This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex_Lam1
Contributor
‎2018-10-14 05:39 PM

MDS R77.30 upgrade to R80.10

Hello

 

I see that there are few discussion on this topic, some being successful(but with some fixing) and some hit a brick wall.

 

We are one of them, hitting the brick wall. This is not a smooth upgrade compare to the older versions... #sigh

There were few things to fix, that is removing SCTP service/protocol which is ok, then there are fixing the DHCP legacy protocols/ports and then update IPS definition which we have IPS turned off. 

This is quite frustrating and not a smooth upgrade. 

 

Here’s the error that we got

 

Warnings: It is recommended to resolve the following problems.

==============================================================

 

 

Title: Legacy DHCP Relay Services - Change in behavior in R80 and higher.

-----

* Description: Legacy DHCP Relay services were found in the security rule base. Action is required in order for DHCP Relay to function properly post-upgrade.

 

Two possible options to solve the problem:

1). Remove legacy DHCP Relay services and add new DHCP Relay services. See sk104114 for instructions. This is the recommended action if managing only R77.20 gateways and above.

2). Keep legacy DHCP Relay services and make changes to the Gateways and the Security Management Servers. See sk98839 for instructions. Do this if managing any gateways which are older than R77.20.

 

Legacy DHCP Relay service(s):

bootp, bootps, dhcp-relay, dhcp-rep-localmodule, dhcp-req-localmodule

 

Some of the legacy DHCP Relay service(s) are members of the following rulebase(s):

Policy ##Firewall, rules: 1, 2, 3.

 

For more information, see sk104114 or sk98839.

 

 

Title: Deactivate IPS protections by categories

-----

* Description: Deactivating IPS protections by categories will be supported for pre R80 gateways only.

 

When using the profile with R80.10 gateway it will not be supported.

We recommend you to move to the new tag based activation for IPS protections

 

Profile name:

Default_Protection

So now, we have rollback to R77.30 with the new DHCP protocols as per SKs.

Now, the problem is that, there are few services are broken using the new DHCP protocols and we have to re-roll back to the legacy DHCP.

In R80.10 or R80.20, how would this be addressed?

TAC was already raised. 

We were following the steps described as per installation and upgrade guide of R80.10 which is similar to the method that we did the upgrade from previous versions, e.g. R67 -> R75 -> R77 using ./mdsseup export and migrate import.

high level,  from R77.30 -> R80.10: 

- Using ./mdssetup, export, fix whatever the error message it spills out

- Once all done, Using migrate import

Regards

Alex

3 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2018-10-15 12:40 AM

I hear the pain Alex. We had some issues with DHCP migration from legacy to new (unrelated to R80.10 upgrade, we did prior R80.10). If I was you, I would still try to fix DHCP prior upgrade and get rid off legacy mode. The new one is so much more logical and easier to use.

Probably not a lot of help, just my experience / opinion Smiley Happy

0 Kudos
Alex_Ambrose
Employee Alumnus
Employee Alumnus
‎2018-10-15 04:20 PM

Hi Alex,

Both "legacy" and "new" services are supported in both R77.30 JHF and R80.10 GA versions. The difference is that R80.10 GA requires some action to be taken when upgrading from R77.30 using "legacy" services, to properly use those legacy services.

You should be able to configure either service type on either version, according to the sk IDs mentioned in the upgrade warning (sk98839 for legacy services, sk104114 for new services). We always recommend using the new services, however if these conflict with other services and your policy requires legacy services, you can use those instead.

If you are having issues configuring your services according to either of those sks or think that they are not clear, I would recommend working with support for further assistance.

0 Kudos
Yair_Shahar
Employee
Employee
‎2018-10-16 04:49 AM

Hi Alex,

"Now, the problem is that, there are few services are broken using the new DHCP protocols and we have to re-roll back to the legacy DHCP."

Can you add more details on what went wrong when using the new services? what protocols got impact? what kind of impact?

Thanks in advanced.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events