Upgrading Endpoint Security Management Servers in Management High Availability from R80.20 and higher

Notes:

  • This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions.

  • For additional information related to this upgrade, see sk163814.

Important - Before you upgrade an Endpoint Security Management Server:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See the Upgrade Options and Prerequisites.

3

Only the latest published database revision is upgraded.

If there are pending changes, we recommend that you Publish the session.

4

You must close all GUI clients (SmartConsole applications) connected to the source Endpoint Security Management Server or Endpoint Policy Server.

5

Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required Upgrade Tools package.

6

Run the Pre-Upgrade Verifier on all source servers and fix all detected issues before you start the upgrade.

7

In Management High Availability, make sure the Primary Endpoint Security Management Server is upgraded and running before you start the upgrade on other servers.

Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.

Procedure:

Step

Instructions

1

Upgrade the Primary Endpoint Security Management Server with one of the supported methods.

2

Upgrade the Secondary Endpoint Security Management Server with one of the supported methods.

Important - Make sure the Endpoint Security Management Servers can communicate with each other and SIC works between these servers. For details, see sk179794.

3

Get the R81.10 SmartConsole.

See Installing SmartConsole.

4

Connect with SmartConsole to the R81.10 Primary Endpoint Security Management Server.

5

Update the object version of the Secondary Endpoint Security Management Server:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Secondary Endpoint Security Management Server object.

  3. From the left tree, click General Properties.

  4. In the Platform section > in the Version field, select R81.10.

  5. Click OK.

6

Make sure Secure Internal Communication (SIC) works correctly with the Secondary Security Management Server:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Secondary Security Management Server object.

  3. On the General Properties page, click Communication.

  4. Click Test SIC Status.

    The SIC Status must show Communicating.

  5. Click Close.

  6. Click OK.

7

Install the management database:

  1. In the top left corner, click Menu > Install database.

  2. Select all objects.

  3. Click Install.

  4. Click OK.

8

Install the Event Policy.

Important - This step applies only if the SmartEvent Correlation Unit Software Blade is enabled on the R81.10 Endpoint Security Management Server.

  1. In the SmartConsole, from the left navigation panel, click Logs & Monitor.

  2. At the top, click + to open a new tab.

  3. In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.

    The Legacy SmartEvent client opens.

  4. In the top left corner, click Menu > Actions > Install Event Policy.

  5. Confirm.

  6. Wait for these messages to appear:

    SmartEvent Policy Installer installation complete

    SmartEvent Policy Installer installation succeeded

  7. Click Close.

  8. Close the Legacy SmartEvent client.

9

Reconfigure the Log Exporter:

  1. Connect to the command line on the server.

  2. Log in to the Expert mode.

  3. Restore the Log Exporter configuration as described in sk127653.

  4. Reconfigure the Log Exporter:

    cp_log_export reconf

  5. Restart the Log Exporter:

    cp_log_export restart

For more information, see the R81.10 Logging and Monitoring Administration Guide > Chapter Log Exporter.

10

Synchronize the Endpoint Security Management Servers:

  1. In the top left corner, click Menu > Management High Availability.

  2. In the Peers section, click Actions > Sync Peer.

  3. The status must show Successfully synced for all peers.