topic Re: Upgrading Checkpoint management to R80.X from R77.30 in Firewall and Security Management

Upgrading Checkpoint management to R80.X from R77.30

Michael-Polevoy — Fri, 27 Sep 2019 11:49:27 GMT

Hi All

I have a 17 years old Checkpoint standalone management server, was originally 4.1 and was upgrade through the years to R77.30.

I would like to upgrade the management server to R80.X

I was able to export and import the configuration on a new R80.10 server, but the CPM service was not started.

I was found it is related to the ICA.

I understand I would need to upgrade the ICA certificate to a new version. (SHA-256)

I have many VPNs the relays on this ICA. In addition, I have many users in the internal database, that are using user certificates for remote access authentication, issued by the ICA.

What would be the best way to update the ICA certificate without causing problems to the VPNs and the user authentication?

Best regards,

Michael

Re: Upgrading Checkpoint management to R80.X from R77.30

Daniel_Taney — Fri, 27 Sep 2019 13:21:34 GMT

Have you seen this sk? I think it explains how to accomplish what it is you need to do.

Re: Upgrading Checkpoint management to R80.X from R77.30

Michael-Polevoy — Wed, 02 Oct 2019 08:28:29 GMT

Thanks for the article.

What about the ICA itself which is

Not Valid Before: Wed Jun 19 11:53:44 2002 Local Time
Not Valid After: Tue Jun 14 11:53:44 2022 Local Time
Serial No.: 1
Public Key: RSA (1024 bits)
Signature: RSA with SHA1

Will it block me from upgrading to R80.X?

Re: Upgrading Checkpoint management to R80.X from R77.30

Maarten_Sjouw — Wed, 02 Oct 2019 09:41:38 GMT

To be frank I would skip R80.10 altogether, I have a MDS which was migrated many times as well and I moved a number of domains manually from that server to another MDS running R80.10. I had loads of problems with validation errors and other stuff that did not work properly.
When we upgraded that R80.10 MDS to R80.30 we again ran into a lot of issues with validations on the same domains. Both times TAC and R&D were needed to resolve the problems.
Recently I migrated the R77.30 to R80.30 and had no problems of the sort at all.

Re: Upgrading Checkpoint management to R80.X from R77.30

Tal_Paz-Fridman — Wed, 02 Oct 2019 09:47:35 GMT

You can start by downloading the R80.30 Migrate Tools and running the Pre-Upgrade Verifier

https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=84076

Re: Upgrading Checkpoint management to R80.X from R77.30

Michael-Polevoy — Wed, 02 Oct 2019 12:36:33 GMT

Tal,

I run the pre-upgrade tool of R80.30.

It did not stated any problems with the ICA, certificates, or SHA-1.

This is the behavior I had once I tried to migrate to R80.10, but once the migrate import had finished the CPM service was not started.

Regards,

Michael

Re: Upgrading Checkpoint management to R80.X from R77.30

Tal_Paz-Fridman — Wed, 02 Oct 2019 12:40:32 GMT

Hi Micheal

Thanks for updating me. I will check why this is not part of the Pre-Upgrade Verifier checks (and look into adding it to newer versions of the Migrate Tools.)

Thanks

Tal

Re: Upgrading Checkpoint management to R80.X from R77.30

Maarten_Sjouw — Wed, 02 Oct 2019 12:58:24 GMT

Tal,

While you are at that, could you also ask why the user.def file is not reported in the Pre-Upgrade Verifier?

Re: Upgrading Checkpoint management to R80.X from R77.30

Michael-Polevoy — Wed, 16 Oct 2019 18:48:26 GMT

I got a fix and below procedure from the support

install provided hotfix
cpca_client set_sign_hash sha256
cpca_client re_sign_ca
sicRenew -d
mv $CPDIR/conf/new_sic_cert.p12 $CPDIR/conf/sic_cert.p12
cpstop; cpstart (make sure the server is up again)
mcc lca (copy the presented ca name)
mcc replace ~/new_ica.cer
cpstop; cpstart

I completed steps 1 to 6 and was able to start the management services including the CPM.

Do someone knows what steps 7 to 9 are doing?

Best regards,

Michael