Upgrading Security Management Server and Security Gateways

In This Section: Upgrading Standalone Upgrading the Security Management Server Upgrading Security Gateways Upgrading Standalone Full High Availability Upgrading Clusters Enabling IPv6 on Gaia Changing to an IPv6-Only Management IP Address Deleting the IPV4 address from Management HA

Upgrading Standalone

This section explains how to upgrade a standalone (Security Management Server and Security Gateway installed on one appliance or computer). A Security Management Server upgraded to R77 can enforce and manage Gateways from earlier versions. Some new features are not available on earlier versions (see the "Compatibility Tables" in the Release Notes).

Upgrading Standalone Appliances

You can upgrade a Standalone deployment on UTM-1 appliances, certain 2012 Models, and IP appliances.

UTM-1 and 2012 Models

When you upgrade the Check Point release version on the appliance you can also upgrade from SecurePlatform to Gaia. Alternatively, you can upgrade Check Point release version and stay with the SecurePlatform operating system.

SecurePlatform to Gaia

Note - When upgrading from SecurePlatform to Gaia, the size of the disk partitions does not change. To have larger disk partitions, you need to do a clean installation of Gaia.

You can upgrade from the SecurePlatform operating system to the Gaia operating system.

To upgrade a SecurePlatform appliance:

1. Upgrade product licenses to R75 or higher, and attach the licenses to the appliance.
2. Download the appliance upgrade package.
   Check_Point_upg_WEBUI_and_SmartUpdate_R77.Gaia.tgz
3. Connect to the SecurePlatform appliance from a Web browser to https://<appliance_ip_address>.
4. In the login page, enter an administrator username and password.
5. Go to the Upgrade page.
6. Upload the appliance upgrade package to the appliance.
7. Ignore any warning messages.
8. Continue according to the on-screen instructions.

   After the upgrade is complete, the appliance boots to Gaia.

   Note - The connection to the SecurePlatform Portal closes after Gaia is installed.

9. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
   1. Using SmartDashboard of the correct version, connect to the Security Management Server.
   2. Open the General Properties page of the Gateway object.
   3. Click Get to update the Platform details.
   4. Install the policy on the Gateway.

If the Gaia appliance has more than 4 GB of memory, it automatically boots to the 64-bit edition. Otherwise, it boots to the 32-bit edition.

If you upgrade and the appliance has more than 4 GB, the appliance boots to the 32-bit edition. You can configure Gaia to automatically boot to the 64-bit edition.

To configure Gaia to automatically boot to the 64-bit edition:

1. Run set edition default 64-bit
2. Run save config
3. Reboot

   Note - The appliance must have at least 6 GB of memory for this to work.

To see which edition is running:

• Go to the Portal System Overview pane. The edition shows in the System Overview widget.
• OR: Run show version os edition

SecurePlatform to SecurePlatform

Use the Portal of the appliance to upgrade Standalone UTM-1 and 2012 Model appliances.

To upgrade appliances using the Portal:

1. Open Internet Explorer and log in to the appliance.
2. Select Appliance > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 upload package file.
5. In the Portal, click Upload upgrade package to appliance.

   The Upload Package to Appliance window opens.

6. Select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.SecurePlatform.tgz
7. Click Upload.
8. Click Start Upgrade.
9. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful.

   The Save an Image before Upgrade page, displays the image information.

   Click Next.

10. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image.

    Click Next.

11. The Current Upgrade File on Appliance section displays the information of the current upgrade.
12. To begin the upgrade, click Start.

IP Appliances

IPSO to Gaia

To learn how to upgrade an IP Appliance from IPSO to Gaia, see sk69643.

IPSO to IPSO

IPSO 6.2 MR4 or above is required. To learn how to upgrade IPSO, see the IPSO 6.2 MR4 Release Notes.

Before upgrading from R75.4x, you must disable and delete unnecessary packages.

To disable and delete unnecessary packages:

1. In Network Voyager, go to Configuration > System configuration > Packages > Manage packages.
2. Disable these packages:
   • Management Enhancements plugin
   • SFW R75 Plug-in Blade
   • CPSG 80 Series compatibility package R71.20
3. Click Save.
4. Delete the disabled plugins and compatibility package.

Downloading the Package

After you download the correct package to an FTP site or local disk, use Network Voyager to put the package on the appliance. In Network Voyager of the appliance, open Configuration > System Configuration > Packages > Install Package. Use the upload procedure that fits: FTP or local disk (the Network Voyager computer).

To upload from an FTP site:

1. In the Voyager Install Package window, select FTP.
2. Enter the name or IP address of the FTP server.
3. Enter the path to the directory on the FTP server where the packages are stored.
4. If necessary, enter the applicable user name and password.
5. Click Apply. The names of the available packages show in the Site Listing window.
6. Select the package and click Apply.
7. In the Information window, click Install.

To upload from a local disk:

1. In the Voyager Install Package window, select Upload.
2. Click Browse and navigate to the package .tgz file.
3. Click Apply.
4. Select the package .tgz file in the Unpack Package window and click Apply.
5. In the Information window, click Upgrade.

To upgrade Security Management Server with Network Voyager:

1. Click the Click here to install/upgrade link to continue with the installation.
2. In the Package Installation and Upgrade pane, select Upgrade and then click Apply.
3. Click the Install Package branch in the Voyager tree to see the installation progress.
4. Go to the Manage Packages page.
   • The R77 and Check Point CPInfo packages are automatically activated during installation (disk-based appliances only).
   • Enable other packages, with the compatibility packages, as needed for your deployment.

   Important - When you install a package using Network Voyager, this message shows: Voyager environment has been updated with the latest package info. The telnet session environment will be updated by: logging out and logging in again the telnet session. This message can be misleading. Click Manage Packages to verify that the package is actually installed correctly. Refresh the page periodically until you see that the installation is complete.

5. Log out of Network Voyager and then log in again.

To upgrade Security Management Server with clish:

1. Access the CLI console, and log in.
2. Type newpkg, and press Enter.
3. Use the FTP menu option to transfer the R77 package. Choose the option:
   Upgrade from an old package.
4. Upgrade to the R77 package.

   Wait until a message informs you that the process is complete.

5. Type reboot and press Enter.

   The package is activated after the reboot.

To verify that R77 is active and is the current version:

1. Verify that R77 is active. Run newpkg –q
2. Verify that R77 is the current version. Run fw ver on a Security Gateway or fwm ver on a Security Management server.

Upgrading Standalone Open Servers

Before you upgrade:

• Back up your current configuration.
• To make sure you have enough space, see the Release Notes

SecurePlatform to Gaia

Use this procedure to upgrade a SecurePlatform computer on to a Gaia computer. Upgrade the operating system and the installed products.

Important: SecurePlatform cannot be upgraded to Gaia if you have dynamic routing configured. For more, see: sk76840.

Note - When upgrading from SecurePlatform to Gaia, the size of the disk partitions does not change. To have larger disk partitions, you need to do a clean installation of Gaia.

To upgrade an open server using the DVD:

1. Upgrade your product licenses to R75 or higher, and attach the licenses to the Security Gateway or standalone server.
2. Insert the R77 DVD into the drive.
3. At the command prompt, enter: patch add cd
4. Select the Gaia upgrade package.
5. Confirm the MD5 checksum.
6. If relevant, when prompted, create a backup image for automatic revert.
7. After extracting files, the Installation program opens.
8. Accept the license agreement.
9. Select upgrade.
10. Configure your contract options.

    You can also continue without contract information and configure it later using SmartUpdate.

11. Select a source for the upgrade utilities.

    Wait for the pre-upgrade verifier to complete successfully.

12. Select Stop Check Point processes.
13. Select Upgrade installed products, or upgrade installed products and add new products, and confirm.
14. Wait while the required installation files are extracted.
    1. Part one of the upgrade procedure saves data and upgrades the operating system.
    2. Part two upgrades Check Point products.
15. After the upgrade completes successfully, remove the DVD from the drive.
16. Reboot when prompted.
17. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
    1. Using SmartDashboard of the correct version, connect to the Security Management Server.
    2. Open the General Properties page of the Gateway object.
    3. Click Get to update the Platform details.
    4. Install the policy on the Gateway.

To upgrade a SecurePlatform Open Server using the Portal:

1. Open Internet Explorer and log in to the SecurePlatform Portal.
2. Select Device > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 file for upgrades via the Portal.
5. Click Browse and select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.Gaia.tgz
6. Click Upload package to device.

   The package is uploaded to the SecurePlatform computer.

   After the Upgrade Status shows that the Uploading is Completed you can start the upgrade.

7. Recommended: In the Safe Upgrade section, click Save snapshot of the current system before the upgrade. The snapshot is used to revert the system if the upgrade is not successful.
8. Click Start Upgrade.

   Follow the Upgrade Status. After the upgrade, the computer automatically reboots.

   Note - The connection to the SecurePlatform Portal closes after Gaia is installed.

9. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
   1. Using SmartDashboard of the correct version, connect to the Security Management Server.
   2. Open the General Properties page of the Gateway object.
   3. Click Get to update the Platform details.
   4. Install the policy on the Gateway.

SecurePlatform to SecurePlatform

Use this procedure to upgrade a SecurePlatform installation on the same computer. Upgrade the operating system and the installed products.

To upgrade a SecurePlatform Open Server using a DVD:

1. Insert R77 DVD into the drive.
2. At the command prompt, enter: patch add cd
3. Select SecurePlatform R77 Upgrade Package
   Check_Point_Install_and_Upgrade_R77.SecurePlatform_Open_Server.iso
4. Press y to accept the checksum calculation.
5. Optional: When prompted, create a backup image so that you can restore the old version.

   Note - Creating the snapshot image can take a long time. Check Point products are stopped during this time.

6. Press N at the welcome message.
7. Press Y to accept the license agreement.
8. In the next window, select Upgrade and then press N.
9. In the next window, press N to continue.
10. If prompted to download or import a valid support contract, select Continue without contract information. Press N to continue.
11. If a message shows that says your gateway is not eligible for upgrade, press N to continue.

    You can safely ignore this message and use SmartUpdate to update your service contract later.

12. In the next window, select Download most updated files.
13. In the Pre-Upgrade Verification Results window, press N to continue.

    If the Pre-Upgrade Verification fails, do the suggested steps to correct the problem. Start this procedure again from step 2.

14. When prompted, select Stop Check Point processes and press N to continue.
15. When prompted, select Upgrade installed products and press N to continue.
16. In the Validation window, press N.
17. When the upgrade completes successfully, restart the computer.

To upgrade a SecurePlatform Open Server using the Portal:

1. Open Internet Explorer and log in to the SecurePlatform Portal.
2. Select Device > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 file for upgrades via the Portal.
5. Click Browse and select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.SecurePlatform.tgz
6. Click Upload package to device.

   The package is uploaded to the SecurePlatform computer.

   After the Upgrade Status shows that the Uploading is Completed you can start the upgrade.

7. Recommended: In the Safe Upgrade section, click Save snapshot of the current system before the upgrade. The snapshot is used to revert the system if the upgrade is not successful.

   Your browser will automatically try to perform the first login immediately after the upgrade. To allow this, do not close the browser window or browse to another page.

8. Click Start Upgrade.

   Follow the Upgrade Status. After the upgrade, the computer automatically reboots.

9. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
   1. Using SmartDashboard of the correct version, connect to the Security Management Server.
   2. Open the General Properties page of the Gateway object.
   3. Click Get to update the Platform details.
   4. Install the policy on the Gateway.

Windows to Windows

Use this procedure to upgrade a Windows installation on the computer. Upgrade the installed products.

To upgrade a Windows standalone computer:

1. Insert the R77 DVD into the drive. The Installation Wizard starts automatically.

   If the wizard does not start automatically, manually run setup.exe from the DVD drive.

2. Click Next at the welcome message.
3. Accept the license agreement and click Next.
4. Select Upgrade and click Next.
5. On the next screen, click Next.
6. If prompted to download or import a valid support contract, select Continue without contract information. Click Next to continue.
7. If a message shows that says your gateway is not eligible for upgrade.

   You can safely ignore this message and use SmartUpdate to update your service contract later. Click Next.

8. Select Download most updated files and click Next.
9. In the Pre-Upgrade Verification Results window, click Next.

   If the Pre-Upgrade Verification fails, do the suggested steps to correct the problem. Start this procedure again from step 2.

10. When prompted to add new products, clear Add new products and then click Next.

    You can add new products at a later time.

11. Click Next at the confirmation message.
12. When the installation completes successfully, click Finish.
13. When prompted, restart the computer.

Upgrading the Security Management Server

You do not have to upgrade the Security Management Server and all of the Gateways at the same time. When the Security Management Server is upgraded, you can still manage Gateways from earlier versions (though the Gateways may not support new features).

Important - To upgrade to R77 Gaia, make sure there is enough free disk space in /var/log. See the R77 Release Notes.

Use the Pre-Upgrade Verification tool to reduce the risk of incompatibility with your existing environment. The Pre-Upgrade Verification tool generates a detailed report of the actions to take before an upgrade.

There are different upgrade methods for the Security Management Server:

• Upgrade Production Security Management Server
• Migrate and Upgrade to a New Security Management Server

  Important - After upgrade, you cannot restore a version with a database revision that was made with the old version. You can see old version database saves in Read-Only mode.

Upgrading Security Management Server on Appliances

You can upgrade a Security Management Server on some Smart-1 appliances and open servers.

Smart-1

You can upgrade a Smart-1 appliance from SecurePlatform to Gaia, or you can upgrade the SecurePlatform version.

SecurePlatform to Gaia

Note - When upgrading from SecurePlatform to Gaia, the size of the disk partitions does not change. To have larger disk partitions, you need to do a clean installation of Gaia.

You can upgrade from the SecurePlatform operating system to the Gaia operating system.

To upgrade a SecurePlatform appliance:

1. Upgrade product licenses to R75 or higher, and attach the licenses to the appliance.
2. Download the appliance upgrade package.
   Check_Point_upg_WEBUI_and_SmartUpdate_R77.Gaia.tgz
3. Connect to the SecurePlatform appliance from a Web browser to https://<appliance_ip_address>.
4. In the login page, enter an administrator username and password.
5. Go to the Upgrade page.
6. Upload the appliance upgrade package to the appliance.
7. Ignore any warning messages.
8. Continue according to the on-screen instructions.

   After the upgrade is complete, the appliance boots to Gaia.

   Note - The connection to the SecurePlatform Portal closes after Gaia is installed.

9. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
   1. Using SmartDashboard of the correct version, connect to the Security Management Server.
   2. Open the General Properties page of the Gateway object.
   3. Click Get to update the Platform details.
   4. Install the policy on the Gateway.

SecurePlatform to SecurePlatform

Use the WebUI of the appliance to upgrade Security Management Server Smart-1 and 2012 Model appliances.

To upgrade appliances using the Portal:

1. Open Internet Explorer and log in to the appliance.
2. Select Appliance > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 upload package file.
5. In the Portal, click Upload upgrade package to appliance.

   The Upload Package to Appliance window opens.

6. Select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.SecurePlatform.tgz
7. Click Upload.
8. Click Start Upgrade.
9. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful.

   The Save an Image before Upgrade page, displays the image information.

   Click Next.

10. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image.

    Click Next.

11. The Current Upgrade File on Appliance section displays the information of the current upgrade.
12. To begin the upgrade, click Start.

IP Appliances

For the IP Appliance models that are supported for this release, see the R77 Release Notes.

IPSO to Gaia

To learn how to upgrade an IP Appliance from IPSO to Gaia, see sk69643.

IPSO to IPSO

IPSO 6.2 MR4 or above is required. To learn how to upgrade IPSO, see the IPSO 6.2 MR4 Release Notes.

Before upgrading from R75.4x, you must disable and delete unnecessary packages.

To disable and delete unnecessary packages:

1. In Network Voyager, go to Configuration > System configuration > Packages > Manage packages.
2. Disable these packages:
   • Management Enhancements plugin
   • SFW R75 Plug-in Blade
   • CPSG 80 Series compatibility package R71.20
3. Click Save.
4. Delete the disabled plugins and compatibility package.

Downloading the Package

After you download the correct package to an FTP site or local disk, use Network Voyager to put the package on the appliance. In Network Voyager of the appliance, open Configuration > System Configuration > Packages > Install Package. Use the upload procedure that fits: FTP or local disk (the Network Voyager computer).

To upload from an FTP site:

1. In the Voyager Install Package window, select FTP.
2. Enter the name or IP address of the FTP server.
3. Enter the path to the directory on the FTP server where the packages are stored.
4. If necessary, enter the applicable user name and password.
5. Click Apply. The names of the available packages show in the Site Listing window.
6. Select the package and click Apply.
7. In the Information window, click Install.

To upload from a local disk:

1. In the Voyager Install Package window, select Upload.
2. Click Browse and navigate to the package .tgz file.
3. Click Apply.
4. Select the package .tgz file in the Unpack Package window and click Apply.
5. In the Information window, click Upgrade.

To upgrade Security Management Server with Network Voyager:

1. Click the Click here to install/upgrade link to continue with the installation.
2. In the Package Installation and Upgrade pane, select Upgrade and then click Apply.
3. Click the Install Package branch in the Voyager tree to see the installation progress.
4. Go to the Manage Packages page.
   • The R77 and Check Point CPInfo packages are automatically activated during installation (disk-based appliances only).
   • Enable other packages, with the compatibility packages, as needed for your deployment.

   Important - When you install a package using Network Voyager, this message shows: Voyager environment has been updated with the latest package info. The telnet session environment will be updated by: logging out and logging in again the telnet session. This message can be misleading. Click Manage Packages to verify that the package is actually installed correctly. Refresh the page periodically until you see that the installation is complete.

Log out of Network Voyager and then log in again.

To upgrade Security Management Server with clish:

1. Access the CLI console, and log in.
2. Type newpkg, and press Enter.
3. Use the FTP menu option to transfer the R77 package. Choose the option:
   Upgrade from an old package.
4. Upgrade to the R77 package.

   Wait until a message informs you that the process is complete.

5. Type reboot and press Enter.

   The package is activated after the reboot.

To verify that R77 is active and is the current version:

1. Verify that R77 is active. Run newpkg –q
2. Verify that R77 is the current version. Run fw ver on a Security Gateway or fwm ver on a Security Management server.

Upgrading Security Management Server on Open Servers

A Security Management Server on any computer that meets the minimum requirements can be upgraded. You can upgrade from SecurePlatform to Gaia, or you can upgrade the SecurePlatform version. On Windows and Linux Security Management Servers, you can upgrade the installed Check Point products.

Before you upgrade:

It is recommended to back up your configuration.

SecurePlatform to Gaia

Use this procedure to upgrade the SecurePlatform operating system to Gaia, and to upgrade the installed products.

Important: SecurePlatform cannot be upgraded to Gaia if you have dynamic routing configured. For more, see: sk76840.

Note - When upgrading from SecurePlatform to Gaia, the size of the disk partitions does not change. To have larger disk partitions, you need to do a clean installation of Gaia.

To upgrade Security Management Server on Gaia open servers:

1. Upgrade product licenses to R75 or higher, and attach the licenses to the appliance.
2. Connect a DVD drive to the USB port on the computer.
3. Run: patch add cd
4. Select the Gaia upgrade package.
5. Confirm the MD5 checksum.
6. When prompted, create a backup image for automatic revert.

   After extracting files, the Installation program opens.

7. Accept the license agreement.
8. Select upgrade.
9. Configure your contract options.

   You can also continue without contract information and configure it later using SmartUpdate.

10. Select a source for the upgrade utilities.

    Wait for the pre-upgrade verifier to complete successfully.

11. Select Stop Check Point processes.
12. Select Upgrade installed products, or upgrade installed products and add new products, and confirm.
13. Wait while the required installation files are extracted.
    1. Part one of the upgrade procedure saves data and upgrades the operating system.
    2. Part two upgrades Check Point products.
14. After the upgrade completes successfully, remove the DVD from the drive.
15. Restart when prompted.
16. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
    1. Using SmartDashboard of the correct version, connect to the Security Management Server.
    2. Open the General Properties page of the Gateway object.
    3. Click Get to update the Platform details.
    4. Install the policy on the Gateway.

To upgrade a SecurePlatform Open Server using the Portal:

1. Open Internet Explorer and log in to the SecurePlatform Portal.
2. Select Device > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 file for upgrades via the Portal.
5. Click Browse and select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.Gaia.tgz
6. Click Upload package to device.

   The package is uploaded to the SecurePlatform computer.

   After the Upgrade Status shows that the Uploading is Completed you can start the upgrade.

7. Recommended: In the Safe Upgrade section, click Save snapshot of the current system before the upgrade. The snapshot is used to revert the system if the upgrade is not successful.
8. Click Start Upgrade.

   Follow the Upgrade Status. After the upgrade, the computer automatically reboots.

   Note - The connection to the SecurePlatform Portal closes after Gaia is installed.

SecurePlatform to SecurePlatform

Use this procedure to upgrade a SecurePlatform installation on the same computer. Upgrade the operating system and the installed products.

To upgrade a SecurePlatform Open Server using a DVD:

1. Insert R77 DVD into the drive.
2. At the command prompt, enter: patch add cd
3. Select SecurePlatform R77 Upgrade Package
   Check_Point_Install_and_Upgrade_R77.SecurePlatform_Open_Server.iso
4. Press y to accept the checksum calculation.
5. Optional: When prompted, create a backup image so that you can restore the old version.

   Note - Creating the snapshot image can take a long time. Check Point products are stopped during this time.

6. Press N at the welcome message.
7. Press Y to accept the license agreement.
8. In the next window, select Upgrade and then press N.
9. In the next window, press N to continue.
10. If prompted to download or import a valid support contract, select Continue without contract information. Press N to continue.
11. If a message shows that says your gateway is not eligible for upgrade, press N to continue.

    You can safely ignore this message and use SmartUpdate to update your service contract later.

12. In the next window, select Download most updated files.
13. In the Pre-Upgrade Verification Results window, press N to continue.

    If the Pre-Upgrade Verification fails, do the suggested steps to correct the problem. Start this procedure again from step 2.

14. When prompted, select Stop Check Point processes and press N to continue.
15. When prompted, select Upgrade installed products and press N to continue.
16. In the Validation window, press N.
17. When the upgrade completes successfully, restart the computer.

To upgrade a SecurePlatform Open Server using the Portal:

1. Open Internet Explorer and log in to the SecurePlatform Portal.
2. Select Device > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 file for upgrades via the Portal.
5. Click Browse and select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.SecurePlatform.tgz
6. Click Upload package to device.

   The package is uploaded to the SecurePlatform computer.

   After the Upgrade Status shows that the Uploading is Completed you can start the upgrade.

7. Recommended: In the Safe Upgrade section, click Save snapshot of the current system before the upgrade. The snapshot is used to revert the system if the upgrade is not successful.

   Your browser will automatically try to perform the first login immediately after the upgrade. To allow this, do not close the browser window or browse to another page.

8. Click Start Upgrade.

   Follow the Upgrade Status. After the upgrade, the computer automatically reboots.

Linux to Linux

To upgrade a Linux Open Server using a DVD:

1. Before upgrading, make sure your Security Management Server is eligible for upgrade. Go to the User Center and make sure you have a valid license and support contract.
2. Download the ISO file for upgrading to R77 from the R77 home page.
3. Burn the ISO file onto a DVD.
4. Insert DVD into the drive.
5. At the root prompt, create a mount point and mount the DVD. Run:

   mkdir /mnt/cdrom
mount -ro loop /dev/cdrom /mnt/cdrom

6. Go to the mount directory, and look at the files. Run:
   cd /mnt/cdrom/
ls -l
7. Run:
   ./UnixInstallScript
8. Press Y to accept the license agreement.
9. In the next window, select Upgrade and press N to continue.
10. The upgrade script does a check to see if the Security Management Server is eligible for upgrade.

    If your Security Management Server does not have a valid license and contract you are required to either Download contract information from User Center or Import a local service contract file.

    Install a contract file and restart the upgrade script.

11. If contract verification succeeds, press N to continue.
12. In the next window, select Use the upgrade files from the CD and press N.
13. The pre-upgrade verifier runs.

    If the verification fails, we recommend that you review the file, fix the problems, and restart the upgrade.

14. If the Pre-Upgrade Verification succeeds, press N to continue.
15. When prompted, select Stop Check Point processes and press N.
16. When prompted, select Upgrade installed products and press N.
17. In the Validation window, press N.
18. When the upgrade completes successfully, restart the computer.

Windows to Windows

Before you begin, back up the server.

To upgrade a Windows Security Management Server:

1. Insert the R77 DVD.
2. If the upgrade does not start automatically, run Setup.exe from the DVD.
3. Click Next to start the installation wizard.
4. Accept the license agreement and click Next.
5. Click Next to check your license information.
6. From the Upgrade Options screen, select Upgrade and click Next.
7. Follow the support contract and upgrade utility screens.
8. When the pre-upgrade verification recommendation appears, select to execute the Pre-upgrade Verification Tool.
9. Select Add new products and click Next.

   Note - SmartReporter is installed by default, if it was not installed before.

   Depending on the components you have chosen to install, you may need to install other components. Follow the instructions.

   A list of the products that will be upgraded appears. Click Next.

   The new components are installed and the Security Management Server is upgraded. The progress of each component is indicated in the progress bar. Upon completion, a summary appears.

   Note - In Windows Server 2003, if Microsoft.Net framework 2.0 is not installed, it will be installed before the Check Point components.

10. Follow the instructions for license management and fingerprint handling.
11. Click Finish.
12. When prompted, restart the Security Management Server.

Upgrading Endpoint Security

To upgrade to R77 with E80.50 from E80.40 or higher, use the upgrade or advanced upgrade and migration procedures for Security Management Servers in this guide.

Upgrading Security Gateways

You can upgrade Security Gateways using one of these methods:

• SmartUpdate: Centrally upgrade and manage Check Point software and licenses from a SmartConsole client.
• Local Upgrade: Do a local upgrade on the Security Gateway itself.

Upgrading Gateways using SmartUpdate

SmartUpdate is the primary tool used for upgrading Check Point Gateways. The following features and tools are available in SmartUpdate:

• Upgrade All Packages: This feature upgrades all packages installed on a gateway. For IPSO and SecurePlatform, this feature also upgrades your operating system as a part of the upgrade procedure. The SmartUpdate "Upgrade all Packages" option supports HFAs, i.e., it will suggest upgrading the gateway with the latest HFA if a HFA package is available in the Package Repository. "Upgrade All" is the recommended method. In addition, there is an advanced method to install (distribute) packages one by one.
• Add Package to Repository: SmartUpdate provides three "helper" tools for adding packages to the Package Repository:
  • From CD/DVD: Adds a package from the Check Point DVD.
  • From File: Adds a package that you have stored locally.
  • From Download Center: Adds a package from the Check Point Download Center.
• Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or for your entire enterprise.
• Check for Updates: This feature, available from the SmartDashboard Tools menu, locates the latest HFA on the Check Point Download Center, and adds it to the Package Repository.

Configuring the Security Management Server for SmartUpdate

To configure the Security Management Server for SmartUpdate:

1. Install the latest version of SmartConsole, including SmartUpdate.
2. Define the remote Check Point Gateways in SmartDashboard (for a new Security Management Server installation).
3. Verify that your Security Management Server contains the correct license to use SmartUpdate.
4. Verify that the Administrator SmartUpdate permissions (as defined in the cpconfig configuration tool) are Read/Write.
5. To enable SmartUpdate connections to the Gateways, make sure that Policy Global Properties > FireWall > Firewall Implied Rules > Accept SmartUpdate Connections (SmartUpdate) is selected. By default, it is selected.

Add Packages to the Package Repository

Use SmartUpdate to add packages to and delete packages from the Package Repository:

• directly from the Check Point Download Center website (Packages > Add > From Download Center),
• by adding them from the Check Point DVD (Packages > Add > From CD/DVD),
• by importing a file (Packages > Add > From File).

When adding the package to the Package Repository, the package file is transferred to the Security Management Server. When the Operation Status window opens, you can verify the success of the operation. The Package Repository is then updated to show the new package object.

Gateway Upgrade - SmartUpdate

To update a gateway using SmartUpdate:

1. From SmartUpdate > Packages > Upgrade All Packages select one or more Gateways and click Continue.

   The Upgrade All Packages window opens, and in the Upgrade Verification list you can see which Gateways can or cannot be upgraded.

   • To see a list of which packages will be installed on the Gateways that can be upgraded, select the gateway and click the Details button.
   • For an explanation as to why a gateway cannot be upgraded, select the relevant gateway and click the Details button.
2. From the list provided, select the Gateways that can be upgraded and click Upgrade.

Note - The Allow reboot option (selected by default) is required in order to activate the newly installed packages.

The Operation Status pane opens and shows the progress of the installation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window, which shows the operation history.

The following operations are performed during the installation process:

• The Check Point Remote Installation Daemon connects to the Check Point gateway.
• Verification for sufficient disk space.
• Verification of the package dependencies.
• The package is transferred to the gateway if it is not already there.
• The package is installed on the gateway.
• Enforcement policies are compiled for the new version.
• The gateway is rebooted if the Allow Reboot option was selected and the package requires it.
• The gateway version is updated in SmartDashboard.
• The installed packages are updated in SmartUpdate.

Upgrading Security Gateways on Appliances

UTM-1, Power-1, and 2012 Models

SecurePlatform to Gaia

You can upgrade from the SecurePlatform operating system to the Gaia operating system.

To upgrade a SecurePlatform appliance:

1. Upgrade product licenses to R75 or higher, and attach the licenses to the appliance.
2. Download the appliance upgrade package.
   Check_Point_upg_WEBUI_and_SmartUpdate_R77.Gaia.tgz
3. Connect to the SecurePlatform appliance from a Web browser to https://<appliance_ip_address>.
4. In the login page, enter an administrator username and password.
5. Go to the Upgrade page.
6. Upload the appliance upgrade package to the appliance.
7. Ignore any warning messages.
8. Continue according to the on-screen instructions.

   After the upgrade is complete, the appliance boots to Gaia.

   Note - The connection to the SecurePlatform Portal closes after Gaia is installed.

9. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
   1. Using SmartDashboard of the correct version, connect to the Security Management Server.
   2. Open the General Properties page of the Gateway object.
   3. Click Get to update the Platform details.
   4. Install the policy on the Gateway.

SecurePlatform to SecurePlatform

Use the Portal to upgrade Security Gateways on appliances.

To upgrade appliances using the Portal:

1. Open Internet Explorer and log in to the appliance.
2. Select Appliance > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 upload package file.
5. In the Portal, click Upload upgrade package to appliance.

   The Upload Package to Appliance window opens.

6. Select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.SecurePlatform.tgz
7. Click Upload.
8. Click Start Upgrade.
9. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful.

   The Save an Image before Upgrade page, displays the image information.

   Click Next.

10. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image.

    Click Next.

11. The Current Upgrade File on Appliance section displays the information of the current upgrade.
12. To begin the upgrade, click Start.

IP Appliances

IPSO to Gaia

You can upgrade from IPSO to Gaia with R77 on all IP appliance platforms (IP150, IP280, IP290, IP390, IP560, IP690, IP1280, IP2450) using FTP over a network connection. You can also upgrade to R77 on all of these IP appliance platforms except IP390 and IP560 using a USB removable device and the Check Point ISOmorphic utility.

• To upgrade using a removable device see sk83200.
• To upgrade over the network using FTP, continue with these instructions.

Preparing for Upgrade

Set up this environment.

Item
1	IP Appliance with IPSO IPSO to Gaia installation package or upgrade package.
2	FTP Server with a Gaia ISO image mounted. The ISO is copied to the IP Appliance as part of the installation or upgrade process. The FTP server can be Linux-based or Windows-based. In this example, the FTP Server is at 192.0.2.2.
3	Optional: FTP Server used as a location for one or more of the following: Backup of IPSO and the Security Gateway configuration. (recommended) A special SmartUpdate package that can be used to distribute the IPSO to Gaia installation and upgrade package to multiple Security Gateways. A special package that can be used to install or upgrade Security Gateways, one at a time, without having to answer any questions. This package is created using the answers supplied when running the installation and upgrade package. You can use the same FTP server as for the Gaia ISO, or a different one. In this example, the FTP Server is at 192.0.2.3.
4	Computer with console access to the IP appliance and to the FTP server(s). Console access is recommended because it allows you to keep the connection to the IP Appliance throughout the installation or upgrade. If you connect via SSH you lose the connection after the IP Appliance reboots, and you will not be able to track the installation or upgrade progress.

Upgrade Procedure Overview

	Important - This is an overview of the steps, not the actual instructions. Detailed instructions follow.
Step 1: Get the IPSO to Gaia installation and upgrade package (tgz) and the Gaia ISO image. Step 2: Put the Gaia ISO on an FTP server. Step 3: Install the installation and upgrade package on the IP Appliance using Network Voyager or Clish. Step 4: Run the script: Clean install - run-install-gaia Upgrade - run-upgrade-to-Gaia Step 5: Enter FTP server details and the ISO location. The script tests the FTP Server environment: Route to the FTP server Interface speed and duplex settings FTP access with the given credentials FTP access to the specified path Path contains the Gaia ISO and the user has Read/Write access to the directory Multiple simultaneous connections (>20) to the FTP server are allowed Timeout on FTP server is not too low FTP access to files downloaded by the Gaia boot manager Step 6: Optional, but recommended: Enter data for an FTP server to hold IPSO system and configuration backup. Step 7: Optional: Enter data to make a customized IPSO to Gaia upgrade package. Use this to upgrade multiple Security Gateways with SmartUpdate. Upgrade one Security Gateway with the standard IPSO to Gaia upgrade package. Enter the required data to create the special upgrade package. Upgrade all other Security Gateways simultaneously, using the special upgrade package, without more data. All IP Appliances must be able to access the same ftp servers as the first Security Gateway. Step 8: Confirm your selections. Step 9: The installation or upgrade package now runs automatically: If you made a backup package: The backup tar files are copied from the IP Appliance to the FTP server. If you made a customized installation or upgrade package: The package is copied from the IP Appliance to the FTP server. The Gaia image is copied from the FTP server to the IP Appliance. The Gaia image is installed. The Gaia boot manager is installed. The IP Appliance reboots. You see the Gaia prompt on the IP Appliance.
Step 10: Make sure the upgrade succeeded.

Step 1: Getting the Upgrade Package and the Gaia Image

1. Download the Gaia packages for IP Appliance from the R77 home page on the Check Point Support Center.

   You will see two packages:

   • Gaia ISO image
   • IPSO to Gaia installation and upgrade package. The file name is Check_Point_Install_and_Upgrade_IPSO6.2_to_Gaia_R77.tgz
2. Prepare the installation and upgrade packages:

   Copy the packages to an FTP server, in a directory of your choice. Or transfer the packages by FTP to the IP Appliance.

Step 2: Putting the Gaia ISO on an FTP Server

Network Requirements

Important - High network traffic or large transfers (more than 10/100 Mbps links) can interfere with the FTP transfers for installation.

• Make sure the appliance can reach the FTP server.
• Make sure there is no Firewall which blocks incoming FTP requests from the appliance to the FTP server.
• Configure the FTP server to allow more than 100 (or an unlimited number of) concurrent connections.
• Make sure the Gaia ISO file is mounted on a directory to which the user has access permissions.

On a Linux-based FTP Server:

1. Upload the Gaia ISO file to the FTP server
2. On the FTP server, run:

   mount -o loop -t iso9660 <ISO_filename> <mounting_destination_dir>

On a Windows-based FTP Server:

Upload the Gaia ISO file to the FTP server Extract the Gaia ISO file to a folder on the FTP Server. Use 7-zip, Winzip, WinRAR or similar. In the folder, run the file copyrpms.bat This batch file copies installation files, to give a required workaround to Windows' inability to support soft links. Give FTP credentials to the folder, so the folder can be accessed via FTP.

Step 3: Installing the Package on the IP Appliance

1. Log in to the IP Appliance using a console.
2. Run Clish
3. Install the IPSO to Gaia installation and upgrade package on the IPSO appliance using Clish or using Network Voyager (see the Network Voyager Reference Guide.
   To use Clish:
   • If the IPSO to Gaia package is on an FTP server, run:

     add package media ftp addr <FTP_IP> user <uname> password <pass> name <full_path>/Check_Point_Upgrade_Package_R77.IPSO6.2_to_Gaia.tgz

   Note - If using anonymous ftp, change ftp to anonftp.

   • If the IPSO to Gaia package is on the IP Appliance, go to the directory where the package is located, and run the Clish command:

     add package media local name ./Check_Point_Upgrade_Package_R77.IPSO6.2_to_Gaia.tgz

   The installation and upgrade package is installed.

   Trying to install package: ./package_name.tgz Package Information -- Name : IPSO to Gaia Upgrade Version : <version> Release : <Release> Description: IPSO to Gaia Upgrade Package (<package_version>) Package will be installed under: /opt Package installed and activated successfully. End of package installation.

   The installation success message is Package installed and activated successfully.

   The package is reported to be activated, but there are no background processes running.

4. Show the installed and active packages by running: show package active

   Name Ver Rel Dir Desc {Check Point CPinfo } 10 00 /opt/CPinfo-10 {Check Point CPinfo} {Check Point R70} R70 00 /opt/CPsuite-R70 {Check Point R70} {IPSO to Gaia Upgrade} <ver> <rel> /opt/<package_name> {IPSO to Gaia Upgrade Package (<upgrade_package_version>)}

5. Exit Clish. Run: exit

Step 4: Running the Installation and Upgrade Script

1. Go to the location of the package

   cd /opt/<package_name>/

2. To upgrade, run
   ./run-upgrade-to-Gaia

   To do a clean installation, run
   ./run-install-Gaia

   If you are upgrading multiple appliances from a special upgrade package that was previously saved, the installation or upgrade runs automatically. Continue with Step 9.

   If you are upgrading or installing one appliance, continue here.

   The script runs. The following shows an upgrade. If you do a clean installation, the IPSO configuration is not transferred to Gaia.

   Welcome to the IPSO to Gaia Install/Upgrade procedure.   Checking platform...OK Checking IPSO OS version ...OK Checking hostname ... Checking your configuration Summary: Errors: 0 Warnings: 0 Information: 14 Total Grade: 94 Details in file "/var/tmp/verify-IPSO-for-Gaia.msgs".   A newer version of this script may be available. Contact the Check Point UserCenter at https://usercenter.checkpoint.com and see SK66569.   Do you want to continue with the upgrade ? [y] y   ========================================================= The following types of information are needed to prepare your IPSO appliance for the upgrade:   - info about downloading the Gaia image. - info about transferring the verification reports (optional). - info about transferring an IPSO backup (optional). - info about transferring a special upgrade package with your answers (optional).   Answer the prompts for this info and then the upgrade is performed.   Hit 'Enter' to continue or Ctrl-C to exit

3. Supply the information for downloading the Gaia image

Note - If you have run the upgrade script before, the previously entered values are shown in square brackets [ ]. Press Enter to accept the values, or type in the new values and press Enter.

Step 5: Verifying the FTP Server

Enter the requested FTP server data and the path to the Gaia installation file.

	Required Directory Value
If ISO is mounted to a non-FTP directory	Enter full path to ISO. A relative path or shortcut link will not work. Example: if /home/uname/gaia, ./gaia will not work.
If ISO is mounted to /var/ftp, and FTP user account is used to install	Enter path to ISO. A shortened path will work. Example: if /var/ftp/gaia, gaia will work.
If ISO is mounted to /var/ftp, and non-FTP user account is used to install	Enter full path to ISO. A relative path or shortcut link will not work.

The script runs some tests to verify the FTP environment. If errors are detected, correct the FTP server configuration and then instruct the program to verify the FTP environment again.

Here is an example of a successful test:

Info for download of the Gaia image: Info for download of the Gaia image: IP address of FTP server [192.0.2.2]: User name [gwhite]: Password [******]: Directory [/mnt/gaia_image]: Performing tests of access to FTP server and Gaia ISO Checking route to 192.0.2.2 ... OK Interface: eth-s4p1 speed 100M, duplex full Checking FTP access with given credentials ... OK Checking FTP access to /mnt/gaia_image ... OK Checking /mnt/gaia_image is Gaia ISO ... Yes Checking multiple simultaneous connections to 192.0.2.2 ... OK Checking timeout to 192.0.2.2 ... OK Checking FTP access to files downloaded by Gaia boot-manager system/ramdisk.pxe ... OK system/base/stage2.img ... OK

Step 6 (Optional, Recommended): Supplying Reports and Backup Server Information

The script will request details of the FTP server to store reports and backup data. The same path-rules apply here as in Step 5. The backup creates two tgz files, for:

• IPSO operating system configuration files, user directories, and log files.
• Security Gateway backup files.

Here is an example:

A complete backup of the IPSO system can performed including system configuration, user home directories, log files and files from packages. Do you want to perform this backup ? [y] Use IP address '192.0.2.2' and user 'root' for the backup? [n] Details for transferring the IPSO Backup: IP address of FTP server []: 192.0.2.3 User name []: ftp Password []: *** Directory []: /backupdir   Checking FTP access to 192.0.2.3 (it may take a minute) ... done

Step 7: (Optional): Supplying Special Package Server Information

Enter data of the destination FTP server for the special upgrade package. Enter a destination directory, with the same rules as in Step 5.

A package with your answers to the previous prompts can be created. This package can be used on other IPSO Gateways for unattended conversion to Gaia. Do you want to create such a package? [y] Details for transferring the package with your answers: IP address of FTP server [192.0.2.3]: User name [ftp]: Password [***]: Directory [packagedir]: Checking FTP access to 192.0.2.3 (it may take a minute) ... done

Step 8: Confirming Your Selections

You see a summary of all your answers.

Information for download of the Gaia image: FTP Server IP Address = 192.0.2.2 FTP Server user name = root Directory on FTP Server = /imagedir Information for transferring the IPSO Backup: FTP Server IP Address = 192.0.2.3 FTP Server user name = ftp Directory on FTP Server = /backupdir Information for transferring the package with your answers: FTP Server IP Address = 192.0.2.3 FTP Server user name = ftp Directory on FTP Server = /packagedir   Are these values correct? [y]

1. Click n to change the selections you made before, or type y to start the upgrade.

   The backup file and the special upgrade package file, if you chose to create them, are created.

   Writing values to file Performing IPSO backup (file <ipso_backup_file_name>.tgz) ... done Performing Check Point Security Gateway backup (file <Security Gateway_backup_file_name>.tgz) ... done Transferring IPSO and Check Point Security Gateway backup files ... done Creating a package with your answers (<package_name>_AUTO.tgz) ... done Transferring package with your answers ... done Installing Gaia Boot Manager ... done

2. You have 30 seconds to abort. To stop the upgrade, press Enter.

   IP appliance reboots in 30 seconds to complete the upgrade. Hit 'Enter' to abort.

Important - If you want to make changes, press Enter now. This stops the upgrade to Gaia. To complete the upgrade to Gaia, reboot the IP Appliance.

Step 9: Upgrade Runs Automatically

The upgrade runs unattended.

• The IP Appliance reboots.
• The Gaia Boot Manager runs.

  Important - It is possible that after the reboot the system will show the Boot Manager prompt. To complete the upgrade, type INSTALL at the Boot Manager prompt, and provide the requested information. The upgrade should continue from this point.

• The Gaia image is installed.

• The IPSO and R77 configuration is imported into Gaia, including the SIC trust settings.
• You now see the Gaia prompt.

Congratulations. Gaia and R77 are installed on the IP Appliance.

Important - The HTTPS port for the Portal is set to 443 after an installation or upgrade. To change this, you must use SmartDashboard > Gateway Properties > Portal Settings.

Step 10: Making Sure the Upgrade Succeeded

To check the Security Gateway configuration:

1. At the Gaia prompt, log in with your IPSO credentials.

   The system logs you in to the expert mode. That is, you will be in csh or bash depending on how the original IPSO system was configured.

2. Type clish to enter clish.
3. Run fw ver to see the Security Gateway version information.
4. Run fw stat to confirm that the default policy is enforced.
5. Launch R77 SmartDashboard.
6. In the Security Gateway object:
   1. Click Test SIC status. SIC status should be Trust Established.
   2. Change the version to R77.
   3. Install a policy on the Security Gateway.

Rollback from Gaia to IPSO

You can roll back from Gaia to IPSO 6.2. You can also restore the Check Point Security Gateway and/or Security Management Server configuration.

Before doing a rollback from Gaia to IPSO:

Make sure that:

1. The IPSO boot manager installer is available. Download it from the R77 home page.
2. An IPSO image is available. Put the IPSO image on an FTP server, and make sure that the FTP server is accessible from the Gaia IP Appliance.
3. A backup of the Check Point Security Gateway on the Gaia IP Appliance is available. Put the backup tar file on an FTP server, and make sure the FTP server is accessible from the Gaia IP Appliance.

To roll back from Gaia to IPSO:

1. At the Gaia command line prompt, login as the administrator.
2. Go to expert mode. Type expert and supply the credentials.
3. From the R77 home page on the Support Center, download the IPSO boot manager installer:

   Check_Point_R77_Install_IPSOBootmanager.sh

4. Copy the IPSO boot manager installer to the Gaia IP Appliance. For example, to: /var/tmp.
5. Change file attributes to give executable permissions. Run:

   chmod 777 Check_Point_R77_Install_IPSOBootmanager.sh

6. Install the IPSO boot manager by running:

   ./Check_Point_R77_Install_IPSOBootmanager.sh

   The script asks if you want to roll back to:

   1. IPSO 4.2
2. IPSO 6.2

7. Choose 2.
8. Type reboot.

   After the reboot, the system is running the IPSO boot manager.

9. At the BOOTMGR> prompt, install the IPSO image by running: install
10. Enter the:
    • IP address of the IP Appliance.
    • Default gateway of the IP Appliance.
    • IP address of the FTP server with the IPSO image.
    • User credentials.
    • Directory path.
    • Answers to various configuration questions regarding:
      • The chassis serial number
      • Whether the system is part of a VRRP cluster
      • Whether IGMP and BGP are enabled

    The system automatically reboots into IPSO.

11. Configure the IP Appliance:
    • Hostname
    • New password for admin
    • The management port physical interface (enable)
    • IP address for the management interface
    • Default gateway

To restore the Check Point Security Gateway configuration:

In the following example:

• CP_archive_<hostname and timestamp>.tgz is the Check Point backup archive
• i2g_backup_<hostname and timestamp>.tgz is the IPSO backup file

  Important - If the IPSO backup contains IPSO and Check Point configuration data, the Check Point packages must be restored before the IPSO configuration.

To Restore:

1. Make sure the backup IPSO and CP archives are on an FTP server with connectivity to the IP appliance.
2. Log in to the IP Appliance as admin.
3. Copy the backup archive file containing the Check Point Security Gateway to the IP Appliance:

   cd /var/tmp ftp <ftp-address> username: <ftp-user> password: <ftp-password> >bin >cd <PATH> >get CP_archive_<hostname and timestamp>.tgz >bye

4. Unpack the archive to the root directory

   tar xzf CP_archive_<hostname and timestamp>.tgz -C /

5. Copy and restore the IPSO backup file to the appliance using the set restore CLI commands:

   Clish set restore remote ftp-site <ftp-address> set restore remote ftp-user <username> set restore remote ftp-pass <password> set restore remote ftp-dir <PATH> set restore remote filename i2g_backup_<hostname and timestamp>.tgz

   IPSO automatically reboots.

6. Log out.
7. Log in as admin.

Verify the configuration has been restored.

IPSO to IPSO

For the IP Appliance models that are supported for this release, see the R77 Release Notes. After you download the correct package to an FTP site or local disk, use Network Voyager to put the package on the appliance. In Network Voyager of the appliance, open Configuration > System Configuration > Packages > Install Package. Use the upload procedure that fits: FTP or local disk (the Network Voyager computer).

To upload from an FTP site:

1. In the Voyager Install Package window, select FTP.
2. Enter the name or IP address of the FTP server.
3. Enter the path to the directory on the FTP server where the packages are stored.
4. If necessary, enter the applicable user name and password.
5. Click Apply. The names of the available packages show in the Site Listing window.
6. Select the package and click Apply.
7. In the Information window, click Install.

To upload from a local disk:

1. In the Voyager Install Package window, select Upload.
2. Click Browse and navigate to the package .tgz file.
3. Click Apply.
4. Select the package .tgz file in the Unpack Package window and click Apply.
5. In the Information window, click Upgrade.

To upgrade Security Management Server with Network Voyager:

1. Click the Click here to install/upgrade link to continue with the installation.
2. In the Package Installation and Upgrade pane, select Upgrade and then click Apply.
3. Click the Install Package branch in the Voyager tree to see the installation progress.
4. Go to the Manage Packages page.
   • The R77 and Check Point CPInfo packages are automatically activated during installation (disk-based appliances only).
   • Enable other packages, with the compatibility packages, as needed for your deployment.

   Important - When you install a package using Network Voyager, this message shows: Voyager environment has been updated with the latest package info. The telnet session environment will be updated by: logging out and logging in again the telnet session. This message can be misleading. Click Manage Packages to verify that the package is actually installed correctly. Refresh the page periodically until you see that the installation is complete.

5. Log out of Network Voyager and then log in again.

To upgrade Security Management Server with clish:

1. Access the CLI console, and log in.
2. Type newpkg, and press Enter.
3. Use the FTP menu option to transfer the R77 package. Choose the option:
   Upgrade from an old package.
4. Upgrade to the R77 package.

   Wait until a message informs you that the process is complete.

5. Type reboot and press Enter.

   The package is activated after the reboot.

To verify that R77 is active and is the current version:

1. Verify that R77 is active. Run newpkg –q
2. Verify that R77 is the current version. Run fw ver on a Security Gateway or fwm ver on a Security Management server.

Upgrading Security Gateways on Open Servers

Before you upgrade:

It is recommended to back up your configuration.

SecurePlatform to Gaia

You can upgrade Security Gateways on SecurePlatform to R77 Security Gateways on Gaia.

Important: SecurePlatform cannot be upgraded to Gaia if you have dynamic routing configured. For more, see: sk76840.

To upgrade an open server using the DVD:

1. Upgrade product licenses to R75 or higher, and attach the licenses to the computer.
2. Connect a DVD drive to the USB port on the computer.
3. Run: patch add cd
4. Select the Gaia upgrade package.
5. Confirm the MD5 checksum.
6. If relevant, when prompted, create a backup image for automatic revert.
7. After extracting files, the Installation program opens.
8. Accept the license agreement.
9. Select upgrade.
10. Configure your contract options.

    You can also continue without contract information and configure it later using SmartUpdate.

11. Select a source for the upgrade utilities.

    Wait for the pre-upgrade verifier to complete successfully.

12. Select Stop Check Point processes.
13. Select Upgrade installed products, or upgrade installed products and add new products, and confirm.
14. Wait while the required installation files are extracted.
    1. Part one of the upgrade procedure saves data and upgrades the operating system.
    2. Part two upgrades Check Point products.
15. After the upgrade completes successfully, remove the DVD from the drive.
16. Restart when prompted.
17. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
    1. Using SmartDashboard of the correct version, connect to the Security Management Server.
    2. Open the General Properties page of the Gateway object.
    3. Click Get to update the Platform details.
    4. Install the policy on the Gateway.

To upgrade a SecurePlatform Open Server using the Portal:

1. Open Internet Explorer and log in to the SecurePlatform Portal.
2. Select Device > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 file for upgrades via the Portal.
5. Click Browse and select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.Gaia.tgz
6. Click Upload package to device.

   The package is uploaded to the SecurePlatform computer.

   After the Upgrade Status shows that the Uploading is Completed you can start the upgrade.

7. Recommended: In the Safe Upgrade section, click Save snapshot of the current system before the upgrade. The snapshot is used to revert the system if the upgrade is not successful.
8. Click Start Upgrade.

   Follow the Upgrade Status. After the upgrade, the computer automatically reboots.

   Note - The connection to the SecurePlatform Portal closes after Gaia is installed.

9. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
   1. Using SmartDashboard of the correct version, connect to the Security Management Server.
   2. Open the General Properties page of the Gateway object.
   3. Click Get to update the Platform details.
   4. Install the policy on the Gateway.

SecurePlatform to SecurePlatform

Use this procedure to upgrade a SecurePlatform installation on the same computer. Upgrade the operating system and the installed products.

To upgrade a SecurePlatform Open Server using a DVD:

1. Insert R77 DVD into the drive.
2. At the command prompt, enter: patch add cd
3. Select SecurePlatform R77 Upgrade Package
   Check_Point_Install_and_Upgrade_R77.SecurePlatform_Open_Server.iso
4. Press y to accept the checksum calculation.
5. Optional: When prompted, create a backup image so that you can restore the old version.

   Note - Creating the snapshot image can take a long time. Check Point products are stopped during this time.

6. Press N at the welcome message.
7. Press Y to accept the license agreement.
8. In the next window, select Upgrade and then press N.
9. In the next window, press N to continue.
10. If prompted to download or import a valid support contract, select Continue without contract information. Press N to continue.
11. If a message shows that says your gateway is not eligible for upgrade, press N to continue.

    You can safely ignore this message and use SmartUpdate to update your service contract later.

12. In the next window, select Download most updated files.
13. In the Pre-Upgrade Verification Results window, press N to continue.

    If the Pre-Upgrade Verification fails, do the suggested steps to correct the problem. Start this procedure again from step 2.

14. When prompted, select Stop Check Point processes and press N to continue.
15. When prompted, select Upgrade installed products and press N to continue.
16. In the Validation window, press N.
17. When the upgrade completes successfully, restart the computer.

To upgrade a SecurePlatform Open Server using the Portal:

1. Open Internet Explorer and log in to the SecurePlatform Portal.
2. Select Device > Upgrade.
3. Click Check Point Download Center.

   The Internet browser opens to the Check Point Support Center.

4. Search for and download the R77 file for upgrades via the Portal.
5. Click Browse and select the upgrade file:
   Check_Point_upg_Portal_and_SmartUpdate_R77.SecurePlatform.tgz
6. Click Upload package to device.

   The package is uploaded to the SecurePlatform computer.

   After the Upgrade Status shows that the Uploading is Completed you can start the upgrade.

7. Recommended: In the Safe Upgrade section, click Save snapshot of the current system before the upgrade. The snapshot is used to revert the system if the upgrade is not successful.

   Your browser will automatically try to perform the first login immediately after the upgrade. To allow this, do not close the browser window or browse to another page.

8. Click Start Upgrade.

   Follow the Upgrade Status. After the upgrade, the computer automatically reboots.

9. Install the Policy on the Security Gateway. This is highly recommended. The Security Gateway enforces the Initial Policy until you install the Policy:
   1. Using SmartDashboard of the correct version, connect to the Security Management Server.
   2. Open the General Properties page of the Gateway object.
   3. Click Get to update the Platform details.
   4. Install the policy on the Gateway.

Windows

This section describes the upgrade process using the R77 Installation DVD.

To upgrade a gateway in a Windows platform:

1. Insert the R77 DVD.
2. If the upgrade does not start automatically, run Setup.exe from the DVD.
3. Click Next to start the installation wizard.

   Note: On QoS enabled gateways, you will be asked to manually run etmstop on the gateway command line. Running etmstop can result in this error message: The Check Point FloodGate-1 service could not be stopped. This is caused by a too-short Windows service check timeout, not etmstop failure. To resolve:

   1. Run etmstop again.
   2. Restart the upgrade procedure by running Setup.exe again (step 2).
4. Accept the license agreement and click Next.
5. Click Next to check your license information.
6. Select one of the license options and click Next.
7. To add Check Point products that were not installed previously, select Install additional Check Point products and click Next.
8. Select the new products to install.
9. A list of the products that will be upgraded or installed. Click Next to start the installation.
10. When the installation is finished, click Next to continue.
11. In Licenses and Contracts, select a licensing option and click Next.
12. In Secure Internal Communication, verify the SIC details and click Next.
13. In Clustering, select whether this Security Gateway is part of a cluster.
14. Click Finish to close the installation wizard.

When the upgrade process is complete:

1. Using SmartDashboard, log in to the R77 Security Management Server that controls the upgraded gateway.
2. Open the gateway object properties window that represents the upgraded gateway and change the version to R77.
3. Install the policy on the upgraded gateway.

If necessary, you can restore the previous configuration.

Upgrading a VSX Gateway

Important - Before you begin, make sure no other administrators are connected to the management server. In a Multi-Domain Security Management deployment, make sure administrators are not connected to Domain Servers. Upgrade and reconfigure operations skip locked Domain Servers. Run the procedure again when they become available. The vsx_util command cannot modify the management database if the database is locked.

To upgrade a VSX Gateway to R77:

1. Close SmartDashboard.
2. On the management server, log in to Expert mode.
3. Run: vsx_util upgrade

   When prompted, enter this information:

   1. Security Gateway or main Domain Server IP address
   2. Administrator name and password
   3. Cluster name (if the VSX Gateway is a cluster member)
   4. Version to upgrade to: R77
4. Wait for the Finished upgrading/database saved successfully message.

   If you use CPUSE to upgrade the VSX Gateway, skip the next step.

5. Run: vsx_util reconfigure

   When prompted, enter this information:

   1. Management server or main Domain Server IP address
   2. Administrator name and password
   3. SIC activation key for the upgraded member

   The security policy is installed and configured on the upgraded VSX Gateway, and this message shows:

   Reconfigure module operation completed successfully

6. Install the necessary licenses.
7. Reboot.

Upgrading Standalone Full High Availability

Full High Availability: The server and the gateway are in a standalone configuration and each has High Availability to a second standalone machine. If there is a failure, the server and the gateway failover to the secondary machine. In the standalone configuration the server and gateway can failover independently of each other. For example, if only the server has an issue, only that server fails over. There is no effect on the gateway in the standalone configuration.

To upgrade Full High Availability for cluster members in standalone configurations, there are different options:

• Upgrade one machine and synchronize the second machine with minimal downtime.
• Upgrade with a clean installation on one machine and synchronize the second machine with system downtime.

Upgrading with Minimal Downtime

You can do a Full High Availability upgrade with minimal downtime to the cluster members.

To upgrade Full High Availability with minimal downtime:

1. Make sure the primary cluster member is active and the secondary is standby: check the status of the members.
2. Start failover to the second cluster member.

   The secondary cluster member processes all the traffic.

3. Log in with SmartDashboard to the management server of the secondary cluster member.
4. Click Change to Active.
5. Configure the secondary cluster member to be the active management server.

   Note - We recommend that you export the database using the Upgrade tools.

6. Upgrade the primary cluster member to the appropriate version.
7. Log in with SmartDashboard to the management server of the primary cluster member.

   Make sure version of the SmartDashboard is the same as the server.

8. Upgrade the version of the object to the new version.
9. Install the policy on the cluster object.

   The primary cluster member processes all the traffic.

   Note - Make sure that the For Gateway Clusters install on all the members option is cleared. Selecting this option causes the installation to fail.

10. Upgrade the secondary cluster member to the appropriate version.
11. Synchronize for management High Availability.

Upgrading with a Clean Installation

You can do a Full High Availability upgrade with a clean installation on the secondary cluster member and synchronize the primary cluster member. This type of upgrade causes downtime to the cluster members.

To upgrade Full High Availability with a clean installation:

1. Make sure the primary cluster member is active and the secondary is standby: check the status of the members.
2. Start failover to the second cluster member.

   The secondary cluster member processes all the traffic.

3. Log in with SmartDashboard to the management server of the secondary cluster member.
4. Click Change to Active.
5. Configure the secondary cluster member to be the active management server.

   Note - We recommend that you export the database using the Upgrade tools.

6. Upgrade the primary cluster member to the appropriate version.
7. Log in with SmartDashboard to the management server of the primary cluster member.

   Make sure version of the SmartDashboard is the same as the server.

8. Upgrade the version of the object to the new version.
9. Install the policy on the cluster object.

   The primary cluster member processes all the traffic.

   Note - Make sure that the For Gateway Clusters install on all the members option is cleared. Selecting this option causes the installation to fail.

10. Install the secondary member.
11. From SmartDashboard, configure the cluster object.
    1. Change the secondary details (if necessary).
    2. Establish SIC.
12. Synchronize for management High Availability.

    The primary management database synchronizes to the secondary management database.

Upgrading Clusters

If the appliance to upgrade was not the primary member of a cluster before, export its database before you upgrade. If it was the primary member before, you do not have to do this.

To upgrade an appliance and add it to a cluster:

1. If the appliance was not the primary member of a cluster, export the Security Management Server database.
2. Upgrade the appliance.
3. If the appliance was not the primary member of a cluster, Import the database.
4. Using the Portal, on the Cluster page, configure the appliance to be the primary member of a new cluster.
5. Connect a second appliance to the network.
   • If the second appliance is based on an earlier version: get the relevant upgrade package from the Download Center, save it to a USB stick, and reinstall the appliance as a secondary cluster member.
   • If the second appliance is upgraded: run the first-time wizard and select Secondary Cluster Member.

Enabling IPv6 on Gaia

IPv6 is automatically enabled if you configure IPv6 addresses in the First Time Configuration Wizard.

If you did not do this, enable IPv6 in one of the following ways:

To enable IPv6 using Clish:

# set ipv6-state on

# save config

# reboot

To enable IPv6 using the Portal:

1. In the Portal navigation tree, select System Management > system Configuration.
2. For IPv6 Support, select On.
3. When prompted, select Yes to reboot.

Changing to an IPv6-Only Management IP Address

To remove the IPv4 management address from a Security Management Server with a dual-IP management addresses (IPv4 and IPv6):

1. Open SmartDashboard using the IPv6 address.
2. Edit the Security Management Server object.
3. In the General Properties page, delete the IPv4 address.
4. Go to the Topology page, Interface Properties window, and delete the IPv4 address.
5. Save.
6. Open the Gaia Portal by connecting to the IPv6 address https://<IPv6 address>.
7. Delete the management IPV4 address from these pages:
   • Network Interfaces
   • IPv4 Static routes

Deleting the IPV4 address from Management HA

You can remove the IPv4 address from one member in a management High Availability environment and keep the IPv6 and IPv4 addresses on the second member.

To remove the IPv4 address from a management HA member:

1. Open the Portal.
2. In the Network Management > Network Interfaces page, delete the IPV4 address.
3. Open SmartDashboard.
4. Reset SIC.
5. Install the database (Policy > Install Database).
6. Reboot.
7. Synchronize the databases of the Security Management Servers.