https://community.checkpoint.com/thread/8343-remote-clean-installation-of-gaia
If you're going to tag me, Heather Lewis, you have to use my real name, sadly
Yes, Blink is basically like doing a clean install, but with a faster setup time.
The official SK is here: Blink - Gaia Fast Deployment
You can see a bit more about it here: TechTalk: CDT and Blink Video and Slides
While Blink really is great for fresh installs, it's worth trying to understand the reasons for going with a fresh install versus a CPUSE upgrade.
Something that many people don't know is that a CPUSE major upgrade actually behaves very similarly to a fresh install. The process creates a new partition on your device, performs a fresh install into it, then copies over your configuration, while updating it to the target version. You are not left with a mix of files from various HFs.
One exception where a fresh install does make a difference is R80.20.M1 where we've introduced a new file system, so only fresh installs (with optional export/import) can benefit from that.
If you still have reasons why a fresh install is preferred, we (in R&D) would be happy to hear about those.
Tagging Tsahi Etziony
This is different than what we have been told in the past. We have several clusters that are running R77 and R77.20. These were originally built with a clean install using a USB drive. We would copy the HFA tgz file to the gateway and then run the "Unix Install Script" (the old way before CPUSE). So we were told that we should not use CPUSE to do an upgrade to R80.20 because CPUSE could not track the HFAs that were installed and this would cause issues. So Check Point Support recommended clean installs. So this is bringing me to Blink.
Are you saying this is not the case and we are safe to use CPUSE and do an upgrade from R77.20 to R80.20 and this would be like a nice clean install?
If you are using Check Point appliances, you can use LOM interface and mount ISO via LOM interface. It will take ages, as LOM interface is only 100 MB, but works 🙂
Sorry that I did not respond sooner, but it took some time to test the R77 and R77.20 upgrades in the LAB and then finally doing them in PROD using CDT. So the results were good. We were able to use CDT and upgrade the legacy R77.x firewalls to R80.20 w/T47 with no issues. So at this time we are working through 6 to 7 clusters during weekend change windows. The only issue that we have run into using CDT on an MDS is that we have to open an SSH session per Domain in which we are upgrading clusters. Let's say we are upgrading six clusters and each cluster is in a separate domain; then we have to open six SSH sessions to the MDS, do an mdsenv in each, and have six CDT upgrades going at once. Not a big deal...it works. And one more thing. If CDT shows completed at the end...well, it may not mean that you are done. We have found that the Monitor will show errors with IPS and other blades that are part of Threat Prevention. You will need to push policy again to get them to go green and error free. Again, not a big deal. CDT has dramatically sped up our upgrades and the number of clusters we can do in a maintenance window.
I just wanted to give an update.
The CDT has worked very well for us. We have upgraded more than 135 firewalls since the last post, with no issues. Keep in mind, we can only do these upgrades on weekends. It used to take us more than a year to upgrade everything. The upgrades have been from R77.20 and R77.30 to R80.20 with Jumbo Take. And we are using CDT to roll out HFAs as well. We have already started patching with Take 118, which was recently released. This has dramatically sped up our upgrades and patching cycles.
If you have not tried CDT, I would recommend just skipping the basic method and going right to the advanced method and defining a deployment plan. It is not very hard to do, and you are going to end up doing it this way anyway. So don't bother with the basic method.