Supported Upgrade Paths

Upgrade Paths

Note - For more information about Security Management Servers and supported managed Security Gateways see sk113113.

Upgrade to R82 is available only from these versions:

Current Version	Security Gateways and Traditional VSX ⁽¹⁾	Management Servers and Multi-Domain Servers	Standalone
R81.20, R81.10, R81, R80.40	Yes	Yes	Yes
For Scalable Platforms: R81.20, R81.10	Requires a Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. ⁽²⁾	Not applicable	Not applicable
For Scalable Platforms: R81, R80.30SP, R80.20SP	Requires a 3-step upgrade path ⁽³⁾	Not applicable	Not applicable
R80.30 kernel 3.10, R80.30 kernel 2.6, R80.20 kernel 3.10, R80.20 kernel 2.6	Requires a 2-step upgrade path ⁽⁴⁾	Requires a 2-step upgrade path ⁽⁴⁾	Requires a 2-step upgrade path ⁽⁴⁾
R80.20.M2, R80.20.M1	Not applicable	Requires a 2-step upgrade path ⁽⁴⁾	Not applicable
R80.10	Requires a 2-step upgrade path ⁽⁴⁾⁽⁶⁾	Requires a 2-step upgrade path ⁽⁴⁾	Requires a 2-step upgrade path ⁽⁴⁾⁽⁶⁾
R80	Not applicable	Requires a 2-step upgrade path ⁽⁴⁾	Not applicable
R77.30	Requires a 2-step upgrade path ^(4)(5)(6)	Requires a 2-step upgrade path ⁽⁴⁾⁽⁵⁾	Requires a 2-step upgrade path ^(4)(5)(6)

Current Version

Security Gateways

and

Traditional VSX ⁽¹⁾

Management Servers

and

Multi-Domain Servers

Standalone

R81.20,

R81.10,

R81,

R80.40

Yes

For Scalable Platforms:

R81.20,

R81.10

Requires a

Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. ⁽²⁾

Not applicable

For Scalable Platforms:

R81,

R80.30SP,

R80.20SP

Requires a 3-step

upgrade path ⁽³⁾

Not applicable

R80.30 kernel 3.10,

R80.30 kernel 2.6,

R80.20 kernel 3.10,

R80.20 kernel 2.6

Requires a 2-step

upgrade path ⁽⁴⁾

Requires a 2-step

upgrade path ⁽⁴⁾

Requires a 2-step

upgrade path ⁽⁴⁾

R80.20.M2,

R80.20.M1

Not applicable

Requires a 2-step

upgrade path ⁽⁴⁾

Not applicable

R80.10

Requires a 2-step

upgrade path ⁽⁴⁾⁽⁶⁾

Requires a 2-step

upgrade path ⁽⁴⁾

Requires a 2-step

upgrade path ⁽⁴⁾⁽⁶⁾

R80

Not applicable

Requires a 2-step

upgrade path ⁽⁴⁾

Not applicable

R77.30

Requires a 2-step

upgrade path ^(4)(5)(6)

Requires a 2-step

upgrade path ⁽⁴⁾⁽⁵⁾

Requires a 2-step

upgrade path ^(4)(5)(6)

Notes:

Starting from R81.10, VSLS is the only supported mode for new installations of VSX Clusters (does not apply to the VSNext mode).

Upgrade of a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. in the High Availability mode from R81.10 and earlier versions to R82 is supported.

To convert the upgraded VSX Cluster to VSLS, use the "vsx_util to convert" command.
To upgrade a Scalable Platform from R81.10, R81.20 to R82, you must install a required Take of a Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.:
- On R81.20 for Scalable Platforms
  
  Must install the R81.20 Jumbo Hotfix Accumulator, Take 92 or higher.
- On R81.10 for Scalable Platforms
  
  Must install the R81.10 Jumbo Hotfix Accumulator, Take 172 or higher.
In Maestro environment, it is possible to upgrade Security Groups A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. and Quantum Maestro Orchestrators A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. (if you decide to upgrade, you must upgrade both).
To upgrade a Scalable Platform from R81, R80.30SP, R80.20SP to R82, you must follow this 3-step upgrade path:
1. Upgrade to one of these versions:
  - R81.20 for Scalable Platforms
    
    See:
  - R81.10 for Scalable Platforms
    
    See:
2. Install the required Jumbo Hotfix Accumulator:
  - On R81.20 for Scalable Platforms
    
    R81.20 Jumbo Hotfix Accumulator, Take 92 or higher.
  - On R81.10 for Scalable Platforms
    
    R81.10 Jumbo Hotfix Accumulator, Take 172 or higher.
3. Upgrade to R82.
The required 2-step upgrade path is:
1. Upgrade to one of these versions:
  - R81.20 (see the R81.20 Installation and Upgrade Guide).
  - R81.10 (see the R81.10 Installation and Upgrade Guide).
  - R81 (see the R81 Installation and Upgrade Guide).
  - R80.40 (see the R80.40 Installation and Upgrade Guide).
2. Upgrade to R82.
To upgrade an R77.30 environment that implements Carrier Security (former Firewall-1 GX), you must follow sk169415.
Before you start the upgrade on R77.30 or R80.10, you must make sure the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS edition is 64-bit:
1. Get the current Gaia OS edition with this Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). command:
  
  show version all
2. If the Gaia OS edition is "32-bit", run these Gaia Clish commands:
  
  set edition 64-bit
  
  save config
  
  reboot

Upgrade Methods

Use these methods to upgrade your Check Point environment to R82:

Best Practice - If several methods are supported for your product, we recommend Central Deployment in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Check Point Product	Gaia Fast Deployment Clean Install ⁽¹⁾	Gaia Fast Deployment Upgrade ⁽¹⁾	Central Deployment in SmartConsole ⁽²⁾	CPUSE Clean Install ⁽³⁾	CPUSE Upgrade ⁽⁴⁾	Advanced Upgrade ⁽⁵⁾	Upgrade with Migration ⁽⁶⁾	Upgrade with CDT ⁽⁷⁾
Security Gateways	Yes	Yes	Yes	Yes	Yes	No	No	Yes
VSX Gateways	No	Yes	Yes	Yes	Yes	No	No	Yes
Security Group Members Member of a Security Group in ElasticXL Cluster, Maestro, and Scalable Chassis. Acronym: SGM. - Maestro	No	No	No	Yes	Yes	No	No	No
Security Group Members - Scalable Chassis The container that contains the all the components of a 60000 / 40000 Appliance. Synonym: Chassis.	No	No	No	Yes	Yes	No	No	No
ClusterXL Members in the High Availability modes	No	Yes	Yes	Yes	Yes	No	No	Yes
ClusterXL Members in the Load Sharing modes	No	Yes	No	Yes	Yes	No	No	Yes
VSX Cluster Members in the High Availability mode	No	Yes	Yes	Yes	Yes	No	No	Yes
VSX Cluster Members in the VSLS mode	No	Yes	No	Yes	Yes	No	No	Yes
VRRP Cluster Members	No	Yes	No	Yes	Yes	No	No	Yes
Primary Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.	Yes	Yes	No	Yes	Yes	Yes	Yes	No
Secondary Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.	No	No	Yes	Yes	Yes	Yes	Yes	No
Primary Multi-Domain Security Management Server	Yes	Yes	No	Yes	Yes	Yes	Yes	No
Secondary Multi-Domain Security Management Server	Yes	Yes	No	Yes	Yes	Yes	Yes	No
Primary Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS.	Yes	Yes	No	Yes	Yes	Yes	Yes	No
Secondary Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs.	Yes	Yes	No	Yes	Yes	Yes	Yes	No
Primary CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security.	No	No	No	Yes	Yes	Yes	Yes	No
Secondary CloudGuard Controller	No	No	Yes	Yes	Yes	Yes	Yes	No
Primary Endpoint Security Management Server	No	No	No	Yes	Yes	Yes	Yes	No
Secondary Endpoint Security Management Server	No	No	Yes	Yes	Yes	Yes	Yes	No
Dedicated Log Server	No	No	Yes	Yes	Yes	Yes	Yes	No
Dedicated SmartEvent Server Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database.	No	No	Yes	Yes	Yes	Yes	Yes	No
Full High Availability Cluster Members	No	No	No	Yes	Yes	Yes	Yes	No
Standalone Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server. Server	No	No	No	Yes	Yes	Yes	Yes	No

Explanations:

Gaia Fast Deployment:

Performs a multi-step upgrade or clean install with one image.

This image already contains a specific base version, a designated role (for example, a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.), and Hotfixes / Jumbo Hotfix Accumulator.

You can see and install this image with CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. in Gaia Portal Web interface for the Check Point Gaia operating system. or Gaia Clish.

For more information, see sk120193.
Central Deployment in SmartConsole:
- You perform a remote installation of an upgrade package from SmartConsole.
- You install the package from the local repository on the Management Server or from Check Point Cloud.
- You can install the package on several targets at the same time.
- On a ClusterXL and a VSX Cluster in the High Availability mode, the Central Deployment method performs the Multi-Version Cluster (MVC) Upgrade to preserve the current connections:
  1. Upgrades all Cluster Members in the Standby mode.
  2. Enables the MVC mode to allow the synchronization of the current connections between Cluster Members that run different software versions.
  3. Performs a failover from the Cluster Member Security Gateway that is part of a cluster. in the Active state to one of the upgraded Cluster Members.
  4. Upgrades the remaining Cluster Member (formerly in the Active state).
- For instructions, see the R82 Security Management Administration Guide.
CPUSE Clean Install:
- You perform a local installation of the higher version from scratch in Gaia Portal or Gaia Clish.
- You install the package from the local repository in Gaia OS or from Check Point Cloud.
- Requires these steps to preserve the configuration and database:
  1. Export the data before the installation.
  2. Import the data after the installation.
- On a ClusterXL and a VSX Cluster, there are different ways to perform a local upgrade on the Cluster Members based on how you need to preserve the current connections:
  - Multi-Version Cluster (MVC) Upgrade
  - Minimum Effort Upgrade
  - Minimum Downtime Upgrade
- For instructions, see the R82 Installation and Upgrade Guide.
CPUSE Upgrade (In-place Upgrade):
- You perform a local installation of an upgrade package in Gaia Portal or Gaia Clish.
- You install the package from the local repository in Gaia OS or from Check Point Cloud.
- Keeps the current configuration and database.
- On a ClusterXL and a VSX Cluster, there are different ways to perform a local upgrade on the Cluster Members based on how you need to preserve the current connections:
  - Multi-Version Cluster (MVC) Upgrade
  - Minimum Effort Upgrade
  - Minimum Downtime Upgrade
- For instructions, see the R82 Installation and Upgrade Guide.
Advanced Upgrade:
- Intended for Management Servers only.
- You perform a local installation of an upgrade package in Gaia Portal or Gaia Clish.
- You install the package from the local repository in Gaia OS or from Check Point Cloud.
- Requires these steps:
  1. Export of the current management database from the server.
  2. Upgrade of the server with CPUSE (In-place Upgrade or Clean Install).
  3. Import of the exported management database.
- For instructions, see the R82 Installation and Upgrade Guide.
Upgrade with Migration:
- Intended for Management Servers only.
- Requires these steps:
  1. Export of the current management database from the server.
  2. Installation of a different server with a higher version (Clean Install).
  3. Import of the exported management database.
- For instructions, see the R82 Installation and Upgrade Guide.
Upgrade with CDT (Central Deployment Tool):
- Intended for Security Gateways and Cluster Members only.
- You perform a remote installation of an upgrade package from the Management Server.
- You install the package from the local repository on the Management Server.
- You can install the package on several targets at the same time.
- For more information, see sk111158.

The minimum required unpartitioned disk space is the highest value of one of these:

Size of the current root partition.
The used space in the current root partition plus 3 GB.
If the used space is more than 90% of the root partition, then 110% of the size of the current root partition.

Important:

At least 20 GB of free disk space is required in the root partition for an Upgrade to succeed.
At least 10 GB of free disk space is required in the /var/log partition for a Clean Install or Upgrade to succeed.