Upgrading a VSX Gateway with CPUSE

Notes:

  • In a CPUSE upgrade scenario, you perform the upgrade procedure on the same VSX Gateway.

  • This upgrade method is supported only for VSX Gateways that already run Gaia Operating System.

Important - Before you upgrade a VSX Gateway:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

Important - Back up both the Management Server and the VSX Gateway. Follow sk100395.

2

See the Upgrade Options and Prerequisites.

3

Upgrade the Management Server and Log Servers.

4

Upgrade the licenses on the VSX Gateway, if needed.

See Working with Licenses.

4

Schedule a full maintenance window to make sure you can make all the custom configurations again after the upgrade.

The upgrade process replaces all existing files with default files.

If you have custom configurations on the VSX Gateway, they are lost during the upgrade.

As a result, different issues can occur in the upgraded VSX Gateway.

These upgrade scenarios are available:

  • Upgrading the VSX Gateway with CPUSE to R80.40

  • Clean Install of the R80.40 VSX Gateway

  1. Step

    Instructions

    1

    Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Gateway.

    2

    Log in to the Expert mode.

    3

    On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Gateway object:

    mdsenv <IP Address or Name of Main Domain Management Server>

    4

    Upgrade the configuration of the VSX Gateway object to R80.40:

    vsx_util upgrade

    This command is interactive.

     

    Enter these details to log in to the management database:

    • IP address of the Security Management Server or Main Domain Management Server that manages this VSX Gateway

    • Management Server administrator's username

    • Management Server administrator's password

     

    Select your VSX Gateway.

     

    Select R80.40.

     

    For auditing purposes, save the vsx_util log file:

    • On a Security Management Server:

      /opt/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

    • On a Multi-Domain Server:

      /opt/CPmds-R80.40/customers/<Name_of_Domain>/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

    5

    Connect with SmartConsole to the R80.40 Security Management Server or Main Domain Management Server that manages this VSX Gateway.

    6

    From the left navigation panel, click Gateways & Servers.

    7

    Open the VSX Gateway object.

    8

    From the left tree, click the General Properties page.

    9

    Make sure in the Platform section, the Version field shows R80.40.

    10

    Click Cancel (do not click OK).

    Note - If you click OK, the Management Server pushes the VSX configuration to the VSX Gateway. Because the VSX Gateway is not upgraded yet, this operation would fail.

  2. See Installing Software Packages on Gaia and follow the applicable action plan.

  3. Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Security Management Server or Main Domain Management Server that manages this VSX Gateway.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Install the default policy on the VSX Gateway object:

    1. Click Install Policy.

    2. In the Policy field, select the default policy for this VSX Gateway object.

      This policy is called:

      <Name of VSX Gateway object>_VSX

    3. Click Install.

    4

    Install the Threat Prevention Policy on the VSX Gateway object:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Threat Prevention Policy for this VSX Gateway object.

    3. Click Install.

  4. Step

    Instructions

    1

    Examine the VSX configuration:

    1. Connect to the command line on the VSX Gateway.

    2. Log in to the Expert mode.

    3. Run:

      vsx stat -v

    2

    Connect with SmartConsole to the R80.40 Security Management Server or each Target Domain Management Server that manages the Virtual Systems on this VSX Gateway.

    3

    From the left navigation panel, click Logs & Monitor > Logs.

    4

    Examine the logs from the Virtual Systems on this VSX Gateway to make sure they inspect the traffic as expected.

  1. Step

    Instructions

    1

    Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Gateway.

    2

    Log in to the Expert mode.

    3

    On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Gateway object:

    mdsenv <IP Address or Name of Main Domain Management Server>

    4

    Upgrade the configuration of the VSX Gateway object to R80.40:

    vsx_util upgrade

    This command is interactive.

     

    Enter these details to log in to the management database:

    • IP address of the Security Management Server or Main Domain Management Server that manages this VSX Gateway

    • Management Server administrator's username

    • Management Server administrator's password

     

    Select your VSX Gateway.

     

    Select R80.40.

     

    For auditing purposes, save the vsx_util log file:

    • On a Security Management Server:

      /opt/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

    • On a Multi-Domain Server:

      /opt/CPmds-R80.40/customers/<Name_of_Domain>/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

    5

    Connect with SmartConsole to the R80.40 Security Management Server or Main Domain Management Server that manages this VSX Gateway.

    6

    From the left navigation panel, click Gateways & Servers.

    7

    Open the VSX Gateway object.

    8

    From the left tree, click the General Properties page.

    9

    Make sure in the Platform section, the Version field shows R80.40.

    10

    Click Cancel (do not click OK).

    Note - If you click OK, the Management Server pushes the VSX configuration to the VSX Gateway. Because the VSX Gateway is not upgraded yet, this operation would fail.

  2. Important - You must reboot the VSX Gateway after the upgrade or clean install.

    Installation Method

    Instructions

    Clean Install of R80.40 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R80.40 package and perform Clean Install. See sk92449 for detailed steps.

    Clean Install of R80.40 from scratch

    Follow Installing a VSX Gateway - only the step "Install the VSX Gateway".

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Gateway (prior to the upgrade).

  3. Step

    Instructions

    1

    Configure the required settings on the VSX Gateway.

    For more information, see the R80.40 CLI Reference Guide - Chapter VSX Commands > Section vsx_util > Section vsx_util reconfigure.

    2

    Connect to the command line on the R80.40 Security Management Server or Multi-Domain Server that manages this VSX Gateway.

    3

    Log in to the Expert mode.

    4

    On Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Gateway:

    mdsenv <IP Address or Name of Main Domain Management Server>

    5

    Restore the VSX configuration:

    vsx_util reconfigure

    Follow the instructions on the screen.

    Important - Enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Gateway.

    6

    Configure the required settings on the VSX Gateway:

    • OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

    • Settings manually defined in various configuration files.

    • Applicable Check Point configuration files.

  4. Step

    Instructions

    1

    Examine the VSX configuration:

    1. Connect to the command line on the VSX Gateway.

    2. Log in to the Expert mode.

    3. Run:

      vsx stat -v

    2

    Connect with SmartConsole to the R80.40 Security Management Server or each Target Domain Management Server that manages the Virtual Systems on this VSX Gateway.

    3

    From the left navigation panel, click Logs & Monitor > Logs.

    4

    Examine the logs from the Virtual Systems on this VSX Gateway to make sure they inspect the traffic as expected.

For more information, see the: