Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20 and higher with Migration
In a migration and upgrade scenario, you perform the procedure on the source Check Point server and on a different target Check Point server.
Important - Before you upgrade an Endpoint Security Management Server or Endpoint Policy Server:
Procedure:
-
Get the required Upgrade Tools on the source server
Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.
Step
Instructions
1
Download the R81 Upgrade Tools from sk135172.
(See Upgrade Tools.)
Note - This is a CPUSE Offline package.
2
Install the R81 Upgrade Tools with CPUSE.
See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
3
Make sure the package is installed.
Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1
The output must show the same build number you see in the name of the downloaded TGZ package.
Example
Name of the downloaded package:
ngm_upgrade_wrapper_993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#
Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.
-
On the current Endpoint Security Management Server or Endpoint Policy Server, run the Pre-Upgrade Verifier and export the entire management database
Step
Instructions
1
Connect to the command line on the source Endpoint Server.
2
Log in to the Expert mode.
3
Go to the $FWDIR/scripts/ directory:
cd $FWDIR/scripts
4
Run the Pre-Upgrade Verifier.
-
If this Endpoint Server is connected to the Internet, run:
./migrate_server verify -v R81
-
If this Endpoint Server is not connected to the Internet, run:
./migrate_server verify -v R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate_server.
5
Read the Pre-Upgrade Verifier output.
If it is necessary to fix errors:
-
Follow the instructions in the report.
-
Run the Pre-Upgrade Verifier again.
6
Export the management database:
-
If this Endpoint Server is connected to the Internet, run:
./migrate_server export -v R81 [-l | -x] /<Full Path>/<Name of Exported File>
-
If this Endpoint Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>
Notes:
-
You can also export the MSI packages with the "--include-uepm-msi-files" option.
-
For details, see the R81 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate_server.
7
Calculate the MD5 for the exported database files:
md5sum /<Full Path>/<Name of Database File>.tgz
8
Transfer the exported databases from the source Endpoint Server to an external storage:
/<Full Path>/<Name of Database File>.tgz
Note - Make sure to transfer the file in the binary mode.
-
Install a new R81 Endpoint Security Management Server or Endpoint Policy Server
Step
Instructions
1
See the R81 Release Notes for requirements.
2
Perform the clean install in one of these ways (do not perform initial configuration in SmartConsole):
-
Follow Installing Software Packages on Gaia - select the R81 package and perform Clean Install. See sk92449 for detailed steps.
Important - These options are available:
-
The IP addresses of the source and target servers can be the same.
If in the future it is necessary to have a different IP address on the R81 server, you can change it.
For applicable procedures, see sk40993 and sk65451.
Note that you have to issue licenses for the new IP address.
-
The IP addresses of the source and target servers can be different.
You must create a special JSON configuration file mdss.json that contains each server that migrates to a new IP address.
Note that you have to issue licenses for the new IP address.
You must install the new licenses only after you import the databases.
-
Get the required Upgrade Tools on the target R81 server
Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.
Step
Instructions
1
Download the R81 Upgrade Tools from sk135172.
(See Upgrade Tools.)
Note - This is a CPUSE Offline package.
2
Install the R81 Upgrade Tools with CPUSE.
See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.
3
Make sure the package is installed.
Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1
The output must show the same build number you see in the name of the downloaded TGZ package.
Example
Name of the downloaded package:
ngm_upgrade_wrapper_993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#
Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet. This is to make sure you always have the latest version of these Upgrade Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.
-
On the target R81 Endpoint Security Management Server or Endpoint Policy Server, import the databases
Required JSON configuration file
If you installed the target R81 Endpoint Server with a different IP address than the source Endpoint Server, you must create a special JSON configuration file before you import the management database from the source Endpoint Server. Note that you have to issue licenses for the new IP address.
Important:
-
If none of the servers in the same Endpoint Security environment changed their original IP addresses, then you do not need to create the special JSON configuration file.
-
Even if only one of the servers migrates to a new IP address, all the other servers (including all Log Servers and SmartEvent Servers) must get this configuration file for the import process.
You must use the same JSON configuration file on all servers (including Log Servers and SmartEvent Servers) in the same Endpoint Security environment.
To create the required JSON configuration file:
Step
Instructions
1
Connect to the command line on the target R81 Endpoint Server.
2
Log in to the Expert mode.
3
Create the /var/log/mdss.json file that contains each server that migrates to a new IP address.
Format for migrating a single Endpoint Server to a new IP address:
[{"name":"<Name of Endpoint Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R81 Endpoint Server>"}]
Example
There are 2 servers in the R80.30 Endpoint Security environment - the Endpoint Security Management Server and the Log Server. The Endpoint Security Management Server migrates to a new IP address. The Log Server remains with the original IP address.
-
The current IPv4 address of the source R80.30 Endpoint Security Management Server is:
192.168.10.21
-
The name of the source R80.30 Endpoint Security Management Server object in SmartConsole is:
MyEndpointMgmtServer
-
The new IPv4 address of the target R81 Endpoint Security Management Server is:
172.30.40.51
-
The required syntax for the JSON configuration file you must use on the Endpoint Security Management Server and on the Log Server:
[{"name":"MyEndpointMgmtServer","newIpAddress4":"172.30.40.51"}]
Important - All servers in this environment must get this same information.
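One way to build and check the single-server form of /var/log/mdss.json described above, as an added example that is not part of the Check Point documentation. The function names valid_ipv4, mdss_single and mdss_check are hypothetical helpers; the object name and address are the ones from the example.

```shell
#!/bin/sh
# Added example; valid_ipv4, mdss_single and mdss_check are hypothetical helper
# names, not Check Point commands.

# Succeed only for a dotted quad with four octets in 0..255 and no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the single-server document for object name $1 and new IPv4 address $2.
mdss_single() {
    case "$1" in
        ''|*\"*|*\\*) echo "bad object name: $1" >&2; return 1 ;;
    esac
    valid_ipv4 "$2" || { echo "bad IPv4 address: $2" >&2; return 1; }
    printf '[{"name":"%s","newIpAddress4":"%s"}]\n' "$1" "$2"
}

# Check file $1 against that exact format; print "<name> <address>" on success.
mdss_check() {
    content=$(cat "$1") || return 1
    case "$content" in *'
'*) echo "$1: expected a single line" >&2; return 1 ;; esac
    parsed=$(printf '%s\n' "$content" | sed -n \
        's/^\[{"name":"\([^"\\]\{1,\}\)","newIpAddress4":"\([0-9.]*\)"}]$/\1 \2/p')
    [ -n "$parsed" ] || { echo "$1: not in the single-server format" >&2; return 1; }
    valid_ipv4 "${parsed##* }" || { echo "$1: bad IPv4 address" >&2; return 1; }
    printf '%s\n' "$parsed"
}

# Values from the example above. Redirect the output to /var/log/mdss.json on
# each server, then compare md5sum of the file across servers.
mdss_single MyEndpointMgmtServer 172.30.40.51
```

Running mdss_check on the copy placed on each server before the import catches a mistyped address or a stray character in the file.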
Importing the databases
Important - Make sure you followed the instructions in the above section "Required JSON configuration file".
Step
Instructions
1
Connect to the command line on the R81 Endpoint Server.
2
Log in to the Expert mode.
3
Make sure a valid license is installed:
cplic print
If it is not already installed, then install a valid license now.
4
Transfer the exported databases from an external storage to the R81 Endpoint Server, to some directory.
Note - Make sure to transfer the files in the binary mode.
5
Make sure the transferred files are not corrupted.
Calculate the MD5 for the transferred files and compare them to the MD5 that you calculated on the original Endpoint Server:
md5sum /<Full Path>/<Name of Database File>.tgz
6
Go to the $FWDIR/scripts/ directory:
cd $FWDIR/scripts/
7
Import the management database:
-
If this Endpoint Server is connected to the Internet, run:
./migrate_server import -v R81 [-l | -x] /<Full Path>/<Name of Exported File>.tgz
-
If this Endpoint Server is not connected to the Internet, run:
./migrate_server import -v R81 -skip_upgrade_tools_check [-l | -x] /<Full Path>/<Name of Exported File>.tgz
Notes:
-
The "migrate_server import" command automatically restarts Check Point services (runs the "cpstop" and "cpstart" commands).
-
You can also import the MSI packages with the "--include-uepm-msi-files" option.
-
For details, see the R81 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate_server.
-
Install the new licenses
Important - This step applies only if the target R81 Endpoint Server has a different IP address than the source Endpoint Server.
Step
Instructions
1
Issue licenses for the new IP address in your Check Point User Center account.
2
Install the new licenses on the R81 Endpoint Server.
You can do this either in the CLI with the "cplic put" command, or in the Gaia Portal.
3
Wait for a couple of minutes for the Endpoint Server to detect the new licenses.
Alternatively, restart Check Point services:
cpstop
cpstart
-
Upgrade the dedicated Endpoint Policy Servers
This step is part of the upgrade procedure of an Endpoint Security Management Server. If you upgrade a dedicated Endpoint Policy Server, then skip this step.
Important - If your Endpoint Security Management Server manages dedicated Endpoint Policy Servers, you must upgrade these dedicated servers to the same version as the Endpoint Security Management Server.
Follow the applicable procedure in Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20 and higher.
-
Update the object version of the dedicated Endpoint Policy Servers
Important - If your Endpoint Security Management Server manages dedicated Endpoint Policy Servers, you must update the version of the corresponding objects in SmartConsole.
Step
Instructions
1
Connect with SmartConsole to the R81 Security Management Server that manages the Endpoint Policy Server.
2
From the left navigation panel, click Gateways & Servers.
3
Open the object of the Endpoint Policy Server.
4
From the left tree, click General Properties.
5
In the Platform section > in the Version field, select R81.
6
Click OK.
-
Install the management database
Step
Instructions
1
Connect with SmartConsole to the R81 Endpoint Security Management Server.
2
In the top left corner, click . > Install database
3
Select all objects.
4
Click Install.
5
Click OK.
-
Install the Event Policy
Important - This step applies only if the SmartEvent Correlation Unit Software Blade is enabled on the R81 Endpoint Server.
Step
Instructions
1
Connect with the SmartConsole to the R81 Endpoint Server.
2
In the SmartConsole, from the left navigation panel, click Logs & Monitor.
3
At the top, click + to open a new tab.
4
In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.
The Legacy SmartEvent client opens.
5
In the top left corner, click . > Actions > Install Event Policy
6
Confirm.
7
Wait for these messages to appear:
SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded
8
Click Close.
9
Close the Legacy SmartEvent client.
-
Reconfigure the Log Exporter
Step
Instructions
1
Connect to the command line on the server.
2
Log in to the Expert mode.
3
Restore the Log Exporter configuration as described in sk127653.
4
Reconfigure the Log Exporter:
cp_log_export reconf
5
Restart the Log Exporter:
cp_log_export restart
For more information, see the R81 Logging and Monitoring Administration Guide > Chapter Log Exporter.
-
Test the functionality on the R81 Endpoint Server
Step
Instructions
1
Connect with SmartConsole to the R81 Endpoint Security Management Server.
Make sure the management database and configuration were upgraded correctly.
2
Connect with SmartConsole to the R81 Endpoint Policy Server.
Make sure everything works correctly.
-
Disconnect the old Endpoint Server from the network
Disconnect the cables from the old Endpoint Server.
-
Connect the new Endpoint Server to the network
Connect the cables to the new Endpoint Server.