This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fabien88920
Explorer
‎2025-11-06 06:47 AM
Jump to solution

Upgrade Experience: Log Server & Management Server from 81.20 → R82.00

Hi everyone,
We recently upgraded our Log Server and Management Server from 81.20 to R82.00.
Has anyone else done this upgrade? Any issues or best practices to share? 

Anyone Upgraded to R82.00? Looking for Feedback

0 Kudos
1 Solution

Accepted Solutions
Natan_Chamilevs
Employee
Employee
‎2026-01-27 03:03 PM
In response to CheckPointerXL
Jump to solution

Hi @CheckPointerXL,

My name is Natan Chamilevski, and I manage the team responsible for Management upgrades.

You are correct that the Secondary Management Server / Log Server (including MDS/MLM environments) must be upgraded to the same version and the same Jumbo Hotfix Take (JHF) as the Primary Management Server.

This requirement exists because during the import phase, HA synchronization is performed, and successful synchronization requires that both machines run identical software versions and JHF takes.

In practice, this means:

  • If the Primary Management Server has a JHF installed after upgrading to the target version, the Secondary Management Server / Log Server must be upgraded to the same version and have the same JHF installed.

  • If the Primary Management Server does not have a JHF installed, the Secondary Management Server / Log Server must not be upgraded using Blink.

There are several supported upgrade paths using CPUSE:

  1. Upgrade all Management Servers and Log Servers using Blink via CPUSE.

  2. Upgrade all Management Servers and Log Servers to the new version first, and only after the upgrade is completed, install the JHF on all machines via CPUSE.

  3. Upgrade the Primary Management Server to the new version and install the JHF manually, then upgrade the Secondary Management Servers and Log Servers using Blink.

For Advanced Upgrade, before running the import operation on the Secondary Management Server / Log Server, it must already have the same JHF take installed as the Primary Management Server (or no JHF installed, if none exists on the Primary Management Server).

The same rules and upgrade paths apply to MDS and MLM deployments as well.

Best regards,
Natan Chamilevski

View solution in original post

(1)
29 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-11-06 07:01 AM
Jump to solution

I did that in the lab few months ago. Did not see any issues at all, went very smooth, no problems. I did generate show config and backup prior, yes, took some time for the upgrade, because after reboot, it still needed to "reimport" all the database etc, so whole process can take 2-3 hours, so you would need to be patient. I recommend to do it either on the weekend or later at night, just to be on the safe side.

Otherwise, just install recommended jumbo as well.

Thats my honest advice.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-11-06 08:05 AM
In response to the_rock
Jump to solution

I personally do management upgrades and updates during the business day. I want them stable on weekends and at night in case I get paged to deal with some weird issue, but my team is usually fine being unable to stage new changes for a few hours. 😉

And yeah, management updates (installing a jumbo) are normally very fast, but management upgrades (like R81.20 to R82) take a long time. I've had an MDS take over six hours to upgrade before.

the_rock
MVP Diamond
MVP Diamond
‎2025-11-06 08:10 AM
In response to Bob_Zimmerman
Jump to solution

I get your logic...its just sometimes even though its management, better be safe than sorry 🙂

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-11-06 08:32 AM
In response to the_rock
Jump to solution

From my perspective, doing the upgrade during the day is the safer option.

We even do some firewall upgrades during the day. The logic there is the upgrades are too important to do while sleep-deprived. We want everybody sharp so any issues are noticed quickly and we can figure out what's going on. Sleep deprivation affects thinking and judgement on par with being drunk. We would never consider requiring admins liquor up before a change, so why would we require people to be up for >20 hours straight before changes?

Doesn't work for everybody, but it sure works for us.

the_rock
MVP Diamond
MVP Diamond
‎2025-11-06 08:37 AM
In response to Bob_Zimmerman
Jump to solution

In my experience, it really depends on the customer. Just to always be on a cautious side, we always recommend doing this after hours.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2025-11-11 05:33 AM
In response to the_rock
Jump to solution

We are an end customer, and we are not allowed to upgrade our environment (which includes 4 MDS and 9 MLM) on a weekday — nor would we do so even if it were allowed. 🙂
We usually do that on weekends. First weekend MDS and weekend after MLM.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Alex-
MVP Silver
MVP Silver
‎2025-11-06 08:39 AM
In response to Bob_Zimmerman
Jump to solution

Totally. And you get direct feedback from the business and can direct resources where needed more easily than calling on-duty teams left and right, or finding out the next working day.

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-11-06 07:12 AM
Jump to solution

There is one issue on a management server I have encountered several times now:

You need to make sure you have the IPS CRC marker file.  If this isn't present, the pre-upgrade verifier will tell you in the report, but if you are doing a Blink upgrade then you might not find out until it's too late.  The file is $FWDIR/conf/SMC_Files/asm/crc_marker_db.fws.  This is (now) covered in sk175089: https://support.checkpoint.com/results/sk/sk175089

If the file does not yet exist for some reason, you can create the zero-byte file as discussed in the SK.  If you ignore the verifier warning and proceed with the upgrade, the database import will fail and your R82 server will be destroyed; you will have to start over with the R81.20 source.  Be warned!  (i had this happen to a management server, learned the hard way)

Otherwise, gateway upgrades have gone well thus far, and other management servers have also gone well (after accounting for the above warning).  Post-upgrade, R82 has thus far performed rather well, which is what I expected.  Kudos to R&D on this one!

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Diamond
MVP Diamond
‎2025-11-06 07:14 AM
In response to Duane_Toler
Jump to solution

Definitely good advice...personally, never had that issue myself.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-11-06 07:34 AM
In response to the_rock
Jump to solution

Good!  You don't want to endure that. 🙂 Thankfully I was doing the advanced migration for the customer, moving to a new Azure CloudGuard server, so I had the original source host still available.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-06 07:45 AM
In response to Duane_Toler
Jump to solution

Yea, guess depends on the actual process 🙂

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-11-06 07:40 AM
Jump to solution

We upgraded all of our managements and log servers from R81.20 to R82 about a week after it became the generally recommended version. A few false starts with Blink cost us several hours. When we switched to a two-step upgrade (upgrade to the major version, then update to the jumbo as a separate step), it worked. Our management environment is four MDSs (two HA pairs), four MLMs, four SmartCenters, and two log servers (two of the SmartCenters aren't big enough to need separate log servers).

We've also upgraded eight clusters to R82 with a ninth in a few days. Those have gone smoothly.

Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-11-09 11:43 PM
In response to Bob_Zimmerman
Jump to solution

@Bob_Zimmerman - can you please share what issues you encountered with Blink?

I'm glad that eventually the upgrade worked for you in two steps, but I want to make sure that the Blink option will work as well.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-11-10 09:07 AM
In response to Tomer_Noy
Jump to solution

It just failed with no message. I tried it on three managements: a SmartCenter+log server, a SmartCenter which doesn't handle logs, and a log server with no policy management. No secondary managements in either environment. All three ground for an hour, then failed and took me back to R81.20.

0 Kudos
Gregory_Azratz
Employee
Employee
‎2025-11-10 11:34 PM
In response to Bob_Zimmerman
Jump to solution

Hi @Bob_Zimmerman ,

if by any chance you have the logs from the failed attempts or a way to reproduce it - it will be great
We would like to investigate this and hopefully find the root cause which caused this bad experience.

Gregory

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2026-01-26 06:00 AM
In response to Tomer_Noy
Jump to solution

this is something that needs to be clarified

into admin guide is stated only that management needs to be upgraded first of all

but in my experience, update it + install a jumbo on top, and then try to update a log server it triggers a failed upgrade on log server (Automatically roll back to previous vesrion)

so it seems that it's correct to say "upgrade first the management ONLY to the major version (no jumbo, no blink) then rest of infrastructure, and then finally the jhfs)

is this confirmed in r82?

(1)
the_rock
MVP Diamond
MVP Diamond
‎2026-01-26 06:17 AM
In response to CheckPointerXL
Jump to solution

I would agree with that statement @CheckPointerXL 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Natan_Chamilevs
Employee
Employee
‎2026-01-27 03:03 PM
In response to CheckPointerXL
Jump to solution

Hi @CheckPointerXL,

My name is Natan Chamilevski, and I manage the team responsible for Management upgrades.

You are correct that the Secondary Management Server / Log Server (including MDS/MLM environments) must be upgraded to the same version and the same Jumbo Hotfix Take (JHF) as the Primary Management Server.

This requirement exists because during the import phase, HA synchronization is performed, and successful synchronization requires that both machines run identical software versions and JHF takes.

In practice, this means:

  • If the Primary Management Server has a JHF installed after upgrading to the target version, the Secondary Management Server / Log Server must be upgraded to the same version and have the same JHF installed.

  • If the Primary Management Server does not have a JHF installed, the Secondary Management Server / Log Server must not be upgraded using Blink.

There are several supported upgrade paths using CPUSE:

  1. Upgrade all Management Servers and Log Servers using Blink via CPUSE.

  2. Upgrade all Management Servers and Log Servers to the new version first, and only after the upgrade is completed, install the JHF on all machines via CPUSE.

  3. Upgrade the Primary Management Server to the new version and install the JHF manually, then upgrade the Secondary Management Servers and Log Servers using Blink.

For Advanced Upgrade, before running the import operation on the Secondary Management Server / Log Server, it must already have the same JHF take installed as the Primary Management Server (or no JHF installed, if none exists on the Primary Management Server).

The same rules and upgrade paths apply to MDS and MLM deployments as well.

Best regards,
Natan Chamilevski

(1)
CheckPointerXL
Advisor
Advisor
‎2026-01-28 12:09 AM
In response to Natan_Chamilevs
Jump to solution

Hi Natan,

thanks for your feedback and to have confirmed that.

I think a (!) Note about avoiding any JHF misalignment during major release upgrades could be helpful in the admin guide

Thanks again and br

 
0 Kudos
yura_k
Contributor
Contributor
‎2026-03-06 01:35 AM
In response to Natan_Chamilevs
Jump to solution

Hi Natan! Could you please tell us does the CRL issue from sk184766 affect the procedure for updating the management server to version R82?

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2026-03-06 06:18 AM
In response to yura_k
Jump to solution

I can confirm that,  yes, it will.  I did an R81.20 -> R82 upgrade on a gateway this week.  This upgrade was CloudGuard so the Blink image could not be used.  As such, the upgrade was to R82 and no jumbo HFA.  After the initial upgrade, the Gaia deployment agent could not download update packages from Check Point.  I had to manually copy over Jumbo HFA 60, install it, then manually copy over the post-JHF hotfix, and install that.  That made everything work.

In addition to being CloudGuard, this gateway was managed with Infinity Portal Smart-1 Cloud.  This CRL issue also meant that the cloud management service was unable to reconnect until I did the Jumbo HFA and hotfix.

Even though your upgrade is for a management server, be sure you have a way to copy the Jumbo HFA and hotfixes to your host.  If you have R82 gateways with your R82 management server, you need the hotfix on all management servers and gateways (or do the CRL validation grace period extension).

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
yura_k
Contributor
Contributor
‎2026-03-06 07:18 AM
In response to Duane_Toler
Jump to solution

This week, my colleague complained that he had failed at management server upgrade from version 81.20 to 82 via the CPUSE, because after rebooting, in the detailed upgrade report, some CRL check did not complete for a long time, and then the server rebooted again and Gaia rolled back to the previous version.

0 Kudos
Oliver_Fink
Advisor
Advisor
‎2026-03-06 07:38 AM
In response to yura_k
Jump to solution

This could be "sk184766 – Certificate and CRL validation fails from March 1, 2026". R82 and R82.10 are affected.

If this is the case, then you will have to do advanced upgrade. In inplace upgrade you cannot patch within the upgrade process. 🤔

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2026-03-06 09:40 AM
In response to yura_k
Jump to solution

I you have the option, you could try the Blink upgrade with JHF 60 included, but you still need to install the post-JHF hotfix for it.  Soon, Check Point will have an update Jumbo HFA with this fix included along with a Blink upgrade for gateways and management.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Ofer_Barzvi
Employee
Employee
‎2026-03-07 03:19 AM
In response to yura_k
Jump to solution

Hi @yura_k ,
Yesterday we published https://support.checkpoint.com/results/sk/sk184782 about upgrade failure of Multi-Domain Log Server which wasn't seen in other management machines, but suggest to verify that latest upgrade tools (referenced in https://support.checkpoint.com/results/sk/sk135172) are installed on management machines before doing another upgrade.

I also would like to take a look on the upgrade failure that you got , so please email me (or send link to a shared folder) latest /var/log/upgrade-export*.tgz and /var/log/upgrade-import*.tgz from one of the failed machines .

Thanks,
Ofer Barzvi
barzvi@checkpoint.com



0 Kudos
Alex-
MVP Silver
MVP Silver
‎2025-11-06 08:21 AM
Jump to solution

On top of what was already said, if you use VMWare, you might consider an advanced upgrade on a new virtual system. You can then define it as RH8 with Paravirtual which sensibly improve I/O compared to previous versions.

Edit: it's really easy, you disconnected the network to the R81.20 one, create a new VM with these settings, stage it with the same IP, FTW, JHF, import and you're set with better performance.

(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-11-06 08:26 AM
In response to Alex-
Jump to solution

Excellent advice Alex.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-07 07:10 PM
In response to Alex-
Jump to solution

Further to this please ensure you pay attention to the vNIC type, avoid "flexible" also E1000 support will be ending.

CCSM R77/R80/ELITE
the_rock
MVP Diamond
MVP Diamond
‎2025-11-08 04:29 AM
In response to Chris_Atkinson
Jump to solution

I always use xmxnet3 in eve-ng.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events