Blason_R
Advisor

Is R81SP ISO supported for MHO-140?

Hi Team,

 

I have an MHO-140 with R80.20SP and would like to format it with R81SP or R81.10 SP. I tried booting the MHO appliances with ISOmorphic and R81 as well as R81.10SP; however, I am unable to do so.

Can someone please confirm if there is any other procedure to format the MHO appliances? Is there any other ISO available for those?

 

TIA

Blason R

0 Kudos
9 Replies
Blason_R
Advisor

I am specifically talking about this ISO image. I guess per sk this does not support MHO.

 

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_d...

0 Kudos
kobil
Employee

Greetings Blason_R,

MHO140 can be deployed with R80.20SP or R81.10.

The procedure for deployment can be found in the Quantum Maestro R81.10 Administration Guide: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Maestro_AdminGuide/Topics-Ma...

0 Kudos
Blason_R
Advisor

Hi @kobil 

 

I tried the MHO 140 with a USB pen drive and the R81.10 scalable platform ISO but could not boot from the USB drive, and it's loading directly with R80.20 SP. Is there any specific instruction for formatting the pen drive?

Wondering if R80.20SP on orchestrator and R81SP on SGM can work together? Considering hotfix on R80.20SP on Orchestrator

0 Kudos
kobil
Employee

Is your USB device compatible with the MHO and also as described in clean install procedure in "Quantum Maestro R81.10 Administration Guide"?

If you have further issues deploying the ISO via USB, you should contact our TAC.

There may be a known issue with some types of USB deployments, and mitigation techniques they can assist you with.

 

Regarding version compatibility, an MHO running R80.20SP does support the R81 GW version (R81 GW can run on an R80.20SP MHO or an R81.10 MHO).

0 Kudos
RamGuy239
Advisor

I'm not entirely sure what you are saying here. Do you mean to say that you are unable to boot from USB running R81.10SP ISO, but you are capable of booting using the same USB running R80.20SP ISO?

Normally the issue of not being able to boot a Check Point ISO from USB is due to the memory stick being incompatible. The rule of thumb tends to be that the older the memory stick, the better. Check Point appliances tend not to like USB3.X memory sticks, and they prefer memory sticks that emulate as a removable device and not a fixed disk. Pretty much all memory sticks manufactured after 2012 are emulating as a fixed disk, as this is a requirement for Microsoft's "Windows-2-Go" feature.

MHO 140 should be capable of booting the R81.10SP ISO no problem. I would try other memory sticks and make sure that you are using the latest build of the Check Point Isomorphic tool when creating the bootable memory stick.


With that said, an orchestrator running R80.20SP will be capable of handling SGMs running R81SP as long as you have at least R80.20SP Jumbo Hotfix 295. You could also patch your orchestrator to Take 314 or higher; then you will be able to do an upgrade from R80.20SP to R81.10SP without the need to use USB/ISO.

0 Kudos
Blason_R
Advisor

Right - This is what I planned.

I believe patching MHO is just a regular command: copying the patch to /var/log and then installing with import local.

I am a bit confused about patching SGMs or individual gateways. Since I am just preparing the devices yet, SMO and no groups are created yet, hence I feel I won't be able to patch SGMs yet?

0 Kudos
RamGuy239
Advisor

If you don't have any running security groups currently you could simply do a fresh install of R81.10SP on the gateways before you start adding them to security groups. If you want to stick with R81SP and are wondering about patching this can also be done beforehand. You simply make sure that the gateways are running R81SP and apply the latest R81 Take 36 onto them before you start adding them to security groups.

0 Kudos
Blason_R
Advisor

Thanks man! So applying R81 Take 36 on individual gateways is similar to other firewalls? I am not yet so familiar with gclish and asg commands.

0 Kudos
RamGuy239
Advisor

This all depends on whether they are already a part of a Maestro / Security Group or not. If they are already deployed and a part of a security group it's similar but not entirely identical.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_AdminGuide/Topics-Maestro-...


The logic stays the same, but you have to utilise global clish commands and global clusterXL commands. If the gateway has yet to be deployed then it's not a part of a security group and is behaving just like any other single gateway and can be patched using normal means.

0 Kudos