Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
hugothebas
Contributor
Contributor

Jumbo installation on open server gateway

Hello community.

I have a customer that has a security gateway cluster installed on 2 open servers of an unknown brand name.

last week we upgraded them from R80.10 to R80.40, that was only possible using a blink image and only downloading and importing it, it was not possible to directly download it from CPUSE, and major upgrade package was not possible either. after a lot of trouble we were able to upgrade using blink image with Jumbo take 91.

After that we tried to install Jumbo take 94 via CPUSE, it went all OK during installation, but after completion, no traffic would pass through the GWs (same behavior that when we tried to do a clean install using blink image), then I uninstalled Jumbo T94 and it started working again.

I saw at sk165456 that for Open Servers I should use blink images:

scr1.png

 

But is that a way to install only JHA or do I need to use upgrade command as if I was going to upgrade GW version?

Thanks.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

When upgrading from a prior release on Open Servers to R80.40, a blink image is needed as there are some fixes that are required on Open Server that were not part of the initial GA release.
Once on R80.40, you should be able to use a normal CPUSE upgrade on Open Server.

In this case, I’d open a TAC case.

Tobias_Moritz
Advisor

While I have no idea what is the cause of your current problem, I can tell you that normally, on a OpenServer supported by Check Point (check HCL), everything works fine:

  • Plain install with ISO
  • CPUSE: Major Upgrade to vanilla GA, Major Upgrade with Blink, Jumbo HFA installation, all with direct download over CPUSE*

* Download over CPUSE directly from CP requires internet connection and a valid license / contract.

The reason to use blink image for upgrade (or appliance re-image) instead of vanilla + Jumbo HFA is:

  • its faster, only one reboot instead of two.
  • in case you have an existing gateway exposed to unsecure or critical networks (and you do not isolate it during the upgrade), than you do not have a timespan where an unpatched vanilla gateway is in service. Otherwise an example: R80.30 Jumbo HFA Txxx with critical security patches -> upgrade to R80.40 vanilla GA (without current security patches) -> update to Jumbo HFA Tyyy with critical security patches.

If both points aren't relevant for you, it does not matter if you use vanilla + jumbo or blink with integrated jumbo.

If you install an Open Server from scratch, you have to use vanilla ISO because CP does not provide a Blink ISO yet, only Blink tgz files which either need an appliance or an OpenServer with has already Gaia installed.

You said Open Server with unknown brand name, so I would suggest checking HCL or at least driver compatibility regarding NICs.

Just for interest, you said "it was not possible do directly downloading it from CPUSE": What was the error message?

hugothebas
Contributor
Contributor

Thanks guys.

after reading both replies it's clear that something is wrong with my environment, because I did everything like you said.

I will open a TAC for this case.

@Tobias_MoritzUnfortunately I can't remember  what was the error message and since I upgraded it by importing the image, I can't reproduce either. Sorry for that.

Anyway, thanks to you both again for your help.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events