Upgrading Security Management Server and Security Gateways

In This Section: Upgrading Using Gaia Upgrades (CPUSE) Upgrading Standalone and Security Management Server Upgrading Security Gateways Upgrading Standalone Full High Availability Upgrading Clusters Enabling IPv6 on Gaia Changing to an IPv6-Only Management IP Address Deleting the IPV4 address from Management HA

Upgrading Using Gaia Upgrades (CPUSE)

With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. The software update packages and full images are for major releases, minor releases and Hotfixes. All of the CPUSE processes are handled by the Deployment Agent daemon (DA).

Gaia automatically locates and shows the available software update packages and full images that are relevant to the Gaia operating system version installed on the computer, the computer's role (gateway, Security Management Server, standalone), and other specific properties. The images and packages can be downloaded from the Check Point Support center and installed.

Note - The Software Updates feature was renamed to Check Point Upgrade Service Engine (CPUSE) in R77.20.

Upgrade Limitations

• Personal files saved outside of the /home directories are erased during the upgrade process. If you created a snapshot immediately before upgrading, you can revert to the snapshot to recover personal files saved outside of the /home directory.
• Open servers that were upgraded from SecurePlatform to Gaia cannot be upgraded.
• Upgrading using Full Images:
  • IP Appliances are not supported.
  • UTM-1 130 and UTM-1 270 are not supported.
  • To upgrade the secondary Security Management Server of a Full High Availability deployment, use the procedure in this guide for upgrading with a clean installation.
  • The ssh key is not migrated to the new version.
  • The Mobile Access Software Blade custom configuration is not upgraded.
  • Virtual Systems Mode is not supported.
  • Endpoint Policy Servers cannot be upgraded.

Software Update Requirements

• At least 4 GB free disk space in /var/log
• Un-partitioned free disk space should be at least the size of root partition. To find out the:
  • Amount of un-partitioned free disk space run: pvs
  • Size of the root partition, run: df -h

To update the Gaia Software Updates agent:

1. Make sure the proxy and the DNS server are configured.
2. In the Portal, go to Upgrades (CPUSE) > Software Updates Policy.
3. In the Software Deployment Policy section. select one of these options:
   • Manually – Do the procedure described in the CPUSE sk
   • Scheduled or Automatic – the latest Deployment Agent is downloaded and automatically installed.
   • Periodically update new Deployment Agent version - Updates only the DA according to the configured time period.
4. Click Apply.

To upgrade to R77 using Upgrades (CPUSE) - Portal:

1. Click the Full Images tab.
2. Select the R77 image.
3. Click Download.
4. To make sure the upgrade is allowed, click Actions > Verifier.
5. Click OK.

   The Installation verified - Installation is allowed window shows. Verification is complete.

6. Click Upgrade.
7. Reboot.
8. When upgrading a Standalone deployment, Security Management Server, Multi-Domain Server: Go to Upgrades (CPUSE) > Status and Actions and click the Full Images tab to see post upgrade completion process.

Upgrading Standalone and Security Management Server

This section explains how to upgrade Gaia standalone and Security Management Server. A Security Management Server upgraded to R77 can enforce and manage Gateways from earlier versions. Some new features are not available on earlier versions

See the R77 Release Notes for the supported features (in the "Compatibility Tables" section) and deployments.

Upgrade Notes

Upgrading Standalone Appliances	You can upgrade a Standalone deployment on UTM-1 appliances, certain 2012 Models, and IP appliances.
Upgrading Open Servers	Before you upgrade: Back up your current configuration. See the Release Notes to make sure that you have enough disk space.
Upgrading the Security Management Server	You do not have to upgrade the Security Management Server and all of the Gateways at the same time. When the Security Management Server is upgraded, you can still manage Gateways from earlier versions (though the Gateways may not support new features). Important - To upgrade Gaia, there must be at least 4GB free disk space in /var/log. Use the Pre-Upgrade Verification tool to reduce the risk of incompatibility with your existing environment. The Pre-Upgrade Verification tool generates a detailed report of the actions to take before an upgrade. There are different upgrade methods for the Security Management Server: Upgrade Production Security Management Server Migrate and Upgrade to a New Security Management Server Important - After upgrade, you cannot restore a version with a database revision that was made with the old version. You can see old version database saves in Read-Only mode.
Upgrading Security Management Server on Appliances	You can upgrade a Security Management Server on some Smart-1 appliances and open servers.

To upgrade using the Portal:

1. Download the Gaia upgrade package from the Check Point Support Center to the Gaia Portal client computer.
   Check_Point_upg_WEBUI_and_SmartUpdate_R77.Gaia.tgz
2. Connect to the Gaia Portal from a Web browser to
   https://<management_IP_address>
3. In the Portal go to the Maintenance > Upgrade page. (Ensure the View Mode is Advanced.)
4. Click Upload.
5. Browse to the location of the upgrade package.
6. After the package is uploaded, either click Done to add the package to the Upgrade Packages repository, or click Upgrade.

   If you added the package to the package repository, select the package, and click Upgrade.

   The package is extracted.

7. After the package is extracted, click OK.

   A console window opens.

   You are asked if you want to save a snapshot of the system before upgrade. We recommend that you answer Yes.

8. The pre-upgrade verifier runs. The output is stored in a text file at /tmp/pre_upgrade_out.txt.
9. If you see the error: "Pre-upgrade verification failed" we recommend that you review the file, fix the problems, and restart the upgrade. Do not take another system snapshot.
10. You are asked if you want to start the upgrade. Select Yes.
11. After the upgrade, click Reboot.

To upgrade using an ISO image on a DVD:

Note - This procedure is not supported on IP Appliances.

1. Download the Gaia ISO image from the Check Point Support Center.
   Check_Point_Install_and_Upgrade_R77.Gaia.iso
2. Burn the ISO file on a DVD.
3. Connect an external DVD drive to a USB socket on the appliance or open server.
4. From Clish, run: upgrade cd
5. You are asked if you want to save a snapshot of the system before upgrade. We recommend that you answer Yes.
6. The pre-upgrade verifier runs. The output is stored in a text file at /tmp/pre_upgrade_out.txt.
7. If you see the error: "Pre-upgrade verification failed" we recommend that you review the file, fix the problems, and restart the upgrade. Do not take another system snapshot.
8. You are asked if you want to start the upgrade. Select Yes.
9. After the upgrade, type OK to reboot.

To upgrade using the upgrade package, with CLI:

You can upload the TGZ to the Portal, and upgrade Gaia with CLI commands.

1. Download the Gaia upgrade package from the Check Point Support Center.
   Check_Point_upg_Portal_and_SmartUpdate_R77.Gaia.tgz
2. In the Gaia CLI, enter expert mode.
3. Use FTP, SCP or similar to transfer the upgrade package to the Gaia appliance or computer. We recommend that you place the package in /var/log/upload.
4. Exit expert mode.
5. In Clish, register the file as an upgrade package. Run the command:
   add upgrade <version> package file <full path>
6. Run:
   upgrade local <version>

   For example:
   upgrade local R77

   You are asked if you want to save a snapshot of the system before upgrade. We recommend that you answer Yes.

7. The pre-upgrade verifier runs. The output is stored in a text file at /tmp/pre_upgrade_out.txt.
8. If you see the error: "Pre-upgrade verification failed" we recommend that you review the file, fix the problems, and restart the upgrade. Do not take another system snapshot.
9. You are asked if you want to start the upgrade. Select Yes.
10. After the upgrade, type OK to reboot.

To Upgrade Endpoint Security on the Security Management Server:

To upgrade to R77 with E80.50 from E80.40 or higher, use the upgrade or advanced upgrade and migration procedures for Security Management Servers in this guide.

Upgrading Security Gateways

You can upgrade Security Gateways using one of these methods:

• SmartUpdate: Centrally upgrade and manage Check Point software and licenses from a SmartConsole client.
• Local Upgrade: Do a local upgrade on the Security Gateway itself.

Upgrading Security Gateways on Open Servers

Before you upgrade:

It is recommended to back up your configuration.

Upgrading Gateways using SmartUpdate

SmartUpdate is the primary tool used for upgrading Check Point Gateways. The following features and tools are available in SmartUpdate:

• Upgrade All Packages: This feature upgrades all packages installed on a gateway. For IPSO and SecurePlatform, this feature also upgrades your operating system as a part of the upgrade procedure. The SmartUpdate "Upgrade all Packages" option supports HFAs, i.e., it will suggest upgrading the gateway with the latest HFA if a HFA package is available in the Package Repository. "Upgrade All" is the recommended method. In addition, there is an advanced method to install (distribute) packages one by one.
• Add Package to Repository: SmartUpdate provides three "helper" tools for adding packages to the Package Repository:
  • From CD/DVD: Adds a package from the Check Point DVD.
  • From File: Adds a package that you have stored locally.
  • From Download Center: Adds a package from the Check Point Download Center.
• Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or for your entire enterprise.
• Check for Updates: This feature, available from the SmartDashboard Tools menu, locates the latest HFA on the Check Point Download Center, and adds it to the Package Repository.

Configuring the Security Management Server for SmartUpdate

To configure the Security Management Server for SmartUpdate:

1. Install the latest version of SmartConsole, including SmartUpdate.
2. Define the remote Check Point Gateways in SmartDashboard (for a new Security Management Server installation).
3. Verify that your Security Management Server contains the correct license to use SmartUpdate.
4. Verify that the Administrator SmartUpdate permissions (as defined in the cpconfig configuration tool) are Read/Write.
5. To enable SmartUpdate connections to the Gateways, make sure that Policy Global Properties > FireWall > Firewall Implied Rules > Accept SmartUpdate Connections (SmartUpdate) is selected. By default, it is selected.

Add Packages to the Package Repository

Use SmartUpdate to add packages to and delete packages from the Package Repository:

• directly from the Check Point Download Center website (Packages > Add > From Download Center),
• by adding them from the Check Point DVD (Packages > Add > From CD/DVD),
• by importing a file (Packages > Add > From File).

When adding the package to the Package Repository, the package file is transferred to the Security Management Server. When the Operation Status window opens, you can verify the success of the operation. The Package Repository is then updated to show the new package object.

Gateway Upgrade - SmartUpdate

To update a gateway using SmartUpdate:

1. From SmartUpdate > Packages > Upgrade All Packages select one or more Gateways and click Continue.

   The Upgrade All Packages window opens, and in the Upgrade Verification list you can see which Gateways can or cannot be upgraded.

   • To see a list of which packages will be installed on the Gateways that can be upgraded, select the gateway and click the Details button.
   • For an explanation as to why a gateway cannot be upgraded, select the relevant gateway and click the Details button.
2. From the list provided, select the Gateways that can be upgraded and click Upgrade.

Note - The Allow reboot option (selected by default) is required in order to activate the newly installed packages.

The Operation Status pane opens and shows the progress of the installation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window, which shows the operation history.

The following operations are performed during the installation process:

• The Check Point Remote Installation Daemon connects to the Check Point gateway.
• Verification for sufficient disk space.
• Verification of the package dependencies.
• The package is transferred to the gateway if it is not already there.
• The package is installed on the gateway.
• Enforcement policies are compiled for the new version.
• The gateway is rebooted if the Allow Reboot option was selected and the package requires it.
• The gateway version is updated in SmartDashboard.
• The installed packages are updated in SmartUpdate.

Upgrading using the Portal

To upgrade using the Portal:

1. Download the Gaia upgrade package from the Check Point Support Center to the Gaia Portal client computer.
   Check_Point_upg_WEBUI_and_SmartUpdate_R77.Gaia.tgz
2. Connect to the Gaia Portal from a Web browser to
   https://<management_IP_address>
3. In the Portal go to the Maintenance > Upgrade page. (Ensure the View Mode is Advanced.)
4. Click Upload.
5. Browse to the location of the upgrade package.
6. After the package is uploaded, either click Done to add the package to the Upgrade Packages repository, or click Upgrade.

   If you added the package to the package repository, select the package, and click Upgrade.

   The package is extracted.

7. After the package is extracted, click OK.

   A console window opens.

8. You are asked if you want to save a snapshot of the system before upgrade. We recommend that you answer Yes.
9. You are asked if you want to start the upgrade. Select Yes.
10. After the upgrade, click Reboot.

Upgrading using an ISO image on a DVD:

To upgrade using an ISO image on a DVD:

Note - This procedure is not supported on IP Appliances.

1. Download the Gaia ISO image from the Check Point Support Center.
   Check_Point_Install_and_Upgrade_R77.Gaia.iso
2. Burn the ISO file on a DVD.
3. Connect an external DVD drive to a USB socket on the appliance or open server.
4. From Clish, run: upgrade cd
5. You are asked if you want to save a snapshot of the system before upgrade. We recommend that you answer Yes.
6. You are asked if you want to start the upgrade. Select Yes.
7. After the upgrade, type OK to reboot.

Upgrading using the Upgrade Package, with CLI

To upgrade using the upgrade package, with CLI:

You can upload the TGZ to the Portal, and upgrade Gaia with CLI commands.

1. Download the Gaia upgrade package from the Check Point Support Center.
   Check_Point_upg_Portal_and_SmartUpdate_R77.Gaia.tgz
2. In the Gaia CLI, enter expert mode.
3. Use FTP, SCP or similar to transfer the upgrade package to the Gaia appliance or computer. We recommend that you place the package in /var/log/upload.
4. Exit expert mode.
5. In Clish, register the file as an upgrade package. Run the command:
   add upgrade <version> package file <full path>
6. Run:
   upgrade local <version>

   For example:
   upgrade local R77

7. You are asked if you want to save a snapshot of the system before upgrade. We recommend that you answer Yes.
8. You are asked if you want to start the upgrade. Select Yes.
9. After the upgrade, type OK to reboot.

Upgrading a VSX Gateway

Important - Before you begin, make sure no other administrators are connected to the management server. In a Multi-Domain Security Management deployment, make sure administrators are not connected to Domain Management Servers. Upgrade and reconfigure operations skip locked Domain Management Servers. Run the procedure again when they become available. The vsx_util command cannot modify the management database if the database is locked.

To upgrade a VSX Gateway to R77:

1. Close SmartDashboard.
2. On the management server, log in to Expert mode.
3. Run: vsx_util upgrade

   When prompted, enter this information:

   1. Security Gateway or main Domain Management Server IP address
   2. Administrator name and password
   3. Cluster name (if the VSX Gateway is a cluster member)
   4. Version to upgrade to: R77
4. Wait for the Finished upgrading/database saved successfully message.

   If you use CPUSE to upgrade the VSX Gateway, skip the next step.

5. Run: vsx_util reconfigure

   When prompted, enter this information:

   1. Management server or main Domain Management Server IP address
   2. Administrator name and password
   3. SIC activation key for the upgraded member

   The security policy is installed and configured on the upgraded VSX Gateway, and this message shows:

   Reconfigure module operation completed successfully

6. Install the necessary licenses.
7. Reboot.

Upgrading Standalone Full High Availability

Full High Availability: The server and the gateway are in a standalone configuration and each has High Availability to a second standalone machine. If there is a failure, the server and the gateway failover to the secondary machine. In the standalone configuration the server and gateway can failover independently of each other. For example, if only the server has an issue, only that server fails over. There is no effect on the gateway in the standalone configuration.

To upgrade Full High Availability for cluster members in standalone configurations, there are different options:

• Upgrade one machine and synchronize the second machine with minimal downtime.
• Upgrade with a clean installation on one machine and synchronize the second machine with system downtime.

Upgrading with Minimal Downtime

You can do a Full High Availability upgrade with minimal downtime to the cluster members.

To upgrade Full High Availability with minimal downtime:

1. Make sure the primary cluster member is active and the secondary is standby: check the status of the members.
2. Start failover to the second cluster member.

   The secondary cluster member processes all the traffic.

3. Log in with SmartDashboard to the management server of the secondary cluster member.
4. Click Change to Active.
5. Configure the secondary cluster member to be the active management server.

   Note - We recommend that you export the database using the Upgrade tools.

6. Upgrade the primary cluster member to the appropriate version.
7. Log in with SmartDashboard to the management server of the primary cluster member.

   Make sure version of the SmartDashboard is the same as the server.

8. Upgrade the version of the object to the new version.
9. Install the policy on the cluster object.

   The primary cluster member processes all the traffic.

   Note - Make sure that the For Gateway Clusters install on all the members option is cleared. Selecting this option causes the installation to fail.

10. Upgrade the secondary cluster member to the appropriate version.
11. Synchronize for management High Availability.

Upgrading with a Clean Installation

You can do a Full High Availability upgrade with a clean installation on the secondary cluster member and synchronize the primary cluster member. This type of upgrade causes downtime to the cluster members.

To upgrade Full High Availability with a clean installation:

1. Make sure the primary cluster member is active and the secondary is standby: check the status of the members.
2. Start failover to the second cluster member.

   The secondary cluster member processes all the traffic.

3. Log in with SmartDashboard to the management server of the secondary cluster member.
4. Click Change to Active.
5. Configure the secondary cluster member to be the active management server.

   Note - We recommend that you export the database using the Upgrade tools.

6. Upgrade the primary cluster member to the appropriate version.
7. Log in with SmartDashboard to the management server of the primary cluster member.

   Make sure version of the SmartDashboard is the same as the server.

8. Upgrade the version of the object to the new version.
9. Install the policy on the cluster object.

   The primary cluster member processes all the traffic.

   Note - Make sure that the For Gateway Clusters install on all the members option is cleared. Selecting this option causes the installation to fail.

10. Install the secondary member.
11. From SmartDashboard, configure the cluster object.
    1. Change the secondary details (if necessary).
    2. Establish SIC.
12. Synchronize for management High Availability.

    The primary management database synchronizes to the secondary management database.

Upgrading Clusters

If the appliance to upgrade was not the primary member of a cluster before, export its database before you upgrade. If it was the primary member before, you do not have to do this.

To upgrade an appliance and add it to a cluster:

1. If the appliance was not the primary member of a cluster, export the Security Management Server database.
2. Upgrade the appliance.
3. If the appliance was not the primary member of a cluster, Import the database.
4. Using the Portal, on the Cluster page, configure the appliance to be the primary member of a new cluster.
5. Connect a second appliance to the network.
   • If the second appliance is based on an earlier version: get the relevant upgrade package from the Download Center, save it to a USB stick, and reinstall the appliance as a secondary cluster member.
   • If the second appliance is upgraded: run the first-time wizard and select Secondary Cluster Member.

Enabling IPv6 on Gaia

IPv6 is automatically enabled if you configure IPv6 addresses in the First Time Configuration Wizard.

If you did not do this, enable IPv6 in one of the following ways:

To enable IPv6 using Clish:

# set ipv6-state on

# save config

# reboot

To enable IPv6 using the Portal:

1. In the Portal navigation tree, select System Management > system Configuration.
2. For IPv6 Support, select On.
3. When prompted, select Yes to reboot.

Changing to an IPv6-Only Management IP Address

To remove the IPv4 management address from a Security Management Server with a dual-IP management addresses (IPv4 and IPv6):

1. Open SmartDashboard using the IPv6 address.
2. Edit the Security Management Server object.
3. In the General Properties page, delete the IPv4 address.
4. Go to the Topology page, Interface Properties window, and delete the IPv4 address.
5. Save.
6. Open the Gaia Portal by connecting to the IPv6 address https://<IPv6 address>.
7. Delete the management IPV4 address from these pages:
   • Network Interfaces
   • IPv4 Static routes

Deleting the IPV4 address from Management HA

You can remove the IPv4 address from one member in a management High Availability environment and keep the IPv6 and IPv4 addresses on the second member.

To remove the IPv4 address from a management HA member:

1. Open the Portal.
2. In the Network Management > Network Interfaces page, delete the IPV4 address.
3. Open SmartDashboard.
4. Reset SIC.
5. Install the database (Policy > Install Database).
6. Reboot.
7. Synchronize the databases of the Security Management Servers.