User License Agreement (EULA), the following message is displayed:
The upgrade process searches for a valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to retrieve the latest contract file from the SmartCenter server that manages the gateway. If a valid contract file is not located on the SmartCenter server, the main options for obtaining a contract file for the gateway are displayed:

You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the user center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
• User name
• Password
• Proxy server address (if applicable):

If, according to information gathered from your User Center account, your gateway is not eligible for upgrade, the following message is displayed:
You may still upgrade the gateway but are advised to download a valid contract at a later date using SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 82 for more information on using SmartUpdate).

• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support
iv. On the Downloads page, in the Service Contract File Download section, click Download Now:

Transfer the downloaded file to the gateway. After selecting Import a local contracts file, enter the full path to the location where you stored the file:
If the contract file does not cover the gateway, a message informs you that the gateway is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:

For more information, see: “Managing Contracts with SmartUpdate” on page 82.

On IPSO

Contract verification on IPSO is not interactive. When upgrading an IPSO gateway to NGX R65, the upgrade process will check to see if there is a valid contract available on the SmartCenter server that manages the gateway. If none is available, the upgrade process proceeds. After successfully upgrading the gateway, the following message is displayed:

The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts). For further details see: http://www.checkpoint.com/ngx/upgrade/contract/

At the earliest opportunity, obtain a valid contract file from the Check Point user center.

Managing Contracts with SmartUpdate

Once you have successfully upgraded SmartCenter server, you can use SmartUpdate to display and manage your contracts. From the License management window, it is possible to see whether a particular license is associated with one or more contracts:

Managing Contracts

The license Repository window in SmartUpdate displays contracts as well as regular licenses:
Clicking on a specific license shows the properties of the license:

Clicking Show Contracts displays the contracts associated with this license:
Selecting a specific contract, then Properties displays the contract’s properties, such as contract ID and expiration date as well as which licenses are covered by the contract:

Updating Contracts

Licenses & Contracts on the File menu has enhanced functionality for handling contracts:
• Licenses & Contracts > Update Contracts
This option installs contract information on SmartCenter server. Each time you purchase a new contract, use this option to make sure the new contract is displayed in the license repository:
• Licenses & Contracts > Get all Licenses
a. Collects licenses of all gateways managed by the SmartCenter server
b. Updates the contract file on the server if the file on the gateway is newer

Chapter 4
Upgrading a Distributed Deployment

In This Chapter
Introduction
Upgrading SmartCenter Server
Upgrading the Gateway

Introduction

This chapter describes the process of upgrading a distributed deployment to NGX R65. A distributed deployment consists of at least one SmartCenter server and one or more gateways. The SmartCenter server and gateway do not reside on the same physical machine.

Since backward compatibility is supported, a SmartCenter server that has been upgraded to NGX R65 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway.

The NGX R65 SmartCenter server can manage the following gateways:

Release       Version
NGX           VPN-1 Power/UTM NGX R62
              VPN-1 Pro/Express NGX R61
              VPN-1 Pro/Express NGX R60A
              VPN-1 Pro/Express NGX R60
NG            VPN-1 Pro NG R55P
              VPN-1 Pro NG R55W
              VPN-1 Pro/Express NG With Application Intelligence R55
              VPN-1 Pro/Express NG With Application Intelligence R54
              VPN-1 Pro/Express NG FP3
Express CI    R57
GX            2.5
              NGX
VSX           VSX 2.0.1
              VSX NG AI
              VSX NG AI Release 2
              VSX NGX
InterSpect    NGX
Connectra     NGX R62

NGX R65 is not backward compatible with:
• VPN-1 Pro/Express NG
• VPN-1 Pro/Express NG FP1
• VPN-1 Pro/Express NG FP2

Upgrading from versions prior to NG (4.0-4.1) is not supported. To upgrade FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R65.

Pre-Upgrade Considerations

In This Section
License Upgrade to NGX R65
Web Intelligence License Enforcement
Upgrading Products on a SecurePlatform Operating System
VPN-1 UTM Edge Gateways Prior to Version 5.0

License Upgrade to NGX R65

Before upgrading the software, it is highly recommended to upgrade licenses for all NG products. NGX R65 with licenses from previous versions will not function. If necessary, the license upgrade can be performed after the software upgrade. For details, refer to “Upgrading Licenses for Products Prior to NGX” on page 29.

Use of the Pre-Upgrade verification tool can reduce the risk of incompatibility with the deployment to NGX R65. It is used to test the current VPN-1 gateway prior to upgrading to NGX R65. The Pre-Upgrade verification tool produces a detailed report indicating the appropriate actions that should be taken before performing an upgrade to NGX R65 (refer to “Using the Pre-Upgrade Verification Tool” on page 91).

Web Intelligence License Enforcement

A gateway or gateway cluster requires a Web Intelligence license if it enforces one or more of the following protections:
• Malicious Code Protector
• LDAP Injection
• SQL Injection
• Command Injection
• Directory Listing
• Error Concealment
• ASCII Only Request
• Header Rejection
• HTTP Methods

The actual license required depends on the number of Web servers protected by the gateway or gateway cluster. For NGX R60 and later versions, if the correct license is not installed, it is not possible to install a Policy on any gateway. When upgrading, be aware of this change of behavior. For additional information, refer to the Web Intelligence chapter in the Check Point R65 Firewall And SmartDefense Administration Guide.

Upgrading Products on a SecurePlatform Operating System

Upgrading to NGX R65 on a SecurePlatform operating system for versions prior to NGX R60 requires upgrading both the operating system and the installed software products. The process upgrades all of the installed components (Operating System and software packages) in a single upgrade process. No further upgrades are required. To upgrade products installed on SecurePlatform, refer to the “SmartCenter Upgrade on SecurePlatform” on page 95.

VPN-1 UTM Edge Gateways Prior to Version 5.0

Before you upgrade your deployment to NGX R65, it is recommended that VPN-1 UTM Edge gateways should be at least version 5.0. By default, SmartCenter NGX R65 is compatible with VPN-1 UTM Edge gateways 5.0 and above.

Enabling Policy Enforcement on Pre-version 5.0 VPN-1 UTM Edge Gateways

In order to control and enforce policies on earlier versions of the VPN-1 UTM Edge gateways, you must perform the following workaround on the upgraded SmartCenter server. Once the workaround is complete, new NGX R65 features may not be available to VPN-1 UTM Edge gateways prior to 5.0.

To perform the workaround:
1. Edit the /var/opt/CPEdgecmp/conf/SofawareLoader.ini file for Solaris, or the %FWDIR%\FW1_EDGE_BC\conf\SofawareLoader.ini file for Windows.

2. In the [Server] section, add the following:
   TopologyOldFormat=1
3. Save and close the file.

The change takes effect without running the commands cpstop and cpstart.
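One way to script the workaround above on a Unix SmartCenter server, as an added example that is not part of the original guide: it sets TopologyOldFormat=1 in the [Server] section idempotently, leaves other sections untouched, and keeps a backup copy for rollback. The function names and the sample file content are assumptions made for the illustration; only the file path, the section name and the key come from the guide.

```shell
#!/bin/sh
# Added example (not from the guide). Function names and the sample file
# content are constructed; the section name and key come from the guide.
# Real use, on Solaris:
#   ensure_ini_key /var/opt/CPEdgecmp/conf/SofawareLoader.ini Server TopologyOldFormat 1

# ini_get FILE SECTION KEY
# Print the value assigned to KEY inside [SECTION]; return 1 if it is unset.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ {                        # section header: track position
            t = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", t)
            insec = (t == sec); next
        }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
                found = 1
            }
        }
        END { if (!found) exit 1; print v }
    ' "$1"
}

# ensure_ini_key FILE SECTION KEY VALUE
# Make [SECTION] contain exactly one KEY=VALUE line, placed directly under the
# section header. Stale assignments of KEY in that section are dropped, the
# section is appended if it does not exist, and FILE.bak keeps the old content.
ensure_ini_key() {
    file=$1; section=$2; key=$3; value=$4
    [ -f "$file" ] || { echo "ensure_ini_key: no such file: $file" >&2; return 2; }
    # Already configured: leave the file (and its timestamp) alone.
    if [ "$(ini_get "$file" "$section" "$key")" = "$value" ]; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        /^[ \t]*\[/ {
            t = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", t)
            insec = (t == sec)
            print
            if (insec && !done) { print key "=" val; done = 1 }
            next
        }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) next               # drop the stale assignment
        }
        { print }
        END { if (!done) { print sec; print key "=" val } }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Back up first, then overwrite in place so owner and mode are preserved.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on a constructed file in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    ini="$dir/SofawareLoader.ini"
    printf '%s\n' '[General]' 'SampleKey=1' '' '[Server]' 'OtherKey=abc' \
        'TopologyOldFormat=0' '' '[Client]' 'SampleKey=2' > "$ini"
    ensure_ini_key "$ini" Server TopologyOldFormat 1 && cat "$ini"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

Running the function a second time changes nothing, so it is safe to include in a repeatable post-upgrade checklist; compare the file with its .bak copy to review exactly what was altered.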

Upgrading SmartCenter Server

This section describes how to upgrade a SmartCenter server to NGX R65. Upgrades can be performed incrementally so that you do not have to upgrade the SmartCenter server and all of the gateways at the same time. Once the SmartCenter server is upgraded, you can still manage gateways from the previous version, even though the gateways may not support the new features. You can upgrade the gateways at your convenience.

Use of the Pre-Upgrade verification tool can reduce the risk of incompatibility with the deployment to NGX R65. It is used to test the current SmartCenter server prior to upgrading to NGX R65. The Pre-Upgrade verification tool produces a detailed report indicating the appropriate actions that should be taken before performing an upgrade to NGX R65 (refer to “Using the Pre-Upgrade Verification Tool” on page 91).

There are two upgrade methods available for the SmartCenter server:
• Upgrade your Production SmartCenter Server
  Perform the upgrade process on the production SmartCenter server (refer to the procedures in this section).
• Migrate and Upgrade to a New SmartCenter Server
  Perform a migration process (refer to “Migrate Your Current VPN-1 Gateway Configuration & Upgrade” on page 178) of the currently installed version to a new server, and upgrade the migrated system.

Using the Pre-Upgrade Verification Tool

Pre-upgrade verification runs automatically (or manually if desired) during the SmartCenter upgrade. Pre-upgrade verification performs a compatibility analysis of the currently installed SmartCenter server and its current configuration. A detailed report is provided, indicating appropriate actions that should be taken before and after the upgrade process.

92 .5 VSX_2. -f redirects the standard output to a file.0.exe -p SmartCenterPath -c CurrentVersion -i[-f FileName][-w] -p -c -t -i -f -w Path of the installed SmartCenter Server (FWDIR) Currently installed version Target version Check originality of INSPECT files only Output in file Web format file Where the currently installed version is one of the following: For Release NGX Version is: NGX_R62 NGX_R61 NGX_R60A NGX_R60 NG NG_R55 NG_R55P NG_R55 NG_R54 NG_FP3 NG GX VSX GX_2.1 VSX_NG_AI VSX_NG_AI_Release_2 The target version is: NGX_R65.Upgrading SmartCenter Server Usage: pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w] or pre_upgrade_verifier.

Action Items Before and After the Pre-Upgrade Process

• errors - Items that must be repaired before and after performing the upgrade. If you proceed with the upgrade while errors exist, the upgrade will fail.
• warnings - Items that you should consider repairing before and after performing the upgrade.

SmartCenter Upgrade on a Windows Platform

This section describes the upgrade process using the NGX R65 CD. It is recommended to back up your current configuration before you perform the upgrade process. For additional information, refer to Chapter 3: “Backup and Revert for VPN-1 Power/UTM”. If a situation arises in which a revert to your previous configuration is required, refer to “Revert” on page 134 for details.

To perform an upgrade on a Windows platform:
1. Access your NGX R65 CD.
2. Execute the Installation package.
3. After accepting the EULA, verify your contract information. For more information on contracts, see: “Installing a Contract File on SmartCenter server” on page 60
4. From the Upgrade Options screen, select Upgrade.
5. When the pre-upgrade verification recommendation appears, select whether or not the Pre-upgrade verification tool should be executed (refer to “Using the Pre-Upgrade Verification Tool” on page 91). Pre-upgrade verification performs a compatibility analysis of the currently installed SmartCenter server and of its current configuration. A detailed report is provided, indicating appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.
6. From the Upgrade Options screen, select Upgrade again. Another verification is run.
7. When prompted, reboot your SmartCenter server.

Uninstalling Packages

Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled.

SmartCenter Upgrade on SecurePlatform

Upgrading to NGX R65 on a SecurePlatform operating system requires updating both the operating system and the installed software products. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Refer to the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide for additional information.

The procedure in this section applies to SmartCenter versions:
• R62
• R61
• R60A
• R60
• R55W
• R55
• R54

For details on upgrading SecurePlatform versions prior to R54, refer to “SmartCenter Upgrade on Pre-R54 Versions of SecurePlatform” on page 99.

If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.

To perform an upgrade on a SecurePlatform:
1. Insert CD1 of the NGX R65 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement, and verify your contract information.

   For more information on contracts, see: “On SecurePlatform, Linux, and Solaris Gateways” on page 76
8. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the SmartCenter configuration.
   iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [S] to simulate the license upgrade.
   • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [O] to perform the license upgrade on a license file that was generated on machine with no Internet access to the User Center.
   • Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled.

Run the rpm -e <package name> to view a list of all the installed packages.

Gateway Upgrade on UTM-1

Upgrading to NGX R65 on a SecurePlatform operating system requires updating both the operating system and the installed software products. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Refer to the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide for additional information.

The procedure in this section applies to UTM-1.

To perform an upgrade on a SecurePlatform:
1. Install an external CD-ROM drive to the appliance by running the following commands:
   mkdir /mnt/cdrom
   modprobe usb-storage
   modprobe usb-uhci
   mount /dev/scd0 /mnt/cdrom
2. Insert CD1 of the NGX R65 media kit into the CD drive.
3. At the command prompt, enter patch add cd.
4. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
5. Enter y to accept the checksum calculation.
6. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.
7. The welcome message is displayed. Enter n.
8. Accept the license agreement, and verify your contract information.
9. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration

iii. • • 11. Download an upgrade package. Enter [U] to perform the license upgrade. ii. 12. 10. Select a source for the upgrade utilities. Select the upgrade package file. you can skip this step. If you already downloaded the file. Enter [S] to simulate the license upgrade. Enter [C] to check if currently installed licenses have been upgraded. The exported configuration is automatically imported during the upgrade process. and follow the recommendations contained in the pre-upgrade verification results. Upgrade the installation. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. Export the SmartCenter configuration. or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center. 98 . Enter c to agree to the license upgrade. Click Upload package to appliance. Gateway Upgrade on UTM-1 using the WebUI To upgrade your appliance: 1. Enter [Q] to quit. 3. Click Start Upgrade. Select one of the following: • • • • Enter [L] to view the licenses installed on your machine. Run the pre-upgrade verification script. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository. Enter [O] to perform the license upgrade on a license file that was generated on machine with no Internet access to the User Center. Repeat the process until you see Your configuration is ready for upgrade.Upgrading SmartCenter Server • Perform pre-upgrade verification only i. 2. Open SmartUpdate and attach the new NGX licenses to the gateways. 4. as directed.

The Current Upgrade File on Appliance section displays the information of the current upgrade.
5. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful. The Save an Image before Upgrade page displays the image information. Click Next.
6. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image. Click Next.
7. To begin the upgrade, click Start.

SmartCenter Upgrade on Pre-R54 Versions of SecurePlatform

Upgrading to NGX R65 on a SecurePlatform operating system requires updating both the operating system and the installed software products. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Upgrading pre-R54 versions requires an upgrade of the patch command.

The procedure in this section applies to the following SmartCenter versions:
• NG
• NG FP2
• NG FP3
• NG FP3 Edition 2

For details on upgrading later SecurePlatform versions, refer to “SmartCenter Upgrade on SecurePlatform” on page 95.

If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.

To perform an upgrade on pre-R54 versions of SecurePlatform:
1. Insert the SecurePlatform NGX R65 CD into the CD drive.
2. Enter the expert mode:
   # expert

3. Mount the CD and upgrade the patch command using the following syntax:
   # mount /mnt/cdrom
   # patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_*.tgz
4. Insert CD1 of the NGX R65 media kit into the CD drive.
5. At the command prompt, enter patch add cd.
6. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
7. Enter y to accept the checksum calculation.
8. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.
9. The welcome message is displayed. Enter n.
10. Accept the license agreement, and verify your contract information. For more information on contracts, see: “On SecurePlatform, Linux, and Solaris Gateways” on page 76
11. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the SmartCenter configuration
   iii. Upgrade the installation
12. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.

   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [S] to simulate the license upgrade.
   • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [O] to perform the license upgrade on a license file that was generated on machine with no Internet access to the User Center.
   • Enter [Q] to quit.

13. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.

Open SmartUpdate and attach the new NGX licenses to the gateways.

Note - The "patch add cd" command presents three options: run the pre-upgrade verification script, export the SmartCenter configuration, upgrade the installation. If you select the first option, the command exits after performing the pre-upgrade verification. To select the second or third options, you need to run the "patch add cd" command again.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it will be the last package uninstalled. Run the rpm -e <package name> to view a list of all the installed packages.

SmartCenter Server Upgrade on a Solaris Platform

This section describes the upgrade process using the NGX R65 CD. It is recommended that you back up your current configuration before you perform an upgrade process. For additional information, refer to Chapter 3: “Backup and Revert for VPN-1 Power/UTM”. If a situation arises in which a revert to your previous configuration is required, refer to “Revert” on page 134 for details.

To perform an upgrade on a Solaris machine in a production environment:
1. Insert CD3 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement, and verify your contract information. For more information on contracts, see: “On SecurePlatform, Linux, and Solaris Gateways” on page 76
5. Select upgrade. (It is also possible to upgrade using an imported configuration.)
6. Enter n.
7. Select a source for the upgrade utilities. Although the NGX R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
8. The pre-upgrade verification process runs automatically. View the results and follow any recommendations. Then, run the pre-upgrade verifier again. Wait until the successful message is displayed. This message is displayed: The pre-Upgrade Verification was completed successfully. Your configuration is ready for upgrade.
9. To perform the upgrade, select Upgrade installed products. To install additional products, select Upgrade installed products and install new products. You are prompted to select the products from a list. Enter n.
10. Enter n to validate the products to install. The products are upgraded.
11. Enter e to exit.

12. Reboot.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it will be the last package uninstalled. Run the pkgrm command to view a list of the installed packages.

SmartCenter Upgrade on a Linux Platform

This section describes the upgrade process using the NGX R65 CD. It is recommended that you back up your current configuration, before you perform an upgrade process.

To perform an in-place upgrade:
1. Insert CD2 of the NGX R65 media kit into the CD drive.
2. From the root directory, run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement, and verify your contract information. For more information on contracts, see: “On SecurePlatform, Linux, and Solaris Gateways” on page 76
5. Select upgrade.
6. Enter n.
7. Select a source for the upgrade utilities. Although the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
8. The pre-upgrade verification process runs automatically. View the results and follow any recommendations. Then, run the pre-upgrade verifier again. This message is displayed: The pre-Upgrade Verification was completed successfully. Your configuration is ready for upgrade.
9. To perform the upgrade, specify Upgrade installed products. To install new products, select Upgrade installed products and install new products, select the products, and enter n.
10. Enter n to validate the products to install. The products are upgraded.
11. Enter e to exit.
12. Reboot.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run the rpm -e <package name> to view a list of the installed packages.

SmartCenter Upgrade on an IPSO Platform

Before beginning the upgrade process:
• It is recommended that you back up your current configuration, in case the upgrade process is unsuccessful. IPSO has its own backup and restore facility. For additional information, refer to the Nokia Network Voyager Reference Guide. If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.
• Download and run the pre-upgrade verifier (PUV) for IPSO from: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
  For details on using the PUV, refer to “Using the Pre-Upgrade Verification Tool” on page 91.

Note - For NGX R65, you must first install either IPSO 4.1 or 4.2.

To perform an upgrade on an IPSO Platform:
1. From the Check Point website, download the NGX R65 upgrade package: IPSO_Wrapper_R65.tgz
2. Enter the Network Voyager and open a CLI console.
3. Click System Configuration > Install New IPSO Image (Upgrade). The New Image Installation Upgrade window opens.
4. Enter the following information:
   Enter URL to the image location
   Enter HTTP Realm (for HTTP URLs only)
   Enter Username (if applicable)
   Enter Password (if applicable)
5. Click Apply. You are informed that the file download and image installation may take some time.
6. Click Apply. The new image installation process begins.
7. Click the provided link to get the upgrade status.

8. When the upgrade is complete, click the link to the IPSO Image Management page. The IPSO Image Management window opens.
9. Under the title Select an image for next boot, select the last downloaded image.
10. Click Test Boot.
11. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
12. In the Network Voyager, click Refresh and log in.
13. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images. You should be able to see that the relevant IPSO Image is selected.
14. Select Commit testboot and click Apply.
15. Access the CLI console and log in.
16. Perform an FTP using bin mode to transfer the IPSO_Wrapper_R65.tgz package.
17. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter. This command:
   • Deactivates previous Check Point packages but does not delete them.
   • Finds the upgrade tools in $FWDIR and performs an import/export operation to preserve the previous configuration.
   When the process is complete, you should receive a message indicating that the process was successful, along with a reminder to update your contract information. For more information on contracts, see: “On IPSO” on page 81.
   Note - The previous Check Point packages remain installed but deactivated. Should the need arise, the previous packages can be activated through the Network Voyager.
18. Log off the console connection, and then log back on to set the environment variables.
19. Start the installed products by running cpstart.

Upgrading VPN-1 Express CI R57 SmartCenter Server

A VPN-1 Express CI R57 SmartCenter server upgrade is manually performed using the upgrade_import and upgrade_export tools located on the product CD or in the $FWDIR\bin\upgrade_tools directory.

Upgrading SmartCenter Server Component to R65

This section describes how to perform an advanced upgrade on an additional SmartCenter server via a spare machine.

To upgrade a SmartCenter server component:
1. Locate the upgrade_import and upgrade_export tools in the $FWDIR\bin\upgrade_tools directory. (The tools are also available on the product CD.)
2. Select Export in Upgrade Options. If you opt to perform the Export procedure manually, make sure that you are using the NGX R65 Export tool.
3. Select the destination path of the configuration (.tgz) file. Wait while exporting database files.
4. Copy the exported .tgz file to the new SmartCenter server.
5. Insert the NGX R65 CD into the new SmartCenter server.
6. Select Installation using Imported Configuration (Windows) or Advanced Upgrade (Solaris) in the Installation Options. This option prompts you for the location of the imported .tgz configuration file and then automatically installs the new software and utilizes the imported .tgz configuration file.

Warning - The configuration file (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the import process.

Upgrading a SmartCenter High Availability Deployment

To upgrade a SmartCenter server high availability deployment:
1. Before you perform the Upgrade process, synchronize all the SmartCenter servers (select Policy > Management High Availability).
2. Perform the Upgrade process on both SmartCenter servers (refer to the relevant upgrade process below).
3. Using the SmartDashboard GUI client, connect to one of the SmartCenter servers.
4. In the General page of each of the SmartCenter server's Gateway Properties window, set the correct Check Point Products Version. This can also be done by clicking the Get Version button in the specific objects’ properties page.
5. Repeat steps 3 and 4 for each additional SmartCenter server.
6. Once again, synchronize all the SmartCenter servers (select Policy > Management High Availability).

Upgrading the Gateway

There are two upgrade methods available:
• SmartUpdate Upgrade: Allows you to centrally upgrade and manage Check Point software and licenses.
• Local Upgrade: Performs a local upgrade on the gateway itself.

In This Section
Upgrading a Clustered Deployment
Upgrading the Gateway Using SmartUpdate
Gateway Upgrade Process on a Windows Platform
Gateway Upgrade on SecurePlatform
Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2
Gateway Upgrade on a Solaris Platform
Gateway Upgrade on an IPSO Platform

Upgrading a Clustered Deployment

You can select one of the following options, when upgrading a Clustered deployment:
• Minimal Effort Upgrade: Select this option if you have a period of time during which network downtime is allowed. The minimal effort method is much simpler because the clusters are upgraded as gateways and therefore can be upgraded as individual gateways.
• Zero Downtime: Select this option if network activity is required during the upgrade process. The zero downtime method assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic.

For additional information, refer to “Upgrading ClusterXL Deployments”.

"Upgrade All" is the recommended method. In addition. The following features and tools are available in SmartUpdate: • Upgrade All Packages: This feature allows you to upgrade all packages installed on a gateway.e. In NGX R65. For IPSO and SecurePlatform. It provides a centralized means to guarantee that the latest software versions are used throughout the enterprise network. • 112 . there is an advanced method to install (distribute) packages one by one. The following products can be upgraded to NGX R65: • • • • • • • • • • VPN-1 Pro Gateways SecurePlatform Performance Pack SmartView Monitor (as part of the NGX R65 software package) Eventia Reporter UserAuthority Server PolicyServer (as part of the NGX R65 software package) QoS (as part of the NGX R65 software package) Nokia OS UTM-1 SmartUpdate Options SmartUpdate is the primary tool used for upgrading Check Point gateways.Upgrading the Gateway Upgrading the Gateway Using SmartUpdate SmartUpdate is an optional module for VPN-1 that automatically distributes software packages and remotely performs upgrades of gateways and various OPSEC products. SmartUpdate takes time-consuming tasks. SmartUpdate's “Upgrade all Packages” supports HFAs. and turns them into simple point and click operations. it will suggest upgrading the gateway with the latest HFA if a HFA package is available in the Package Repository. Add Package to Repository: SmartUpdate provides three “helper” tools for adding packages to the Package Repository: • • From CD: Adds a package from the Check Point CD. From File: Adds a package that you have stored locally. this feature also allows you to upgrade your operating system as a part of your upgrade. i. which could otherwise be performed only by experts..

   • From Download Center: Adds a package from the Check Point Download Center.
• SmartUpdate’s Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or for your entire enterprise.
• Check for Updates: This feature, available from the SmartDashboard Tools menu, locates the latest HFA on the Check Point Download Center, and adds it to the Package Repository.

Configuring the SmartCenter Server for SmartUpdate

To configure the SmartCenter server for SmartUpdate:
1. Install the latest version of SmartConsole, including SmartUpdate.
2. Define the remote Check Point gateways in SmartDashboard (for a new SmartCenter server installation).
3. Verify that your SmartCenter server contains the correct license to use SmartUpdate.
4. Verify that the Administrator SmartUpdate permissions (as defined in the cpconfig configuration tool) are Read/Write.
5. To enable SmartUpdate connections to the gateways, make sure that Policy Global Properties > FireWall > Firewall Implied Rules > Accept SmartUpdate Connections (SmartUpdate) is selected. By default, it is selected.

Note - SmartUpdate is available as part of Smartcenter Power.

Add Packages to the Package Repository

Use SmartUpdate to add packages to and delete packages from the Package Repository:
• directly from the Check Point Download Center website (Packages > Add > From Download Center...),
• by adding them from the Check Point CD (Packages > Add > From CD...),
• by importing a file (Packages > Add > From File...).

When adding the package to the Package Repository, the package file is transferred to the SmartCenter server. When the Operation Status window opens, you can verify the success of the operation. The Package Repository is then updated to show the new package object.

Gateway Upgrade Process Using SmartUpdate

To update a gateway using SmartUpdate:
1. From SmartUpdate > Packages > Upgrade All Packages select one or more gateways and click Continue. The Upgrade All Packages window opens, and in the Upgrade Verification list you can see which gateways can or cannot be upgraded.
   • To see a list of which packages will be installed on the gateways that can be upgraded, select the gateway and click the Details button.
   • For an explanation as to why a gateway cannot be upgraded, select the relevant gateway and click the Details button.
2. From the list provided, select the gateways that can be upgraded and click Upgrade.
   Note - The Allow reboot... option (selected by default) is required in order to activate the newly installed packages.

The Operation Status pane opens and shows the progress of the installation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window, which shows the operation history.

The following operations are performed during the installation process:
• The Check Point Remote Installation Daemon connects to the Check Point gateway.
• Verification for sufficient disk space.

• Verification of the package dependencies.
• The package is transferred to the gateway if it is not already there.
• The package is installed on the gateway.
• Enforcement policies are compiled for the new version.
• The gateway is rebooted if the Allow Reboot... option was selected and the package requires it.
• The gateway version is updated in SmartDashboard.
• The installed packages are updated in SmartUpdate.

Using SmartUpdate NGX R65 to Upgrade Prior Versions

SmartUpdate NGX R65 can be used to upgrade the following pre-R65 versions to R65:
• R54
• R55
• R55W
• R55P
• R60
• R60A
• R61

To upgrade a gateway to a pre-R65 version:
1. Add the corresponding packages to the Package Repository.
2. Right-click the gateway and select Distribute Package...
3. Select the relevant package from the list provided and click Distribute.

Repeat steps 2 to 3 for each package that should be installed on the gateway.

Note - It is also possible to use SmartUpdate to install HFAs on gateways from previous versions (for example, R54 and later).

Gateway Upgrade Process on a Windows Platform

This section describes the upgrade process using the NGX R65 Installation CD.

To upgrade a gateway in a Windows platform:
1. Access your NGX R65 CD.
2. Execute the Installation package.
3. From the Upgrade Options screen, select Upgrade.
4. When the pre-upgrade verification recommendation appears, select whether or not the Pre-upgrade verification tool should be executed (refer to the “Using the Pre-Upgrade Verification Tool” on page 91). The Pre-upgrade verification tool performs a compatibility analysis of the currently installed gateway and its current configuration. A detailed report is provided, indicating the appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.
5. Select one of the following upgrade options:
• Download Most Updated Upgrade Utilities (recommended method). This download provides the most recent upgrade code available.
• I have already downloaded and extracted the Upgrade Utilities. The files are on my local disk. This option should be used when software packages have been previously downloaded. This method is useful when Internet access is not available from the SmartCenter server machine.
• Use the CD version.
6. From the Upgrade Options screen, select Upgrade again. Another verification is run.
7. When prompted, reboot the gateway.

8. When the upgrade process is complete, do the following:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window that represents the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.

If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.

Gateway Upgrade on SecurePlatform

Upgrading to NGX R65 on a SecurePlatform operating system requires updating both operating system and software products installed. SecurePlatform users should follow the relevant SecurePlatform upgrade process. The process described in this section upgrades all components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Refer to the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide for additional information.

If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.

Upgrading SecurePlatform Using a CD Rom

This section describes how to upgrade SecurePlatform R54 and later versions using a CD ROM drive. The upgrade process is supported for:
• R62
• R61
• R60A
• R60
• R55W
• R55
• R54

For details on upgrading gateway versions prior to R54, refer to “Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2” on page 119.

To upgrade SecurePlatform using a CD:
1. Log in to SecurePlatform (expert mode is not necessary).
2. Apply the SecurePlatform NGX R65 upgrade package:
# patch add cd
3. Select the SecurePlatform upgrade package (CPspupgrade_R65.tgz).
4. Enter y to accept the MD5 checksum calculation.
5. When prompted, create a backup image for automatic revert.

A Safe Upgrade will be performed. Safe Upgrade automatically takes a snapshot of the entire system so that the entire system (operating system and installed products) can be restored if something goes wrong during the Upgrade process (for example, hardware incompatibility). If the Upgrade process detects a malfunction, it automatically reverts to the Safe Upgrade image. When the Upgrade process is complete, upon reboot you are given the option to manually start the SecurePlatform operating system using the upgraded version image or using the image created prior to the Upgrade process.
6. After you complete the upgrade process, do the following:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window for the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.

Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2

Upgrading to NGX R65 over a SecurePlatform operating system requires updating both the operating system and the installed software products. SecurePlatform users should perform the relevant SecurePlatform upgrade process. The process described in this section upgrades all components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Refer to CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide for additional information.

This procedure describes how to upgrade SecurePlatform NG FP2, FP3, or FP3 Edition 2. Upgrading pre-R54 versions requires an upgrade of the patch command.

To upgrade SecurePlatform NG FP2, FP3, or FP3 Edition 2:
1. Insert the SecurePlatform NGX R65 CD into the drive.
2. Enter the expert mode:
# expert
3. Mount the CD and upgrade the patch command using the following syntax:
# mount /mnt/cdrom
# patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_*.tgz

4. Apply the SecurePlatform NGX R65 upgrade package using a CD ROM drive with the following command:
# patch add cd
You are prompted to verify the MD5 checksum.
5. Answer the following question:
Do you want to create a backup image for automatic revert? Yes/No
If you select Yes, a Safe Upgrade is performed. Safe Upgrade automatically takes a snapshot of the entire system so that the entire system (operating system and installed products) can be restored if something goes wrong during the Upgrade process (for example, hardware incompatibility). If the Upgrade process detects a malfunction, it automatically reverts to the Safe Upgrade image. When the Upgrade process is complete, upon reboot you are given the option to manually start the SecurePlatform operating system using the upgraded version image or using the image created prior to the Upgrade process.
6. After you complete the upgrade process, do the following:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window that represents the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.

If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.

Then. 11. To install additional products. Wait until the successful message is displayed.Upgrading the Gateway Gateway Upgrade on a Solaris Platform This section describes the upgrade process using the NGX R65 CD. After you complete the upgrade process. 3. The pre-upgrade verification process runs automatically. Enter n to validate the products to install. The products are upgraded. Select a source for the upgrade utilities. The wrapper welcome message is displayed. Reboot. View the results and follow any recommendations. refer to “Revert” on page 134 for details. Enter n. run the pre-upgrade verifier again. and Solaris Gateways” on page 76 5. Insert CD3 of the NGX R65 media kit into the CD drive. The following message is displayed: The pre-Upgrade Verification was completed successfully. refer to Chapter 3: “Backup and Revert for VPN-1 Power/UTM”. 8. Linux. it is recommended to download the latest tools from the Check Point website. Enter n. 7. For further information on contracts. Select upgrade. Your configuration is ready for upgrade. Enter e to exit 12. 9. select Upgrade installed products and install new products. To upgrade a gateway on a Solaris platform: 1. to agree to the End-user License Agreement and verify your contract information. You are prompted to select the products from a list. see:“On SecurePlatform. For additional information. 2. If a situation arises in which a revert to your previous configuration is required. Enter Y. 10. 4. do the following: Chapter 4 Upgrading a Distributed Deployment 121 . It is recommended that you back up your current configuration before you perform an upgrade process. and mount the CD. 6. Select Upgrade installed products. Enter n. 13. From the root directory of the cd. While the NGX R65 upgrade utilities are on the NGX R65 CD. run UnixInstallScript.

a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window for the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.

If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.

Gateway Upgrade on an IPSO Platform

This section describes the steps that should be performed when performing an upgrade on an IPSO Platform for versions 4.1 or 4.2.

To upgrade a gateway on an IPSO platform:
1. Enter the Network Voyager and open a CLI console.
2. Click System Configuration > Install New IPSO Image (Upgrade). The New Image Installation Upgrade window opens.
3. Enter the following information:
• Enter URL to the image location
• Enter HTTP Realm (for HTTP URLs only)
• Enter Username (if applicable)
• Enter Password (if applicable)
4. Click Apply. You are informed that the file download and image installation can take a long time.
5. Click Apply. The new image installation process starts.
6. Click the provided link to view the upgrade status.
7. When the upgrade is complete, click the link to the IPSO Image Management page. The IPSO Image Management window opens.
8. Under the title Select an image for next boot, select the last downloaded image.
9. Click testboot.

10. 17. 12. and confirm that the following packages are enabled: • • Check Point VPN-1 Power/UTM NGX R65 Check Point CPinfo 19. You should be able to see that the relevant IPSO Image is selected. you should receive a message indicating that the process was successful.Upgrading the Gateway Testboot is a special reboot process that permits the user to roll back to a previous image should problems arise. Log off from the console connection. 15. Access the CLI console to monitor the reboot process. Note . Access the CLI console and log in. Verify that the older packages are disabled. 18. click Refresh and log in. On flash-based platforms.If you do not commit the testboot within five minutes of the test completing. the platform automatically reboots to the previous image. transfer the package via FTP. 11. If you are not returned to the last window you were in. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter. return to the Network Voyager and verify that the image was set properly. then log back on to set the environmental variables. 20. Return to the CLI console and type Reboot. 14. 13. This directory is deleted when the upgrade is complete and the system is rebooting. In the window that opens. Using bin mode. select Commit testboot and click Apply. The package is loaded and the products are upgraded. Chapter 4 Upgrading a Distributed Deployment 123 . Nokia recommends creating a directory under /var and downloading the package to it. ensuring that the installation package does not consume flash memory. 16. Once the reboot is complete. When the process is complete. In the Network Voyager. click System Configuration > Manage IPSO Images. Log on to the Network Voyager.

Upgrading the VPN-1 Express CI R57 Component to R65

Upgrading a VPN-1 Express CI R57 gateway component to NGX R65 is not supported. Perform a fresh NGX R65 installation (refer to the CheckPoint R65 Internet Security Products Getting Started Guide).

Chapter 5
Backup and Revert for VPN-1 Power/UTM

In This Chapter
Introduction
Backing Up Your Current Deployment
Restoring a Deployment
SecurePlatform Backup and Restore Commands
SecurePlatform Snapshot Image Management
Reverting to Your Previous Deployment

Introduction

Before you perform an upgrade process, you should back up your current configuration. The purpose of the backup process is to back up the entire configuration, and to restore it if necessary, for example, in the event that the upgrade process is unsuccessful.

To back up your configuration, use the Export utility tool of the version for which you are creating a backup file. For example, if you are backing up NG with Application Intelligence R55, use the NG with Application Intelligence Export utility tool. The backup file contains your current system configuration (for example, objects, rules, and users) and can be used to restore your previous configuration if the upgrade process fails. The restoration procedure restores the configuration in effect when the backup procedure was executed.

Note - Operating system level configurations (for example, network configuration) are not exported.

If you are performing an upgrade process on SecurePlatform, you do not have to back up your configuration using the Export utility. SecurePlatform provides the option of backing up your configuration during the Upgrade process.

Backing Up Your Current Deployment

To back up your current deployment:
1. In the original SmartCenter server, insert the product CD for the version you are backing up.
2. Select the Export option in the installation wizard, or use the Export tool located in the relevant operating system directory on the product CD. Once the Export utility process is complete, the configuration file is created in the chosen destination path in a tar gzipped format (.tgz).

Warning - The configuration file (.tgz) contains your product configuration. It is highly recommended to delete it after completing the import process.

Restoring a Deployment

To restore a deployment:
1. Copy the exported .tgz file to the target SmartCenter server.
2. In the SmartCenter server, insert the product CD for the version being restored.
3. Using the available options, perform an installation using an imported configuration file.

SecurePlatform Backup and Restore Commands

In This Section
Backup
Restore

SecurePlatform NGX provides a command line or Web GUI capability for conducting backups of your system settings and products configuration. The backup utility can store backups either locally on the SecurePlatform machine hard drive, or remotely to a TFTP server or an SCP server. The backup can be performed on request, or it can be scheduled to take place at set intervals. The backup files are kept in tar gzipped format (.tgz). Backup files, saved locally, are kept in /var/CPbackup/backups.

The restore utility is used for restoring SecurePlatform settings and/or product configurations from backup files. Expert permissions are required to perform the backup and restore procedures.

Backup

This command is used to back up the system configuration. You can also copy backup files to a number of SCP and TFTP servers for improved backup robustness. The backup command, when run by itself without any additional flags, uses default backup settings and performs a local backup.

Syntax

backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [[--tftp <ServerIP> [-path <Path>] [<Filename>]] | [--scp <ServerIP> <Username> <Password> [-path <Path>][<Filename>]] | [--file [-path <Path>][<Filename>]]

Parameters

Table 5-1 Backup Parameters

Parameter
    Meaning

-h
    obtain usage

-d
    debug flag

-l
    Enables VPN-1 log backup (By default, VPN-1 logs are not backed up.)

--purge DAYS
    Deletes old backups from previous backup attempts

[--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
    Schedule interval at which backup is to take place
    • On - specify time and day of week, or day of month
    • Off - disable schedule

--tftp <ServerIP> [-path <Path>][<Filename>]
    List of IP addresses of TFTP servers, on which the configuration is to be backed up, and optionally the filename

--scp <ServerIP> <Username> <Password>[-path <Path>] [<Filename>]
    List of IP addresses of SCP servers, on which the configuration is to be backed up, the username and password used to access the SCP server, and optionally the filename

--file [-path <Path>]<Filename>
    When the backup is performed locally, specify an optional filename

Restore

This command is used to restore the system configuration.

Syntax

restore [-h] [-d][[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]

Parameters

Table 5-2

Parameter
    Meaning

-h
    obtain usage

-d
    debug flag

--tftp <ServerIP> [<Filename>]
    IP address of TFTP server, from which the configuration is restored, and the filename

--scp <ServerIP> <Username> <Password> [<Filename>]
    IP address of SCP server, from which the configuration is restored, the username and password used to access the SCP server, and the filename

--file <Filename>
    Specify a filename for restore operation, performed locally

For additional information about the backup and restore utilities, refer to the System Commands section in the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide.

SecurePlatform Snapshot Image Management

In This Section
Snapshot
Revert

SecurePlatform provides the option of backing up the entire SecurePlatform operating system and all of its products using the snapshot command. A snapshot of the system can be taken manually using the snapshot command or automatically during an upgrade procedure using the SafeUpgrade option.

The snapshot and revert commands can use a TFTP server or an SCP server to store snapshots. Alternatively, snapshots can be stored locally.

Snapshot

This command creates a snapshot file. The snapshot command, run by itself without any additional flags, uses the default backup settings and creates a local snapshot.

Syntax

snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]

Parameters

Table 5-3 Snapshot Parameters

Parameter
    Meaning

-h
    obtain usage

-d
    debug flag

--tftp <ServerIP> <Filename>
    IP address of the TFTP server, from which the snapshot is taken, as well as the filename of the snapshot

--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server, from which the snapshot is taken, the username and password used to access the SCP server, and the filename of the snapshot

--file <Filename>
    When the snapshot is made locally, specify a filename

Revert

This command reboots the system from a snapshot file. The revert command, run by itself without any additional flags, uses default backup settings, and reboots the system from a local snapshot.

revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]

Parameters

Table 5-4 Revert Parameters

Parameter
    Meaning

-h
    obtain usage

-d
    debug flag

--tftp <ServerIP> <Filename>
    IP address of the TFTP server, from which the snapshot is rebooted, as well as the filename of the snapshot

--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server, from which the snapshot is rebooted, the username and password used to access the SCP server, and the filename of the snapshot

--file <Filename>
    When the snapshot is made locally, specify a filename

The revert command functionality can also be accessed from the Snapshot image management boot option.

Reverting to Your Previous Deployment

In This Section
To an Earlier Version on a Nokia Platform
To an Earlier Version on a Windows Platform
To an Earlier Version on a Solaris Platform
To an Earlier Version on a SecurePlatform
To an Earlier Version on a Linux Platform
ICA Considerations

To revert to the version active before NGX R65 VPN-1 Power/UTM, perform the relevant procedures described in this section.

To an Earlier Version on a Nokia Platform

To revert to a prior software version on a Nokia platform:
• If you are reverting to an NG or NGX version that is compatible with your current IPSO version, deactivate the NGX R65 products, making sure to deactivate VPN-1 Power/UTM last, and then reactivate the previous product versions.

Note - Make sure to remove all NGX R65 products and compatibility packages before removing the NGX R65 CPsuite.

or

If you are reverting to an NG version that requires an earlier IPSO version, do the following:
1. On the IPSO Image Management page in Network Voyager, select the earlier IPSO image and reboot. When you revert to the earlier image, IPSO automatically reverts to the saved configuration set associated with that image.
2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the NGX R65 versions are disabled.

Note - On flash-based platforms, the NGX R65 packages no longer appear in the Manage Packages page since they were never part of the previous configuration set.

To an Earlier Version on a Windows Platform

To revert to a prior software version on a Windows platform:
• In the Add/Remove Programs applet, select Check Point VPN-1 Power/Express NGX R65.

To an Earlier Version on a Solaris Platform

To revert to a prior software version on a Solaris platform:
• Run the command: pkgrm CPsuite-R65.

To an Earlier Version on a SecurePlatform

To revert to a prior software version on a SecurePlatform:
1. On SecurePlatform machines, enter expert mode to uninstall the package.
2. Run the command: rpm -e CPsuite-R65-00.

To an Earlier Version on a Linux Platform

To revert to a prior software version on a Linux platform:
• Run the command: rpm -e CPsuite-R65-00.

ICA Considerations

Once the Revert process is complete, certificates issued during the use of NGX R65 remain valid. While these certificates are valid, they cannot yet be managed by the Internal CA.

To resume management of older certificates after the Revert process:
1. Back up the InternalCA.NDB and ICA.crl files (located in the $FWDIR/conf directory) and all *.crl files (located in the $FWDIR/conf/crl directory) from the version prior to NGX R65 (for example, from NG with Application Intelligence R55) to a location of your choice.
2. Copy the NGX R65 InternalCA.NDB, ICA.crl and the *.crl files (located in the $FWDIR/conf directory) from the current NGX R65 version and use them to overwrite the files (for example, the NG with Application Intelligence R55 files) in the location specified in step 1 (in the $FWDIR/conf directory).

Note - If the Upgrade process was performed on a machine that runs a different operating system than the original machine, the InternalCA.NDB file must be converted after it is copied to the reverted environment. To do this, run the ‘cpca_dbutil d2u’ command line from the reverted environment.

3. Once the Revert process is complete, use the ICA Management Tool to review certificates created using NGX R65 in the reverted environment (for example, the NG with Application Intelligence R55 environment). For example, the subject to which a specific certificate was issued may no longer exist. In such a case, you may want to revoke the specific certificate.

For additional information, refer to The Internal Certificate Authority (ICA) and the ICA Management Tool chapter in the R65 SmartCenter Administration Guide.
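Step 1 of the ICA procedure above, as an added shell example that is not part of the Check Point guide: it copies the Internal CA database and CRL files out of an $FWDIR tree and records SHA-256 checksums, so the backup can be verified before step 2 overwrites anything. Only the file names and the conf and conf/crl directories come from the text; the function names, the destination layout, the MANIFEST.sha256 file and the sample files in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code. File names and directories follow the
# ICA Considerations text; everything else here is an assumption.

# Print the SHA-256 digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_ica_backup <dest>: re-hash every file listed in the manifest.
# Fails on any mismatch, a missing file, or a manifest with fewer than the
# two mandatory entries (InternalCA.NDB and ICA.crl).
verify_ica_backup() (
    dest=$1
    n=0
    [ -f "$dest/MANIFEST.sha256" ] || return 1
    while read -r sum rel; do
        if [ "$(sha256_of "$dest/$rel")" != "$sum" ]; then
            echo "checksum mismatch: $rel" >&2
            return 1
        fi
        n=$((n + 1))
    done < "$dest/MANIFEST.sha256"
    [ "$n" -ge 2 ]
)

# backup_ica_files <fwdir> <dest>: copy conf/InternalCA.NDB, conf/ICA.crl and
# conf/crl/*.crl into <dest>, keeping the relative paths.
backup_ica_files() (
    fwdir=$1
    dest=$2
    conf="$fwdir/conf"
    umask 077                       # CA material: backup readable by owner only
    for f in InternalCA.NDB ICA.crl; do
        if [ ! -f "$conf/$f" ]; then
            echo "missing $conf/$f, nothing copied" >&2
            return 1
        fi
    done
    if [ -e "$dest" ]; then         # never merge into an older backup
        echo "refusing to reuse existing $dest" >&2
        return 1
    fi
    mkdir -p "$dest/conf/crl" || return 1
    : > "$dest/MANIFEST.sha256"
    for f in "$conf/InternalCA.NDB" "$conf/ICA.crl" "$conf"/crl/*.crl; do
        [ -f "$f" ] || continue     # unmatched glob when conf/crl has no CRLs
        rel=${f#"$fwdir"/}
        cp -p "$f" "$dest/$rel" || return 1
        printf '%s  %s\n' "$(sha256_of "$f")" "$rel" >> "$dest/MANIFEST.sha256"
    done
    verify_ica_backup "$dest"
)

# Demo on a constructed tree (sample contents are placeholders, not real CA data).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/fwdir/conf/crl"
    printf 'constructed NDB\n' > "$tmp/fwdir/conf/InternalCA.NDB"
    printf 'constructed CRL\n' > "$tmp/fwdir/conf/ICA.crl"
    printf 'constructed CRL 1\n' > "$tmp/fwdir/conf/crl/ICA_CRL1.crl"
    backup_ica_files "$tmp/fwdir" "$tmp/ica-backup" && cat "$tmp/ica-backup/MANIFEST.sha256"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run `verify_ica_backup` against the backup directory again immediately before performing step 2, and keep the backup off the gateway once the revert is finished.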


Chapter 6
Upgrading a Standalone Deployment

In This Chapter
Introduction
Pre-Upgrade Considerations
Standalone VPN-1 Gateway Upgrade on a Windows Platform
Standalone VPN-1 Gateway Upgrade on SecurePlatform
Standalone Upgrade on UTM-1
Standalone Upgrade on UTM-1 using the WebUI
VPN-1 Gateway Upgrade on Pre-R54 SecurePlatform Versions
Standalone VPN-1 Gateway Upgrade on a Solaris Platform
Standalone VPN-1 Gateway Upgrade on an IPSO Platform
VPN-1 Express CI R57 to NGX R65 on SecurePlatform

Introduction

This chapter describes the process of upgrading a VPN-1 standalone deployment to NGX R65. A standalone deployment consists of the SmartCenter server and gateway installed on the same system. Since backward compatibility is supported, a SmartCenter server that has been upgraded to NGX R65 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway.

The NGX R65 SmartCenter server can manage the following gateways:

Release
    Version

NGX
    VPN-1 Power/UTM NGX R62
    VPN-1 Pro/Express NGX R61
    VPN-1 Pro/Express NGX R60A
    VPN-1 Pro/Express NGX R60

NG
    VPN-1 Pro NG R55P
    VPN-1 Pro NG R55W
    VPN-1 Pro/Express NG With Application Intelligence R55
    VPN-1 Pro/Express NG With Application Intelligence R54
    VPN-1 Pro/Express NG FP3

Express CI
    R57

GX
    2.5
    NGX

VSX
    VSX 2.0.1
    VSX NG AI
    VSX NG AI Release 2
    VSX NGX

InterSpect
    NGX

Connectra
    NGX R62

Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2.

Upgrading versions 4.0-4.1

Upgrading from versions prior to NG (4.0-4.1) is not supported.

To upgrade FireWall-1 versions 4.0 and 4.1:
1. Upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide).
2. Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R65.

Pre-Upgrade Considerations

In This Section
License Upgrade to NGX
Upgrading Products on a SecurePlatform Operating System
Reverting to Your Previous Software Version
VPN-1 Express CI R57 to NGX R65 on SecurePlatform

License Upgrade to NGX

Before upgrading the software, it is highly recommended to upgrade licenses for all NG products. NGX R65 with licenses from previous versions will not function. If necessary, the license upgrade can be performed after the software upgrade. For details, refer to “Upgrading Licenses for Products Prior to NGX” on page 29.

Use of the Pre-Upgrade verification tool can reduce the risk of incompatibility with the deployment to NGX R65. It is used to test the current VPN-1 gateway prior to upgrading to NGX R65. The Pre-Upgrade verification tool produces a detailed report of what should be done before performing an upgrade to NGX R65 (refer to “Using the Pre-Upgrade Verification Tool” on page 142).

Upgrading Products on a SecurePlatform Operating System

Upgrading to NGX R65 over a SecurePlatform operating system requires upgrading both the operating system and the installed software products. To upgrade products installed on SecurePlatform, refer to Standalone VPN-1 Gateway Upgrade on SecurePlatform. This process upgrades all the installed components (Operating System and software packages) in a single upgrade process. No further upgrades are required.

Reverting to Your Previous Software Version

Before you perform an upgrade process you should back up your current SecurePlatform configuration. The purpose of the back up process is to back up the entire SecurePlatform configuration, and to restore it if necessary, for example, in the event that the Upgrade process is unsuccessful.

To back up your configuration, use the SecurePlatform snapshot and revert commands (for additional information, refer to “SecurePlatform Backup and Restore Commands” on page 129).

Warning - For all operating systems except SecurePlatform, an NGX R65 upgrade cannot be reverted to its previous version, once it is complete.

Using the Pre-Upgrade Verification Tool

Pre-upgrade verification runs automatically (or manually if desired) during the VPN-1 upgrade. Pre-upgrade verification performs a compatibility analysis of the currently installed deployment and its current configuration. A detailed report is provided, indicating the appropriate actions that should be taken before and after the upgrade process. This tool can also be used manually.

Usage:

pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w]
or
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -i[-f FileName][-w]

-p    Path of the installed SmartCenter server (FWDIR)
-c    Currently installed version
-t    Target version
-i    Check originality of INSPECT files only
-f    Output in file
-w    Web format file

5 VSX_2. Action Items Before and After the Pre-Upgrade Process • • errors .-f redirects the standard output to a file.Items that you should consider repairing before and after performing the upgrade.0. Chapter 6 Upgrading a Standalone Deployment 143 .Items that must be repaired before and after performing the upgrade.Pre-Upgrade Considerations Where the currently installed version is one of the following: For Release NGX Version is: NGX_R62 NGX_R61 NGX_R60A NGX_R60 NG_R55 NG_R55P NG_R55 NG_R54 NG_FP3 NG GX_2. warnings . the upgrade will fail. Note . If you proceed with the upgrade while errors exist.1 VSX_NG_AI VSX_NG_AI_Release_2 NG GX VSX The target version is: NGX_R65.

an be reverted to its previous version once it is complete.Standalone VPN-1 Gateway Upgrade on a Windows Platform Standalone VPN-1 Gateway Upgrade on a Windows Platform It is recommended that before you perform an upgrade process. Pre-upgrade verification performs a compatibility analysis of the currently installed VPN-1 gateway and of its current configuration. Agree to the EULA and verify your contract information. select Upgrade. 3. When the pre-upgrade verification recommendation appears. select Upgrade again. 144 . Execute the Installation package. it should be the last package uninstalled. Check Point packages need to be uninstalled in the opposite order to which they were installed.For all operating systems except SecurePlatform. From the Upgrade Options screen. 5. select whether or not the Pre-upgrade verification tool should be executed (refer to “Using the Pre-Upgrade Verification Tool” on page 142). When prompted. NGX R65 upgrade cannot Uninstalling Packages Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. 2. A detailed report is provided. The tool can be used manually as well. you should back up your current configuration. 7. indicating appropriate actions that should be taken before and after the upgrade process. Another verification is run. Warning . in case the upgrade process is unsuccessful. Access your NGX R65 CD. 6. To perform an upgrade on a Windows platform: 1. refer to Backing Up Your Current Deployment page 127. reboot your VPN-1 server. For additional information. For more information on contracts. From the Upgrade Options screen. “On a Windows Platform” on page 69 4. Since CPsuite is the first package installed.

Standalone VPN-1 Gateway Upgrade on SecurePlatform

Upgrading to NGX R65 on a SecurePlatform operating system requires updating both the operating system and the installed software products. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required.

The procedure in this section applies to the following gateway versions:
• R62
• R61
• R60A
• R60
• R55W
• R55
• R54

For details on upgrading SecurePlatform versions prior to R54, refer to “VPN-1 Gateway Upgrade on Pre-R54 SecurePlatform Versions” on page 151.

Warning - For all operating systems except SecurePlatform, an NGX R65 upgrade cannot be reverted to its previous version once it is complete.

To perform an upgrade on a SecurePlatform server:
1. Insert CD1 of the NGX R65 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.

Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.

6. The welcome message is displayed. Enter n.

7. Accept the license agreement, and verify your contract information. For more information on contracts, see “On SecurePlatform, Linux, and Solaris Gateways” on page 76.
8. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the SmartCenter configuration.
   iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [S] to simulate the license upgrade.
   • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   • Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to view a list of the installed packages, and rpm -e <package name> to uninstall a package.

Standalone Upgrade on UTM-1

Upgrading to NGX R65 on a SecurePlatform operating system requires updating both the operating system and the installed software products. The procedure in this section applies to UTM-1. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Refer to the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide for additional information.

To perform an upgrade on a SecurePlatform:

1. Install an external CD-ROM drive to the appliance by running the following commands:
       mkdir /mnt/cdrom
       modprobe usb-storage
       modprobe usb-uhci
       mount /dev/scd0 /mnt/cdrom
2. Insert CD1 of the NGX R65 media kit into the CD drive.
3. At the command prompt, enter patch add cd.
4. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
5. Enter y to accept the checksum calculation.
6. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.
7. The welcome message is displayed. Enter n.
8. Accept the license agreement, and verify your contract information.
9. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration
   • Perform pre-upgrade verification only

   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the SmartCenter configuration.
   iii. Upgrade the installation.
10. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [S] to simulate the license upgrade.
   • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   • Enter [Q] to quit.
11. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.

Open SmartUpdate and attach the new NGX licenses to the gateways.

Standalone Upgrade on UTM-1 using the WebUI

To upgrade your appliance:

1. Download an upgrade package, as directed. If you already downloaded the file, you can skip this step.
2. Select the upgrade package file.
3. Click Upload package to appliance. The Current Upgrade File on Appliance section displays the information of the current upgrade.
4. Click Start Upgrade.
5. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful. The Save an Image before Upgrade page displays the image information. Click Next.
6. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image. Click Next.
7. To begin the upgrade, click Start.

VPN-1 Gateway Upgrade on Pre-R54 SecurePlatform Versions

Upgrading to NGX R65 on a SecurePlatform operating system requires updating both operating system and software products installed. The following procedure is for gateway versions:

• NG
• NG FP2
• NG FP3
• NG FP3 Edition 2

The process described in this section will result with an upgrade of all components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Upgrading pre-R54 versions requires an upgrade of the patch command. For additional information, refer to the R65 SecurePlatform/SecurePlatformPro Administration Guide.

Warning - Once an NGX R65 upgrade is complete for all operating systems except SecurePlatform it cannot be reverted to its previous versions.

To perform an upgrade on pre-R54 versions of SecurePlatform:

1. Insert the SecurePlatform NGX R65 CD into the CD drive.
2. Enter the Expert mode:
       # expert
3. Mount the CD and upgrade the patch command using the following syntax:
       # mount /mnt/cdrom
       # patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_*.tgz
4. Insert CD2 of the NGX R65 media kit into the CD drive.
5. At the command prompt, enter patch add cd.
6. Select SecurePlatform NGX R65 Upgrade Package (CPsupgrade_R65.tgz).
7. Enter y to accept the checksum calculation.

8. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
9. The welcome message is displayed. Enter n.
10. Accept the license agreement, and verify your contract information. For more information on contracts, see: “On SecurePlatform, Linux, and Solaris Gateways” on page 76
11. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the SmartCenter configuration.
   iii. Upgrade the installation.
12. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [S] to simulate the license upgrade.
   • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   • Enter [Q] to quit.
13. Select a source for the upgrade utilities.

Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.

14. Open SmartUpdate and attach the new NGX licenses to the gateways.

Uninstalling Packages

Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to view a list of the installed packages, and rpm -e <package name> to uninstall a package.

If a situation arises in which a revert to your previous configuration is required. and mount the CD. Enter n. Your configuration is ready for upgrade. 154 . run the pre-upgrade verifier again. Enter n. before you perform an upgrade process. refer to Chapter 3: “Backup and Revert for VPN-1 Power/UTM”. View the results and follow any recommendations. The products are upgraded. For more information on contracts. The wrapper welcome message is displayed. Select upgrade. You are prompted to select the products from a list. 4. Wait until the successful message is displayed. To install additional products. select Upgrade installed products and install new products. Enter n to validate the products to install. and Solaris Gateways” on page 76 5. Reboot. 7. Then. To perform the upgrade. 8. and verify your contract information. 12. Select a source for the upgrade utilities. 2. 6. 3. see: “On SecurePlatform. Enter y to agree to the End-user License Agreement. select Upgrade installed products. Enter e to exit. To perform an upgrade on a Solaris Platform: 1. Run UnixInstallScript. Linux.Standalone VPN-1 Gateway Upgrade on a Solaris Platform Standalone VPN-1 Gateway Upgrade on a Solaris Platform This section describes the upgrade process using the NGX R65 CD. it is recommended to download the latest tools from the Check Point website. 11. Insert CD3 of the NGX R65 media kit into the CD drive. This message is displayed: The pre-Upgrade Verification was completed successfully. refer to “Revert” on page 134 for details. The pre-upgrade verification process runs automatically. Although the NGX R65 upgrade utilities are on the NGX R65 CD. It is recommended that you back up your current configuration. For additional information. 9. Enter n. 10.

13. After you complete the upgrade process:
   a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
   b. Open the gateway object properties window for the upgraded gateway and change the version to NGX R65.
   c. Perform Install Policy on the upgraded gateway.

If a situation arises in which a revert to your previous configuration is required, refer to “Reverting to Your Previous Deployment” on page 135 for details.

The New Image Installation Upgrade window opens.tgz 2. You are informed that the file download and image installation may take some time. From the Check Point website. To perform a gateway upgrade on an IPSO platform: 1. Click Apply.1 or 4. Enter the following information: Enter URL to the image location Enter HTTP Realm (for HTTP URLs only) Enter Username (if applicable) Enter Password (if applicable) 5. 156 . If a situation arises in which a revert to your previous configuration is required refer to “Reverting to Your Previous Deployment” on page 135 for details. 4. refer to the Nokia Network Voyager Reference Guide. Note . for example.2 3. For additional information. Click System Configuration > Install New IPSO Image (Upgrade). A message is displayed indicating that the new image installation process has started. Enter the Network Voyager and open a CLI console. When you receive a Success message. click UP > UP > Manage IPSO Images. Click Apply. in the event that the upgrade process is unsuccessful. before you perform an upgrade process. download the NGX R65 upgrade package: IPSO_Wrapper_R65. The IPSO Image Management window opens. you must first install either IPSO 4.Standalone VPN-1 Gateway Upgrade on an IPSO Platform Standalone VPN-1 Gateway Upgrade on an IPSO Platform This section describes the upgrade process on an IPSO Platform. 6. IPSO has its own back up and restore facility. 7. It is recommended that you back up your current configuration.For NGX R65.

16. In the Network Voyager. Perform an FTP using bin mode to transfer the IPSO_Wrapper_R65. a message is displayed indicating that the process was successful. 18. Stand Alone or Distributed. If you are not returned to the last window you were in. Installs NGX R65 products but does not activate them. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter. 10. Once the process is complete. Under the title Select an image for next boot. 15. You should be able to see that the relevant IPSO Image is selected. 12. Select Commit testboot and click Apply. select the last downloaded image. Select an installation type. Select a product: • • Check Point Power for headquarters and branch offices Check Point UTM for medium-sized businesses 20. This command: • • • Deactivates previous Check Point packages but does not delete them. 23. Click Test Boot. 22.tgz package. 24. From a console connection. 13. 11. go back to the Network Voyager to verify that the image was set properly. 17. 14. Configure an administrator name and password. 19. Chapter 6 Upgrading a Standalone Deployment 157 .Standalone VPN-1 Gateway Upgrade on an IPSO Platform 8. run cpconfig. click System Configuration > Manage IPSO Images. click Refresh and log in. Access the CLI console to see when the Reboot is complete. Finds the upgrade tools in $FWDIR and performs an import/export operation to preserve the previous configuration. 21. 9. Type Reboot and press Enter. Select Enterprise SmartCenter from the selection list. Add Licenses. Specify the SmartCenter type as Primary or Secondary. Once the Reboot is complete. Access the CLI console and log in.

the previous packages can be activated using the Network Voyager. 28. 26. Type randomly until the progress bar is full. If you opt not to start the installed products at this time. select the earlier IPSO image and reboot. confirm that the previous versions of Check Point packages are enabled and the NGX R65 versions are disabled.Standalone VPN-1 Gateway Upgrade on an IPSO Platform 25. Note . 30. Uninstalling Previous Software Packages If you are reverting to an NG or NGX version that is compatible with your current IPSO version. 27. Configure the GUI clients and hosts which can access the SmartCenter server using SmartConsole.On flash-based platforms. When you revert to the earlier image. Note . If you are reverting to an NG version that requires an earlier IPSO version: 1. making sure to deactivate VPN-1 Power/UTM last. the NGX R65 packages will no longer appear in the Manage Packages page since they were never part of the previous configuration set. On the Manage Packages page. 2. “On IPSO” on page 81 for more information.The previous Check Point packages remain installed but deactivated. From the IPSO Image Management page in the Network Voyager. reactivate the previous product versions. Use SmartUpdate to obtain a valid contract. Configure Group Permissions. and save the CA’s Fingerprint to a file. 158 . 29. Configure the Certificate Authority. they can be started later by running cpstart. Start the installed products. IPSO automatically reverts to using the saved configuration set associated with that image. Configure a pool of characters for use in cryptographic operations. Should the need arise. deactivate the NGX R65 products. Then.

VPN-1 Express CI R57 to NGX R65 on SecurePlatform

Upgrading an existing VPN-1 Express CI R57 requires a manual process using the upgrade_import and upgrade_export tools located on the product CD in the relevant platform directory, or in $FWDIR\bin\upgrade_tools.

Note - This upgrade from VPN-1 Express CI R57 to NGX R65 is only supported for SecurePlatform.

Upgrading a Standalone Deployment to R65

This section describes how to perform an advanced upgrade on a spare machine.

To perform an advanced upgrade on a spare machine:

1. Locate the upgrade_import and upgrade_export tools in the $FWDIR\bin\upgrade_tools. (The tools are also available on the product CD.)
2. Insert the NGX R65 CD.
3. Select Export in Upgrade Options. If you opt to perform the Export procedure manually, make sure that you are using the NGX R65 Export tool.
4. Select the destination path of the configuration (.tgz) file. Wait while the database files are exported.
5. Copy the exported .tgz file.
6. Select Installation using Imported Configuration (Windows) or Advanced Upgrade (Solaris) in the Installation Options. This option prompts you for the location of the imported .tgz configuration file. It then automatically installs the new software and utilizes the imported .tgz configuration file.

Warning - The configuration file (.tgz) contains your security configuration. It is highly recommended to delete it after completing the import process.
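The warning above treats the exported .tgz as sensitive material with a short life. The following is an added example, not part of the guide or of Check Point's tools, of handling the archive around the copy and import steps: restrict it to its owner, record a digest before it is copied, verify the digest on the target, and remove it after import. The function names are hypothetical, the archive path is whatever you chose at export time, and GNU coreutils (sha256sum, optionally shred) is assumed on the host where these run.

```shell
#!/bin/sh
# Added example: protect, verify and retire an exported configuration archive.
# Function names are hypothetical; nothing here calls upgrade_export or upgrade_import.

# seal_export ARCHIVE
# Restrict the archive to its owner and write its SHA-256 digest to ARCHIVE.sha256.
seal_export() {
    archive=$1
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    chmod 600 "$archive" || return 1
    # Keep only the hex digest so the file can be compared on any host.
    sha256sum "$archive" | awk '{print $1}' > "$archive.sha256" || return 1
    chmod 600 "$archive.sha256"
}

# verify_export ARCHIVE DIGEST_FILE
# Returns 0 only when the archive's current digest equals the recorded one.
# Run this on the target machine after the copy and before the import.
verify_export() {
    archive=$1
    digest_file=$2
    [ -f "$archive" ] && [ -f "$digest_file" ] || return 2
    expected=$(cat "$digest_file")
    actual=$(sha256sum "$archive" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# retire_export ARCHIVE
# Remove the archive and its digest once the import has finished.
# shred overwrites before unlinking; on journaling or copy-on-write
# file systems the overwrite is best effort only.
retire_export() {
    archive=$1
    if [ -f "$archive" ]; then
        if command -v shred >/dev/null 2>&1; then
            shred -u "$archive" || return 1
        else
            rm -f "$archive" || return 1
        fi
    fi
    rm -f "$archive.sha256"
    [ ! -e "$archive" ]
}
```

Run seal_export on the source machine right after the export, verify_export on the spare machine before selecting the imported configuration, and retire_export on every machine that still holds a copy once the import is complete.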


Chapter 7
Advanced Upgrade of SmartCenter Servers & Standalone Gateways

In This Chapter

Introduction
Migrate Your Current SmartCenter Configuration and Upgrade
Migrate Your Current VPN-1 Gateway Configuration & Upgrade

Introduction

There are a number of reasons for performing an advanced upgrade, for example if you need to:

• Upgrade to NGX R65 while replacing the Operating System on which the current SmartCenter is installed.
• Upgrade to NGX R65 while migrating to a new server.
• Upgrade to NGX R65 while avoiding unnecessary risks to the production SmartCenter server in case of failure during the upgrade process.

To avoid unnecessary risks, it is possible to migrate the current configuration of the production SmartCenter server, to a new SmartCenter server.

Migrate Your Current SmartCenter Configuration and Upgrade

In This Section

Introduction
Advanced Upgrade on a Windows Platform
Advanced Upgrade on a Linux Platform
Advanced Upgrade on SecurePlatform
Advanced Upgrade on an IPSO Platform
Advanced Upgrade on a Solaris Platform
Migration to a New Machine with a Different IP Address

Introduction

This section describes the advanced upgrade procedure for SmartCenter. The advanced upgrade procedure involves two machines. The first machine is the working production machine. The second machine is off-line, and only contains the operating system. The SmartCenter server is freshly installed on the second machine and the configuration of the first machine is imported.

When migrating to a new SmartCenter server, the destination server should have the same IP configuration as the original SmartCenter server. If you are migrating to a new machine with a different IP address, see “Migration to a New Machine with a Different IP Address” on page 176.

Advanced Upgrade on a Windows Platform

To perform an advanced upgrade on a Windows platform:

1. Insert the NGX R65 CD into the production SmartCenter server.
2. Accept the license agreement and click next.
3. Under Upgrade Options, select Export. If you opt to perform the Export procedure manually, make sure you are using the NGX R65 Export tool. The upgrade_export tool is located on the product CD under the windows directory.

4. When prompted, select Use the upgrade utilities from the CD. If this is not possible, download the most recently updated upgrade utilities from the Check Point website.
5. Perform the Pre-Upgrade Verification.
6. Select the destination path for the configuration (.tgz) file. Wait until the database files are exported.
7. Copy the exported .tgz file to the new SmartCenter server.
8. Insert the NGX R65 CD into the target SmartCenter server.
9. Do one of the following:
   • Perform a fresh install of SmartCenter server and import the configuration file. When prompted, select Installation using Imported Configuration. This option prompts you for the location of the imported .tgz configuration file and then automatically installs the new software and utilizes the imported .tgz configuration file.
   • Perform a fresh install of SmartCenter server, and manually import the configuration file using the upgrade_import tool on the NGX R65 CD.

Warning - The configuration file (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the import process.

Advanced Upgrade on a Linux Platform

Advanced upgrade on a Linux Platform involves one of the following:

• Performing a new installation, and manually importing a previously exported configuration, or:
• Performing a new installation and upgrade through the wrapper. The wrapper automatically performs the install, and the upgrade_import process.

Performing a New Installation (Manually Importing the Configuration)

To perform a new installation and manually import the configuration:

1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.

13. Enter n. Use the Check Point Configuration program to: a. The recommended way of managing licenses is through SmartUpdate. Configure a pool of characters: For use in cryptographic operations. 14. Enter y to agree to the End-user License Agreement.Migrate Your Current SmartCenter Configuration and Upgrade 3. d. 8. 4. Specify the SmartCenter type to install: • • • Primary SmartCenter Secondary SmartCenter Log server 12. b. Enter n. From the list of products. the Check Point Configuration Program opens. Log in again to the root account to set the new environment variables. Select New installation as the installation option. Enter n to validate the products to install. Chapter 7 Advanced Upgrade of SmartCenter Servers & Standalone Gateways 165 . Enter n. 7. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole. f. 16. 9. Select the products: • • Check Point Power (for headquarters and branch offices) Check Point UTM (for medium-sized businesses) 6. After product installation. Type randomly until the progress bar is full. for example through FTP. Transfer the exported configuration to the new Solaris installation. e. 5. Enter n. c. Configure group permissions: Specifies a group name. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. 10. Start the installed products. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file. 11. Enter n. 15. select SmartCenter.

or q to quit. Enter n. Run . To import a SmartCenter configuration and upgrade it. 2. Change directory to /opt/CPsuite-R65/fw1/bin/upgrade tools Make sure that the upgrade tools in this directory are the R65 upgrade tools. 20. refer to “Upgrading Licenses for Products Prior to NGX” on page 29. refer to “Upgrading Licenses for Products Prior to NGX” on page 29./upgrade_import <name_of_exported_configuration_file.Migrate Your Current SmartCenter Configuration and Upgrade 17. Insert CD2 of the NGX R65 media kit into the CD drive.checkpoint. The license upgrade wrapper runs. 3. 8. If you choose to continue. Wait for the message: upgrade_import finished successfully! 22. If you choose to continue. Enter c to continue. Enter y to stop all Check Point services. and mount the CD. or q to quit. the compressed file that contains the exported configuration. The license upgrade wrapper runs.com/downloads/quicklinks/utilities/ngx/utilities.tgz> 19. 9. and name of. Enter y to restart Check Point Services. For the installation option. Enter c to continue.html 18. Select products: • • Check Point Power for headquarters and branch offices Check Point UTM for medium-sized businesses 6. taken from the installation CD or downloaded from the Check Point website: http://www. 21. 7. Performing a New Installation To perform a new installation and upgrade using the Wrapper: 1. enter the path to. Run UnixInstallScript. 5. 166 . Enter y to agree to the End-user License Agreement. Enter n. 4. Enter n. The wrapper welcome message is displayed. select Installation Using Imported Configuration.

b. 14. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.Migrate Your Current SmartCenter Configuration and Upgrade 10. While the R65 upgrade utilities are on the NGX R65 CD. Chapter 7 Advanced Upgrade of SmartCenter Servers & Standalone Gateways 167 . 18. 16. d.checkpoint. 12.html 11. After product installation. f. Enter n. The recommended way of managing licenses is through SmartUpdate. Use the Check Point Configuration program to: a. Log in again to the root account to set the new environment variables. the Check Point Configuration Program opens. 17. Enter n. run: cpstart. it is recommended to download the latest tools from the Check Point website: http://www. Enter n to validate the products to install. 19. To start Check Point Services. Enter n. 13. The pre-upgrade verification process runs automatically. Type randomly until the progress bar is full. Select a source for the upgrade utilities. Specify an upgrade option: • • Upgrade installed products Upgrade installed products and install new products 15. e. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole. Configure a pool of characters: For use in cryptographic operations. Reboot. View the results and follow the recommendations. 20. Configure group permissions: Specifies a group name. Start the installed products.com/downloads/quicklinks/utilities/ngx/utilities. c. Add licenses: The Check Point Configuration Program only manages local licenses on this machine.

Advanced Upgrade on SecurePlatform

To perform an advanced upgrade on SecurePlatform:

1. Insert CD1 of the NGX R65 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform NGX R65 Upgrade Package (CPsupgrade_R65.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement.
8. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the SmartCenter configuration
   iii. Upgrade the installation
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [S] to simulate the license upgrade.
   • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [C] to check if currently installed licenses have been upgraded.

   • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   • Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.

Advanced Upgrade on an IPSO Platform

Advanced upgrade involves performing a new installation and manually importing a previously exported configuration.

To perform an advanced upgrade on an IPSO platform:

1. On the production machine, download the latest NGX R65 upgrade tools, and transfer them to $FWDIR/bin/upgrade_tools. (You need the latest NGX R65 upgrade tools to perform the export operation.)
2. On the production machine, run upgrade_export.
3. Transfer the resulting .tgz file to the second, off-line machine.
4. On the second, off-line machine, download from the Check Point website the NGX R65 upgrade package: IPSO_Wrapper_R65.tgz
5. From the command prompt, run:
       newpkg -S -m LOCAL -n <path_to>/IPSO_Wrapper_R65.tgz
   The package and products are installed but not activated.
6. Reboot.
7. From a console connection, run cpconfig.
8. Select a product:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
9. Select the installation type: Stand Alone or Distributed.
10. Select Enterprise SmartCenter from the list.
11. Specify the SmartCenter type as Primary or Secondary.
12. Add Licenses.
13. Configure an administrator name and password.
14. Configure the GUI clients and hosts which can access the SmartCenter server management component.
15. Configure Group Permissions.
16. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
17. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.

When prompted. 21. 20. Start the installed products by running cpstart.Migrate Your Current SmartCenter Configuration and Upgrade 18. Chapter 7 Advanced Upgrade of SmartCenter Servers & Standalone Gateways 171 . do not start the installed products. 19. run upgrade_import. From $FWDIR/bin/upgrade_tools. Reboot.

Advanced Upgrade on a Solaris Platform

To perform an advanced upgrade on a Solaris platform:

1. Insert CD3 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter.
10. Enter n.
11. Specify the SmartCenter type to install:
   • Primary SmartCenter
   • Secondary SmartCenter
   • Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
   f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, using FTP, for example.
17. Change the directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R65 upgrade tools taken from the installation CD or downloaded from the Check Point website.
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services.
20. The license upgrade wrapper runs. Enter c to continue, or q to quit. If you choose to continue, refer to “Upgrading Licenses for Products Prior to NGX” on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.

Performing a Solaris Installation and Upgrade

To perform a new Solaris installation and upgrade using the wrapper:

1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select products:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
6. Enter n.
7. For the installation option, select Installation Using Imported Configuration.
8. Enter n.
9. To import a SmartCenter configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration.
10. Enter n.
11. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website.
12. Enter n. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. The license upgrade wrapper runs. Enter c to continue, or q to quit. If you choose to continue, refer to “Upgrading Licenses for Products Prior to NGX” on page 29. The license upgrade process may take some time, as all the licenses are gathered and sent in SSL-encrypted format to the Check Point User Center.
14. Specify an upgrade option:
   • Upgrade installed products
   • Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
   f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.

Migration to a New Machine with a Different IP Address

Due to the nature of licenses (which are associated with IP addresses), when migrating your current SmartCenter configuration, verify that the destination server has the same IP configuration as the original SmartCenter. The following two sections explain the steps that should be performed when the new SmartCenter has a different IP address.

Before Migrating Your Original SmartCenter Server

To prepare to migrate a SmartCenter server to a new machine:

1. On the original SmartCenter server, add rules that will allow the new SmartCenter to access the gateways it will manage. To do this create a SmartCenter object that represents the new SmartCenter’s IP address: Manage > Network Objects > New… > Check Point > Host/Gateway and in the General Properties tab select Secondary SmartCenter Server in the Check Point Products section.
2. On the original SmartCenter server, create a security rule that allows FW1 (TCP 256), CPD (TCP 18191) services, and FW1_CPRID (TCP 18208) services to originate from the new SmartCenter server whose destination is all available gateways.
3. Install the new security policy on all gateways.
4. Perform the appropriate process to migrate your original SmartCenter server.

After Migrating Your Original SmartCenter Server

To complete the process of migrating a SmartCenter server to a new machine:

1. Update the SmartCenter licenses with the new IP address. If central licenses are used for the gateways, they should also be updated with the new IP Address. Refer to “Upgrading Licenses for Products Prior to NGX” on page 29 for additional information.
2. Use the cpstart command to start the new SmartCenter.
3. Access the new SmartCenter using SmartDashboard.
4. On the new SmartCenter, remove the object you created to represent the new SmartCenter’s IP address (refer to step 1 in the previous section).
5. On the new SmartCenter, update the primary SmartCenter object so that its IP Address and topology match its new configuration.
6. On the DNS server, map the SmartCenter’s DNS to the new IP address.

Migrate Your Current VPN-1 Gateway Configuration & Upgrade

In This Section:
Advanced Upgrade on a Windows Platform
Advanced Upgrade on a Linux Platform
Advanced Upgrade on SecurePlatform
Advanced Upgrade on an IPSO Platform
Advanced Upgrade on a Solaris Platform

This section covers the advanced upgrade procedure for VPN-1 gateways. The advanced upgrade procedure involves two machines. The first machine is the working production machine. The second machine is off-line, and only contains the operating system. The SmartCenter server is freshly installed on the second machine and the configuration of the first machine is imported.

Advanced Upgrade on a Windows Platform

To perform an advanced upgrade on a Windows platform:

1. Insert the NGX R65 CD into the production Gateway.
2. Accept the license agreement and click Next.
3. Under Upgrade Options, select Export. If you opt to perform the Export procedure manually, make sure that you are using the NGX R65 Export tool. The upgrade_export tool is located on the product CD under the Windows directory.
4. When prompted, download the most updated upgrade utilities from the Check Point website. If this is not possible, select Use the upgrade utilities from the CD.
5. Perform the Pre-Upgrade Verification.
6. Select the destination path for the configuration (.tgz) file. Wait until the database files are exported.
7. Copy the exported .tgz file to the new SmartCenter server.
8. Insert the NGX R65 CD into the target SmartCenter server.
9. Do one of the following:
   • Perform a fresh install of the VPN-1 gateway, and import the configuration file. When prompted, select Installation using Imported Configuration. This option prompts you for the location of the imported .tgz configuration file and then automatically installs the new software and utilizes the imported .tgz configuration file.
   • Perform a fresh install of VPN-1 gateway, and manually import the configuration file using the upgrade_import tool on the NGX R65 CD.

Warning - The configuration (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the import process.

Advanced Upgrade on a Linux Platform

Advanced upgrade involves either:
• Performing a new installation, and manually importing a previously exported configuration, or:
• Performing a new installation and upgrade through the wrapper. The wrapper automatically performs the install, and the upgrade_import process.

To perform a new installation and manually import the configuration:

1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
   • Check Point Power (for headquarters and branch offices)
   • Check Point UTM (for medium-sized businesses)
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter and VPN-1 Power/UTM.
10. Enter n.
11. Specify the SmartCenter type to install:
   • Primary SmartCenter
   • Secondary SmartCenter
   • Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After the installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
   f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example through FTP.
17. Change directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R65 upgrade tools, taken from the installation CD or downloaded from the Check Point website.
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services.
20. The license upgrade wrapper runs. Enter c to continue, or q to quit. If you choose to continue, refer to “Upgrading Licenses for Products Prior to NGX” on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.

To perform a new installation and upgrade using the wrapper:

1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
6. Enter n.
7. Select Installation Using Imported Configuration, for the installation option.
8. Enter n.
9. To import a SmartCenter configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration.
10. Enter n.
11. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
12. Enter n. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. The license upgrade wrapper runs. Enter c to continue, or q to quit. If you choose to continue, refer to “Upgrading Licenses for Products Prior to NGX” on page 29.
14. Specify an upgrade option:
   • Upgrade installed products
   • Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After the installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
   f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.

Advanced Upgrade on SecurePlatform

To perform an advanced upgrade on SecurePlatform:

1. Insert CD1 of the NGX R65 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform NGX R65 Upgrade Package (CPsupgrade_R65.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Enter y to agree to the license agreement.
8. Three upgrade options are displayed:
   • Upgrade
   • Export SmartCenter configuration
   • Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
   ii. Export the SmartCenter configuration.
   iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   • Enter [L] to view the licenses installed on your machine.
   • Enter [C] to check if currently installed licenses have been upgraded.
   • Enter [S] to simulate the license upgrade.
   • Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   • Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   • Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.

Advanced Upgrade on an IPSO Platform

Advanced upgrade involves performing a new installation and manually importing a previously exported configuration.

To perform an advanced upgrade on an IPSO platform:

1. On the production machine, download the latest NGX R65 upgrade tools, and transfer them to $FWDIR/bin/upgrade_tools. (You need the latest NGX R65 upgrade tools to perform the export operation.)
2. On the production machine, run upgrade_export.
3. Transfer the resulting .tgz file to the second, off-line machine.
4. On the second, off-line machine, download from the Check Point website the NGX R65 upgrade package: IPSO_Wrapper_R65.tgz
5. From the command prompt, run: newpkg -S -m LOCAL -n <path_to>/IPSO_Wrapper_R65.tgz
   The package and products are installed but not activated.
6. Reboot.
7. From a console connection, run cpconfig.
8. Select a product:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
9. Select the installation type: Stand Alone.
10. Select Enterprise SmartCenter and VPN-1 Power/UTM from the selection list.
11. Specify the SmartCenter type as Primary or Secondary.
12. Add Licenses.
13. Configure an administrator name and password.
14. Configure the GUI clients and hosts that can access the SmartCenter server management component.
15. Configure Group Permissions.
16. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
17. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
18. When prompted, do not start the installed products.
19. From $FWDIR/bin/upgrade_tools, run upgrade_import.
20. Reboot.
21. Start the installed products by running cpstart.

Advanced Upgrade on a Solaris Platform

To perform an advanced upgrade on a Solaris platform:

1. Insert CD3 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter, and VPN-1 Power/UTM.
10. Enter n.
11. Specify the SmartCenter type to install:
   • Primary SmartCenter
   • Secondary SmartCenter
   • Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts that will be able to connect to this SmartCenter server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
   f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example through FTP.
17. Change directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R65 upgrade tools, taken from the installation CD or downloaded from the Check Point website.
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services.
20. The license upgrade wrapper runs. Enter c to continue, or q to quit. If you choose to continue, refer to “Upgrading Licenses for Products Prior to NGX” on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.

Performing a New Solaris Installation and Upgrade

To perform a new Solaris installation and upgrade using the wrapper:

1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
   • Check Point Power for headquarters and branch offices
   • Check Point UTM for medium-sized businesses
6. Enter n.
7. Select Installation Using Imported Configuration as the installation option.
8. Enter n.
9. To import a SmartCenter configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration.
10. Enter n.
11. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website.
12. Enter n. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. The license upgrade wrapper runs. Enter c to continue, or q to quit. If you choose to continue, refer to “Upgrading Licenses for Products Prior to NGX” on page 29. The license upgrade process may take some time while all the licenses are gathered and sent in SSL-encrypted format to the Check Point User Center.
14. Specify an upgrade option:
   • Upgrade installed products
   • Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After product installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts that will be able to connect to this SmartCenter server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
   f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.


Chapter 8
Upgrading ClusterXL Deployments

In This Chapter
License Upgrade to NGX
Tools for Gateway Upgrades
Planning a Cluster Upgrade
Minimal Effort Upgrade on a ClusterXL Cluster
Zero Downtime Upgrade on a ClusterXL Cluster
Full Connectivity Upgrade on a ClusterXL Cluster

License Upgrade to NGX

To upgrade to NGX R65, you must first upgrade licenses for all NG products. NGX R65 with licenses from versions previous to NGX will not function. It is highly recommended to upgrade licenses before upgrading the software. If necessary, the license upgrade can be performed after the software upgrade. For additional information, refer to “Upgrading Licenses for Products Prior to NGX” on page 29.

Tools for Gateway Upgrades

• SmartUpdate’s Upgrade All Packages Feature: This feature allows you to upgrade all packages installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your Operating System as a part of your upgrade.
• SmartUpdate’s Add Package to Repository: SmartUpdate provides three tools for adding packages to the Package Repository:
   • From CD: Adds a package from the Check Point CD.
   • From File: Adds a package that you have stored locally.
   • From Download Center: Adds a package from the Check Point Download Center.
• SmartUpdate’s Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third party packages installed on a specific gateway or throughout your entire enterprise.

Planning a Cluster Upgrade

When upgrading ClusterXL, the following options are available to you:

• Minimal Effort Upgrade: Select this option if you have a period of time during which network downtime is allowed. The minimal effort method is much simpler because the clusters are upgraded as gateways and therefore can be upgraded as individual gateways.
• Zero Downtime: Select this option if network activity is required during the upgrade process. The zero downtime method assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic.
• Full Connectivity Upgrade: Choose this option if your gateway needs to remain active and your connections must be maintained. Full Connectivity Upgrade with Zero Down Time assures both inbound and outbound network connectivity at all times during the upgrade. There is always at least one active member that handles traffic and open connections are maintained during the upgrade.

Note - Full Connectivity Upgrade is supported between minor versions only. For further information, refer to “Full Connectivity Upgrade on a ClusterXL Cluster” on page 202 and the NGX R65 Release Notes.

When upgrading from R55W to NGX R65, refer to NGX R65 Release Notes for details about support of Web Intelligence and VoIP Application Intelligence features on Load Sharing Clusters.

Permanent Kernel Global Variables

When upgrading each cluster member, verify that changes to permanent kernel global variables are not lost (see: sk26202). For example, if “fwha_mac_magic” and “fwha_mac_forward_magic” were set to values other than the default values, then verify these values remain unchanged after the upgrade.

Ready State During Cluster Upgrade/Rollback Operations

When cluster members of different versions are present on the same synchronization network, cluster members of the previous version become active while cluster members of the new (upgraded) version remain in a special state called Ready. In this state, the cluster members with the new version do not process any traffic destined for the cluster IP address. This behavior is the expected behavior during the upgrade process.

To avoid such behavior during an upgrade or rollback, physically or using ifconfig, disconnect the cluster interfaces and the synchronization network of that cluster member before beginning.

Upgrading OPSEC Certified Third-Party Cluster Products

• When upgrading Nokia clustering (VRRP and IP Cluster), follow either one of the available procedures (that is, zero downtime or minimal effort).
• When upgrading other third-party clustering products, it is recommended that you use the minimal effort procedure. Zero downtime upgrade is not supported using the regular procedure. The third party may supply an alternative upgrade procedure to achieve a zero downtime upgrade.
• For a complete understanding of the upgrade procedure, refer to the third-party vendor documentation before performing the upgrade process.

Minimal Effort Upgrade on a ClusterXL Cluster

If you choose to perform a Minimal Effort Upgrade, meaning you can afford to have a period of time during which network downtime is allowed, each cluster member is treated as an individual gateway. In other words, each cluster member can be upgraded in the same way as you would upgrade an individual gateway member. For additional instructions, refer to “Upgrading a Distributed Deployment” on page 85.

Zero Downtime Upgrade on a ClusterXL Cluster

Supported Modes

Zero Downtime is supported on all modes of ClusterXL, including IPSO’s IP clustering and VRRP. For additional third-party clustering solutions, consult your third-party solution’s guide.

To perform a zero downtime upgrade, first upgrade all but one of the cluster members.

To upgrade all but one of the cluster members:

1. Run cphaconf set_ccp broadcast on all cluster members. This changes the cluster control protocol to broadcast instead of multicast and ensures that during the upgrade the new upgraded members stay in the Ready state as long as a previous version member is active. In previous versions, a message prompts you to reboot the cluster members in order to fully activate the change. This message should be ignored; no reboot is required.
2. Suppose that cluster member A is the active member, and members B and C are standby members. In Load Sharing mode, randomly choose one of the cluster members to upgrade last. Ensure that the previously upgraded NGX licenses are attached to members B and C.
3. Attach the previously upgraded licenses to all cluster members (A, B and C) as follows:
   • On the SmartConsole GUI machine, open SmartUpdate, and connect to the SmartCenter server. The updated licenses are displayed as Assigned.
   • Use the Attach assigned licenses option to Attach the Assigned licenses to the cluster members.
4. Upgrade cluster members B and C in one of the following ways:
   • Using SmartUpdate
   • In Place
   When the upgrade of B and C is complete, reboot both of them.

Execute the cphastop command on cluster member A. change the cluster version in SmartDashboard to NGX R65. and will fail on member A. perform the following steps: a.Zero Downtime Upgrade on a ClusterXL Cluster 5.Do not change any cluster parameters from the current policy at this time. The status Active Attention is given if member A’s synchronization interface reports that its outbound status is down. Continue with the process according to one of the following scenarios: • If you are upgrading from NG with Application Intelligence (R54 and above). If you are running SmartUpdate. clear the For Gateway Clusters. The remaining cluster members will have a Ready status. install on all the members. execute the fw ctl setsync off command on Cluster member A. Changes can be made after the upgrade process is complete. Note . For complete instructions. if it fails do not install at all option located under the Install on each selected Module independently option. because it is no longer communicating with other cluster members. • 6. Installing the policy: If you are upgrading from NG with Application Intelligence (R54 and above). b. If you are upgrading from a previous version. SmartUpdate compiles and installs an updated policy on the new member. do not change it to LS. skip to step 6. Be aware that policy installation on the old Check Point gateway may cut connections for services that do not survive the policy installation. once it is rebooted. From the Policy Installation window. The policy will be successfully installed on cluster members B and C. 8. Install the security policy on the cluster. click the help button in the Connection Persistence tab. For example. This can be avoided by configuring the Check Point Gateway > Advanced > Connection Persistence tab to either Keep all connections or Keep data connections. When machines B and C are up again. 7. Using the cphaprob stat command (executed on a cluster member). skip to step 8. and will fail on member A. 200 . 
When upgrading versions prior to NGX. 9. The policy will be successfully installed on cluster members B and C. verify that the status of cluster member A is Active or Active Attention. Machines B and/or C start to process traffic (depending on whether this is a Load Sharing or High Availability configuration). install the policy on the cluster. if the cluster is running in New High Availability mode. 10.

11. It is recommended that you do not install a new policy on the cluster until the last member has been upgraded. If you must install a new policy, perform the following steps:
   a. Run cpstop on the old Check Point gateway.
   b. Run fw ctl set int fwha_conf_immediate 1 on all new Check Point gateways.
   c. Install the policy.

Note - It is recommended that you minimize the time in which cluster members are running different versions.

To upgrade the final cluster member:

1. Upgrade cluster member A by either:
   • Using SmartUpdate
   • In Place
2. Reboot cluster member A.
3. Run cphaconf set_ccp multicast followed by cphastart on all cluster members. This returns the cluster control protocol to multicast (instead of broadcast). This step can be skipped if you prefer to remain working with the cluster control protocol in the broadcast mode.
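The zero downtime procedure has you confirm with cphaprob stat that member A is Active or Active Attention and that the upgraded members are Ready before cphastop is run on A. The following is an added example, not part of the Check Point guide, that automates that gate over captured output; the function names, the documentation-range addresses and the column layout of the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: layout is an assumption about `cphaprob stat` output.
_TEMPLATE = """\
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1          192.0.2.1       100%            {state_a}
2 (local)  192.0.2.2       0%              Ready
3          192.0.2.3       0%              {state_c}
"""
SAMPLE_MIXED = _TEMPLATE.format(state_a="Active Attention", state_c="Ready")
SAMPLE_NOT_READY = _TEMPLATE.format(state_a="Active", state_c="Down")

# <number> [(local)] <IPv4 address> <load>% <state, possibly two words>
ROW = re.compile(
    r"^\s*(\d+)\s*(\(local\))?\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)%\s+(\S.*?)\s*$"
)

# States the guide accepts for the not-yet-upgraded member A.
OLD_MEMBER_OK = {"active", "active attention"}


def parse_members(output):
    """Map each member address to its lower-cased state."""
    members = {}
    for line in output.splitlines():
        match = ROW.match(line)
        if match:
            members[match.group(3)] = match.group(5).lower()
    return members


def safe_to_stop_old_member(output, old_member_ip):
    """Return (ok, problems). ok is True only when the old member is
    Active or Active Attention and every other listed member is Ready.
    Anything unparsed or unexpected counts as a problem (fail closed)."""
    members = parse_members(output)
    problems = []
    if old_member_ip not in members:
        problems.append("old member %s not found in output" % old_member_ip)
        return False, problems
    if members[old_member_ip] not in OLD_MEMBER_OK:
        problems.append("old member %s is '%s'"
                        % (old_member_ip, members[old_member_ip]))
    others = {ip: st for ip, st in members.items() if ip != old_member_ip}
    if not others:
        problems.append("no upgraded members listed")
    for ip, state in sorted(others.items()):
        if state != "ready":
            problems.append("member %s is '%s', expected 'ready'" % (ip, state))
    return (not problems), problems


if __name__ == "__main__":
    for name, text in (("mixed", SAMPLE_MIXED), ("not ready", SAMPLE_NOT_READY)):
        print(name, safe_to_stop_old_member(text, "192.0.2.1"))
```
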

Full Connectivity Upgrade on a ClusterXL Cluster
ClusterXL clusters can be upgraded while at the same time maintaining full connectivity between the cluster members.

Understanding a Full Connectivity Upgrade
The Full Connectivity Upgrade (FCU) method assures that synchronization is possible from old to new cluster members without losing connectivity. A full connectivity upgrade is only supported from NGX R65 to a future minor version that specifically supports FCU. Connections that have been opened on the old cluster member will continue to “live” on the new cluster member.

In discussing connectivity, cluster members are divided into two categories:
• New Members (NMs): Cluster members that have already been upgraded. NMs are in the “non-active” state.
• Old Members (OMs): Cluster members that have not yet been upgraded. These cluster members are in an “active state” and carry all the traffic.

For other third-party support. For example. will not survive a Full Connectivity Upgrade. Therefore. Chapter 8 Upgrading ClusterXL Deployments 203 . refer to the third-party documentation. whatever would not normally survive failover. Make sure that the upgraded version is at least NGX or higher. Full Connectivity Upgrade Prerequisites Make sure that the new member (NM) and the old member (OM) contain the same firewall policy and product installation. During the upgrade. including IPSO’s IP clustering and VRRP. do not change the policy from the last policy installed on the Check Point Gateway prior to its upgrade. Legacy High Availability is not supported in FCU. Name Newconn Packet End Reload Dup Type Dup Handler 0: Accounting 00000000 00000000 d08ff920 00000000 Special d08fed58 1: Authentication d0976098 00000000 00000000 00000000 Special d0975e7c 3: NAT 00000000 00000000 d0955370 00000000 Special d0955520 4: SeqVerifier d091e708 6: Tcpstreaming 7: VPN d091e670 00000000 00000000 d091e114 Special d0913da8 00000000 d09732d8 00000000 None 00000000 00000000 d155a8d0 00000000 Special d1553e48 Verify that the list of Check Point Gateway names is the same for both cluster members. Verify the installed products by running the command fw ctl conn on both cluster members. it is not possible to perform an FCU from a Check Point Gateway that has Floodgate-1 installed to a newer Check Point Gateway that does not have Floodgate-1 installed. An example output on the NM: Registered connections modules: No. Full Connectivity Upgrade Limitations • This upgrade procedure is equivalent to a failover in a cluster where both members are of the same version.Full Connectivity Upgrade on a ClusterXL Cluster Supported Modes FCU is supported on all modes of ClusterXL. This includes: • • • • Security servers and services that are marked as non-synced Local connections TCP connections that are TCP streamed The exact same products must be installed on the OM and on the NM.

following the steps outlined in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 199. For example. To upgrade a cluster with three or more members: Choose one of the following two methods: 1. Running cphastop is part of the upgrade procedure described in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 199. having the attribute block_new_conns with different values on the NM and on the OM might cause the FCU to fail since gateway behavior cannot be changed during the upgrade. run the following command on all the upgraded members: fw fcu <other member ip on sync network> then continue with step 10 on page 200 on the single OM. Before you get to step 10 on page 200 (executing cphastop). Note. To upgrade a cluster with two members: Follow the steps outlined in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 199. that running cpstop on the old Check Point Gateway rules out the option to rollback to the OM while maintaining all live connections that were originally created on the OM.0.Full Connectivity Upgrade on a ClusterXL Cluster • All the Gateway configuration parameters should have the same values on the NM and the OM. however. Then continue with step 10 on page 200.g.16. or 204 . The same rule applies to any other local configurations you may have set. run the following command on the upgraded member: fw fcu <other member ip on sync network>(e. • A cluster that performs static NAT using the gateway’s automatic proxy ARP feature requires special considerations: cpstop the old Check Point Gateway right after running cphastop.1). fw fcu 172. Failure to do this may cause some of the connections that rely on proxy ARP to fail and may cause other connections that rely on proxy ARP not to open until the upgrade process completes. Upgrade the two NMs. Performing a Full Connectivity Upgrade The procedure for updating a cluster with full connectivity varies according to the number of members in the cluster. 
Before you get to step 10 on page 200 (executing cphastop).

........ In all other cases it should be “no”.. 78 --> 0xF98EFFD0 (sip_state) 8158 --> 0xF9872070 (connections) Global handlers .. divide the upgrade of your members so that the active cluster members can handle the amount of traffic during the upgrade. Number of connection modules: Safe to ignore. For additional information. depending on configuration) Table handlers ...... Run this command on the new member... Then continue with step 10 on page 200 on all remaining OMs. Once cphastop is executed..... Chapter 8 Upgrading ClusterXL Deployments 205 . refer to “Full Connectivity Upgrade Limitations” on page 203. Before you get to step 10 on page 200 (executing cphastop). run the following command on all the upgraded members: fw fcu <other member ip on sync network>.....cphastop can also be executed from the Cluster object in the SmartConsole.. First upgrade only one member. For more than three members.. Connection module map: The output reveals a translation map from the OM to the NM... yes Number of connection modules......... do not run cpstart or cphastart again or reboot the machine....Full Connectivity Upgrade on a ClusterXL Cluster 2........... Typical output looks like this: During FCU...... Monitoring the Full Connectivity Upgrade Displaying Upgrade Statistics (cphaprob fcustat) cphaprob fcustat displays statistical information regarding the upgrade process. (none or a specific list... 23 Connection module map (remote -->local) 0 --> 0 (Accounting) 1 --> 1 (Authentication) 2 --> 3 (NAT) 3 --> 4 (SeqVerifier) 4 --> 5 (SynDefender) 5 --> 6 (Tcpstreaming) 6 --> 7 (VPN) Table id map (remote->local). following the steps outlined in “Zero Downtime Upgrade on a ClusterXL Cluster” on page 199...... none The command output includes the following parameters: During FCU: This should be “yes” only after running the fw fcu command and before running cphastop on the final OM. Note ..

Table id map: This shows the mapping between the gateway’s kernel table indices on the OM and on the NM. Having a translation is not mandatory.
Table handlers: This should include a sip_state and connection table handlers. In a VPN-1 Power/UTM configuration, a VPN handler should also be included.
Global handlers: Reserved for future use.

Display the Connections Table (fw tab -t connections -u [-s])
This command displays the “connection” table. If everything was synchronized correctly the number of entries in this table and the content itself should be approximately the same in the old and new cluster members. This is an approximation because between the time that you run the command on the old and new members new connections may have been created or perhaps old connections were deleted.
Note - Not all connections are synchronized. For example, local connections and services that are marked as non-synched.

Options
-t - table
-u - unlimited entries
-s - (optional) summary of the number of connections

For further information on the fw tab -t connections command, refer to the “Command Line Interface” Book.

Making Adjustments After Checking the Connection Table
It is safe to run the fw fcu command more than once. Be sure to run both cpstop and cpstart on the NM before re-running the fw fcu command. The reason for running cpstop and cpstart is that the table handlers that deal with the upgrade are only created during policy installation (cpstart installs policy).
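The comparison of connections-table sizes described under "Display the Connections Table" can be scripted once the summary output of both members has been saved to files. The following is an added example, not Check Point code: the function names, the 10 percent default tolerance, the sample captures and the assumed column layout of the fw tab summary (HOST NAME ID #VALS #PEAK #SLINKS) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Check Point code): compare connections-table sizes captured
# on the old member (OM) and the new member (NM) with `fw tab -t connections -s`.
# Assumed column layout of the summary: HOST NAME ID #VALS #PEAK #SLINKS.

# conn_vals <file>: print the #VALS field of the connections row; fail if absent.
conn_vals() {
    awk '$2 == "connections" && $4 ~ /^[0-9]+$/ { print $4; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# fcu_sync_check <om_file> <nm_file> [tolerance_percent]
# Returns 0 if the NM count is within the tolerance of the OM count,
# 1 if it is not, 2 if either capture has no usable connections row.
fcu_sync_check() {
    om_count=$(conn_vals "$1") || { echo "no connections row in $1" >&2; return 2; }
    nm_count=$(conn_vals "$2") || { echo "no connections row in $2" >&2; return 2; }
    tolerance=${3:-10}   # percent; assumed, the guide only says "approximately the same"
    if [ "$om_count" -ge "$nm_count" ]; then
        delta=$((om_count - nm_count))
    else
        delta=$((nm_count - om_count))
    fi
    if [ $((delta * 100)) -le $((om_count * tolerance)) ]; then
        echo "OK: OM=$om_count NM=$nm_count (difference $delta)"
        return 0
    fi
    echo "MISMATCH: OM=$om_count NM=$nm_count (difference $delta)"
    return 1
}

# write_samples <dir>: constructed captures, values are illustrative only.
write_samples() {
    cat > "$1/om.txt" <<'EOF'
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  1200  2100    2400
EOF
    cat > "$1/nm.txt" <<'EOF'
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  1163  1163    2326
EOF
}

# Usage: sh fcu_sync_check.sh <om_capture> <nm_capture> [tolerance_percent]
if [ "$#" -ge 2 ]; then
    fcu_sync_check "$@"
fi
```

A mismatch is a prompt to look at which connections are missing (non-synced services and local connections are expected to differ), not proof that the FCU failed.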

Chapter 9
Upgrading Provider-1

In This Chapter
Introduction
Provider-1/SiteManager-1 Upgrade Tools
Provider-1/SiteManager-1 License Upgrade
Provider-1/SiteManager-1 Upgrade Practices
Upgrading a Multi-MDS System
Restarting CMAs
Restoring Your Original Environment
Renaming Customers
Changing the MDS IP Address and External Interface
SmartDefense in Provider-1

Introduction
This chapter describes methods and utilities for upgrading Provider-1/SiteManager-1 to R65.

In This Section
Supported Versions and Platforms
Provider-1/SiteManager-1 Terminology
Before You Begin

Supported Versions and Platforms
The direct upgrade of the MDS to NGX R65 is supported from the following versions:

| Release | Version |
|---|---|
| NGX | VPN-1 Power/UTM NGX R62 |
| NGX | VPN-1 Pro/Express NGX R61 |
| NGX | VPN-1 Pro/Express NGX R60A |
| NGX | VPN-1 Pro/Express NGX R60 |
| NG | VPN-1 Pro NG R55W |
| NG | VPN-1 Pro/Express NG With Application Intelligence R55 |
| NG | VPN-1 Pro/Express NG With Application Intelligence R54 |

The following versions need to be upgraded to a more recent version before they can be upgraded to NGX R65:
• NG FP3 HF2: If you have NG FP3 Edition 1, NG FP3 Edition 2, NG FP3 Edition 3 or NG FP3 HF1, first install the Provider-1/SiteManager-1 NG FP3 HF2 Hotfix or the Hotfix Accumulator Build (HFA).
• NG FP2: Upgrade to FP3 or above in order to upgrade to R65.
• NG FP1 HF1: Upgrade to FP3 or above in order to upgrade to R65.

The latest information regarding supported platforms is always available in the Check Point Release Notes at: http://www.checkpoint.com/support/technical/documents/index.html

Provider-1/SiteManager-1 Terminology
Before discussing Provider-1/SiteManager-1 upgrades and licensing, it is worth reviewing some important Provider-1/SiteManager-1 terms.
• The Multi-Domain Server (MDS) houses Provider-1 system information. It contains details of the Provider-1 deployment, its administrators, and Customer management information.
• The MDS has two flavors. The Manager, which runs the Provider-1 deployment, and the Container, which holds the Customer Management Add-Ons (CMA). The Manager and Container can be installed on the same server, or separately.
• A Customer Management Add-On (CMA) is the Provider-1 equivalent of the SmartCenter server for a single Customer. Through the CMA, an administrator creates Security Policies and manages the Customer modules.

Before You Begin
Before performing a Provider-1/SiteManager-1 upgrade, it is recommended that you read:
• the latest Provider-1/SiteManager-1 release notes: http://www.checkpoint.com/support/technical/documents/docs_prov1.html
• the latest Check Point suite release notes: http://www.checkpoint.com/support/technical/documents/

If you are upgrading a multi-MDS environment, refer to “Upgrading a Multi-MDS System” on page 262.

Provider-1/SiteManager-1 Upgrade Tools
This section describes the different upgrade and migrate utilities, and explains when and how each of them is used.

In This Section
Pre-Upgrade Verifiers and Fixing Utilities
Installation Script
pv1_license_upgrade
license_upgrade
cma_migrate
migrate_assist
migrate_global_policies
Backup and Restore

Pre-Upgrade Verifiers and Fixing Utilities
Before performing the upgrade of Provider-1/SiteManager-1, Check Point verifies the readiness of your current version for the upgrade. Provider-1/SiteManager-1 upgrade script, mds_setup, runs a list of pre-upgrade utilities. The utilities search for well known upgrade problems that might be present in your existing installation. The output of the utilities is also saved to a log file.

Three types of messages are generated by the pre-upgrade utilities:
• Action items before the upgrade: These include errors and warnings. Errors have to be repaired before the upgrade. Warnings are left for the user to check and conclude whether they should be fixed or not. In some cases, it is suggested that fixing utilities should be run during the pre-upgrade check, but in most cases the fixes are done manually from SmartDashboard. An example of an error to be fixed before the upgrade is when an invalid policy name is found in your existing installation. In this case, you must rename the policy.
• Action items after the upgrade: These include errors and warnings, which are to be handled after the upgrade.
• Information messages: This section includes items to be noted. For example, when a specific object type that is no longer supported is found in your database and is converted during the upgrade process, a message indicates that this change is going to occur.

The Provider-1/SiteManager-1 Pre-Upgrade Verifier uses Provider-1/SiteManager-1 specific verifications as well as verifications checked by SmartCenter’s Pre-Upgrade Verification Tool. Refer to “Using the Pre-Upgrade Verification Tool” on page 91.

Installation Script
Starting from NG with Application Intelligence, use the mds_setup installation script for MDS.
Note - When installing MDS on SecurePlatform, the installation is performed using the SecurePlatform installer on the CD. Do not execute the mds_setup script directly.

To run mds_setup:
1. Mount the Provider-1 CD from the relevant subdirectory.
2. Change the directory to the mounted directory.
3. Browse to either the Solaris or Linux directory, depending on the operating system of your MDS machine.
4. Run the installation script: ./mds_setup.
5. Exit all shell sessions. Open a new shell in order for the new environment to be set.

When mds_setup is executed, it first checks for an existing installation of MDS:
• If no such installation exists, mds_setup asks you to confirm a fresh installation of MDS.
• If a previous version of MDS is detected, you are prompted to select one of the following options (Pre-Upgrade Verification Only, Upgrade or Backup) listed below.

For additional information, refer to “Provider-1/SiteManager-1 Upgrade Practices” on page 251.

Pre-Upgrade Verification Only
Pre-Upgrade Verification Only enables you to run pre-upgrade verification without upgrading your existing installation. No fixing utilities are executed. Use this option at least once before you upgrade. It provides you with a full report on upgrade issues, some of which should be handled before the upgrade. In a multi-MDS environment, the pre-upgrade verification must be run on all MDSes (and MLMs) before upgrading the first MDS.

Upgrade
When the upgrade option is used, mds_setup runs the Pre-Upgrade Verifier and if no errors are found, the upgrade process proceeds. In case of errors, mds_setup stops the installation until all the errors are fixed. In some cases, mds_setup suggests automatically fixing the problem using a fixing utility. Fixing utilities that affect the existing installation can also be executed from the command line. You can choose to stop the installation and execute the fixing utility from the command line.

There are two important things to remember after changing your existing installation:
• Verify your changes in the existing installation before you upgrade.
• Synchronize global policies. If you make changes in global policies, reassign these global policies to customers. If you have a multi-MDS environment:
   • Synchronize databases between MDSs in High Availability.
   • Synchronize databases between CMAs in High Availability.
   • Install the database on CLMs.

Backup
Prior to performing an upgrade, back up your MDS. The backup option from mds_setup runs the mds_backup process (refer to mds_backup). Backup is also used for replication of your MDS to another machine. Manual operations are necessary if you are switching IP addresses or network interface names. For additional information, refer to “Changing the MDS IP Address and External Interface” on page 271.

pv1_license_upgrade
The pv1_license_upgrade command line tool is used to perform license upgrade for Provider-1. The tool makes it simple to automatically upgrade licenses, eliminating the need to do so manually though the User Center. When the tool is run on the MDS, upgraded licenses are obtained from the Check Point User Center website for the MDS and for all the CMAs on the MDS.

License upgrade is required when upgrading from versions prior to NGX. Provider-1/SiteManager-1 NGX cannot function with NG licenses. It is recommended to upgrade all Provider-1/SiteManager-1 NG licenses to NGX before upgrading software to NGX.

The pv1_license_upgrade tool can be found in the following locations:
• Provider-1 R65 CD at: <platform>/LicenseUpgrade/
• R65 installation at: /opt/CPmds-R65/system/license_upgrade/
• Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html

license_upgrade
The license_upgrade command line tool is used to perform license upgrade for a single CMA. It is the same tool as is used to perform license upgrade in SmartCenter environments.

The license_upgrade tool can be found in the following locations:
• Provider-1 R65 CD at: <platform>/LicenseUpgrade/
• R65 installation at: /opt/CPmds-R65/system/license_upgrade/
• Check Point Download site at http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html

The license_upgrade tool can be run either as a command line with parameters, or in Wizard mode, which allows you to choose options from a menu. To run the tool in Wizard mode, run: license_upgrade.


Table 9-1 lists some of the more commonly used tool options.

Table 9-1 license_upgrade Tool Options

| Wizard Mode Option | Command line option | Meaning |
|---|---|---|
| [S] | license_upgrade simulate | Sends existing licenses to User Center Web site to simulate the license upgrade in order to verify that it can be performed. No actual upgrade is done and no new licenses are returned. |
| [U] | license_upgrade upgrade | Sends existing licenses to the User Center Web site to perform upgrade and (by default, in online mode) installs them on the machine. |
| [C] | license_upgrade status | Reports whether or not there are licenses on the machine that need to be upgraded. |

By default, on a CMA, each operation is performed on the licenses in the License Repository as well as on the licenses that belong to the local machine.

cma_migrate
This utility is used to import an existing SmartCenter server or CMA into a Provider-1/SiteManager-1 MDS so that it will become one of its CMAs. If the imported SmartCenter or CMA is of a version earlier than the MDS to which it is being imported, then the Upgrade process is performed as part of the import. The available versions are listed in “Supported Versions and Platforms” on page 208. Bear in mind that the source and target platforms may be different. The platform of the source management to be imported can be Solaris, Linux, Windows, SecurePlatform or IPSO. Before running cma_migrate, create a new customer and a new CMA. Do not start the CMA, or the cma_migrate will fail.

Usage
cma_migrate <source management directory path> <target CMA FWDIR directory>


Example
cma_migrate /tmp/orig_mgmt_dir /opt/CPmds-R65/customers/cma2/CPsuite-R60/fw1

The first argument (<source management directory path>) specifies a path on the local MDS machine where the data of the source management resides. Use migrate_assist to build this source directory or build it manually. Set the structure under the source management directory as described in Table 9-2.

Table 9-2 Source Management Structure

| directory | contents |
|---|---|
| conf | This directory contains the information that resides under $FWDIR/conf of the source management. |
| database | This directory contains the information that resides under $FWDIR/database of the source management. |
| log | This directory contains the information that resides under $FWDIR/log of the source management or is empty if you do not wish to maintain the logs. |
| conf.cpdir | This directory is required when the source management is NG FP1 or higher. It contains the information that resides under $CPDIR/conf of the source management. |

The second argument (<target CMA FWDIR directory>) is the FWDIR of the newly created CMA.
Note - To run the cma_migrate utility from the MDG, right-click a CMA and select Import Customer Management Add-on from the menu.
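When the source directory is built manually rather than with migrate_assist, its layout can be staged and checked before cma_migrate is run. The following is an added example, not a Check Point tool: the function names, the sample tree and the rule that an empty conf or database directory is an error are assumptions of this example, and it expects copies of the source $FWDIR and $CPDIR to be present on the local machine already.

```shell
#!/bin/sh
# Added example (not a Check Point tool): stage and verify the source
# management directory that cma_migrate expects, following Table 9-2.
# Function names and all paths passed in are hypothetical.

# check_cma_source_dir <dir> [need_cpdir: yes|no]
# need_cpdir=yes applies when the source management is NG FP1 or higher.
# Prints one line per problem and returns 1 if any was found.
check_cma_source_dir() {
    dir=$1
    need_cpdir=${2:-yes}
    rc=0
    for sub in conf database log; do
        if [ ! -d "$dir/$sub" ]; then
            echo "missing directory: $dir/$sub"
            rc=1
        fi
    done
    # Assumption of this example: an empty conf or database is an error.
    # log may legitimately be empty when the logs are not being kept.
    for sub in conf database; do
        if [ -d "$dir/$sub" ] && [ -z "$(ls -A "$dir/$sub")" ]; then
            echo "empty directory: $dir/$sub"
            rc=1
        fi
    done
    if [ "$need_cpdir" = yes ]; then
        if [ ! -d "$dir/conf.cpdir" ] || [ -z "$(ls -A "$dir/conf.cpdir")" ]; then
            echo "missing or empty directory: $dir/conf.cpdir"
            rc=1
        fi
    fi
    return "$rc"
}

# stage_cma_source_dir <src_fwdir> <src_cpdir or ""> <target> [keep_logs: yes|no]
# Copies local copies of the source $FWDIR and $CPDIR trees into <target>.
# Runs in a subshell so the restrictive umask does not leak to the caller;
# the staged tree holds the management database and CA material.
stage_cma_source_dir() (
    src_fwdir=$1; src_cpdir=$2; target=$3; keep_logs=${4:-yes}
    if [ ! -d "$src_fwdir/conf" ] || [ ! -d "$src_fwdir/database" ]; then
        echo "source FWDIR lacks conf/ or database/: $src_fwdir" >&2
        exit 1
    fi
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing target: $target" >&2
        exit 1
    fi
    umask 077
    mkdir -p "$target/conf" "$target/database" "$target/log" || exit 1
    cp -Rp "$src_fwdir/conf/." "$target/conf/" || exit 1
    cp -Rp "$src_fwdir/database/." "$target/database/" || exit 1
    if [ "$keep_logs" = yes ] && [ -d "$src_fwdir/log" ]; then
        cp -Rp "$src_fwdir/log/." "$target/log/" || exit 1
    fi
    if [ -n "$src_cpdir" ]; then
        mkdir "$target/conf.cpdir" || exit 1
        cp -Rp "$src_cpdir/conf/." "$target/conf.cpdir/" || exit 1
    fi
)

# make_sample_trees <dir>: constructed stand-ins for a source $FWDIR and $CPDIR.
make_sample_trees() {
    mkdir -p "$1/fw/conf" "$1/fw/database" "$1/fw/log" "$1/cp/conf"
    echo conf > "$1/fw/conf/sample.conf"
    echo db > "$1/fw/database/sample.db"
    echo log > "$1/fw/log/sample.log"
    echo cp > "$1/cp/conf/sample.cp"
}

# Usage: sh stage_cma_source.sh <src_fwdir> <src_cpdir> <target>
if [ "$#" -ge 3 ]; then
    stage_cma_source_dir "$1" "$2" "$3" && check_cma_source_dir "$3"
fi
```

The staged directory is then passed as the first argument to cma_migrate; remove it once the import has been verified, since it duplicates the source management's configuration.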

When running cma_migrate, pre-upgrade verification takes place. If no errors are found, then the migration continues. If errors are found, changes must be performed on the original SmartCenter server.

The original Certificate Authority and putkey information is maintained when using cma_migrate. This means that the SmartCenter server that was migrated using cma_migrate should not re-generate certificates to gateways and SIC should continue to work with gateways from version NG and later. However, if the IP of the CMA is different than that of the original management, then putkey should be repeated between the CMA and entities that connect to it using putkey information. Use putkey -n to re-establish trust. For additional information on putkey, refer to the Check Point Command Line Interface documentation.

If you have VPN with externally managed gateways (or Global VPN-1 Communities), maintain the original FQDN of the management so that the CRL server location is not changed. This is not a requirement for a VPN between Check Point internal gateways. The default FQDN of a CMA is its IP address, therefore if you migrated from CMA and changed its IP address, you should change its FQDN to the new IP address by executing:

mdsenv <CMA>, cpconfig, option 4 - Certificate Authority

If your intent is to split a CMA into two or more CMAs, reinitialize their Internal Certificate Authority so that only one of the new CMAs employs the original ICA:
1. mdsstop_customer <CMA NAME>
2. mdsenv <CMA NAME>
3. Remove the current Internal Certificate Authority by executing the fwm sic_reset command. This may require some preparation that is described in detail from the command prompt and also in the SecureKnowledge solution sk17197.
4. Create a new Internal Certificate Authority by executing: mdsconfig -ca <CMA NAME> <CMA IP>
5. Run the command: mdsstart_customer <CMA NAME>


migrate_assist
This utility is a helper utility for cma_migrate. It can be used to pull the original management directories to the current disk storage using FTP. When you finish running migrate_assist, it is possible to run cma_migrate (refer to “cma_migrate” on page 214), the input directory of which will be the output directory of migrate_assist.

Usage
migrate_assist <source machine name/ip> <source FWDIR folder> <user name> <password> <target folder> [<source CPDIR folder>]

Example
To import a SmartCenter server with the IP address 192.168.0.5 of version NG FP3, use the following command:

migrate_assist 192.168.0.5 /opt/CPfw1-53 FTP-user FTPpass /EMC1 /opt/CPshared/5.0

Here, /EMC1 is the name of the directory created on the MDS server machine. migrate_assist accesses the source machine and imports the source FWDIR and CPDIR folders to the specified target folder according to the structure described above. The user name and password are needed to gain access to the remote machine via FTP. The source CPDIR parameter is required in case the original management is NG FP3 and higher.
Note - migrate_assist does not affect the source database, however it is highly recommended to stop it before running migrate_assist so that no SmartConsole Clients accidentally edit the database during migration.


migrate_global_policies
The migrate_global_policies utility transfers (and upgrades, if necessary) a global policies database from one MDS to another. If the global policies database on the target MDS has policies that are assigned to customers, migrate_global_policies aborts. This is done to ensure that the Global Policy used at the Customer's site is not deleted.
Note - When executing the migrate_global_policies utility, the MDS will be stopped. The CMAs can remain up and running.

Usage
migrate_global_policies <path global policies conf database>
<path global policies conf database> specifies the directory path where the global policies files, originally taken from the MDS's $MDSDIR/conf, are located.
Note - migrate_global_policies fails if there is a global policy assigned to a Customer. Do not create and assign any Global Policy to a Customer before you run migrate_global_policies.

Backup and Restore
The purpose of the backup/restore utility is to back up an MDS as a whole, including all the CMAs that it maintains, and to restore it when necessary. The restoration procedure brings the MDS to the state it was in when the backup procedure was executed. The backup saves both user data and binaries. Backup and restore cannot be used to move the MDS installation between platforms. Restoration can be performed on the original machine or, if your intention is to upgrade by replicating your MDS for testing purposes, to another machine. When performing a restoration to another machine, if the machine’s IP address or interface has changed, refer to “Changing the MDS IP Address and External Interface” on page 271 for instructions on how to adjust the restored MDS to the new machine.


During backup, it is okay to view data but do not write using MDGs, GUIs or other clients. If the Provider-1/SiteManager-1 system consists of several MDSes, the backup procedure takes place manually on all the MDSes concurrently. Likewise, when the restoration procedure takes place, it should be performed on all MDSes concurrently.

mds_backup
This utility stores binaries and data from your MDS installation. Running mds_backup requires super-user privileges. This utility runs the gtar command on the root directories of data and binaries. Any extra information located under these directories is backed up, except for files that are specified in the mds_exclude.dat file ($MDSDIR/conf). The collected information is wrapped in a single zipped tar file. The name of the created backup file comprises the date and time of the backup, followed by the extension .mdsbk.tgz. For example: 13Sep2002-141437.mdsbk.tgz. The file is placed in the current working directory, thus it is important not to run mds_backup from one of the directories that is to be backed up. For example, when backing up an NG FP3 MDS, do not run mds_backup from /opt/CPmds-61 since you cannot zip the directory in which you need to write.

Usage
mds_backup

mds_restore
Restores an MDS that was previously stored with mds_backup. For correct operation, mds_restore requires a fresh installation of an MDS from the same version of the MDS to be restored.

Usage mds_restore <backup file> $MDSDIR/bin/set_mds_info -b -y


Provider-1/SiteManager-1 License Upgrade

In This Section
Overview of NGX License Upgrade
Introduction to License Upgrade in Provider-1 Environments
Software Subscription Requirements
Understanding Provider-1/SiteManager-1 Licenses
Before License Upgrade
Choosing The Right License Upgrade Procedure
System-Wide License Upgrade, Before Software Upgrade
System-Wide License Upgrade Using the Wrapper
System-Wide License Upgrade, After Software Upgrade
License Upgrade for a Single CMA
License Upgrade Using the User Center
SmartUpdate Considerations for License Upgrade
Troubleshooting License Upgrade

Overview of NGX License Upgrade
To upgrade to R65, you must first upgrade licenses for all NG products. NGX cannot function with NG licenses.

The license upgrade procedure can be performed if you have purchased any of the Enterprise Software Subscription services. License upgrade will fail for products and accounts for which you do not have software subscription. Log in to http://usercenter.checkpoint.com to manage your accounts, licenses, and Enterprise Support Programs coverage (under Support Programs).

License upgrade is performed by means of an easy to use tool that automatically upgrades both locally and centrally managed licenses. Using the tool you can upgrade all licenses in the entire managed system. License upgrade can also be performed manually, per license, in the User Center.

The automatic license upgrade tool enables you to:
• View the status of the currently installed licenses. On a CMA, you can also view the licenses in the SmartUpdate License Repository.
• Simulate the license upgrade process.
• Perform the license upgrade process.

During the license upgrade, all eligible licenses are gathered and sent in SSL-encrypted format to the User Center. Upgraded licenses are returned from the User Center, and automatically installed. When running on a CMA, the license upgrade process also handles licenses in the SmartUpdate License Repository.

After the software upgrade, SmartUpdate is used to attach the new NGX licenses to the gateways. The license upgrade process adds only NGX licenses. Old licenses and non-eligible licenses (e.g., evaluation licenses, or licenses that pertain to IP addresses no longer used) remain untouched.

Licenses for versions prior to NG cannot be upgraded directly to NGX. You must first upgrade to NG and then upgrade the licenses from NG to NGX.

For the latest information and downloads regarding NGX license upgrade, check: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html

Introduction to License Upgrade in Provider-1 Environments
Provider-1/SiteManager-1 NGX cannot function with NG licenses. It is recommended to upgrade all Provider-1/SiteManager-1 NG licenses to NGX before upgrading the software to NGX.

The license upgrade procedure for Provider-1/SiteManager-1 uses the pv1_license_upgrade command line tool or the MDS Wrapper (both run on the MDS). These tools make it simple to automatically upgrade licenses without having to do so manually through the Check Point User Center website https://usercenter.checkpoint.com.

For instructions on upgrading licenses for VPN-1 Power/UTM and SmartLSM deployments, refer to:
• “Upgrading Licenses for Products Prior to NGX” on page 29.
• “License Upgrade for a VPN-1 Power/UTM ROBO Gateway” on page 276.

Software Subscription Requirements
The license upgrade procedure is available to purchasers of any of the Enterprise Software Subscription services. License upgrade will fail for products and accounts for which you do not have software subscription.

You can see exactly the products and accounts for which you have software subscription by viewing your User Center account. In the Accounts page, Enterprise Contract column, and in the Products page, Subscription and Support column, if the account or product is covered, the expiration date is shown. If a product is not covered, the entry says Join Now, with a link to get a quote for purchasing Enterprise Support.

You can purchase Enterprise Software Subscription for the entire account, in which case all the products in the account will be covered, or you can purchase Enterprise Software Subscriptions for individual products.

Understanding Provider-1/SiteManager-1 Licenses

Provider-1/SiteManager-1 Licensing
The MDS Manager has:
• Licenses for the MDS itself (MDS licenses), in the cp.license file. An example of an MDS license is one that specifies how many CMAs may be configured.
• MDS License Repository (MDS Repository). This is a mirror (that is, a read-only copy) of the CMA license repositories. SmartUpdate is used to connect to the MDS Manager and manage the MDS Repository.

The MDS Container has:
• Licenses for the MDS Container itself, in the cp.license file. This license specifies, among other things, how many CMAs may be configured in the Container.
• For each CMA, licenses for the CMA itself (CMA licenses), in the cp.license file. An example of a CMA license is one that specifies how many Gateways the CMA can manage.
• For each CMA, the CMA license repository (CMA Repository) in the licenses.C file. This is a repository of Gateway licenses.

Licenses in the CMA Repository are managed using the SmartUpdate component of the Multi-Domain GUI (MDG). All CMA license actions are reflected in the MDS License Repository.

License Upgrade Example

Licenses are upgraded on a per machine basis. During the license upgrade process, all licenses on a machine are upgraded. On an MDS computer with a combined Manager and Container, the following are upgraded:
• MDS licenses for both the manager and Container.
• For each CMA, the CMA licenses.
• For each CMA, the CMA Repository.

Before License Upgrade

The following sections describe the steps to be taken before performing the license upgrade:
• “Finding out Whether a License Upgrade is Required” on page 224
• “Simulating the License Upgrade” on page 225
• “Provider-1 Pro Add-Ons for MDS License Upgrade” on page 225
• “Managing VPN-1 Power VSX With Provider-1” on page 226

For further assistance, refer to SecureKnowledge at https://secureknowledge.checkpoint.com, or contact the Check Point Reseller that provided your licenses.

Finding out Whether a License Upgrade is Required

On the MDS machine, check whether or not the MDS licenses and the licenses in the MDS Repository need to be upgraded. The pv1_license_upgrade tool is located on the Provider-1 R65 CD at <platform>/LicenseUpgrade/.

To determine if a license upgrade is required:
• Do one of the following:
   • Run the console command pv1_license_upgrade status.
   • Run the mds_setup wrapper, and then choose the pre-upgrade verification option.

This results in the following:
• For each license, a check determines whether or not a license upgrade is required, without making any modifications.
• A report is produced that contains action items to be performed before and after the upgrade, and general information. The action items can be informational, warnings, or errors. If license upgrade is required, error messages are generated. It is highly recommended to deal with all the reported issues, so that the license upgrade can proceed smoothly.

Note - If there are NGX licenses on the pre-NGX MDS machine that have not been upgraded (for example, without an NG license pair), they are not included in the pv1_license_upgrade tool’s report.

Simulating the License Upgrade

On the MDS machine, simulate the license upgrade in order to find and solve potential problems in upgrading specific licenses. The simulation does not make any modifications.

To simulate the license upgrade:
• Run the console command pv1_license_upgrade simulate.

Provider-1 Pro Add-Ons for MDS License Upgrade

Note - This section only applies if the Provider-1 Pro Add-Ons for MDS are installed.

License Upgrade for the Pro Add-Ons for MDS must be performed either manually via the User Center, or via the Check Point Account Services department. To understand this issue, some background information is needed.

Pro Add-Ons for MDS is a bundled product that extends the SMART management capabilities of multiple CMAs by adding SmartUpdate, SmartDirectory, and SmartView Monitor. Table 9-3 shows the part numbers of Pro Add-ons for MDS.

Part Numbers of Pro Add-ons for MDS

Table 9-3 Pro Add-ons for MDS

Customer Version    Part Number
NG 10               CPPR-PRO-10-NG
NG 25               CPPR-PRO-25-NG
NG 50               CPPR-PRO-50-NG
NG 100              CPPR-PRO-100-NG
NG 200              CPPR-PRO-200-NG
NG 250              CPPR-PRO-250-NG

Generating Licenses for the CMA Pro Add-on

Licenses for the CMA Pro Add-on for MDS are generated in the User Center.

To generate licenses for the CMA Pro Add-on:
1. Perform the Activate License operation on the Pro bundled product, using the IP address of the first CMA, to generate the license for this CMA.
2. For each additional CMA, perform the Change IP operation on the bundled product, and change to the IP address of this CMA. Install each generated license on its respective CMA.

3. At the end of the license generation process, the User Center shows a license with the IP address of the last CMA for which the Change IP operation was performed.

Upgrading CMA Pro Add-on Licenses

To upgrade the CMA Pro Add-on licenses:
1. On the MDS machine, run the appropriate console command:
   • If the MDS is directly connected to the User Center, run:
         pv1_license_upgrade upgrade
   • If the MDS is connected to the User Center via a proxy, run:
         pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
     The proxy port number is optional. The username and password (if any) are for the proxy machine.
2. Save the following information:
   • Log Files generated by the tool.
   • The cache file generated when running the tool, $CPDIR/conf/lic_cache.C.
   The location of the files is printed to the screen when running the tool.
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.

Managing VPN-1 Power VSX With Provider-1

Note - This section only applies if the Virtual Systems Extension - CMA Bundle is installed.

If the Virtual Systems Extension - CMA Bundle is older than VSX NG AI Release 2, automatic license upgrade is not available. License upgrade must be performed manually via the User Center, or via the Check Point Account Services department. To understand this issue, some background information is needed.

To allow Provider-1 to manage VPN-1 Power VSX, the “Virtual Systems Extension CMA Bundle” product is required. Customers purchase multiple CMAs to manage either one VSX Virtual System (VS) with each CMA, or manage a VS cluster with each CMA. The purchased part numbers are shown in Table 9-4.

Table 9-4 Virtual Systems Extension - CMA Bundles

Virtual Systems Extension - CMA Bundles (Primary VSX-CMA)
Gateways Version    Part Number
C10 NG              CPPR-VSX-CMA-C10-NG
C25 NG              CPPR-VSX-CMA-C25-NG
C50 NG              CPPR-VSX-CMA-C50-NG
C100 NG             CPPR-VSX-CMA-C100-NG
C250 NG             CPPR-VSX-CMA-C250-NG

The customer receives two licenses:
• One license for the Provider-1 MDS Container product in Table 9-5 (depending on the number of VSs in Table 9-6). This license allows you to define the purchased number of CMAs.

Table 9-5 Provider-1 MDS Container

Provider-1 MDS Container
Customer Version    Part Number
NG 25               CPPR-MDS-C25-NG
NG 50               CPPR-MDS-C50-NG
NG 100              CPPR-MDS-C100-NG
NG 200              CPPR-MDS-C200-NG
NG 250              CPPR-MDS-C250-NG

• One license for the Provider-1 CMA product in Table 9-10 (to be installed on the CMA), that specifies the size of the VS cluster that the CMAs are allowed to manage. A license for a VS cluster of 1 Gateway allows the CMA to manage one VS. A license for a VS cluster of 2 Gateways allows the CMA to manage a cluster of two VSs, and so on.

Table 9-6 Provider-1 CMA

Provider-1 CMA (Primary CMA)
Gateways Version    Part Number
NG 1                CPPR-CMA-1-NG
NG 2                CPPR-CMA-2-NG
NG 4                CPPR-CMA-4-NG

Generating Licenses for the Provider-1 CMA Product

Licenses for the Provider-1 CMA product are generated in the User Center.

To generate licenses for the Provider-1 CMA product:
1. Perform the Activate License operation on the Provider-1 CMA product, using the IP address of the first CMA, to generate the license for this CMA.
2. For each additional CMA, perform the Change IP operation on the bundled product, and change to the IP address of this CMA. Install each generated license on its respective CMA.
3. When the license generation process is complete, the User Center shows a license with the IP address of the last CMA for which the Change IP operation was performed.

Upgrading Provider-1 CMA Bundle Licenses

To upgrade the Provider-1 CMA-Bundle licenses:
1. On the MDS machine, run the appropriate console command:
   • If the MDS is directly connected to the User Center, run:
         pv1_license_upgrade upgrade
   • If the MDS is connected to the User Center via a proxy, run:
         pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
     The proxy port number is optional. Username and password (if any) are for the proxy machine.
2. Save the following information:
   • Log Files generated by the tool.
   • The cache file generated when running the tool, $CPDIR/conf/lic_cache.C.
   The location of these files is printed to the screen when running the tool.
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.

Choosing The Right License Upgrade Procedure

There are various ways to upgrade licenses in a Provider-1/SiteManager-1 environment. This section explains some of the considerations that you should take into account before deciding which procedure is right for you.

Decision #1: License Upgrade Before or After Software Upgrade

It is highly recommended to perform the license upgrade before performing any software upgrade. This ensures that the software continues to function after the software upgrade. However, if necessary, the software upgrade can be done first.

Decision #2: License Upgrade for Entire System (Single or Multi-MDS) or Single CMA

It is possible to upgrade licenses either for the entire Provider-1/SiteManager-1 environment (all MDS licenses, CMA licenses, and CMA Repository licenses), or a single CMA (CMA licenses and CMA Repository licenses).

Upgrading the entire Provider-1/SiteManager-1 environment is the recommended way to upgrade licenses. The procedure uses the SmartUpdate license management capabilities, which are free of charge.

Upgrading licenses for a single CMA may be required if you do not wish to upgrade the licenses on other CMAs at this time, for example if the licenses for other CMAs have already been upgraded. Note, however, that the software upgrade occurs for all CMAs at the same time, when the MDS is upgraded.

Decision #3: License Upgrade for an Online or Offline Machine

The license upgrade procedure depends on how the machine on which the procedure is to be performed is connected to the Check Point User Center website. The possibilities are:
• Direct Internet connectivity (online).
• Via-proxy Internet connectivity (online via proxy).
• No Internet connectivity (offline).

License upgrade using the mds_setup wrapper works only for online machines with direct Internet connectivity to the Check Point User Center.

What Next?

Once you have made the above three decisions, you can then decide which of the following procedures is the right one for you.
• “System-Wide License Upgrade, Before Software Upgrade” on page 231
   • “License Upgrade for an Online MDS” on page 231
   • “License Upgrade for an Offline MDS” on page 232
• “System-Wide License Upgrade Using the Wrapper” on page 235 (applies to an online MDS version NG)
• “System-Wide License Upgrade, After Software Upgrade” on page 236
   • “License Upgrade for an Online MDS” on page 236
   • “License Upgrade for an Offline MDS” on page 237
• “License Upgrade for a Single CMA” on page 239
   • “License Upgrade for an Online MDS, Before Software Upgrade” on page 239
   • “License Upgrade for an Offline MDS, Before Software Upgrade” on page 240
   • “License Upgrade for an Online MDS, After Software Upgrade” on page 242
   • “License Upgrade for an Offline MDS, After Software Upgrade” on page 243

System-Wide License Upgrade, Before Software Upgrade

In This Section
License Upgrade for an Online MDS     page 231
License Upgrade for an Offline MDS    page 232

License Upgrade for an Online MDS
Use this procedure for an online MDS of version NG. An online machine is one with Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

Note - If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. Refer to “Error: “License version might be not compatible”” on page 48 for details.

To perform the license upgrade on an online MDS:
1. Copy the pv1_license_upgrade tool to the MDS version NG machine. Copy it from the locations specified in “pv1_license_upgrade” on page 213.
2. Run the appropriate command line tool at the MDS (on SecurePlatform, you must be in expert mode):
   • If the MDS is directly connected to the User Center, run:
         pv1_license_upgrade upgrade
   • If the MDS is connected to the User Center via a proxy, run:
         pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
     The proxy port number is optional. Username and password (if any) are for the proxy machine.
   This does the following:
   • Collects all the licenses that exist on the MDS machine.
   • Verifies that all licenses can be upgraded, both for MDS and CMAs.
   • Fetches updated licenses from the User Center.
   • Builds a temporary cache file containing the NGX licenses.


3. Perform the software upgrade to NGX on the MDS Manager, MDS Container, and the MDG.
4. Start the MDS by running:
       mdsenv
       mdsstart
5. Run the following command line tool on the MDS:
       pv1_license_upgrade import -c <cache file name>
   The default cache file location is $CPDIR/conf/lic_cache.C. This imports the NGX licenses from the cache file to the CMA Repositories of every CMA.
6. Perform the software upgrade to NGX on the gateway machine(s).
7. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from the NGX gateways.

License Upgrade for an Offline MDS
This procedure upgrades licenses in the entire system, and applies to an offline MDS of version NG. An offline MDS is one with no Internet connectivity to the Check Point User Center Web site.

Note - If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. Refer to “Error: “License version might be not compatible”” on page 48 for details.

To perform the license upgrade on an offline MDS:
1. Copy the pv1_license_upgrade tool to the MDS version NG machine. Copy it from the locations specified in “pv1_license_upgrade” on page 213.
2. On the offline MDS, run the following command line tool:
       pv1_license_upgrade export -z <package_file>
   On SecurePlatform, run the command in expert mode. The export command packs all licenses on the machine, for all CMAs and the MDS, into a single package file.
3. Copy the package file (containing the licenses) from the offline MDS to the online machine. The online machine does not need to be a Check Point-installed machine.


4. Copy the license_upgrade tool to the online machine. The tool is located at <platform>/LicenseUpgrade/ on the R65 CD, and in the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
5. Run the appropriate command line tool at the online machine:
   • If the online machine is directly connected to the User Center, run:
         license_upgrade upgrade -i <input_file> -c <cache_file>
   • If the online machine is connected to the User Center via a proxy, run:
         license_upgrade upgrade -y <proxy:port> -i <input_file> -c <cache_file>
     Where <input_file> is the package file that is the result of step 2. This fetches new licenses from the User Center and puts them in a cache file.
   • Use the [O] Wizard mode option.
6. Specify the package file that is the result of step 2 and the requested cache file. This fetches new licenses from the User Center and puts them in a cache file.
7. Copy the cache file (with the new licenses) back to the offline MDS machine.
8. Start the MDS by running:
       mdsenv
       mdsstart
9. Run the following command line on the offline MDS:
       pv1_license_upgrade import -c <cache_file>
   The default cache file location is $CPDIR/conf/lic_cache.C. This imports the new CMA and MDS licenses to the MDS.
10. Perform the software upgrade to NGX on the MDS Manager, MDS Container, and the MDG.


11. Run the following command line on the upgraded offline MDS:
       pv1_license_upgrade import -c <cache_file>
    This imports the new licenses into the CMA license repositories on the MDS.
12. Perform the software upgrade to NGX on the gateway machine(s).
13. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from NGX gateways.
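The offline procedure carries two files by hand: the package file from the offline MDS to the online machine, and the cache file back again. As an added example (not part of the Check Point guide or tools), the sketch below records a SHA-256 manifest before each copy and runs the import command only if the copied file still matches. The function names and the availability of sha256sum on both machines are assumptions.

```sh
#!/bin/sh
# Added example, not Check Point code. Assumes sha256sum exists on both the
# sending and the receiving machine; all function names are hypothetical.

# write_manifest FILE
# Run on the sending side before the copy. Creates FILE.sha256 next to FILE.
# Returns 2 if FILE is missing, 3 if it is empty (a failed export or upgrade).
write_manifest() {
    wm_file=$1
    [ -f "$wm_file" ] || { echo "write_manifest: no such file: $wm_file" >&2; return 2; }
    [ -s "$wm_file" ] || { echo "write_manifest: empty file: $wm_file" >&2; return 3; }
    wm_hash=$(sha256sum "$wm_file" | awk '{print $1}')
    printf '%s  %s\n' "$wm_hash" "$(basename "$wm_file")" > "$wm_file.sha256"
}

# verify_manifest FILE
# Run on the receiving side after FILE and FILE.sha256 have both been copied.
# Returns 0 on match, 1 on mismatch, 2 if a file is missing or the manifest
# does not start with a 64-character lowercase hex digest.
verify_manifest() {
    vm_file=$1
    vm_manifest="$vm_file.sha256"
    if [ ! -f "$vm_file" ] || [ ! -f "$vm_manifest" ]; then
        echo "verify_manifest: need both $vm_file and $vm_manifest" >&2
        return 2
    fi
    vm_want=$(awk 'NR == 1 {print $1}' "$vm_manifest")
    case $vm_want in
        ''|*[!0-9a-f]*) echo "verify_manifest: malformed manifest" >&2; return 2 ;;
    esac
    [ "${#vm_want}" -eq 64 ] || { echo "verify_manifest: malformed manifest" >&2; return 2; }
    vm_got=$(sha256sum "$vm_file" | awk '{print $1}')
    if [ "$vm_want" != "$vm_got" ]; then
        echo "verify_manifest: $vm_file does not match its manifest" >&2
        return 1
    fi
    return 0
}

# guarded_import FILE COMMAND [ARG...]
# Runs COMMAND only if FILE verifies; otherwise returns verify_manifest's code
# and COMMAND is never started. On the MDS, COMMAND would be the import line
# from the procedure, for example:
#   guarded_import "$cache" pv1_license_upgrade import -c "$cache"
guarded_import() {
    [ "$#" -ge 2 ] || { echo "usage: guarded_import FILE COMMAND [ARG...]" >&2; return 2; }
    gi_file=$1
    shift
    verify_manifest "$gi_file" || return $?
    "$@"
}
```

Copy the .sha256 file together with the package or cache file, and keep both until the import has completed.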


System-Wide License Upgrade Using the Wrapper

This license upgrade procedure applies to an online MDS version NG. An online machine is one that has a direct Internet connection to the Check Point User Center Web site.

To perform the license upgrade using the Wrapper:
1. At the MDS, run mds_setup and choose the Upgrade option.
2. The pre-upgrade verification begins.
   • Note the location of the messages generated by the verification tool: /opt/CPInstLog/verification_tools_report
   • The license upgrade status on the MDS and the CMAs is checked. Details are published in log files as to whether or not the license upgrade is needed for each CMA.
   • If a license upgrade is required, you are given the choice to upgrade licenses via the User Center before the software upgrade. To do so, you are required to supply your User Center account credentials. If the online machine is connected to the User Center via a proxy, provide the proxy details.
   • The new licenses are fetched from the User Center and installed.

3. The mds_setup wrapper then proceeds with the software upgrade.
4. Run the following command line tool on the MDS:
       pv1_license_upgrade import -c <cache_file>
   The default cache file is $CPDIR/conf/lic_cache.C. This imports the NGX licenses from the cache file to the CMA Repositories of every CMA.
5. Perform the software upgrade to NGX on the gateway machine(s).
6. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from NGX gateways.


System-Wide License Upgrade, After Software Upgrade

In This Section
License Upgrade for an Online MDS     page 236
License Upgrade for an Offline MDS    page 237

License Upgrade for an Online MDS
This procedure is not recommended. NGX software with NG licenses will not function.

Use this procedure for an online MDS of version NG. An online machine is one with Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

To perform a license upgrade for an online MDS:
1. Perform the software upgrade to NGX on the MDS Manager, MDS Container, and the MDG.
2. Run the following command line tool at the MDS (on SecurePlatform, you must be in expert mode):
   • If the MDS is directly connected to the User Center, run:
         pv1_license_upgrade upgrade
   • If the MDS is connected to the User Center via a proxy, run:
         pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
     The proxy port number is optional. Username and password (if any) are for the proxy machine.
   This does the following:
   • Collects all the licenses that exist on the MDS machine.
   • Verifies that all licenses can be upgraded, both for MDS and CMAs.
   • Fetches updated licenses from the User Center.
   • Builds a temporary cache file containing the NGX licenses.
   • Installs upgraded licenses for the MDS and CMAs.


3. Start the MDS by running:
       mdsenv
       mdsstart
4. Run the following command line tool at the MDS:
       pv1_license_upgrade import -C <cache file>
   The default cache file is $CPDIR/conf/lic_cache.C. This imports the NGX licenses from the cache file to the CMA Repositories of every CMA.
5. Perform the software upgrade to NGX on the gateway machine(s).
6. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from NGX gateways.

License Upgrade for an Offline MDS
This procedure is not recommended. NGX software with NG licenses will not function.

This license upgrade procedure applies to an MDS version NG, with no Internet connectivity to the Check Point User Center Web site.

To perform a license upgrade on an offline MDS:
1. Perform the software upgrade to NGX on the MDS Manager, MDS Container, and the MDG.
2. On the offline MDS, run the following command line tool:
       pv1_license_upgrade export -z <package_file>
   On SecurePlatform, run the command in expert mode. The export command packs all licenses on the machine, for all CMAs and the MDS, into a single package file.
3. Copy the output file package (containing the licenses) from the offline MDS to an online machine. The online machine does not need to be a Check Point-installed machine.
4. Copy the license_upgrade tool to the online machine. The tool is located at <platform>/LicenseUpgrade/ on the R65 CD, and in the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html


5. Run the appropriate command line tool on the online machine:
   • If the online machine is directly connected to the User Center, run:
         license_upgrade upgrade -i <input_file> -c <cache_file>
   • If the online machine is connected to the User Center via a proxy:
         license_upgrade upgrade -y <proxy:port> -i <input_file> -c <cache_file>
     Where <input_file> is the package file that is the result of step 2. This fetches new licenses from the User Center and puts them in a cache file.
   • Use the [O] option of the Wizard mode, and specify the package file that is the result of step 2, and the requested cache file. This fetches new licenses from the User Center and puts them in a cache file.
6. Copy the cache file (with the new licenses) back to the offline MDS machine.
7. Start the MDS services by running:
       mdsenv
       mdsstart
8. Run the following command line on the offline MDS:
       pv1_license_upgrade import -c <cache_file>
   This imports the new local machine licenses to the MDS and the CMAs.
9. Restart the MDS services by running:
       mdsenv
       mdsstart
10. Rerun the following command line on the offline MDS:
       pv1_license_upgrade import -c <cache_file>
    This imports the new licenses into the CMA license repositories on the MDS.
11. Perform the software upgrade to NGX on the gateway machine(s).
12. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from NGX gateways.

License Upgrade for a Single CMA

In This Section
License Upgrade for an Online MDS, Before Software Upgrade     page 239
License Upgrade for an Offline MDS, Before Software Upgrade    page 240
License Upgrade for an Online MDS, After Software Upgrade      page 242
License Upgrade for an Offline MDS, After Software Upgrade     page 243

License Upgrade for an Online MDS, Before Software Upgrade

Use this procedure to upgrade licenses for a single CMA on an online MDS version NG machine. An online machine is one that has Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

License upgrade operations occur both before and after the software upgrade. The license upgrade for the single CMA occurs before the software upgrade. The software upgrade occurs for all CMAs at the same time, when the MDS is upgraded. After the software upgrade, licenses for all CMAs are imported into the NGX CMA Repositories.

Note - If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. Refer to “Error: “License version might be not compatible”” on page 48 for details.

To perform a license upgrade for an online MDS, before a software upgrade:
1. Copy the pv1_license_upgrade and the license_upgrade tools to the MDS version NG machine. Copy them from the locations specified in “pv1_license_upgrade” on page 213 and “license_upgrade” on page 213.
2. On the MDS machine, enter the environment of the single CMA:
       mdsenv <cma_name>
3. Run the appropriate command line tool on the MDS:
   • If the MDS machine is directly connected to the User Center, run:
         license_upgrade upgrade
   • If the MDS machine is connected to the User Center via a proxy, run:

         license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
     The proxy port number is optional. Username and password (if any) are for the proxy machine.
   OR: Use the [U] Wizard mode option.
   This does the following:
   • Collects all the licenses that exist on the CMA.
   • Fetches updated licenses from the User Center.
   • Installs an upgraded license for the CMA, and saves upgraded CMA Repository licenses on the CMA.
4. Upgrade the software on the MDS.
5. Start the MDS services by running:
       mdsstart
6. Import new licenses of all CMAs into the NGX CMA Repositories by running:
       pv1_license_upgrade import -C <cache file>
   The default cache file is $CPDIR/conf/lic_cache.C. This imports the NGX licenses from the cache file to the CMA Repositories of every CMA.
7. Perform the software upgrade to NGX on the gateway machine(s).
8. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from NGX gateways.

License Upgrade for an Offline MDS, Before Software Upgrade

This procedure explains how to upgrade licenses for a single CMA on an offline MDS version NG machine, that is, one that does not have Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

License upgrade operations occur both before and after the software upgrade. The license upgrade for the single CMA occurs before the software upgrade. After the software upgrade, licenses for all CMAs are imported into the NGX CMA Repositories.

To perform a license upgrade on an offline MDS, before a software upgrade:
1. Copy the license_upgrade tool to the MDS version NG machine from the locations specified in “license_upgrade” on page 213.
2. At the MDS machine, enter the environment of the single CMA:
       mdsenv <cma_name>
3. Copy the licenses from this machine to a file using one of the following methods. On SecurePlatform, run the command in expert mode:
   • Run the appropriate command line tool on the offline target machine:
         license_upgrade export -z <package_file>
     The export command packs all licenses on the machine into a single package file.
   • Use the [U] wizard mode option.
4. Copy the output file package (containing the licenses) from the offline target machine to any online machine. The online machine does not need to be a Check Point-installed machine.
5. Copy the license_upgrade tool to the online machine.
6. Run the appropriate command line tool on the online machine:
   • If the online machine is directly connected to the User Center, run:
         license_upgrade upgrade -i <input_file> -c <cache_file>
   • If the online machine is connected to the User Center via a proxy, run:
         license_upgrade upgrade -y <proxy:port> -i <input_file> -c <cache_file>
     Where <input_file> is the package file that is the result of step 3. This fetches new licenses from the User Center and puts them in a cache file.
   • Use the [O] wizard mode option.
7. Specify the package file that is the result of step 3 and the requested cache file. This fetches new CMA licenses from the User Center and puts them in a cache file.
8. Copy the cache file (with the new CMA licenses) to the offline target machine.

9. Run the appropriate command line tool on the offline target machine:
       license_upgrade import -c <cache_file>
   OR Use the [U] wizard mode option.
10. Upgrade the software on the MDS.
11. Start the MDS services by running:
       mdsstart
12. Import new licenses of all CMAs into the NGX CMA Repositories. Run the command:
       pv1_license_upgrade import -c <cache file name>
13. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from NGX gateways.

License Upgrade for an Online MDS, After Software Upgrade

Use this procedure if the following conditions apply:
• The MDS software (including all CMAs) is already upgraded.
• MDS licenses are already upgraded to NGX, while the single CMA licenses and CMA Repository licenses remain to be upgraded.
• The MDS machine has Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

To perform the license upgrade:
1. Make sure that the CMA is running. The following command shows the status of all CMAs:
       mdsstat
2. On the MDS machine, enter the environment of the single CMA:
       mdsenv <cma_name>
3. Run the appropriate command line tool on the MDS:
   • If the MDS machine is directly connected to the User Center, run:
         license_upgrade upgrade
   • If the MDS machine is connected to the User Center via a proxy, run:
         license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>

     The proxy port number is optional. Username and password (if any) are for the proxy machine.
   OR use the [U] wizard mode option.
   This does the following:
   • Collects all the licenses that exist on the CMA.
   • Fetches updated licenses from the User Center.
   • Installs new licenses on the CMA.

License Upgrade for an Offline MDS, After Software Upgrade

This procedure assumes that:
• The MDS software (including all CMAs) is already upgraded.
• MDS licenses are already upgraded to NGX, while the single CMA licenses and CMA Repository licenses remain to be upgraded.
• The MDS machine does not have Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

To perform the license upgrade:
1. On the MDS machine, enter the environment of the single CMA:
       mdsenv <cma_name>
2. Copy the licenses from this machine to a file using one of the following commands. On SecurePlatform, run the following command in expert mode.
   • Run the following command line tool on the offline MDS:
         license_upgrade export -z <package_file>
     The export command packs all licenses on the machine into a single file package.
   • OR use the [U] wizard mode option.
3. Copy the output file package (containing the licenses) from the offline MDS to any online machine. The online machine does not need to be a Check Point-installed machine.

   • Copy the license_upgrade tool to the online machine. The tool is located at <platform>/LicenseUpgrade on the R65 CD, and in the Check Point Download site at http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
4. Run the appropriate command line tool on the online machine:
   • If the online machine is directly connected to the User Center, run:
         license_upgrade upgrade -i <input_file> -c <cache_file>
   • If the online machine is connected to the User Center via a proxy, run:
         license_upgrade upgrade -y <proxy:port> -i <input_file> -c <cache_file>
     Where <input_file> is the package file that is the result of step 2. This fetches new CMA licenses from the User Center and puts them in a cache file.
   OR Use the [O] wizard mode option. Specify the output file package that is the result of step 2. This fetches new CMA licenses from the User Center and puts them in a cache file.
5. Copy the cache file (with the new CMA licenses) to the MDS machine.
6. Run the following command on the MDS machine:
       mdsenv <cma_name>
7. Run the following command line on the offline target machine:
       license_upgrade import -c <cache_file>
   OR Use the [U] wizard mode option. The new CMA licenses are installed on the CMA.
8. Start the CMA services by running:
       mdsstart_customer <cma name>
9. Import new licenses of this CMA into the NGX CMA Repositories. Run mdsenv <cma name>)

10. Run the following command line on the offline target machine:
       license_upgrade import -c <cache_file>
    OR Use the [U] wizard mode option.
11. Perform the software upgrade to NGX on the gateway machine(s).
12. Connect to the MDS using the SmartUpdate component of the MDG, and for each CMA, delete all obsolete licenses from NGX gateways.

License Upgrade Using the User Center

License upgrade can be performed manually in the User Center. For instructions, refer to the Step by Step guide to the User Center at https://usercenter.checkpoint.com/pub/usercenter/faq_us.html

Licenses that are manually upgraded to NGX in the User Center, and are then manually added to the license Repository, are not assigned to any Gateway. The license must be manually attached to the Gateway using SmartUpdate.

SmartUpdate Considerations for License Upgrade

In SmartUpdate NG, the Licenses > Upgrade… menu item is intended for license upgrades from version 4.1 to NG. Do not use it to upgrade NG licenses to NGX.

Troubleshooting License Upgrade

License upgrade is usually a smooth and easy process. There are a few predictable cases where you may encounter some problems. Use this section to solve those license upgrade problems.

In This Section
    Provider-1 Pro Add-Ons for MDS License Upgrade
    Managing VPN-1 Power VSX With Provider-1

Provider-1 Pro Add-Ons for MDS License Upgrade

Symptoms
• Automatic license upgrade only succeeds for the license with the IP address of the last CMA for which the Change IP operation was performed.
• License upgrade fails on all other licenses.
• User Center Message (Error Code 118): The IP in the license string does not match the license IP in User Center. Perform Change IP operation in User Center or contact Customer Advocacy at US +1 817 606 6600, option 7 or e-mail AccountServices@ts.checkpoint.com.

Cause
To understand this issue, some background information is needed:
Pro Add-Ons for MDS is a bundled product that extends the SMART management capabilities of multiple CMAs by adding SmartUpdate, SmartDirectory, and SmartView Monitor.

Table 9-7 Part numbers of Pro Add-ons for MDS

Pro Add-ons for MDS
Customer    Version    Part Number
10          NG         CPPR-PRO-10-NG
25          NG         CPPR-PRO-25-NG
50          NG         CPPR-PRO-50-NG
100         NG         CPPR-PRO-100-NG
200         NG         CPPR-PRO-200-NG
250         NG         CPPR-PRO-250-NG

The CMA Pro Add-on licenses are generated in the User Center as follows:
1. Perform the Activate License operation on the Pro bundled product, using the IP address of the first CMA, to generate the license for this CMA.
2. For each additional CMA, perform the Change IP operation on the bundled product, and change to the IP address of this CMA.
3. Install each generated license on its respective CMA.

At the end of the license generation process, the User Center shows a license with the IP address of the last CMA for which the Change IP operation was performed. Only this last license is upgraded by the license upgrade process.

Resolution
1. On the MDS machine, run the appropriate console command:
• If the MDS is directly connected to the User Center, run:
    pv1_license_upgrade upgrade
• If the MDS is connected to the User Center via a proxy, run:
    pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
The proxy port number is optional. Username and password (if any) are for the proxy machine.
2. Save the following information:
• Log Files generated by the tool. The location of the files is printed to the screen when running the tool.
• The cache file generated when running the tool, $CPDIR/conf/lic_cache.C.
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.

Managing VPN-1 Power VSX With Provider-1

Symptoms
• Automatic license upgrade only succeeds for the license with the IP address of the last CMA for which the Change IP operation was performed.
• License upgrade fails on all other licenses.
• User Center Message (Error Code 118): The IP in the license string does not match the license IP in User Center. Perform Change IP operation in User Center or contact Customer Advocacy at US +1 817 606 6600, option 7 or e-mail AccountServices@ts.checkpoint.com.

Cause
To understand this issue, some background information is needed:
The customer purchases multiple CMAs in order to manage either one VSX Virtual System (VS) with each CMA, or manage a VS cluster with each CMA. The purchased VSX part numbers are listed in Table 9-8.

Table 9-8 Virtual Systems Extension - CMA Bundles

Virtual Systems Extension - CMA Bundles (Primary VSX-CMA)
Gateways    Version    Part Number
C10         NG         CPPR-VSX-CMA-C10-NG
C25         NG         CPPR-VSX-CMA-C25-NG
C50         NG         CPPR-VSX-CMA-C50-NG
C100        NG         CPPR-VSX-CMA-C100-NG
C250        NG         CPPR-VSX-CMA-C250-NG

The customer receives two licenses:
One license for the Provider-1 MDS Container product in Table 9-9 (depending on the number of VSs in Table 9-8). This license allows you to define the purchased number of CMAs.

Table 9-9 Provider-1 MDS Container

Provider-1 MDS Container
Customer    Version    Part Number
25          NG         CPPR-MDS-C25-NG
50          NG         CPPR-MDS-C50-NG
100         NG         CPPR-MDS-C100-NG
200         NG         CPPR-MDS-C200-NG
250         NG         CPPR-MDS-C250-NG

One license for the Provider-1 CMA product in Table 9-10 (to be installed on the CMA), that specifies the size of the VS cluster that the CMAs are allowed to manage. A license for a VS cluster of 1 Gateway allows the CMA to manage one VS. A license for a VS cluster of 2 Gateways allows the CMA to manage a cluster of two VSs, and so on.

Table 9-10 Provider-1 CMA

Provider-1 CMA (Primary CMA)
Gateways    Version    Part Number
1           NG         CPPR-CMA-1-NG
2           NG         CPPR-CMA-2-NG
4           NG         CPPR-CMA-4-NG

Provider-1 CMA product licenses are generated in the User Center as follows:
1. Perform the Activate License operation on the Provider-1 CMA product, using the IP address of the first CMA, to generate the license for this CMA.
2. For each additional CMA, perform the Change IP operation on the bundled product, and change to the IP address of this CMA.
3. Install each generated license on its respective CMA.

At the end of the license generation process, the User Center shows a license with the IP address of the last CMA for which the Change IP operation was performed. Only this last license is upgraded by the license upgrade process.

Resolution
1. On the MDS machine, run the appropriate console command:
• If the MDS is directly connected to the User Center, run:
    pv1_license_upgrade upgrade
• If the MDS is connected to the User Center via a proxy, run:

    pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
The proxy port number is optional. The username and password (if any) are for the proxy machine.
2. Save the following information:
• Log Files generated by the tool. The location of the files is printed to the screen when running the tool.
• The cache file generated when running the tool, $CPDIR/conf/lic_cache.C.
3. Contact Account Services at US +1 817 606 6600, option 7 or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.

Provider-1/SiteManager-1 Upgrade Practices

In This Section
    In-Place Upgrade
    Replicate and Upgrade
    Gradual Upgrade to Another Machine
    Migrating from a Standalone Installation to CMA
    MDS Post Upgrade Procedures

In-Place Upgrade

The in-place upgrade process takes place on the existing MDS machine. The MDS with all CMAs are upgraded during a single upgrade process.

Note - When upgrading Provider-1 to R65, all SmartUpdate packages on the MDS (excluding SofaWare firmware packages) are deleted from the SmartUpdate Repository.

License upgrade is also required when upgrading from versions prior to NGX. Provider-1/SiteManager-1 NGX cannot function with licenses from versions prior to NGX. It is therefore highly recommended to upgrade all Provider-1/SiteManager-1 NG licenses to NGX before upgrading the software to NGX.

1. Run the Pre-upgrade verification only option from mds_setup. In a multi-MDS environment, perform this step on all MDSes (refer to “Upgrading in a Multi-MDS Environment” on page 261 for details).
2. Make the changes required by the pre-upgrade verification, and if you have High Availability, perform the required synchronizations.
3. Test your changes:
   a. assign global policy
   b. install policy
   c. verify logging (through SmartView Tracker)
   d. view status (through MDG or SmartView Monitor)
4. Back up your system either by selecting the backup options in mds_setup or by running mds_backup.

5. Perform the license upgrade procedure prior to the MDS software upgrade as detailed in “System-Wide License Upgrade, Before Software Upgrade” on page 231. Follow the procedure for an online MDS or an offline MDS, as applicable.
6. Perform the in-place upgrade.
• For Solaris and Linux, use mds_setup (for additional information, refer to “Installation Script” on page 211).
• For SecurePlatform, run patch add cd (See “Upgrading to NGX R65 on SecurePlatform” on page 252).
7. After the upgrade completes, retest using the sub-steps in step 3 above.
8. Perform the license upgrade procedure after the MDS software upgrade as detailed in “System-Wide License Upgrade, Before Software Upgrade” on page 231. Follow the procedure for an online MDS or an offline MDS, as applicable.

Upgrading to NGX R65 on SecurePlatform

This section describes how to upgrade SecurePlatform R54 and later versions using a CD ROM drive.

To perform an upgrade on SecurePlatform:
1. Log in to SecurePlatform (expert mode is not necessary).
2. Apply the SecurePlatform R65 upgrade package:
    # patch add cd
3. You are prompted to verify the MD5 checksum.
4. Answer the following question:
    Do you want to create a backup image for automatic revert? Yes/No
If you select Yes, a Safe Upgrade is performed. Safe Upgrade automatically takes a snapshot of the entire system so that the entire system (operating system and installed products) can be restored if something goes wrong during the Upgrade process (for example, hardware incompatibility). If the Upgrade process detects a malfunction, it automatically reverts to the Safe Upgrade image. When the Upgrade process is complete, upon reboot you are given the option to start the SecurePlatform operating system using the upgraded version image or using the image prior to the Upgrade process.

Upgrading a Pre-NGX Version (on Linux 22) to NGX R65 (on RedHat Enterprise Linux 3.0)

This procedure is required if you intend to upgrade a Linux 22 platform machine — installed with a Provider-1 version prior to NGX — to RedHat Enterprise Linux 3.0 with Provider-1 R65. To upgrade to R65 from previous NGX versions, refer to “In-Place Upgrade” on page 251.

To perform the upgrade:
1. For each CMA, create a backup folder that contains subfolders (as described in Table 9-2 on page 215). These folders are used for backing up data files from a previously installed MDS version.
2. Create an additional folder for the global policy data by backing up all files in $MDSDIR/conf. These folders and their content must be accessible from the NGX machine after the operating system upgrade.
3. Perform a fresh RedHat Enterprise Linux 3.0 installation.
4. Perform a fresh installation of R65 MDS on the target machine. For additional information, refer to “Installation Script” on page 211.
5. Create customers and CMAs with the names used in the previous Provider-1 setup. Do not start the CMAs.
6. Migrate all the original CMAs’ data into the newly created CMAs (from the backup folders created in step 1), either by using Import Customer Management Add-on from the MDG or cma_migrate (refer to “cma_migrate” on page 214) for each CMA.
7. Use migrate_global_policies to import the global policies backed up in step 2 (refer to “migrate_global_policies” on page 218 for additional information).

Replicate and Upgrade

Choose this type of upgrade if you intend to change hardware as part of the upgrade process or if you want to test the upgrade process first. The existing MDS installation is copied to another machine (referred to as the target machine) by using the mds_backup and mds_restore commands.

To perform the Replicate and Upgrade process:
1. Back up your existing MDS. This can be done by running mds_backup or by running mds_setup and selecting the Backup option.
2. Install a fresh MDS on the target machine. To restore your existing MDS, first install a fresh MDS on the target machine that is the exact same version as your existing MDS.
Note - The target machine should be on an isolated network segment so that gateways connected to the original MDS are not affected until you switch to the target machine.
3. Restore the MDS on the target machine. Copy the file created by the backup process to the target machine and run mds_restore, or run mds_setup and select the Restore option.
4. If your target machine and the source machine have different IP addresses, follow the steps listed in “IP Address Change” on page 271 to adjust the restored MDS to the new IP address. If your target machine and the source machine have different interface names (e.g., hme0 and hme1), follow the steps listed in “Interface Change” on page 271 to adjust the restored MDS to the new interface name.
5. Test to confirm that the replication has been successful:
   a) Start the MDS.
   b) Verify that all CMAs are running and that you can connect to the MDS with MDG and Global SmartDashboard.
   c) Connect to CMAs using SmartDashboard.
6. Upgrade your MDS. Stop the MDS on the target machine and employ an In-Place Upgrade (for additional information, refer to “In-Place Upgrade” on page 251).

Gradual Upgrade to Another Machine

In a gradual upgrade, CMAs are transferred to another MDS machine of version R65, one CMA at a time.

In a gradual upgrade, the following information is not retained:
• Provider-1/SiteManager-1 Administrators
  To do: Redefine and reassign to customers after the upgrade.
• Provider-1/SiteManager-1 SmartConsole Clients
  To do: Redefine and reassign to customers after the upgrade.
• Policy assignment to customers
  To do: Assign policies to customers after the upgrade.
• Global Communities statuses.
  To do: execute the command:
    mdsenv
    fwm mds rebuild_global_communities_status all

To perform a gradual upgrade:
1. Install MDS of the target version onto the target machine.
2. On the target MDS, create a customer and CMA but do not start the CMA.
3. Use the migrate_assist utility to copy the CMA directories and files for each CMA from the source machine to the destination machine. For additional information, refer to “migrate_assist” on page 217.
4. Use cma_migrate to import the CMA. For additional information, refer to “cma_migrate” on page 214.
5. When the upgrade is from a version prior to NGX, refer to “System-Wide License Upgrade, Before Software Upgrade” on page 231. Follow the procedure for an online MDS or an offline MDS, as applicable.
6. Copy the following file to the target MDS:
    $CPDIR/conf/lic_cache.C
All NGX version CMA and MDS licenses reside in cp.license, and all licenses appear in the cache. This process transfers the NGX licenses for both the CMA and the CMA Repository.

7. Start the CMA and run:
    mdsenv
    mdsstart
8. To import the licenses that were upgraded to the CMA database from the cache file, which was copied from the NG version MDS, run:
    pv1_license_upgrade import -c <cache file name>
If not all licenses were successfully upgraded on the version NG MDS, perform the license upgrade for a single CMA, either “License Upgrade for an Online MDS, After Software Upgrade” on page 242, or “License Upgrade for an Offline MDS, After Software Upgrade” on page 243.
9. Use migrate_global_policies to import the global policies.

Gradual Upgrade with Global VPN Considerations

A gradual upgrade process in an MDS configuration that uses the Global VPN Communities (GVC) is not fundamentally different from the gradual upgrade process described above, with the following exceptions:
1. Global VPN community setup involves the Global database and the CMAs that are managing gateways participating in the global communities. When gradually upgrading a GVC environment, split the upgrade into two parts:
• one for all the CMAs that do not participate in the GVC
• one for CMAs that do participate with the GVC
2. If some of your CMAs have already been migrated and some have not and you would like to use the Global Policy, make sure that it does not contain gateways of non-existing customers. To test for non-existing customers, assign this Global Policy to a customer. If the assignment operation fails and the error message lists problematic gateways, you have at least one non-existing customer. If this occurs:
   a. Run the where used query from the Global SmartDashboard > Manage > Network Objects > Actions to identify where the problematic gateway(s) are used in the Global Policy. Review the result set, and edit or delete list items as necessary. Make sure that no problematic gateways are in use.
   b. The gateways must be disabled from global use:
      i. From the MDG’s General View, right-click a gateway and select Disable Global Use.

      ii. If the globally used gateway refers to a gateway of a customer that was not migrated, you can remove the gateway from the global database by issuing a command line command. First, make sure that the Global SmartDashboard is not running, and then execute the command:
    mdsenv
    remove_globally_used_gw <Global name of the gateway>
3. When issuing the command: migrate_global_policies where the existing Global Policy contains Global Communities, the resulting Global Policy contains:
• the globally used gateways from the existing database
• the globally used gateways from the migrated database
As a result of the migration, the Global Communities are overridden by the migrated database.
4. The gradual upgrade does not restore the Global Communities statuses, therefore, if either the existing or the migrated Global Policy contains Global Communities, reset the statuses from the command line (with MDS live):
    mdsenv
    fwm mds rebuild_global_communities_status all

Migrating from a Standalone Installation to CMA

This section describes how to migrate the management part of a standalone gateway to a CMA, and then manage the standalone gateway (as a module only) from the CMA.

Note - If you want the option to later undo the separation process, back up the standalone gateway before migrating.

Before migrating the management part of the standalone gateway to the target CMA, some adjustments are required before the standalone is exported to the CMA:
1. Make sure that:
• FTP access is allowed from the MDS machine (on which the target CMA is located) and the standalone machine. (This is only necessary if you plan to use migrate_assist.)
• The target CMA is able to communicate with and install policy on all managed modules.
2. Add an object representing the CMA (name and IP address) and define it as a Secondary SmartCenter server.
3. Install policy on all managed gateways.

4. Delete all objects or access rules created in steps 1 and 2.
5. If the standalone gateway has VPN-1 installed:
• Clear the VPN-1 option in the Check Point Products section of the Standalone gateway object. You may have to first remove it from the Install On column of your rulebase (and then add it again).
• If the standalone gateway participates in a VPN-1 community, remove it from the community and erase its certificate in the VPN tab.
Note these changes in order to undo them after the migration.
6. Save and close SmartDashboard. Do not install policy.
7. To migrate the management part to the CMA, run:
    migrate_assist <Standalone_GW_NAME><Standalone_GW_FWDIR><username> <password><target_dir><Standalone_GW_CPDIR>
command.
Note - The last parameter <Standalone_GW_CPDIR> is mandatory when running migrate_assist on NG versions.
8. Create a new CMA on the MDS, but do not start it.
9. Migrate the exported database of the standalone gateway into the CMA. Use cma_migrate or the import operation from the MDG, specifying as an argument the database location you used as <target_dir> in the migrate_assist command.
10. To configure the CMA after the migration, start the CMA. On the CMA, launch SmartDashboard.
11. In SmartDashboard, under Network Objects, locate:
• An object with the Name and IP address of the CMA which is the primary management object (migrated). Previous references to the standalone management object now refer to this object.
• An object for each gateway managed previously by the standalone station (except for the gateway on the standalone machine).
12. Edit the Primary Management Object and remove all interfaces (Network Object > Topology > Remove).
13. Create an object representing the gateway on the standalone machine (From New > Check Point > Gateway), and:
• Assign a Name and IP address for the gateway.
• Select the appropriate Check Point version.
• Select the appropriate Check Point Products you have installed.

• If the object previously belonged to a VPN-1 Community, add it back.
• Do not initialize communication.
14. Run Where Used on the primary management object and, in each location, consider changing to the new gateway object.
15. Install the policy on all modules, except for the standalone gateway. You may see warning messages about this module because it is not yet configured. These messages can be safely ignored.
16. Uninstall the standalone gateway.
17. Install a gateway only on the previous standalone machine.
18. From the CMA SmartDashboard, edit the gateway object created in step 12 and establish trust with that gateway.
19. On the same object, define the gateway's topology.
20. Install the Policy on the gateway.

MDS Post Upgrade Procedures

When upgrading an MDS machine from one of the supported versions, perform the following procedure immediately after completing the upgrade.

To perform post upgrade procedures:
1. Open a root command line on the MDS (either on a console or via ssh).
2. Set the MDS environment and stop all services by typing:
    mdsenv
    mdsstop
3. Go to the $MDSDIR/conf/mdsdb/ directory and make a backup of the objects_5_0.C file before it is changed. For example:
    #cd $MDSDIR/conf/mdsdb/
    #cp objects_5_0.C /tmp
4. Use the vi text editor to manually edit the objects_5_0.C file in the $MDSDIR/conf/mdsdb/ directory.
5. Find the line statement :use_sites. For example:
    /:use_sites
6. Edit the value and change it from true to false. For example:
    :use_sites (false)
7. Save the file and exit.
8. Start the MDS services by running:
    mdsenv
    mdsstart
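The backup and edit in steps 3 to 7 can also be scripted. The following is an added example, not part of the Check Point guide: it assumes the attribute is stored as :use_sites (true), mirroring the :use_sites (false) form shown in step 6, and the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): scripted form of the manual
# vi edit of objects_5_0.C described in the procedure above.
# Assumption: the attribute is stored as ":use_sites (true)", mirroring the
# ":use_sites (false)" form the guide shows. Function names are hypothetical.

# Print how many lines still carry ":use_sites (true)".
count_use_sites_true() {
    grep -c ':use_sites[[:space:]]*(true)' "$1" || true
}

# disable_use_sites FILE [BACKUP_DIR]
# Run it with the MDS services stopped, as the procedure requires.
disable_use_sites() {
    file=$1
    backup_dir=${2:-/tmp}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    if [ "$(count_use_sites_true "$file")" -eq 0 ]; then
        echo "$file: no :use_sites (true) entries, nothing changed" >&2
        return 0
    fi

    # Step 3 of the procedure: keep a copy of the file before it is changed.
    backup="$backup_dir/$(basename "$file").$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup" || return 1

    # Steps 5 and 6: change the value from true to false, nothing else.
    tmp="$file.new.$$"
    sed 's/\(:use_sites[[:space:]]*\)(true)/\1(false)/' "$file" > "$tmp" \
        || { rm -f "$tmp"; return 1; }

    # Refuse to install the result if any line other than a :use_sites
    # line differs from the backup.
    if diff "$backup" "$tmp" | grep '^[<>]' | grep -qv ':use_sites'; then
        echo "unexpected differences, $file left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # Overwrite in place so ownership and permissions of the file are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample in the general shape of an objects file; not real data.
make_sample_objects_file() {
    cat > "$1" <<'EOF'
(
    : (customer_a
        :use_sites (true)
        :other_flag (true)
    )
    : (customer_b
        :use_sites (true)
    )
    : (customer_c
        :use_sites (false)
    )
)
EOF
}
```

On the MDS the call would be disable_use_sites "$MDSDIR/conf/mdsdb/objects_5_0.C", made between the stop in step 2 and the start in step 8.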

Upgrading in a Multi-MDS Environment

In This Section
    Pre-Upgrade Verification and Tools
    Upgrading a Multi-MDS System

Multi-MDS environments may contain components of High Availability in MDS or at the CMA level. It may also contain different types of MDSes: managers, containers, or combinations of the two. In general, High Availability helps to reduce down-time during an upgrade. This section provides guidelines for performing an upgrade in a multi-MDS environment. Specifically, it explains the order of upgrade and synchronization issues.

Pre-Upgrade Verification and Tools

Run pre-upgrade verification on all MDSes before applying the upgrade to a specific MDS by choosing the Pre-Upgrade Verification Only option from mds_setup (for additional information, refer to “Pre-Upgrade Verifiers and Fixing Utilities” on page 210). Start upgrading the first MDS, only after you have fixed all the errors and reviewed all the warnings on all your MDSes.

Upgrading a Multi-MDS System

In This Section
    MDS High Availability
    Before the Upgrade
    After the Upgrade
    CMA High Availability

MDS High Availability

Communication between Multi-Domain Servers can only take place when the Multi-Domain Servers are of the same version. In a system with a single Manager MDS, there is a period of time when the Container MDSes are not accessible. If more than one Manager MDS exists, follow these steps:
1. Upgrade one Manager MDS. All other containers are managed from the other Manager MDS.
2. Upgrade all container MDSes. Each Container MDS that you upgrade is managed from the already upgraded Manager MDS.
3. Upgrade your second Manager MDS.

Following these steps promises continuous manageability of your container MDS. While containers do not accept SmartCenter connections, the CMAs on the container MDSes do. This means that even if you cannot perform global operations on the container MDS, you can still connect to the CMAs that reside on it.

Note - MLMs in a multi-MDS system need to be upgraded to the same version as the Manager and Container MDSs.

Before the Upgrade

1. Perform pre-upgrade verification for all MDSes.
2. Where the MDS version is pre-NGX, perform a license upgrade. Refer to “System-Wide License Upgrade, Before Software Upgrade” on page 231, up to and including step 5. Note that as an alternative to running pv1_license_upgrade upgrade on all MDSs, you can use the cache file generated on one MDS, on other MDSs, by copying it to the other MDSs and running:
    pv1_license_upgrade import -c <cache file name>
3. If the pre-upgrade verifier requires a modification to the global database, then, after modifying the global database, all other MDSes should be synchronized.
4. If this modification affects a global policy that is assigned to customers, then the global policy should be reassigned to the relevant customers, in order to repair the error in the CMA databases.
5. If a modification is required at the CMA level, then, after modifying the CMA database, synchronize the mirror CMA, if it exists. If the customer also has a CLM (on MLM), install the database on the CLM to verify that the modification is applied to the CLM as well.

Note - When synchronizing, make sure to have only one active MDS and one active CMA for each customer. Modify the active MDS/CMA and synchronize to Standby.

After the Upgrade

Complete the License upgrade to NGX. Continue with “System-Wide License Upgrade, Before Software Upgrade” on page 231, from step 7.

After upgrading an MDS or an MLM in a multi MDS environment, the CMA/CLM object versions (located in the CMA database) are not updated. In this case, when using SmartDashboard to connect to a CMA after the upgrade, additional CMA/CLMs are displayed with the previous version. If the CMA identifies the CLM version as earlier than the current CLM version, the following scenario takes place:
• A complete database installation from the CMA on the CLM does not take place and as a result, IP addresses and services are not completely resolved by the CLM.

To update the CLM/CMA objects to the most recent version, the following should be run on each MDS after upgrading all MLMs/MDSs:
    mdsenv
To update all CLM/CMA objects, run:
    $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
To update CLM/CMA objects that are located on a specific MLM/MDS, (in case other MDSs were not yet upgraded) run:
    $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <MLM/MDS name>
After running this utility, remember to synchronize all standby CMAs/SmartCenter backups. At this time, verify that all active CMAs are up and running with valid licenses and that SmartDashboard is not connected.

CMA High Availability

CMA High Availability can help minimize the period of management downtime during upgrade. While upgrading one of the MDS containers in the High Availability configuration, others can be used for managing enforcement points. The CMAs hosted on these MDSs need to be synchronized and defined as Active in order to do so. After successfully upgrading one of the MDS containers, its CMAs can become Active management servers for the duration of time required to upgrade the others.

The synchronization between the two CMAs in a High Availability configuration takes place only after MDS containers hosting both of them are upgraded. If policy changes are made on both CMAs during the upgrade process, after the upgrade one of the configurations overrides another and the collisions need to be resolved manually.

After the upgrade is completed on all the MDS containers, the High Availability status of the CMAs appears as Collision. To resolve this, every CMA High Availability pair needs to be synchronized. During the synchronization process, changes from one of the CMAs override the changes made to another.

To migrate CMA/SmartCenter High Availability deployment, use the migrate utility (refer to cma_migrate page 214), where the imported database is the primary CMA/SmartCenter Server, after verifying that it is synchronized. Likewise, perform these steps if you want to migrate your current High Availability environment to a CMA High Availability on a different MDS. Then, continue with a High Availability deployment (refer to the High Availability chapter in the Check Point Provider-1/SiteManager-1 Administration Guide).

Restarting CMAs

After completing the upgrade process, CMAs should be started sequentially using the command mdsstart -s.

Restoring Your Original Environment

In This Section
    Before the Upgrade
    Restoring Your Original Environment

Before the Upgrade

Pre-upgrade utilities are an integral part of the upgrade process. In some cases, you are required to change your database before the actual upgrade can take place or the Pre-Upgrade Verifier suggests you execute utilities that perform the required changes automatically. Even if you decide to restore your original environment, keep the changes you made as a result of the pre-upgrade verification.

Prepare a backup of your current configuration using the mds_backup utility from the currently installed version. Prepare a backup as the first step of the upgrade process and prepare a second backup right after the Pre-Upgrade Verifier successfully completes with no further suggestions.

Restoring Your Original Environment

To restore your original environment:
1. Removing the new installation:
   a. If the installation finished successfully, execute the mds_remove utility from the new version.
   b. If the installation stopped or failed before its completion, manually remove the new software packages. It may be easier for you to remove all Check Point installed packages and perform a fresh installation of the original version.
2. Perform mds_restore using the backup file. This restores your original environment just before the upgrade, after the pre-upgrade verification stage.

Renaming Customers

In This Section
    Identifying Non-Compliant Customer Names
    High Availability Environment
    Automatic Division of Non-Compliant Names
    Resolving Non-Compliance
    Advanced Usage

Previous Provider-1 versions allowed customer names or CMA names in Check Point 2000 to contain illegal characters, such as spaces and certain keyword prefixes. In NG with Application Intelligence, all customer names must adhere to the same restrictions as CMA names or any other network objects.

Identifying Non-Compliant Customer Names

The mds_setup utility performs several tests on the existing installation before an upgrade takes place. One of the tests is a test for customer names compliance with the new naming restrictions. If all customer names comply with the restrictions, no message is displayed. When a non-compliant customer name is detected, it is displayed on the screen, detailing the reason why the name was rejected.

High Availability Environment

In an MDS High Availability environment, non-compliance is detected on the first MDS you upgrade. The mds_setup utility identifies non-compliant names as more than a single MDS. Since this is non-compliant, an error message is issued.

Automatic Division of Non-Compliant Names

If the number of customers with non-compliant names is large, the translation task may automatically divide into several sessions. By default, all the intermediate work is saved.

Resolving Non-Compliance
During the upgrade procedure, after selecting Option 2 - Upgrade to NGX R65 on the mds_setup menu, the resolution of compliant names is performed. The translation prompt is only displayed if a non-compliant name is detected.

Translation prompt - Enter a name to replace the non-compliant name, or enter the '-' sign to get a menu of additional options. The new name is checked for naming restrictions compliance and is not accepted until you enter a compliant name.

Note - Nothing is changed in the existing installation when translating customer names. Any changes are applied only to the upgraded installation.

Additional Options Menu
Edit another name - The customer names are presented in alphabetical order. Choose this option to edit a customer name that was already translated, or any other customer name.

Note - The pre-upgrade tool allows only non-compliant customer names to be translated.

Skip this name - Choose this option if you are not sure what to do with this name and want to come back to it later. The upgrade cannot take place until all non-compliant customer names are translated.

Quit session and save recent translations - Choose this option if you want to save all the work that was done in this session and resume later.

Quit session and throw away recent translations - Choose this option if you want to abort the session and undo all the translations that you entered during this session.

Return to translation prompt - Choose this option if you want to return to the customer name you were prompted with when you entered '-'.

If the session is exited before all the translations are done, the mds_setup utility exits with an error message stating that the MDS verification failed. To return to the tool, simply run mds_setup again and choose Option 2 - Upgrade to NGX R65.

High Availability
After completing the translations on the first MDS, copy the following files to the other MDSes. If the MDSes are properly synchronized, no additional work is required.

Files to be copied:
/var/opt/CPcustomers_translated.txt
/var/opt/CPcustomers_translated.md5

When running the tool a second time, the customer names that have already been translated are shown before the first non-compliant name is displayed. This is also the case when running on an additional MDS.

Advanced Usage
An advanced user may choose to directly edit the translation file, /var/opt/CPcustomers_translated.txt. In this case, all the translations are verified when mds_setup is run again.

Translations file format - The file is structured line-wise. Each line's meaning is indicated by its first character. An empty line is ignored. Any line that does not obey the syntax causes the file to be rejected with an appropriate message.

Table 9-11 Line Prefixes
Line Prefix   Meaning                                      Comment
#             A comment line.                              May be inserted anywhere.
-             Existing non-compliant name.                 Must exactly match an existing non-compliant name, otherwise it will be rejected.
+             A translation for the preceding '-' line.    If the entry does not comply with the naming restrictions, it is ignored.

The '-' and '+' lines must form pairs. Otherwise, the file is rejected.

If the translations file is manually modified, the mds_setup detects it and displays the following menu:
1. Use the translations file anyway - Choose this option only if an authorized person modified it. This option reads the file, verifies its content and uses the translations therein.
2. Ignore the translations file and generate a new one - Choose this option to overwrite the contents of the file.
3. Quit and leave the translations file as it is - Choose this option to exit mds_setup and leave the translations file as is for now. Run mds_setup again when you are sure that option 1 or option 2 is suitable.
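The line-prefix rules above can be checked before a hand-edited translations file is given back to mds_setup. The following is an added example, not Check Point code: the function names are hypothetical, the sample file is constructed, and whitespace is the only naming restriction it checks because the full restriction list is not given here.

```bash
#!/usr/bin/env bash
# Added example (not Check Point code): structural lint for a customer-name
# translations file, following the '#', '-' and '+' line-prefix rules.

# lint_translations FILE
# Prints one message per problem. Returns 0 if the file is well formed,
# 1 if any rule is broken, 2 if the file cannot be read.
lint_translations() {
    local file=$1 line new lineno=0 open=0 pending_line=0 pairs=0 errors=0
    [ -r "$file" ] || { echo "cannot read: $file"; return 2; }

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '' | '#'*)
                ;;  # empty lines are ignored, comments may appear anywhere
            '-'*)
                # A second '-' before a '+' means the previous name is unpaired.
                if [ "$open" -eq 1 ]; then
                    echo "line $pending_line: '-' entry has no '+' translation"
                    errors=$((errors + 1))
                fi
                open=1
                pending_line=$lineno
                if [ -z "${line#-}" ]; then
                    echo "line $lineno: '-' line carries no name"
                    errors=$((errors + 1))
                fi
                ;;
            '+'*)
                new=${line#+}
                if [ "$open" -eq 0 ]; then
                    echo "line $lineno: '+' line without a preceding '-' line"
                    errors=$((errors + 1))
                else
                    case $new in
                        '' | *[[:space:]]*)
                            # Assumption: whitespace is the only restriction checked.
                            echo "line $lineno: translation '$new' is empty or contains whitespace"
                            errors=$((errors + 1)) ;;
                        *)
                            pairs=$((pairs + 1)) ;;
                    esac
                fi
                open=0
                ;;
            *)
                echo "line $lineno: unknown line prefix '${line%"${line#?}"}'"
                errors=$((errors + 1))
                ;;
        esac
    done < "$file"

    if [ "$open" -eq 1 ]; then
        echo "line $pending_line: '-' entry has no '+' translation"
        errors=$((errors + 1))
    fi
    echo "$pairs valid pair(s), $errors problem(s)"
    [ "$errors" -eq 0 ]
}

# write_sample FILE
# Constructed sample: two valid pairs and one '-' line left without a translation.
write_sample() {
    cat > "$1" <<'EOF'
# translations prepared before the upgrade (constructed sample)
-Acme West
+Acme_West

-fw customer
# renamed per change request
+fw_customer
-Branch 7
EOF
}

# Lint the file named on the command line, if one was given.
if [ "$#" -gt 0 ]; then
    lint_translations "$1"
fi
```

A file that passes this lint can still be refused by mds_setup, which also compares each '-' name against the existing customer names and applies the complete naming restrictions.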

Changing the MDS IP Address and External Interface

In This Section
IP Address Change
Interface Change

IP Address Change
If your target machine and the source machine have different IP addresses, follow the steps listed below it to adjust the restored MDS to the new IP address.

To change the IP address:
1. The MDS must be stopped. Stop the MDS by running mdsstop.
2. Change the IP address in $MDSDIR/conf/LeadingIP file to the new IP address.
3. Edit the $MDSDIR/conf/mdsdb/mdss.C file. Find the MDS object that has the source MDS IP address and change its IP address to the new IP address. Do not change the name of the MDS.
4. Install a new license on the target MDS with the new MDS IP address.
5. For multiple MDS/MLM environments, repeat steps 1 to 4 on each MDS/MLM for the MDS/MLM for which you changed the IP.

Interface Change
If your target machine and the source machine have different interface names (e.g., hme0 and hme1), follow the steps listed below to adjust the restored MDS to the new interface name.

To change the interface:
1. Change the interface name in file $MDSDIR/conf/external.if to the new interface name.
2. For each CMA, replace the interface name in $FWDIR/conf/vip_index.conf. For example, if this is an NG FP3 installation and you have a CMA named cma1, edit /opt/CPmds-53/customers/cma1/CPfw1-53/conf/vip_index.conf.

SmartDefense in Provider-1
When upgrading to R65, the previous SmartDefense configuration of the Customer is overridden on the first Global Policy Assign. It is recommended to save each Customer’s Security Policy so that the settings can be restored after upgrade. To do so, from the MDG, go to Customer Configuration window > Assign Global Policy tab, and enable Create database version.

Chapter 10
Upgrading SmartLSM ROBO Gateways

In This Chapter
Planning the ROBO Gateway Upgrade
ROBO Gateway Upgrade Package to SmartUpdate Repository
License Upgrade for a VPN-1 Power/UTM ROBO Gateway
Upgrading a ROBO Gateway Using SmartLSM
Using the Command Line Interface

Planning the ROBO Gateway Upgrade
When you upgrade your SmartCenter server, it is recommended to upgrade the ROBO gateways managed by SmartLSM so that they are compatible with the latest features and functionalities. This chapter describes how to upgrade your ROBO gateways.

The general workflow for upgrading ROBO gateways comprises the following steps:
1. For VPN-1 Power/UTM ROBO gateways, in SmartDashboard, define new SmartLSM Profile objects for the new version and install the respective policies on these objects. This Install Policy operation only compiles the policy, it does not send it to any gateway. The compiled policy is automatically fetched later by the relevant ROBO gateways, following their upgrade.
2. Add the upgrade package to the SmartUpdate package repository. For additional information, refer to “ROBO Gateway Upgrade Package to SmartUpdate Repository” on page 275.
3. For VPN-1 Power/UTM ROBO gateway versions prior to NGX, upgrade ROBO Gateway licenses from version NG to NGX. For additional information, refer to “License Upgrade for a VPN-1 Power/UTM ROBO Gateway” on page 276.
4. Upgrade your ROBO Gateways in one of the following ways:
   • Using SmartLSM (refer to “Upgrading a ROBO Gateway Using SmartLSM” on page 278)
   • Using the SmartLSM Command Line Interface (refer to “Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli” on page 284).

When upgrading VPN-1 Power/UTM ROBO gateways, the upgrade process removes the initial Plug & Play license from your gateway. Trying to perform a remote upgrade on a gateway without a valid NGX license will succeed, but this gateway will not be able to load the correct policy after the upgrade. Make sure that all gateways have valid permanent NG and NGX licenses installed before the upgrade.

ROBO Gateway Upgrade Package to SmartUpdate Repository
Once you have launched SmartUpdate, add the packages needed for the upgrade to the SmartUpdate package repository. VPN-1 UTM Edge Firmware packages are added the same way. For details on how to add packages to the Package Repository, refer to the SmartUpdate chapter of the R65 SmartCenter Administration Guide.

License Upgrade for a VPN-1 Power/UTM ROBO Gateway
The general workflow for upgrading ROBO gateway licenses to NGX comprises the following steps:
1. Upgrade the licenses using any of the procedures described in “Upgrading Licenses for Products Prior to NGX” on page 29. Upgrading SmartCenter licenses also upgrades all ROBO Gateway licenses.
2. Use SmartLSM to Attach the upgraded licenses to each ROBO Gateway, one ROBO at a time, as described in “Using SmartLSM to Attach the Upgraded Licenses” on page 276.
3. Upgrade the software on the ROBO Gateway, as described in “Upgrading a ROBO Gateway Using SmartLSM” on page 278.

Using SmartLSM to Attach the Upgraded Licenses
To attach the upgraded licenses:
1. On the SmartConsole GUI client machine, open SmartLSM.
2. For each ROBO Gateway, open the Edit VPN-1 Power/UTM ROBO Gateway window, and select the Licenses tab. All licenses that are attached to this ROBO gateway are shown. If the license upgrade succeeded, the window will report that: There are un-attached licenses that are assigned to this ROBO.
3. Add those licenses that are assigned to this ROBO from the SmartLSM License Repository to the Licenses window. You can do this by performing one of the following two options. The first way is easier:
   • Click Add these licenses to the list.
   • Click Add, and then select those licenses that are assigned to this ROBO.
   The added assigned licenses are shown grayed-out because they are not yet attached.
4. Click OK to attach the Assigned Licenses to this ROBO. The ROBO gateway now has both NG and NGX licenses. The Licenses window shows that the NGX license is Attached, and the NG license is Obsolete, meaning that it is no longer needed. The NG license is useful because if you need to downgrade the Gateway version, the Gateway will keep on working.
5. Repeat from step 2 for each ROBO gateway.

License Upgrade on Multiple ROBO Gateways
You can use scripting to upgrade licenses on multiple ROBO gateways. For additional information, refer to “Example: License Upgrade on Multiple ROBO Gateways” on page 287.

Upgrading a ROBO Gateway Using SmartLSM

In This Section
Upgrading a VPN-1 Power/UTM ROBO Gateway
Upgrading a VPN-1 UTM Edge ROBO Gateway
Upgrading a VPN-1 Power/UTM ROBO Gateway In Place

Upgrading a VPN-1 Power/UTM ROBO Gateway
There are two methods for upgrading a VPN-1 Power/UTM Gateway, the Full Upgrade and the Specific Install.

Full Upgrade
This method automatically performs all the required checks and actions for you. When it successfully completes, the upgraded ROBO Gateway is ready for use. This is the recommended method to upgrade VPN-1 Power/UTM ROBO Gateways.

To perform a full upgrade:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO Gateway to be upgraded.
2. Select Actions > Packages > Upgrade All Packages. This selection can also be done through the right-click menu, or the Upgrade All Packages icon in the toolbar. The upgrade process begins with a verification stage, checking which version is currently installed on the gateway and whether the required packages exist in your Package Repository. When it completes, a Verification Details window opens, showing you the verification results.
3. Select Change to a new Profile after upgrade, and select the appropriate new SmartLSM Profile from the list.
4. Select Allow reboot if required.
5. Click the Continue button. The Upgrade process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The entire progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).

Specific Installation
This method can be used to install a specific product on a ROBO Gateway.

To perform a specific installation:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO gateway you want to upgrade.
2. Select Actions > Packages > Get Gateway Data to fetch information about Packages currently installed on the VPN-1 Power/UTM ROBO gateway.
3. Select Actions > Packages > Distribute Package… or right-click menu, and select Distribute Package…, or click the icon in the toolbar. The Distribute Package window opens. This window displays the relevant packages from the Package Repository that can be installed on your VPN-1 Power/UTM ROBO gateway.
4. In the Distribute Package window, select the package you want to install. You can then select one of the following actions:
   • Distribute and install packages
   • Only distribute packages (install later)
   • Install previously distributed packages
5. The Allow Reboot if required option should be selected only when upgrading VPN-1. The gateway is rebooted after the package installation is completed. If you do not select this option, manually reboot the gateway from its console.
   Note - If you are doing a step-by-step upgrade, do not select Allow Reboot if required.
6. If the operating system is SecurePlatform, you can select Backup image for automatic revert, in case the installation does not succeed.
7. The option Change to a new profile after install lets you select the SmartLSM Profile that will be assigned to the package upon installation. When upgrading the VPN-1 Power/UTM ROBO gateway, you must provide a suitable SmartLSM Profile from the target version. If you are installing a package that does not require changing the SmartLSM Profile of the VPN-1 Power/UTM ROBO gateway, this field remains disabled.
8. Click the Start button.

9. The Install process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The whole progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).

Note - You can verify if the installation will succeed before actually upgrading the ROBO Gateway by choosing Actions > Packages > Verify Installation.

Upgrading a VPN-1 UTM Edge ROBO Gateway
To upgrade the gateway:
1. From SmartLSM, select the line representing the VPN-1 UTM Edge ROBO gateway you want to upgrade, and choose Edit > Edit ROBO gateway… This selection can also be done through the right-click menu, or the Edit ROBO gateway icon in the toolbar, or by double-clicking the ROBO line.
2. Select the Firmware tab.
3. Select the Use the following firmware option, select the desired firmware from the list, and click OK.

The VPN-1 UTM Edge ROBO gateway fetches and installs the new firmware the next time it automatically checks for updates. In order for the firmware upgrade to take effect immediately, restart the ROBO Gateway by selecting Actions > Restart gateway.

Upgrading a VPN-1 Power/UTM ROBO Gateway In Place
You can upgrade a ROBO gateway In Place (from the ROBO gateway's console), just like an In Place upgrade of a regular gateway. Following the upgrade, update the new version on the SmartLSM side, and select a new SmartLSM Profile for the gateway.

To upgrade a gateway In Place:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO gateway you just upgraded, and select Edit > Edit ROBO gateway… or right-click the Edit ROBO gateway icon in the toolbar, or double-click the ROBO line. The Edit window opens in the General tab.
2. From the Version menu, select the new version of the upgraded gateway.
3. From the Profile menu, select a new SmartLSM Profile for the upgraded gateway.
4. Click OK to close the window. The policy and properties of the new SmartLSM Profile are applied on the ROBO Gateway the next time it automatically checks for updates.
5. In order for the SmartLSM Profile change to take effect immediately, restart the ROBO Gateway by selecting Actions > Restart Gateway.

Using the Command Line Interface

In This Section
SmartLSM Upgrade Tools
Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli
Upgrading a VPN-1 UTM Edge ROBO Gateway Using LSMcli
Using the LSMcli in Scripts

SmartLSM Upgrade Tools

LSMcli
The LSM Command Line Interface (LSMcli) is an alternative to SmartLSM. LSMcli provides the ability to perform SmartLSM operations from a command line or through a script. It also enables you to upgrade a ROBO Gateway. When used in scripts it allows you to perform batch upgrades.

The LSMcli tool is contained in the SmartCenter installation package on the SmartCenter server machine. It can be run on your SmartCenter server, or it can be copied to and run on another host with the same operating system. The host does not need to be a Check Point-installed machine, but it must be:
• Defined on the SmartCenter server as a GUI Client.
• Reachable through the network from the SmartCenter server.
• Use the same Operating System as the SmartCenter server.

For general usage and help, type the command LSMcli --help.

The LSMcli command line arguments are fully described in the Command Line Reference chapter of the R65 SmartLSM Administration Guide. A partial list of arguments is shown in Table 10-1, which lists only the arguments that are important for performing upgrades.

Table 10-1 LSMcli Command line arguments for upgrades
Argument                     Meaning
-d                           (Optional) Run the command with debug output.
Server                       The IP or hostname of the SmartCenter server.
User Password                The username and password of a SmartCenter Administrator.
ROBO                         The name of the ROBO Gateway to be upgraded.
-F Firmware                  The firmware version of the VPN-1 UTM Edge ROBO Gateway.
-P=Profile                   (Optional) The SmartLSM Profile name the ROBO Gateway will be mapped to after a successful upgrade. You must specify the new SmartLSM Profile when upgrading the VPN-1 version. This is not necessary when installing Hotfixes or other packages.
-boot                        (Optional) Use this option only when upgrading VPN-1. If you do not use this option, manually reboot the gateway from its console.
-DoNotDistribute             (Optional) Install previously distributed packages.
Product Vendor Version SP    To view the list of packages available in the repository, use the ShowRepository LSMcli command. (Command usage is described in the R65 SmartLSM Administration Guide).

Export
The export tool is located in your SmartLSM application, under File > Export to File. Use this tool to export a ROBO Gateway’s properties into a text file that you can turn into a script in order to perform batch upgrades.

Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli
For descriptions of the command line arguments for the following commands, refer to Table 10-1 on page 283.

To verify that a Full Upgrade of a ROBO Gateway will succeed, execute:
    LSMcli [-d] <Server> <User> <Password> VerifyUpgrade <ROBO>

To perform a Full Upgrade of a ROBO gateway, execute:
    LSMcli [-d] <Server> <User> <Password> Upgrade <ROBO> [-P=Profile] [-boot]

To see which product packages are available in your package repository, execute:
    LSMcli [-d] <Server> <User> <Password> ShowRepository

To verify that a Specific Install on a ROBO gateway will succeed, execute:
    LSMcli [-d] <Server> <User> <Password> VerifyInstall <ROBO> <Product> <Vendor> <Version> <SP>

To perform a Specific Install on a ROBO gateway, execute:
    LSMcli [-d] <Server> <User> <Password> Install <ROBO> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot] [-DoNotDistribute]

To only distribute a package, execute:
    LSMcli [-d] <Server> <User> <Password> Distribute <ROBO> <Product> <Vendor> <Version> <SP>

To view a list of packages that can be installed on a specific ROBO gateway, execute:
    LSMcli [-d] <Server> <User> <Password> GetCandidates <ROBO>

To get data about a specific ROBO gateway, execute:
    LSMcli [-d] <Server> <User> <Password> GetInfo <ROBO>

Note - It is recommended to use the Full Upgrade method to upgrade VPN-1 Power/UTM ROBO Gateways.

Example: Upgrading a Single VPN-1 Power/UTM ROBO Gateway
    % LSMcli MyServer John mypassword VerifyUpgrade ROBO17
    % LSMcli MyServer John mypassword Upgrade ROBO17 -P=MyNewProfile

Where:
MyServer = the name of my SmartCenter server.
John = the administrator’s name.
mypassword = the administrator’s password.
VerifyUpgrade = the Full Upgrade verification command.
Upgrade = the Full Upgrade command.
ROBO17 = the VPN-1 Power/UTM ROBO Gateway to be upgraded.
MyNewProfile = the new SmartLSM Profile that ROBO17 will be mapped to after the upgrade.

Upgrading a VPN-1 UTM Edge ROBO Gateway Using LSMcli
For descriptions of the command line arguments for the following commands, refer to Table 10-1 on page 283.

To see which product packages are available in your package repository, execute:
    LSMcli [-d] <Server> <User> <Password> ShowRepository

To upgrade a VPN-1 UTM Edge ROBO gateway, execute:
    LSMcli [-d] <Server> <User> <Password> ModifyROBO VPN1Edge <ROBO> [-P=Profile] [-F=Firmwarename]

If you want the firmware update to take effect immediately, execute:
    LSMcli [-d] <Server> <User> <Password> Restart <ROBO>

Example: Upgrading a Single VPN-1 UTM Edge ROBO Gateway
    % LSMcli MyServer John mypassword ModifyROBO VPN1Edge ROBO101 -P=EdgeNewProfile -F=4.0.23
    % LSMcli MyServer John mypassword Restart ROBO101

Where:
MyServer = the name of my SmartCenter server.
John = the administrator's name.
mypassword = the administrator's password.
ModifyROBO VPN1Edge = the command to modify a property on a VPN-1 UTM Edge ROBO gateway.
ROBO101 = the Edge ROBO Gateway to be upgraded.
EdgeNewProfile = the new SmartLSM Profile that ROBO101 will be mapped to after the upgrade (optional).
4.0.23 = the name of the new Firmware package.
Restart = the command to restart the gateway.

Using the LSMcli in Scripts
Scripting can be very handy when you want to upgrade multiple ROBO Gateways in batches.

Example: Using the LSM CLI to write a script to upgrade multiple ROBO Gateways
Create the following script and run it:
    LSMcli MyServer John mypassword Upgrade ROBO17 -P=MyNewProfile
    LSMcli MyServer John mypassword Upgrade ROBO18 -P=MyNewProfile
    LSMcli MyServer John mypassword Upgrade ROBO19 -P=MyOtherProfile

Example: License Upgrade on Multiple ROBO Gateways
To upgrade licenses on multiple ROBO Gateways, create a script that runs the LSMcli command with the AttachAssignedLicenses option on all ROBO Gateways. The AttachAssignedLicenses option is equivalent to doing step 3 and step 4 on page 276 in SmartLSM. The command is:
    LSMcli [-d] <Server> <User> <Password> AttachAssignedLicenses VPN1 <ROBO>

For example:
    LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO17
    LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO18
    LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO19
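The two batch scripts above can be combined so that each gateway gets its licenses attached, is verified, and is upgraded only if verification passed. This is an added example, not Check Point code: the list file format, the LSM_PASSWORD and LSMCLI variables and the function names are hypothetical, and it assumes LSMcli returns a non-zero exit status when a command fails.

```bash
#!/usr/bin/env bash
# Added example (not Check Point code): per-gateway batch upgrade that follows
# the order license attach -> VerifyUpgrade -> Upgrade, and skips the upgrade
# of any gateway whose earlier step failed.
# Assumption: LSMcli exits non-zero on failure.

# Name or path of the LSMcli binary; can be overridden for a dry run.
LSMCLI=${LSMCLI:-LSMcli}

# run_lsm SERVER USER COMMAND [ARGS...]
# The password comes from $LSM_PASSWORD so that it is not stored in the script.
run_lsm() {
    local server=$1 user=$2
    shift 2
    # stdin is detached so LSMcli cannot consume the gateway list being read.
    "$LSMCLI" "$server" "$user" "$LSM_PASSWORD" "$@" </dev/null
}

# upgrade_robo SERVER USER ROBO PROFILE
upgrade_robo() {
    local server=$1 user=$2 robo=$3 profile=$4
    run_lsm "$server" "$user" AttachAssignedLicenses VPN1 "$robo" ||
        { echo "$robo: license attach failed, not upgraded"; return 1; }
    run_lsm "$server" "$user" VerifyUpgrade "$robo" ||
        { echo "$robo: verification failed, not upgraded"; return 1; }
    run_lsm "$server" "$user" Upgrade "$robo" "-P=$profile" ||
        { echo "$robo: upgrade failed"; return 1; }
    echo "$robo: upgraded, profile $profile"
}

# upgrade_batch SERVER USER LISTFILE
# LISTFILE (format assumed for this example): one "ROBO PROFILE" pair per
# line; empty lines and lines starting with '#' are skipped.
# Returns 0 only if every listed gateway was upgraded, 2 if no password is set.
upgrade_batch() {
    local server=$1 user=$2 list=$3 robo profile extra ok=0 failed=0
    [ -n "${LSM_PASSWORD:-}" ] || { echo "LSM_PASSWORD is not set" >&2; return 2; }

    while read -r robo profile extra || [ -n "$robo" ]; do
        case $robo in
            '' | '#'*) continue ;;
        esac
        if [ -z "$profile" ] || [ -n "$extra" ]; then
            echo "$robo: expected 'ROBO PROFILE', line skipped"
            failed=$((failed + 1))
            continue
        fi
        if upgrade_robo "$server" "$user" "$robo" "$profile"; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
    done < "$list"

    echo "$ok upgraded, $failed failed"
    [ "$failed" -eq 0 ]
}

# Usage (constructed names, as in the examples above):
#   LSM_PASSWORD=... upgrade_batch MyServer John robo-list.txt
```

Because the LSMcli syntax takes the password as an argument, it is still visible in the process list of the host while each command runs, so run the batch from a host where only administrators have shell access.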


Chapter 11
Upgrading Eventia

In This Chapter
Overview
Upgrading Eventia Reporter
Upgrading Eventia Analyzer

Overview
Eventia Reporter of version R56 and higher can be upgraded to R65. Eventia Analyzer of version 1.0 and higher can be upgraded to R65.

Upgrading Eventia Reporter
For Standalone Deployments
A Standalone Deployment upgrade refers to a previous Eventia Reporter version that is installed on a SmartCenter Server. To upgrade Eventia Reporter in a Standalone Deployment perform the following steps:

In This Section
Windows Platform
Solaris / Linux Platform
SecurePlatform

Windows Platform
1. In order to begin the installation, log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Agree to the License Agreement and click Forward.
3. Select Upgrade and click Forward.
4. Continue following the instructions. The instructions that appear will differ according to your deployment.
5. Indicate whether to add new products by selecting the Add new products option and click Forward. A list of the products that will be upgraded appears. Click Forward. Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management).
6. Verify the default directory, or browse to a new location in which Eventia Reporter will be installed.
7. Verify the default directory, or browse to a new location in which the output files created by Eventia Reporter will be generated. Click Next and reboot the machine in order to complete the installation of the Eventia Reporter and to continue with the next phase of the installation.
8. Launch SmartDashboard.
9. Install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make the Eventia Reporter fully functional.

Solaris / Linux Platform
1. In order to begin the installation, mount the CD on the relevant subdirectory and launch the wrapper as follows:
2. In the mounted directory, run the script: UnixInstallScript.
3. Read the End-User License Agreement (EULA) and if you accept click Yes.
4. Continue from step 3 on page 290 in order to complete the process.

SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.
2. Continue from step 3 on page 290 in order to complete the process.

For Distributed Deployments
A Distributed Deployment upgrade refers to a previous Eventia Reporter version that is installed on a dedicated machine and an Eventia Reporter Add-on installed on a SmartCenter Server or MDS (for versions prior to R63). To upgrade Eventia Reporter in a distributed deployment, install NGX R65 on the old Reporter Server and migrate the previous add-on from the SmartCenter Server to the Reporter Server.

Upgrade Eventia Reporter to the new NGX R65
1. Before upgrading, open the Eventia Reporter client.
2. Go to Management > Consolidation > Sessions and stop all consolidation sessions by selecting Stop > Terminate. Verify that all the consolidation sessions have a Stopped status before closing Eventia Reporter.
3. Run cpstop and wait until the mysql and log_consolidator processes stop.
4. Install NGX R65 on the previous Reporter Server.

Migrate the Add-on to the Eventia Reporter Server
To upgrade from versions prior to R63, export and import the Add-on. Prior Eventia Reporter Add-on versions that contain Eventia Reporter definitions and statuses should be copied to the machine on which Eventia Reporter is installed.

To migrate the add-on to the Eventia Server:
1. Run cpstop on both the target machine (Eventia Reporter) and the original machine (the Add-on machine).
2. Copy the script evr_addon_export from the directory $RTDIR/conf in the R65 Eventia Reporter Server to the SmartCenter or MDS Server.
3. Invoke evr_addon_export on the SmartCenter or MDS Server. This generates a file called evr_addon_tables.tgz in the same location as evr_addon_export.
4. Copy evr_addon_tables.tgz to the $RTDIR/bin directory on the target R65 Eventia Reporter Server.
5. On the Eventia Reporter Server run svr_install --import evr_addon_tables.tgz.
6. Run cpstart on both the target and original machine.
7. Open the Eventia Reporter client and start the Consolidation Sessions if needed.

Note - After upgrading Eventia Reporter, the GUI client must be defined on the Eventia Reporter Server. To do this run cpconfig and select GUI Clients.

Note - After upgrading Eventia Reporter in a Provider-1 environment you should select a customer(s) that will initiate a synchronization with the CMA of the selected customer. To do this select Tools > Customer Activation in the Eventia Reporter client, select the relevant customers and click OK.


Advanced Eventia Reporter Upgrade
To perform a full export that includes all of the Eventia Reporter data:
1. On the original (SmartCenter) machine, run cpstop.
2. Back up the database data. The location of the database data files is specified in the mysql configuration file my.ini (Windows) or my.cnf (all other platforms). The mysql configuration file is located in the directory $RTDIR/Database/conf/.
3. With a text editor, open the mysql configuration file. Locate the lines:
   • datadir=
   • innodb_log_group_home_dir=
   • innodb_data_file_path=
   Copy the directory paths pointed to by these entries. For example, the default entries for a Windows installation are:

   [mysqld]
   datadir="C:/Program Files/CheckPoint/EventiaReporter/R60/ReportingServer/Database/data"
   innodb_log_group_home_dir="C:/Program Files/CheckPoint/EventiaReporter/R60/ReportingServer/Database/log"
   innodb_data_file_path = ibdata1:10M:autoextend:max:40G

   The third entry, innodb_data_file_path, records database files that were added or moved to absolute locations (for example, if the command UpdateMySQLConfig -A or UpdateMySQLConfig -M has been applied). These files should be copied as well. Make sure to copy the database data files to a location that is accessible from the target machine, and when copying directories, include their sub-directories.
4. Back up any company logo image file(s) in $RTDIR/bin.
5. Back up any custom distribution scripts in $RTDIR/DistributionScripts.
6. Run the CD wrapper and perform the Export operation.
7. On the target machine, run the Advanced Upgrade procedure.
8. Run cpstop.
9. Delete the content of the target directories datadir and innodb_log_group_home_dir.


10. Copy the database files from the backup to the target machine.
11. If the original SmartCenter server is of a version prior to NGX R65, the database needs to be upgraded. To upgrade the database:
    a. Open a console and cd to the installation directory bin. For Windows, the default location is C:\Program Files\CheckPoint\EventiaSuite\R65\bin. For other platforms, the default location is /opt/CPrt-R65/svr/bin
    b. Run the following script:
       • For Windows: evr_upgrade_db
       • For other platforms: ./evr_upgrade_db
12. If necessary, modify the following fields in the mysql configuration file to match the locations of the database data files:
    • datadir=
    • innodb_log_group_home_dir=
    • innodb_data_file_path=
    The locations were copied in step 3.
    Note - Make sure that the paths are written in Unix format, with a forward (/) slash between directories
13. Copy your company logo image file(s) to $RTDIR/bin.
14. Copy your distribution scripts to the directory $RTDIR/DistributionScripts. (Be sure to verify that the script is supported in the platform to which you are migrating.)
15. Run cpstart.
16. Start a consolidation session in the Management tab of the Eventia Reporter Client.

Enabling Eventia Analyzer after Upgrading Reporter
After upgrading Eventia Reporter from a previous version, only the Eventia Reporter components will be enabled. To enable the Eventia Analyzer components (analyzer or correlation unit) as well, run:
1. cpstop
2. evconfig
   While running evconfig, enable Analyzer Server or the Correlation Unit.
3. cpstart

Upgrading Eventia Analyzer
The process consists of:
• Upgrading Eventia Analyzer to R65
• Verifying that the events database has been successfully moved to its new location
• Enabling Eventia Reporter (optional)

Upgrading Eventia Analyzer to NGX R65
Eventia Analyzer can be upgraded to NGX R65:
• Directly from version NGX R63
• Indirectly from any version prior to NGX R63.
a. If you wish to upgrade from version 1.0, first upgrade to version 2.0, then upgrade to R63, and then to R65.
b. If you wish to upgrade from version 2.0, first upgrade to R63 then to R65
For more detailed information on upgrading to R63, see the CheckPoint_R63_EventiaSuite_UpgradeGuide.pdf

Prerequisites
Before upgrading to Analyzer NGX R65, note the path to the current database file: $RTDIR/events_db/events.sql, where $RTDIR is a variable that contains the path of the previous Eventia Analyzer installation. In R63, the default path:
• For Windows is C:\Program Files\CheckPoint\EventiaSuite\R63
• For Unix platforms is /opt/CPrt-R63
This path is changed during the upgrade process.

Upgrading Analyzer on SecurePlatform
1. Insert the R65 installation CD into the disk drive and run patch add cd.
2. Confirm the MD5 checksum.
3. Select whether to create a backup image for automatic revert (recommended).
4. The Welcome message is displayed.

Select upgrade option. Upgrading Analyzer on a Windows Platform 1. Decide whether to install additional Check Point products. Select a source for the NGX R65 upgrade utilities. or choose to continue without one. 6. 3. Validate the products in the products list. Insert the NGX R65 Installation disk into the disk drive. Read and accept the license agreement. 8. Chapter 11 Upgrading Eventia 297 . 2. Download or import a service contract file. 9. 4. Select a destination location. upgrade your license. Decide whether to copy log files now or manually copy them later. 5. 10. Select to upgrade installed products. 7. Once the upgrade has completed. 6. 8. Insert the NGX R65 installation CD into the disk drive. 12. 11. Reboot once the upgrade is complete. Perform the pre-upgrade verification check. Validate the products in the products list. Select the first option: upgrade. Select a source for the NGX R65 upgrade utilities. Read and Accept the license agreement. 4. 7. or choose to continue without one. 5. Read and accept the license agreement. 9. or choose to continue without one. Download or import a service contract file. Select Upgrade Installed Products. Run: UnixInstallScript. Upgrading Analyzer on Solaris and Linux 1. 10. If necessary. Download or import a service contract file. 7.Upgrading Eventia Analyzer to NGX R65 5. 11. 2. reboot. 6. Select the upgrade option. Select a source for the NGX R65 upgrade utilities. 3.

8. Validate the products in the products list.
9. Once upgrade has completed, login again to the root account.
10. Run cpstart to activate the installed products.

Verifying the Events Database Has Been Moved
When upgrading from R63 to R65, the events database is moved (not copied) from its R63 location to a new R65 location. This should occur automatically during the upgrade process, so there is no need to run upgradeDB.
To verify that the database has been correctly moved:
1. Navigate to the R63 $RTDIR/events_db/. The events.sql database file should no longer exist in this directory
2. Navigate to the R65 $RTDIR/events_db/ directory. The events.sql should be here
If the move has failed, move the database manually

Moving the Events Database
To manually move the events database:
1. Run: cpstop.
2. Move the file events.sql manually, from R63 $RTDIR/events_db/ to R65 $RTDIR/events_db/.
3. Run: cpstart.

Enabling Eventia Reporter
After upgrading Eventia Analyzer from a previous version, only the Eventia Analyzer components (Analyzer or correlation unit) will be enabled. To enable all components of Eventia Reporter run:
1. cpstop
2. evconfig
3. Enable Eventia Reporter
4. cpstart
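The checks under "Verifying the Events Database Has Been Moved" and the manual move under "Moving the Events Database" can be scripted so that a failed or partial move of events.sql is caught before the file is touched. This is an added example, not part of the guide or of Check Point's tooling: the function names are hypothetical, the R63 and R65 $RTDIR values are passed as arguments, and cpstop and cpstart are left to the operator as in the guide's steps 1 and 3.

```shell
#!/bin/sh
# Added example, not part of the product. All names here are hypothetical.

# events_db_state OLD_RTDIR NEW_RTDIR
# Print where events.sql currently is:
#   moved      only in the R65 directory (the expected result of the upgrade)
#   not_moved  only in the R63 directory (the move failed)
#   both       present in both directories (needs manual review)
#   missing    present in neither directory
events_db_state() {
    old="$1/events_db/events.sql"
    new="$2/events_db/events.sql"
    if [ -f "$new" ] && [ ! -e "$old" ]; then
        printf 'moved\n'
    elif [ -f "$old" ] && [ ! -e "$new" ]; then
        printf 'not_moved\n'
    elif [ -f "$old" ] && [ -f "$new" ]; then
        printf 'both\n'
    else
        printf 'missing\n'
    fi
}

# move_events_db OLD_RTDIR NEW_RTDIR
# Perform the manual move only when the file is still in the R63 location.
# Run cpstop before calling this and cpstart afterwards, as the guide says.
# An existing R65 events.sql is never overwritten.
move_events_db() {
    state=$(events_db_state "$1" "$2")
    case $state in
        moved)
            return 0 ;;
        not_moved)
            mv "$1/events_db/events.sql" "$2/events_db/events.sql" ;;
        *)
            printf 'not moving events.sql: state is %s\n' "$state" >&2
            return 1 ;;
    esac
}

# Usage: sh events_db.sh /opt/CPrt-R63 <R65 RTDIR>
if [ "$#" -eq 2 ]; then
    events_db_state "$1" "$2"
fi
```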

