Upgrading a VSX Gateway with CPUSE

Best Practice - Use the Central Deployment in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. For more information, see the R81.20 Security Management Administration Guide > Chapter Managing Gateways > Section Central Deployment of Hotfixes and Version Upgrades.

Warning - This is the behavior when you upgrade a VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. from R80.40 / R81 / R81.10, on which CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Dynamic Balancing was not disabled explicitly, to R81.20 and then install the R81.20 Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. (see sk164155 > Known Limitation PMTR-114499):

CoreXL Dynamic Balancing will be enabled by default.
Any previously configured manual affinity settings for interfaces / daemons will be overridden.

As a workaround, follow this upgrade action plan to make sure CoreXL Dynamic Balancing stays disabled by default, and manual affinity settings are not overridden (if they exist):

Upgrade the VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateway to R81.20 and reboot.
Connect to the command line on the VSX Gateway.
Log in to the Expert mode.

Back up the $FWDIR/conf/dynamic_split.conf file:

cp -v $FWDIR/conf/dynamic_split.conf{,_BKP}

Edit the $FWDIR/conf/dynamic_split.conf file:

vi $FWDIR/conf/dynamic_split.conf

In this parameter, configure the value "1" (one):

OFF_BY_DEFAULT_ON_VSX=1

Save the changes in the file and exit the editor.
Install the R81.20 Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulator on the VSX Gateway and reboot.

Notes:

In a CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. upgrade scenario, you perform the upgrade procedure on the same VSX Gateway.
This upgrade method is supported only for VSX Gateways that already run Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Operating System.

Important - Before you upgrade a VSX Gateway:

Step

Instructions

Back up your current configuration (see Backing Up and Restoring).

Important - Back up both the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and the VSX Gateway. Follow sk100395.

See the Upgrade Options and Prerequisites.

Upgrade the Management Server and Log Servers.

Upgrade the licenses on the VSX Gateway, if needed.

See Working with Licenses.

Schedule a full maintenance window to make sure you can make all the custom configurations again after the upgrade.

The upgrade process replaces all existing files with default files.

If you have custom configurations on the VSX Gateway, they are lost during the upgrade.

As a result, different issues can occur in the upgraded VSX Gateway.

These upgrade scenarios are available:

Upgrading the VSX Gateway with CPUSE to R81.20
Clean Install Installation of a Check Point Operating System from scratch on a computer. of the R81.20 VSX Gateway

Upgrading the VSX Gateway with CPUSE to R81.20

On the Management Server, upgrade the configuration of the VSX Gateway object to R81.20

Step

Instructions

Connect to the command line on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. that manages this VSX Gateway.

On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Gateway object:

mdsenv <IP Address or Name of Main Domain Management Server>

Upgrade the configuration of the VSX Gateway object to R81.20:

vsx_util upgrade

This command is interactive.

Enter these details to log in to the management database:

IP address of the Security Management Server or Main Domain Management Server that manages this VSX Gateway
Management Server administrator's username
Management Server administrator's password

Select your VSX Gateway.

Select R81.20.

For auditing purposes, save the vsx_util log file:

On a Security Management Server:

/opt/CPsuite-R81.20/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

On a Multi-Domain Server:

/opt/CPmds-R81.20/customers/<Name_of_Domain>/CPsuite-R81.20/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

Connect with SmartConsole to the R81.20 Security Management Server or Main Domain Management Server that manages this VSX Gateway.

From the left navigation panel, click Gateways & Servers.

Open the VSX Gateway object.

From the left tree, click the General Properties page.

Make sure in the Platform section, the Version field shows R81.20.

Click Cancel (do not click OK).

Note - If you click OK, the Management Server pushes the VSX configuration to the VSX Gateway. Because the VSX Gateway is not upgraded yet, this operation would fail.

Upgrade the VSX Gateway with CPUSE

See Installing Software Packages on Gaia and follow the applicable action plan.

In SmartConsole, install the policy

Step

Instructions

Connect with SmartConsole to the R81.20 Security Management Server or Main Domain Management Server that manages this VSX Gateway.

From the left navigation panel, click Gateways & Servers.

Install the default policy on the VSX Gateway object:

Click Install Policy.

In the Policy field, select the default policy for this VSX Gateway object.

This policy is called:

<Name of VSX Gateway object>_VSX

Click Install.

Install the Threat Prevention Policy on the VSX Gateway object:

Click Install Policy.
In the Policy field, select the applicable Threat Prevention Policy for this VSX Gateway object.
Click Install.

Test the functionality

Step

Instructions

Examine the VSX configuration:

Connect to the command line on the VSX Gateway.
Log in to the Expert mode.

Run:

vsx stat -v

Connect with SmartConsole to the R81.20 Security Management Server or each Target Domain Management Server that manages the Virtual Systems on this VSX Gateway.

From the left navigation panel, click Logs & Monitor > Logs.

Examine the logs from the Virtual Systems on this VSX Gateway to make sure they inspect the traffic as expected.

Clean Install of the R81.20 VSX Gateway

On the Management Server, upgrade the configuration of the VSX Gateway object to R81.20

Step

Instructions

Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Gateway.

On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Gateway object:

mdsenv <IP Address or Name of Main Domain Management Server>

Upgrade the configuration of the VSX Gateway object to R81.20:

vsx_util upgrade

This command is interactive.

Enter these details to log in to the management database:

IP address of the Security Management Server or Main Domain Management Server that manages this VSX Gateway
Management Server administrator's username
Management Server administrator's password

Select your VSX Gateway.

Select R81.20.

For auditing purposes, save the vsx_util log file:

On a Security Management Server:

/opt/CPsuite-R81.20/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

On a Multi-Domain Server:

/opt/CPmds-R81.20/customers/<Name_of_Domain>/CPsuite-R81.20/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

Connect with SmartConsole to the R81.20 Security Management Server or Main Domain Management Server that manages this VSX Gateway.

From the left navigation panel, click Gateways & Servers.

Open the VSX Gateway object.

From the left tree, click the General Properties page.

Make sure in the Platform section, the Version field shows R81.20.

Click Cancel (do not click OK).

Note - If you click OK, the Management Server pushes the VSX configuration to the VSX Gateway. Because the VSX Gateway is not upgraded yet, this operation would fail.

On the VSX Gateway, perform a Clean Install of R81.20

Important - You must reboot the VSX Gateway after the upgrade or clean install.

Installation Method

Instructions

Clean Install of R81.20 with CPUSE

See Installing Software Packages on Gaia.

Follow the applicable action plan for the local or central installation.

In local installation, select the R81.20 package and perform Clean Install. See sk92449 for detailed steps.

Clean Install of R81.20 from scratch

Follow Installing a VSX Gateway - only the step "Install the VSX Gateway".

Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Gateway (prior to the upgrade).

Reconfigure the VSX Gateway

Step

Instructions

Configure the required settings on the VSX Gateway.

For more information, see the R81.20 CLI Reference Guide - Chapter VSX Commands > Section vsx_util > Section vsx_util reconfigure.

Connect to the command line on the R81.20 Security Management Server or Multi-Domain Server that manages this VSX Gateway.

On Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Gateway:

mdsenv <IP Address or Name of Main Domain Management Server>

Restore the VSX configuration:

vsx_util reconfigure

Follow the instructions on the screen.

Important - Enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Gateway.

Configure the required settings on the VSX Gateway:

OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).
Settings manually defined in various configuration files.
Applicable Check Point configuration files.

Test the functionality

Step

Instructions

Examine the VSX configuration:

Connect to the command line on the VSX Gateway.
Log in to the Expert mode.

Run:

vsx stat -v

Connect with SmartConsole to the R81.20 Security Management Server or each Target Domain Management Server that manages the Virtual Systems on this VSX Gateway.

From the left navigation panel, click Logs & Monitor > Logs.

Examine the logs from the Virtual Systems on this VSX Gateway to make sure they inspect the traffic as expected.

For more information, see the: