Upgrading a Security Management Server from R80.20, R80.10, and lower with Advanced Upgrade

In an advanced upgrade scenario, you perform the upgrade procedure on the same Security Management Server.

Notes:

To upgrade from R80.20.M1 or R80.20.M2, see Upgrading a Management Server or Log Server from R80.20.M1 or R80.20.M2 with Advanced Upgrade.
These instructions equally apply to:
- Security Management Server
- Endpoint Security Management Server
- vSEC Controller R80.10 or below

Important - Before you upgrade a Security Management Server:

Step	Description
1	Back up your current configuration.
2	See the Upgrade Options and Prerequisites.
3	In R80 and above, examine the SmartConsole sessions: Connect with the SmartConsole to the Security Management Server. From the left navigation panel, click Manage & Settings > Sessions > View Sessions. You must publish or discard all sessions, for which the Changes column shows a number greater than zero. Right-click on such session and select Publish or Discard.
4	You must close all GUI clients (SmartConsole applications) connected to the source Security Management Server.

Workflow:

Get the R80.30 Management Server Migration Tool
On the current Security Management Server, run the Pre-Upgrade Verifier and export the entire management database
Get the R80.30 Security Management Server
On the R80.30 Security Management Server, import the databases
Install the R80.30 SmartConsole
Install the licenses and change the IP address of the R80.30 Security Management Server
Upgrade the dedicated Log Servers and dedicated SmartEvent Servers
Install the management database
Install the Event Policy
Test the functionality

Step 1 of 10: Get the R80.30 Management Server Migration Tool

Step	Description
1	Download the R80.30 Management Server Migration Tool from the R80.30 Home Page SK.
2	Transfer the R80.30 Management Server Migration Tool package to the current Security Management Server to some directory (for example, `/var/log/path_to_migration_tool/`). Note - Make sure to transfer the file in the binary mode.

Step

Description

Download the R80.30 Management Server Migration Tool from the R80.30 Home Page SK.

Transfer the R80.30 Management Server Migration Tool package to the current Security Management Server to some directory (for example, /var/log/path_to_migration_tool/).

Note - Make sure to transfer the file in the binary mode.

Step 2 of 10: On the current Security Management Server, run the Pre-Upgrade Verifier and export the entire management database

Step	Description
1	Connect to the command line on the current Security Management Server.
2	Log in to the Expert mode.
3	Go to the directory, where you put the R80.30 Management Server Migration Tool package: `[Expert@MGMT:0]# cd /var/log/path_to_migration_tool/`
4	Extract the R80.30 Management Server Migration Tool package: `[Expert@MGMT:0]# tar zxvf <`Name of Management Server Migration Tool Package`>.tgz`
5	Important - This step applies only when you upgrade from R77.30 (or lower). Run the Pre-Upgrade Verifier (PUV). Run this command and use the applicable syntax based on the instructions on the screen: `[Expert@MGMT:0]# ./pre_upgrade_verifier -h` Read the Pre-Upgrade Verifier output. If you need to fix errors: i) Follow the instructions in the report. ii) In a Management High Availability environment, if you made changes, synchronize the Management Servers immediately after these changes. iii) Run the Pre-Upgrade Verifier again.
6	Export the management database: If Endpoint Policy Management blade is disabled on this Security Management Server: `[Expert@MGMT:0]# yes \| nohup ./migrate export [-l \| -x] [-n] /<`Full Path`>/<`Name of Exported File`>` & If Endpoint Policy Management blade is enabled on this Security Management Server: `[Expert@MGMT:0]# yes \| nohup ./migrate export [-l \| -x] [-n] [--include-uepm-msi-files] /<`Full Path`>/<`Name of Exported File`>` & Notes: `yes \| nohup ... &` - are mandatory parts of the syntax. See the R80.30 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate. See sk133312.
7	This step applies only to R7x and R80 versions. If SmartEvent Software Blade is enabled, then export the Events database. See sk110173.
8	Calculate the MD5 for the exported database files: `[Expert@MGMT:0]# md5sum /<`Full Path`>/<`Name of Database File`>.tgz`
9	Transfer the exported databases from the current Security Management Server to an external storage: `/<`Full Path`>/<`Name of Database File`>.tgz` Note - Make sure to transfer the file in the binary mode.

Step 3 of 10: Get the R80.30 Security Management Server

Do not perform initial configuration in SmartConsole.

Current OS	Available options
Gaia	You can: Upgrade to R80.30 with the CPUSE. Perform a clean install of the R80.30 Security Management Server.
Operating System other than Gaia	You must perform a clean install of the R80.30 Security Management Server.

Current OS

Available options

Gaia

You can:

Operating System
other than Gaia

You must perform a clean install of the R80.30 Security Management Server.

Important:

If you upgrade from R80 (or higher) version to R80.30, then these options are available:
- The IP addresses of the source and target Security Management Servers can be the same.
  If in the future you need to have a different IP address on the R80.30 Security Management Server, you can change it. For applicable procedures, see sk40993 and sk65451.
  
  Note that you have to issue licenses for the new IP address.
- The IP addresses of the source and target Security Management Servers can be different.
  Note that you have to issue licenses for the new IP address.
  
  You must install the new licenses only after you import the databases.
If you upgrade from R77.30 (or lower) version to R80.30, then the IP addresses of the source and target Security Management Servers must be the same.
If you need to have a different IP address on the R80.30 Security Management Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address.

Step 4 of 10: On the R80.30 Security Management Server, import the databases

Step	Description
1	Connect to the command line on the R80.30 Security Management Server.
2	Log in to the Expert mode.
3	Make sure a valid license is installed: `cplic print` If it is not already installed, then install a valid license now.
4	Transfer the exported databases from an external storage to the R80.30 Security Management Server, to some directory. Note - Make sure to transfer the files in the binary mode.
5	Make sure the transferred files are not corrupted. Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the original Security Management Server: `[Expert@MGMT:0]# md5sum /<`Full Path`>/<`Name of Database File`>.tgz`
6	Go to the `$FWDIR/bin/upgrade_tools/` directory: `[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/`
7	Import the management database: If Endpoint Policy Management blade is disabled on this Security Management Server: `[Expert@MGMT:0]# yes \| nohup ./migrate import [-l \| -x] [-n] /<`Full Path`>/<`Name of Exported File`>.tgz` & If Endpoint Policy Management blade is enabled on this Security Management Server: `[Expert@MGMT:0]# yes \| nohup ./migrate import [-l \| -x] [-n] [--include-uepm-msi-files] /<`Full Path`>/<`Name of Exported File`>.tgz` & Notes: `yes \| nohup ... &` - are mandatory parts of the syntax. See the R80.30 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate. See sk133312.
	If you upgrade from R80 (or higher) version, and the IP addresses of the source and target Security Management Servers are different: Issue licenses for the new IP address in your Check Point User Center account. Install the new licenses on the R80.30 Security Management Server. If you upgrade from R77.30 (or lower) version to R80.30, then the IP addresses of the source and target Security Management Servers must be the same. If you need to have a different IP address on the R80.30 Security Management Server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address.
8	This step applies only if you upgraded from R7x and R80 versions. If SmartEvent Software Blade is enabled, then import the Events database. See sk110173.
9	Restart the Check Point services: `[Expert@MGMT:0]# cpstop` `[Expert@MGMT:0]# cpstart`

Step 5 of 10: Install the R80.30 SmartConsole

See Installing SmartConsole.

Step 6 of 10: Install the licenses and change the IP address of the R80.30 Security Management Server

Scenario	Instructions
You upgraded from R80 (or higher) version to R80.30, and the IP addresses of the source and target Security Management Servers are different	Follow these steps: Issue licenses for the new IP address in your Check Point User Center account. Install the new licenses on the R80.30 Security Management Server.
You upgraded from R77.30 (or lower) version to R80.30 and need to have a different IP address on the R80.30 Security Management Server	Follow these steps (based on sk40993): Issue licenses for the new IP address in your Check Point User Center account. Perform the required changes in the SmartConsole: Connect with SmartConsole to the Security Management Server. From the left navigation panel, click Gateways & Servers. Open the Security Management Server object. On the General Properties page, change the current IP address to the new IP address. On the Network Management page, edit the applicable interface and change the current IP address to the new IP address. Click OK. Publish the session. Close the SmartConsole. Stop the Check Point services: Connect to the command line. Log in to either Gaia Clish, or Expert mode. Run: `cpstop` Perform the required changes in Gaia OS: Connect to either Gaia Portal, or Gaia Clish. Edit the applicable interface and change the current IP address to the new IP address. You can perform this change in either Gaia Portal, or Gaia Clish. For details, see R80.30 Gaia Administration Guide. Note: If this Security Management Server has only one interface, then your HTTPS and SSH connection to this Security Management Server is interrupted when you change its IP address. You need to connect again. To avoid this interruption, connect to the Security Management Server over the serial console. Install the new licenses on the R80.30 Security Management Server. You can do this either in the CLI with the `cplic put` command, or in the Gaia Portal. Start the Check Point services: Connect to the command line. Log in to either Gaia Clish, or Expert mode. Run: `cpstart`

Scenario

Instructions

You upgraded from R80 (or higher) version to R80.30, and the IP addresses of the source and target Security Management Servers are different

Follow these steps:

Issue licenses for the new IP address in your Check Point User Center account.
Install the new licenses on the R80.30 Security Management Server.

You upgraded from R77.30 (or lower) version to R80.30 and need to have a different IP address on the R80.30 Security Management Server

Follow these steps (based on sk40993):

Issue licenses for the new IP address in your Check Point User Center account.
Perform the required changes in the SmartConsole:
1. Connect with SmartConsole to the Security Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Management Server object.
4. On the General Properties page, change the current IP address to the new IP address.
5. On the Network Management page, edit the applicable interface and change the current IP address to the new IP address.
6. Click OK.
7. Publish the session.
8. Close the SmartConsole.
Stop the Check Point services:
1. Connect to the command line.
2. Log in to either Gaia Clish, or Expert mode.
3. Run: cpstop
Perform the required changes in Gaia OS:
1. Connect to either Gaia Portal, or Gaia Clish.
2. Edit the applicable interface and change the current IP address to the new IP address.
You can perform this change in either Gaia Portal, or Gaia Clish.

For details, see R80.30 Gaia Administration Guide.

Note: If this Security Management Server has only one interface, then your HTTPS and SSH connection to this Security Management Server is interrupted when you change its IP address. You need to connect again. To avoid this interruption, connect to the Security Management Server over the serial console.
Install the new licenses on the R80.30 Security Management Server.
You can do this either in the CLI with the cplic put command, or in the Gaia Portal.
Start the Check Point services:
1. Connect to the command line.
2. Log in to either Gaia Clish, or Expert mode.
3. Run: cpstart

Note - Make sure that there is connectivity between the Security Management Server and the managed Security Gateways in your network.

Step 7 of 10: Upgrade the dedicated Log Servers and dedicated SmartEvent Servers

If your Security Management Server manages dedicated Log Servers or SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Security Management Server:

Step 8 of 10: Install the management database

Step	Description
1	Connect with SmartConsole to the R80.30 Security Management Server.
2	In the top left corner, click Menu > Install database.
3	Select all objects.
4	Click Install.
5	Click OK.

Step 9 of 10: Install the Event Policy

This step applies only if the SmartEvent Correlation Unit Software Blade is enabled on the R80.30 Security Management Server.

Step	Description
1	Connect with the SmartConsole to the R80.30 Security Management Server.
2	In the SmartConsole, from the left navigation panel, click Logs & Monitor.
3	At the top, click + to open a new tab.
4	In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy. The Legacy SmartEvent client opens.
5	In the top left corner, click Menu > Actions > Install Event Policy.
6	Confirm.
7	Wait for these messages to appear: `SmartEvent Policy Installer installation complete` `SmartEvent Policy Installer installation succeeded`
8	Click Close.
9	Close the Legacy SmartEvent client.

Step 9 of 10: Test the functionality

Step	Description
1	Connect with SmartConsole to the R80.30 Security Management Server.
2	Make sure the management database and configuration were upgraded correctly.