This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrew-OCD
Contributor
‎2023-10-20 04:06 AM
Jump to solution

MDSM R81.10 --> R81.20 Upgrade

Dear Community,

I am looking to upgrade my MDSM from R81.10 JHF Take 110 to the new R81.20.

When I check the CPUSE it is the latest version 2237.

When I check for updates it is no longer showing me the "Major Versions" with R81.20. I only see the following:-

Hotfixes - R81.10 JHF Take 110 installed

Minor Versions (HFAs) - R81.10 SmartConsole BBuilds 418, 414 & 410

Blink Packages - R81.10

- R81.10 MDS + JHF T110 - Available

- R81.10 SM + JHF T110 - Available

- R81.10 MDS + JHF T79 - Downloaded

 

Has something changed because when I check the R81.20 SK173903 page it shows "Upgrading MDSM" use the CPUSE and Major Versions route.

Any suggestions would be greatly appreciated as I do not really want offload and reload all the current Domains and logs.

Best regards

Andrew

Preview file
83 KB
0 Kudos
3 Solutions

Accepted Solutions
Martin_Valenta
Advisor
‎2023-11-02 11:38 PM
Jump to solution

i've did recently MDSM upgrade from r81.10 to r81.20, due to bad partitioning when MDS and MLM were build (system installed over two virtual disks on Dell R730xd) since r80.10 to r81.10 it was not problem, but there is new requirement for partitioning. If you don't see options for r81.20 upgrade, it might be due to that, when you try to import upgrade package from cloud it should appear in your list and then you can run verifier for that package to see what is reason. In my case it required to perform mds_backup, transfer it somewhere, doing clean install of r81.10 + corresponding JHF and mds_restore, then i could see without any interaction that i can upgrade to r81.20 via cpuse..

View solution in original post

0 Kudos
Boaz_Orshav
Employee
Employee
‎2023-11-04 11:55 PM
Jump to solution

Hi Andrew

  According to logs the issue is:

- Your partitions are not in Check Point standard format, and an upgrade is not possible. Reinstall your system and verify correct partitioning.

  I suggest you contact TAC to get more details regarding what exactly is wrong with the way the system is partitioned.

  Indeed I see it as a problem that the package is not seen - we will fix it so the message will appear only on verify stage

Sorry for the inconvenience

View solution in original post

0 Kudos
Andrew-OCD
Contributor
‎2023-12-03 11:43 AM
In response to Andrew-OCD
Jump to solution

Ok avid readers, time for the final update.

Successfully managed to migrate the MDSM off the badly provisioned hardware (NOTE: Be very aware of the CORRECT partition requirements!).

I managed with a lot of SCP copying to get all the logs off the MDSM onto the MDLM (only to find that they had also incrorrectly provisioned the hardware - 2 discs instead of the 1 !!).

After getting a new hardware provisioned with the correct partition config I was able, again with many hours of SCP copying of log files, to migrate the MDLM to the valid hardware.

Now that both systems were on valid hardware I was eventually able to upgrade both systems to R81.20. Not easy but with many reboots and a lot of patience, eventually I got there.

Thank you everybody for your support during these difficult times.

 

Best regards

Andrew

View solution in original post

21 Replies
PhoneBoy
Admin
Admin
‎2023-10-20 04:26 AM
Jump to solution

As far as I know this should still be possible.
Recommend a TAC case here: https://help.checkpoint.com

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-10-20 04:28 AM
Jump to solution

I have heard that CP suggests to wait with an R81.20 upgrade at least until the next Jumbo HF 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
khodgson_bts
Contributor
‎2023-10-20 06:45 AM
Jump to solution

Edit: Sorry, ignore me. I just noticed they're still the R81.10 packages.

 

Can't the Blink packages be used to do an upgrade?

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-20 07:12 AM
Jump to solution

Are you using a Smart-1, an open server, or a VM of some kind?

Check Point cuts off support for their own hardware really quickly and artificially prevents newer versions from being installed on it, even if the hardware is more than capable of running the software version. R81.20 won't install on any of the 2014 Smart-1 units (205, 210, 225, 3050, 3150).

0 Kudos
Andrew-OCD
Contributor
‎2023-10-21 06:30 AM
In response to Bob_Zimmerman
Jump to solution

This is all running on an Open Server - VMWare ESXi environment.

I have my own lab environment where I tested this and in the lab environment I still had the R81.20 after installing the JHF T110. However, in my lab environment it is complaining:-

No Partial Domain Verification

The following objects do not have a Legacy Server in the database - this indicates that there is a partial domain in the database which should be fixed prior to the upgrade (refer to sk113134).

The problem now is that the SK says contact Check Point and this is my lab environment so I am now going round in circles to find a way to get support.

0 Kudos
the_rock
Legend
Legend
‎2023-10-21 06:35 AM
In response to Andrew-OCD
Jump to solution

Well, they definitely wont help you if its a lab. Can you not just reinstall it?

 

Andy

0 Kudos
Andrew-OCD
Contributor
‎2023-11-02 01:40 PM
In response to the_rock
Jump to solution

Dear Andy,

 

The whole point of using the LAB environment was to test the different aspects when importing the 3 different domains into the MDSM.

Now the idea was to test the upgrade on the LAB environment to see if there was anything weird and there was.

Now I have tried to restore from a backup but I get even more problems since there are different IP addresses in the LAB compared to the Production.

I have to admit to starting to think about the non-ideal solution: Install a fresh R81.20 MDS and try to restore into it the R81.10 MDS but I do not like this solution at all.

Best regards

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-11-02 01:46 PM
In response to Andrew-OCD
Jump to solution

Well, R81.20 would not restore into R81.10, as versions are different. I see @Boaz_Orshav asked you couple of weeks ago to send him the logs? Did you ever end up doing that?

Cheers,

Andy

0 Kudos
Andrew-OCD
Contributor
‎2023-11-02 02:33 PM
In response to the_rock
Jump to solution

I just sent them over.

I meant to export the R81.10 Production environment and import into the fresh install f R81.20.

But as I say this is not a preferred option since it will lose some of the logs since everything is running on a single machine at the moment.

0 Kudos
the_rock
Legend
Legend
‎2023-11-02 03:24 PM
In response to Andrew-OCD
Jump to solution

Well, its an option, though you are right, probably not the optimal one...

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-20 11:08 AM
Jump to solution

I would verify with TAC, because I remember when I had mds lab in R81.10, it gave all packages to upgrade to R81.20

Andy

0 Kudos
Andrew-OCD
Contributor
‎2023-11-02 01:41 PM
In response to the_rock
Jump to solution

Yep in the LAB it appeared to be fine.

0 Kudos
Boaz_Orshav
Employee
Employee
‎2023-10-22 05:15 AM
Jump to solution

Hi

  Can you please send me the tgz created by running "da_cli collect_logs" to boazo@checkpoint.com ?

  When a package is not seen on the CPUSE page it is might be because it fails a validation and I'd like to take a look at the logs to understand which validation failed.

0 Kudos
Andrew-OCD
Contributor
‎2023-11-02 02:31 PM
In response to Boaz_Orshav
Jump to solution

Dear,

I have sent over a link to a large transfer site where you can download the logs file.

Best regards

Andy

0 Kudos
Martin_Valenta
Advisor
‎2023-11-02 11:38 PM
Jump to solution

i've did recently MDSM upgrade from r81.10 to r81.20, due to bad partitioning when MDS and MLM were build (system installed over two virtual disks on Dell R730xd) since r80.10 to r81.10 it was not problem, but there is new requirement for partitioning. If you don't see options for r81.20 upgrade, it might be due to that, when you try to import upgrade package from cloud it should appear in your list and then you can run verifier for that package to see what is reason. In my case it required to perform mds_backup, transfer it somewhere, doing clean install of r81.10 + corresponding JHF and mds_restore, then i could see without any interaction that i can upgrade to r81.20 via cpuse..

0 Kudos
Boaz_Orshav
Employee
Employee
‎2023-11-04 11:55 PM
Jump to solution

Hi Andrew

  According to logs the issue is:

- Your partitions are not in Check Point standard format, and an upgrade is not possible. Reinstall your system and verify correct partitioning.

  I suggest you contact TAC to get more details regarding what exactly is wrong with the way the system is partitioned.

  Indeed I see it as a problem that the package is not seen - we will fix it so the message will appear only on verify stage

Sorry for the inconvenience

0 Kudos
Andrew-OCD
Contributor
‎2023-11-13 12:52 PM
In response to Boaz_Orshav
Jump to solution

Dear,

After working with a TAC engineer we were able to find the Partial domain Verification error and fix it by editing the DB.

For the partition problem you are absolutely right I will need to perform a backup and then install a fresh R81.10 with the correct partition then restore into it.

In the mean time I decided to install a dedicated MDS Log Server so I could offload the logs from the system so that we do not lose them, however, this is now posing a small problem associated with establishing the SIC and I am looking through the support sites for suggestions on how to address this. I will continue my search and if I can't find anything I will open a new post here on Check Mates so I can clearly share my solution with all.

Thanks for all of your support so far fellow Check Mates.

I will come back to you all once I have had the chance to try the upgrade in the LAB.

Best regards

Andy

the_rock
Legend
Legend
‎2023-11-13 01:20 PM
In response to Andrew-OCD
Jump to solution

Thanks for the update @Andrew-OCD 

0 Kudos
Andrew-OCD
Contributor
‎2023-11-13 10:20 PM
In response to Andrew-OCD
Jump to solution

OK time for an update.

I found out that the CPCA was not running on the main MDS in the MDSM server. This was probably due to the fact that I had to stop the MDS for changing the IPs. To fix this problem I performed a full "mdsstop" and "mdsstart" then monitored to see that everything came back to normal and it did.

I managed to create the new Multi-Domain Log Server and all of it's needed Domain Log Servers.

Now for the fun part: trying to get the logs transferred from the MDSM over to the Domain Log Servers before cleaning and performing the upgrade.

0 Kudos
Andrew-OCD
Contributor
‎2023-12-03 11:43 AM
In response to Andrew-OCD
Jump to solution

Ok avid readers, time for the final update.

Successfully managed to migrate the MDSM off the badly provisioned hardware (NOTE: Be very aware of the CORRECT partition requirements!).

I managed with a lot of SCP copying to get all the logs off the MDSM onto the MDLM (only to find that they had also incrorrectly provisioned the hardware - 2 discs instead of the 1 !!).

After getting a new hardware provisioned with the correct partition config I was able, again with many hours of SCP copying of log files, to migrate the MDLM to the valid hardware.

Now that both systems were on valid hardware I was eventually able to upgrade both systems to R81.20. Not easy but with many reboots and a lot of patience, eventually I got there.

Thank you everybody for your support during these difficult times.

 

Best regards

Andrew

the_rock
Legend
Legend
‎2023-12-03 12:26 PM
In response to Andrew-OCD
Jump to solution

Good job! Thanks for the update.

Cheers,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events