Step 1: Installing the SSM160 Firmware

If your Chassis is equipped with SSM160, you must install the SSM160 firmware. Then continue with Step 2: Installing the SGM Image.

Before Installing SSM160 Firmware

Step

Instructions

1

Install hardware components and connect cables:

  1. Install all hardware components into the Standby Chassis (SGMs, SSMs, and CMMs).

    See the Quantum Scalable Chassis Getting Started Guide > Chapter Step 3: Installing Hardware Components and Connecting Power Cables.

  2. If you have a Dual Chassis environment, connect one Sync cable between the two Standby Chassis.

    Connect the cable between these interfaces:

    • eth1-Sync on chassis1

    • eth1-Sync on chassis2

  3. For IP management of the Chassis, connect a cable to one of the management interfaces on chassis1:

    • Connect to the eth1-Mgmt1, if you use a 10Gbps network

    • Connect to the eth1-Mgmt4, if you use a 1Gbps network

2

Connect to the chassis over Console (Serial).

See Installing SSM160 Firmware.

3

Configure a Security Group and a Management IP Address:

  1. Run the Gaia First Time Configuration Wizard.

    See Configuring Gaia for the First Time.

  2. Configure a Security Group.

    See the R81 Quantum Scalable Chassis Administration Guide > Chapter Security Group Concepts.

Configuration settings are applied, and the Security Group reboots.

Other SGMs in the Security Group are configured automatically.

4

Make sure the initial system setup is completed successfully:

  1. Connect to the command line on the Security Group.

  2. Log in to the Expert mode.

  3. Run the asg_policy verify command.

    The InitialPolicy must be installed on the local SGM after initial setup completes and the SGM reboots.

    Example:

    [Expert@MyChassis-ch0X-0X:0]# asg_policy verify

     

    +-----------------------------------------------------------------+

    |Policy Verification                                              |

    +-------+--------------+---------------+-----------------+--------+

    |SGM    |Policy Name   |Policy Date    |Policy Signature |Status  |

    +-------+--------------+---------------+-----------------+--------+

    |1_01   |InitialPolicy |-              |304016f30        |Success |

    +-------+--------------+---------------+-----------------+--------+

     

    +-----------------------------------------------------------------+

    |Summary                                                          |

    +-----------------------------------------------------------------+

    |Policy Verification completed successfully                       |

    +-----------------------------------------------------------------+

  4. Wait until the installation process is complete.

    The installation process is complete when all the SGMs in the Security Group are UP and have the InitialPolicy installed.

Connecting over Console (Serial) Port

Connecting a Console

Step

Instructions

1

Connect the DB9 serial cable to the console (serial) port on the far, left-hand SGM in the chassis.

See the Quantum Scalable Chassis Getting Started Guide > Chapter Hardware Components > Sections:

  • Front Panel on the 64000 Chassis

  • Front Panel on the 44000 Chassis

  • Front Panel on the 61000 N+N Chassis

  • Front Panel on the 61000 Chassis

  • Front Panel on the 41000 Chassis

Example:

2

Connect the other end of the cable to the serial port on your computer.

3

Define the communication parameters in your terminal emulation application (for example, PuTTY):

  • Serial port - 9600 BPS, 8 bits, no parity, 1 stop bit

  • Flow control - None

4

Turn on the Chassis.

5

Log in with these credentials:

  • Username = admin

  • Password = admin

Installing SSM160 Firmware

You have to install firmware on the Security Switch Module SSM160.

SCP password for SSM160 firmware installation

All firmware installations should be performed with the assistance of Check Point Support.

Installing the SSM160 Firmware

Step

Instructions

1

Download the SSM160 firmware from sk93332.

2

Transfer the SSM160 firmware to one of the SGMs.

  1. Transfer the over an SCP

  2. Connect to the Management Interface of one of the SGMs

    Use the management IP address you configured in the Gaia First Time Configuration Wizard

  3. Transfer the file to this directory: /home/admin/

3

Connect to the command line on the SGM.

4

Log in to the Expert mode.

5

From this SGM, copy the SSM160 firmware file to the other SGMs in the Security Group:

asg_cp2blades -b <List of SGMs> /home/admin/<SSM160 Firmware File>

6

From this SGM, copy the firmware to the two SSMs in the Standby Chassis:

scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM1:/batm/current_version/

scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM2:/batm/current_version/

7

Enter the SCP password you received from Check Point Support.

You may see a read-only file system error. For example:

scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/

root@ssm2's password:

scp: /batm/current_version//2.4.B27.2.T-HUB4.tar.bz2: Read-only file system

 

If you see a read-only file system error, follow these steps:

  1. From the Expert mode, connect to the applicable SSM over SSH:

    ssh ssm1

    ssh ssm2

    The password is: admin

  2. From the default shell, run:

    unhide private

    The password is: private

  3. Run these commands:

    show private shell

    mount -rw -o remount /batm/

    exit

    logout

  4. Copy the firmware file to each SSM:

    scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM1:/batm/current_version/

    scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM2:/batm/current_version/

  5. Enter the SCP password you received from Check Point Support.

8

Activate the new firmware on the SSM.

Do this for the two SSMs on the Standby Chassis:

  1. From the Expert mode, connect to the applicable SSM over SSH:

    ssh ssm1

    ssh ssm2

    The password is: admin

  2. Run:

    file ls os-image

  3. Copy the name of the new image file.

  4. Run:

    file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2

  5. Move to the configuration shell:

    config terminal

  6. Reload the SSM with the new image:

    system reload manufacturing-defaults

 

Example:

T-HUB4# file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2

Image file 2.4.B27.2.T-HUB4.tar.bz2 is tested for validity, please wait... OK

Activating image 2.4.B27.2.T-HUB4.tar.bz2..

 

T-HUB4#

T-HUB4# config terminal

Entering configuration mode terminal

T-HUB4(config)#

T-HUB4(config)# system reload manufacturing-defaults

Are you sure that you want to delete existing configuration and reload manufacturing default configuration (yes/no)? yes

9

Connect to SGM on the other Standby Chassis.

From the Expert shell, run:

blade <SGM ID>

Example:

blade 2_01

Run exit to return to the previous SGM.

10

Repeat the firmware upgrade procedure on the two SSMs of the other Standby Chassis.

11

Make sure the SSM160 firmware upgrade was successful:

asg_version

All SSMs must have the firmware version 2.4.B27.2.

For more information, see sk93332.

Upgrading SSM Firmware

Use the "asg_ssm_upgrade" utility in the Expert mode to upgrade the SSM firmware to the most recent version.

Upgrade one SSM at a time.

Syntax:

asg_ssm_upgrade ssm <SSM ID> [chassis <Chassis ID>] [file <Firmware File>]

Parameters

Parameter

Description

<SSM ID>

Specifies the SSM ID to upgrade.

Valid values:

  • 1

  • 2

  • all

<Chassis ID>

Specifies the Chassis ID.

Valid values:

  • 1

  • 2

  • all

<Firmware File>

Specifies the absolute path and name of the new firmware file.

Important:

  • Before you upgrade, confirm that the checksum of the new firmware file is valid.

  • You must copy the new firmware file to all SGMs.

  • You must connect over console when upgrade the SSM firmware on the chassis.

    In Dual Chassis, this does not applies if you upgrade the SSM firmware on the other chassis.

  • The SSM automatically reboots after the upgrade. This can cause traffic interruption.