Jose_Luis_Mart1
Explorer

Upgrading a standalone cluster offline

Hi all.

We've got a standalone cluster (that is, two machines, both SG and MGMT, one MGMT primary, the other secondary) still in R77.30 and with no connection to the Internet.

So the challenge is to upgrade them to R81.10 (we are not using R81.20 yet). I expected that getting the package from Check Point, copying the file to the appliances and doing an installer import local would be enough. But CPUSE says it's not a valid CPUSE package.

I've tried also getting the package from a same series appliance (5xxxx), copying it to the appliances, installer import... Nothing. Same result.

Could anybody please point me to the correct packages to download?

Thanks

0 Kudos
14 Replies
the_rock
Legend

So you have full-HA? 2 standalone in a cluster? I wish upgrade wizard was available, but it is not. Maybe contact TAC to confirm the right package...do you see anything from web UI that shows as valid if you right click and verify for upgrade?

Best,

Andy

0 Kudos
Jose_Luis_Mart1
Explorer

Hi!

Well, WebUI is another problem. 🙂 It's an R77.30 and the machines we have to access it don't have Internet Explorer anymore. I've tried an old Firefox portable and nothing.

Anyway, I'm going through command line with installer. And since it gets no packages, nothing to verify...

I think you are right, I can ask TAC the right way to do this. Thanks!

0 Kudos
the_rock
Legend

Try this, it's an old trick I used to do for who knows how long...do Windows + R, type iexplore and see if that works, though that may open Edge browser lol

Andy

0 Kudos
the_rock
Legend

I also found that sometimes it works in private window (any browser really, but most likely Google Chrome)

Best,

Andy

0 Kudos
Bob_Zimmerman
Authority

You should upgrade in at least two steps. One to R80.40, then one to R81.10.

If you aren't already running CPUSE 2379, you may also need to update it manually.

Note that there are some significant OS improvements you don't get from an upgrade (filesystem, partition table alignment, etc.). You should eventually reinstall from scratch at R81.20 using ISOmorphic. You can bring your configuration over, but it takes a few extra steps. You should start researching and planning all that now.

0 Kudos
the_rock
Legend

Excellent point Bob.

Andy

0 Kudos
Jose_Luis_Mart1
Explorer

You are right, hadn't noticed till now that the management needs a two step with R80.40 as the first one. That's probably why currently cpuse is saying the R81.10 packages are not right.

So, more work to do... Nice... 🙂 Thanks!

0 Kudos
the_rock
Legend

Is web ui still broken?

0 Kudos
Jose_Luis_Mart1
Explorer

Hi! Yes, no way to get an IE working to access WebUI. But no problem, I can work on CLI.

I'm still struggling anyway. Now I've tried to import locally the R80.40 upgrade package and... again, installer says it is not a valid CPUSE package.

I guess next try is to upgrade installer, but I wonder if an R77.30 is going to accept the latest version.

0 Kudos
the_rock
Legend

There is a command to try to update it from cli, I mean da agent, not sure if it works in R77.30...

Here it is in R81.20

Andy

you can simply type da_cli, hit enter and it will give all the options

[Expert@cpazurecluster1:0]# da_cli check_for_updates
{
"Action ID" : "-1",
"Message" : "Checking for new available packages. This operation may take a few moments"
}

[Expert@cpazurecluster1:0]#

0 Kudos
Bob_Zimmerman
Authority

Absolute worst case, this process should get you to R80.40:

  1. Use ISOmorphic and the R81.20 ISO image to build an R81.20 installation drive. Use R81.20, as it has some fixes during the installation which persist even when you downgrade. Some of these fixes make disk access dramatically faster, so the import in step 9 won't take as long.
  2. Use the upgrade tools ('migrate server', I think; might be 'migrate export' on R77.30) on your existing primary management (note, this may not be your active management; I forget how to confirm which one is primary on R77.30 full HA) to export a copy of your management config.
  3. Save a copy of the clish config.
  4. Use the R81.20 thumb drive to wipe one node and install R81.20 on it.
  5. Import the R80.40 package to CPUSE.
  6. Use 'installer clean-install Check_Point_R80.40_T294_Fresh_Install_and_Upgrade.tgz' to downgrade in-place to R80.40.
  7. Go through the first-time config. This can be done with the web UI, but I prefer the command line tool config_system.
  8. After rebooting, apply your clish config.
  9. Use the upgrade tools to import the config into the R80.40 member. Management sync will not work, but you should be able to log in to the R80.40 member with SmartConsole and see all your rules and objects.
  10. Push policy from the R80.40 member to itself. Be sure to uncheck the box which says to push to both cluster members.
  11. Install jumbo 206 on the R80.40 member.
  12. Enable cross-version sync on the R80.40 member (cphaconf mvc on). After a few seconds, the firewall software should go from Ready to Standby.
  13. Fail over from the R77.30 member to the R80.40 member.
  14. Repeat steps 3-8 and 11 on the second member. No need to do the management-side stuff again, since it will just synchronize with the existing R80.40 member.
  15. Establish SIC trust from the management to the second member. Start the management sync.
  16. Push policy to both members.

Check Point's big advantage to me is it's just software. Except at the low end (Quantum Spark) and high end (Maestro, Quantum LightSpeed), their hardware is nothing special; it's just overpriced x86 servers with weird card slots. This is relevant here because their software works just as well in a VM as it does on real hardware.

Build some VMs and try this process at least once. I probably forgot something in that list of steps. Testing it on VMs will help confirm the process works before you try it on your production boxes. This process is complicated enough I would try it several times. Back when I was doing upgrades by hand, I would try most of my significant upgrades in VMs at least 20 times to build familiarity before trying them for real.

(1)
Jose_Luis_Mart1
Explorer

Hi! Still working on this. I'm stuck on the migrate import step.

After a while importing I get an error saying import has failed. Checking the migrate log file:

[4 Apr 15:41:51] [ExecCommandGetOutput] Going to execute command: '"/opt/CPsuite-R80.40/fw1/bin/upgrade_tools/././/ips_upgrade_tool" import "/opt/CPsuite-R80.40/fw1/tmp/migrate/regular_files/fwdir/tmp/ips_files" "/opt/CPsuite-R80.40/fw1/bin/upgrade_tools/././/"'
[4 Apr 15:41:52] [ExecCommandGetOutput] Command completed with an exit code 1
[4 Apr 15:41:52] [ExecCommandGetOutput] ERR: The given exit code indicates an error
[4 Apr 15:41:52] ...<-- ExecCommandGetOutput
[4 Apr 15:41:52] [CommandRunner::exec] ERR: Command execution had failed

And then in the ips upgrade log file:

[4 Apr 15:41:52] [ReadFwsetFile] Going to read file '/opt/CPsuite-R80.40/fw1/tmp
/migrate/regular_files/fwdir/tmp/ips_files/ips_upgrade_tool.conf'
[4 Apr 15:41:52] [ReadFwsetFile] ERR: Failed to open file: No such file or direc
tory
[4 Apr 15:41:52] ..<-- ReadFwsetFile
[4 Apr 15:41:52] .<-- GetConfigFileSet
[4 Apr 15:41:52] [RunSMCImport] ERR: Failed to read configuration file!
[4 Apr 15:41:52] <-- RunSMCImport

Any idea? Thanks!

0 Kudos
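
An added example, not part of the original thread and not Check Point tooling: a small Python triage of the two log excerpts in the post above. It rejoins entries that the terminal wrapped, pairs each executed command with its exit code and lists the ERR entries; the function names are illustrative and the log layout is assumed from the quoted lines only.

```python
import re

# Constructed sample input: entries from the two logs in the post; IPS lines are wrapped as posted.
MIGRATE_LOG = """\
[4 Apr 15:41:51] [ExecCommandGetOutput] Going to execute command: '"/opt/CPsuite-R80.40/fw1/bin/upgrade_tools/././/ips_upgrade_tool" import "/opt/CPsuite-R80.40/fw1/tmp/migrate/regular_files/fwdir/tmp/ips_files" "/opt/CPsuite-R80.40/fw1/bin/upgrade_tools/././/"'
[4 Apr 15:41:52] [ExecCommandGetOutput] Command completed with an exit code 1
[4 Apr 15:41:52] [CommandRunner::exec] ERR: Command execution had failed
"""
IPS_LOG = """\
[4 Apr 15:41:52] [ReadFwsetFile] Going to read file '/opt/CPsuite-R80.40/fw1/tmp
/migrate/regular_files/fwdir/tmp/ips_files/ips_upgrade_tool.conf'
[4 Apr 15:41:52] [ReadFwsetFile] ERR: Failed to open file: No such file or direc
tory
[4 Apr 15:41:52] [RunSMCImport] ERR: Failed to read configuration file!
"""

STAMP = re.compile(r"^\[\d{1,2} \w{3} \d{2}:\d{2}:\d{2}\] ")

def unwrap(text):
    """Rejoin wrapped entries: a line with no timestamp continues the previous one."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries

def failed_commands(entries):
    """Pair each executed command with its exit code; keep the non-zero ones."""
    failures, current = [], None
    for entry in entries:
        started = re.search(r"Going to execute command: '(.*)'$", entry)
        done = re.search(r"Command completed with an exit code (\d+)", entry)
        if started:
            current = started.group(1)
        elif done and current is not None:
            if int(done.group(1)) != 0:
                failures.append((current, int(done.group(1))))
            current = None
    return failures

def errors(entries):
    """Return (function, message) for every ERR entry, in log order."""
    pattern = re.compile(r"\[(\w[\w:]*)\] ERR: (.*)$")
    return [m.groups() for m in map(pattern.search, entries) if m]

if __name__ == "__main__":
    print(failed_commands(unwrap(MIGRATE_LOG)))
    print(errors(unwrap(IPS_LOG)))
```
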
the_rock
Legend

Appears something wrong with config file, that's final error it gives...did you ever open TAC case on it?

Andy

0 Kudos
Jose_Luis_Mart1
Explorer

I'm on it 🙂

0 Kudos
