Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

Prerequisites:

• Make sure you use the latest version of this document (see the Important Information page for links).

• See the R81 Release Notes for:

  • Supported upgrade paths

  • Minimum hardware and operating system requirements

  • Supported Security Gateways

• Make sure to read all applicable known limitations in the R81 Known Limitations SK.

• When you use the Advanced Upgrade or the Migration and Upgrade method, before you import the management database on the R81 Servers, we strongly recommend to install the latest Recommended Take of the R81 Jumbo Hotfix Accumulator.

  This makes sure the R81 Servers have the latest improvements for reported import issues.

  This recommendation does not apply to the CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. Upgrade method, because these improvements are already integrated in R81 CPUSE Upgrade Package.

• Licenses and Service Contracts:

  • Make sure you have valid licenses installed on all applicable Check Point computers - source and target.

  • Make sure you have a valid Service Contract that includes software upgrades and major releases registered to your Check Point User Center account (see Contract Verification).

    The contract file is stored on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and downloaded to Check Point Security Gateways during the upgrade process.

    For more information about Service Contracts, see sk33089.

• If SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. connects to the Management Server (which you plan to upgrade) through an R7x Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. or Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., then follow the steps below.

  Procedure

  1. Connect to the Management Server that manages the R7x Security Gateway or Cluster

  2. Add a new explicit Firewall rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:

     Source	Destination	VPN	Service	Action	Install On
     SmartConsole Host object	Management Server object	Any Traffic	TCP 19009	Accept	R7x Security Gateway or Cluster

  3. Install the modified Firewall Policy on the R7x Security Gateway or Cluster.

  4. If you upgrade this R7x Security Gateway or Cluster to R80.10 or higher, delete this explicit rule.

• On your Security Management Servers, Multi-Domain Servers, Domain Management Servers, Multi-Domain Log Servers, Domain Log Servers, Log Servers, and SmartEvent Servers:

  Make a copy of all custom configurations in the applicable directories and files.

  • Collect the Log Exporter configuration - see sk127653.

  • Pay special attention to these scripts:

    • $CPDIR/tmp/.CPprofile.sh

    • $CPDIR/tmp/.CPprofile.csh

  The upgrade process replaces all existing files with default files. You must not copy the customized configuration files from the current version to the upgraded version, because these files can be unique for each version. You must make all the custom configurations again after the upgrade.

  List of the applicable directories

  • $FWDIR/lib/

  • $FWDIR/conf/

  • $CVPNDIR/conf/

  • /opt/CP*/lib/

  • /opt/CP*/conf/

  • $MDSDIR/conf/

  • $MDSDIR/customers/<Name_of_Domain>/CP*/lib/

  • $MDSDIR/customers/<Name_of_Domain>/CP*/conf/

• For your Management Servers in High Availability configuration, plan the upgrade.

  Action Plan for Security Management Servers in High Availability

  Important - To back up and restore a consistent Security Management environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.

  Upgrade to R81	Action Plan
  From R80.20, R80.20.M2, and higher versions	Upgrade the Primary Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.. Make sure the Security Management Servers can communicate with each other and SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. works between these servers. For details, see sk179794. Upgrade the Secondary Security Management Servers.
  From R80.20.M1 version	Upgrade the Primary Security Management Server. Perform a clean install of the Secondary Security Management Servers. Connect the Secondary Security Management Servers to the Primary Security Management Server.

  Action Plan for Multi-Domain Servers in High Availability

  Important - To back up and restore a consistent Multi-Domain Security Management environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.

  Upgrade to R81	Action Plan
  From R80.20, R80.20.M2, and higher versions	Make sure to run Pre-Upgrade Verifier on all source servers and to fix all detected issues before you start the upgrade. Make sure the Global Domain is Active on the Primary Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS.. Upgrade the Primary Multi-Domain Server. Make sure the Multi-Domain Security Management Servers can communicate with each other and SIC works between these servers. For details, see sk179794. Upgrade the Secondary Multi-Domain Servers.
  From R80.20.M1 version	Make sure to run Pre-Upgrade Verifier on all source servers and to fix all detected issues before you start the upgrade. Make sure the Global Domain is Active on the Primary Multi-Domain Server. Upgrade the Primary Multi-Domain Server. Perform a clean install of the Secondary Multi-Domain Servers. Connect the Secondary Multi-Domain Servers to the Primary Multi-Domain Server.

• If your Security Management Server or Multi-Domain Server manages dedicated Log Servers or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Management Server.

  Important - You must upgrade your Management Servers before you can upgrade these dedicated servers.

  Note - SmartEvent Server can run the same version or higher than the Log Server Dedicated Check Point server that runs Check Point software to store and process logs..

• If your Multi-Domain Server manages Multi-Domain Log Servers, you must upgrade the Multi-Domain Log Servers to the same version as the Multi-Domain Server.

  Important - You must upgrade your Multi-Domain Servers before you can upgrade the Multi-Domain Log Servers.

• Before you upgrade a Multi-Domain Server, we recommend the steps below to optimize the upgrade process.

  Procedure

  Step	Instructions
  1	Delete all unused Threat Prevention Profiles on the Global Domain: Connect with SmartConsole to the Global Domain. From the left navigation panel, click Security Policies. Open each policy. In the top section, click Threat Prevention. In the bottom section Custom Policy Tools, click Profiles. Delete all unused Threat Prevention Profiles. Publish the SmartConsole session. Close SmartConsole.
  2	Disable the Staging Mode for IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protections (see sk142432): Connect with SmartConsole to each Domain. From the left navigation panel, click Security Policies. Open each policy. In the top section, click Threat Prevention. In the bottom section Custom Policy Tools, click Profiles. Edit each profile. From the left tree, click IPS > Updates. Clear the box Set activation as staging mode (Detect). Click OK. Publish the SmartConsole session. Close SmartConsole.

• Before you start an upgrade or migration procedure on your Management Servers, you must close all GUI clients (SmartConsole applications) connected to your Check Point computers.

• Before you start an upgrade of your Security Gateway and Cluster Members, you must upgrade the Management Server.

• On Smart-1 appliances with Multi-Domain Server or Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS. installed, if you configured an interface other than Mgmt as the Leading interface, the upgrade process or clean install process (with CPUSE) configures the interface Mgmt to be the Leading interface. To configure a different interface as the Leading interface after the upgrade, see sk107336.

• If an external storage device is connected to a Management Server or Log Server, you must follow sk66003.

  Action Plan

  1. Unmount and disconnect the external storage device.

  2. Upgrade the server to R81.

  3. Stop the SOLR process.

  4. Connect and mount the external storage device to the server.

  5. On the external storage device, configure the required settings to keep log indexes.

  6. Start the SOLR process.