Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

Prerequisites:

• Make sure you use the latest version of this document (see the Important Information page for links).

• See the R80.40 Release Notes for:

  • Supported upgrade paths

  • Minimum hardware and operating system requirements

  • Supported Security Gateways

• Make sure to read all applicable known limitations in the R80.40 Known Limitations SK.

• When you use the Advanced Upgrade or the Migration and Upgrade method, before you import the management database on the R80.40 Servers, we strongly recommend to install the latest General Availability Take of the R80.40 Jumbo Hotfix Accumulator from R80.40 Jumbo Hotfix Accumulator.

  This makes sure the R80.40 Servers have the latest improvements for reported import issues.

  This recommendation does not apply to the CPUSE Upgrade method, because these improvements are already integrated in R80.40 CPUSE Upgrade Package.

• Licenses and Service Contracts:

  • Make sure you have valid licenses installed on all applicable Check Point computers - source and target.

  • Make sure you have a valid Service Contract that includes software upgrades and major releases registered to your Check Point User Center account.

    The contract file is stored on the Management Server and downloaded to Check Point Security Gateways during the upgrade process.

    For more information about Service Contracts, see sk33089.

• If SmartConsole connects to the Management Server (which you plan to upgrade) through an R7x Security Gateway or Cluster, then follow the steps below.

  Procedure

  1. Connect to the Management Server that manages the R7x Security Gateway or Cluster

  2. Add a new explicit Firewall rule:

     Source	Destination	VPN	Service	Action	Install On
     SmartConsole Host object	Management Server object	Any Traffic	TCP 19009	Accept	R7x Security Gateway or Cluster

  3. Install the modified Firewall Policy on the R7x Security Gateway or Cluster.

  4. If later you upgrade this R7x Security Gateway or Cluster to R80.10 or higher, delete this explicit rule.

• On your Security Management Servers, Multi-Domain Servers, Domain Management Servers, Multi-Domain Log Servers, Domain Log Servers, Log Servers, and SmartEvent Servers:

  Make a copy of all custom configurations in the applicable directories and files.

  • Collect the Log Exporter configuration - see sk127653.

  • Pay special attention to these scripts:

    • $CPDIR/tmp/.CPprofile.sh

    • $CPDIR/tmp/.CPprofile.csh

  The upgrade process replaces all existing files with default files. You must not copy the customized configuration files from the current version to the upgraded version, because these files can be unique for each version. You must make all the custom configurations again after the upgrade.

  List of the applicable directories

  • $FWDIR/lib/

  • $FWDIR/conf/

  • $CVPNDIR/conf/

  • /opt/CP*/lib/

  • /opt/CP*/conf/

  • $MDSDIR/conf/

  • $MDSDIR/customers/<Name_of_Domain>/CP*/lib/

  • $MDSDIR/customers/<Name_of_Domain>/CP*/conf/

• For your Management Servers in High Availability configuration, plan the upgrade.

  Action Plan for Security Management Servers in High Availability

  Important - To back up and restore a consistent Security Management environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.

  Upgrade to R80.40	Action Plan
  From R80, R80.10, R80.20, R80.20.M2, and higher versions	Upgrade the Primary Security Management Server. Make sure the Security Management Servers can communicate with each other and SIC works between these servers. For details, see sk179794. Upgrade the Secondary Security Management Servers.
  From R7X or R80.20.M1 versions	Upgrade the Primary Security Management Server. Perform a clean install of the Secondary Security Management Servers. Connect the Secondary Security Management Servers to the Primary Security Management Server.

  Action Plan for Multi-Domain Servers in High Availability

  Important - To back up and restore a consistent Multi-Domain Security Management environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.

  Upgrade to R80.40	Action Plan
  From R80.20, R80.20.M2, and higher versions	Make sure to run Pre-Upgrade Verifier on all source servers and to fix all detected issues before you start the upgrade. Make sure the Global Domain is Active on the Primary Multi-Domain Server. Upgrade the Primary Multi-Domain Server. Make sure the Multi-Domain Security Management Servers can communicate with each other and SIC works between these servers. For details, see sk179794. Upgrade the Secondary Multi-Domain Servers.
  From R80.20.M1 version	Make sure to run Pre-Upgrade Verifier on all source servers and to fix all detected issues before you start the upgrade. Make sure the Global Domain is Active on the Primary Multi-Domain Server. Upgrade the Primary Multi-Domain Server. Perform a clean install of the Secondary Multi-Domain Servers. Connect the Secondary Multi-Domain Servers to the Primary Multi-Domain Server.
  From R7X or R80.10 versions	If the Primary Multi-Domain Server is not available at this time, you must first promote the Secondary Multi-Domain Server to be the Primary.

• If your Security Management Server or Multi-Domain Server manages dedicated Log Servers or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Management Server.

  Important - You must upgrade your Management Servers before you can upgrade these dedicated servers.

  Note - SmartEvent Server can run the same version or higher than the Log Server.

• If your Multi-Domain Server manages Multi-Domain Log Servers, you must upgrade the Multi-Domain Log Servers to the same version as the Multi-Domain Server.

  Important - You must upgrade your Multi-Domain Servers before you can upgrade the Multi-Domain Log Servers.

• Before you upgrade a Multi-Domain Server, we recommend the steps below to optimize the upgrade process.

  Procedure

  Step	Instructions
  1	Delete all unused Threat Prevention Profiles on the Global Domain:
  	On R80.x Multi-Domain Server: Connect with SmartConsole to the Global Domain. From the left navigation panel, click Security Policies. Open every policy. In the top section, click Threat Prevention. In the bottom section Custom Policy Tools, click Profiles. Delete all unused Threat Prevention Profiles. Publish the SmartConsole session. Close SmartConsole.
  	On R77.x Multi-Domain Server: Connect with SmartDashboard to the Global Domain. Go to Threat Prevention tab. From the left tree, click Profiles. Delete all unused Threat Prevention Profiles. Save the changes (click File > Save). Close SmartDashboard.
  2	Disable the Staging Mode for IPS protections (see sk142432): Connect with SmartConsole to every Domain. From the left navigation panel, click Security Policies. Open every policy. In the top section, click Threat Prevention. In the bottom section Custom Policy Tools, click Profiles. Edit every profile. From the left tree, click IPS > Updates. Clear the box Set activation as staging mode (Detect). Click OK. Publish the SmartConsole session. Close SmartConsole.

• Before you start an upgrade or migration procedure on your Management Servers, you must close all GUI clients (SmartConsole applications) connected to your Check Point computers.

• Before you start an upgrade of your Security Gateway and Cluster Members, you must upgrade the Management Server.

• On Smart-1 appliances with Multi-Domain Server or Multi-Domain Log Server installed, if you configured an interface other than Mgmt as the Leading interface, the upgrade process or clean install process (with CPUSE) configures the interface Mgmt to be the Leading interface. To configure another interface as the Leading interface after the upgrade, see sk107336.