Upgrading Security Management Servers in Management High Availability from R80.20 and higher

Notes:

  • This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions.

  • These instructions equally apply to:

    • Security Management Servers

    • CloudGuard Controllers

  • For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See the Upgrade Options and Prerequisites.

3

Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4

You must close all GUI clients (SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. applications) connected to the source Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

5

Install the latest version of the CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. from sk92449.

Note - This is to make sure the CPUSE is able to support the required Upgrade Tools package.

6

Run the Pre-Upgrade Verifier on all source servers and fix all detected issues before you start the upgrade.

7

In Management High Availability, make sure the Primary Security Management Server is upgraded and runs, before you start the upgrade on other servers.

Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.

Procedure:

Step

Instructions

1

Upgrade the Primary Security Management Server with one of the supported methods.

2

Upgrade the Secondary Security Management Server with one of the supported methods.

Important:

3

Get the R81 SmartConsole.

See Installing SmartConsole.

4

Connect with SmartConsole to the R81 Primary Security Management Server.

5

Update the object version of the Secondary Security Management Server:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Secondary Security Management Server object.

  3. From the left tree, click General Properties.

  4. In the Platform section > in the Version field, select R81.

  5. Click OK.

6

Make sure Secure Internal Communication (SIC) works correctly with the Secondary Security Management Server:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Secondary Security Management Server object.

  3. On the General Properties page, click Communication.

  4. Click Test SIC Status.

    The SIC Status must show Communicating.

  5. Click Close.

  6. Click OK.

7

Upgrade the dedicated Log Servers and SmartEvent Servers.

Follow the applicable procedure in Upgrading a Security Management Server or Log Server from R80.20 and higher.

Important - If you changed the IPv4 address of one of more Security Management Servers during their upgrade, then you must put the required JSON file on the dedicated Log Servers and SmartEvent Servers. See the corresponding section below.

8

Install the management database:

  1. In the top left corner, click Menu > Install database.

  2. Select all objects.

  3. Click Install.

  4. Click OK.

9

Install the Event Policy.

Important - This step applies only if the SmartEvent Correlation Unit Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is enabled on the R81 Security Management Server.

  1. In the SmartConsole, from the left navigation panel, click Logs & Monitor.

  2. At the top, click + to open a new tab.

  3. In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.

    The Legacy SmartEvent client opens.

  4. In the top left corner, click Menu > Actions > Install Event Policy.

  5. Confirm.

  6. Wait for these messages to appear:

    SmartEvent Policy Installer installation complete

    SmartEvent Policy Installer installation succeeded

  7. Click Close.

  8. Close the Legacy SmartEvent client.

10

Reconfigure the Log Exporter:

  1. Connect to the command line on the server.

  2. Log in to the Expert mode.

  3. Restore the Log Exporter configuration as described in sk127653.

  4. Reconfigure the Log Exporter:

    cp_log_export reconf

  5. Restart the Log Exporter:

    cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide > Chapter Log Exporter

11

Synchronize the Security Management Servers:

  1. In the top left corner, click Menu > Management High Availability.

  2. In the Peers section, click Actions > Sync Peer.

  3. The status must show Successfully synced for all peers.

If you installed the target R81 Security Management Server with a different IP address than the source Security Management Server, you must create a special JSON configuration file before you import the management database from the source Security Management Server. Note that you have to issue licenses for the new IP address.

Important:

  • If none of the servers in the same Security Management environment changed their original IP addresses, then you do not need to create the special JSON configuration file.

  • Even if only one of the servers migrates to a new IP address, all the other servers (including all Log Servers and SmartEvent Servers) must get this configuration file for the import process.

    You must use the same JSON configuration file on all servers (including Log Servers and SmartEvent Servers) in the same Security Management environment.

To create the required JSON configuration file:

Step

Instructions

1

Connect to the command line on the target R81 Security Management Server.

2

Log in to the Expert mode.

3

Create the /var/log/mdss.json file that contains each server that migrates to a new IP address.

[{"name":"<Name of Primary Security Management Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81 Security Management Server"}]

[{"name":"<Name of Primary Security Management Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81 Security Management Server"},

{"name":"<Name of Secondary Security Management Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R81 Security Management Server"}]

[{"name":"<Name of Primary Security Management Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Primary R81 Security Management Server"},

{"name":"<Name of Secondary Security Management Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Secondary R81 Security Management Server"},

{"name":"<Name of Security Management Server Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R81 Security Management Server"}]

 

There are 3 servers in the R80.30 Security Management environment - the Primary Security Management Server, the Secondary Security Management Server, and the Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs.. Both the Primary and the Secondary Security Management Servers migrate to new IP addresses. The Log Server remains with the original IP address.

  1. The current IPv4 address of the source Primary R80.30 Security Management Server is:

    192.168.10.21

  2. The current IPv4 address of the source Secondary R80.30 Security Management Server is:

    192.168.10.22

  3. The name of the source Primary R80.30 Security Management Server object in SmartConsole is:

    MyPrimarySecMgmtServer

  4. The name of the source Secondary R80.30 Security Management Server object in SmartConsole is:

    MySecondarySecMgmtServer

  5. The new IPv4 address of the target Primary R81 Security Management Server is:

    172.30.40.51

  6. The new IPv4 address of the target Secondary R81 Security Management Server is:

    172.30.40.52

  7. The required syntax for the JSON configuration file you must use on both the Primary and the Secondary Security Management Servers, and on the Log Server:

    [{"name":"MyPrimarySecMgmtServer","newIpAddress4":"172.30.40.51"},{"name":"MySecondarySecMgmtServer","newIpAddress4":"172.30.40.52"}]

    Important - All servers in this environment must get this same information.