Print Download PDF Send Feedback

Previous

Next

Upgrading a Standalone from R80.10 and lower with Migration

In a migration and upgrade scenario, you perform the procedure on the source Standalone and the different target Standalone.

Important - Before you upgrade a Standalone:

Step

Description

1

Back up your current configuration.

2

See the Upgrade Options and Prerequisites.

3

In R80 and above, examine the SmartConsole sessions:

  1. Connect with the SmartConsole to the Standalone.
  2. From the left navigation panel, click Manage & Settings > Sessions > View Sessions.
  3. You must publish or discard all sessions, for which the Changes column shows a number greater than zero.

    Right-click on such session and select Publish or Discard.

 

4

You must close all GUI clients (SmartConsole applications) connected to the source Standalone.

Workflow:

  1. Get the R80.30 Management Server Migration Tool
  2. On the current Standalone, run the Pre-Upgrade Verifier and export the entire management database
  3. Install a new R80.30 Standalone
  4. On the R80.30 Standalone, import the databases
  5. Install the R80.30 SmartConsole
  6. Upgrade the dedicated Log Servers and dedicated SmartEvent Servers
  7. Install the management database
  8. Install the Event Policy
  9. Install the Security Policy
  10. Test the functionality
  11. Disconnect the old Standalone from the network
  12. Connect the new Standalone to the network

Step 1 of 12: Get the R80.30 Management Server Migration Tool

Step

Description

1

Download the R80.30 Management Server Migration Tool from the R80.30 Home Page SK.

2

Transfer the R80.30 Management Server Migration Tool package to the current Standalone to some directory (for example, /var/log/path_to_migration_tool/).

Note - Make sure to transfer the file in the binary mode.

Step 2 of 12: On the current Standalone, run the Pre-Upgrade Verifier and export the entire management database

Step

Description

1

Connect to the command line on the current Standalone.

2

Log in to the Expert mode.

3

Go to the directory, where you put the R80.30 Management Server Migration Tool package:

[Expert@SA:0]# cd /var/log/path_to_migration_tool/

4

Extract the R80.30 Management Server Migration Tool package:

[Expert@SA:0]# tar zxvf <Name of Management Server Migration Tool Package>.tgz

5

Important - This step applies only when you upgrade from R77.30 (or lower).

Run the Pre-Upgrade Verifier (PUV).

  1. Run this command and use the applicable syntax based on the instructions on the screen:

    [Expert@SA:0]# ./pre_upgrade_verifier -h

  2. Read the Pre-Upgrade Verifier output.

    If you need to fix errors:

    i) Follow the instructions in the report.

    ii) In a Management High Availability environment, if you made changes, synchronize the Management Servers immediately after these changes.

    iii) Run the Pre-Upgrade Verifier again.

6

Export the management database:

  • If Endpoint Policy Management blade is disabled on this Standalone:

    [Expert@SA:0]# yes | nohup ./migrate export [-l | -x] [-n] /<Full Path>/<Name of Exported File> &

  • If Endpoint Policy Management blade is enabled on this Standalone:

    [Expert@SA:0]# yes | nohup ./migrate export [-l | -x] [-n] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File> &

Notes:

7

This step applies only to R7x and R80 versions.

If SmartEvent Software Blade is enabled, then export the Events database.

See sk110173.

8

Calculate the MD5 for the exported database files:

[Expert@SA:0]# md5sum /<Full Path>/<Name of Database File>.tgz

9

Transfer the exported databases from the current Standalone to an external storage:

/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

Step 3 of 12: Install a new R80.30 Standalone

Step

Description

1

See the R80.30 Release Notes for requirements.

2

Perform a clean install of the R80.30 Standalone on another computer.

Important:

The IP address of the source and target Standalone must be the same. If you need to have a different IP address on the R80.30 Standalone, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address.

Step 4 of 12: On the R80.30 Standalone, import the databases

Step

Description

1

Connect to the command line on the R80.30 Standalone.

2

Log in to the Expert mode.

3

Make sure a valid license is installed:

cplic print

If it is not already installed, then install a valid license now.

4

Transfer the exported databases from an external storage to the R80.30 Standalone, to some directory.

Note - Make sure to transfer the files in the binary mode.

5

Make sure the transferred files are not corrupted. Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the original Standalone:

[Expert@SA:0]# md5sum /<Full Path>/<Name of Database File>.tgz

6

Go to the $FWDIR/bin/upgrade_tools/ directory:

[Expert@SA:0]# cd $FWDIR/bin/upgrade_tools/

7

Import the management database:

  • If Endpoint Policy Management blade is disabled on this Standalone:

    [Expert@SA:0]# yes | nohup ./migrate import [-l | -x] [-n] /<Full Path>/<Name of Exported File>.tgz &

  • If Endpoint Policy Management blade is enabled on this Standalone:

    [Expert@SA:0]# yes | nohup ./migrate import [-l | -x] [-n] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz &

Notes:

 

If you upgrade from R80 (or higher) version, and the IP addresses of the source and target Standalone are different:

  1. Issue licenses for the new IP address in your Check Point User Center account.
  2. Install the new licenses on the R80.30 Standalone.

If you upgrade from R77.30 (or lower) version to R80.30, then the IP addresses of the source and target Standalone must be the same.

  • If you need to have a different IP address on the R80.30 Standalone, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address.

8

This step applies only if you upgraded from R7x and R80 versions.

If SmartEvent Software Blade is enabled, then import the Events database.

See sk110173.

9

Restart the Check Point services:

[Expert@SA:0]# cpstop

[Expert@SA:0]# cpstart

Step 5 of 12: Install the R80.30 SmartConsole

See Installing SmartConsole.

Step 6 of 12: Upgrade the dedicated Log Servers and dedicated SmartEvent Servers

If your Security Management Server manages dedicated Log Servers or SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Security Management Server:

Step 7 of 12: Install the management database

Step

Description

1

Connect with SmartConsole to the R80.30 Standalone.

2

In the top left corner, click Menu > Install database.

3

Select all objects.

4

Click Install.

5

Click OK.

Step 8 of 12: Install the Event Policy

This step applies only if the SmartEvent Correlation Unit Software Blade is enabled on the R80.30 Standalone.

Step

Description

1

Connect with SmartConsole to the R80.30 Standalone.

2

In the SmartConsole, from the left navigation panel, click Logs & Monitor.

3

At the top, click + to open a new tab.

4

In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.

The Legacy SmartEvent client opens.

5

In the top left corner, click Menu > Actions > Install Event Policy.

6

Confirm.

7

Wait for these messages to appear:

SmartEvent Policy Installer installation complete

SmartEvent Policy Installer installation succeeded

8

Click Close.

9

Close the Legacy SmartEvent client.

Step 9 of 12: Install the Security Policy

Step

Description

1

Connect with SmartConsole to the R80.30 Standalone.

2

Click Install Policy.

3

Install the Access Control Policy on the Standalone object.

Step 10 of 12: Test the functionality

Step

Description

1

Connect with SmartConsole to the R80.30 Standalone.

2

Make sure the management database and configuration were upgraded correctly.

Step 11 of 12: Disconnect the old Standalone from the network

Step 12 of 12: Connect the new Standalone to the network