Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nbto
Participant
Jump to solution

Upgrade MGMT + SmartEvent from R77.30 to R80.30

Hello,

 

I'm thinking about migrate my MGMT Server and SmartEvent from Gaia R77.30 to R80.30 (leaveing GW on R77.30) and Im wondering did can use same methods described here:

https://www.youtube.com/watch?v=egAIQqMUOPE

I know that R80.30 is pretty new so I would like to avoid some unexpected problems :(.

Also, there is any step-by-step instruction of migrating SmartEvent from R77.30 to R80.30 ?

 

Best Wishes 🙂

 

 

0 Kudos
2 Solutions

Accepted Solutions
Benedikt_Weissl
Advisor

I'd stay away from R80.30 if you're using PBR or you need to turn off SecureXL (reboot persistent) for any reason. Everything else works fine so far, we have several GWs/Management Server R80.30 with 3.10 Kernel on Open Server hardware and VMs.

That said, you can always keep your old Management Server as a backup if something goes horribly wrong. sk110173 goes into detail about the SmartEvent migration from R7X to R8X.




View solution in original post

0 Kudos
Maarten_Sjouw
Champion
Champion
For management, I've been running R80.30 for about 140 customers (Multidomain) for more than a month now and we had some issues, but there is no reason not to go with management to R80.30.
When you use Application Control and URLF with HTPS scanning, do have a very good look at the pre upgrade verifier. Which is a very good idea anyway.
For the gateway, thre still some specific chllenges, but those are also there in R80.20
We are planning to move all gateways to R80.xx as well but the rigt JHF is not yet GA for .30
Regards, Maarten

View solution in original post

0 Kudos
8 Replies
Benedikt_Weissl
Advisor

You should upgrade both management and gateways to R80.X asap since support for R77.30 ended september 2019 according to https://www.checkpoint.com/support-services/support-life-cycle-policy/.  The methods in the video should work, but you should still take special care to validate the location of important configuration files like vpn_route.conf and table.def.

Is your SmartEvent Server running on the same machine as your Management?

 
 
 
0 Kudos
Nbto
Participant
Oh yeah, i know thats why im preparing. SmartEvent Server is installed on separate virtual machine.

Another question, Gaia R80.30 is stable ?
I heard there were some problem after release of R80.20, so maybe i should prepare installation of R80.10 ?

Thank you!
0 Kudos
Benedikt_Weissl
Advisor

I'd stay away from R80.30 if you're using PBR or you need to turn off SecureXL (reboot persistent) for any reason. Everything else works fine so far, we have several GWs/Management Server R80.30 with 3.10 Kernel on Open Server hardware and VMs.

That said, you can always keep your old Management Server as a backup if something goes horribly wrong. sk110173 goes into detail about the SmartEvent migration from R7X to R8X.




0 Kudos
Maarten_Sjouw
Champion
Champion
For management, I've been running R80.30 for about 140 customers (Multidomain) for more than a month now and we had some issues, but there is no reason not to go with management to R80.30.
When you use Application Control and URLF with HTPS scanning, do have a very good look at the pre upgrade verifier. Which is a very good idea anyway.
For the gateway, thre still some specific chllenges, but those are also there in R80.20
We are planning to move all gateways to R80.xx as well but the rigt JHF is not yet GA for .30
Regards, Maarten
0 Kudos
Nbto
Participant
Humm... okay than, I will go with .30.
About migrating SmartEvent I will go with this procedure:

Upgrading a Dedicated SmartEvent Server with Migration In a migration and upgrade scenario, you perform the procedure on the source SmartEvent Server and the different target SmartEvent Server.
Note - To upgrade from R80.20.M1 to R80.20, see Upgrading a Security Management Server from R80.20.M1 to R80.20 with Migration.
Important - Before you upgrade a SmartEvent Server:
Step Description
1 Back up your current configuration.

2 See the Upgrade Options and Prerequisites.

3 Before you upgrade a dedicated SmartEvent Server, you must upgrade the applicable Management Server that manages it.
4 If you want to export and import the Security log ($FWDIR/log/fw.log) and Audit log ($FWDIR/log/fw.adtlog) with the management database, switch the current logs before you export the management database.
See the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section fw - Subsection fw logswitch.

5 You must upgrade your Security Management Servers and Multi-Domain Servers.
6 You must close all GUI clients (SmartConsole applications) connected to the SmartEvent Server.

Workflow:
1. Get the R80.20 upgrade tools
2. On the current SmartEvent Server, run the Pre-Upgrade Verifier and export the management database 3. Install a new R80.20 SmartEvent Server 4. On the R80.20 SmartEvent Server, import the database 5. Install the management database 6. Install the Event Policy 7. Test the functionality on R80.20 SmartEvent Server 8. Test the functionality on R80.20 Management Server

Step 1 of 8: Get the R80.20 upgrade tools Step Description
1 Download the R80.20 upgrade tools from the R80.20 Home Page SK.
2 Transfer the R80.20 upgrade tools package to the current SmartEvent Server to some directory (for example, /var/log/path_to_upgrade_tools/).
Note - Make sure to transfer the file in the binary mode.
Step 2 of 8: On the current SmartEvent Server, run the Pre-Upgrade Verifier and export the management database
Step Description
1 Connect to the command line on the current SmartEvent Server.
2 Log in to the Expert mode.
3 Go to the directory, where you put the R80.20 upgrade tools package:
[Expert@SmartEventServer:0]# cd /var/log/path_to_upgrade_tools/
4 Extract the R80.20 upgrade tools package:
[Expert@SmartEventServer:0]# tar zxvf <Name of Upgrade Tools Package>.tgz
5 Important - This step applies only when you upgrade from R77.30 (or lower) version to R80.20.
Run the Pre-Upgrade Verifier (PUV).
1. Run this command and use the applicable syntax based on the instructions on the screen:
[Expert@SmartEventServer:0]# ./pre_upgrade_verifier -h
2. Read the Pre-Upgrade Verifier output.
If you need to fix errors:
i) Follow the instructions in the report.
ii) Run the Pre-Upgrade Verifier again.
6 Export the management database:
[Expert@SmartEventServer:0]# yes | nohup ./migrate export [-l | -x] [-f] [-n] /<Full Path>/<Name of Exported File>
For details, see the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.
7 If SmartEvent Software Blade is enabled, then export the Events database.
See sk110173.
8 Calculate the MD5 for the exported database file:
[Expert@SmartEventServer:0]# md5sum /<Full Path>/<Name of Database File>.tgz
9 Transfer the exported database from the current SmartEvent Server to an external storage:
/<Full Path>/<Name of Database File>.tgz
Note - Make sure to transfer the file in the binary mode.

Step 3 of 8: Install a new R80.20 SmartEvent Server Step Description
1 See the R80.20 Release Notes for requirements.
2 Perform a clean install of the R80.20 SmartEvent Server.
Important - The IP addresses of the source and target R80.20 SmartEvent Servers must be the same. If you need to have a different IP address on the R80.20 SmartEvent Server, you can change it only after the upgrade procedure. Note that you have
to issue licenses for the new IP address. For applicable procedures, see sk40993 and sk65451.

Step 4 of 8: On the R80.20 SmartEvent Server, import the database Step Description
1 Connect to the command line on the R80.20 SmartEvent Server.
2 Log in to the Expert mode.
3 Transfer the exported database from an external storage to the R80.20 SmartEvent Server, to some directory.
Note - Make sure to transfer the file in the binary mode.
4 Make sure the transferred file is not corrupted.
Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original SmartEvent Server:
[Expert@SmartEventServer:0]# md5sum /<Full Path>/<Name of Database File>.tgz
5 Go to the $FWDIR/bin/upgrade_tools/ directory:
[Expert@SmartEventServer:0]# cd $FWDIR/bin/upgrade_tools/
6 Import the management database:
[Expert@SmartEventServer:0]# yes | nohup ./migrate import [-l | -x] [-n] /<Full Path>/<Name of Exported File>.tgz
For details, see the R80.20 CLI Reference Guide - Chapter Security Management Server Commands - Section migrate.
7 If SmartEvent Software Blade is enabled, then import the Events database.
See sk110173.
8 Restart the Check Point services:
[Expert@SmartEventServer:0]# cpstop
[Expert@SmartEventServer:0]# cpstart

Step 5 of 8: Install the management database Step Description
1 Connect with the SmartConsole to the R80.20 Management Server that manages this dedicated SmartEvent Server.
2 In the top left corner, click Menu > Install database.
3 Select all objects.
4 Click Install.
5 Click OK.

Step 6 of 8: Install the Event Policy
This step applies only if the SmartEvent Correlation Unit Software Blade is enabled on the dedicated R80.20 SmartEvent Server.
Step Description
1 Connect with the SmartConsole to the dedicated R80.20 SmartEvent Server.
2 At the top, click + to open a new tab.
3 In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.
The Legacy SmartEvent client opens.
4 In the top left corner, click Menu > Actions > Install Event Policy.
5 Confirm.
6 Wait for these messages to appear:
SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded
7 Click Close.
8 Close the Legacy SmartEvent client.

Step 7 of 8: Test the functionality on R80.20 SmartEvent Server Step Description
1 Connect with the SmartConsole to the R80.20 SmartEvent Server.
2 Make sure the configuration was upgraded correctly and it works as expected.

Step 8 of 8: Test the functionality on R80.20 Management Server Step Description
1 Connect with the SmartConsole to the R80.20 Management Server.
2 Make sure the logging works as expected.Upgrading a Dedicated SmartEvent Server with Migration
0 Kudos
Yair_Shahar
Employee
Employee

Hi Nickel

Can you elaborate on your comment about PBR? what was your experience with it? do you find it degraded compare to older releases?

Thanks in advance.

Yair

0 Kudos
Benedikt_Weissl
Advisor

Hi Yair,

PBR stopped working altogether after we upgraded from R80.10 to R80.30. TAC is already involved, but we don't have a solution yet, so I can't say if its a bug or a hardware issue etc.


Best Regards,

0 Kudos
Benedikt_Weissl
Advisor

Update on my Case:

After updating to Hotfix Version R76 AND creating a second PBR rule for the NATed IP everything works fine now.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events