BorisL
Contributor

Migration from R80.10 AWS VSEC standalone instance to R81 AWS Cloudguard IaaS

Hello.

We are trying to migrate configuration to a new instance in order to upgrade versions from our Standalone VSEC running in AWS to R81.

The R81 migration tools do not mention R80.10 specifically. Or at least we have not found a reference to it.

Can anybody help in this process? We tried it before with R80.40 and had many problems with NAT policies suddenly ceasing to work.

Thanks!

Boris

 

 

0 Kudos
6 Replies
PhoneBoy
Admin

There is no direct upgrade/migration path from R80.10 to R81.
As noted in the R81 release notes, you first migrate to R80.40 (using migrate export/import), then migrate to R81 (using migrate_server export/import).

When you say you had “many problems with NAT policies” what precisely do you mean?
Those may not be related to the actual configuration migration, which should be fairly standardized.

0 Kudos
BorisL
Contributor

When we migrated to R80.40, after some random time of normal operations, traffic traversing the firewall using static NAT rules stopped working. We could not identify the cause nor resolve it.

We have the feeling that the process of upgrading Check Point versions is very fragile. Our only alternative seems to be to do fresh installs and manually enter all the objects and rules, risking errors. We also need to upgrade two standalone R80.30 systems running on Intel servers. We could do it "in-place" using CPUSE, but the only way to go back if things don't work is a fresh install of the old version and a restore from a backup. All alternatives seem difficult.

 

0 Kudos
PhoneBoy
Admin

The NAT issue sounds like an actual bug versus an issue with the process of migrating the configuration from one version to the next.
Any TAC SRs you opened around this would be helpful (send them in PM).

The issue with having to "restore" R80.30 if you need to revert from R80.40 has to do with introducing a new Linux kernel and filesystem on the gateway.
This was done on management in R80.20.
To support newer Open Server gateways prior to R80.40, we had to release a different image in earlier releases that included the newer kernel.
The side effect of all this complicates reverting from R80.40 on the gateway side, which is why it requires a fresh (re)install on Open Servers in particular.
We also have a similar issue with Check Point appliances if they come pre-installed with R80.40+ and you want to use a previous release instead.

0 Kudos
BorisL
Contributor

Thank you very much again for the reply and clarification.

It seems that the most secure way to upgrade is to reenter the full configuration in the new version.

Are there any tools to export and import at least just the objects in a configuration for Open Server and/or IaaS?

 

0 Kudos
PhoneBoy
Admin

There are a couple of community tools you can potentially use for this, if you don't want to use the standard migration tools, which I do NOT believe are related to the issues you're experiencing.

0 Kudos
BorisL
Contributor

Maybe you are right, but we would have to: migrate the VSEC R80.10 to R80.40, then R80.40 to R81 IaaS, and then on two open servers go from R80.30 to R80.40 and then to R81. Sounds like too many points of possible failure.

Reentering configurations is boring and time-consuming, but seems the cleanest and safest.

I hope R81 upgrading going forward is smoother. Thanks for your help.

 

0 Kudos