This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TheRealDiZ
Collaborator
‎2019-07-12 03:09 AM

Upgrade SmartEndPoint from R77.30.03 to R80.20 with migration

Hi guys,

 

Anyone has already tried to upgrade SmartEndPoint server from R77.30.03 to R80.20?

In the R80.20 Install & Upgrade guide is stated :

"These instructions equally apply to:
• Security Management Server
• Endpoint Security Management Server"

!

Is that true?

Anyone that has upgraded a SmartEndPoint before has tips or suggestions about it?

 

I'm concern about for example:

1. The FDE feature where the EndPoint keys are stored on SmartEndPoint Server.. what happens to these keys? They will be export via migrate export?

2. Software deployment rules are based on a specific client package that will be pushed to EndPoint clients that will match that rule.. When you do an upgrade with migration  the current packages will be exported via migrate export or I have to upload them manually on the new machine?

 

Let me know guys.. It will be very very appreciated 😆

 

 

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2019-07-13 07:23 PM

One of the things I recommend doing in general is doing the migrate export/import into a VM before doing the import in production.
This way, you can observe the things that might need to be tweaked...or manually migrated.
As far as I know, the things you're asking about are migrated, but will check with R&D.
Eyal_Magidish
Employee
Employee
‎2019-07-16 12:58 PM

Hello,

I would like to answer your questions.

1. When upgrading an End Point server, advanced or in place, part of the process is to take all Full Disk Encryption and Media Encryption "Keys".

2. in order to run Advance upgrade first download R80.20 migration tools
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...   

Then use the following command:

  1. Open a command prompt on the source server.
  2. Change directory to: $FWDIR/bin/upgrade_tools (use R80.20 migration tools)
  3. Run migrate export with the path to the output (.tgz) file.

    For example: ./migrate export <output_file_name>

    The <output_file_name> can be the output file path. If you do not include an output file path, the utility generates the tgz file in the $FWDIR/bin/upgrade_tools directory.

    • To automatically include all client MSI packages, run:
      ./migrate export --include-uepm-msi-files <output_file_name>.tgz
    • To export files without MSI packages, run:
      ./migrate export <output_file_name>.tgz

To restore Endpoint Security data:

  1. Copy the tgz file from the source server to the target server.
  2. Open a command prompt.
  3. Change directory to: $FWDIR/bin/upgrade_tools
  4. Run migrate import with the full path to the input (.tgz) file.

    For example: ./migrate import <input_file_name>

    To automatically include all client MSI packages, run:

    ./migrate import --include-uepm-msi-files <input_file_name>.tgz

    To export files without MSI packages, run:

    ./migrate import <input_file_name>.tgz

  5. When prompted, restart the target server.

You may encounter clients that are disconnected, please refer to sk90560.

If you have any concern running the following, please open a support ticket, TAC engineer will be happy to assist. 

 

Regards,

Eyal Magidish

Vladimir
Champion
Champion
‎2019-07-16 02:04 PM

@TheRealDiZ , I have performed one migration from SMS/EPM combo server to R80.20 with "./migrate export --include-uepm-msi-files". All seem to be in order. In my case, disk encryption was not implemented on the source management server, so I cannot say anything on that subject. MSIs were migrated without issues.

TheRealDiZ
Collaborator
‎2019-07-22 02:37 AM
In response to Vladimir

Hi @Eyal_Magidish  @PhoneBoy  @Vladimir ,

Thank you all guys for your answers! Very appreciated.

 

By the way @Vladimir do you have perform the Advanced Upgrade in place or the upgrade with Migration?

As @PhoneBoy  suggested I'm going to perform the procedure with "Migration" in order to check all the configuration before implementing them in production environment.

 

@PhoneBoy Do you have suggestions about specific things (particular configurations/anomalies) that I should worry about?

Do you have any tips/reccomendations from R&D team?

 

Many many thanks to all of you again! 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-22 09:48 AM
In response to TheRealDiZ

The one thing that's difficult to simulate in your test environment is actual policy installs/updates to your production gateways.
With Endpoint, you can at least set up a test Endpoint to deploy policy on--I suppose you can do this with gateways as well.
Demo licenses are your friend here.

Other than that, I would just go through your normal workflow and see if anything is amiss.
Vladimir
Champion
Champion
‎2019-07-22 11:17 AM
In response to TheRealDiZ

@TheRealDiZ , this was Advanced upgrade with migration.

This is, generally, my preferred method, as it allows for the modeling and simulation in the virtual lab environments. Clients typically drop their 77.30 exports with database revisions, legacy services and some interesting takes on policies that I have the opportunity to cleanup before importing it in the lab and subsequently, in production. 

TheRealDiZ
Collaborator
‎2019-08-04 02:21 AM
In response to Vladimir

Hi guys,

 

I just want to share with the community my findings.. there some VERY critical step in order to fully deploy R80.20 End Point Security Server and also to be able to upgrade EP clients to the latest E81.10 release.

First of all there was a very confusing options in the "Install and Upgrade Guide R80.20" and I have already shared it with the TAC and should be fixed in when you download the R80.20 Install and Upgrade guide or documentation package.

"Advanced Upgrade with Migration EP Security Server"

---------------------------------------------------------------------------

1. Install the correct ISO using the upgrade wizard & latest JHFA

(*If you're installing the EP Security Server on VMware Esxi you can use as guestOS:

  • Other Linux 64 Bit
  • RHEL7)

2. This is the correct commands in order to properly migrate the DB:

To export the DB

./migrate export -x --include-uepm-msi-files /var/log/<Name of Exported File>

To import the DB

./migrate import -x --include-uepm-msi-files /var/log/<Name of Exported File>

 

*Note: If you want you can use it:

yes | nohup ./migrate export -x -n --include-uepm-msi-files /var/log/<Name of Exported File>

Flags meaning

-x = export logs with their index

yes | nohup = in order to give the (y) confirmation by the command itself instead of you typing "y" each time

-n = non-interactive mode so you can basically skip the interactive menu

--include-uepm-msi-files = includes all customer's msi files and I think it is a very important flag when you have several software deployment rule 

DO NOT USE* --exclude-uepm-postgres-db = It will actually exclude ALL the End Point Server Security  policies!!

 

3. After the import you have to:

Via expert mode on the EP Security Server

  • cpstop ; cpstart 
  • Install the DB (from Smart Console upper left menu --> Install DB)
  • Be careful check the rule PAT number or you can encounter issue with EP clients that will connect to the new EP Security Server; I suggest to do a new export the same day of the deploy in order to have same PAT rule number

--If the customer has AM blade active this and the next one are critical steps--

4. Install the AM Engine First:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

5. Install the AM updater:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 (* if you won't do these two steps the EP client will not able to upgrade itself to the new EP client version due to "unable to update AM" when match the Software Deployment Rule)

---------------------------------------------------------------------------

*Also if you have FDE in place and the customer wants to upgrade Windows OS read carefully EP E8X.XX release notes and be sure to check the os upgrade in place procedure via sk "How to upgrade to Windows 10 1607 and above with FDE in-place":

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

 

I hope this can help other people!

Enjoy!

Your CP guy @TheRealDiZ 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events