Contents
Preface
Who Should Use This Guide (page 12)
Summary of Contents (page 13)
Related Documentation (page 14)
More Information (page 17)
Feedback (page 18)
Chapter 1
Chapter 2
Chapter 3
On SecurePlatform, Linux, and Solaris (page 65)
On IPSO (page 68)
Installing a Contract File on a Gateway (page 69)
On a Windows Platform (page 69)
On SecurePlatform, Linux, and Solaris Gateways (page 76)
On IPSO (page 81)
Managing Contracts with SmartUpdate (page 82)
Managing Contracts (page 82)
Updating Contracts (page 84)
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Ready State During Cluster Upgrade/Rollback Operations (page 195)
Upgrading OPSEC Certified Third-Party Cluster Products (page 195)
Minimal Effort Upgrade on a ClusterXL Cluster (page 196)
Zero Downtime Upgrade on a ClusterXL Cluster (page 197)
Supported Modes (page 197)
Full Connectivity Upgrade on a ClusterXL Cluster (page 200)
Understanding a Full Connectivity Upgrade (page 200)
Supported Modes (page 201)
Performing a Full Connectivity Upgrade (page 202)
Chapter 9
Upgrading Provider-1
Introduction (page 206)
Supported Versions and Platforms (page 206)
Provider-1/SiteManager-1 Terminology (page 207)
Before You Begin (page 207)
Provider-1/SiteManager-1 Upgrade Tools (page 208)
Pre-Upgrade Verifiers and Fixing Utilities (page 208)
Installation Script (page 209)
pv1_license_upgrade (page 211)
license_upgrade (page 211)
cma_migrate (page 212)
migrate_assist (page 215)
migrate_global_policies (page 216)
Backup and Restore (page 216)
Provider-1/SiteManager-1 License Upgrade (page 218)
Overview of NGX License Upgrade (page 218)
Introduction to License Upgrade in Provider-1 Environments (page 219)
Software Subscription Requirements (page 220)
Understanding Provider-1/SiteManager-1 Licenses (page 220)
Before License Upgrade (page 222)
Choosing The Right License Upgrade Procedure (page 227)
System-Wide License Upgrade, Before Software Upgrade (page 229)
System-Wide License Upgrade Using the Wrapper (page 233)
System-Wide License Upgrade, After Software Upgrade (page 234)
License Upgrade for a Single CMA (page 237)
License Upgrade Using the User Center (page 243)
SmartUpdate Considerations for License Upgrade (page 244)
Troubleshooting License Upgrade (page 244)
Provider-1/SiteManager-1 Upgrade Practices (page 249)
In-Place Upgrade (page 249)
Replicate and Upgrade (page 252)
Gradual Upgrade to Another Machine (page 253)
Migrating from a Standalone Installation to CMA (page 255)
MDS Post Upgrade Procedures (page 258)
Upgrading in a Multi-MDS Environment (page 259)
Pre-Upgrade Verification and Tools (page 259)
Upgrading a Multi-MDS System (page 260)
Restarting CMAs (page 263)
Restoring Your Original Environment (page 264)
Before the Upgrade (page 264)
Restoring Your Original Environment (page 264)
Renaming Customers (page 265)
Identifying Non-Compliant Customer Names (page 265)
High Availability Environment (page 265)
Automatic Division of Non-Compliant Names (page 265)
Resolving Non-Compliance (page 266)
Advanced Usage (page 267)
Changing the MDS IP Address and External Interface (page 269)
IP Address Change (page 269)
Interface Change (page 269)
SmartDefense in Provider-1 (page 270)
Chapter 10
Chapter 11
Upgrading Eventia
Overview (page 288)
Upgrading Eventia Reporter (page 288)
For Standalone Deployments (page 288)
For Distributed Deployments (page 289)
Advanced Eventia Reporter Upgrade (page 291)
Enabling Eventia Analyzer after Upgrading Reporter (page 293)
Upgrading Eventia Analyzer (page 294)
Upgrading Eventia Analyzer to NGX R65 (page 294)
Verifying the Events Database Has Been Moved (page 296)
Enabling Eventia Reporter (page 296)
Chapter 12
Upgrading IPS-1
Overview (page 297)
Upgrading IPS-1 Management Servers (page 297)
Upgrading IPS-1 Sensors (page 298)
Upgrading IPS-1 Power Sensors (page 298)
Remotely Upgrading an IPS-1 Power Sensor (page 298)
Reinstalling an IPS-1 Power Sensor (page 299)
Upgrading Legacy Sensor Appliances (page 301)
Index
Preface
In This Chapter
Who Should Use This Guide
Summary of Contents
Related Documentation
More Information
Feedback
Summary of Contents
This document describes how to upgrade to NGX R65.
Chapter 1, Introduction to the Upgrade Process: This chapter introduces the upgrade process.
Chapter 2, Upgrading Licenses for Products Prior to NGX: This chapter covers licensing issues as regards NGX.
Chapter 3, Service Contract Files: This chapter covers Service Contract Files.
Chapter 4, Upgrading a Distributed Deployment: This chapter covers upgrading a distributed deployment; that is, where the enforcement points and SmartCenter server are installed on separate machines.
Chapter 5, Backup and Revert for VPN-1 Power/UTM: This chapter covers the backup and revert process.
Chapter 6, Upgrading a Standalone Deployment: This chapter covers upgrading a standalone deployment, where the enforcement point and the SmartCenter server are installed on the same machine.
Chapter 7, Advanced Upgrade of SmartCenter Servers & Standalone Gateways: This chapter covers advanced upgrade procedures for SmartCenter Servers and Standalone Gateways.
Chapter 8, Upgrading ClusterXL Deployments: This chapter covers upgrade issues relating to ClusterXL.
Chapter 9, Upgrading Provider-1: This chapter covers upgrade issues regarding Provider-1.
Chapter 10, Upgrading SmartLSM ROBO Gateways: This chapter covers upgrading SmartLSM ROBO Gateways.
Chapter 11, Upgrading Eventia: This chapter covers upgrading Eventia Reporter.
Chapter 12, Upgrading IPS-1: This chapter covers upgrading IPS-1.
Related Documentation
The NGX R65 release includes the following documentation:
TABLE P-1 VPN-1 Power documentation suite
Contains an overview of NGX R65 and step-by-step product installation and upgrade procedures. This document also provides information about What's New, Licenses, minimum hardware and software requirements, etc.
Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.
Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
TABLE P-2
Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.
Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
Integrity Advanced Server System Requirements: Provides information about client and server requirements.
Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.
Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files.
Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.
More Information
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com.
View the latest version of this document in the User Center at http://support.checkpoint.com.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Documentation
This guide covers all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. The R65 release focuses on:
Increased performance
End point security
Central management
Interoperability
Before you begin:
Make sure that you have the latest version of this document by checking in the User Center at: http://www.checkpoint.com/support/technical/documents
It is a good idea to have the latest version of the NGX R65 Release Notes handy. Download them from: http://www.checkpoint.com/support/technical/documents
For a new features list, refer to the NGX R65 What's New Guide: http://www.checkpoint.com/support/technical/documents
The license upgrade procedure can be performed if you have purchased any of the Enterprise Software Subscription services. License upgrade will fail for products and accounts for which you do not have software subscription. You can manage your accounts, licenses, and Enterprise Support Programs coverage (under Support Programs) from the User Center at: http://usercenter.checkpoint.com
License upgrade is performed by means of an easy to use tool that automatically upgrades both locally and centrally managed licenses. Using the tool, you can upgrade all licenses in the entire managed system. License upgrade can also be performed manually, per license, in the User Center.
The automatic license upgrade tool enables you to:
1. View the status of the currently installed licenses. On a SmartCenter server (or a CMA, for Provider-1), you can also view the licenses in the SmartUpdate License Repository.
2. Simulate the license upgrade process.
3. Perform the actual license upgrade process.
During the license upgrade, all eligible licenses are gathered and sent in SSL encrypted format to the User Center. Upgraded licenses are returned from the User Center, and automatically installed. The license upgrade process adds only NGX licenses. Old licenses and non-eligible licenses (e.g., evaluation licenses or licenses that pertain to IP addresses no longer in use) remain untouched.
When run on a SmartCenter server (or a CMA, for Provider-1), the license upgrade process also handles licenses in the SmartUpdate License Repository. After the software upgrade, SmartUpdate is used to attach the new NGX licenses to the gateways.
The license upgrade process varies according to the type of deployment:
License upgrade for VPN-1 Pro/Express deployments is described in Chapter 2, Upgrading Licenses for Products Prior to NGX on page 29.
License upgrade for Provider-1 deployments is described in Provider-1/SiteManager-1 License Upgrade on page 218.
License upgrade for SmartLSM deployments is described in License Upgrade for a VPN-1 Power/UTM ROBO Gateway on page 274.
For the latest NGX license upgrade information and downloads, check: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
Contract Verification
Contract verification is now an integral part of the Check Point licensing scheme. Before upgrading to the latest version, your licensing agreements are verified through the User Center. See Service Contract Files on page 59 for more information.
[Table: supported upgrade versions (columns: Release, NG, NGX, Express CI, GX, VSX). Versions listed: VPN-1 Power/UTM NGX R62; VPN-1 Pro/Express NGX R61; VPN-1 Pro/Express NGX R60A; VPN-1 Pro/Express NGX R60; VPN-1 Pro NG R55W; VPN-1 Pro/Express NG with Application Intelligence R55; VPN-1 Pro/Express NG R55P; VPN-1 Pro/Express NG with Application Intelligence R54; VPN-1 Pro/Express NG FP3; R57 (Advanced Upgrade only); 2.5; VSX 2.0.1; VSX NG AI; VSX NG AI Release 2.]
[Table: supported upgrade versions, continued (columns: Release, NG, NGX, Express CI, GX, VSX). Versions listed: VPN-1 Power/UTM NGX R62; VPN-1 Pro/Express NGX R61; VPN-1 Pro/Express NGX R60A; VPN-1 Pro/Express NGX R60; VPN-1 Pro NG R55P; VPN-1 Pro NG R55W; VPN-1 Pro/Express NG with Application Intelligence R55; VPN-1 Pro/Express NG with Application Intelligence R54; VPN-1 Pro/Express NG FP3; R57; 2.5; NGX; VSX NG AI; VSX NG AI Release 2; VSX NGX; NGX R62.]
Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2.
Terminology
Advanced Upgrade: In order to avoid unnecessary risks, it is possible to migrate the current configuration to a spare server. The upgrade process is then performed on the migrated server, leaving the production server intact.
ClusterXL: A software-based load sharing and high availability solution for Check Point gateway deployments. It distributes traffic between clusters of redundant gateways so that the computing capacity of multiple machines may be combined to increase total throughput. In the event that any individual gateway becomes unreachable, all connections are redirected to a designated backup without interruption. Tight integration with Check Point's SmartCenter management and enforcement point solutions ensures that ClusterXL deployment is a simple task for VPN-1 administrators.
Distributed Deployment: A distributed deployment is performed when the gateway and the SmartCenter server are deployed on different machines.
Gateway or Check Point Gateway: A gateway is the VPN-1 engine which actively enforces the Security Policy of the organization.
In Place Upgrade: In Place upgrades are upgrades performed locally.
LSM: Large Scale Manager. SmartLSM enables enterprises to easily scale, deploy, and manage VPNs and security for thousands of remote locations.
Management Virtual System (MVS): A default Virtual System created by the VSX installation process during installation. The MVS handles provisioning and configuration of Virtual Systems and Virtual Routers, and manages Gateway State Synchronization when working with clusters.
Package Repository: This is a SmartUpdate repository on the SmartCenter server that stores uploaded packages. These packages are then used by SmartUpdate to perform upgrades of Check Point Gateways.
ROBO Gateways: A Remote Office/Branch Office Gateway.
ROBO Profile: An object that you define to represent properties of multiple ROBO Gateways. Profile objects are version dependent; therefore, when you plan to upgrade ROBO Gateways to a new version, first define new Profile objects for your new version. In general, it is recommended that you keep the Profile objects of the previous versions until all ROBO Gateways of the previous version are upgraded to the new version. For further information about defining a ROBO Profile, refer to the Defining Policies for the Gateway Profile Objects chapter in the Check Point R65 SmartLSM Administration Guide.
Security Policy: A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.
SmartCenter Server: The SmartCenter server is used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the SmartCenter server, and are downloaded from time to time to the gateways.
SmartConsole Clients: The SmartConsole Clients are the GUI applications that are used to manage different aspects of the Security Policy. For example, SmartView Tracker is a GUI client used to view logs.
SmartDashboard: A GUI client that is used to create Security Policies.
SmartUpdate: A tool that enables you to centrally upgrade and manage Check Point software and licenses.
Standalone Deployment: A standalone deployment is performed when the Check Point components that are responsible for the management of the Security Policy (the SmartCenter server and the gateway) are installed on the same machine.
Virtual Routers: Independent routing domains within a VSX Gateway that function like physical routers.
Virtual System: A routing and security domain featuring firewall and VPN capabilities supported by a standard Check Point Gateway. Multiple Virtual Systems can run concurrently on a single VSX Gateway, isolated from one another by their use of separate system resources and data storage.
VSX Clustering: The connection of two or more VSX Gateways in such a way that if one fails, another immediately takes its place. A single VSX Gateway contains multiple Virtual Routers and Virtual Systems.
Upgrade Tools
Various upgrade tools are provided for migration and compatibility verification of your current deployment. These tools help you successfully upgrade to NGX R65. The upgrade tools can be found in the following locations:
In the NGX R65 $FWDIR/bin/upgrade_tools directory.
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
Upgrading Successfully
If you encounter unforeseen obstacles during the upgrade process, contact your Reseller or our SecureKnowledge support center at: https://secureknowledge.checkpoint.com
For the latest NGX license upgrade information and downloads, check: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
Licensing Terminology
The license upgrade procedures use specialized licensing terminology. It is important to understand the terminology in order to successfully perform the license upgrade.
License Upgrade: The process of upgrading the license version from NG to NGX.
Software Upgrade: The process of upgrading Check Point software to version NGX.
License Repository: A repository on the SmartCenter server that stores licenses for Check Point products. It is used by SmartUpdate to install and manage licenses on Check Point Gateways.
Wrapper: The wizard application on the Check Point CD that allows you to install and upgrade Check Point products and upgrade licenses.
During the license upgrade, all eligible licenses are gathered and sent in SSL encrypted format to the User Center. Upgraded licenses are returned from the User Center, and automatically installed. The license upgrade process adds only NGX licenses. Old licenses and non-eligible licenses (e.g., evaluation licenses or licenses that pertain to IP addresses no longer in use) remain untouched. When run on a SmartCenter server (or a CMA, for Provider-1), the license upgrade tool also handles licenses in the SmartUpdate License Repository. After using the tool, SmartUpdate is used to attach the new NGX licenses in the License Repository to the gateways.
Tool Location
The license_upgrade tool can be found in one of the following locations:
On the NGX product CD at <Specific_platform>\
On the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
It is also part of the NGX installation, located at $CPDIR/bin.
Tool Options
The license_upgrade command line tool has a number of options. To view all of the options, run:
license_upgrade
Table 2-1 lists the available options:
Table 2-1 license_upgrade tool options
[L] Displays the licenses installed on your machine.
[S] Sends existing licenses to the User Center website to simulate the license upgrade and verify that it can be performed. No actual upgrade is performed and no new licenses are returned.
[U] Sends existing licenses to the User Center website to perform an upgrade and (by default, in online mode) installs them on the machine.
[C] Reports whether or not there are licenses on the machine that need to be upgraded.
[O] Performs license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
[V] Displays the log of the last license upgrade or last upgrade simulation.
To simulate the license upgrade:
1. Copy the license_upgrade tool from <Specific_platform>\ on the NGX product CD, or from the Check Point Download site at http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
2. Place the license_upgrade tool on the NG machine.
3. Run the license_upgrade tool and select the simulation option, [S] (see Table 2-1).
If you use SmartUpdate to manage your licenses, you can update all the licenses in your managed system in a single procedure. For both methods, the upgrade is performed using the license_upgrade tool. For each method, the actual procedure that is used depends on whether or not the machine on which the license upgrade is to be run is online or offline. An online machine is one with Internet connectivity to the Check Point User Center.
It is highly recommended to perform the license upgrade before performing any software upgrade. This ensures that the products continue to function after the software upgrade. However, if necessary, the software upgrade can be performed first.
Note - Version 4.1 licenses cannot be upgraded directly to NGX. You must first upgrade software and licenses to version NG.
Table 2-2 lists the Check Point licenses that are upgraded for each license upgrade method:
Table 2-2 License Management Method / License Upgrade for / Licenses Upgraded
Centrally managed using SmartUpdate: Entire managed system (run upgrade tool on SmartCenter server). Licenses upgraded: local machine licenses (for SmartCenter) and the License Repository (for gateways).
Locally managed: Gateway. Licenses upgraded: local machine licenses.
Locally managed: SmartCenter server. Licenses upgraded: local machine licenses.
Locally managed: Standalone gateway deployment, containing both a SmartCenter and a gateway (that manages no remote gateways). Licenses upgraded: local machine licenses (for SmartCenter and gateway).
What Next?
Select the right procedure for you:
Deployment with Licenses Managed Centrally Using SmartUpdate on page 39
Deployment with Licenses Managed Locally on page 44
After the SmartCenter server is upgraded, SmartUpdate must be used to complete the License Upgrade process. When SmartUpdate is opened, the upgraded licenses are imported into the License Repository and are assigned to the appropriate gateway.
A license can be in one of the following States:
Assigned: An NGX license that is associated with the enforcement gateways in the License Repository, but is not yet installed on the gateways as a replacement for an existing NG license.
Obsolete: An NG license for which a replacement NGX license is installed on an NGX enforcement gateway.
Requires Upgrade: An NG license that is installed on an NGX machine, and for which no replacement upgraded license exists.
No NGX license: An NG license that does not need to be upgraded, or one for which the license upgrade failed.
To upgrade licenses for an online SmartCenter:
1. On the SmartConsole GUI machine, open SmartUpdate, connect to the SmartCenter server, and select Licenses > Get all licenses. This ensures that the License Repository is updated.
2. Copy the license_upgrade tool from <Specific_platform>\ on the NGX product CD, or from the Check Point Download site: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
3. Place the license_upgrade tool on the SmartCenter NG machine.
4. On the SmartCenter server, perform the license upgrade procedure by running the license_upgrade tool (on SecurePlatform, you must be in expert mode).
Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on Windows platforms with via-proxy Internet connectivity.
5. Select the [U] option. This does the following:
Collects all the licenses that exist on the machine.
Fetches updated licenses from the User Center.
Installs new licenses on the local machine.
Upgrades any existing Management High Availability licenses on the SmartCenter machine.
6. Perform the software upgrade to NGX on both the SmartCenter machine and the SmartConsole GUI machine.
7. On the SmartConsole GUI machine, open SmartUpdate, and connect to the SmartCenter server. The updated licenses are displayed as Assigned. Use the Attach assigned licenses option to attach the assigned licenses to the gateways.
8. Perform the software upgrade to NGX on the gateway machine(s).
9. Delete obsolete licenses from the NGX gateways. On the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. In the License Repository, sort by the State column, select all the Obsolete licenses, Detach them, and then Delete them.
To upgrade a license for an offline SmartCenter:
1. On the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. Select Licenses > Get all licenses. This ensures that the License Repository is updated.
2. Copy the license_upgrade tool from <Specific_platform>\ on the NGX CD, or from the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
3. Place the license_upgrade tool on the offline SmartCenter server NG.
4. On the offline SmartCenter, run license_upgrade. (On SecurePlatform, you must be in expert mode.)
5. From the menu:
   - Press [U] to run the upgrade operation.
   - Press [N] to specify that you do not have an Internet connection.
   - Press [E] to copy the licenses to a license file.
   - Enter the name of the license package file to be created.
   - Press [Q] to quit the license upgrade tool.
6. Copy the license package file from the offline SmartCenter to any online machine. The online machine does not need to be a Check Point-installed machine.
7. Copy the license_upgrade tool to the online machine from the location specified in step 2.
8. Run the license_upgrade tool on the online machine:
   - Press [O] to run the upgrade operation in offline mode.
   - Enter the name of the exported file, with the location of the package file that is the result of step 5.
   - Enter the name of the file to be created with all the upgraded licenses (output file name).
   - Press [Y] when asked "Is this machine connected to the Internet?".
   - Press [Y] if you are connected to the Internet via a proxy and supply the proxy IP, port, username and password, or press [N] if you are not connected via proxy and continue with the upgrade.
   - Enter the username and password of your User Center account.
   New licenses are fetched from the User Center and placed in a cache file.
9. Copy the cache file (with the new licenses) to the offline SmartCenter. Copy the file to the same directory as the license upgrade tool.
10. Run the license_upgrade tool on the offline SmartCenter:
   - Press [U] to run the upgrade operation.
   - Press [N] when asked "Is this machine connected to the Internet?".
   - Press [I] to import the output file (with the upgraded licenses) to the SmartCenter.
   - Enter the output file name with all the upgraded licenses.
11. To check whether currently installed licenses have been upgraded, return to the main menu and press [C]. This displays the number of upgraded licenses on the machine and whether the original NG licenses have a replacement NGX license.
12. Perform the software upgrade to NGX on both the SmartCenter machine and the SmartConsole GUI machine.
13. On the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. The updated licenses are displayed as Assigned. Use the Attach assigned licenses option to attach the assigned licenses to the gateways.
14. Perform the software upgrade to NGX on the gateway machine(s).
15. Delete obsolete licenses from NGX gateways. At the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter server. In the License Repository, sort by the State column, select all the Obsolete licenses, Detach them, and then Delete them.
Note - SmartUpdate indicates whether a license is Attached or Unattached, and the license state. For details, refer to License Statuses in SmartUpdate on page 39.
To upgrade licenses for an online machine:
1. Copy the license_upgrade tool from <Specific_platform>\ on the NGX CD, or from the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
2. Place the license_upgrade tool on the online NG machine.
3. On the online machine, perform the license upgrade procedure by running the license_upgrade tool (on SecurePlatform, you must be in expert mode).
   Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on Windows platforms with via-proxy Internet connectivity.
4. Press [U] to run the upgrade operation. This does the following:
   - Collects all the licenses that exist on the machine.
   - Fetches updated licenses from the User Center.
   - Installs new licenses on the local machine.
   On a SmartCenter machine, if Management High Availability licenses exist, they are upgraded.
5. Perform the software upgrade to NGX.
6. Find out which licenses on the machine are obsolete. Run
   cplic print
7. Delete the obsolete licenses from the machine. For each obsolete license, run
   - Enter the name of the license package file to be created.
   - Press [Q] to quit the license upgrade tool.
5. Copy the license package file from the offline machine to any online machine. The online machine does not need to be a Check Point-installed machine.
6. Copy the license_upgrade tool to the online machine. The tool is located at the location specified in step 2.
7. Run the license_upgrade tool on the online machine:
   - Press [O] to run the upgrade operation in offline mode.
   - Enter the name of the exported file, with the location of the package file that is the result of step 5.
   - Enter the name of the file to be created with all the upgraded licenses (output file name).
   - Press [Y] when asked "Is this machine connected to the Internet?".
   - Press [Y] if you are connected to the Internet via a proxy and supply the proxy IP, port, username and password. Press [N] if you are not connected via proxy, and continue with the upgrade.
   - Enter the user and password of your User Center account.
   The new licenses are fetched from the User Center and placed in a cache file.
8. Copy the cache file (with the new licenses) to the offline machine. Copy the file to the same directory as the license_upgrade tool.
9. Run the license_upgrade tool on the offline machine:
   - Press [U] to run the upgrade operation.
   - Press [N] when asked "Is this machine connected to the Internet?".
   - Press [I] to import the output file (with the upgraded licenses) back to the SmartCenter.
   - Enter the output file name with all the upgraded licenses.
10. To check whether currently installed licenses have been upgraded, return to the main menu and press [C]. This shows the number of upgraded licenses on the machine and whether the original NG licenses have a replacement NGX license.
11. Perform the software upgrade to NGX on the offline machine.
12. To find out which licenses on the machine are obsolete, run cplic print.
13. Delete the obsolete licenses from the machine. For each obsolete license, run

Trial Licenses
Every Check Point product comes with a Trial License that allows unrestricted use of the product for 15 days. After the software upgrade, the Trial License continues to work for the remaining days of the license. There is no need to upgrade the Trial License. The Trial License does not work if you migrate your current SmartCenter configuration to a new machine and then upgrade the new machine to NGX.
Troubleshooting License Upgrade

In This Section
- Error: License version might be not compatible (page 48)
- Evaluation Licenses Created in the User Center (page 49)
- Evaluation Licenses Not Created in the User Center (page 49)
- Licenses of Products That Are Not Supported in NGX (page 50)
- License Not in Any of Your User Center Accounts (page 52)
- User Does Not Have Permissions on User Center Account (page 52)
- SKU Requires Two Licenses in NG and One License in NGX (page 53)
- SmartDefense Licenses (page 54)
- License Upgrade Partially Succeeds (page 54)
- Upgraded Licenses Do Not Appear in the License Repository (page 55)
- Cannot Connect to the User Center (page 55)
Error: License version might be not compatible

Symptoms

Error: Warning: Can't find .... in cp.macro. License version might be not compatible

The error occurs with commands such as cplic print, cpstop, cpstart, and fw ver.
Cause
This error occurs in any situation where a licensed version is not compatible with the version installed on a machine, for example, an NGX license on an NG machine. This error typically occurs when the license on the target machine is upgraded to NGX before the software is upgraded from a previous NG version to NGX. If the license upgrade is performed before the software upgrade, Check Point products generate warning messages until all the software on the machine has been upgraded. Refer to License Upgrade Methods on page 37 to determine the upgrade path that best applies to your current configuration.
Resolution
Upgrade the software to version NGX. Errors should not appear after the upgrade. Note that these errors do not affect the functionality of the version NG software.
Evaluation Licenses Created in the User Center

Cause
Evaluation licenses are not entitled to a license upgrade.
Resolution
Evaluation licenses cannot be upgraded. If you do not need the evaluation license, delete it. If you do need it, contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com.
Evaluation Licenses Not Created in the User Center

Cause

The evaluation licenses do not exist in the User Center. Evaluation licenses are not entitled to a license upgrade. An evaluation license can be identified by examining the license string. Evaluation licenses may contain one of the following strings in the Features description:
- CK-CP
- CK-CHECK-POINT-INTERNAL-USE-ONLY

Resolution

Evaluation licenses cannot be upgraded. If you do not need the evaluation license, delete it. If you do need it, contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com.
Licenses of Products That Are Not Supported in NGX

Cause

VPN-1 Net and VPN-1 SmallOffice are not supported in NGX; therefore, the User Center generates an error message if an attempt is made to upgrade the license for these products. The affected SKUs are:
- VPN-1 Net family SKUs: CPVP-VNT and LS-CPVP-VNT families
- SmallOffice family SKUs: CPVP-VSO and LS-CPVP-VSO families

Resolution

Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com.
Cause
The enforcement of NG gateway features is now performed by the NGX SmartCenter server. For example, the licensing model of QOS (formerly FloodGate-1) for VPN-1 UTM was altered in NGX, and VPN-1 UTM NGX gateways with QoS require an appropriate license to be installed on the SmartCenter server. In this scenario, the license upgrade is not handled automatically. The affected SKU family for QoS is: CPXP-QOS.
Resolution
If you have an NG Express gateway with a QoS (FloodGate-1) license, or in any other instance where this problem occurs, proceed as follows:
1. Perform a license upgrade at the User Center website to generate a new license.
2. Install the new, upgraded license on the NGX management machine (even if you do not upgrade the gateway).
3. Upgrade the gateway.
4. Delete the unneeded license from the gateway in one of two ways:
   - From the command line, run: cplic del <license_signature>
   - Using SmartUpdate, select the unneeded license, Detach it, and then Delete it.
License Not in Any of Your User Center Accounts

Cause
This specific license does not exist in any of the accounts that belong to this user.
Resolution
Run the tool again with the appropriate username. Note that each time you run the tool with a different username, upgraded licenses from the User Center are added to a cache file located on your machine. This file contains the successfully upgraded licenses from previous runs. If the partially successful license upgrade was performed via the Wrapper, then, after the Wrapper has finished, run the license upgrade again via the command line, using the appropriate username.
User Does Not Have Permissions on User Center Account

Cause
This user is not authorized to change this license in the User Center.
Resolution
Run the tool again with the appropriate username.
Note that each time you run the tool with a different username, upgraded licenses from the User Center are added to a cache file located on your machine. This file contains the successfully upgraded licenses from previous runs. If the partially successful license upgrade was performed via the Wrapper, then, after the Wrapper has finished, run the license upgrade again via the command line, using the appropriate username.
SKU Requires Two Licenses in NG and One License in NGX

Cause

The NG version of SecureClient requires two licenses: one license for the gateway and one for the SmartCenter server. In NGX, only the management license is needed. The gateway license (CPVP-VPS-1-NG) is no longer needed because it is incorporated in the VPN-1 license. The relevant SKU families are:
- CPVP-VSC
- LS-CPVP-VSC
- CPVP-VMC
- LS-CPVP-VMC
- CPVP-VSC-100-DES-NG
Resolution
After the software upgrade, delete the unneeded gateway license from the machine. Do this in one of two ways:
- From the command line, run:
SmartDefense Licenses
Symptoms
User Center Message (Error code: 902):
SmartDefense License is not needed on the gateway.
Cause
In NGX, enforcement of SmartDefense licenses is handled by the User Center. The affected SKU families are SU-SMRD and SU-SMDF.
Resolution
Delete the unneeded license from the machine.
License Upgrade Partially Succeeds

Cause
The license upgrade may fail for some licenses and succeed for others. A license may fail to upgrade for a number of reasons. For example, you may not have an Enterprise Subscription contract for the licensed product. For additional reasons why the license upgrade may fail, refer to Troubleshooting License Upgrade on page 48.
Resolution
After solving some or all of the licensing problems referred to in the error log, run the license_upgrade tool. This upgrades the licenses for which the problem has been solved. The tool can be found in one of the following locations:
- On the CD at <Specific_platform>
- On the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
When the license_upgrade tool is run several times, the results are cumulative. This means that if the upgrade of some licenses failed and the tool is run again:
- Licenses that have been successfully upgraded to NGX remain unchanged.
- Licenses that failed to upgrade in a previous run and have now been successfully upgraded are added to the machine.
For example, if the license upgrade failed because there was no Enterprise Software Subscription contract for the licensed product, purchase Software Subscription for those products and then run the tool again to fetch the new licenses from the User Center website.
Upgraded Licenses Do Not Appear in the License Repository

Cause
The file with the upgraded licenses that was fetched from the User Center cannot be imported into the SmartUpdate License Repository while SmartUpdate is open.
Resolution
Close any SmartUpdate GUI client that is running, and run
license_upgrade import -r
The upgraded licenses are imported into the SmartUpdate License Repository.
Cannot Connect to the User Center

Cause
Access to port HTTPS-443 is not allowed through the firewall. Access to the User Center requires this port to be open.
Resolution
Open port HTTPS-443 in the firewall. For example, in a deployment with one main firewalled gateway, and other gateways for branch offices within the organization, open HTTPS-443 in the main gateway for all the branch office gateways behind it.
Contract Verification
Contract verification is an integral part of the Check Point Licensing scheme. See Service Contract Files on page 59 for more information.
Introduction
Before upgrading a gateway or SmartCenter server to NGX R65, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on SmartCenter Server and downloaded to VPN-1 Power/UTM gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.
On a Windows Platform
When upgrading SmartCenter server, the upgrade process checks to see whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed:
You can:
- Download a contracts file from the User Center
  If you have Internet access and a valid user account, you may download a contract file directly from the User Center. The contract file obtained through the User Center contains contract information for all of your accounts at the User Center and conforms with the terms of your licensing agreements.
  i. Click Next.
  If the connection succeeds but the downloaded contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
- Import a local contract file
  If the server being upgraded does not have Internet access, then:
  i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
  ii. Log in to the User Center.
  iii. Browse to Support.
  iv. On the Downloads page, in the Service Contract File Download section, click Download Now:
  v. Transfer the downloaded file to the management server. After selecting Import a local contracts file, you can then browse to the location where you stored the contract file:
  If the contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
  vi. Click Next to continue with the upgrade process.
- Continue without contract information
  Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: Managing Contracts with SmartUpdate on page 82.
You can:
- Download a contracts file from the User Center
  If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
  - User name
  - Password
  If the contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see: Managing Contracts with SmartUpdate on page 82 for more information on using SmartUpdate).
- Import a local contract file
  If the server being upgraded does not have Internet access, then:
  i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
  ii. Log in to the User Center.
  iii. Browse to Support.
  iv. On the Downloads page, in the Service Contract File Download section, click Download Now:
  v. Transfer the downloaded file to the management server. After selecting Import a local contracts file, enter the full path to the location where you stored the file:
  If the contract file does not cover the SmartCenter server, a message informs you that the SmartCenter server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see: Managing Contracts with SmartUpdate on page 82 for more information on using SmartUpdate).
- Continue without contract information
  Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: Managing Contracts with SmartUpdate on page 82.
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO SmartCenter server to NGX R65, the upgrade process will check to see if there is a valid contract already present on the SmartCenter server. If a contract is not present, the upgrade process proceeds as normal. After successfully upgrading the gateway, the following message is displayed:
The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts). For further details see: http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point user center.
On a Windows Platform
After accepting the End User License Agreement (EULA), the following message is displayed:
After clicking Next, the upgrade process checks to see if a valid contract file is installed on the gateway. If no contract file exists, the upgrade process attempts to retrieve a contract file from the SmartCenter Server that manages the gateway. If a contract file cannot be retrieved from SmartCenter server, the main options for obtaining a contract file for the gateway are displayed:
You can:
- Download a contracts file from the User Center
  If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements.
  i. If the connection succeeds but the downloaded contract file does not cover the gateway, the following message appears:
  However, this will not prevent the upgrade from taking place.
  ii. After clicking Next, the upgrade process continues.
- Import a local contract file
  If the server being upgraded does not have Internet access, then:
  i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
  ii. Log in to the User Center.
  iii. Browse to Support.
  iv. On the Downloads page, in the Service Contract File Download section, click Download Now:
  v. Transfer the downloaded file to the gateway. After selecting Import a local contracts file, you can then browse to the location where you stored the file:
If the local contract file does not cover the gateway, the following message is displayed:
However, this will not prevent the upgrade from taking place. If the contract file covers the gateway, the following message is displayed:
- Continue without contract information
  Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: Managing Contracts with SmartUpdate on page 82.
The upgrade process searches for a valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to retrieve the latest contract file from the SmartCenter server that manages the gateway. If a valid contract file is not located on the SmartCenter server, the main options for obtaining a contract file for the gateway are displayed:
You can:
- Download a contracts file from the User Center
  If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
  - User name
  - Password
  - Proxy server address (if applicable)
If, according to information gathered from your User Center account, your gateway is not eligible for upgrade, the following message is displayed:
You may still upgrade the gateway but are advised to download a valid contract at a later date using SmartUpdate (see: Managing Contracts with SmartUpdate on page 82 for more information on using SmartUpdate).
- Import a local contract file
  If the server being upgraded does not have Internet access, then:
  i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
  ii. Log in to the User Center.
  iii. Browse to Support.
  iv. On the Downloads page, in the Service Contract File Download section, click Download Now:
  v. Transfer the downloaded file to the gateway. After selecting Import a local contracts file, enter the full path to the location where you stored the file:
  If the contract file does not cover the gateway, a message informs you that the gateway is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
- Continue without contract information
  Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: Managing Contracts with SmartUpdate on page 82.
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO gateway to NGX R65, the upgrade process will check to see if there is a valid contract available on the SmartCenter server that manages the gateway. If none is available, the upgrade process proceeds. After successfully upgrading the gateway, the following message is displayed:
The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts). For further details see: http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point user center.
Managing Contracts
The License Repository window in SmartUpdate displays contracts as well as regular licenses:
Clicking Show Contracts displays the contracts associated with this license:
Selecting a specific contract and then Properties displays the contract's properties, such as the contract ID and expiration date, as well as which licenses are covered by the contract:
Updating Contracts
Licenses & Contracts on the File menu has enhanced functionality for handling contracts:
- Licenses & Contracts > Update Contracts
  This option installs contract information on the SmartCenter server. Each time you purchase a new contract, use this option to make sure the new contract is displayed in the License Repository:
- Licenses & Contracts > Get all Licenses
  a. Collects licenses of all gateways managed by the SmartCenter server.
  b. Updates the contract file on the server if the file on the gateway is newer.
Introduction
This chapter describes the process of upgrading a distributed deployment to NGX R65. A distributed deployment consists of at least one SmartCenter server and one or more gateways. The SmartCenter server and gateway do not reside on the same physical machine. Since backward compatibility is supported, a SmartCenter server that has been upgraded to NGX R65 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway.

The NGX R65 SmartCenter server can manage the following gateways:

Release                                                  Version
VPN-1 Power/UTM NGX R62                                  NGX
VPN-1 Pro/Express NGX R61                                NGX
VPN-1 Pro/Express NGX R60A                               NGX
VPN-1 Pro/Express NGX R60                                NGX
VPN-1 Pro NG R55P                                        NG
VPN-1 Pro NG R55W                                        NG
VPN-1 Pro/Express NG with Application Intelligence R55   NG
VPN-1 Pro/Express NG with Application Intelligence R54   NG
VPN-1 Pro/Express NG FP3                                 NG
Express CI R57
GX 2.5                                                   2.5
VSX NG AI
VSX NG AI Release 2
VSX NGX
InterSpect NGX
Connectra NGX R62
NGX R65 is not backwardly compatible with:
- VPN-1 Pro/Express NG
- VPN-1 Pro/Express NG FP1
- VPN-1 Pro/Express NG FP2
Upgrading from versions prior to NG (4.0-4.1) is not supported. To upgrade FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R65.
Chapter 4
Pre-Upgrade Considerations

In This Section
- License Upgrade to NGX R65 (page 88)
- Web Intelligence License Enforcement (page 88)
- Upgrading Products on a SecurePlatform Operating System (page 89)
- VPN-1 UTM Edge Gateways Prior to Version 5.0 (page 89)
- Malicious Code Protector
- LDAP Injection
- SQL Injection
- Command Injection
- Directory Listing
- Error Concealment
- ASCII Only Request
- Header Rejection
- HTTP Methods
The actual license required depends on the number of Web servers protected by the gateway or gateway cluster. For NGX R60 and later versions, if the correct license is not installed, it is not possible to install a Policy on any gateway. When upgrading, be aware of this change of behavior. For additional information, refer to the Web Intelligence chapter in the CheckPoint R65 Firewall And SmartDefense Administration Guide.
TopologyOldFormat=1
3. Save and close the file. The change takes effect without running the commands cpstop and cpstart.
Usage:

pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w]

Where the currently installed version is one of the following:

For Release   Version is:
NGX           NGX_R62, NGX_R61, NGX_R60A, NGX_R60
NG            NG_R55, NG_R55P, NG_R55, NG_R54, NG_FP3
GX            GX_2.5
VSX           VSX_2.0.1, VSX_NG_AI, VSX_NG_AI_Release_2

The target version is: NGX_R65.
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled.
For details on upgrading SecurePlatform versions prior to R54, refer to SmartCenter Upgrade on Pre-R54 Versions of SecurePlatform on page 99. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Refer to the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide for additional information. If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 133 for details.

To perform an upgrade on a SecurePlatform:
1. Insert CD1 of the NGX R65 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
   Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement, and verify your contract information.
Chapter 4 Upgrading a Distributed Deployment
   For more information on contracts, see: On SecurePlatform, Linux, and Solaris Gateways on page 76.
8. Three upgrade options are displayed:
   - Upgrade
   - Export SmartCenter configuration
   - Perform pre-upgrade verification only
   i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see "Your configuration is ready for upgrade".
   ii. Export the SmartCenter configuration.
   iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository. Select one of the following:
   - Enter [L] to view the licenses installed on your machine.
   - Enter [C] to check if currently installed licenses have been upgraded.
   - Enter [S] to simulate the license upgrade.
   - Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   - Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   - Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to list the installed packages, and rpm -e <package name> to remove each one.
Perform pre-upgrade verification only
i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the SmartCenter configuration.
iii. Upgrade the installation.
10. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
11. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
12. Open SmartUpdate and attach the new NGX licenses to the gateways.
5. Before the upgrade begins, an image is created of the system and is used to revert to in the event the upgrade is not successful. The Save an Image before Upgrade page displays the image information. Click Next.
6. In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image. Click Next.
7. The Current Upgrade File on Appliance section displays the information of the current upgrade. To begin the upgrade, click Start.
For details on upgrading later SecurePlatform versions, refer to SmartCenter Upgrade on SecurePlatform on page 95. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Upgrading pre-R54 versions requires an upgrade of the patch command. If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 133 for details.
To perform an upgrade on pre-R54 versions of SecurePlatform:
1. Insert the SecurePlatform NGX R65 CD into the CD drive.
2. Enter the expert mode: # expert.
3. Mount the CD and upgrade the patch command using the following syntax:
Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.
9. The welcome message is displayed. Enter n.
10. Accept the license agreement, and verify your contract information. For more information on contracts, see: On SecurePlatform, Linux, and Solaris Gateways on page 76
11. Three upgrade options are displayed:
Upgrade
Export SmartCenter configuration
Perform pre-upgrade verification only
i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the SmartCenter configuration.
iii. Upgrade the installation.
12. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
13. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
14. Open SmartUpdate and attach the new NGX licenses to the gateways.
Note - The "patch add cd" command presents three options: run the pre-upgrade verification script; export the SmartCenter configuration; upgrade the installation.
If you select the first option, the command exits after performing the pre-upgrade verification. To select the second or third options, you need to run the "patch add cd" command again.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it will be the last package uninstalled. Run rpm -qa to list the installed packages, and rpm -e <package name> to remove each one.
12. Reboot.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it will be the last package uninstalled. Run pkginfo to list the installed packages, and pkgrm to remove each one.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to list the installed packages, and rpm -e <package name> to remove each one.
3. Click System Configuration > Install New IPSO Image (Upgrade). The New Image Installation Upgrade window opens.
4. Enter the following information:
Enter URL to the image location
Enter HTTP Realm (for HTTP URLs only)
Enter Username (if applicable)
Enter Password (if applicable)
5. Click Apply. You are informed that the file download and image installation may take some time.
6. Click Apply.
7. The new image installation process begins. Click the provided link to get the upgrade status.
8. When the upgrade is complete, click the link to the IPSO Image Management page. The IPSO Image Management window opens.
9. Under the title Select an image for next boot, select the last downloaded image.
10. Click Test Boot.
11. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
12. In the Network Voyager, click Refresh and log in.
13. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images. You should be able to see that the relevant IPSO Image is selected.
14. Select Commit testboot and click Apply.
15. Access the CLI console and log in.
16. Perform an FTP using bin mode to transfer the IPSO_Wrapper_R65.tgz package.
17. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter. This command:
Deactivates previous Check Point packages but does not delete them.
Finds the upgrade tools in $FWDIR and performs an import/export operation to preserve the previous configuration.
When the process is complete, you should receive a message indicating that the process was successful, along with a reminder to update your contract information. For more information on contracts, see: On IPSO on page 81.
18. Log off the console connection, and then log back on to set the environment variables.
19. Start the installed products by running cpstart.
Note - The previous Check Point packages remain installed but deactivated. Should the need arise, the previous packages can be activated through the Network Voyager.
In This Section
Upgrading a Clustered Deployment (page 111)
Upgrading the Gateway Using SmartUpdate (page 112)
Gateway Upgrade Process on a Windows Platform (page 116)
Gateway Upgrade on SecurePlatform (page 118)
Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2 (page 119)
Gateway Upgrade on a Solaris Platform (page 121)
Gateway Upgrade on an IPSO Platform (page 122)
SmartUpdate Options
SmartUpdate is the primary tool used for upgrading Check Point gateways. The following features and tools are available in SmartUpdate:
Upgrade All Packages: This feature allows you to upgrade all packages installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your operating system as a part of your upgrade. In NGX R65, SmartUpdate's Upgrade All Packages supports HFAs, i.e., it will suggest upgrading the gateway with the latest HFA if an HFA package is available in the Package Repository. "Upgrade All" is the recommended method. In addition, there is an advanced method to install (distribute) packages one by one.
Add Package to Repository: SmartUpdate provides three helper tools for adding packages to the Package Repository:
From CD: Adds a package from the Check Point CD.
From File: Adds a package that you have stored locally.
From Download Center: Adds a package from the Check Point Download Center.
Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or for your entire enterprise.
Check for Updates: This feature, available from the SmartDashboard Tools menu, locates the latest HFA on the Check Point Download Center, and adds it to the Package Repository.
2. Define the remote Check Point gateways in SmartDashboard (for a new SmartCenter server installation).
3. Verify that your SmartCenter server contains the correct license to use SmartUpdate.
4. Verify that the Administrator SmartUpdate permissions (as defined in the cpconfig configuration tool) are Read/Write.
5. To enable SmartUpdate connections to the gateways, make sure that Policy > Global Properties > FireWall > Firewall Implied Rules > Accept SmartUpdate Connections (SmartUpdate) is selected. By default, it is selected.
When adding the package to the Package Repository, the package file is transferred to the SmartCenter server. When the Operation Status window opens, you can verify the success of the operation. The Package Repository is then updated to show the new package object.
2. From the list provided, select the gateways that can be upgraded and click Upgrade.
Note - The Allow reboot... option (selected by default) is required in order to activate the newly installed packages.
The Operation Status pane opens and shows the progress of the installation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window, which shows the operation history. The following operations are performed during the installation process:
The Check Point Remote Installation Daemon connects to the Check Point gateway.
Verification for sufficient disk space.
Verification of the package dependencies.
The package is transferred to the gateway if it is not already there.
The package is installed on the gateway.
Enforcement policies are compiled for the new version.
The gateway is rebooted if the Allow Reboot... option was selected and the package requires it.
The gateway version is updated in SmartDashboard.
The installed packages are updated in SmartUpdate.
To upgrade a gateway to a pre-R65 version:
1. Add the corresponding packages to the Package Repository.
2. Right-click the gateway and select Distribute Package...
3. Select the relevant package from the list provided and click Distribute.
Repeat steps 2 to 3 for each package that should be installed on the gateway.
Note - It is also possible to use SmartUpdate to install HFAs on gateways from previous versions (for example, R54 and later).
5. When the pre-upgrade verification recommendation appears, select whether or not the Pre-upgrade verification tool should be executed (refer to Using the Pre-Upgrade Verification Tool on page 91). The Pre-upgrade verification tool performs a compatibility analysis of the currently installed gateway and its current configuration. A detailed report is provided, indicating the appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.
6. From the Upgrade Options screen, select Upgrade again. Another verification is run.
7. When prompted, reboot the gateway.
8. When the upgrade process is complete, do the following:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window that represents the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.
If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 133 for details.
For details on upgrading gateway versions prior to R54, refer to Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2 on page 119. The process described in this section upgrades all components (Operating System and software packages) in a single upgrade process. No further upgrades are required. The single upgrade package contains all necessary software items. Refer to the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide for additional information. If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 133 for details.
A Safe Upgrade will be performed. Safe Upgrade automatically takes a snapshot of the entire system so that the entire system (operating system and installed products) can be restored if something goes wrong during the Upgrade process (for example, hardware incompatibility). If the Upgrade process detects a malfunction, it automatically reverts to the Safe Upgrade image. When the Upgrade process is complete, upon reboot you are given the option to manually start the SecurePlatform operating system using the upgraded version image or using the image created prior to the Upgrade process.
6. After you complete the upgrade process, do the following:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window for the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.
4. Apply the SecurePlatform NGX R65 upgrade package using a CD ROM drive with the following command:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window for the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.
If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 133 for details.
Introduction
Before you perform an upgrade process, you should back up your current configuration. The purpose of the backup process is to back up the entire configuration, and to restore it if necessary, for example, in the event that the upgrade process is unsuccessful. To back up your configuration, use the Export utility tool of the version for which you are creating a backup file. For example, if you are backing up NG with Application Intelligence R55, use the NG with Application Intelligence Export utility tool. The backup file contains your current system configuration (for example, objects, rules, and users) and can be used to restore your previous configuration if the upgrade process fails. The restoration procedure restores the configuration in effect when the backup procedure was executed.
Note - Operating system level configurations (for example, network configuration) are not exported.
If you are performing an upgrade process on SecurePlatform, you do not have to back up your configuration using the Export utility. SecurePlatform provides the option of backing up your configuration during the Upgrade process.
Chapter 5
Restoring a Deployment
To restore a deployment:
1. Copy the exported.tgz file to the target SmartCenter server.
2. In the SmartCenter server, insert the product CD for the version being restored.
3. Using the available options, perform an installation using an imported configuration file.
Backup
This command is used to back up the system configuration. You can also copy backup files to a number of SCP and TFTP servers for improved backup robustness. The backup command, when run by itself without any additional flags, uses default backup settings and performs a local backup.
Syntax
backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [[--tftp <ServerIP> [-path <Path>] [<Filename>]] | [--scp <ServerIP> <Username> <Password> [-path <Path>][<Filename>]] | [--file [-path <Path>][<Filename>]]
Parameters
Table 5-1 Backup Parameters
-h: obtain usage
-d: debug flag
-l: Enables VPN-1 log backup (by default, VPN-1 logs are not backed up)
--purge DAYS: Deletes old backups from previous backup attempts
--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off: Schedule interval at which backup is to take place. On - specify time and day of week, or day of month. Off - disable schedule
--tftp <ServerIP> [-path <Path>] [<Filename>]: List of IP addresses of TFTP servers, on which the configuration is to be backed up, and optionally the filename
--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]: List of IP addresses of SCP servers, on which the configuration is to be backed up, the username and password used to access the SCP server, and optionally the filename
--file [-path <Path>] [<Filename>]: When the backup is performed locally, specify an optional filename
Restore
This command is used to restore the system configuration.
Syntax
restore [-h] [-d][[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 5-2 Restore Parameters
-h: obtain usage
-d: debug flag
--tftp <ServerIP> [<Filename>]: IP address of the TFTP server from which the configuration is restored, and the filename
--scp <ServerIP> <Username> <Password> [<Filename>]: IP address of the SCP server from which the configuration is restored, the username and password used to access the SCP server, and the filename
--file <Filename>: Specify a filename for a restore operation performed locally
For additional information about the backup and restore utilities, refer to the System Commands section in the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide.
SecurePlatform provides the option of backing up the entire SecurePlatform operating system and all of its products using the snapshot command. A snapshot of the system can be taken manually using the snapshot command or automatically during an upgrade procedure using the Safe Upgrade option. Having a snapshot of the entire operating system enables you to restore SecurePlatform if needed. Similar to Backup and Restore, the Snapshot and Revert features ensure easy maintenance and management, even if a situation arises that demands that you undo an upgrade and revert to a previous deployment. The snapshot and revert commands can use a TFTP server or an SCP server to store snapshots. Alternatively, snapshots can be stored locally.
Note - The snapshot and revert commands are relevant only for reverting NGX R65 to a previous version on SecurePlatform, because this involves reverting the entire platform. If you are using another platform, see Reverting to Your Previous Deployment on page 133.
Snapshot
This command creates an image of SecurePlatform. The snapshot command, run by itself without any additional flags, uses the default backup settings and creates a local snapshot.
Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 5-3 Snapshot Parameters
-h: obtain usage
-d: debug flag
--tftp <ServerIP> <Filename>: IP address of the TFTP server on which the snapshot is stored, as well as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>: IP address of the SCP server on which the snapshot is stored, the username and password used to access the SCP server, and the filename of the snapshot
--file <Filename>: When the snapshot is made locally, specify a filename
Revert
This command restores SecurePlatform from a snapshot file, reverting the machine to a previous deployment. The revert command, run by itself without any additional flags, uses default backup settings, and reboots the system from a local snapshot.
Syntax
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 5-4 Revert Parameters
-h: obtain usage
-d: debug flag
--tftp <ServerIP> <Filename>: IP address of the TFTP server from which the snapshot is rebooted, as well as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>: IP address of the SCP server from which the snapshot is rebooted, the username and password used to access the SCP server, and the filename of the snapshot
--file <Filename>: When the snapshot is stored locally, specify a filename
The revert command functionality can also be accessed from the Snapshot image management boot option.
If you are deploying on SecurePlatform, see SecurePlatform Snapshot Image Management on page 130. To revert to a version that was active before it was upgraded to NGX R65 VPN-1 Power/UTM, perform the uninstall procedure described in this section, according to the platform you have. VPN-1 Power/UTM will uninstall the last active version only, and leave the previously installed version as the now-active version. Note - Make sure to remove all NGX R65 products and compatibility packages before removing the NGX R65 CPsuite.
2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the NGX R65 versions are disabled.
Note - On flash-based platforms, the NGX R65 packages no longer appear in the Manage Packages page since they were never part of the previous configuration set.
ICA Considerations
Once the Revert process is complete, certificates issued during the use of NGX R65 remain valid. While these certificates are valid, they cannot yet be managed by the Internal CA. To resume management of older certificates after the Revert process:
1. Back up the InternalCA.NDB and ICA.crl files (located in the $FWDIR/conf directory) and all *.crl files (located in the $FWDIR/conf/crl directory) from the version prior to NGX R65 (for example, from NG with Application Intelligence R55) to a location of your choice.
2. Copy the NGX R65 InternalCA.NDB, ICA.crl and the *.crl files (located in the $FWDIR/conf directory) from the current NGX R65 version and use them to overwrite the files (for example, the NG with Application Intelligence R55 files) in the location specified in step 1 (in the $FWDIR/conf directory).
Note - If the Upgrade process was performed on a machine that runs a different operating system than the original machine, the InternalCA.NDB file must be converted after it is copied to the reverted environment. To do this, run the cpca_dbutil d2u command line from the reverted environment.
3. Once the Revert process is complete, use the ICA Management Tool to review certificates created using NGX R65 in the reverted environment (for example, the NG with Application Intelligence R55 environment). For example, the subject to which a specific certificate was issued may no longer exist. In such a case, you may want to revoke the specific certificate. For additional information, refer to The Internal Certificate Authority (ICA) and the ICA Management Tool chapter in the R65 SmartCenter Administration Guide.
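The two copy steps above, written as shell functions. This is an added example and not code from the Check Point guide: the file names and locations follow the guide ($FWDIR/conf/InternalCA.NDB, $FWDIR/conf/ICA.crl, $FWDIR/conf/crl/*.crl), while the function names, the directory arguments and the ICA_CONVERT switch are this example's own assumptions. Step 1 refuses to produce a backup that lacks the CA database, and step 2 checks that both NGX R65 files exist before it overwrites anything.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: the ICA file handling of the
# Revert procedure as two shell functions. Paths follow the guide; the
# function names and the ICA_CONVERT switch are assumptions of this example.

# Step 1: save the ICA database and CRLs of the pre-NGX R65 version.
# Usage: ica_backup <old $FWDIR> <backup directory>
ica_backup() {
    old_fwdir="$1"; dest="$2"
    # Without the CA database there is nothing worth restoring; stop here
    # rather than leave a backup directory that looks complete but is not.
    [ -f "$old_fwdir/conf/InternalCA.NDB" ] || {
        echo "ica_backup: $old_fwdir/conf/InternalCA.NDB not found" >&2
        return 1
    }
    mkdir -p "$dest/crl" || return 1
    cp -p "$old_fwdir/conf/InternalCA.NDB" "$dest/" || return 1
    # ICA.crl may not exist yet on an installation that never issued a CRL.
    if [ -f "$old_fwdir/conf/ICA.crl" ]; then
        cp -p "$old_fwdir/conf/ICA.crl" "$dest/" || return 1
    fi
    for f in "$old_fwdir"/conf/crl/*.crl; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/crl/" || return 1; fi
    done
    return 0
}

# Step 2: overwrite the reverted environment's ICA files with the NGX R65
# copies so the Internal CA can manage certificates issued under NGX R65.
# Usage: ica_overwrite <NGX R65 $FWDIR> <reverted $FWDIR>
ica_overwrite() {
    r65_fwdir="$1"; target_fwdir="$2"
    for name in InternalCA.NDB ICA.crl; do
        [ -f "$r65_fwdir/conf/$name" ] || {
            echo "ica_overwrite: $r65_fwdir/conf/$name not found" >&2
            return 1
        }
    done
    mkdir -p "$target_fwdir/conf/crl" || return 1
    cp -p "$r65_fwdir/conf/InternalCA.NDB" "$r65_fwdir/conf/ICA.crl" \
        "$target_fwdir/conf/" || return 1
    for f in "$r65_fwdir"/conf/crl/*.crl; do
        if [ -f "$f" ]; then cp -p "$f" "$target_fwdir/conf/crl/" || return 1; fi
    done
    # The guide's note: when the upgrade ran on a different operating system,
    # the copied database must be converted with cpca_dbutil d2u in the
    # reverted environment. ICA_CONVERT=1 is this example's own switch for that.
    if [ "${ICA_CONVERT:-0}" = "1" ]; then
        cpca_dbutil d2u || return 1
    fi
    return 0
}
```

Run ica_backup first, with the old installation's $FWDIR and a directory outside $FWDIR, and only then ica_overwrite; the backup is what lets you undo step 2 if the review in step 3 shows the NGX R65 database is not what you want to keep.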
Introduction
This chapter describes the process of upgrading a VPN-1 standalone deployment to NGX R65. A standalone deployment consists of the SmartCenter server and gateway installed on the same system. Since backward compatibility is supported, a SmartCenter server that has been upgraded to NGX R65 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway. The NGX R65 SmartCenter server can manage the following gateways:
Release: Version
NGX: VPN-1 Power/UTM NGX R62
NGX: VPN-1 Pro/Express NGX R61
NGX: VPN-1 Pro/Express NGX R60A
NGX: VPN-1 Pro/Express NGX R60
NG: VPN-1 Pro NG R55P
NG: VPN-1 Pro NG R55W
NG: VPN-1 Pro/Express NG with Application Intelligence R55
NG: VPN-1 Pro/Express NG with Application Intelligence R54
NG: VPN-1 Pro/Express NG FP3
NG: Express CI R57
GX: 2.5, 2.5, NGX
VSX: VSX NG AI
VSX: VSX NG AI Release 2
VSX: VSX NGX
InterSpect: NGX
Connectra: NGX R62
Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2
Pre-Upgrade Considerations
In This Section
License Upgrade to NGX (page 139)
Upgrading Products on a SecurePlatform Operating System (page 139)
Reverting to Your Previous Software Version (page 140)
VPN-1 Express CI R57 to NGX R65 on SecurePlatform (page 158)
Chapter 6
To back up your configuration, use the SecurePlatform snapshot and revert commands (for additional information, refer to SecurePlatform Backup and Restore Commands on page 127).
Where the currently installed version is one of the following:
For Release NGX, Version is: NGX_R62, NGX_R61, NGX_R60A, NGX_R60
For Release NG, Version is: NG_R55, NG_R55P, NG_R55, NG_R54, NG_FP3
For Release GX, Version is: GX_2.5
For Release VSX, Version is: VSX_2.0.1, VSX_NG_AI, VSX_NG_AI_Release_2
The target version is: NGX_R65.
Note - -f redirects the standard output to a file.
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled.
For details on upgrading SecurePlatform versions prior to R54, refer to VPN-1 Gateway Upgrade on Pre-R54 SecurePlatform Versions on page 149. The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. The single upgrade package contains all necessary software items.
Warning - For all operating systems except SecurePlatform, an NGX R65 upgrade cannot be reverted to its previous version once it is complete.
To perform an upgrade on a SecurePlatform server:
1. Insert CD1 of the NGX R65 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement, and verify your contract information. For more information on contracts, see: On SecurePlatform, Linux, and Solaris Gateways on page 76
8. Three upgrade options are displayed:
Upgrade
Export SmartCenter configuration
Perform pre-upgrade verification only
i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the SmartCenter configuration.
iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to list the installed packages, and rpm -e <package name> to remove each one.
i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the SmartCenter configuration.
iii. Upgrade the installation.
10. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
11. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
12. Open SmartUpdate and attach the new NGX licenses to the gateways.
The process described in this section upgrades all components (Operating System and software packages) in a single upgrade process. No further upgrades are required.
Warning - Once an NGX R65 upgrade is complete, for all operating systems except SecurePlatform it cannot be reverted to its previous version.
For additional information, refer to the R65 SecurePlatform/SecurePlatformPro Administration Guide. Upgrading pre-R54 versions requires an upgrade of the patch command.
To perform an upgrade on pre-R54 versions of SecurePlatform:
1. Insert the SecurePlatform NGX R65 CD into the CD drive.
2. Enter the Expert mode: # expert.
3. Mount the CD and upgrade the patch command using the following syntax:
8. When prompted, create a backup image for automatic revert. Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped. 9. The welcome message is displayed. Enter n. 10. Accept the license agreement, and verify your contract information. For more information on contracts, see: On SecurePlatform, Linux, and Solaris Gateways on page 76 11. Three upgrade options are displayed: Upgrade Export SmartCenter configuration Perform pre-upgrade verification only i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the SmartCenter configuration.
iii. Upgrade the installation.
12. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
14. Open SmartUpdate and attach the new NGX licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to view a list of the installed packages, and rpm -e <package name> to uninstall each package.
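As an added example (not part of the guide), the POSIX shell script below derives the uninstall order from rpm -qa --last, which lists packages newest install first, so its order is already the reverse of the installation order; it then checks that CPsuite is last and prints the rpm -e commands as a dry run. The package names other than CPsuite-R65 and the timestamps are constructed.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa --last` output (newest install first).
# Package names other than CPsuite-R65 are made-up placeholders.
SAMPLE_RPM_LAST='CPsmartlog-R65-00.i386                 Tue 06 Mar 2007 09:15:02 AM IST
CPvpn1-R65-00.i386                     Mon 05 Mar 2007 10:40:10 AM IST
openssl-0.9.7a-33.i386                 Mon 05 Mar 2007 10:20:00 AM IST
CPsuite-R65-00.i386                    Mon 05 Mar 2007 10:12:33 AM IST
kernel-2.4.21-4.i686                   Mon 05 Mar 2007 09:55:11 AM IST'

# Print the Check Point package names in uninstall order.
# Input: `rpm -qa --last` on stdin. Because --last sorts by install time,
# newest first, its order is already the reverse of the install order.
cp_uninstall_order() {
    awk '$1 ~ /^CP/ { print $1 }'
}

# Sanity check: CPsuite must be the last package to be removed.
# Argument: the rpm -qa --last listing as a single string.
check_cpsuite_last() {
    last=$(printf '%s\n' "$1" | cp_uninstall_order | tail -n 1)
    case "$last" in
        CPsuite-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the rpm -e commands without running them (dry run).
plan_uninstall() {
    printf '%s\n' "$1" | cp_uninstall_order | while read -r pkg; do
        printf 'rpm -e %s\n' "$pkg"
    done
}

if check_cpsuite_last "$SAMPLE_RPM_LAST"; then
    plan_uninstall "$SAMPLE_RPM_LAST"
else
    echo "CPsuite is not the oldest Check Point package; review the order manually"
fi
```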
13. After you complete the upgrade process:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that controls the upgraded gateway.
b. Open the gateway object properties window for the upgraded gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.
If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 133 for details.
Before upgrading, download the following from the Check Point website:
IPSO 4.2
IPSO_Wrapper_R65.tgz
To upgrade to R65 with UTM functionality:
1. Enter the Network Voyager and open a CLI console.
2. Click System Configuration > Install New IPSO Image (Upgrade). The New Image Installation Upgrade window opens.
3. Enter the following information (for IPSO 4.2):
Enter URL to the image location
Enter HTTP Realm (for HTTP URLs only)
Enter Username (if applicable)
Enter Password (if applicable)
4. Click Apply. You are informed that the file download and image installation may take some time.
5. Click Apply.
A message is displayed indicating that the new image installation process has started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images. The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.2
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images. You should be able to see that the relevant IPSO Image is selected.
12. Select Commit testboot and click Apply.
13. In Voyager, deactivate existing packages and delete them. Deactivate and delete the packages in the opposite order to which they were installed and activated.
14. Access the CLI console, and log in.
15. Type newpkg, and press Enter.
16. Use the FTP menu option to transfer the UTM-Base package.
17. Install the UTM-Base package. Wait until a message informs you that the process is complete.
18. Activate the UTM-Base package.
19. In Voyager, verify that the UTM Base package is turned ON.
20. On the CLI, type newpkg, and press Enter.
21. Use the FTP menu option to transfer the IPSO_Wrapper_R65.tgz package.
22. Install the IPSO_Wrapper_R65 package. Wait until a message informs you that the process is complete.
23. Type Reboot and press Enter.
24. From a console connection, run cpconfig.
25. Select a product:
Check Point Power for headquarters and branch offices
Check Point UTM for medium-sized businesses
26. Select an installation type, Stand Alone or Distributed.
27. Select Enterprise SmartCenter from the selection list.
28. Specify the SmartCenter type as Primary or Secondary.
29. Add Licenses.
30. Configure an administrator name and password.
31. Configure the GUI clients and hosts which can access the SmartCenter server using SmartConsole.
32. Configure Group Permissions.
33. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
34. Configure the Certificate Authority, and save the CA's fingerprint to a file.
35. Start the installed products. If you opt not to start the installed products at this time, they can be started later by running cpstart.
36. Reboot.
1. From the IPSO Image Management page in the Network Voyager, select the earlier IPSO image and reboot. When you revert to the earlier image, IPSO automatically reverts to using the saved configuration set associated with that image.
2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the NGX R65 versions are disabled.
Note - On flash-based platforms, the NGX R65 packages will no longer appear in the Manage Packages page since they were never part of the previous configuration set.
Introduction
There are a number of reasons for performing an advanced upgrade, for example if you need to:
Upgrade to NGX R65 while replacing the Operating System on which the current SmartCenter is installed.
Upgrade to NGX R65 while migrating to a new server.
Upgrade to NGX R65 while avoiding unnecessary risks to the production SmartCenter server in case of failure during the upgrade process.
To avoid unnecessary risks, it is possible to migrate the current configuration of the production SmartCenter server to a new SmartCenter server.
This section describes the advanced upgrade procedure for SmartCenter. The advanced upgrade procedure involves two machines. The first machine is the working production machine. The second machine is off-line, and only contains the operating system. The SmartCenter server is freshly installed on the second machine and the configuration of the first machine is imported.
When migrating to a new SmartCenter server, the destination server should have the same IP configuration as the original SmartCenter server. If you are migrating to a new machine with a different IP address, see Migration to a New Machine with a Different IP Address on page 175.
Warning - An advanced upgrade of SmartCenter Server influences the behavior of the Eventia Reporter Server in regard to consolidation sessions. If you are deploying Eventia Reporter, before you perform an advanced upgrade of SmartCenter server, you must first remove Eventia Reporter's consolidation session. See Advanced Eventia Reporter Upgrade on page 291 for how to remove the consolidation session.
Chapter 7
2. Accept the license agreement and click next.
3. Under Upgrade Options, select Export. If you opt to perform the Export procedure manually, make sure you are using the NGX R65 Export tool. The upgrade_export tool is located on the product CD under the windows directory.
4. When prompted, download the most recently updated upgrade utilities from the Check Point website. If this is not possible, select Use the upgrade utilities from the CD.
5. Perform the Pre-Upgrade Verification.
6. Select the destination path for the configuration (.tgz) file. Wait until the database files are exported.
7. Copy the exported .tgz file to the new SmartCenter server.
8. Insert the NGX R65 CD into the target SmartCenter server.
9. Do one of the following:
Perform a fresh install of SmartCenter server and import the configuration file. When prompted, select Installation using Imported Configuration. This option prompts you for the location of the imported .tgz configuration file and then automatically installs the new software and utilizes the imported .tgz configuration file.
Perform a fresh install of SmartCenter server, and manually import the configuration file using the upgrade_import tool on the NGX R65 CD.
Warning - The configuration (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the import process.
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter.
10. Enter n.
11. Specify the SmartCenter type to install:
Primary SmartCenter
Secondary SmartCenter
Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example through FTP.
17. Change directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R65 upgrade tools, taken from the installation CD or downloaded from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services. The license upgrade wrapper runs.
20. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.
6. Enter n.
7. For the installation option, select Installation Using Imported Configuration.
8. To import a SmartCenter configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration. Enter n. The license upgrade wrapper runs.
9. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
10. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
11. Enter n.
12. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. Enter n.
14. Specify an upgrade option:
Upgrade installed products
Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.
ii. Export the SmartCenter configuration
iii. Upgrade the installation
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.
9. Select the installation type: Stand Alone or Distributed.
10. Select Enterprise SmartCenter from the list.
11. Specify the SmartCenter type as Primary or Secondary.
12. Add Licenses.
13. Configure an administrator name and password.
14. Configure the GUI clients and hosts which can access the SmartCenter server management component.
15. Configure Group Permissions.
16. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
17. Configure the Certificate Authority, and save the CA's fingerprint to a file.
18. When prompted, do not start the installed products.
19. From $FWDIR/bin/upgrade_tools, run upgrade_import.
20. Reboot.
21. Start the installed products by running cpstart.
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter.
10. Enter n.
11. Specify the SmartCenter type to install:
Primary SmartCenter
Secondary SmartCenter
Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example, using FTP.
17. Change the directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R65 upgrade tools taken from the installation CD or downloaded from the Check Point website.
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services. The license upgrade wrapper runs.
20. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.
6. Enter n.
7. For the installation option, select Installation Using Imported Configuration.
8. To import a SmartCenter configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration. Enter n. The license upgrade wrapper runs. The license upgrade process may take some time, since all the licenses are gathered and sent in SSL-encrypted format to the Check Point User Center.
9. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
10. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website.
11. Enter n.
12. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. Enter n.
14. Specify an upgrade option:
Upgrade installed products
Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
18. Reboot.
Chapter 7 Advanced Upgrade of SmartCenter Servers & Standalone Gateways
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.
5. On the new SmartCenter, update the primary SmartCenter object so that its IP Address and topology match its new configuration. On the DNS, map the SmartCenter's DNS name to the new IP address.
This section covers the advanced upgrade procedure for VPN-1 gateways. The advanced upgrade procedure involves two machines. The first machine is the working production machine. The second machine is off-line, and only contains the operating system. The SmartCenter server is freshly installed on the second machine and the configuration of the first machine is imported.
9. Do one of the following:
Perform a fresh install of the VPN-1 gateway, and import the configuration file. When prompted, select Installation using Imported Configuration. This option prompts you for the location of the imported .tgz configuration file and then automatically installs the new software and utilizes the imported .tgz configuration file.
Perform a fresh install of VPN-1 gateway, and manually import the configuration file using the upgrade_import tool on the NGX R65 CD.
Warning - The configuration (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the import process.
To perform a new installation and manually import the configuration:
1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
Check Point Power (for headquarters and branch offices)
Check Point UTM (for medium-sized businesses)
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter and VPN-1 Power/UTM.
10. Enter n.
11. Specify the SmartCenter type to install:
Primary SmartCenter
Secondary SmartCenter
Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After the installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example through FTP.
17. Change directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R65 upgrade tools, taken from the installation CD or downloaded from the Check Point website.
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services. The license upgrade wrapper runs.
20. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.
To perform a new installation and upgrade using the wrapper:
1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
Check Point Power for headquarters and branch offices
Check Point UTM for medium-sized businesses
6. Enter n.
7. Select Installation Using Imported Configuration, for the installation option.
8. To import a SmartCenter configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration. Enter n. The license upgrade wrapper runs.
9. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
10. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
11. Enter n.
12. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. Enter n.
14. Specify an upgrade option:
Upgrade installed products
Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After the installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.
ii. Export the SmartCenter configuration.
iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.
9. Select the installation type: Stand Alone.
10. Select Enterprise SmartCenter and VPN-1 Power/UTM from the selection list.
11. Specify the SmartCenter type as Primary or Secondary.
12. Add Licenses.
13. Configure an administrator name and password.
14. Configure the GUI clients and hosts that can access the SmartCenter server management component.
15. Configure Group Permissions.
16. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
17. Configure the Certificate Authority, and save the CA's fingerprint to a file.
18. When prompted, do not start the installed products.
19. From $FWDIR/bin/upgrade_tools, run upgrade_import.
20. Reboot.
21. Start the installed products by running cpstart.
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter, and VPN-1 Power/UTM.
10. Enter n.
11. Specify the SmartCenter type to install:
Primary SmartCenter
Secondary SmartCenter
Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts that will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example through FTP.
17. Change directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R65 upgrade tools, taken from the installation CD or downloaded from the Check Point website.
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services. The license upgrade wrapper runs.
20. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.
6. Enter n.
7. To import a SmartCenter configuration and upgrade it, select Installation Using Imported Configuration as the installation option.
8. Enter the path to, and name of, the compressed file that contains the exported configuration. Enter n. The license upgrade wrapper runs. The license upgrade process may take some time while all the licenses are gathered and sent in SSL-encrypted format to the Check Point User Center.
9. Enter c to continue, or q to quit. If you choose to continue, refer to Upgrading Licenses for Products Prior to NGX on page 29.
10. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to download the latest tools from the Check Point website.
11. Enter n.
12. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. Enter n.
14. Specify an upgrade option:
Upgrade installed products
Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After product installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
b. Configure GUI clients: A list of hosts that will be able to connect to this SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA's fingerprint to a file.
f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.
SmartUpdate's Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or throughout your entire enterprise.
Chapter 8
Note - Full Connectivity Upgrade is supported between minor versions only. For further information, refer to Full Connectivity Upgrade on a ClusterXL Cluster on page 200 and the NGX R65 Release Notes.
When upgrading from R55W to NGX R65, refer to NGX R65 Release Notes for details about support of Web Intelligence and VoIP Application Intelligence features on Load Sharing Clusters.
4. Upgrade cluster members B and C in one of the following ways:
Using SmartUpdate
In Place
When the upgrade of B and C is complete, reboot both of them.
5. Continue with the process according to one of the following scenarios:
If you are upgrading from NG with Application Intelligence (R54 and above), skip to step 6.
When machines B and C are up again, change the cluster version in SmartDashboard to NGX R65. If you are running SmartUpdate, skip to step 8. SmartUpdate compiles and installs an updated policy on the new member, once it is rebooted.
6. Installing the policy: If you are upgrading from NG with Application Intelligence (R54 and above), install the policy on the cluster. The policy will be successfully installed on cluster members B and C, and will fail on member A. Be aware that policy installation on the old Check Point gateway may cut connections for services that do not survive the policy installation. This can be avoided by configuring the Check Point Gateway > Advanced > Connection Persistence tab to either Keep all connections or Keep data connections. For complete instructions, click the help button in the Connection Persistence tab.
Note - Do not change any cluster parameters from the current policy at this time. For example, if the cluster is running in New High Availability mode, do not change it to LS. Changes can be made after the upgrade process is complete.
7. If you are upgrading from a previous version, perform the following steps:
a. From the Policy Installation window, clear the For Gateway Clusters, install on all the members, if it fails do not install at all option located under the Install on each selected Module independently option.
b. Install the security policy on the cluster. The policy will be successfully installed on cluster members B and C, and will fail on member A.
8. Using the cphaprob stat command (executed on a cluster member), verify that the status of cluster member A is Active or Active Attention. The remaining cluster members will have a Ready status. The status Active Attention is given if member A's synchronization interface reports that its outbound status is down, because it is no longer communicating with other cluster members.
9. When upgrading versions prior to NGX, execute the fw ctl setsync off command on cluster member A.
10. Execute the cphastop command on cluster member A. Machines B and/or C start to process traffic (depending on whether this is a Load Sharing or High Availability configuration).
198
11. It is recommended that you do not install a new policy on the cluster until the last member has been upgraded. If you must install a new policy, perform the following steps:
a. Run cpstop on the old Check Point gateway.
b. Run fw ctl set int fwha_conf_immediate 1 on all new Check Point gateways.
c. Install the policy.
Note - It is recommended that you minimize the time in which cluster members are running different versions.
To upgrade the final cluster member:
1. Upgrade cluster member A, either using SmartUpdate or in place.
2. Reboot cluster member A.
3. Run cphaconf set_ccp multicast followed by cphastart on all cluster members. This returns the cluster control protocol to multicast (instead of broadcast). This step can be skipped if you prefer to keep the cluster control protocol in broadcast mode.
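As an added example (not part of the Check Point guide), the following POSIX shell helper gates step 10 (cphastop on member A) on the states that step 8 asks you to verify with cphaprob stat: the member being retired must be Active or Active Attention and every other member Ready. The sample output is constructed for this example and the column layout (Number, Unique Address, Assigned Load, State) is an assumption; compare it with your own member's output before relying on the parser.

```sh
#!/bin/sh
# Added example, not from the Check Point guide. Parses "cphaprob stat" output
# and checks the step-8 condition before "cphastop" is run on a member.

# Constructed sample of "cphaprob stat" output; the column layout is assumed.
SAMPLE_CPHAPROB_STAT='Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  10.10.10.1      100%            Active Attention
2          10.10.10.2      0%              Ready
3          10.10.10.3      0%              Ready'

# member_state <number>: read cphaprob stat output on stdin and print the
# State column of that member ("Active", "Active Attention", "Ready", ...).
member_state() {
    awk -v want="$1" '
        $1 == want {
            # The State column starts right after the Assigned Load column,
            # which is the first field ending in "%".
            start = 0
            for (i = 2; i <= NF; i++) if ($i ~ /%$/) { start = i + 1; break }
            s = ""
            if (start) for (i = start; i <= NF; i++) s = s (i > start ? " " : "") $i
            print s
        }'
}

# ready_for_cphastop <number>: read cphaprob stat output on stdin; succeed only
# when the member being retired is Active or Active Attention and all other
# members report Ready. Run it on the member right before "cphastop".
ready_for_cphastop() {
    out=$(cat)
    mine=$(printf '%s\n' "$out" | member_state "$1")
    case "$mine" in
        "Active"|"Active Attention") ;;
        *) echo "member $1 reports '$mine', expected Active or Active Attention" >&2
           return 1 ;;
    esac
    not_ready=$(printf '%s\n' "$out" | awk -v skip="$1" '
        $1 ~ /^[0-9]+$/ && $1 != skip && $NF != "Ready" { n++ }
        END { print n + 0 }')
    if [ "$not_ready" -ne 0 ]; then
        echo "$not_ready other member(s) are not Ready; do not run cphastop yet" >&2
        return 1
    fi
    return 0
}

# Typical use on the member being retired (member 1 here):
#   cphaprob stat | ready_for_cphastop 1 && cphastop
```

The check is deliberately strict: a member that is still Down or Initializing rather than Ready means the others have not finished taking over state, and stopping the old member at that point drops the connections that step 11 tries to preserve.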
Supported Modes
FCU is supported on all modes of ClusterXL, including IPSO's IP clustering and VRRP. Legacy High Availability is not supported in FCU. For other third-party products, refer to the third-party documentation.
The exact same products must be installed on the old member (OM) and on the new member (NM). For example, it is not possible to perform an FCU from a Check Point Gateway that has Floodgate-1 installed to a newer Check Point Gateway that does not have Floodgate-1 installed. Verify the installed products by running the command fw ctl conn on both cluster members. An example output on the NM:
Registered connections modules:
No. Name            Newconn  Packet   End      Reload   Dup Type  Dup Handler
0:  Accounting      00000000 00000000 d08ff920 00000000 Special   d08fed58
1:  Authentication  d0976098 00000000 00000000 00000000 Special   d0975e7c
3:  NAT             00000000 00000000 d0955370 00000000 Special   d0955520
                    d091e670 00000000 00000000 d091e114 Special   d0913da8
                    00000000 d09732d8 00000000          None      00000000
                    00000000 d155a8d0 00000000          Special   d1553e48
Verify that the list of registered connection module names is the same on both cluster members.
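As an added example (not part of the Check Point guide), the shell helper below extracts the module names from fw ctl conn output captured on each member and refuses when the two lists differ, so the product mismatch is caught before fw fcu is run. The sample outputs are constructed for this example in the layout shown above; the NM sample omits the NAT module to show what a mismatch looks like.

```sh
#!/bin/sh
# Added example, not from the Check Point guide. Compares the module lists that
# "fw ctl conn" prints on the old member (OM) and the new member (NM).

# Constructed sample outputs. Handler addresses differ between builds, so only
# the module names are compared.
SAMPLE_OM='Registered connections modules:
No.  Name            Newconn  Packet   End      Reload   Dup Type  Dup Handler
0:   Accounting      00000000 00000000 d08ff920 00000000 Special   d08fed58
1:   Authentication  d0976098 00000000 00000000 00000000 Special   d0975e7c
3:   NAT             00000000 00000000 d0955370 00000000 Special   d0955520'
SAMPLE_NM_MISMATCH='Registered connections modules:
No.  Name            Newconn  Packet   End      Reload   Dup Type  Dup Handler
0:   Accounting      00000000 00000000 d08ff920 00000000 Special   d08fed58
1:   Authentication  d0976098 00000000 00000000 00000000 Special   d0975e7c'

# conn_modules: read "fw ctl conn" output on stdin and print the registered
# module names, one per line, in registration order. Rows start with "N:".
conn_modules() {
    awk '$1 ~ /^[0-9]+:$/ { print $2 }'
}

# modules_match <om-output> <nm-output>: succeed when both members register the
# same module names in the same order; otherwise print both lists and fail.
# The module index itself is allowed to differ (the FCU status output shows
# the OM-to-NM translation map), which is why only names are compared.
modules_match() {
    om=$(printf '%s\n' "$1" | conn_modules)
    nm=$(printf '%s\n' "$2" | conn_modules)
    if [ "$om" = "$nm" ]; then
        return 0
    fi
    {
        echo "fw ctl conn module lists differ; FCU requires the same products on OM and NM"
        echo "--- OM ---"; printf '%s\n' "$om"
        echo "--- NM ---"; printf '%s\n' "$nm"
    } >&2
    return 1
}

# Typical use on the NM, with the OM output copied over beforehand:
#   modules_match "$(cat /tmp/om_fw_ctl_conn.txt)" "$(fw ctl conn)" || exit 1
```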
All the Gateway configuration parameters should have the same values on the NM and the OM. The same rule applies to any other local configurations you may have set. For example, having the attribute block_new_conns with different values on the NM and on the OM might cause the FCU to fail since gateway behavior cannot be changed during the upgrade.
A cluster that performs static NAT using the gateway's automatic proxy ARP feature requires special consideration: cpstop the old Check Point Gateway right after running cphastop. Running cphastop is part of the upgrade procedure described in Zero Downtime Upgrade on a ClusterXL Cluster on page 197. Failure to do this may cause some of the connections that rely on proxy ARP to fail, and may cause other connections that rely on proxy ARP not to open until the upgrade process completes. Note, however, that running cpstop on the old Check Point Gateway rules out the option of rolling back to the OM while maintaining all live connections that were originally created on the OM.
2. First upgrade only one member, following the steps outlined in Zero Downtime Upgrade on a ClusterXL Cluster on page 197. Before you get to step 10 on page 198 (executing cphastop), run the following command on all the upgraded members:
fw fcu <other member ip on sync network>
Then continue with step 10 on page 198 on all remaining OMs. For more than three members, divide the upgrade of your members so that the active cluster members can handle the amount of traffic during the upgrade.
Note - cphastop can also be executed from the Cluster object in the SmartConsole. Once cphastop is executed, do not run cpstart or cphastart again, and do not reboot the machine.
The command output includes the following parameters:
During FCU: This should be yes only after running the fw fcu command and before running cphastop on the final OM. In all other cases it should be no.
Number of connection modules: Safe to ignore.
Connection module map: The output reveals a translation map from the OM to the NM. For additional information, refer to Full Connectivity Upgrade Limitations on page 201.
Chapter 8 Upgrading ClusterXL Deployments
Table id map: This shows the mapping between the gateway's kernel table indices on the OM and on the NM. Having a translation is not mandatory.
Table handlers: This should include sip_state and connection table handlers. In a VPN-1 Power/UTM configuration, a VPN handler should also be included.
Global handlers: Reserved for future use.
Options
-t - table
-u - unlimited entries
-s - (optional) summary of the number of connections
For further information on the fw tab -t connections command, refer to the Command Line Interface Book.
Chapter 9
Introduction
This chapter describes methods and utilities for upgrading Provider-1/SiteManager-1 to R65.
In This Section
Supported Versions and Platforms (page 206)
Provider-1/SiteManager-1 Terminology (page 207)
Before You Begin (page 207)
The following versions need to be upgraded to a more recent version before they can be upgraded to NGX R65:
NG FP3 HF2: If you have NG FP3 Edition 1, NG FP3 Edition 2, NG FP3 Edition 3 or NG FP3 HF1, first install the Provider-1/SiteManager-1 NG FP3 HF2 Hotfix or the Hotfix Accumulator Build (HFA).
NG FP2: Upgrade to FP3 or above in order to upgrade to R65.
NG FP1 HF1: Upgrade to FP3 or above in order to upgrade to R65.
The latest information regarding supported platforms is always available in the Check Point Release Notes at: http://www.checkpoint.com/support/technical/documents/index.html
Provider-1/SiteManager-1 Terminology
Before discussing Provider-1/SiteManager-1 upgrades and licensing, it is worth reviewing some important Provider-1/SiteManager-1 terms.
The Multi-Domain Server (MDS) houses Provider-1 system information. It contains details of the Provider-1 deployment, its administrators, and Customer management information. The MDS has two flavors: the Manager, which runs the Provider-1 deployment, and the Container, which holds the Customer Management Add-Ons (CMAs). The Manager and Container can be installed on the same server, or separately.
A Customer Management Add-On (CMA) is the Provider-1 equivalent of the SmartCenter server for a single Customer. Through the CMA, an administrator creates Security Policies and manages the Customer's modules.
In This Section
Pre-Upgrade Verifiers and Fixing Utilities (page 208)
Installation Script (page 209)
pv1_license_upgrade (page 211)
license_upgrade (page 211)
cma_migrate (page 212)
migrate_assist (page 215)
migrate_global_policies (page 216)
Backup and Restore (page 216)
Pre-Upgrade Verifiers and Fixing Utilities
The Provider-1/SiteManager-1 Pre-Upgrade Verifier uses Provider-1/SiteManager-1 specific verifications as well as the verifications performed by SmartCenter's Pre-Upgrade Verification Tool. Refer to Using the Pre-Upgrade Verification Tool on page 91.
Installation Script
Starting from NG with Application Intelligence, use the mds_setup installation script for MDS.
Note - When installing MDS on SecurePlatform, the installation is performed using the SecurePlatform installer on the CD. Do not execute the mds_setup script directly. For additional information, refer to Provider-1/SiteManager-1 Upgrade Practices on page 249.
To run mds_setup:
1. Mount the Provider-1 CD from the relevant subdirectory.
2. Change the directory to the mounted directory.
3. Browse to either the Solaris or Linux directory, depending on the operating system of your MDS machine.
4. Run the installation script: ./mds_setup
When mds_setup is executed, it first checks for an existing installation of MDS. If no such installation exists, mds_setup asks you to confirm a fresh installation of MDS. If a previous version of MDS is detected, you are prompted to select one of the options listed below (Pre-Upgrade Verification Only, Upgrade or Backup).
5. Exit all shell sessions. Open a new shell in order for the new environment to be set.
Upgrade
When the upgrade option is used, mds_setup runs the Pre-Upgrade Verifier and, if no errors are found, the upgrade process proceeds. In case of errors, mds_setup stops the installation until all the errors are fixed. In some cases, mds_setup suggests automatically fixing the problem using a fixing utility. Fixing utilities that affect the existing installation can also be executed from the command line. You can choose to stop the installation and execute the fixing utility from the command line.
There are two important things to remember after changing your existing installation:
Verify your changes in the existing installation before you upgrade.
Synchronize global policies. If you make changes in global policies, reassign these global policies to customers. If you have a multi-MDS environment: synchronize databases between MDSs in High Availability; synchronize databases between CMAs in High Availability; install the database on CLMs.
Backup
Prior to performing an upgrade, back up your MDS. The backup option from mds_setup runs the mds_backup process (refer to mds_backup). Backup is also used for replication of your MDS to another machine. Manual operations are necessary if you are switching IP addresses or network interface names. For additional information, refer to Changing the MDS IP Address and External Interface on page 269.
pv1_license_upgrade
The pv1_license_upgrade command line tool is used to perform the license upgrade for Provider-1. Provider-1/SiteManager-1 NGX cannot function with NG licenses. It is recommended to upgrade all Provider-1/SiteManager-1 NG licenses to NGX before upgrading the software to NGX. When the tool is run on the MDS, upgraded licenses are obtained from the Check Point User Center website for the MDS and for all the CMAs on the MDS. The tool makes it simple to upgrade licenses automatically, eliminating the need to do so manually through the User Center.
The pv1_license_upgrade tool can be found in the following locations:
Provider-1 R65 CD at: <platform>/LicenseUpgrade/
R65 installation at: /opt/CPmds-R65/system/license_upgrade/
Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
license_upgrade
The license_upgrade command line tool is used to perform the license upgrade for a single CMA. It is the same tool that is used to perform license upgrades in SmartCenter environments. License upgrade is required when upgrading from versions prior to NGX.
The license_upgrade tool can be found in the following locations:
Provider-1 R65 CD at: <platform>/LicenseUpgrade/
R65 installation at: /opt/CPmds-R65/system/license_upgrade/
Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
The license_upgrade tool can be run either as a command line with parameters, or in Wizard mode, which allows you to choose options from a menu. To run the tool in Wizard mode, run: license_upgrade
Table 9-1 lists some of the more commonly used tool options.
Table 9-1 license_upgrade Tool Options
license_upgrade simulate ([S] in Wizard mode): Sends existing licenses to the User Center Web site to simulate the license upgrade, in order to verify that it can be performed. No actual upgrade is done and no new licenses are returned.
license_upgrade upgrade ([U] in Wizard mode): Sends existing licenses to the User Center Web site to perform the upgrade and (by default, in online mode) installs them on the machine.
license_upgrade status ([C] in Wizard mode): Reports whether or not there are licenses on the machine that need to be upgraded.
By default, on a CMA, each operation is performed on the licenses in the License Repository as well as on the licenses that belong to the local machine.
cma_migrate
This utility is used to import an existing SmartCenter server or CMA into a Provider-1/SiteManager-1 MDS so that it will become one of its CMAs. If the imported SmartCenter or CMA is of a version earlier than the MDS to which it is being imported, then the Upgrade process is performed as part of the import. The available versions are listed in Supported Versions and Platforms on page 206. Bear in mind that the source and target platforms may be different. The platform of the source management to be imported can be Solaris, Linux, Windows, SecurePlatform or IPSO. Before running cma_migrate, create a new customer and a new CMA. Do not start the CMA, or the cma_migrate will fail. The source databases subdirectories to be migrated are conf, database and log. If you are migrating an NG- or NGX-type source database, the CPshared conf and database directories should be put inside the <old source database directory path>. They should be renamed conf.cpdir and database.cpdir (respectively), to avoid overwriting the FWDIR conf and database directories.
Usage
cma_migrate <source management directory path> <target CMA FWDIR directory>
Example
cma_migrate /tmp/orig_mgmt_dir /opt/CPmds-R65/customers/cma2/CPsuite-R60/fw1
The first argument (<source management directory path>) specifies a path on the local MDS machine where the data of the source management resides. Use migrate_assist to build this source directory, or build it manually. Set the structure under the source management directory as described in Table 9-2.
Table 9-2 Source Management Structure
conf: This directory contains the information that resides in $FWDIR/conf of the source management.
database: This directory contains the information that resides in $FWDIR/database of the source management.
log: This directory contains the information that resides in $FWDIR/log of the source management, or is empty if you do not wish to maintain the logs.
conf.cpdir: This directory is required when the source management is NG FP1 or higher. It contains the information that resides in $CPDIR/conf of the source management.
registry: This directory contains the information that resides in $CPDIR/registry of the source management.
The second argument (<target CMA FWDIR directory>) is the FWDIR of the newly created CMA.
Note - To run the cma_migrate utility from the MDG, right-click a CMA and select Import Customer Management Add-on from the menu.
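As an added example (not part of the Check Point guide), the shell helper below checks a source management directory against the layout of Table 9-2 before it is handed to cma_migrate, whether the tree was built by migrate_assist or by hand. Treating a missing registry directory as a warning rather than an error is an assumption made here, since the guide does not say whether it is mandatory; the check that the target CMA FWDIR exists is likewise this example's own precaution.

```sh
#!/bin/sh
# Added example, not from the Check Point guide. Pre-flight checks for cma_migrate.

# check_cma_source <source-dir> <ng|pre-ng>: print what is missing and fail
# unless the subdirectories of Table 9-2 are present. "ng" means the source
# management is NG FP1 or later, which makes conf.cpdir mandatory.
check_cma_source() {
    dir=$1
    kind=$2
    missing=""
    for sub in conf database log; do
        [ -d "$dir/$sub" ] || missing="$missing $sub"
    done
    if [ "$kind" = ng ]; then
        [ -d "$dir/conf.cpdir" ] || missing="$missing conf.cpdir"
        # registry is listed in Table 9-2; its absence is only a warning here
        # (assumption), because the guide does not call it mandatory.
        [ -d "$dir/registry" ] || echo "warning: $dir/registry not present" >&2
    fi
    if [ -n "$missing" ]; then
        echo "missing under $dir:$missing" >&2
        return 1
    fi
    return 0
}

# cma_migrate_preflight <source-dir> <ng|pre-ng> <target-cma-fwdir>: run the
# source checks, make sure the FWDIR of the new (not yet started) CMA exists,
# and print the cma_migrate command line that would then be run.
cma_migrate_preflight() {
    check_cma_source "$1" "$2" || return 1
    if [ ! -d "$3" ]; then
        echo "target CMA FWDIR $3 does not exist; create the customer and CMA first" >&2
        return 1
    fi
    printf 'cma_migrate %s %s\n' "$1" "$3"
}

# Typical use, with the paths from the guide's example:
#   src=/tmp/orig_mgmt_dir
#   tgt=/opt/CPmds-R65/customers/cma2/CPsuite-R60/fw1
#   cma_migrate_preflight "$src" ng "$tgt" && cma_migrate "$src" "$tgt"
```

Remember that the CPDIR directories must be placed under the source directory as conf.cpdir (and database.cpdir, where present) rather than as conf and database; a CPDIR copy left under its original name would be mistaken for the FWDIR directory of the same name, which the check above cannot distinguish by itself.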
When running cma_migrate, pre-upgrade verification takes place. If no errors are found, the migration continues. If errors are found, changes must be made on the original SmartCenter server.
The original Certificate Authority and putkey information is maintained when using cma_migrate. This means that a SmartCenter server migrated with cma_migrate should not re-generate certificates for gateways, and SIC should continue to work with gateways from version NG and later. However, if the IP address of the CMA differs from that of the original management, putkey must be repeated between the CMA and the entities that connect to it using putkey information. Use putkey -n to re-establish trust. For additional information on putkey, refer to the Check Point Command Line Interface documentation.
If your intent is to split a CMA into two or more CMAs, reinitialize their Internal Certificate Authority so that only one of the new CMAs employs the original ICA:
1. mdsstop_customer <CMA NAME>
2. mdsenv <CMA NAME>
3. Remove the current Internal Certificate Authority by executing the fwm sic_reset command. This may require some preparation, described in detail at the command prompt and in SecureKnowledge solution sk17197.
4. Create a new Internal Certificate Authority by executing: mdsconfig -ca <CMA NAME> <CMA IP>
5. Run the command: mdsstart_customer <CMA NAME>
migrate_assist
This utility is a helper utility for cma_migrate. It can be used to pull the original management directories to the current disk storage using FTP. When you finish running migrate_assist, it is possible to run cma_migrate (refer to cma_migrate on page 212), the input directory of which will be the output directory of migrate_assist.
Usage
migrate_assist <source machine name/ip> <source FWDIR folder> <user name> <password> <target folder> [<source CPDIR folder>]
Example
To import a SmartCenter server with the IP address 192.168.0.5 of version NG FP3, use the following command:
Where /EMC1 is the name of the directory created on the MDS server machine, migrate_assist accesses the source machine and imports the source FWDIR and CPDIR folders to the specified target folder, according to the structure described above. The user name and password are needed to gain access to the remote machine via FTP. The source CPDIR parameter is required if the original management is NG FP3 or higher.
Note - migrate_assist does not affect the source database; however, it is highly recommended to stop it before running migrate_assist so that no SmartConsole clients accidentally edit the database during migration. Note also that FTP transmits the user name, password and the management database in clear text, so run it only over a network you trust.
migrate_global_policies
The migrate_global_policies utility transfers (and upgrades, if necessary) a global policies database from one MDS to another. If the global policies database on the target MDS has policies that are assigned to customers, migrate_global_policies aborts. This is done to ensure that the Global Policy used at the Customer's site is not deleted.
Note - When executing the migrate_global_policies utility, the MDS will be stopped. The CMAs can remain up and running.
Usage
migrate_global_policies <path global policies conf database>
<path global policies conf database> specifies the directory path where the global policies files, originally taken from the MDS's $MDSDIR/conf, are located.
Note - migrate_global_policies fails if there is a global policy assigned to a Customer. Do not create and assign any Global Policy to a Customer before you run migrate_global_policies.
During backup, it is okay to view data but do not write using MDGs, GUIs or other clients. If the Provider-1/SiteManager-1 system consists of several MDSes, the backup procedure takes place manually on all the MDSes concurrently. Likewise, when the restoration procedure takes place, it should be performed on all MDSes concurrently.
mds_backup
This utility stores binaries and data from your MDS installation. Running mds_backup requires super-user privileges. The utility runs the gtar command on the root directories of data and binaries. Any extra information located under these directories is backed up, except for files that are specified in the mds_exclude.dat file ($MDSDIR/conf). The collected information is wrapped in a single zipped tar file. The name of the created backup file comprises the date and time of the backup, followed by the extension .mdsbk.tgz. For example: 13Sep2002-141437.mdsbk.tgz. The file is placed in the current working directory, so it is important not to run mds_backup from one of the directories that is to be backed up. For example, when backing up an NG FP3 MDS, do not run mds_backup from /opt/CPmds-61, since you cannot archive the directory into which you are writing.
Usage
mds_backup
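As an added example (not part of the Check Point guide), the shell wrapper below enforces the two constraints just described before calling mds_backup: it must run as root, and the working directory must not lie under a directory that is itself archived. It also recognises the archive name pattern so a later step can pick the file up. MDSDIR is assumed to come from the MDS environment (mdsenv); checking FWDIR as well is this example's own precaution.

```sh
#!/bin/sh
# Added example, not from the Check Point guide. Guards around mds_backup.

# path_within <path> <root>: succeed if <path> is <root> or lies beneath it.
path_within() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
    esac
    return 1
}

# backup_name_ok <file>: succeed if <file> is named ddMonyyyy-hhmmss.mdsbk.tgz,
# the pattern mds_backup uses (e.g. 13Sep2002-141437.mdsbk.tgz).
backup_name_ok() {
    case "${1##*/}" in
        [0-9][0-9][A-Z][a-z][a-z][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9].mdsbk.tgz) return 0 ;;
    esac
    return 1
}

# mds_backup_to <dest-dir>: refuse unless running as root and <dest-dir> is
# outside $MDSDIR (and $FWDIR when set), then run mds_backup from <dest-dir>
# so the archive lands there.
mds_backup_to() {
    dest=$1
    [ "$(id -u)" -eq 0 ] || { echo "mds_backup needs super-user privileges" >&2; return 1; }
    [ -d "$dest" ] || { echo "$dest is not a directory" >&2; return 1; }
    for root in "${MDSDIR:?MDSDIR not set; run mdsenv first}" ${FWDIR:+"$FWDIR"}; do
        if path_within "$dest" "$root"; then
            echo "$dest is inside $root, which mds_backup archives; choose another directory" >&2
            return 1
        fi
    done
    ( cd "$dest" && mds_backup )
}

# Typical use: mdsenv; mds_backup_to /var/backups/mds
```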
mds_restore
Restores an MDS that was previously stored with mds_backup. For correct operation, mds_restore requires a fresh installation of an MDS from the same version of the MDS to be restored.
The automatic license upgrade tool enables you to:
View the status of the currently installed licenses. On a CMA, you can also view the licenses in the SmartUpdate License Repository.
Simulate the license upgrade process.
Perform the license upgrade process.
During the license upgrade, all eligible licenses are gathered and sent in SSL-encrypted form to the User Center. Upgraded licenses are returned from the User Center and automatically installed. The license upgrade process adds only NGX licenses. Old licenses and non-eligible licenses (e.g., evaluation licenses, or licenses that pertain to IP addresses no longer used) remain untouched. When running on a CMA, the license upgrade process also handles licenses in the SmartUpdate License Repository. After the software upgrade, SmartUpdate is used to attach the new NGX licenses to the gateways.
For instructions on upgrading licenses for VPN-1 Power/UTM and SmartLSM deployments, refer to:
Upgrading Licenses for Products Prior to NGX on page 29.
License Upgrade for a VPN-1 Power/UTM ROBO Gateway on page 274.
For the latest information and downloads regarding NGX license upgrade, check: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
The MDS Container has:
Licenses for the MDS Container itself, in the cp.license file. This license specifies, among other things, how many CMAs may be configured in the Container.
For each CMA, licenses for the CMA itself (CMA licenses), in the cp.license file. An example of a CMA license is one that specifies how many Gateways the CMA can manage.
For each CMA, the CMA license repository (CMA Repository) in the licenses.C file. This is a repository of Gateway licenses.
Licenses in the CMA Repository are managed using the SmartUpdate component of the Multi-Domain GUI (MDG). SmartUpdate is used to connect to the MDS Manager and manage the MDS Repository.
For further assistance, refer to SecureKnowledge at https://secureknowledge.checkpoint.com, or contact the Check Point Reseller that provided your licenses.
This results in the following: For each license, a check determines whether or not a license upgrade is required. A report is produced that contains action items to be performed before and after the upgrade, and general information. The action items can be informational, warnings, or errors. If a license upgrade is required, error messages are generated. It is highly recommended to deal with all the reported issues, so that the license upgrade can proceed smoothly.
Note - If there are NGX licenses on the pre-NGX MDS machine that have not been upgraded (for example, without an NG license pair), they are not included in the
License Upgrade for the Pro Add-Ons for MDS must be performed either manually via the User Center, or via the Check Point Account Services department. To understand this issue, some background information is needed. Pro Add-Ons for MDS is a bundled product that extends the SMART management capabilities of multiple CMAs by adding SmartUpdate, SmartDirectory, and SmartView Monitor. Table 9-3 shows the part numbers of Pro Add-ons for MDS.
Table 9-3 Part Numbers of Pro Add-ons for MDS
Customer / Version / Part Number
10 / NG / CPPR-PRO-10-NG
25 / NG / CPPR-PRO-25-NG
50 / NG / CPPR-PRO-50-NG
100 / NG / CPPR-PRO-100-NG
200 / NG / CPPR-PRO-200-NG
250 / NG / CPPR-PRO-250-NG
3. At the end of the license generation process, the User Center shows a license with the IP address of the last CMA for which the Change IP operation was performed.
pv1_license_upgrade upgrade
If the MDS is connected to the User Center via a proxy, run:
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.
To allow Provider-1 to manage VPN-1 Power VSX, the Virtual Systems Extension CMA Bundle product is required. If the Virtual Systems Extension - CMA Bundle is older than VSX NG AI Release 2, automatic license upgrade is not available. License upgrade must be performed manually via the User Center, or via the Check Point Account Services department. To understand this issue, some background information is needed. Customers purchase multiple CMAs to manage either one VSX Virtual System (VS) with each CMA, or manage a VS cluster with each CMA. The purchased part numbers are shown in Table 9-4.
Table 9-4 Virtual Systems Extension - CMA Bundles (Primary VSX-CMA)
Gateways / Version / Part Number
C10 / NG / CPPR-VSX-CMA-C10-NG
C25 / NG / CPPR-VSX-CMA-C25-NG
C50 / NG / CPPR-VSX-CMA-C50-NG
C100 / NG / CPPR-VSX-CMA-C100-NG
C250 / NG / CPPR-VSX-CMA-C250-NG
The customer receives two licenses:
One license for the Provider-1 MDS Container product in Table 9-5 (depending on the number of VSs in Table 9-6). This license allows you to define the purchased number of CMAs.
Table 9-5 Provider-1 MDS Container
Customer / Version / Part Number
25 / NG / CPPR-MDS-C25-NG
50 / NG / CPPR-MDS-C50-NG
100 / NG / CPPR-MDS-C100-NG
200 / NG / CPPR-MDS-C200-NG
250 / NG / CPPR-MDS-C250-NG
One license for the Provider-1 CMA product in Table 9-6 (to be installed on the CMA), which specifies the size of the VS cluster that the CMAs are allowed to manage. A license for a VS cluster of 1 Gateway allows the CMA to manage one VS, a license for a VS cluster of 2 Gateways allows the CMA to manage a cluster of two VSs, and so on.
Table 9-6 Provider-1 CMA (Primary CMA)
Gateways / Version / Part Number
1 / NG / CPPR-CMA-1-NG
2 / NG / CPPR-CMA-2-NG
4 / NG / CPPR-CMA-4-NG
pv1_license_upgrade upgrade
If the MDS is connected to the User Center via a proxy, run:
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.
Decision #2: License Upgrade for Entire System (Single or Multi-MDS) or Single CMA
It is possible to upgrade licenses either for the entire Provider-1/SiteManager-1 environment (all MDS licenses, CMA licenses, and CMA Repository licenses), or a single CMA (CMA licenses and CMA Repository licenses). Upgrading the entire Provider-1/SiteManager-1 environment is the recommended way to upgrade licenses. The procedure uses the SmartUpdate license management capabilities, which are free of charge. Upgrading licenses for a single CMA may be required if you do not wish to upgrade the licenses on other CMAs at this time, for example if the licenses for other CMAs have already been upgraded. Note, however, that the software upgrade occurs for all CMAs at the same time, when the MDS is upgraded.
License upgrade using the mds_setup wrapper works only for online machines with direct Internet connectivity to the Check Point User Center.
What Next?
Once you have made the above three decisions, you can decide which of the following procedures is the right one for you:
System-Wide License Upgrade, Before Software Upgrade (page 229)
    License Upgrade for an Online MDS (page 229)
    License Upgrade for an Offline MDS (page 230)
System-Wide License Upgrade Using the Wrapper (page 233) (applies to an online MDS version NG)
System-Wide License Upgrade, After Software Upgrade (page 234)
    License Upgrade for an Online MDS (page 234)
    License Upgrade for an Offline MDS (page 235)
License Upgrade for a Single CMA (page 237)
    License Upgrade for an Online MDS, Before Software Upgrade (page 237)
    License Upgrade for an Offline MDS, Before Software Upgrade (page 238)
    License Upgrade for an Online MDS, After Software Upgrade (page 240)
    License Upgrade for an Offline MDS, After Software Upgrade (page 241)
pv1_license_upgrade upgrade
If the MDS is connected to the User Center via a proxy, run:
3. Perform the software upgrade to NGX on the MDS Manager, MDS Container, and the MDG.
4. Start the MDS by running:
mdsenv
mdsstart
5. Run the following command line tool on the MDS:
To perform the license upgrade on an offline MDS:
1. Copy the pv1_license_upgrade tool to the MDS version NG machine, from the locations specified in pv1_license_upgrade on page 211.
2. On the offline MDS, run the following command line tool: pv1_license_upgrade export -z <package_file>
On SecurePlatform, run the command in expert mode. The export command packs all licenses on the machine, for all CMAs and the MDS, into a single package file.
3. Copy the package file (containing the licenses) from the offline MDS to the online machine. The online machine does not need to be a Check Point-installed machine.
4. Copy the license_upgrade tool to the online machine. The tool is located at <platform>/LicenseUpgrade/ on the R65 CD, and on the Check Point Download site at: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
5. Run the appropriate command line tool on the online machine:
If the online machine is directly connected to the User Center, run: license_upgrade upgrade -i <input_file> -c <cache_file>
If the online machine is connected to the User Center via a proxy, run: license_upgrade upgrade -y <proxy:port> -i <input_file> -c <cache_file>
Where <input_file> is the package file that is the result of step 2. This fetches new licenses from the User Center and puts them in a cache file. Alternatively, use the [O] Wizard mode option.
6. Specify the package file that is the result of step 2 and the requested cache file. This fetches new licenses from the User Center and puts them in a cache file.
7. Copy the cache file (with the new licenses) back to the offline MDS machine.
8. Start the MDS by running:
mdsenv
mdsstart
9. Run following command line on the offline MDS:
3. The mds_setup wrapper then proceeds with the software upgrade. 4. Run the following command line tool on the MDS:
pv1_license_upgrade upgrade
If the MDS is connected to the User Center via a proxy, run:
mdsenv
mdsstart
4. Run the following command line tool at the MDS:
5. Run the appropriate command line tool on the online machine: If the online machine is directly connected to the User Center, run:
<input_file> -c
Where <input_file> is the package file that is the result of step 2. This fetches new licenses from the User Center and puts them in a cache file. Alternatively, use the [O] option of the Wizard mode, and specify the package file that is the result of step 2 and the requested cache file; this likewise fetches new licenses from the User Center and puts them in a cache file.
6. Copy the cache file (with the new licenses) back to the offline MDS machine.
7. Start the MDS services by running:
mdsenv
mdsstart
8. Run the following command line on the offline MDS:
mdsenv
mdsstart
10. Rerun the following command line on the offline MDS:
mdsenv <cma_name>
3. Run the appropriate command line tool on the MDS: If the MDS machine is directly connected to the User Center, run:
license_upgrade upgrade
If the MDS machine is connected to the User Center via a proxy, run:
4. Upgrade the software on the MDS. 5. Start the MDS services by running:
mdsstart
6. Import new licenses of all CMAs into the NGX CMA Repositories by running:
To perform a license upgrade on an offline MDS, before a software upgrade:
1. Copy the license_upgrade tool to the MDS version NG machine from the locations specified in license_upgrade on page 211.
2. On the MDS machine, enter the environment of the single CMA:
mdsenv <cma_name>
3. Copy the licenses from this machine to a file using one of the following methods. On SecurePlatform, run the command in expert mode: Run the appropriate command line tool on the offline target machine:
4. Copy the output file package (containing the licenses) from the offline target machine to any online machine. The online machine does not need to be a Check Point-installed machine. 5. Copy the license_upgrade tool to the online machine. 6. Run the appropriate command line tool on the online machine: If the online machine is directly connected to the User Center, run:
<input_file> -c
Where <input_file> is the package file that is the result of step 3. This fetches new CMA licenses from the User Center and puts them in a cache file. Alternatively, use the [O] wizard mode option.
7. Specify the package file that is the result of step 3 and the requested cache file. This fetches new licenses from the User Center and puts them in a cache file.
8. Copy the cache file (with the new CMA licenses) to the offline target machine.
mdsstart
12. Import new licenses of all CMAs into the NGX CMA Repositories. Run the command
To perform the license upgrade: 1. Make sure that the CMA is running. The following command shows the status of all CMAs:
mdsstat
2. On the MDS machine, enter the environment of the single CMA:
mdsenv <cma_name>
3. Run the appropriate command line tool on the MDS:
   If the MDS machine is directly connected to the User Center, run:
license_upgrade upgrade
If the MDS machine is connected to the User Center via a proxy, run:
   The proxy port number is optional. Username and password (if any) are for the proxy machine.
   OR use the [U] wizard mode option.
   This does the following:
   - Collects all the licenses that exist on the CMA.
   - Fetches updated licenses from the User Center.
   - Installs the new licenses on the CMA.
To perform the license upgrade:
1. On the MDS machine, enter the environment of the single CMA:
mdsenv <cma_name>
2. Copy the licenses from this machine to a file using one of the following commands. On SecurePlatform, run the following command in expert mode.
   Run the following command line tool on the offline MDS:
3. Copy the license_upgrade tool to the online machine. The tool is located at <platform>/LicenseUpgrade on the R65 CD, and on the Check Point Download site at http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
4. Run the appropriate command line tool on the online machine:
   If the online machine is directly connected to the User Center, run:
<input_file> -c
   Where <input_file> is the package file that is the result of step 2. This fetches new CMA licenses from the User Center and puts them in a cache file.
   OR use the [O] wizard mode option. Specify the output file package that is the result of step 2. This fetches new CMA licenses from the User Center and puts them in a cache file.
5. Copy the cache file (with the new CMA licenses) to the MDS machine.
6. Run the following command on the MDS machine:
mdsenv <cma_name>
7. Run the following command line on the offline target machine:
10. Run the following command line on the offline target machine:
In This Section
Provider-1 Pro Add-Ons for MDS License Upgrade (page 223)
Managing VPN-1 Power VSX With Provider-1 (page 224)
Cause
To understand this issue, some background information is needed: Pro Add-Ons for MDS is a bundled product that extends the SMART management capabilities of multiple CMAs by adding SmartUpdate, SmartDirectory, and SmartView Monitor.
Table 9-7
The CMA Pro Add-on licenses are generated in the User Center as follows:
1. Perform the Activate License operation on the Pro bundled product, using the IP address of the first CMA, to generate the license for this CMA. For each additional CMA, perform the Change IP operation on the bundled product, and change to the IP address of this CMA.
2. Install each generated license on its respective CMA.
3. At the end of the license generation process, the User Center shows a license with the IP address of the last CMA for which the Change IP operation was performed. Only this last license is upgraded by the license upgrade process.
Resolution
1. On the MDS machine, run the appropriate console command:
   If the MDS is directly connected to the User Center, run:
pv1_license_upgrade upgrade
If the MDS is connected to the User Center via a proxy, run:
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.
Chapter 9 Upgrading Provider-1
Cause
To understand this issue, some background information is needed: The customer purchases multiple CMAs in order to manage either one VSX Virtual System (VS) with each CMA, or a VS cluster with each CMA. The purchased VSX part numbers are listed in Table 9-8.

Table 9-8 Virtual Systems Extension - CMA Bundles

  Virtual Systems Extension - CMA Bundles (Primary VSX-CMA)
  Gateways   Version   Part Number
  C10        NG        CPPR-VSX-CMA-C10-NG
  C25        NG        CPPR-VSX-CMA-C25-NG
  C50        NG        CPPR-VSX-CMA-C50-NG
  C100       NG        CPPR-VSX-CMA-C100-NG
  C250       NG        CPPR-VSX-CMA-C250-NG
The customer receives two licenses:
- One license for the Provider-1 MDS Container product in Table 9-9 (depending on the number of VSs in Table 9-8). This license allows you to define the purchased number of CMAs.

Table 9-9 Provider-1 MDS Container

  Customer   Version   Part Number
  25         NG        CPPR-MDS-C25-NG
  50         NG        CPPR-MDS-C50-NG
  100        NG        CPPR-MDS-C100-NG
  200        NG        CPPR-MDS-C200-NG
  250        NG        CPPR-MDS-C250-NG

- One license for the Provider-1 CMA product in Table 9-10 (to be installed on the CMA), that specifies the size of the VS cluster that the CMAs are allowed to manage. A license for a VS cluster of 1 Gateway allows the CMA to manage one VS, a license for a VS cluster of 2 Gateways allows the CMA to manage a cluster of two VSs, and so on.

Table 9-10 Provider-1 CMA

  Provider-1 CMA (Primary CMA)
  Gateways   Version   Part Number
  1          NG        CPPR-CMA-1-NG
  2          NG        CPPR-CMA-2-NG
  4          NG        CPPR-CMA-4-NG
Provider-1 CMA product licenses are generated in the User Center as follows:
1. Perform the Activate License operation on the Provider-1 CMA product, using the IP address of the first CMA, to generate the license for this CMA. For each additional CMA, perform the Change IP operation on the bundled product, and change to the IP address of this CMA.
2. Install each generated license on its respective CMA.
3. At the end of the license generation process, the User Center shows a license with the IP address of the last CMA for which the Change IP operation was performed. Only this last license is upgraded by the license upgrade process.
Resolution
1. On the MDS machine, run the appropriate console command:
   If the MDS is directly connected to the User Center, run:
pv1_license_upgrade upgrade
If the MDS is connected to the User Center via a proxy, run:
3. Contact Account Services at US +1 817 606 6600, option 7 or e-mail AccountServices@ts.checkpoint.com, and provide them with the above information.
In-Place Upgrade
The in-place upgrade process takes place on the existing MDS machine. The MDS with all its CMAs is upgraded during a single upgrade process.
License upgrade is also required when upgrading from versions prior to NGX. Provider-1/SiteManager-1 NGX cannot function with licenses from versions prior to NGX. It is therefore highly recommended to upgrade all Provider-1/SiteManager-1 NG licenses to NGX before upgrading the software to NGX.
Note - When upgrading Provider-1 to R65, all SmartUpdate packages on the MDS (excluding SofaWare firmware packages) are deleted from the SmartUpdate Repository.
1. Run the Pre-upgrade verification only option from mds_setup. In a multi-MDS environment, perform this step on all MDSes (refer to Upgrading in a Multi-MDS Environment on page 259 for details).
2. Make the changes required by the pre-upgrade verification, and if you have High Availability, perform the required synchronizations.
3. Test your changes:
   a. assign global policy
   b. install policy
   c. verify logging (through SmartView Tracker)
   d. view status (through MDG or SmartView Monitor)
4. Back up your system either by selecting the backup options in mds_setup or by running mds_backup.
5. Perform the license upgrade procedure prior to the MDS software upgrade as detailed in System-Wide License Upgrade, Before Software Upgrade on page 229. Follow the procedure for an online MDS or an offline MDS, as applicable.
6. Perform the in-place upgrade. For Solaris and Linux, use mds_setup (for additional information, refer to Installation Script on page 209). For SecurePlatform, run patch add cd (see Upgrading to NGX R65 on SecurePlatform on page 250).
7. Perform the license upgrade procedure after the MDS software upgrade as detailed in System-Wide License Upgrade, Before Software Upgrade on page 229. Follow the procedure for an online MDS or an offline MDS, as applicable.
8. After the upgrade completes, retest using the sub-steps in step 3 above.
Upgrading a Pre-NGX Version (on Linux 22) to NGX R65 (on RedHat Enterprise Linux 3.0)
This procedure is required if you intend to upgrade a Linux 22 platform machine installed with a Provider-1 version prior to NGX to RedHat Enterprise Linux 3.0 with Provider-1 R65. To upgrade to R65 from previous NGX versions, refer to In-Place Upgrade on page 249.
To perform the upgrade:
1. For each CMA, create a backup folder that contains subfolders (as described in Table 9-2 on page 213). These folders are used for backing up data files from a previously installed MDS version. These folders and their content must be accessible from the NGX machine after the operating system upgrade.
2. Create an additional folder for the global policy data by backing up all files in $MDSDIR/conf.
3. Perform a fresh RedHat Enterprise Linux 3.0 installation.
4. Perform a fresh installation of R65 MDS on the target machine. For additional information, refer to Installation Script on page 209.
5. Create customers and CMAs with the names used in the previous Provider-1 setup. Do not start the CMAs.
6. Use migrate_global_policies to import the global policies backed up in step 2 (refer to migrate_global_policies on page 216 for additional information).
7. Migrate all the original CMA data into the newly created CMAs (from the backup folders created in step 1), either by using Import Customer Management Add-on from the MDG or cma_migrate (refer to cma_migrate on page 212) for each CMA.
3. Restore the MDS on the target machine. Copy the file created by the backup process to the target machine and run mds_restore, or run mds_setup and select the Restore option.
4. If your target machine and the source machine have different IP addresses, follow the steps listed in IP Address Change on page 269 to adjust the restored MDS to the new IP address. If your target machine and the source machine have different interface names (e.g. hme0 and hme1), follow the steps listed in Interface Change on page 269 to adjust the restored MDS to the new interface name.
5. Test to confirm that the replication has been successful:
   a. Start the MDS.
   b. Verify that all CMAs are running and that you can connect to the MDS with MDG and Global SmartDashboard.
   c. Connect to CMAs using SmartDashboard.
6. Upgrade your MDS. Stop the MDS on the target machine and employ an In-Place Upgrade (for additional information, refer to In-Place Upgrade on page 249).
$CPDIR/conf/lic_cache.C
All NGX version CMA and MDS licenses reside in cp.license, and all licenses appear in the cache.
4. On the target MDS, create a customer and CMA but do not start the CMA.
5. Use the migrate_assist utility to copy the CMA directories and files for each CMA from the source machine to the destination machine. For additional information, refer to migrate_assist on page 215. This process transfers the NGX licenses for both the CMA and the CMA Repository.
6. Use cma_migrate to import the CMA. For additional information, refer to cma_migrate on page 212.
mdsenv
mdsstart
8. To import the licenses that were upgraded to the CMA database from the cache file, which was copied from the NG version MDS, run:
2. If some of your CMAs have already been migrated and some have not, and you would like to use the Global Policy, make sure that it does not contain gateways of non-existing customers. To test for non-existing customers, assign this Global Policy to a customer. If the assignment operation fails and the error message lists problematic gateways, you have at least one non-existing customer. If this occurs:
   a. Run the Where Used query from Global SmartDashboard > Manage > Network Objects > Actions to identify where the problematic gateway(s) are used in the Global Policy. Review the result set, and edit or delete list items as necessary. Make sure that no problematic gateways are in use.
   b. The gateways must be disabled from global use:
      i. From the MDG's General View, right-click a gateway and select Disable Global Use.
      ii. If the globally used gateway refers to a gateway of a customer that was not migrated, you can remove the gateway from the global database with a command line command. First, make sure that the Global SmartDashboard is not running, and then execute the command:
         mdsenv; remove_globally_used_gw <Global name of the gateway>
3. When issuing the command:
   migrate_global_policies
   where the existing Global Policy contains Global Communities, the resulting Global Policy contains:
   - the globally used gateways from the existing database
   - the globally used gateways from the migrated database
   As a result of the migration, the Global Communities are overridden by the migrated database.
4. The gradual upgrade does not restore the Global Communities statuses. Therefore, if either the existing or the migrated Global Policy contains Global Communities, reset the statuses from the command line (with the MDS live):
   mdsenv; fwm mds rebuild_global_communities_status all
Before migrating the management part of the standalone gateway to the target CMA, some adjustments are required before the standalone is exported to the CMA:
1. Make sure that:
   - FTP access is allowed between the MDS machine (on which the target CMA is located) and the standalone machine. (This is only necessary if you plan to use migrate_assist.)
   - The target CMA is able to communicate with and install policy on all managed modules.
2. Add an object representing the CMA (name and IP address) and define it as a Secondary SmartCenter server.
3. Install policy on all managed gateways.
4. Delete all objects or access rules created in steps 1 and 2.
5. If the standalone gateway has VPN-1 installed:
   - Clear the VPN-1 option in the Check Point Products section of the Standalone gateway object. You may have to first remove it from the Install On column of your rulebase (and then add it again).
   - If the standalone gateway participates in a VPN-1 community, in the VPN tab, remove it from the community and erase its certificate.
   Note these changes in order to undo them after the migration.
6. Save and close SmartDashboard. Do not install policy.
7. To migrate the management part to the CMA, run:
migrate_assist <Standalone_GW_NAME> <Standalone_GW_FWDIR> <username> <password> <target_dir> <Standalone_GW_CPDIR>
Note - The last parameter <Standalone_GW_CPDIR> is mandatory when running migrate_assist on NG versions.
8. Create a new CMA on the MDS, but do not start it.
9. Migrate the exported database of the standalone gateway into the CMA. Use cma_migrate or the import operation from the MDG, specifying as an argument the database location you used as <target_dir> in the migrate_assist command.
10. To configure the CMA after the migration, start the CMA. On the CMA, launch SmartDashboard.
11. In SmartDashboard, under Network Objects, locate:
   - An object with the Name and IP address of the CMA, which is the primary management object (migrated). Previous references to the standalone management object now refer to this object.
   - An object for each gateway managed previously by the standalone station (except for the gateway on the standalone machine).
12. Edit the Primary Management Object and remove all interfaces (Network Object > Topology > Remove).
13. Create an object representing the gateway on the standalone machine (from New > Check Point > Gateway), and:
   - Assign a Name and IP address for the gateway.
   - Select the appropriate Check Point version.
   - Select the appropriate Check Point Products you have installed.
   - If the object previously belonged to a VPN-1 Community, add it back.
   - Do not initialize communication.
14. Run Where Used on the primary management object and, in each location, consider changing to the new gateway object.
15. Install the policy on all modules, except for the standalone gateway. You may see warning messages about this module because it is not yet configured. These messages can be safely ignored.
16. Uninstall the standalone gateway.
17. Install a gateway only on the previous standalone machine.
18. From the CMA SmartDashboard, edit the gateway object created in step 12 and establish trust with that gateway.
19. On the same object, define the gateway's topology.
20. Install the Policy on the gateway.
/:use_sites
6. Edit the value and change it from true to false. For example:
:use_sites (false)
7. Save the file and exit.
8. Start the MDS services by running mdsenv;mdsstart.
Multi-MDS environments may contain High Availability components at the MDS level or at the CMA level. They may also contain different types of MDSes: managers, containers, or combinations of the two. In general, High Availability helps to reduce downtime during an upgrade. This section provides guidelines for performing an upgrade in a multi-MDS environment. Specifically, it explains the order of upgrade and synchronization issues.
To update the CLM/CMA objects to the most recent version, verify that all active CMAs are up and running with valid licenses and that SmartDashboard is not connected. At this time, the following should be run on each MDS after upgrading all MLMs/MDSs:
mdsenv
To update all CLM/CMA objects, run:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
To update CLM/CMA objects that are located on a specific MLM/MDS, (in case other MDSs were not yet upgraded) run:
The database to import is the database belonging to the primary CMA/SmartCenter Server. Before importing, verify that the database has been synchronized. Also perform these steps if you want to migrate your current High Availability environment to a CMA High Availability on a different MDS. Then, continue with a High Availability deployment (for more information, see the High Availability chapter in the Check Point Provider-1/SiteManager-1 Administration Guide).
Restarting CMAs
After completing the upgrade process, CMAs should be started sequentially using the command mdsstart -s.
Renaming Customers
In This Section
Identifying Non-Compliant Customer Names (page 265)
High Availability Environment (page 265)
Automatic Division of Non-Compliant Names (page 265)
Resolving Non-Compliance (page 266)
Advanced Usage (page 267)
Previous Provider-1 versions allowed customer names or CMA names in Check Point 2000 to contain illegal characters, such as spaces and certain keyword prefixes. In NG with Application Intelligence, all customer names must adhere to the same restrictions as CMA names or any other network objects.
Resolving Non-Compliance
During the upgrade procedure, after selecting Option 2 - Upgrade to NGX R65 on the mds_setup menu, the resolution of non-compliant names is performed. The translation prompt is only displayed if a non-compliant name is detected.
Note - Nothing is changed in the existing installation when translating customer names. Any changes are applied only to the upgraded installation.
Translation prompt - Enter a name to replace the non-compliant name, or enter the '-' sign to get a menu of additional options. The new name is checked for naming restrictions compliance and is not accepted until you enter a compliant name.
Additional Options Menu
- Edit another name - The customer names are presented in alphabetical order. Choose this option to edit a customer name that was already translated, or any other customer name.
- Skip this name - Choose this option if you are not sure what to do with this name and want to come back to it later. The upgrade cannot take place until all non-compliant customer names are translated.
- Quit session and save recent translations - Choose this option if you want to save all the work that was done in this session and resume later.
- Quit session and throw away recent translations - Choose this option if you want to abort the session and undo all the translations that you entered during this session.
- Return to translation prompt - Choose this option if you want to return to the customer name you were prompted with when you entered '-'.
Note - The pre-upgrade tool allows only non-compliant customer names to be translated.
If the session is exited before all the translations are done, the mds_setup utility exits with an error message stating that the MDS verification failed. To return to the tool, simply run mds_setup again and choose Option 2 - Upgrade to NGX R65.
High Availability
After completing the translations on the first MDS, copy the following files to the other MDSes. If the MDSes are properly synchronized, no additional work is required.
Files to be copied:
/var/opt/CPcustomers_translated.txt
/var/opt/CPcustomers_translated.md5
When running the tool a second time, the customer names that have already been translated are shown before the first non-compliant name is displayed. This is also the case when running on an additional MDS.
Advanced Usage
An advanced user may choose to directly edit the translation file, /var/opt/CPcustomers_translated.txt. In this case, all the translations are verified when mds_setup is run again.
Translations file format - The file is structured line-wise. Each line's meaning is indicated by its first character. An empty line is ignored. Any line that does not obey the syntax causes the file to be rejected with an appropriate message.

Table 9-11 Line Prefixes

  Line Prefix   Meaning                         Comment
  #             A comment line.                 May be inserted anywhere.
  -             Existing non-compliant name.    Must exactly match an existing non-compliant name, otherwise it will be rejected.
  +                                             If the entry does not comply with the naming restrictions, it is ignored.
The '-' and '+' lines must form pairs. Otherwise, the file is rejected.
If the translations file is manually modified, mds_setup detects it and displays the following menu:
1. Use the translations file anyway - Choose this option only if an authorized person modified it. This option reads the file, verifies its content and uses the translations therein.
2. Ignore the translations file and generate a new one - Choose this option to overwrite the contents of the file.
3. Quit and leave the translations file as it is - Choose this option to exit mds_setup and leave the translations file as is for now. Run mds_setup again when you are sure that option 1 or option 2 is suitable.
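The table and the pairing rule above describe the file that mds_setup reads back. As an added example (not Check Point's own verification code), the following POSIX shell function checks a hand-edited translations file against those rules before mds_setup is run again, so that a file that would be rejected is caught early. It assumes that a '+' line carries the replacement name and that a compliant replacement is non-empty and contains no whitespace; the list of known non-compliant names is supplied as a second file, a constructed input here.

```shell
#!/bin/sh
# Validate a hand-edited /var/opt/CPcustomers_translated.txt before running
# mds_setup again. Added example, not Check Point's checker. Rules follow the
# guide's Table 9-11 and the text around it: '#' lines are comments and may
# appear anywhere, empty lines are ignored, a '-' line must name an existing
# non-compliant customer, '-' and '+' lines must form pairs, and any other
# line makes the file invalid. That a '+' line carries the replacement name,
# and the test that a replacement is compliant (non-empty, no whitespace),
# are assumptions made here; mds_setup applies its own naming restrictions.

# validate_translations <translations file> <known-names file>
# <known-names file> lists the non-compliant customer names, one per line
# (in practice, the names mds_setup reported). Prints one diagnostic per
# problem and returns 0 only if the file would be accepted.
validate_translations() {
    awk -v known="$2" '
    function report(msg) { print msg; errors++ }
    BEGIN {
        while ((getline name < known) > 0) noncompliant[name] = 1
        close(known)
        errors = 0
        pending = ""            # "-" name still waiting for its "+" line
    }
    /^[[:space:]]*$/ { next }   # empty line: ignored
    /^#/ { next }               # comment: allowed anywhere
    /^-/ {
        if (pending != "")
            report("line " NR ": \"" pending "\" has no matching \"+\" line")
        pending = substr($0, 2)
        if (!(pending in noncompliant))
            report("line " NR ": \"" pending "\" is not an existing non-compliant name")
        next
    }
    /^\+/ {
        if (pending == "") {
            report("line " NR ": \"+\" line without a preceding \"-\" line")
            next
        }
        newname = substr($0, 2)
        if (newname == "" || newname ~ /[[:space:]]/)
            report("line " NR ": replacement \"" newname "\" is not a compliant name")
        pending = ""
        next
    }
    { report("line " NR ": unknown line prefix \"" substr($0, 1, 1) "\"") }
    END {
        if (pending != "")
            report("end of file: \"" pending "\" has no matching \"+\" line")
        exit (errors ? 1 : 0)
    }
    ' "$1"
}

# Usage: validate_translations /var/opt/CPcustomers_translated.txt known_names.txt
```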
IP Address Change
If your target machine and the source machine have different IP addresses, follow the steps listed below to adjust the restored MDS to the new IP address.
To change the IP address:
1. The MDS must be stopped. Stop the MDS by running mdsstop.
2. Change the IP address in the $MDSDIR/conf/LeadingIP file to the new IP address.
3. Edit the $MDSDIR/conf/mdsdb/mdss.C file. Find the MDS object that has the source MDS IP address and change its IP address to the new IP address. Do not change the name of the MDS.
4. Install a new license on the target MDS with the new MDS IP address.
5. For multiple MDS/MLM environments, repeat steps 1 to 4 on each MDS/MLM, for the MDS/MLM whose IP address you changed.
Interface Change
If your target machine and the source machine have different interface names (e.g., hme0 and hme1), follow the steps listed below to adjust the restored MDS to the new interface name.
To change the interface:
1. Change the interface name in the file $MDSDIR/conf/external.if to the new interface name.
2. For each CMA, replace the interface name in $FWDIR/conf/vip_index.conf. For example, if this is an NG FP3 installation and you have a CMA named cma1, edit /opt/CPmds-53/customers/cma1/CPfw1-53/conf/vip_index.conf.
SmartDefense in Provider-1
When upgrading to R65, the previous SmartDefense configuration of the Customer is overridden on the first Global Policy Assign. It is recommended to save each Customer's Security Policy so that the settings can be restored after the upgrade. To do so, from the MDG, go to Customer Configuration window > Assign Global Policy tab, and enable Create database version.
When upgrading VPN-1 Power/UTM ROBO gateways, the upgrade process removes the initial Plug & Play license from your gateway. Trying to perform a remote upgrade on a gateway without a valid NGX license will succeed, but this gateway will not be able to load the correct policy after the upgrade. Make sure that all gateways have valid permanent NG and NGX licenses installed before the upgrade.
   The added assigned licenses are shown grayed-out because they are not yet attached.
4. Click OK to attach the Assigned Licenses to this ROBO. The ROBO gateway now has both NG and NGX licenses. The Licenses window shows that the NGX license is Attached, and the NG license is Obsolete, meaning that it is no longer needed. The NG license is still useful because if you need to downgrade the Gateway version, the Gateway will keep on working.
5. Repeat from step 2 for each ROBO gateway.
Full Upgrade
This method automatically performs all the required checks and actions for you. When it successfully completes, the upgraded ROBO Gateway is ready for use. This is the recommended method to upgrade VPN-1 Power/UTM ROBO Gateways.
To perform a full upgrade:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO Gateway to be upgraded.
2. Select Actions > Packages > Upgrade All Packages. This selection can also be made through the right-click menu, or the Upgrade All Packages icon in the toolbar. The upgrade process begins with a verification stage, checking which version is currently installed on the gateway and whether the required packages exist in your Package Repository. When it completes, a Verification Details window opens, showing you the verification results.
3. Select Change to a new Profile after upgrade, and select the appropriate new SmartLSM Profile from the list.
4. Select Allow reboot if required.
5. Click the Continue button. The Upgrade process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The entire progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).
Specific Installation
This method can be used to install a specific product on a ROBO Gateway.
To perform a specific installation:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO gateway you want to upgrade.
2. Select Actions > Packages > Get Gateway Data to fetch information about Packages currently installed on the VPN-1 Power/UTM ROBO gateway.
3. Select Actions > Packages > Distribute Package, or right-click and select Distribute Package, or click the icon in the toolbar. The Distribute Package window opens. This window displays the relevant packages from the Package Repository that can be installed on your VPN-1 Power/UTM ROBO gateway.
4. In the Distribute Package window, select the package you want to install. You can then select one of the following actions:
   - Distribute and install packages
   - Only distribute packages (install later)
   - Install previously distributed packages
5. The Allow Reboot if required option should be selected only when upgrading VPN-1. If you do not select this option, manually reboot the gateway from its console. The gateway is rebooted after the package installation is completed.
   Note - If you are doing a step-by-step upgrade, do not select Allow Reboot if required.
6. If the operating system is SecurePlatform, you can select Backup image for automatic revert, in case the installation does not succeed.
7. The option Change to a new profile after install lets you select the SmartLSM Profile that will be assigned to the package upon installation. When upgrading the VPN-1 Power/UTM ROBO gateway, you must provide a suitable SmartLSM Profile from the target version. If you are installing a package that does not require changing the SmartLSM Profile of the VPN-1 Power/UTM ROBO gateway, this field remains disabled.
8. Click the Start button.
9. The Install process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The whole progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).
Note - You can verify whether the installation will succeed before actually upgrading the ROBO Gateway by choosing Actions > Packages > Verify Installation.
For general usage and help, type the command LSMcli --help.
The LSMcli command line arguments are fully described in the Command Line Reference chapter of the R65 SmartLSM Administration Guide. A partial list of arguments is shown in Table 10-1, which lists only the arguments that are important for performing upgrades.

Table 10-1 LSMcli Command line arguments for upgrades

  Argument        Meaning
  -d              (Optional) Run the command with debug output.
  Server          The IP or hostname of the SmartCenter server.
  User Password   The username and password of a SmartCenter Administrator.
  ROBO            The name of the ROBO Gateway to be upgraded.
  -F Firmware     The firmware version of the VPN-1 UTM Edge ROBO Gateway.
  -P=Profile      (Optional) The SmartLSM Profile name the ROBO Gateway will be mapped to after a successful upgrade. You must specify the new SmartLSM Profile when upgrading the VPN-1 version. This is not necessary when installing Hotfixes or other packages.
  -boot           (Optional) Use this option only when upgrading VPN-1. If you do not use this option, manually reboot the gateway from its console.
                  (Optional) Install previously distributed packages. To view the list of packages available in the repository, use the ShowRepository LSMcli command. (Command usage is described in the R65 SmartLSM Administration Guide.)
Export
The export tool is located in your SmartLSM application, under File > Export to File. Use this tool to export a ROBO Gateway's properties into a text file that you can turn into a script in order to perform batch upgrades.
To see which product packages are available in your package repository, execute:
LSMcli [-d] <Server> <User> <Password> ShowRepository
To view a list of packages that can be installed on a specific ROBO gateway, execute:
LSMcli [-d] <Server> <User> <Password> GetCandidates <ROBO>
Note - It is recommended to use the Full Upgrade method to upgrade VPN-1 Power/UTM ROBO Gateways.
Where:
- MyServer = the name of my SmartCenter server.
- John = the administrator's name.
- mypassword = the administrator's password.
- VerifyUpgrade = the Full Upgrade verification command.
- Upgrade = the Full Upgrade command.
- ROBO17 = the VPN-1 Power/UTM ROBO Gateway to be upgraded.
- MyNewProfile = the new SmartLSM Profile that ROBO17 will be mapped to after the upgrade.
Where:
- MyServer = the name of my SmartCenter server.
- John = the administrator's name.
- mypassword = the administrator's password.
- ModifyROBO VPN1Edge = the command to modify a property on a VPN-1 UTM Edge ROBO gateway.
- ROBO101 = the Edge ROBO Gateway to be upgraded.
- EdgeNewProfile = the new SmartLSM Profile that ROBO101 will be mapped to after the upgrade (optional).
- 4.0.23 = the name of the new Firmware package.
- Restart = the command to restart the gateway.
Example: Using the LSM CLI to write a script to upgrade multiple ROBO Gateways
Create the following script and run it:
LSMcli MyServer John mypassword Upgrade ROBO17 -P=MyNewProfile
LSMcli MyServer John mypassword Upgrade ROBO18 -P=MyNewProfile
LSMcli MyServer John mypassword Upgrade ROBO19 -P=MyOtherProfile
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO17
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO18
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO19
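The script above lists one LSMcli line per gateway, with the administrator password written into the script file. As an added example (not Check Point's own tooling), the following POSIX shell script drives the same Upgrade and AttachAssignedLicenses commands from a gateway-to-profile mapping file, runs VerifyUpgrade before touching each gateway, and records a per-gateway result so that one failing gateway does not stop the batch. Assumptions: the SmartCenter name, administrator and password are read from the LSM_SERVER, LSM_USER and LSM_PASSWORD environment variables (hypothetical names, so the password is not stored in the script), VerifyUpgrade takes the same ROBO and -P=Profile arguments as Upgrade, and LSMCLI can point the script at a different binary for testing.

```shell
#!/bin/sh
# Batch upgrade of VPN-1 Power/UTM ROBO Gateways with LSMcli.
# Added example, not a Check Point script. Assumptions: credentials come
# from LSM_SERVER / LSM_USER / LSM_PASSWORD, VerifyUpgrade takes the same
# ROBO and -P=Profile arguments as Upgrade, and LSMCLI may be overridden
# (for example with a stub) to exercise the script without a SmartCenter.

LSMCLI=${LSMCLI:-LSMcli}

# lsm <command> [args...]: run one LSMcli command against the SmartCenter.
# Server, user and password are prepended in the order LSMcli expects.
lsm() {
    : "${LSM_SERVER:?LSM_SERVER not set}" "${LSM_USER:?LSM_USER not set}" \
      "${LSM_PASSWORD:?LSM_PASSWORD not set}"
    "$LSMCLI" "$LSM_SERVER" "$LSM_USER" "$LSM_PASSWORD" "$@"
}

# upgrade_robo <ROBO name> <new SmartLSM profile>
# Verify first; only a gateway that passes verification is upgraded, and
# only an upgraded gateway gets its assigned NGX license attached.
# Return codes: 0 ok, 1 verification failed (gateway untouched),
# 2 upgrade failed, 3 license attach failed (gateway upgraded but unlicensed).
upgrade_robo() {
    robo=$1
    profile=$2
    lsm VerifyUpgrade "$robo" -P="$profile" || {
        echo "$robo: verification failed, gateway left untouched" >&2
        return 1
    }
    lsm Upgrade "$robo" -P="$profile" || {
        echo "$robo: upgrade failed" >&2
        return 2
    }
    lsm AttachAssignedLicenses VPN1 "$robo" || {
        echo "$robo: upgraded, but attaching the assigned license failed" >&2
        return 3
    }
    return 0
}

# upgrade_batch <mapping file>
# The mapping file holds one "ROBO_NAME PROFILE" pair per line; blank lines
# and lines starting with '#' are skipped. One status line per gateway is
# printed to stdout. The return value is the number of gateways that did
# not complete all three steps.
upgrade_batch() {
    failed=0
    while read -r robo profile _rest; do
        case $robo in
            ''|'#'*) continue ;;
        esac
        if [ -z "$profile" ]; then
            echo "$robo: no SmartLSM profile given, skipped"
            failed=$((failed + 1))
            continue
        fi
        rc=0
        upgrade_robo "$robo" "$profile" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$robo: OK"
        else
            echo "$robo: FAILED (step $rc)"
            failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}

# Usage (constructed mapping, mirroring the three gateways in the guide's script):
#   printf 'ROBO17 MyNewProfile\nROBO18 MyNewProfile\nROBO19 MyOtherProfile\n' > robos.txt
#   LSM_SERVER=MyServer LSM_USER=John LSM_PASSWORD=... sh this_script.sh robos.txt
if [ -n "${1:-}" ]; then
    upgrade_batch "$1"
fi
```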
Chapter 11
Overview
When upgrading products of the Eventia suite, note that:
- Eventia Reporter of version R56 and higher can be upgraded to R65.
- Eventia Analyzer of version 1.0 and higher can be upgraded to R65.
In This Section
Windows Platform (page 288)
Solaris / Linux Platform (page 289)
SecurePlatform (page 289)
Windows Platform
1. In order to begin the installation, log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Agree to the License Agreement and click Forward.
3. Select Upgrade and click Forward.
4. Continue following the instructions. The instructions that appear will differ according to your deployment.
5. Indicate whether to add new products by selecting the Add new products option and click Forward. A list of the products that will be upgraded appears. Click Forward.
288
Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management). 6. Verify the default directory, or browse to new location in which Eventia Reporter will be installed. 7. Verify the default directory, or browse to new location in which the output files created by Eventia Reporters output will be generated. Click Next and reboot the machine in order to complete the installation of the Eventia Reporter and to continue with the next phase of the installation. 8. Launch SmartDashboard. 9. Install the Security Policy, (Policy > Install) or install the database (Policy > Install Database) in order to make the Eventia Reporter fully functional.
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.
2. Continue from step 3 on page 288 in order to complete the process.
Copy the directory paths pointed to by these entries. For example, the default entries for a Windows installation are:
6. Run the CD wrapper and perform the Export operation.
7. On the target machine, run the Advanced Upgrade procedure.
8. Run cpstop.
9. Delete the content of the target directories datadir and innodb_log_group_home_dir.
10. Copy the database files from the backup to the target machine.
11. If the original SmartCenter server is of a version prior to NGX R65, the database needs to be upgraded.
To upgrade the database:
a. Open a console and cd to the installation directory bin. For Windows, the default location is C:\Program Files\CheckPoint\EventiaSuite\R65\bin. For other platforms, the default location is /opt/CPrt-R65/svr/bin.
b. Run the following script. For Windows: evr_upgrade_db. For other platforms: ./evr_upgrade_db
12. If necessary, modify the following fields in the mysql configuration file to match the locations of the database data files:
13. Copy your company logo image file(s) to $RTDIR/bin.
14. Copy your distribution scripts to the directory $RTDIR/DistributionScripts. (Be sure to verify that the script is supported on the platform to which you are migrating.)
15. Run cpstart.
16. Start a consolidation session in the Management tab of the Eventia Reporter Client.
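The directory entries read at the start of this procedure and rewritten in step 12, together with the empty-target check that step 9 relies on before the copy in step 10, as an added shell example that is not part of the guide. It assumes a MySQL configuration file with plain "key = value" lines for datadir and innodb_log_group_home_dir (the guide shows neither the file name nor the exact entry text), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Helpers for moving the
# Eventia Reporter MySQL database: read the datadir and
# innodb_log_group_home_dir entries, rewrite them after the move, and refuse
# to copy files into a target directory that has not been emptied first.
# Assumed: one "key = value" entry per line; keys are plain identifiers and
# values are paths without '|' or '&'. Function names are this example's own.

# Print the value of KEY from CNF_FILE (first match, comment lines ignored,
# surrounding spaces stripped). Returns 1 if the key is not set.
# Usage: cnf_get <cnf_file> <key>
cnf_get() {
    cnf_value=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$cnf_value" ] || return 1
    printf '%s\n' "$cnf_value"
}

# Set KEY to VALUE in CNF_FILE: rewrite an existing entry in place, or append
# the entry if it is absent. Portable (no sed -i): writes a temp copy first.
# Usage: cnf_set <cnf_file> <key> <value>
cnf_set() {
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed "s|^\([[:space:]]*$2[[:space:]]*=[[:space:]]*\).*|\1$3|" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Succeed only if DIR exists and holds no entries at all (dotfiles included).
dir_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Copy database files from BACKUP_DIR into the datadir named in CNF_FILE,
# refusing to overwrite a target that still has content (step 9 must have
# been done first). Usage: restore_datadir <cnf_file> <backup_dir>
restore_datadir() {
    target=$(cnf_get "$1" datadir) || { echo "datadir is not set in $1" >&2; return 1; }
    dir_is_empty "$target" || { echo "refusing to copy: $target is not empty" >&2; return 1; }
    cp -R "$2"/. "$target"/
}

# Typical use on the target machine, after cpstop:
#   cnf_get /path/to/my.cnf datadir          # where the files will go
#   restore_datadir /path/to/my.cnf /path/to/backup/data
#   cnf_set /path/to/my.cnf innodb_log_group_home_dir /new/log/location
```

The same cnf_get call can be run on the source machine first to record the paths the procedure asks you to copy, so the target configuration is changed to match real locations rather than remembered ones.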
1. cpstop
2. evconfig
While running evconfig, enable Analyzer Server or the Correlation Unit.
3. cpstart
Prerequisites
Before upgrading to Analyzer NGX R65, note the path to the current database file: $RTDIR/events_db/events.sql, where $RTDIR is a variable that contains the path of the previous Eventia Analyzer installation. In R63, the default path is:
For Windows: C:\Program Files\CheckPoint\EventiaSuite\R63
For Unix platforms: /opt/CPrt-R63
5. Read and accept the license agreement.
6. Select the first option: upgrade.
7. Download or import a service contract file, or choose to continue without one.
8. Select a source for the NGX R65 upgrade utilities.
9. Select Upgrade Installed Products.
10. Validate the products in the products list.
11. Reboot once the upgrade is complete.
8. Validate the products in the products list.
9. Once the upgrade has completed, log in again to the root account.
10. Run cpstart to activate the installed products.
Chapter 12 Upgrading IPS-1
Overview
Alerts Concentrators and IPS-1 Management Servers, including NFR Sentivist Servers and Enterprise Servers, and IPS-1 Power 1000 and 2000 Sensors, of versions 5.x, can be upgraded to the current version. From earlier versions, completely reinstall. Non-Power Sensors installed on SecurePlatform cannot be upgraded to the current version. A new installation is required.
Management onto a new hardware platform, follow the instructions in the IPS-1 Management Server Backup and Migration chapter of the IPS-1 Administration Guide.
For a Remote Upgrade, follow the instructions in . For a Full Upgrade, follow the instructions for reinstallation in the Reinstalling an IPS-1 Power Sensor on page 299, using a newer version of the installation source.
3. From the root directory of the CD, run:
./upgrade_sensor -d $IPS1DIR/alcr <Sensor_name>
The upgrade_sensor script will verify that the given IPS-1 Sensor is upgradeable, transfer the necessary files from the IPS-1 Sensor CD to the Sensor and tell it to complete the upgrade. If the upgrade_sensor script finishes without any errors, the IPS-1 Sensor will reboot itself. When it comes back up, it will be running a new version of the IPS-1 Sensor software. If the upgrade fails, you may need to do a full re-installation of the IPS-1 Sensor.
To reinstall (or perform a Full Upgrade):
1. If you are going to be installing from a network server (not from an LDP), obtain a Check Point IPS-1 Power Sensor installation CD, and extract the Power-Sensor.<version> tar file to a network server accessible from the Power Sensor's management interface by FTP, HTTP, or NFS.
2. Connect to the IPS-1 Power Sensor with a Serial Console.
3. Boot the Power Sensor. During disk initialization, you will see the following:
Press ESC twice to enter the ROM Menu, or any other key to auto boot.... Seconds Remaining until Auto Boot: 5
Within 5 seconds, press ESC twice.
4. When prompted for the ROM menu password, if you haven't set one, just press Enter. The main ROM menu appears.
5. Select Boot in Rescue Mode.
6. When the next menu appears, select (Re)Install System (manual).
7. Set the various date and time values, as prompted. Then confirm the date and time.
8. Available LDP images are listed, with their software version and build numbers. Select an LDP image number, or n to install from a network source.
9. In a network installation, you will be prompted for network information to enable the installation, as follows:
a. Set IP information for the Power Sensor's management interface.
b. Optionally, set a host and domain name. For example: mysensor.example.com
c. Type the default gateway address.
d. Type the IP address of the installation source.
e. Type the path on the installation source computer to the directory containing NR-INSTALL-DIRECTORY. Something like: /root/Power-Sensor.5.0.7/Install
f. Type the protocol to be used - ftp, nfs, or http. Depending on the selected protocol, you may be prompted for additional information.
10. Select the installation type. There should be only one choice (1).
11. In most cases, select to install to the Multiple Disk Array.
12. Select to install to the root partition. Wait for the system to complete formatting the partition. In most cases, do not create a local installation image. Select n. The system installs the packages and reboots twice. When finished, the system is at the same state as when shipped. Continue with the Initial Configuration of IPS-1 Power Sensor section of the Internet Security Product Suite Getting Started Guide.
Legacy Sensor Appliances: 200F, 310C, 320C, 320F
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler.
Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper.
Copyright (c) 2001, 2002 Expat maintainers.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). 
Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. The PHP License, version 3.0 Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo" 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>". 
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. This product includes software written by Tim Hudson (tjh@cryptsoft.com). THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.
Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.
U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.
Copyright ComponentOne, LLC 1991-2002. All Rights Reserved. BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")) Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release PCRE LICENCE PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself. Written by: Philip Hazel <ph10@cam.ac.uk> University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Copyright (c) 1997-2004 University of Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.
Index

A
Administrators 253

B
backup 127
Backup and Restore 216
Backup of system settings 127

C
CLM 210, 261
Clustered deployment 111
ClusterXL 26, 194
CMA 210, 214, 216, 251, 253, 261, 269
cma_migrate 212
cprid 114

E
errors 93, 141
Evaluation licenses 49
Eventia Analyzer 288
Eventia Reporter 112, 288
Expert mode 99, 118

F
Full Connectivity upgrade 200

G
Global Communities 255
Global VPN Communities 254

H
High Availability 110, 249, 259, 266
High Availability Environment 265

I
In Place Upgrade 26
Internal Certificate Authority 214
IPS-1 297
    Legacy Sensor Appliances 301
    Management Servers 297
    Power Sensors 298
    Sensors 298
IPSO Platform 107, 154

L
License Repository 33
License Upgrade 33
License Upgrade Tool Options 35
License_upgrade 34
Licensing Web Intelligence 88
Local Upgrade 111
LSM 26
LSMcli commands 280

M
Management plug-ins 22
MD5 checksum 120
MDS 209, 210, 216, 217, 252, 269
MDS environment 258
MDS High Availability 265
MDS services 258
mds_backup 217
mds_remove 264
mds_setup 265
migrate_assist 215
migrate_global_policies 216
migration process 91
Minimal Effort Upgrade 111, 194
MLM 261
Multi-MDS environments 259
MVS 26

N
Nokia clustering 195
Nokia OS 112

O
Operation Status 114
OPSEC 112, 113, 193

P
Package Repository 26, 276
patch command 100
Performance Pack 112
Plug & Play 272
PolicyServer 112
Pre-upgrade utilities 264
Pre-upgrade verification 88, 91, 94, 116, 139, 140, 142, 210, 259, 261

Q
QoS 112

R
release notes link 20
remote upgrade 272
restore 127
ROBO Gateway 26, 272, 276, 278
ROBO Profile 26

S
Safe Upgrade 119, 120, 250
SCP 127
SecureClient 53
SecurePlatform 41, 42, 44, 45, 89, 95, 97, 99, 112, 118, 139, 143, 146, 149, 229, 230, 234, 235, 239, 241
Security Policy 26
Service Contract Files 59
SmartCenter Server 27
SmartConsole Clients 27, 253
SmartDashboard 27
SmartDefense 270
SmartLSM 271
SmartUpdate 27, 39, 112, 193, 198, 244
SmartUpdate Upgrade 111
SmartView Monitor 112
Software Upgrade 33

T
TFTP 127, 130

U
Upgrade tools 28
UserAuthority 112
UserAuthority Server 112
UTM-1 112

V
Virtual Routers 27
Virtual System 27
VPN-1 distributed deployment 138
VPN-1 Edge Firmware package 273
VPN-1 Gateways 112
VPN-1 Server 142
VSX Clustering 27
VSX Gateway 27

W
warning 93, 141
Web Intelligence Licensing 88
What's New link 20
Wrapper 33

Z
Zero Downtime 111, 194

July 2008