starmen2000
Collaborator

Mgmt Server Upgrade to R81.20 - Custom Files

Hi,

 

We are in the process of upgrading the Management Server from R81.10 to R81.20, while the gateways remain on R81.10. During the verification process on the Management Server, we encountered the following warning.

 

Checking if there are manually modified inspect files
The upgrade process will deploy new files, which are suitable to version R81.20.
If you wish to apply these modifications again, backup the modified inspect files now, and add the changes post upgrade.

Inspect files have been modified:
   /opt/CPsuite-R81.10/fw1/lib/user_early.def
   /opt/CPsuite-R81.10/fw1/lib/crypt.def
   /opt/CPsuite-R81.10/fw1/lib/user.def
   /opt/CPSFWR80CMP-R81.10/lib/crypt.def
   /opt/CPR8040CMP-R81.10/lib/crypt.def

 

Does this imply that we should implement the custom configuration in the R81.20 directory or in the R81.10 directory of the newly upgraded Management Server? This is considering that the gateways are still running on R81.10.

 

Thanks

0 Kudos
13 Replies
Martijn
Advisor

Hi,

Check the R81.10 and R81.20 Security Management Administrator guides. They have a section about these files and the location on the server. For example crypt.def is located in $FWDIR/lib for both R81.10 and R81.20.

I would backup the R81.10 files and compare them to the files after the upgrade to R81.20. Because your gateways are on R81.10, I think the settings in the R81.20 files apply. To my understanding there is no R81.10 compatibility directory.

Do not replace the R81.20 files with the ones you backed up. This is not the supported way. If needed, edit the file and add the changes from the R81.10 files.

This is also a good moment to check if the changes made in the file are still needed. The mentioned files are for VPN related settings. Maybe they are not needed anymore.

Good luck with the upgrade.

Regards,
Martijn

0 Kudos
starmen2000
Collaborator

Do you mean that I should compare the backed-up R81.10 files on the newly upgraded SMS (R81.10) or compare the old R81.10 files with the new R81.20 files? 

0 Kudos
Martijn
Advisor

Hi,

Backup the mentioned files before upgrading to R81.20. If you do not have any R80.40 gateways, you can ignore the files in the R80.40 compatibility directory. Just backup the files from the R81.10 directories.

After the upgrade to R81.20, you can check the files in the R81.20 directory to see if all entries are still OK. As other people already mentioned, the settings in the files are migrated to the new major version. But do a verify just in case.

You only need to worry if your SmartCenter is managing older gateways. An example.

SmartCenter is R80.40
Gateways are R80.40

If you upgrade the SmartCenter from R80.40 to R81.20, the settings in the files are migrated to the new version.
But they only apply to R81.10 or R81.20 gateways. You need to edit the files in the R80.40 compatibility directory to push these settings to a R80.40 gateway when installing a policy.

Regards,
Martijn 

0 Kudos
the_rock
Legend

Last time customer saw this, what we did was backup those files, then copy them over to original ones post upgrade and all worked afterwards.

Best,

Andy

0 Kudos
starmen2000
Collaborator

But in my case, the gateways are still on R81.10. Only the SMS is going to be upgraded to R81.20. In that case, which files should I compare and, if needed, change: the old R81.10 files to the new R81.10 files, or the old R81.10 files to the R81.20 files?

0 Kudos
the_rock
Legend

I have a gut feeling you won't even need to do anything. BUT, just to be safe, make backups regardless and also back up those files mentioned. Then, if any issues, just run the cp command to copy them over to the same files on R81.20.

So say for user.def (as an example), run this on R81.10 mgmt once in that dir -> cp user.def user.def.backup

Then, if any issues, on R81.20, copy the file over to the same dir, then run cp user.def.backup user.def

Do the same for the other files, install policy.

That's it.

Andy

0 Kudos
genisis__
Leader

I don't think they are needed (but certainly back up). If you had previously edited these, then clearly the changes that were made may need to be added to the new files on R81.20.

0 Kudos
the_rock
Legend

I agree.

0 Kudos
genisis__
Leader

I've only really needed to edit 'vpn_route.conf' in the past.

0 Kudos
Henrik_Noerr1
Advisor

Hey,

Do not copy these files over the new files. That is not good advice.

The files change from release to release. So if you copy them over from r81.10 to r81.20 you lose the new content and will live with this forever. This will accumulate as you go through major releases.

The modifications should be made manually into the new files based on r81.20.

 

We always try to mitigate all custom modifications, simply because they are so hard to maintain, and mostly accumulate legacy.

Lastly, the placement for custom def files is the same for r81.10 and r81.20 gateways.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Multi-DomainSecurityManageme...

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

 

I see @Martijn already gave mostly the same answer 🙂 And yes - some risk could pay off here - removing some legacy.

When I moved into my current role, we carried around so much customization that no one had any idea if they were beneficial or not.

/Henrik

0 Kudos
the_rock
Legend

That's the advice TAC gave us via the case when I worked with a customer with those warnings. Personally, I don't think it's bad advice at all. If you think about it, there should be no difference as far as R81.10 and R81.20. I see your point about upgrades to new versions down the road, but I'm fairly sure the upgrade would not even change any of those files, at least I never had that problem.

Best,

Andy

0 Kudos
Henrik_Noerr1
Advisor

Well TAC is wrong 🙂 There is a difference between majors, and copying blindly is not the way to go.

You do not always see changes, and not always something that matters to your environment. You can easily do a "diff x.def.major1 x.def.major2" between releases and see for yourself. The issue is that this gets tiresome with 50 domains and a gazillion def files that no one has any idea why they were modified in the first place.

0 Kudos
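
Added example, not posted by anyone in this thread: the back-up-then-merge-by-hand workflow discussed above, as a shell script. The function names and the sample file contents are constructed for illustration; on a real server the arguments would be the absolute paths from the verifier warning and, after the upgrade, the matching files under $FWDIR/lib.

```shell
#!/bin/sh
# Added example: back up modified inspect files before the upgrade, then list
# the lines that still have to be merged by hand into the new release's files.

# backup_def_files DEST FILE...
# Copy each FILE (absolute path) under DEST, keeping its full path so that the
# several crypt.def copies named in the warning do not overwrite each other.
backup_def_files() {
    dest=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        mkdir -p "$dest$(dirname "$f")" && cp -p "$f" "$dest$f" || return 1
    done
}

# custom_lines_missing BACKUP NEW
# Print the non-blank lines of BACKUP that do not appear verbatim in NEW.
# These are candidates to re-add manually. Stock lines that the newer release
# dropped also show up here, so review each line instead of copying the file.
custom_lines_missing() {
    grep -v '^[[:space:]]*$' "$1" | grep -Fxv -f "$2" || true
}

# demo: constructed sample files standing in for the old and new $FWDIR/lib.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/old/lib" "$work/new/lib" || return 1
    # Constructed "modified" file on the old release: one stock line, one edit.
    printf '%s\n' '// shared stock line' '' '#define EXAMPLE_LOCAL_TWEAK 1' \
        > "$work/old/lib/user.def"
    backup_def_files "$work/backup" "$work/old/lib/user.def" || return 1
    # Constructed file as deployed by the newer release: no local edit, one
    # line that is new in that release and would be lost by a blind copy.
    printf '%s\n' '// shared stock line' '// line new in this release' \
        > "$work/new/lib/user.def"
    custom_lines_missing "$work/backup$work/old/lib/user.def" \
        "$work/new/lib/user.def"
    rm -rf "$work"
}

demo
```

Running `diff -u` on the same pair of files shows the other direction as well: what the new release added that a straight copy of the backup would remove.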
the_rock
Legend

Respectfully, I disagree. I don't think TAC was wrong there at all and the customer was perfectly fine with it. At the end of the day, the files were backed up, so if there are ever any issues, easy to fix.

Best,

Andy

0 Kudos
