This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ronan
Explorer
‎2023-01-03 04:24 AM

Upgrade Configuration from R77.30 to R80.40

Hello all,

I have a Checkpoint in hand for the first time and need to swap an older hardware for a new one.

I would like to update the backup configuration of the old firewall to the OS of the new firewall in advance and then apply this to the new one, so I can then do a device swap.

Upgrading the old devices is not possible this way because we are more spread out by locations and we don't have an IT department on site everywhere.

So we wanted to prepare the devices, ship them, and then do a flying swap.

I have looked through the forum itself, but can't find a "fixed" solution

I would be happy if I could get some guidance on this.

 

 

Greetings

0 Kudos
3 Replies
Bob_Zimmerman
Authority
Authority
‎2023-01-03 02:50 PM

Do you have remote access to the old box?

What hardware is it?

Is it a standalone (firewall and management server), or distributed (only firewall, with management running on a separate box)? To find this out, you can use the output of 'fw stat' and 'fwm ver'.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-03 03:08 PM

Full system backups don't work across appliances (must be exact hardware type).
Which means you're effectively rebuilding the appliances with the same configuration.
Note that the Security Policy is stored on the management, so that does not need to be backed up.
You should upgrade your management server to the target version (R81.10 is the current recommended release) prior to starting this process.

You can get the OS configuration of each gateway by typing "save configuration myfile" which will save a copy of the configuration to the user's home directory.
You should be able to import this into a newly installed gateway of a different version.
Alternatively, you can use the text output of "show config" though you may have to modify it before use.
If you made any changes in expert mode, those will have to be backed up and applied separately (note there are some fairly significant differences from R77.30 to R80.40, so not every change can be applied the same way).

Once you've managed to replicate the gateway configuration on the new hardware/version, the SIC one-time password is established, and the box is shipped and unpacked at the destination, you should just be able to plug it in on-site and push policy to it after resetting SIC on the management side and changing the version to match.

0 Kudos
the_rock
Legend
Legend
‎2023-01-03 04:19 PM

Im with phoneboy on this one. Here is what I would suggest...so on R77.30 device, from expert mode, just type clish -c "save configuration" > /var/log/config_backup.txt

That will generate file called config_backup.txt in /var/log dir, which can be used on the new device from clish to run load configuration /var/log/config_backup.txt )or whatever dir you copy the file to).

Now, here is tricky part...for this to work, config file has to "match" new device, meaning interface names would need to match and whatever else is in the original config file and easiest way you would know this is when you run load configuration command, it would error out at whatever line cant be copied over and then you need to go back and modify that line to continue when running command next time.

It might be tidious work, but most likely your best bet.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top