Upgrading Prerequisites
Before you upgrade:
- For information about supported upgrade paths, see the Release Notes.
- Make sure that you have the latest version of this document.
For the latest R76 documentation, see the R76 home page.
If you use Mobile Access Software Blade and you edited the configurations, review the edits before you upgrade to R76!
- Open these files and make note of your changes.
|
|
Data
|
Path
|
Gateway Configurations
|
$CVPNDIR/conf/cvpnd.C
|
Apache Configuration Files
|
$CVPNDIR/conf/httpd.conf
|
$CVPNDIR/conf/includes/*
|
Local certificate authorities
|
$CVPNDIR/var/ssl/ca-bundle/
|
DynamicID (SMS OTP) Local Phone List
|
$CVPNDIR/conf/SmsPhones.lst
|
RSA configuration
|
/var/ace/sdconf.rec
|
Any PHP files that were edited
|
Any image file that was replaced (*.gif, *.jpg)
|
- Upgrade to R76.
- Update Endpoint Compliance (> > > ).
- Manually edit the new versions of the files, to include your changes.
Do not overwrite the R76 files with your customized files!
Contract Verification
A valid Service Contract is required for all upgrades. The installation procedure makes sure that a service contract is in force before continuing with installation.
Upgrade Tools
Before you upgrade appliances or computers, use the upgrade tools. There is a different package of tools for each platform. After installation, you can find the upgrade tools in the installation directory.
- Gaia or SecurePlatform:
$FWDIR/bin/upgrade_tools - Windows: %
FWDIR%/bin/upgrade_tools
To make sure you have the latest version of the upgrade tools, you can download the appropriate package from the Check Point Support site.
When you open the package, you see these files:
Package
|
Description
|
migrate.conf
|
For an Advanced Upgrade (migration of Security Management Server database) or a Security Management Server to Multi-Domain Server migration, this file is necessary.
|
migrate
|
Runs Advanced Upgrade or migration.
On Windows, this is .
|
pre_upgrade_verifier.exe
|
Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.
|
upgrade_export
|
Backs up all Check Point configurations, without operating system information.
On Windows, this is .
|
upgrade_import
|
Restores backed up configuration.
On Windows, this is .
|
Using the Pre-Upgrade Verifier Tool
The Pre-upgrade Verifier runs automatically during the upgrade process. You can also run it manually with this command.
Syntax:
pre_upgrade_verifier.exe -p ServerPath -c CurrentVersion (-t TargetVersion | -i) [-f FileName] [-w]
|
Parameters:
Parameter
|
Description
|
-p
|
Path of the installed Security Management Server (FWDIR)
|
-c
|
Currently installed version
|
-t
-i
|
Target version
If -i is used, only the INSPECT files are analyzed, to see if they were customized.
|
-f
|
Output report to this file
|
-w
|
Output report to a web format file
|
Upgrading Successfully
- When upgrading a Security Management Server, IPS profiles remain in effect on earlier gateways and can be managed from the IPS tab. When the gateway is upgraded, install the policy to get the new IPS profile.
- When upgrading a Security Gateway, remember to change the gateway object in SmartDashboard to the new version.
If you encounter unforeseen obstacles during the upgrade process, consult the Support Center or contact your Reseller.
Uninstalling Packages
Some upgrade procedures require an uninstall of certain packages. You must uninstall Check Point packages in the opposite order from which they were installed. For example, CPsuite is the first package installed, so it is the last package uninstalled.
To see a list of the installed packages:
- SecurePlatform:
rpm -e <package name> - Windows: Use the > utility
Backing Up
Before you upgrade, it is recommended to back up the Security Management Servers and Security Gateways. Use the tools appropriate for each platform.
Use the snapshot mechanism if it is available. SecurePlatform on an open server does not have snapshot, so use backup instead.
Gaia Backup
Back up the configuration of the Gaia operating system and of the Security Management server database. You can use the backup to restore a previously saved configuration. The configuration is saved to a .tgz file. You can store backups locally, or remotely to a TFTP, SCP or FTP server. You can run the backup manually, or do a scheduled backup.
For Gaia backup limitations, see sk91400.
Backing Up the System - WebUI
To add a backup:
- In the tree view, click
- Click .
The window opens.
- Select the location of the backup file:
- . Specify the IP address.
- . Specify the IP address, user name and password.
- . Specify the IP address, user name and password.
Backing Up the System - CLI (Backup)
Backing Up a Configuration
Description
|
Use these commands to create and save the system's configuration
|
Syntax
|
To create and save a backup locally:
add backup local
To create and save a backup on a remote server using FTP:
add backup ftp ip VALUE username VALUE password plain
To create and save a backup on a remote server using TFTP:
add backup tftp ip VALUE
To save a backup on a remote server using SCP:
add backup scp ip VALUE username VALUE password plain
|
Parameters
|
Parameter
|
Description
|
ip VALUE
|
The IP address of the remote server.
|
username VALUE
|
User name required to log in to the remote server.
|
password plain
|
At the prompt, enter the password for the remote server.
|
|
|
Example
|
add backup local
|
Output
|
gw> add backup local
Creating backup package. Use the command 'show backups' to monitor creation progress.
gw> show backup status
Performing local backup
gw> show backups
backup_gw-8b0891_22_7_2012_14_29.tgz Sun, Jul 22, 2012 109.73 MB
|
|
|
Comments
|
Backup configurations are stored in: /var/CPbackup/backups/
|
Monitoring Backup Status
To monitor the creation of a backup:
show backup status
To show the status of the last backup performed:
show backups
Gaia Snapshot Image Management
You can:
- Make a new image (a snapshot) of the system. You can revert to the image at a later time.
- Revert to a locally stored image. This restores the system, including the configuration of the installed products.
- Delete an image from the local system.
- Export an existing image. This creates a compressed version of the image. You can then download the exported image to another computer and delete the exported image from the Gaia computer, to save disk space.
- Import uploads an exported image and makes an image of it (a snapshot). You can revert to the image at a later time.
- View a list of images that are stored locally.
Configuring Image Management - WebUI
To create an image:
- In the tree view, click .
- Below available images, click . The opens.
- In the field, enter a name for the image.
- Optional: In the field, enter a description for the image.
- Click .
|
Note - To create the snapshot requires free space on the Backup partition. The required free disk space is the actual size of the root partition, multiplied by 1.15.
|
To revert to an image:
- In the tree view, click
- Select an image.
- Click . The window opens.
|
Note - Pay close attention to the warnings about overwriting settings, the credentials, and the reboot and the image details.
|
- Click .
To delete an image:
- In the tree view, click .
- Select an image.
- Click . The window opens.
- Click .
To export an image:
- In the tree view, click .
- Select an image.
- Click . The window.
- Click .
|
Note -
- The snapshot image exports to
/var/log. The free space required in the export file storage location is the size of the snapshot multiplied by two. - The minimum size of a snapshot is 2.5G, so the minimum free space you need in the export file storage location is 5G.
|
To import an image:
- In the tree view, click .
- Select an image.
- Click . The window opens.
- Click to select the import file for upload.
- Click .
- Click .
Configuring Image Management - CLI (snapshot)
Description
|
Manage system images (also known as snapshots)
|
Syntax
|
To make a new image:
add snapshot VALUE desc VALUE
To delete an image
delete snapshot VALUE
To export or import an image, or to revert to an image:
set snapshot export VALUE path VALUE name VALUE
set snapshot import VALUE path VALUE name VALUE
set snapshot revert VALUE
To show image information
show snapshot VALUE all
show snapshot VALUE date
show snapshot VALUE desc
show snapshot VALUE size
show snapshots
|
Parameters
|
Parameter
|
Description
|
snapshot VALUE
|
Name of the image
|
desc VALUE
|
Description of the image
|
snapshot export VALUE
|
The name of the image to export
|
snapshot import VALUE
|
The name of the image to import
|
path VALUE
|
The storage location for the exported image. For example: /var/log
|
name VALUE
|
The name of the exported image (not the original image).
|
all
|
All image details
|
|
|
Comments
|
- To create the snapshot image requires free space on the Backup partition. The required free disk space is the actual size of the root partition, multiplied by 1.15.
- The free space required in the export file storage location is the size of the snapshot multiplied by two.
- The minimum size of a snapshot is 2.5G, so the minimum free space you need in the export file storage location is 5G.
|
SecurePlatform Backup
SecurePlatform has a command line or Web GUI utility for backups of your system settings and product configuration. The backup utility can store backups locally on the Security Management Server, or remotely to a TFTP server or an SCP server. You can run the backup manually, or schedule backups.
The backups are TGZ files. When saved locally, the default path is: /var/CPbackup/backups
Backup and Restore commands require expert permissions.
Syntax:
|
|
|
backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [[--tftp <ServerIP> [-path <Path>] [<Filename>]] |
[--scp <ServerIP> <User name> <Password> [-path <Path>][<Filename>]] |
[--file [-path <Path>][<Filename>]]
|
Parameter
|
Description
|
-h
|
See help on the command
|
-d
|
Debug flag
|
-l
|
Enables VPN log backup (by default, VPN logs are not backed up)
|
--purge
|
Deletes older backup files, from the number of days given
|
--sched
|
Schedule backups
- On - enter time and day of week, or date of month
- Off - disable schedule
Example: --sched on 03:00 1
|
--tftp
|
Back up to TFTP. Enter IP addresses of TFTP servers
Optional: -path pathname of backup on TFTP
Example: --tftp 192.0.2.3 -path /var/backups/mybckup.tgz
|
--scp
|
Back up to SCP. Enter IP addresses of SCP servers, username (with access to SCP server), password, and optionally the filename
Example: --scp 192.0.2.4 usr 123 mybckup.tgz
|
--file
|
For local backups, enter an optional filename, or -path parameter and pathname
|
SecurePlatform Snapshot Image Management
You can back up the entire SecurePlatform operating system and installed configuration with the snapshot command. A snapshot is made automatically during upgrade with the SafeUpgrade option. You can take a snapshot manually with the snapshot command.
The snapshot and revert commands can use a TFTP server or an SCP server to store snapshots. Snapshots can also be stored locally.
Syntax:
|
|
snapshot [-h] [-d] [[--tftp <Server IP> <Filename>] |
[--scp <Server IP> <Username> <Password> <Filename>] |
[--file <Filename>]]
|
Parameter
|
Description
|
-h
|
See help on the command
|
-d
|
Debug flag
|
--tftp
|
Back up to TFTP. Enter IP addresses of TFTP servers
Optional: -path pathname of backup on TFTP
Example: --tftp 192.0.2.3 -path /var/backups/mybckup.tgz
|
--scp
|
Back up to SCP. Enter IP addresses of SCP servers, username (with access to SCP server), password, and optionally the filename
Example: --scp 192.0.2.4 usr 123 mybckup.tgz
|
--file
|
For local backups, enter an optional filename, or -path parameter and pathname
|
Service Contract Files
Introduction
Before upgrading a gateway or Security Management Server to R76, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on Security Management Server and downloaded to Security Gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.
Working with Contract Files
As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain Server before upgrading the gateways. Once the management has been successfully upgraded and contains a contract file, the contract file is transferred to a gateway when the gateway is upgraded (the contract file is retrieved from the management).
|
Note - Multiple user accounts at the User Center are supported.
|
Installing a Contract File
On Gaia, SecurePlatform and Windows
When upgrading Security Management server, the upgrade process checks to see whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed. You can download a contract file or import it.
If the contract file does not cover the Security Management server, a message on Download or Import informs you that the Security Management server is not eligible for upgrade. The absence of a valid contract file does not prevent upgrade. Download a valid contract at a later date using SmartUpdate.
- Download a contracts file from the User Center
If you have Internet access and a valid user account, download a contract file directly from the User Center. This contract file conforms to the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
- User name
- Password
- Proxy server address (if applicable)
- Import a local contract file
If the server does not have Internet access:
- On a machine with Internet access, log in to the User Center.
- Click in the top menu.
- Click in the secondary menu.
- In the Service Contract File Download section, click Download Now.
- Transfer the downloaded file to the management server. After selecting Import a local contracts file, enter the full path to the location where you stored the file.
- Continue without contract information
Select this option if you intend to get and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process.
On IP Appliances
Contract verification on IPSO is not interactive. After successfully upgrading the gateway, the following message is displayed:
The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via
SmartUpdate (Licenses & Contracts menu -> Update Contracts).
For further details see: http://www.checkpoint.com/ngx/upgrade/contract/
|
At the earliest opportunity, obtain a valid contact file from the Check Point User Center.
On Security Gateways
After you accept the End User License Agreement (EULA), the upgrade process searches for a valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to retrieve the latest contract file from the Security Management server. If not found, you can download or import a contract.
If the contract file does not cover the gateway, a message informs you (on Download or Import) that the gateway is not eligible for upgrade. The absence of a valid contract file does not prevent upgrade. When the upgrade is complete, contact your local support provider to obtain a valid contract. Use SmartUpdate to install the contract file.
Use the download or import instructions for installing a contract file on a Security Management Server.
If you continue without a contract, you install a valid contract file later. But the gateway is not eligible for upgrade. You may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process. Contact your reseller.
|
|
