Upgrading from Major Releases

Step

Operation

Command

1

Make sure that your Security Management Servers are version R76 or higher.

If not, upgrade your Security Management Servers.

# fwm ver

2

Back up your Scalable Platform.

2a

Create a snapshot of one SGM.

> set global-mode 0

> add snapshot pre_upgrade

2b

Make sure that the snapshot was created successfully.

> show snapshots

2c

Export the snapshot.

> set snapshot export pre_upgrade path /var/log/

> show snapshots

> set global-mode 1

2d

Copy the exported snapshot to external media or a remote server:

/var/log/pre_upgrade.tgz

2e

Collect configuration settings and system status information into a data file:

/var/log/asg_report.<host_name>_<date_stamp>_tar.gz

> asg_info -f

3

Send the output data file to Check Point Support.

The information is used to create a custom configuration procedure for use during the upgrade procedure.

4

Detect errors or other system issues.

Resolve these issues before you start the upgrade process.

> asg diag verify

5

Download the R76SP.50 ISO image or HFA Upgrade package from the R76SP.50 60000/40000 Security Platforms Home Page.

You need image this during the upgrade procedure.

Step

Operation

Command

6

Set Chassis B to administratively DOWN state.

# asg chassis_admin –c <Chassis_B_ID> down

7

Disconnect the cables connected to all ports on Chassis B (Management, Data and Synchronization).

7a

Connect to the serial port on SGM1 on Chassis B.

7b

Use a terminal emulation utility to open a console session.

8

Install the R76SP.50 image on the SGM from a removable media.

Install the image on all the SGMs at the same time, or create a bootable USB media for each SGM.

9

When installation is complete on all SGMs, log into SGM1 from your console session.

User name/password are admin/admin.

10

Start the installation.

> setup

11

Configure the setup to be similar to Chassis A.

Apply all the configuration instructions that Check Point Support gave you.

12

Reboot all SGMs.

Important - Wait until all SGMs are up and running before you continue.

# g_reboot -a -b chassis<Chassis_B_ID>

13

Make sure the installed version is correct.

# asg_version -v

14

Upgrade the SSMs on Chassis B.

# asg_ssm_upgrade ssm all

15

Upgrade CMM firmware on Chassis B.

16

Install a policy on Chassis B.

17

Disconnect the Management port from Chassis A.

Note - Logs are not saved during these steps.

18

Connect the Management port to Chassis B.

19

In SmartDashboard, change the Security Gateway object to version R76.

20

Establish SIC Trust.

21

Install the policy.

Step

Operation

22

Disconnect the cables from all ports (Management, Data, and Synchronization) on Chassis A's SSMs.

The 60000/40000 Security Platform is temporarily disconnected from the network.

23

Connect the data ports to Chassis B.

Note - Do not reconnect the Synchronization port to Chassis B.

24

Run post-upgrade tests to make sure that traffic flows normally on Chassis B.

Note - Chassis B is now handling the traffic.

Step

Operation

Command

25

Connect a console to the serial port on SGM1 on Chassis A.

Use a terminal emulation utility to open a console session.

26

Install the R76SP.50 image from a removable media on each SGM.

Install the image on all SGMs at the same time, or create a bootable USB media for each SGM.

27

Manually upgrade the SSMs on Chassis A.

27a

Activate the private shell.

Connect to the SSM with over SSH.

Press Ctrl+C to close the private shell.

Enter

unhide private (password = private)

show private shell

mount -rw -o remount /batm/

27b

Copy the firmware upgrade file to both SSMs.

When prompted, enter this password:

thmhetafbzh

scp -P 2024 /opt/CPsuite-R76/fw1/conf/hw_firmware/2.4.C20.1.T-ATCA404.tar

.bz2 root@<SSM_IP>:/batm/current_version/

Where <SSM_IP>:

• 198.51.100.32 for SSM1
• 198.51.100.232 for SSM2

27c

From a console session to an SSM, overwrite the default configuration.

T-HUB4# file ls os-image

T-ATCA404# file activate-os-image <Specify File Name>

T-HUB4# config terminal

Entering configuration mode terminal

T-HUB4(config)# system reload manufacturing-defaults

Are you sure that you want to delete existing configuration and

reload manufacturing default configuration (yes/no)? yes

27d

Make sure that the firmware upgrade is successful.

# asg_version -v

27e

Do these steps again on the other SSM.

28

Upgrade CMM firmware on Chassis A.

29

Connect the Sync interface to Chassis B and wait for all SGMs on Chassis A to reboot.

30

Make sure the version is correct.

# asg_version -v

31

Connect all Management and Data ports on Chassis A.

32

Set Chassis A to administratively UP state.

33

Make sure that the 60000/40000 Security Platform works normally.

# asg diag verify

34

Upgrade SSM firmware to be aligned to Chassis B firmware.

# asg_ssm_upgrade

Step

Operation

Command

35

Manually fail over from Chassis B to Chassis A.

Chassis B is now the Standby Chassis.

# asg chassis_admin -c <Chassis_B_ID> down

36

Set Chassis B to administratively UP state.

# asg chassis_admin –c <Chassis_B_ID> up

Step

Operation

Command

37

Run post-upgrade tests to make sure traffic flows normally on Chassis A and that the system works normally.

# asg diag verify