Prerequisites for Upgrading and Migrating of Management Servers and Log Servers
Prerequisites:
- Make sure you use the latest version of this document (see the Important Information page for links).
- See the R80.20 Release Notes for:
- Supported upgrade paths
- Minimum hardware and operating system requirements
- Supported Security Gateways
- Make sure to read all applicable known limitations in the R80.20 Known Limitations SK.
- Licenses and Service Contracts:
- Make sure you have valid licenses installed on all applicable Check Point computers - source and target.
- Make sure you have a valid Service Contract that includes software upgrades and major releases registered to your Check Point User Center account.
The contract file is stored on the Management Server and downloaded to Check Point Security Gateways during the upgrade process.
For more information about Service Contracts, see sk33089.
- If SmartConsole connects to the Management Server (you plan to upgrade) through an R7x Security Gateway or Cluster, then follow these steps:
- Connect to the Management Server that manages the R7x Security Gateway or Cluster
- Add a new explicit Firewall rule:
Source
|
Destination
|
VPN
|
Service
|
Action
|
Install On
|
SmartConsole Host object
|
Management Server object
|
Any Traffic
|
TCP 19009
|
Accept
|
R7x Security Gateway or Cluster
|
- Install the modified Firewall policy on the R7x Security Gateway or Cluster.
- If later you upgrade this R7x Security Gateway or Cluster to R80.10 or higher, delete this explicit rule.
- On your Security Management Servers, Multi-Domain Servers, Domain Management Servers, Multi-Domain Log Servers, Domain Log Servers, Log Servers, and SmartEvent Servers:
Make a copy of all custom configurations in the applicable directories and files.
Pay special attention to these scripts:
$CPDIR/tmp/.CPprofile.sh
$CPDIR/tmp/.CPprofile.csh
The upgrade process replaces all existing files with default files. You must not copy the customized configuration files from the current version to the upgraded version, because these files can be unique for each version. You must make all the desired custom configurations again after the upgrade.
List of the applicable directories:
$FWDIR/lib/
$FWDIR/conf/
$CVPNDIR/conf/
/opt/CP*/lib/
/opt/CP*/conf/
$MDSDIR/conf/
$MDSDIR/customers/<
Name_of_Domain>/CP*/lib/
$MDSDIR/customers/<
Name_of_Domain>/CP*/conf/
- For your Management Servers in High Availability configuration, plan the upgrade:
Management Server
|
Supported Upgrades
|
Security Management Servers
|
From R80 or R80.10 to R80.20:
- Upgrade the Primary Security Management Server.
- Upgrade the Secondary Security Management Server.
From R7X or R80.20.M1 to R80.20:
- Upgrade the Primary Security Management Server.
- Perform a clean install of the Secondary Security Management Server.
- Connect the Secondary Security Management Server to the Primary Security Management Server.
|
Multi-Domain Servers
|
From R80.20.M1 to R80.20:
- If the Primary Multi-Domain Server is not available at this time, you must first promote the Secondary Multi-Domain Server to be the Primary.
- Upgrade the Primary Multi-Domain Server.
- Perform a clean install of the Secondary Multi-Domain Server.
- Synchronize the Multi-Domain Servers.
From R7X, R80, or R80.10 to R80.20:
- If the Primary Multi-Domain Server is not available at this time, you must first promote the Secondary Multi-Domain Server to be the Primary.
- Upgrade the Primary Multi-Domain Server.
- Upgrade the Secondary Multi-Domain Server.
Important - To back up and restore a consistent environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.
|
- If your Security Management Server or Multi-Domain Server manages dedicated Log Servers or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Management Server.
Important - You must upgrade your Management Servers before you can upgrade these dedicated servers.
Note - SmartEvent Server can run the same version or higher than the Log Server.
- If your Multi-Domain Server manages Multi-Domain Log Servers, you must upgrade the Multi-Domain Log Servers to the same version as the Multi-Domain Server.
Important - You must upgrade your Multi-Domain Servers before you can upgrade the Multi-Domain Log Servers.
- Before you upgrade a Multi-Domain Server, we recommend the steps below to optimize the upgrade process:
Step
|
Description
|
1
|
Delete all unused Threat Prevention Profiles on the Global Domain:
On R80.x Multi-Domain Server:
- Connect with SmartConsole to the Global Domain.
- From the left navigation panel, click .
- Open every policy.
- In the top section, click .
- In the bottom section , click .
- Delete all unused Threat Prevention Profiles.
- Publish the session.
- Close SmartConsole.
On R77.x Multi-Domain Server:
- Connect with SmartDashboard to the Global Domain.
- Go to tab.
- From the left tree, click .
- Delete all unused Threat Prevention Profiles.
- Save the changes (click ).
- Close SmartDashboard.
|
2
|
Disable the Staging Mode for IPS protections (see sk142432):
- Connect with SmartConsole to every Domain.
- From the left navigation panel, click .
- Open every policy.
- In the top section, click .
- In the bottom section , click .
- Edit every profile.
- From the left tree, click .
- Clear the box .
- Click .
- Publish the session.
- Close SmartConsole.
|
- Make sure you have valid licenses installed on all applicable Check Point computers - source and target.
- Make sure you have a valid Service Contract that includes software upgrades and major releases registered to your Check Point User Center account.
The contract file is stored on the Management Server and downloaded to Check Point Security Gateways during the upgrade process.
For more on Service Contracts, see sk33089.
- Before you start an upgrade or migration procedure on your Management Servers, you must close all GUI clients (SmartConsole applications) connected to your Check Point computers.
- Before you start an upgrade of your Security Gateway and Cluster Members, you must upgrade the Management Server.
- On Smart-1 appliances with Multi-Domain Server or Multi-Domain Log Server installed, if you configured an interface other than as the Leading interface, the upgrade process or clean install process (with CPUSE) configures the interface to be the Leading interface. To configure another interface as the Leading interface after the upgrade, see sk107336.
Required Disk Space:
- The size of the
/var/log/
partition on the target Management Server or Log Server must be at least 25% of the size of the /var/log/
partition on the source Management Server or Log Server. - For Advanced Upgrade or Migration procedure, the hard disk on the Management Server or Log Server must be at least 5 times the size of the exported database.
IPv4 or IPv6 Addresses:
If the source Security Management Server uses only IPv4 or only IPv6, the target Security Management Server must use the same IP address configuration. You can change this configuration later, after the upgrade or migration, if needed.