PP26
Contributor

How to advance Upgrade Smart-1 210 SMS r77.30 to 80.20

Hi Mates

 

I am planning an upgrade of SMS (Smart-1 210) from r77.30 to 80.20. We have SmartLog/SmartEvent/Management server running on this single smart appliance.

I am planning to use "Upgrading a Standalone from R80.10 and lower with Advanced Upgrade" as per the guide. Following that guide, I have done the preverifier/import and resolved all issues for the database to be imported to r80.20. Now when I come to the actual upgrade, as per the above article I have 2 options as below:

Step 3 of 10: Get the R80.20 Standalone

Current OS: Gaia

Available options: You can:

 

I asked Check Point TAC about the first option, "Upgrade with CPUSE", as that links back to one of the upgrade methods in which, when upgrading from Gaia using CPUSE, the preverifier etc. is all automatic. They said that since you are using the Advanced method, you need to go for Perform Clean Install and not the Upgrade using CPUSE. I agree with this point.

 

When I researched the second option, "Perform a clean install of R80.20 Standalone", to check the exact upgrade procedure, it takes me to the link "Installing the Gaia Operating System on Check Point Appliances". On this page there are clearly the options below:

<SNIP>

To install a clean Gaia Operating System on a Check Point appliance, you can:

  • Restore your Check Point appliance to Factory Defaults. This removes all configurations.
  • Perform a clean install of the supported Gaia image with one of these options:
    • Bootable USB device.
    • CPUSE (if Gaia is already installed) - select the desired Check Point version and perform Clean Install. See sk92449 for detailed steps

<SNIP>

 

 

I would like to go for the option of CPUSE (if Gaia is already installed), and I asked TAC about the procedure for that and whether it is possible as given in the guide, but he said it is impossible and that any fresh install will need to be done via bootable USB (he said this is the only option). As per him, in "CPUSE (if Gaia is already installed)", "Gaia" means version 80.x. But when I argued that why would someone upgrade from the same version, and that the guide brings you here from the original page where we are trying to upgrade from Gaia 77.30, he said he will check and confirm.

It also clearly states in the Release Notes, under the section Supported Upgrade path, that there are three methods to upgrade the Management server as below (CPUSE Clean Install is one of them):

<SNIP>

From R75.4x, R75.40VS, R76, R77.x, R77.20 EP6.0/EP6.1/EP6.2, R77.30.01, R77.30.02, R77.30.03, R80, R80.10 and R80.20.M1 to R80.20*:

Check Point Product:

  • Security Gateway
  • Security Management Server
  • Multi-Domain Server
  • CloudGuard Controller

Supported Methods:

  • CPUSE Upgrade
  • CPUSE Clean Install
  • Advanced Upgrade

<SNIP>

 

I just wanted to confirm here whether the fresh install of Gaia 80.20 can be done from r77.30 using CPUSE? Which r80.20 file from the download page (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... ) should be used for this? Clean Install (this is an ISO)? Or CPUSE Upgrade (tgz)?

 

I would really appreciate your help please

0 Kudos
1 Solution

Accepted Solutions
Tomer_Noy
Employee

In order to upgrade your appliance from R77.30 to R80.20, you have 3 main options:

1) In-place CPUSE upgrade

- This is the simplest option. Simply choose the R80.20 CPUSE package from the UI (if you have internet connectivity), or import it in case of offline. Then choose upgrade.
- This will leave you with the existing (non-xfs) filesystem.
- The previous (R77.30) version will remain in a separate partition. In case of disaster, you can easily revert back to it.

2) Clean install CPUSE, then import to upgrade

- First export your existing environment. You should use the migration tools of R80.20 (download from the internet).
- Then choose the R80.20 CPUSE package (from the UI or import if offline), but in this case select "Clean Install".
- Not a mandatory step, but it is recommended to install the latest jumbo hotfix before the following import phase. This will let you perform the upgrade with all the latest fixes, potentially avoiding issues that were already patched.
- The new R80.20 version will be installed to a new partition. Then you can go in and import your configuration to complete the upgrade.
- This option will also leave you with the existing (non-xfs) filesystem.

** There is a slight variation on this option. You can also choose the R80.20 Blink image, which is basically the same as R80.20 regular CPUSE image, except that it already bundles the latest jumbo hotfix and it installs faster.

3) Clean install ISO, then upgrade

- First export your existing environment (as in option #2).
- Then clean install the ISO (probably from USB). You don't have to reset to factory defaults since the ISO installation wipes everything anyway.
- Optionally, install latest R80.20 jumbo HF.
- Import your configuration.
- This will get your system onto the new xfs filesystem.
- The previous R77.30 partition no longer exists, so you cannot revert to it. If disaster recovery is needed, make sure to take a backup and save it on an external drive before starting the process.

 

In the general case, we usually recommend CPUSE upgrades since the process is simplest and allows easy revert (if needed). This is assuming you are upgrading within the same hardware (not moving to a new appliance).

Specifically when moving to R80.20 and up, the xfs filesystem brings performance benefits, so customers may want to consider a clean ISO install.


14 Replies
Chris_Atkinson
Employee

Just quickly have you reviewed the section of the release notes about memory requirements and does this system qualify?

 

Upgrades that result in XFS as the file-system are recommended for best results (performance) with R80.20 and above.

 

Migrating to a Smart-1 410 or NGSM10 licensed VM likewise will yield better outcomes.

CCSM R77/R80/ELITE
0 Kudos
PP26
Contributor

@Chris_Atkinson - yes, from what I read it does qualify, it has 16 GB RAM.

0 Kudos
PhoneBoy
Admin
And if you want the xfs filesystem, you must do a fresh install from USB.
A CPUSE upgrade/fresh-install, which you can do, will not give you the xfs filesystem.
0 Kudos
PP26
Contributor

@PhoneBoy thanks for your response. So apart from not having the xfs file system, is there any other disadvantage? Is there really a major advantage of having the xfs file system compared to the one that 77.30 uses?

 

Also, if I am OK with not having the xfs file system, it means that a clean install can be done using CPUSE, correct? So basically having 77.30 and then using Clean Install via 77.30's Gaia CPUSE utility to do a clean install and upgrade it to 80.20? So which file do I use from the download section? Clean Install? Or CPUSE Upgrade?

I still want to do a clean install, but just not via USB, since I will be working on this remotely and so cannot have an option for USB.

0 Kudos
PP26
Contributor

@Tomer_Noy firstly, thanks a lot, and I literally mean it, as this helps me clear up a lot of things which I was kind of half sure about.

I have never done an upgrade before, so trying to keep this first major upgrade a simple one, I am planning to go with the 2nd option of Clean Install using CPUSE.

If you don't mind, I just have a couple of questions about that second option.

 

Is there actually a package in the UI that says Clean Install package as compared to Upgrade package? I logged into the UI and there was an image R80.20 (the full file name is Fresh_Install_Upgrade). Is this the one and only? Or should I look for something specific to be sure it is the one for clean install?

I also tried to do it offline, for which I went to the downloads page for R80.20 and downloaded the "Clean Install" file; however, this is an ISO as opposed to a tgz file. Is this the correct file? Can this ISO be used to do a clean install using CPUSE (offline)?

If I get the correct 80.20 GA Clean Install file, based on your response above, will it not have all HFs? If not, then how would I know which and how many HFs I need which are not included in the upgrade image?

- Where do I find this Blink image that has all the HFs? I could not find it on the download page.

 

thanks a lot again @Tomer_Noy  really appreciate all your help.

0 Kudos
PhoneBoy
Admin

The same CPUSE image can be used for Clean Install and Upgrade.
You can choose which when you right-click on the image.
While this screenshot shows R80.20.M2, it also applies to R80.30 as well:

[Screenshot: Screen Shot 2019-09-11 at 12.20.45 PM.png]

The ISO file can only be used for clean installs via USB and not via CPUSE.

As far as I can tell, we haven't built a Blink image with the latest recommended Jumbo Hotfix on R80.30.
The ones we make available are here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You can potentially build your own. 

Tomer_Noy
Employee

@PhoneBoy  you beat me to the reply 😉

Indeed, you can just select "Clean Install" on a regular CPUSE image (tgz) in the CPUSE page.

 

I just want to add that if this is your first upgrade and you are looking for the simplest option, you should consider just clicking "Upgrade" instead of exporting, doing clean install and then importing. It will save you many manual steps and it's basically the same operation.

There are some advantages to a "Clean install + import" (a.k.a. "advanced upgrade"), but I don't think they apply in your case.

Also, to answer your question about required HFs, you don't have to look for specific HFs. Check Point bundles all important fixes into a "jumbo HF" that you can (and should) install. Just install the one that matches your major version. The latest jumbo HF will also appear in the CPUSE page once you've upgraded.

PP26
Contributor

@Tomer_Noy  thanks again for your quick turnaround response. 

Just wanted to understand a little more about your comment "There are some advantages to a "Clean install + import" (a.k.a. "advanced upgrade"), but I don't think they apply in your case."

a) What are the advantages? I have tried hard looking for an sk or some article to understand exactly what is different with Clean Install via CPUSE vs Clean ISO install via USB, but apart from the file system difference and a couple of other differences I could not find much. Can you point me to some article where they are compared extensively? For example, a Clean ISO install will delete all config, but Clean Install via CPUSE keeps the interface IP and the cli config, so why is this called a clean install? What are the things it changes and what things does it leave untouched?

While searching for an answer about the difference, I stumbled upon a different thread (https://community.checkpoint.com/t5/General-Management-Topics/Clean-install-vs-upgrade/m-p/62541#M97...) where you have provided your valuable input as well. As mentioned by you in that thread, my reason for doing Clean Install via CPUSE is point number 3:

<SNIP>

"3) You want to run the upgrade process with the jumbo HF installed. Sometimes we find bugs after the release and fix them in the jumbo. When doing clean-install + import, you have the chance to install the jumbo before the import and get these fixes. If you encountered an issue in your upgrade, we may recommend to do it again with the jumbo."

<SNIP>

Also, with your and @PhoneBoy's help I got to know about the Blink image; however, from the link provided by him, for my SMS there seems to be no Blink image (already requested @PhoneBoy for his input on the above reply), but for my Gateway there is one Blink image available. So I am wondering if I can use that to do either a CPUSE upgrade or a CPUSE clean install? Which method do you recommend for the gateway upgrade if I have to use one of these Blink images?

If the Blink image will not work for my gateway upgrades, then if I download the GA R80.20 image from the download page, how can I find what other Jumbo HF I will need to apply? (I know once we have upgraded it will show in the Status and Actions) but I am planning to use offline installation via clish, and hence if I know the files I can pre-download them.

 

Thank you again for your help, I really appreciate this vital information and advice.

0 Kudos
PhoneBoy
Admin
There are a handful of situations where an in-place upgrade using CPUSE might fail.
That said, because of how it is done, you can recover easily by simply reverting to the snapshot that's taken beforehand, something CPUSE does automatically.
When you do a fresh install using the ISO, the entire hard drive is wiped and repartitioned.
This eliminates disk space-related issues that may come up on an upgrade.

Note that, in general, even if you do an in-place upgrade, it's best to take a migrate export of the management prior to upgrade.
You can then import the configuration into a VM and actually confirm the upgrade will be successful.
This is also a good backup mechanism.

Note that Blink is a "clean install" mechanism, which is generally appropriate for gateways as most of the configuration is on the management anyway.
It does mean some manual steps (apply OS config, reestablish SIC), which aren't required using CPUSE to upgrade in-place.
Also Blink packages are different from CPUSE ones.

As for hotfixes, best to start with the latest recommended JHF for R80.20.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
PP26
Contributor

@PhoneBoy about your statement "Note that Blink is a "clean install" mechanism, which is generally appropriate for gateways. It does mean some manual steps (apply OS config, reestablish SIC), which aren't required using CPUSE to upgrade in-place." << you mean Clean Install via CPUSE, yeah? Or do you mean an installation similar to ISO (a.k.a. Fresh Install)?

1) If it is the same as Clean Install via CPUSE, then why, when using the "Blink image", are some manual steps (apply OS config, reestablish SIC) needed? Is there a list/procedure of all manual steps needed if using this image? Is this the correct process when using the Blink image for upgrading to 80.20: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... ?

2) When you use the GA CPUSE package (Clean Install via CPUSE), manual steps are not needed (as far as I am aware, unless you tell me otherwise). Just trying to understand so I can prepare.

3) If I use the Blink image for the GW as per https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... (R80.20 (GA Take 101)), then can I still go for Take_103 on top of that via clish? As 103 is the Ongoing take per the JHF for R80.20 link you recommended.

4) If not using the Blink image for Clean Install on the GW, then after using the GA CPUSE package, do you recommend installing the General Availability take (take 91) or the Ongoing take (103)?

5) I could not find the tgz file for take 103. Can you tell me please where I can get it from to install via clish: "Check_Point_R80_20_JUMBO_HF_Bundle_T103_sk137592_Security_Gateway_and_Standalone_2_6_18_FULL.tgz"

 

Thanks a lot and I hope  you can assist with above queries please. Really appreciate all your help.

0 Kudos
PhoneBoy
Admin
Doing a Clean Install via CPUSE carries forward a few things: admin password, IP address, netmask, and default route.
Everything else, including SIC, will have to be configured manually through First-Time Wizard or otherwise.
Blink won't even bring that data forward BUT you can also specify an answers.xml that pre-configures the installation, including FTW questions.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
A Clean Install via ISO wipes the entire appliance (including snapshots).

Regardless of which approach you take, you can/should load whatever the current GA take of the Jumbo Hotfix is.
The ongoing take should only be installed upon specific consultation with TAC.
You also must get the specific package identifier/package for the ongoing hotfix from TAC.
PP26
Contributor

@PhoneBoy thanks for the input. So after Clean Install via CPUSE, is it advised/recommended to do the manual config/First-Time Wizard and then use the migrate import utility to import the management database, correct?

Is there a list of what manual config is required? Apart from SIC, what else is needed, so I can make sure to capture that config beforehand? (I will be doing backup/snapshot/cli config.) Trying to make a checklist here so I do not miss anything.

0 Kudos
PP26
Contributor

@PhoneBoy thanks a lot for that picture; as they say, a picture speaks a million words 🙂 As I will be using offline installation via clish, I believe there will be an option for "installer clean install" just like we had one in previous major upgrades?

In terms of the Blink article, I did have a look and am not sure if it has been missed or if it is not supported to use a Blink image on the Smart-1 210? I could see "Smart-1 25B, Smart-1 150, Smart-1 205, Smart-1 225," but not Smart-1 210. Do you know if it is supported and if we can get a Blink image for it from Check Point Support?

Also, when I was reading the Blink article, it mainly talks about installation via USB, so basically a completely formatted appliance, correct? Can I use it to do an upgrade (Clean Install via CPUSE)? Or am I misreading that article? The reason I am asking is that if it is possible, I can use one of the Blink images to upgrade my gateway (5000) using the available images (Clean Install via CPUSE), as that will save me having to apply any further HF and also save me a lot of time.

Thank you again in advance for your valuable time and input.

0 Kudos
