Upgrading Prerequisites

Before you upgrade:

  • For information about supported upgrade paths, see the Release Notes.
  • Make sure that you have the latest version of this document.

For the latest R76 documentation, see the R76 home page.

If you use Mobile Access Software Blade and you edited the configurations, review the edits before you upgrade to R76!

  1. Open these files and make note of your changes.

    Data                                             Path
    Gateway Configurations                           $CVPNDIR/conf/cvpnd.C
    Apache Configuration Files                       $CVPNDIR/conf/httpd.conf
                                                     $CVPNDIR/conf/includes/*
    Local certificate authorities                    $CVPNDIR/var/ssl/ca-bundle/
    DynamicID (SMS OTP) Local Phone List             $CVPNDIR/conf/SmsPhones.lst
    RSA configuration                                /var/ace/sdconf.rec
    Any PHP files that were edited
    Any image file that was replaced (*.gif, *.jpg)

  2. Upgrade to R76.
  3. Update Endpoint Compliance (SmartDashboard > Mobile Access > Endpoint Security On Demand > Update Databases Now).
  4. Manually edit the new versions of the files, to include your changes.

    Do not overwrite the R76 files with your customized files!
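
One way to carry out the procedure above on the gateway, as an added example that is not Check Point tooling: the script copies the files from the table into a baseline directory before the upgrade and, afterwards, lists the ones whose R76 version differs so that they can be merged by hand. The function names, the ACE_REC override and the baseline directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Check Point tooling). Function names, the ACE_REC
# override and the baseline directory layout are illustrative assumptions.
# Needs find, cp, cmp, diff and sha256sum in the expert-mode shell.

# List every existing file named in the table. Edited PHP and image files
# are not covered: their paths are site-specific.
ma_files() {
    d="${CVPNDIR:?CVPNDIR is not set}"
    for p in "$d/conf/cvpnd.C" "$d/conf/httpd.conf" "$d/conf/includes" \
             "$d/var/ssl/ca-bundle" "$d/conf/SmsPhones.lst" \
             "${ACE_REC:-/var/ace/sdconf.rec}"; do
        if [ -e "$p" ]; then find "$p" -type f; fi
    done | sort
}

# Before the upgrade: copy each file under <dir>/files with its full path
# kept, and write a SHA-256 manifest so the baseline can be verified later.
ma_baseline() {
    out="$1"
    mkdir -p "$out/files" || return 1
    ma_files | while IFS= read -r f; do
        mkdir -p "$out/files$(dirname "$f")" && cp -p "$f" "$out/files$f"
    done
    ( cd "$out/files" && find . -type f -exec sha256sum {} + ) > "$out/manifest.sha256"
}

# After the upgrade: print each baselined path whose live content now differs
# or is missing. Returns 2 if the baseline no longer matches its manifest.
ma_changed() {
    out="$1"
    ( cd "$out/files" && sha256sum -c ../manifest.sha256 >/dev/null 2>&1 ) || {
        echo "baseline in $out failed its integrity check" >&2; return 2; }
    ( cd "$out/files" && find . -type f | sort ) | while IFS= read -r f; do
        f="${f#.}"
        cmp -s "$out/files$f" "$f" || echo "$f"
    done
}

# Show what to merge by hand: R76 file on the left, saved customization on
# the right. Nothing is ever copied back over the R76 file.
ma_diff() { diff -u "$2" "$1/files$2"; }
```

Run `ma_baseline <dir>` before the upgrade and `ma_changed <dir>` after it, then `ma_diff <dir> <path>` for each path reported.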

Related Topics

Contract Verification

Upgrade Tools

Using the Pre-Upgrade Verifier Tool

Upgrading Successfully

Uninstalling Packages

Backing Up

Service Contract Files

Contract Verification

A valid Service Contract is required for all upgrades. The installation procedure makes sure that a service contract is in force before continuing with installation.

Upgrade Tools

Before you upgrade appliances or computers, use the upgrade tools. There is a different package of tools for each platform. After installation, you can find the upgrade tools in the installation directory.

  • Gaia or SecurePlatform: $FWDIR/bin/upgrade_tools
  • Windows: %FWDIR%/bin/upgrade_tools

To make sure you have the latest version of the upgrade tools, you can download the appropriate package from the Check Point Support site.

When you open the upgrade_tools package, you see these files:

Package                   Description
migrate.conf              For an Advanced Upgrade (migration of Security Management Server database) or a Security Management Server to Multi-Domain Server migration, this file is necessary.
migrate                   Runs Advanced Upgrade or migration. On Windows, this is migrate.exe.
pre_upgrade_verifier.exe  Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.
upgrade_export            Backs up all Check Point configurations, without operating system information. On Windows, this is upgrade_export.exe.
upgrade_import            Restores backed up configuration. On Windows, this is upgrade_import.exe.

Using the Pre-Upgrade Verifier Tool

The Pre-upgrade Verifier runs automatically during the upgrade process. You can also run it manually with this command.

Syntax:

pre_upgrade_verifier.exe -p ServerPath -c CurrentVersion (-t TargetVersion | -i) [-f FileName] [-w]

Parameters:

Parameter  Description
-p         Path of the installed Security Management Server (FWDIR)
-c         Currently installed version
-t         Target version
-i         If -i is used, only the INSPECT files are analyzed, to see if they were customized.
-f         Output report to this file
-w         Output report to a web format file

Upgrading Successfully

  • When upgrading a Security Management Server, IPS profiles remain in effect on earlier gateways and can be managed from the IPS tab. When the gateway is upgraded, install the policy to get the new IPS profile.
  • When upgrading a Security Gateway, remember to change the gateway object in SmartDashboard to the new version.

If you encounter unforeseen obstacles during the upgrade process, consult the Support Center or contact your Reseller.

Uninstalling Packages

Some upgrade procedures require an uninstall of certain packages. You must uninstall Check Point packages in the opposite order from which they were installed. For example, CPsuite is the first package installed, so it is the last package uninstalled.

To see a list of the installed packages and uninstall a package:

  • SecurePlatform: rpm -qa lists the installed packages; rpm -e <package name> uninstalls the named package
  • Windows: Use the Control Panel > Add / Remove Programs utility

Backing Up

Before you upgrade, it is recommended to back up the Security Management Servers and Security Gateways. Use the tools appropriate for each platform.

Use the snapshot mechanism if it is available. SecurePlatform on an open server does not have snapshot, so use backup instead.

Gaia Backup

Back up the configuration of the Gaia operating system and of the Security Management server database. You can use the backup to restore a previously saved configuration. The configuration is saved to a .tgz file. You can store backups locally, or remotely to a TFTP, SCP or FTP server. You can run the backup manually, or do a scheduled backup.

For Gaia backup limitations, see sk91400.

Backing Up the System - WebUI

To add a backup:

  1. In the tree view, click Maintenance > System Backup.
  2. Click Add Backup.

    The New Backup window opens.

  3. Select the location of the backup file:
    • This appliance
    • TFTP server. Specify the IP address.
    • SCP server. Specify the IP address, user name and password.
    • FTP server. Specify the IP address, user name and password.

Backing Up the System - CLI (Backup)

Backing Up a Configuration

Description

Use these commands to create and save the system's configuration.

Syntax

To create and save a backup locally:

add backup local

To create and save a backup on a remote server using FTP:

add backup ftp ip VALUE username VALUE password plain

To create and save a backup on a remote server using TFTP:

add backup tftp ip VALUE 

To save a backup on a remote server using SCP:

add backup scp ip VALUE username VALUE password plain
 

Parameters

Parameter       Description
ip VALUE        The IP address of the remote server.
username VALUE  User name required to log in to the remote server.
password plain  At the prompt, enter the password for the remote server.

Example

add backup local

Output

gw> add backup local
Creating backup package. Use the command 'show backups' to monitor creation progress.
 
gw> show backup status
Performing local backup
 
gw> show backups
backup_gw-8b0891_22_7_2012_14_29.tgz Sun, Jul 22, 2012 109.73 MB
 

Comments

Backup configurations are stored in: /var/CPbackup/backups/

Monitoring Backup Status

To monitor the creation of a backup:

show backup status

To show the status of the last backup performed:

show backups
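
An added example, not part of the Check Point documentation: before a backup leaves the appliance over TFTP, FTP or SCP, this script confirms that the newest .tgz in the backup directory is a readable archive and records its SHA-256, so that the copy on the remote server can be checked against it. It assumes the backup is an ordinary gzip-compressed tar and that gzip, tar and sha256sum are available in the expert shell; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not Check Point tooling); function names are illustrative.
# Assumes the .tgz is a gzip-compressed tar and that gzip, tar and
# sha256sum are available.
BACKUP_DIR="${BACKUP_DIR:-/var/CPbackup/backups}"

# Print the most recently modified *.tgz in the backup directory.
latest_backup() {
    ls -t "$BACKUP_DIR"/*.tgz 2>/dev/null | head -n 1
}

# Reject an empty, truncated or unreadable archive; otherwise write a
# sidecar file <archive>.sha256 next to it.
seal_backup() {
    f="$1"
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    gzip -t "$f" 2>/dev/null || { echo "gzip stream damaged: $f" >&2; return 1; }
    n=$(tar -tzf "$f" 2>/dev/null | wc -l)
    [ "$n" -gt 0 ] || { echo "no tar members: $f" >&2; return 1; }
    ( cd "$(dirname "$f")" &&
      sha256sum "$(basename "$f")" > "$(basename "$f").sha256" )
}

# On the receiving server: succeed only if the transferred archive still
# matches the sidecar that was copied along with it.
check_copy() {
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}
```

Keep the .sha256 sidecar somewhere other than the transfer target as well, so that a copy altered together with its sidecar is still detectable.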

Gaia Snapshot Image Management

You can:

  • Make a new image (a snapshot) of the system. You can revert to the image at a later time.
  • Revert to a locally stored image. This restores the system, including the configuration of the installed products.
  • Delete an image from the local system.
  • Export an existing image. This creates a compressed version of the image. You can then download the exported image to another computer and delete the exported image from the Gaia computer, to save disk space.
  • Import an exported image. This uploads the exported image and makes an image of it (a snapshot). You can revert to the image at a later time.
  • View a list of images that are stored locally.

Configuring Image Management - WebUI

To create an image:

  1. In the tree view, click Maintenance > Image Management.
  2. Below available images, click New Image. The Create New Image window opens.
  3. In the Name field, enter a name for the image.
  4. Optional: In the Description field, enter a description for the image.
  5. Click OK.

    Note - Creating the snapshot requires free space on the Backup partition. The required free disk space is the actual size of the root partition, multiplied by 1.15.

To revert to an image:

  1. In the tree view, click Maintenance > Image Management.
  2. Select an image.
  3. Click Revert. The Revert window opens.

    Note - Pay close attention to the warnings about overwriting settings, the credentials, and the reboot and the image details.

  4. Click OK.

To delete an image:

  1. In the tree view, click Maintenance > Image Management.
  2. Select an image.
  3. Click Delete. The Delete Image window opens.
  4. Click OK.

To export an image:

  1. In the tree view, click Maintenance > Image Management.
  2. Select an image.
  3. Click Export. The Export Image (name) window opens.
  4. Click Start Export.

    Note -

    • The snapshot image exports to /var/log. The free space required in the export file storage location is the size of the snapshot multiplied by two.
    • The minimum size of a snapshot is 2.5G, so the minimum free space you need in the export file storage location is 5G.

To import an image:

  1. In the tree view, click Maintenance > Image Management.
  2. Select an image.
  3. Click Import. The Import Image window opens.
  4. Click Browse to select the import file for upload.
  5. Click Upload.
  6. Click OK.

Configuring Image Management - CLI (snapshot)

Description

Manage system images (also known as snapshots)

Syntax

To make a new image:

add snapshot VALUE desc VALUE

To delete an image:

delete snapshot VALUE

To export or import an image, or to revert to an image:

set snapshot export VALUE path VALUE name VALUE
set snapshot import VALUE path VALUE name VALUE
set snapshot revert VALUE

To show image information:

show snapshot VALUE all
show snapshot VALUE date
show snapshot VALUE desc
show snapshot VALUE size
show snapshots

Parameters

Parameter              Description
snapshot VALUE         Name of the image
desc VALUE             Description of the image
snapshot export VALUE  The name of the image to export
snapshot import VALUE  The name of the image to import
path VALUE             The storage location for the exported image. For example: /var/log
name VALUE             The name of the exported image (not the original image).
all                    All image details

Comments

  • Creating the snapshot image requires free space on the Backup partition. The required free disk space is the actual size of the root partition, multiplied by 1.15.
  • The free space required in the export file storage location is the size of the snapshot multiplied by two.
  • The minimum size of a snapshot is 2.5G, so the minimum free space you need in the export file storage location is 5G.

SecurePlatform Backup

SecurePlatform has a command line or Web GUI utility for backups of your system settings and product configuration. The backup utility can store backups locally on the Security Management Server, or remotely to a TFTP server or an SCP server. You can run the backup manually, or schedule backups.

The backups are TGZ files. When saved locally, the default path is: /var/CPbackup/backups

Backup and Restore commands require expert permissions.

Syntax:

backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [[--tftp <ServerIP> [-path <Path>] [<Filename>]] |
[--scp <ServerIP> <User name> <Password> [-path <Path>][<Filename>]] |
[--file [-path <Path>][<Filename>]] 

Parameter  Description
-h         See help on the command
-d         Debug flag
-l         Enables VPN log backup (by default, VPN logs are not backed up)
--purge    Deletes older backup files, from the number of days given
--sched    Schedule backups
             • On - enter time and day of week, or date of month
             • Off - disable schedule
           Example: --sched on 03:00 1
--tftp     Back up to TFTP. Enter IP addresses of TFTP servers
           Optional: -path pathname of backup on TFTP
           Example: --tftp 192.0.2.3 -path /var/backups/mybckup.tgz
--scp      Back up to SCP. Enter IP addresses of SCP servers, username (with access to SCP server), password, and optionally the filename
           Example: --scp 192.0.2.4 usr 123 mybckup.tgz
--file     For local backups, enter an optional filename, or -path parameter and pathname

SecurePlatform Snapshot Image Management

You can back up the entire SecurePlatform operating system and installed configuration with the snapshot command. A snapshot is made automatically during upgrade with the SafeUpgrade option. You can take a snapshot manually with the snapshot command.

The snapshot and revert commands can use a TFTP server or an SCP server to store snapshots. Snapshots can also be stored locally.

Syntax:

snapshot        [-h] [-d] [[--tftp <Server IP> <Filename>] |
                [--scp <Server IP> <Username> <Password> <Filename>] |
                [--file <Filename>]] 

Parameter  Description
-h         See help on the command
-d         Debug flag
--tftp     Back up to TFTP. Enter IP addresses of TFTP servers
           Optional: -path pathname of backup on TFTP
           Example: --tftp 192.0.2.3 -path /var/backups/mybckup.tgz
--scp      Back up to SCP. Enter IP addresses of SCP servers, username (with access to SCP server), password, and optionally the filename
           Example: --scp 192.0.2.4 usr 123 mybckup.tgz
--file     For local backups, enter an optional filename, or -path parameter and pathname

Service Contract Files

Introduction

Before upgrading a gateway or Security Management Server to R76, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on Security Management Server and downloaded to Security Gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.

Working with Contract Files

As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain Server before upgrading the gateways. Once the management has been successfully upgraded and contains a contract file, the contract file is transferred to a gateway when the gateway is upgraded (the contract file is retrieved from the management).

Note - Multiple user accounts at the User Center are supported.

Installing a Contract File

On Gaia, SecurePlatform and Windows

When upgrading Security Management server, the upgrade process checks to see whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed. You can download a contract file or import it.

If the contract file does not cover the Security Management server, a message on Download or Import informs you that the Security Management server is not eligible for upgrade. The absence of a valid contract file does not prevent upgrade. Download a valid contract at a later date using SmartUpdate.

  • Download a contracts file from the User Center

    If you have Internet access and a valid user account, download a contract file directly from the User Center. This contract file conforms to the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:

    • User name
    • Password
    • Proxy server address (if applicable)
  • Import a local contract file

    If the server does not have Internet access:

    1. On a machine with Internet access, log in to the User Center.
    2. Click Support in the top menu.
    3. Click Additional Services in the secondary menu.
    4. In the Service Contract File Download section, click Download Now.
    5. Transfer the downloaded file to the management server. After selecting Import a local contracts file, enter the full path to the location where you stored the file.
  • Continue without contract information

    Select this option if you intend to get and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process.

On IP Appliances

Contract verification on IPSO is not interactive. After successfully upgrading the gateway, the following message is displayed:

The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via

SmartUpdate (Licenses & Contracts menu -> Update Contracts).

For further details see: http://www.checkpoint.com/ngx/upgrade/contract/ 

At the earliest opportunity, obtain a valid contract file from the Check Point User Center.

On Security Gateways

After you accept the End User License Agreement (EULA), the upgrade process searches for a valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to retrieve the latest contract file from the Security Management server. If not found, you can download or import a contract.

If the contract file does not cover the gateway, a message informs you (on Download or Import) that the gateway is not eligible for upgrade. The absence of a valid contract file does not prevent upgrade. When the upgrade is complete, contact your local support provider to obtain a valid contract. Use SmartUpdate to install the contract file.

Use the download or import instructions for installing a contract file on a Security Management Server.

If you continue without a contract, you install a valid contract file at a later date. At this point the gateway is not eligible for upgrade, and you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process. Contact your reseller.

©2013 Check Point Software Technologies Ltd. All rights reserved.