Heather_Lewis
Participant

Blink for fresh install?

We've been doing fresh installs on gateways whenever we upgrade to a major rev, so as not to leave previous files behind. As more of our work becomes remote/international, fresh install on appliances becomes more difficult to arrange.  We came across the Blink utility in Checkmates. Is the Blink utility as good as doing a fresh install? If so, can it be used to upgrade R75 and R77 to R80.10 as a fresh install? @phoneboy
9 Replies
JozkoMrkvicka
Authority

PhoneBoy
Admin

If you're going to tag me, Heather Lewis, you have to use my real name, sadly :)

Yes, Blink is basically like doing a clean install, but with a faster setup time.

The official SK is here: Blink - Gaia Fast Deployment 

You can see a bit more about it here: TechTalk: CDT and Blink Video and Slides

Tomer_Noy
Employee

While Blink really is great for fresh installs, it's worth trying to understand the reasons for going with a fresh install versus a CPUSE upgrade.

Something that many people don't know is that a CPUSE major upgrade actually behaves very similarly to a fresh install. The process creates a new partition on your device, performs a fresh install into it, then copies over your configuration, while updating it to the target version. You are not left with a mix of files from various HFs.

One exception where a fresh install does make a difference is R80.20.M1 where we've introduced a new file system, so only fresh installs (with optional export/import) can benefit from that.

If you still have reasons why a fresh install is preferred, we (in R&D) would be happy to hear about those.

Tagging Tsahi Etziony

M_Ruszkowski
Collaborator

This is different than what we have been told in the past. We have several clusters that are running R77 and R77.20. These were originally built with a clean install using a USB drive. We would copy the HFA tgz file to the gateway and then run the "Unix Install Script" (the old way before CPUSE). So we were told that we should not use CPUSE to do an upgrade to R80.20 because CPUSE could not track the HFAs that were installed and this would cause issues. So Check Point Support recommended clean installs. So this is bringing me to Blink.

Are you saying this is not the case and we are safe to use CPUSE and do an upgrade from R77.20 to R80.20 and this would be like a nice clean install?

Tsahi_Etziony
Employee

You can safely use CPUSE for this upgrade. It would be like a nice clean install, with the benefit of having your configuration migrated to the new version.

And with several clusters, I would recommend managing the upgrade using CDT. It will save you a lot of manual effort.
PhoneBoy
Admin

It's possible that earlier CPUSE upgrades (pre R80) did not actually do what happens now with upgrades to R80.x.
It automates the snapshot + migrate export + clean install + migrate import as part of the upgrade from R77.x to R80.x.
JozkoMrkvicka
Authority

If you are using Check Point appliances, you can use the LOM interface and mount the ISO via the LOM interface. It will take ages, as the LOM interface is only 100 MB, but it works 🙂

Kind regards,
Jozko Mrkvicka
M_Ruszkowski
Collaborator

Sorry that I did not respond sooner, but it took some time to test the R77 and R77.20 upgrades in the LAB and then finally do them in PROD using CDT. The results were good. We were able to use CDT and upgrade the legacy R77.x firewalls to R80.20 w/T47 with no issues. So at this time we are working through 6 to 7 clusters during weekend change windows.

The only issue that we have run into using CDT on an MDS is that we have to open an SSH session per Domain in which we are upgrading clusters. Let's say we are upgrading six clusters and each cluster is in a separate domain; then we have to open six SSH sessions to the MDS, do an mdsenv in each, and have six CDT upgrades going at once. Not a big deal... it works.

And one more thing. If CDT shows completed at the end... well, it may not mean that you are done. We have found that the Monitor will show errors with IPS and other blades that are part of Threat Prevention. You will need to push policy again to get them to go green and error free. Again, not a big deal. CDT has dramatically sped up our upgrades and the number of clusters we can do in a maintenance window.

M_Ruszkowski
Collaborator

I just wanted to give an update. 

The CDT has worked very well for us. We have upgraded more than 135 firewalls since the last post, with no issues. Keep in mind, we can only do these upgrades on weekends. It used to take us more than a year to upgrade everything. The upgrades have been from R77.20 and R77.30 to R80.20 with Jumbo Take. And we are using CDT to roll out HFAs as well. We have already started patching with Take 118, which was recently released. This has dramatically sped up our upgrades and patching cycles.

If you have not tried CDT, I would recommend just skipping the basic method and going right to the advanced method and defining a deployment plan. It's not very hard to do, and you are going to end up doing it this way anyway. So don't bother with the basic method.
