This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khodgson_bts
Contributor
2 weeks ago
Jump to solution

Management on Open Server/VM upgrade limitation.

Greetings all.

According to the R82 Release Notes it is not supported to do an in-place upgrade of a management server running on open hardware or VM more than once. Is there a specific reason for this? It's not mentioned anywhere in the documentation.

I can fully accept that a fresh install is necessary every now and then but to expect one every two versions seems a little excessive.

0 Kudos
2 Solutions

Accepted Solutions
Don_Paterson
MVP Gold
MVP Gold
2 weeks ago
Jump to solution

Good question.

You are referring to this:

"Notes:

  1. On an Open Server  / Virtual Machine that runs a Management Server  / Log Server , only one upgrade is allowed."

 

And the text in https://support.checkpoint.com/results/sk/sk168335

"On an Open Server  / Virtual Machine that runs a Management Server  / Log Server , only one upgrade is allowed. See here for more information,
To upgrade again, use an Advanced Upgrade (with Clean Install) or an Upgrade with Migration - see Upgrade Methods."

 

The 'here' link in the SK is broken and probably should point to here:  https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RN/Content/Topics-RN/HW-Requiremen... 

But that doesn't explain in it.

 

I have put this feedback forward for the SK:

"On an Open Server / Virtual Machine that runs a Management Server / Log Server , only one upgrade is allowed. See here for more information,"
The link in 'here' is broke (not found) and there does not seem to be a reason or any details for the limitation.
What is the reason?
Is this still valid?
Is there a technical block?

 

Check Point release new major versions every 18 months or so on average.

Considering the nature of the platform and the history (changes to file systems (ext3 --> xfs) and new default partition sizes for new builds)) and how some solutions are originally designed and deployed it is often not a bad idea to consider the clean build and import every 3 to 5 years.

One example of a change in design for clean builds is the IPS database updates now go to /var/log (and not / ) but only if you do a clean install R81.20 or R82, not an upgrade.
It can be configured/changed manually after an upgrade but if not then the root partition is still used, meaning that free disk issues are more of a risk.

 

It does put the burden on the customer to do the extra work (export -> rebuild -> import but it is an opportunity to get up to speed with best practices (some out-of-the box) and clean old legacy configurations up.

https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support

 

Hopefully they can update the SK and RN.

View solution in original post

PhoneBoy
Admin
Admin
2 weeks ago
Jump to solution

In the past, there were specific changes where this was needed to address some underlying issues:

  • In R80.40, we moved to xfs from ext3
  • In R81.20, we fixed disk partitioning to be on a cylinder boundary

The only way to "fix" those issues is a complete reinstall.
Not sure if this is the reason for the stated policy, only providing some justification for doing an advanced migration every so often.

View solution in original post

7 Replies
Don_Paterson
MVP Gold
MVP Gold
2 weeks ago
Jump to solution

Good question.

You are referring to this:

"Notes:

  1. On an Open Server  / Virtual Machine that runs a Management Server  / Log Server , only one upgrade is allowed."

 

And the text in https://support.checkpoint.com/results/sk/sk168335

"On an Open Server  / Virtual Machine that runs a Management Server  / Log Server , only one upgrade is allowed. See here for more information,
To upgrade again, use an Advanced Upgrade (with Clean Install) or an Upgrade with Migration - see Upgrade Methods."

 

The 'here' link in the SK is broken and probably should point to here:  https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RN/Content/Topics-RN/HW-Requiremen... 

But that doesn't explain in it.

 

I have put this feedback forward for the SK:

"On an Open Server / Virtual Machine that runs a Management Server / Log Server , only one upgrade is allowed. See here for more information,"
The link in 'here' is broke (not found) and there does not seem to be a reason or any details for the limitation.
What is the reason?
Is this still valid?
Is there a technical block?

 

Check Point release new major versions every 18 months or so on average.

Considering the nature of the platform and the history (changes to file systems (ext3 --> xfs) and new default partition sizes for new builds)) and how some solutions are originally designed and deployed it is often not a bad idea to consider the clean build and import every 3 to 5 years.

One example of a change in design for clean builds is the IPS database updates now go to /var/log (and not / ) but only if you do a clean install R81.20 or R82, not an upgrade.
It can be configured/changed manually after an upgrade but if not then the root partition is still used, meaning that free disk issues are more of a risk.

 

It does put the burden on the customer to do the extra work (export -> rebuild -> import but it is an opportunity to get up to speed with best practices (some out-of-the box) and clean old legacy configurations up.

https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support

 

Hopefully they can update the SK and RN.

khodgson_bts
Contributor
2 weeks ago
In response to Don_Paterson
Jump to solution

Thanks for the reply Don.

I fully agree with everything you've said, I just don't see why this should only apply to open servers / VMs and not also to Smart-1 appliances.

Don_Paterson
MVP Gold
MVP Gold
2 weeks ago
In response to khodgson_bts
Jump to solution

True. Especially considering a Smart-1 appliance could have a supported life span of 7 years (9 if End of Engineering Support is included).

 

If upgrades after the first one is not technically blocked then I would be happy to go for it but they've got that documented so for a TAC they can always recommend or push a clean install and import to get full support.

For that reason I would follow their guidance but it is ideal if it's explained in more detail.

 

PS. I have received the acknowledgement for the feedback for the SK and will post the response in here what I hear back.

the_rock
MVP Platinum
MVP Platinum
2 weeks ago
Jump to solution

Wow, goot catch there, never noticed that before.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
Jump to solution

In the past, there were specific changes where this was needed to address some underlying issues:

  • In R80.40, we moved to xfs from ext3
  • In R81.20, we fixed disk partitioning to be on a cylinder boundary

The only way to "fix" those issues is a complete reinstall.
Not sure if this is the reason for the stated policy, only providing some justification for doing an advanced migration every so often.

Vincent_Bacher
Advisor
Advisor
2 weeks ago
Jump to solution

I wasn't aware of that either.
However, we always perform upgrades using clean installation and migrate export and import.
Therefore, the question does not arise for us.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
(1)
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
In response to Vincent_Bacher
Jump to solution

I also believe thats the best approach.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events