r1der
Contributor

Questions on upgrading from R80.10 to R80.40 or R81

Hi Everyone,

First off, thanks for reading my post and what a great community CheckMates has here. I hope you all are safe and have a Merry Christmas/Happy New Year! I have only been using CheckPoint for about 5 months now, please bear with me while I learn. If this is the wrong area, sorry for posting it in the wrong place!

I was hoping I could get some guidance on upgrading them from R80.10 to R80.40 or R81, with little or no downtime, if possible. If I am not mistaken, I can upgrade the Gateways from R80.10 to R81, but the Smart-1 210 hardware or “SMS” will need a two-step upgrade - R80.40 then R81.

Hardware: (1) Smart-1 210 R80.10 build 031 and (2) 5600 SG R80.10 build 124. SGs are set up as High Availability/ClusterXL.

Should I be installing any hotfixes, minor versions, Blink Packages prior? These are what I have currently recommended: Hotfixes - R80.10 Jumbo Hotfix Accumulator General Availability (Take 287), Minor Versions - R80.10 SmartConsole Build 183, Blink Packages – R80.40 Security Management + JHF T89 for Appliances and Open Servers, Major versions (will do this) - R80.40 Gaia Fresh Install and Upgrade.

Here is what I believe the steps should be:

  • Backup SMS and the two SGs.
  • Verify/Update CPUSE – SMS and Gateways currently on Deployment Agent build 1999 R80.10 take 479. I believe this is latest, so we are good.
  • On Smart-1 210/SMS update via Web GUI -> Upgrades (CPUSE) Status and Actions -> Major Versions -> select “R80.40…” Download and assuming Install will be the next option.
  • Upgrade SmartConsole on my PC. Download via SMS WebGUI or CheckPoint
  • Upgrade Security Gateways using this procedure. I am assuming it’s like #3.
    --- I'm reading there are several ways to upgrade, “connectivity upgrade” and “multi-version cluster upgrade”, but then also read from a post that SGs can be updated via SmartConsole on R81. So I'm a bit confused here trying to find out the best method.
  • Post-upgrade checks (I’ll need to do more research on what else needs to be done here).

I am sure I am missing a lot of things to check or do. Please feel free to add anything you think I should be aware of.
Also if R80.40 is more stable, I'd be fine with at least upgrading to that version.

Thank you,

0 Kudos
Reply
14 Replies
Magnus-Holmberg
Advisor

The link that you are providing is for a single gateway; make sure to use the cluster procedure. (It's the same document, just a little bit further below.)
R80.40 GA with latest GA hotfix is the recommended version.

Regarding upgrading mgmt server, check that you have no locks in sessions etc.
Publish or discard them.  Also verify that everything is working correctly before you start.
Meaning that you do get logs, able to push policy etc.
Also write down any special configuration that you have made in files, such as user.def file or similar 🙂

If you would go for R81 mgmt server, I would use the inbuilt new upgrade tool within R81 from the dashboard for gateway upgrade.
It's built on CDT and seems to work really well. Have tried it a few times now 🙂
Not sure if I would go to R81 for gw just yet.




https://www.youtube.com/c/MagnusHolmberg-NetSec
r1der
Contributor

OMG, Magnus! What an honor to get a reply from you. 😁 I've been watching your videos, and watched this one yesterday! Thank you so much for all your videos!
Thanks for pointing out I posted the wrong section. I will update my notes.

It sounds like I can run R81 for SMS and R80.40 on both GWs. Is that correct?

0 Kudos
Reply
Magnus-Holmberg
Advisor

Hehe thank you, there are a lot of ppl in the forum who know their stuff 🙂

Sure you can have R81 mgmt and then run gateways with lower version.
Check this list for ref: https://dl3.checkpoint.com/paid/6d/6df941bffcb69413bff2adb395504eee/CheckPoint_R7x_R8x_R81_BCMaps_Oc...

You will not get all benefits from R81 (such as hit counts on NAT rules) as some features require you to have R81 on the GW as well.
I normally use this approach myself as it's less impact if there are issues with the mgmt server than the gw.
So on GW I do really try to use a very stable release.

Regards
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
Peter_Lyndley
Collaborator

Hi r1der,

Please also note that the Smart-1 210 is no longer supported to run R81 software as its spec is too low.

"Note: R81 is not supported on Smart-1 205 and 210"

It may be time to look at something like Smart-1 cloud or a newer appliance to take full advantage of all the latest features

thanks

Peter

G_W_Albrecht
Champion

Right - Smart-1 210 came in May 2014 and Engineering Support did end last September. It will be supported until September 2022 with R80.40 as the most current version. 5600 from April 2010 will be supported until December 2025 - but a hint: USFW is not enabled on this appliance...

Vincent_Bacher
Advisor

Another option would be to replace the Smart-1 appliance using an Open Server running on VMware ESX, if already present (or maybe Hyper-V, which is supported as well).

and now to something completely different
r1der
Contributor

Thanks, we'll keep this in mind after upgrade to R80.40 at the very least.

0 Kudos
Reply
r1der
Contributor

Thanks Peter, I completely missed that part! In that case, we will upgrade to R80.40, but are going to start looking into upgrading the appliance.

0 Kudos
Reply
PhoneBoy
Admin

If your goal is R81, it will be a two-step upgrade process (first to R80.40, then R81).
That’s independent of the Smart-1 210 not supporting R81, FYI.

r1der
Contributor

Hi @PhoneBoy, thanks for the comment and those webinars you host! I think at this point we will go with R80.40 on gateways and SMS. 

Just so I don't feel crazy, and to make sure I am reading the documentation correctly: I thought this table below states it's a direct jump from R80.10 to R81, just not for Management Servers/MDS.

image.png

R81 Release Notes (checkpoint.com)

0 Kudos
Reply
Magnus-Holmberg
Advisor

I think it’s easier if you check this map 🙂

https://dl3.checkpoint.com/paid/bb/bbec60a949756e4a28948fb7f31345b5/CheckPoint_R7x_R8x_R81_UpgradeMa...

Or use check point upgrade wizard.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowupgradewizard

 

https://www.youtube.com/c/MagnusHolmberg-NetSec
PhoneBoy
Admin

The reason pre-R80.20 management requires a two-step upgrade is that we made a fairly significant change in the upgrade infrastructure that was only backported as far as R80.20.
An externally-managed gateway doesn’t have that issue, so it makes sense you can upgrade an R80.10 gateway straight to R81.

Dorit_Dor
Employee

Indeed, only the mgmt itself has a different upgrade from R80.20 (and therefore two steps). There is no restriction with gw upgrade.

Luis_Dominguez1
Participant

R1der,

For mgmt, you could consider their cloud management solution.

Regarding upgrading gateways, I found the Central Deployment Tool (CDT) to be extremely useful.  You only have one cluster, so that may be overkill, but using the CDT could still simplify your upgrade after you learn how to use it.

Also, if you're using OSPF, always be mindful that upgrades can cause OSPF to malfunction.  One gateway may have the right OSPF routes but the other may not.  The quick fix is to reboot the active firewall then the standby.  You may see a hiccup of routing.  The standby should take the full load and routing.

Regards,

Luis