https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219328#M36548 <P>I would say 100% you dont need to, because gateways will fetch last known policy from the mgmt server. The only time I had seen happen otherwise is when you do major upgrade, say from R80.40 to R81.20, where after reboot, it loads initial policy, so you need to unload it and install real one from mgmt server. In one instance, I even had customer tell me it loaded whats called "default filter", which literaally block everything and you need to console in, run fw unloadloca, but thats super RARE.</P> <P>Either way, I always advise people to have physical access, just to be on the safe side.</P> <P>Hope that helps.</P> <P>Best,</P> <P>Andy</P> Mon, 01 Jul 2024 21:04:34 GMT the_rock 2024-07-01T21:04:34Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219286#M36539 <P>&nbsp;</P><P>I have a query that&nbsp;<STRONG>do I need to install policy after each upgrade?</STRONG><SPAN>&nbsp;</SPAN>And if yes then both cluster members or the Firewall which is upgraded/not upgraded selected for policy push? I am not sure if HotFix upgrade requires policy install step. I have MDS managing all the firewalls.</P><P>Earlier when I did policy install step it was when OS was upgraded R77 to 81. I have change the version name from r77 to r81 in Gateway Cluster Properties--&gt;General Properties--&gt;Platform---&gt;Version and then push the policy.</P><P>I followed these steps while upgrading from R77.30 to R81 take 392:</P><P>Start with Passive Firewall(ideally)<BR />Install latest/recommended Deployment Agent(DA) if installation is not automatically enabled on the firewalls<BR />Upload/Copy of IOS Image on the concerned firewall<BR />Verify IOS Image - Check_Point_R81_T392<BR />After successful verification - Upgrade FW with IOS image<BR />Upload Hot Fix - Check_Point_R81_JUMBO_HF_MAIN_Bundle_T77<BR />Verify uploaded Hot Fix_Bundle_T77<BR />After successful verification, Install Hot Fix<BR />Change Name to R81 on MDS<BR />Policy Push for version R81 after First Firewall IOS &amp; HF upgrade<BR />Revert to Clish Mode in the both Firewalls CLI</P><P>Repeat same steps for Active Firewalls<BR />Policy Push for version R81 after First Firewall IOS &amp; HF upgrade<BR />Make sure Primary Firewall is now active</P><P>&nbsp;</P><P>Thanks!</P> Mon, 01 Jul 2024 15:31:54 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219286#M36539 MVS_VF 2024-07-01T15:31:54Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219314#M36545 <P>Installing policy is required on version upgrades because the policy compilation is different for each version.<BR />This is not the case for hotfix installations.</P> Mon, 01 Jul 2024 19:00:49 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219314#M36545 PhoneBoy 2024-07-01T19:00:49Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219326#M36547 <H2>Prerequisites</H2> <P>To use Central Deployment:</P> <UL> <LI> <P>A policy must be installed on the target<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgates variable">Security Gateways</SPAN><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_clmbs variable">Cluster Members</SPAN>.</P> </LI> </UL> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Central-Deployment-of-Software-Packages.htm?Highlight=jumbo" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Central-Deployment-of-Software-Packages.htm?Highlight=jumbo</A></P> <P>Would recommended to the same if you for example Jumbo update the server that manages the gateways. Maybe during the versions something changed regarding policy push so you want to push policy.</P> <P>For normal Jumbo updates via CLISH or CPUSE I would also do it just to be sure but it is not needed. Jumbo update can finish and just run fine without push. But in my opinion it is also a form of a health check after jumbo.&nbsp;</P> Mon, 01 Jul 2024 20:37:37 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219326#M36547 Lesley 2024-07-01T20:37:37Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219328#M36548 <P>I would say 100% you dont need to, because gateways will fetch last known policy from the mgmt server. The only time I had seen happen otherwise is when you do major upgrade, say from R80.40 to R81.20, where after reboot, it loads initial policy, so you need to unload it and install real one from mgmt server. In one instance, I even had customer tell me it loaded whats called "default filter", which literaally block everything and you need to console in, run fw unloadloca, but thats super RARE.</P> <P>Either way, I always advise people to have physical access, just to be on the safe side.</P> <P>Hope that helps.</P> <P>Best,</P> <P>Andy</P> Mon, 01 Jul 2024 21:04:34 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219328#M36548 the_rock 2024-07-01T21:04:34Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219330#M36549 <P>For the context and I hope&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;will correct me if Im mistaken, but I believe this is how it works with policy:</P> <P>1) FW will always get policy from the mgmt first</P> <P>2) If 1 fails, then it will try fetch locally stored one in $FWDIR/state/_tmp/FW1&nbsp;</P> <P>3) If 1 and 2 fail, then it would load initial policy, which allows ssh AND web UI, but ONLY on port 443</P> <P>4) if all fails, then most likely default filter will be applied, which block everything, including ssh and web UI</P> <P>Andy</P> Mon, 01 Jul 2024 21:16:39 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219330#M36549 the_rock 2024-07-01T21:16:39Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219336#M36550 <P>I believe this is still how it works after all these years <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 01 Jul 2024 21:50:46 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219336#M36550 PhoneBoy 2024-07-01T21:50:46Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219337#M36551 <P>I figured, but have to confirm from the BEST! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 01 Jul 2024 22:05:33 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219337#M36551 the_rock 2024-07-01T22:05:33Z https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219465#M36583 <P>Note that this is about the policy push in the middle of a major or minor version upgrade (when you have only upgraded one member). That's definitely not needed for jumbos.</P> <P>You should push policy at the end, once both members are updated.</P> Tue, 02 Jul 2024 17:52:05 GMT https://community.checkpoint.com/t5/General-Topics/Do-I-need-to-install-policy-after-each-HOTFIX-upgrade/m-p/219465#M36583 Bob_Zimmerman 2024-07-02T17:52:05Z