Upgrade SmartEndPoint from R77.30.03 to R80.20 wit...

TheRealDiZ · ‎2019-07-12

Hi guys,

Anyone has already tried to upgrade SmartEndPoint server from R77.30.03 to R80.20?

In the R80.20 Install & Upgrade guide is stated :

"These instructions equally apply to:
• Security Management Server
• Endpoint Security Management Server"

!

Is that true?

Anyone that has upgraded a SmartEndPoint before has tips or suggestions about it?

I'm concern about for example:

1. The FDE feature where the EndPoint keys are stored on SmartEndPoint Server.. what happens to these keys? They will be export via migrate export?

2. Software deployment rules are based on a specific client package that will be pushed to EndPoint clients that will match that rule.. When you do an upgrade with migration the current packages will be exported via migrate export or I have to upload them manually on the new machine?

Let me know guys.. It will be very very appreciated 😆

PhoneBoy · ‎2019-07-13

One of the things I recommend doing in general is doing the migrate export/import into a VM before doing the import in production.
This way, you can observe the things that might need to be tweaked...or manually migrated.
As far as I know, the things you're asking about are migrated, but will check with R&D.

Eyal_Magidish · ‎2019-07-16

Hello,

I would like to answer your questions.

1. When upgrading an End Point server, advanced or in place, part of the process is to take all Full Disk Encryption and Media Encryption "Keys".

2. in order to run Advance upgrade first download R80.20 migration tools
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...

Then use the following command:

Open a command prompt on the source server.
Change directory to: $FWDIR/bin/upgrade_tools (use R80.20 migration tools)
Run migrate export with the path to the output (.tgz) file.
For example: ./migrate export <output_file_name>

The <output_file_name> can be the output file path. If you do not include an output file path, the utility generates the tgz file in the $FWDIR/bin/upgrade_tools directory.
- To automatically include all client MSI packages, run:
  ./migrate export --include-uepm-msi-files <output_file_name>.tgz
- To export files without MSI packages, run:
  ./migrate export <output_file_name>.tgz

To restore Endpoint Security data:

Copy the tgz file from the source server to the target server.
Open a command prompt.
Change directory to: $FWDIR/bin/upgrade_tools
Run migrate import with the full path to the input (.tgz) file.
For example: ./migrate import <input_file_name>

To automatically include all client MSI packages, run:

./migrate import --include-uepm-msi-files <input_file_name>.tgz

To export files without MSI packages, run:

./migrate import <input_file_name>.tgz
When prompted, restart the target server.

You may encounter clients that are disconnected, please refer to sk90560.

If you have any concern running the following, please open a support ticket, TAC engineer will be happy to assist.

Regards,

Eyal Magidish

Vladimir · ‎2019-07-16

@TheRealDiZ , I have performed one migration from SMS/EPM combo server to R80.20 with "./migrate export --include-uepm-msi-files". All seem to be in order. In my case, disk encryption was not implemented on the source management server, so I cannot say anything on that subject. MSIs were migrated without issues.

TheRealDiZ · ‎2019-07-22

Hi @Eyal_Magidish @PhoneBoy @Vladimir ,

Thank you all guys for your answers! Very appreciated.

By the way @Vladimir do you have perform the Advanced Upgrade in place or the upgrade with Migration?

As @PhoneBoy suggested I'm going to perform the procedure with "Migration" in order to check all the configuration before implementing them in production environment.

@PhoneBoy Do you have suggestions about specific things (particular configurations/anomalies) that I should worry about?

Do you have any tips/reccomendations from R&D team?

Many many thanks to all of you again! 🙂

PhoneBoy · ‎2019-07-22

The one thing that's difficult to simulate in your test environment is actual policy installs/updates to your production gateways.
With Endpoint, you can at least set up a test Endpoint to deploy policy on--I suppose you can do this with gateways as well.
Demo licenses are your friend here.

Other than that, I would just go through your normal workflow and see if anything is amiss.

Vladimir · ‎2019-07-22

@TheRealDiZ , this was Advanced upgrade with migration.

This is, generally, my preferred method, as it allows for the modeling and simulation in the virtual lab environments. Clients typically drop their 77.30 exports with database revisions, legacy services and some interesting takes on policies that I have the opportunity to cleanup before importing it in the lab and subsequently, in production.

TheRealDiZ · ‎2019-08-04

Hi guys,

I just want to share with the community my findings.. there some VERY critical step in order to fully deploy R80.20 End Point Security Server and also to be able to upgrade EP clients to the latest E81.10 release.

First of all there was a very confusing options in the "Install and Upgrade Guide R80.20" and I have already shared it with the TAC and should be fixed in when you download the R80.20 Install and Upgrade guide or documentation package.

"Advanced Upgrade with Migration EP Security Server"

---------------------------------------------------------------------------

1. Install the correct ISO using the upgrade wizard & latest JHFA

(*If you're installing the EP Security Server on VMware Esxi you can use as guestOS:

Other Linux 64 Bit
RHEL7)

2. This is the correct commands in order to properly migrate the DB:

To export the DB

./migrate export -x --include-uepm-msi-files /var/log/<Name of Exported File>

To import the DB

./migrate import -x --include-uepm-msi-files /var/log/<Name of Exported File>

*Note: If you want you can use it:

yes | nohup ./migrate export -x -n --include-uepm-msi-files /var/log/<Name of Exported File>

Flags meaning

-x = export logs with their index

yes | nohup = in order to give the (y) confirmation by the command itself instead of you typing "y" each time

-n = non-interactive mode so you can basically skip the interactive menu

--include-uepm-msi-files = includes all customer's msi files and I think it is a very important flag when you have several software deployment rule

DO NOT USE* --exclude-uepm-postgres-db = It will actually exclude ALL the End Point Server Security policies!!

3. After the import you have to:

Via expert mode on the EP Security Server

cpstop ; cpstart
Install the DB (from Smart Console upper left menu --> Install DB)
Be careful check the rule PAT number or you can encounter issue with EP clients that will connect to the new EP Security Server; I suggest to do a new export the same day of the deploy in order to have same PAT rule number

--If the customer has AM blade active this and the next one are critical steps--

4. Install the AM Engine First:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

5. Install the AM updater:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

(* if you won't do these two steps the EP client will not able to upgrade itself to the new EP client version due to "unable to update AM" when match the Software Deployment Rule)

---------------------------------------------------------------------------

*Also if you have FDE in place and the customer wants to upgrade Windows OS read carefully EP E8X.XX release notes and be sure to check the os upgrade in place procedure via sk "How to upgrade to Windows 10 1607 and above with FDE in-place":

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I hope this can help other people!

Enjoy!

Your CP guy @TheRealDiZ 🙂

Are you a member of CheckMates?

Upgrade SmartEndPoint from R77.30.03 to R80.20 with migration