This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Duane_Toler
Advisor
‎2021-11-05 08:18 AM

R80.20 to R80.40 Multi-Domain upgrade blocked

Hey all,

 

Is the Gaia CPUSE upgrade from R80.20 to R80.40 blocked for MDS?  I got the R80.40 Blink image for Multi-Domain (blink_image_1.1_Check_Point_R80.40_T294_JHF_T125_MultiDomainServer.tgz), but the "installer verify" says "Clean Install only".  I made sure there are no other admins, sessions, or locks.

 

Current MDS is R80.20 JHF 202.  I also downloaded the NGM upgrade tools for R80.20 build 418.  I looked around the DDR validator script and see the "conditions_set_is_ngm_upgrade.json" script, and it only has the one condition: "Always Fail".  I presume that means it is blocked?

 

I did a fresh install of a new R80.20 MDS on a VM in my home lab and I was able to do "installer upgrade" on it. However, I cannot get my customer's MDS to show the same behavior.  I looked around as many CheckMates posts as I could find before posting, but none of them seemed to quite match my scenario.  I did check sk159012 first.

 

I saw messages from @Itai_Minuhin and @Eran_Habad in this thread, and made sure to get the recent NGM upgrade tools:

https://community.checkpoint.com/t5/Management/UNABLE-TO-UPGRADE-MDM-R80-20-TO-R80-40/m-p/82222

 

Am I missing something?  Thanks!

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
9 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-11-06 07:26 AM

I would suggest to involve TAC ! Also, a new install and migrate_server is no bad idea...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Dorit_Dor
Employee
Employee
‎2021-11-06 07:54 AM
In response to G_W_Albrecht

In short: Upgrade of multi domain with blink isnt availble 

Blink is very specific to configuration (it jump you directly to the right config) and hence blink image to gw, to management and to multi domain, is different. 

if you look at the jumbo sk where blink links are offered, you will see different downloads (sk165456) and you will see that management server is listed for clean install and upgrade where as multi domain is offered only for clean install. 

0 Kudos
Duane_Toler
Advisor
‎2021-11-08 06:53 AM
In response to Dorit_Dor

Thank you Dorit.

 

If I do "installer clean-install ..." on the existing installation, will that create a new LVM logical volume on the current disk and install R80.40 into the new partition?  I can copy the CLISH configuration and run "migrate_server" to export and import the R80.20 database separately.  This is a VM so I will do VMware snapshot before starting.

 

Thanks!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2021-11-08 09:39 AM
In response to Duane_Toler

Hi

We'll take this with the relevant owner and get back with an answer.

 

 

0 Kudos
Tsahi_Etziony
Employee
Employee
‎2021-11-09 01:11 AM
In response to Duane_Toler

A clean installation takes care of creating a new LVM partition and installing the new version on the new partition. a clean installation keeps only the basic configuration that is needed for keeping you connection alive, but other than that all is set to the default values. 

If you export the MDS DB prior to the upgrade and import it to the new version, it would work. Just like upgrading to a new HW. The benefit of using the Blink image is that it will save you the trouble of installing a Jumbo on top of the new version as this is already part of the image.

With the clean installation (also with upgrades) the previous root partition will be saved automatically as a snapshot. But if you are also using VMWare snapshots, you can delete the automatic snapshot to save space. 

0 Kudos
IdanC
Employee Alumnus
Employee Alumnus
‎2021-11-09 02:24 AM
In response to Duane_Toler

The old partition is kept, but you won't be able to access it as it is not mounted, it is compressed into a snapshot after a few days.
It is recommended that you first run the export and keep the DB export file off the machine, and copy it back to the machine after the clean installation, then you can import it using migrate_server as in any "Advanced" upgrade.

0 Kudos
Duane_Toler
Advisor
‎2021-11-09 06:29 AM
In response to IdanC

Thank you @IdanC and @Tsahi_Etziony !

 

I downloaded the R80.40+JHF 125 Blink image for R80.20 MDS.  I have the CLISH option to do "installer clean-install ..." for that image.  So I presume I can run this to install the image into the new LVM LV?

 

For backup and safety, I will have a copy of the CLISH configuration and "migrate_server" export to a remote host.  I should be able to place those on the /var/log partition as well, since I know that volume does not get modified.

 

After this method, I do understand we may not get the symlinks in the R80.40 $FWDIR/log from the R80.20 log directory as if an "upgrade" option were used.  We don't have SmartLog / "Log Indexes" enabled for the CMAs on this server due to disk space on the SAN disks.  As a comparison, we won't lose any functionality.

 

Let me know if I missed anything else!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
IdanC
Employee Alumnus
Employee Alumnus
‎2021-11-10 09:34 AM
In response to Duane_Toler

yes you should be able to put it on /var/log partition as well, it is preserved, but the best practice is to back it up and store it off the machine.

Export and Import would be done according to the Install and Upgrade guide

 https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Installation_and_Upgrade_Gui...

 

0 Kudos
Duane_Toler
Advisor
‎2021-11-16 12:59 PM
In response to IdanC

This worked as expected!

I did this process:

  • Download the Blink R80.40 for Multi-Domain + JHF 125 image
  • Run 'migrate_server verify' with the R80.40 upgrade tools.  Fixed the IPS items it listed.
  • Run 'migrate_server export -v R80.40 ...'  manually. Copied the export database to a remote host.
  • In CLISH:  'save configuration <filename>'.  Copied the config file to a remote host.
  • For caution, I made a tarball of /home for the local admin users.  Copied this tarball to a remote host.  It wasn't needed, however.
  • In hindsight: The local admins had custom cron scripts in /var/opt/<some directory/ that I should have gotten.  I was able to get these from the previous LV disk volume, tho.
  • In CLISH: 'installer clean-install #'.  This made the new LV as expected, installed R80.40 there, AND it copied over /home, which I did not expect.  As expected, it did make a bare-minimum CLISH config, with just the IP, route, and "admin" user only.  However, the "admin" user retained the original "admin" user password, not the fresh-install "admin/admin".
  • After reboot, I did have to do the Blink first-time-wizard to provide the new hostname, admin password again, IP info, and select the product (Primary MDS was already selected).
  • In R80.40 CLISH, I re-applied the original CLISH config backup.  I left out some things I new would be conflicting with R80.20/R80.40, but it was very minor.
  • Rebooted again, then imported the database with "migrate_server import ...".  This took a LONG time!  Be. Patient.  Perhaps do it at the VM console so you don't get a remote SSH disconnect like I did (thanks to whomever crashed into the nearby utility pole and broke my terrestrial Internet service!).  I was able to recover, tho.  You may want to do "unset TMOUT" before starting!
  • After database import, I rebooted again.  Waited for services with "watch api status" and "watch mdsstat" in different sessions.
  • Logged into SmartConsole R80.40 to each domain, fixed the Validation Status ("MySpace Utilities" appears to now be "MySpace Widgets").  Then do "Install Database"! VERY important or else logs won't connect!  I didn't need to do policy install, tho; I couldn't do that with this customer as it was outside an official service-impacting change window.

Everything seems to be good.  Logs are good now (again: "Install Database").  I did it with API, tho (again, R80.40 JHF 125, API 1.6.1; this doesn't work in R80.30 and lower):

  mgmt_cli -r true show domains |jq -r '.objects[]|.name+" ".servers[].name' |\
  while read dom_name dom_server; do
    mgmt_cli -r true -d $dom_name install-database targets $dom_server
  done

(yes, this assumes you only have 1 CMA per domain; exercise for the reader to do multiple; if you copy/paste, be sure to get that backslash on the end.  YMMV.)

8 domains took about 3.5 hours on an 8-core VM with 32 GB of RAM.

Yes I know about R81, no I'm not taking this customer there yet; we are more conservative.  Once R81 gets its "sea legs", I'll look into it.  I'll do R81 soon on my smaller folks, tho. 

Well done to all of you on the Release Team! Nice work.  I'm looking forward to the R80.40 API for this MDS! We have gateway clusters and having the simple-cluster API is going to be a nice treat!

Thanks to everyone!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events