Upgrading Prerequisites
Note - You can use the Upgrade/Download Wizard to download the applicable installation and upgrade images.
Before Upgrading
Before you upgrade:
- Make sure that you have the latest version of this document.
- See the R80.10 Release Notes for:
- Supported upgrade paths
- Minimum hardware and operating system requirements
- Supported Security Gateways
- Licenses and Service Contracts:
- Make sure you have valid licenses installed on all applicable Check Point computers - source and target.
- Make sure you have a valid Service Contract that includes software upgrades and major releases registered to your Check Point User Center account.
The contract file is stored on the Management Server and downloaded to Check Point Security Gateways during the upgrade process.
For more information about Service Contracts, see sk33089.
- Make sure that the target server meets the minimum hardware and operating system requirements and is configured identically to the source server.
If the target server uses a different leading IP address than the source, change the target IP address and the external interface.
- If SmartConsole connects to the Management Server (you plan to upgrade) through an R7x Security Gateway or Cluster, then follow these steps:
- Connect to the Management Server that manages the R7x Security Gateway or Cluster
- Add a new explicit Firewall rule:
| Source | Destination | VPN | Service | Action | Install On |
|---|---|---|---|---|---|
| SmartConsole Host object | Management Server object | Any Traffic | TCP 19009 | Accept | R7x Security Gateway or Cluster |
- Install the modified Firewall policy on the R7x Security Gateway or Cluster.
- If later you upgrade this R7x Security Gateway or Cluster to R80.10 or higher, delete this explicit rule.
- Upgrade all Management Servers in your deployment, including those in High Availability configuration:
- Upgrade R80 and higher Secondary Security Management Servers.
- For Secondary Security Management Servers of R77.xx and lower, do a clean installation and re-establish the SIC trust. Management High Availability synchronization will start automatically.
- Upgrade Secondary Multi-Domain Security Management servers from R80, and R77.xx and lower.
- For upgrade of Management Servers in High Availability configuration:
If the Primary management server was upgraded from R80 (with or without the Jumbo Hotfix Accumulator) to R80.10, you must upgrade the Secondary management server in the same way.
Important - To back up and restore a consistent environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.
- Before you upgrade a Multi-Domain Server, we recommend the steps below to optimize the upgrade process:
Step 1: Delete all unused Threat Prevention Profiles on the Global Domain:
On R80.x Multi-Domain Server:
- Connect with SmartConsole to the Global Domain.
- From the left navigation panel, click .
- Open every policy.
- In the top section, click .
- In the bottom section , click .
- Delete all unused Threat Prevention Profiles.
- Publish the session.
- Close SmartConsole.
On R77.x Multi-Domain Server:
- Connect with SmartDashboard to the Global Domain.
- Go to tab.
- From the left tree, click .
- Delete all unused Threat Prevention Profiles.
- Save the changes (click ).
- Close SmartDashboard.
Step 2: Disable the Staging Mode for IPS protections (see sk142432):
- Connect with SmartConsole to every Domain.
- From the left navigation panel, click .
- Open every policy.
- In the top section, click .
- In the bottom section , click .
- Edit every profile.
- From the left tree, click .
- Clear the box .
- Click .
- Publish the session.
- Close SmartConsole.
- Before you start an upgrade or migration procedure on your Management Servers, you must close all GUI clients (SmartConsole applications) connected to your Check Point computers.
- Before you start an upgrade of your Security Gateway and Cluster Members, you must upgrade the Management Server.
- On Smart-1 appliances with Multi-Domain Server or Multi-Domain Log Server installed, if you configured an interface other than as the Leading interface, the upgrade process or clean install process (with CPUSE) configures the interface to be the Leading interface. To configure another interface as the Leading interface after the upgrade, see sk107336.
Warning: If you upgrade from R7x versions and have files in the $FWDIR/lib/ directory and/or the $FWDIR/conf/ directory that you changed manually, the changes will be lost. Make sure you save the customized INSPECT files on external storage and understand how to replicate the required changes.
- If you use the Mobile Access Software Blade and you edited the configurations, review the edits before you upgrade to R80.10.
- Open these files on the computer to upgrade and make note of custom changes:
- $CVPNDIR/conf/cvpnd.C (Gateway configuration)
- $CVPNDIR/conf/httpd.conf (Apache configuration)
- $CVPNDIR/conf/includes/* (Apache configuration)
- $CVPNDIR/var/ssl/ca-bundle/ (Local certificate authorities)
- $CVPNDIR/conf/SmsPhones.lst (DynamicID - SMS OTP - Local Phone List)
- /var/ace/sdconf.rec (RSA configuration)
- All PHP files
- All replaced image files (*.gif, *.jpg)
- Upgrade to R80.10.
- Update Mobile Access Endpoint Compliance:
- In SmartConsole, from the left Navigation Toolbar, click .
- In the section, click > .
- In SmartConsole, click tab > expand > click > click .
- Close SmartConsole.
- Manually edit the new versions of the files, to include your changes.
Do not overwrite the R80.10 files with your customized files!
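One way to carry out the "make note of custom changes" and "manually edit the new versions" steps for Mobile Access, as an added example that is not Check Point tooling: it saves the listed files with a SHA-256 manifest before the upgrade, then reports which upgraded files differ from the saved copies. The function names, the snapshot layout and the destination path are assumptions; the PHP and image files are not covered because the list gives no path for them.

```shell
#!/bin/bash
# Added example, not a Check Point tool: snapshot the Mobile Access files
# listed above before the upgrade, then list what needs a manual merge after it.

# Paths from the list above, relative to $CVPNDIR (directories are copied whole).
CVPN_ITEMS="conf/cvpnd.C conf/httpd.conf conf/includes var/ssl/ca-bundle conf/SmsPhones.lst"

# snapshot_custom_files CVPNDIR DEST [SDCONF]
# Copies each item that exists into DEST/files and writes DEST/manifest.sha256.
snapshot_custom_files() {
    local cvpndir="$1" dest="$2" sdconf="${3:-/var/ace/sdconf.rec}" item
    mkdir -p "$dest/files/cvpn" || return 1
    for item in $CVPN_ITEMS; do
        if [ ! -e "$cvpndir/$item" ]; then
            echo "skip (not present): $item" >&2
            continue
        fi
        mkdir -p "$dest/files/cvpn/$(dirname "$item")"
        # Copy into the parent directory so files and directories behave alike.
        cp -Rp "$cvpndir/$item" "$dest/files/cvpn/$(dirname "$item")/"
    done
    if [ -f "$sdconf" ]; then cp -p "$sdconf" "$dest/files/sdconf.rec"; fi
    # Hash every saved file so the snapshot itself can be verified later.
    (cd "$dest/files" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) \
        > "$dest/manifest.sha256"
}

# changed_after_upgrade CVPNDIR DEST
# Prints each saved file whose post-upgrade version differs or is missing.
# Review these and re-apply edits by hand; do not copy the old file back.
changed_after_upgrade() {
    local cvpndir="$1" dest="$2" rel
    (cd "$dest/files/cvpn" && find . -type f) | LC_ALL=C sort | while IFS= read -r rel; do
        rel="${rel#./}"
        cmp -s "$dest/files/cvpn/$rel" "$cvpndir/$rel" 2>/dev/null || echo "$rel"
    done
}

# Stand-alone use on the computer to upgrade (DEST is a hypothetical path):
#   ./ma_snapshot.sh "$CVPNDIR" /var/log/ma_snapshot
if [ "$#" -ge 2 ]; then snapshot_custom_files "$@"; fi
```

The snapshot holds the local phone list, CA bundle and RSA configuration, so keep the destination directory readable by the administrator account only and move it to external storage before the upgrade.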