This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Heather_Lewis
Participant
‎2018-07-30 03:05 AM

Blink for fresh install?

We've been doing fresh installs on gateways whenever we upgrade to a major rev, so as not to leave previous files behind. As more of our work becomes remote/international, fresh install on appliances becomes more difficult to arrange.  We came across the Blink utility in Checkmates. Is the Blink utility as good as doing a fresh install? If so, can it be used to upgrade R75 and R77 to R80.10 as a fresh install? @phoneboy
9 Replies
JozkoMrkvicka
Leader
Leader
‎2018-07-30 10:47 AM

https://community.checkpoint.com/thread/8343-remote-clean-installation-of-gaia 

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin
Admin
‎2018-07-30 01:29 PM

If you're going to tag me, Heather Lewis, you have to use my real name, sadly Smiley Happy

Yes, Blink is basically like doing a clean install, but with a faster setup time.

The official SK is here: Blink - Gaia Fast Deployment 

You can see a bit more about it here: TechTalk: CDT and Blink Video and Slides

Tomer_Noy
Employee
Employee
‎2018-08-07 12:52 PM

While Blink really is great for fresh installs, it's worth trying to understand the reasons for going with a fresh install versus a CPUSE upgrade.

Something that many people don't know is that a CPUSE major upgrade actually behaves very similarly to a fresh install. The process creates a new partition on your device, performs a fresh install into it, then copies over your configuration, while updating it to the target version. You are not left with a mix of files from various HFs.

One exception where a fresh install does make a difference is R80.20.M1 where we've introduced a new file system, so only fresh installs (with optional export/import) can benefit from that.

If you still have reasons why a fresh install is preferred, we (in R&D) would be happy to hear about those.

Tagging Tsahi Etziony

M_Ruszkowski
Collaborator
‎2019-05-02 08:11 AM
In response to Tomer_Noy

This is different then what we have been told in the past.   We have several clusters that are running R77 and R77.20.  These were originally built with a clean install using a USB drive.  We would copy the HFA tgz file to the gateway and then run the "Unix Install Script" (the old way before CPUSE).   So we were told that we should not use CPUSE to do an upgrade to R80.20 because CPUSE could not track the HFA's that were installed and this would cause issues.  So CheckPoint Support recommended clean installs.   So this is bringing me to blink. 

Are you saying this is not the case and we are safe to use CPUSE and do an upgrade from R77.20 to R80.20 and this would be like a nice clean install?

0 Kudos
Tsahi_Etziony
Employee
Employee
‎2019-05-02 10:16 AM
In response to M_Ruszkowski

You can safely use CPUSE for this upgrade. It would be like a nice clean install, with the benefit of having you configuration migrated to the new version.
and with several clusters, I would recommend to manage the upgrade using CDT - will save you a lot of manual effort.
0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-02 11:00 AM
In response to M_Ruszkowski

It's possible that earlier CPUSE upgrades (pre R80) did not actually do what happens now with upgrades to R80.x.
It automates the snapshot + migrate export + clean install + migrate import as part of the upgrade from R77.x to R80.x.
0 Kudos
JozkoMrkvicka
Leader
Leader
‎2019-05-05 11:05 AM
In response to PhoneBoy

If you are using Check Point appliances, you can use LOM interface and mount ISO via LOM interface. It will take ages, as LOM interface is only 100 MB, but works 🙂

Kind regards,
Jozko Mrkvicka
0 Kudos
M_Ruszkowski
Collaborator
‎2019-06-04 07:01 AM
In response to JozkoMrkvicka

Sorry that I did not respond sooner, but it took some time to test the R77 and R77.20 upgrades in the LAB and then finally doing them in PROD using CDT.  So the results were good.  We were able to use CDT and upgrade the legacy R77.x firewalls to R80.20 w/T47 with no issues.   So at this time we are working through 6 to 7 clusters during weekend change windows.  The only issue that we have ran into using CDT on a MDS, is that we have to open a SSH session per Domain that we are upgrading clusters.  Lets say we are upgrading six clusters and each cluster is in a separate domain, then we have to open six SSH sessions to the MDS and do a mdsenv in each and have six CDT upgrades going at once.  Not a big deal...it works.   And one more thing.  If CDT shows completed at the end...well it may not mean that you are done.  We have found that the Monitor will show errors with IPS and other blades that are part of Threat Prevention.  You will need to push policy again to get them to go green and error free.   Again not a big deal.   CDT has dramatically sped up our upgrades and the number of clusters we can do in a maintenance window.

M_Ruszkowski
Collaborator
‎2019-11-08 09:11 AM
In response to M_Ruszkowski

I just wanted to give an update. 

The CDT  has worked very well for us.  We have upgraded more that 135 firewalls since the last post, with no issues.  Keep in mind, we can only do these upgrades on weekends.  It used to take us more than a year to upgrade everything. The upgrades have been from R77.20 and R77.30 to R80.20 with Jumbo Take.   And we are using CDT to roll out HFA's as well.  We have already started patching with Take 118,  which was recently released.  This has dramatically sped up our upgrades and patching cycles. 

If you have not tried CDT, I would recommend just skipping the basic method and go right to the advanced method and define a deployment plan.  Not very hard to do it, and you are going to end up doing this way anyway.  So don't bother with basic method.