Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jesus_Cano
Collaborator

SMS - Upgrade R80 - Licenses

Hi,

We are planning an upgrade form R77.20 to R80.10. 

SMS is virtual.

Gateways are open servers.

We have a migrate import in R80. So we will do a fresh install in a new VM and run migrate import. So i would like to know about licenses, Migrate_import is taking all licenses?. Do we need to do anything with licenses after upgrade (migrate import)?. 

In the gatweays we will run advanced upgrade by CPUSE. Do we need to do anything related to licenses?

Thanks a lot

5 Replies
Daniel_Taney
Advisor

Good morning,

As long as you are not changing the IP addresses of anything, all your licenses will be included as part of the migrate export / import process. All the SIC certificates will also be transferred and the upgrade of your management to R80.x will be completely transparent to the Gateways.

Good luck!

Edit: Just to be clear, the licenses are transferred whether you change the IP address or not. Just be aware that if you do change the IP of the Management, you will have to generate a new license for it in User Center.

R80 CCSA / CCSE
0 Kudos
Jesus_Cano
Collaborator

Thanks Daniel. So i wont have to attach the licenses to the gateways again from SMS, right?

So im still thinking about the upgrade procedure. I thought to do: Fresh install and import backup for SMS, and advacne upgrade for gateways. 

But im thinking now to do the !advanced upgrade" by CPUSE in all (SMS and GWs).

So what do you think? any experience doing it in both ways?

thanks a lot Smiley Happy

0 Kudos
Kevin_Vargo
Collaborator

FWIW:

We did something similar, but from 77.30.  If I was doing this today I'd go to mgmt server 80.20 and the gateways to 80.10 (since support for open Dell servers R740 is still not HCL).  I did not have to play around with licensing.  The difference with your plan is the gateway update.  We opted to do fresh installs on the gateways to get rid of any junk carried over from previous versions; I added those steps below.  Just an option and what we did, not saying one way is right or better over another.  Some issues that did arise were setting up DHCP accurately and anti-spoof setting getting a bit jumbled when doing get interfaces with topology.

Jesus_Cano
Collaborator

Im upgrading from R77.20. Should we do the step 2??? i only have the migrate export and show config (SMS and gateways). 

what about network antispoofing config? 

Kevin_Vargo
Collaborator

I have seen an issue with the .rules file in the past, saving it is up to you (#2).  In my case the PCI Bus IDs got out of order, where a MAC was named a different eth port.  Admittedly it was a few years ago, but took a while to ID the issue.  Now, we simply copy this before a major change and validate the file matches once work has completed.

Heiko Ankenbrand‌ and others made this awesome script to collect anti-spoof settings which you can find at the bottom of this link.  Personally, I collect this before adding interfaces or doing work on interfaces.  My first experience was adding a VLAN, doing a get interface with topology, and seeing every interface change to 'prevent and log' where I did not previously have anti-spoof enabled (that was in 80.10 and now I just do get interfaces w/o topology).  Prior to doing work today I just run this quickly and save the output elsewhere and spot check after making a change.  https://community.checkpoint.com/message/21923-re-one-liner-for-address-spoofing-troubleshooting?com... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events