Upgrading a Security Management Server or Log Server from R80.20 and higher with Advanced Upgrade
In an advanced upgrade scenario, you perform the upgrade procedure on the same Check Point server.
|
Notes:
|
|
Important - Before you upgrade a Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. or Log Server:
|
Procedure:
-
Get the required Upgrade Tools on the source server
Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.
Step
Instructions
1
Download the R81.10 Upgrade Tools from the sk135172..
Note - This is a CPUSE Offline package.
2
Install the R81.10 Upgrade Tools with CPUSE.
See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
3
Make sure the package is installed.
Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1
The output must show the same build number you see in the name of the downloaded TGZ package.
ExampleName of the downloaded package:
ngm_upgrade_wrapper_993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1
993000222
[Expert@HostName:0]#
Note - The command "
migrate_server
" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet.This is to make sure you always have the latest version of these Upgrade Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.
-
On the current Security Management Server, run the Pre-Upgrade Verifier and export the entire management database
Step
Instructions
1
Connect to the command line on the source Security Management Server.
2
Log in to the Expert mode.
3
Go to the
$FWDIR/scripts/
directory:cd $FWDIR/scripts
4
Run the Pre-Upgrade Verifier.
-
If this Security Management Server is connected to the Internet, run:
./migrate_server verify -v R81.10
-
If this Security Management Server is not connected to the Internet, run:
./migrate_server verify -v R81.10 -skip_upgrade_tools_check
For details, see the R81.10 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate_server.
5
Read the Pre-Upgrade Verifier output.
If it is necessary to fix errors:
-
Follow the instructions in the report.
-
Run the Pre-Upgrade Verifier again.
6
Export the management database:
-
If this Security Management Server is connected to the Internet, run:
./migrate_server export -v R81.10 [-l | -x] /<Full Path>/<Name of Exported File>
-
If this Security Management Server is not connected to the Internet, run:
./migrate_server export -v R81.10 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>
For details, see the R81.10 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate_server.
7
Calculate the MD5 for the exported database files:
md5sum /<Full Path>/<Name of Database File>.tgz
8
Transfer the exported databases from the source Security Management Server to an external storage:
/<Full Path>/<Name of Database File>.tgz
Note - Make sure to transfer the file in the binary mode.
-
-
Install a new R81.10 Security Management Server
Step
Instructions
1
See the R81.10 Release Notes for requirements.
2
Perform the clean install in one of these ways (do not perform initial configuration in SmartConsole):
-
Follow Installing Software Packages on Gaia - select the R81.10 package and perform Clean Install. See sk92449 for detailed steps.
Important - These options are available:
-
The IP addresses of the source and target Security Management Servers can be the same.
If in the future it is necessary to have a different IP address on the R81.10 Security Management Server, you can change it.
For applicable procedures, see sk40993 and sk65451.
Note that you have to issue licenses for the new IP address.
-
The IP addresses of the source and target Security Management Servers can be different.
you must create a special JSON configuration file
mdss.json
that contains each server that migrates to a new IP address.Note that you have to issue licenses for the new IP address.
You must install the new licenses only after you import the databases.
-
-
Get the required Upgrade Tools on the R81.10 server
Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.
Step
Instructions
1
Download the R81.10 Upgrade Tools from the sk135172..
Note - This is a CPUSE Offline package.
2
Install the R81.10 Upgrade Tools with CPUSE.
See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
3
Make sure the package is installed.
Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1
The output must show the same build number you see in the name of the downloaded TGZ package.
ExampleName of the downloaded package:
ngm_upgrade_wrapper_993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.10 BuildNumber 1
993000222
[Expert@HostName:0]#
Note - The command "
migrate_server
" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet.This is to make sure you always have the latest version of these Upgrade Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.
-
On the target R81.10 Security Management Server, import the databasesRequired JSON configuration file
If you installed the target R81.10 Security Management Server with a different IP address than the source Security Management Server, you must create a special JSON configuration file before you import the management database from the source Security Management Server. Note that you have to issue licenses for the new IP address.
Important:
-
If none of the servers in the same Security Management environment changed their original IP addresses, then you do not need to create the special JSON configuration file.
-
Even if only one of the servers migrates to a new IP address, all the other servers (including all Log Servers and SmartEvent Servers) must get this configuration file for the import process.
You must use the same JSON configuration file on all servers (including Log Servers and SmartEvent Servers) in the same Security Management environment.
To create the required JSON configuration file:
Step
Instructions
1
Connect to the command line on the target R81.10Security Management Server.
2
Log in to the Expert mode.
3
Create the
/var/log/mdss.json
file that contains each server that migrates to a new IP address.Format for migrating a single Security Management Server to a new IP address:
[{"name":"<Name of Security Management Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R81.10 Security Management Server>"}]
ExampleThere are 2 servers in the R80.30 Security Management environment - the Security Management Server and the Log Server. The Security Management Server migrates to a new IP address. The Log Server remains with the original IP address.
-
The current IPv4 address of the source R80.30 Security Management Server is:
192.168.10.21
-
The name of the source R80.30 Security Management Server object in SmartConsole is:
MySecMgmtServer
-
The new IPv4 address of the target R81.10 Security Management Server is:
172.30.40.51
-
The required syntax for the JSON configuration file you must use on the Security Management Server and on the Log Server:
[{"name":"MySecMgmtServer","newIpAddress4":"172.30.40.51"}]
Important - All servers in this environment must get the same configuration file.
Importing the databasesImportant - Make sure you followed the instructions in the above section "Required JSON configuration file".
Step
Instructions
1
Connect to the command line on the R81.10 Security Management Server.
2
Log in to the Expert mode.
3
Make sure a valid license is installed:
cplic print
If it is not already installed, then install a valid license now.
4
Transfer the exported databases from an external storage to the R81.10 Security Management Server, to some directory.
Note - Make sure to transfer the files in the binary mode.
5
Make sure the transferred files are not corrupted.
Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the original Security Management Server:
md5sum /<Full Path>/<Name of Database File>.tgz
6
Go to the
$FWDIR/scripts/
directory:cd $FWDIR/scripts/
7
Import the management database:
-
If this Security Management Serveris connected to the Internet, run:
./migrate_server import -v R81.10 [-l | -x] /<Full Path>/<Name of Exported File>.tgz
-
If this Security Management Server is not connected to the Internet, run:
./migrate_server import -v R81.10 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz
Important - The "
migrate_server import
" command automatically restarts Check Point services (runs the "cpstop
" and "cpstart
" commands).For details, see the R81.10 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate_server.
-
-
Install the new licenses
Important - This step applies only if the target R81.10 Security Management Server has a different IP address than the source Security Management Server.
Step
Instructions
1
Issue licenses for the new IP address in your Check Point User Center account.
2
Install the new licenses on the R81.10 Security Management Server.
You can do this either in the CLI with the "
cplic put
" command, or in the Gaia Portal Web interface for the Check Point Gaia operating system..3
Wait for a couple of minutes for the Security Management Server to detect the new licenses.
Alternatively, restart Check Point services:
cpstop
cpstart
-
Upgrade the dedicated Log Servers and dedicated SmartEvent Servers
This step is part of the upgrade procedure of a Management Server. If you upgrade a dedicated Log Servers or SmartEvent Servers, then skip this step.
Important - If this Security Management Server manages dedicated Log Servers or SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Security Management Server.
Follow the applicable procedure in Upgrading a Security Management Server or Log Server from R80.20 and higher.
-
Update the object version of the dedicated Log Servers and SmartEvent Servers
Important - If your Security Management Server manages dedicated Log Servers or SmartEvent Servers, you must update the version of the corresponding objects in SmartConsole.
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server that manages the dedicated Log Server or SmartEvent Server.
2
From the left navigation panel, click Gateways & Servers.
3
Open the object of the dedicated Log Server or SmartEvent Server.
4
From the left tree, click General Properties.
5
In the Platform section > in the Version field, select R81.10.
6
Click OK.
-
Install the management database
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server.
2
In the top left corner, click . > Install database
3
Select all objects.
4
Click Install.
5
Click OK.
-
Install the Event Policy
Important - This step applies only if the SmartEvent Correlation Unit Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is enabled on the R81.10 Security Management Server.
Step
Instructions
1
Connect with the SmartConsole to the R81.10 Security Management Server.
2
In the SmartConsole, from the left navigation panel, click Logs & Monitor.
3
At the top, click + to open a new tab.
4
In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.
The Legacy SmartEvent client opens.
5
In the top left corner, click . > Actions > Install Event Policy
6
Confirm.
7
Wait for these messages to appear:
SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded
8
Click Close.
9
Close the Legacy SmartEvent client.
-
Reconfigure the Log Exporter
Step
Instructions
1
Connect to the command line on the server.
2
Log in to the Expert mode.
3
Restore the Log Exporter configuration as described in sk127653.
4
Reconfigure the Log Exporter:
cp_log_export reconf
5
Restart the Log Exporter:
cp_log_export restart
For more information, see the R81.10 Logging and Monitoring Administration Guide > Chapter Log Exporter.
-
In SmartConsole, install policy on all SmartLSM Security Profiles
Important - This step applies only if you enabled the SmartProvisioning Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM. Software Blade on this Management Server.
Step
Instructions
1
Install the Access Control Policy:
-
Click Install Policy.
-
In the Policy field, select the applicable Access Control Policy.
-
Select the applicable SmartLSM Security Profile objects.
-
Click Install.
-
The Access Control Policy must install successfully.
2
Install the Threat Prevention Policy:
-
Click Install Policy.
-
In the Policy field, select the applicable Threat Prevention Policy.
-
Select the applicable SmartLSM Security Profile objects.
-
Click Install.
-
The Threat Prevention Policy must install successfully.
For more information, see the R81.10 SmartProvisioning Administration Guide.
-
-
Test the functionality on the R81.10 Security Management Server
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server.
2
Make sure the management database and configuration were upgraded correctly.