This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cem82
Contributor
‎2020-11-11 03:40 PM

R80.30 upgrade difference between using CPUSE "Major version" vs "Blink image"

Hi

 

I can't find any documentation or posts that cover this.  We are going from R77.30 on open server to R80.30 and would like to know the difference between these methods.  I'm not concerned about keeping config, but would like the install to be as 'clean' as possible.  Up until now have generally been using bootable DVD/USB and doing full format / install however for this gateway getting various traceback errors part way through so installing old version to do with one of these methods.

 

1)  CPUSE > Major Versions > R80.30 Fresh Install and Upgrade for Security Gateway and Standalone

2)  CPUSE > Blink Images > R80.30 Security Gateway

3)  Copying blink image over to /var/log/ and running blink tool

0 Kudos
9 Replies
Boaz_Orshav
Employee
Employee
‎2020-11-11 10:05 PM

Hi

  Please see below for a short description of the installation methods

  Will be glad to assist in any further questions.

https://community.checkpoint.com/t5/Next-Generation-Firewall/Difference-between-clean-install-and-up...

0 Kudos
Vladimir
Champion
Champion
‎2021-07-21 07:15 AM
In response to Boaz_Orshav

Hi @Boaz_Orshav ,

Can you advise on the best approach for the following scenario:

7000 series gateways shipped with either R80.40 or R81 that must be deployed with R80.30.

My current inclination is to import the blink R80.30 and CPUSE > Blink Images > R80.30

Since I am doing it remotely, ISOmorphic is not a viable option.

Thank you,

Vladimir

0 Kudos
RamGuy239
Advisor
Advisor
‎2021-07-22 07:11 AM
In response to Vladimir

Check Point 7000 appliance can't run GAiA R80.30. The CPU in the 7000-series requires 3.10 kernel and R80.30 only has 2.6 kernel. There is a special release of R80.30 with 3.10 kernel that can be used:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


But this is not a widely adopted or recommended release. These special 3.10 kernel releases of R80.20 and R80.30 got released because some newer appliances and open severs required 3.10 kernel because of their CPU's so Check Point had to come up with R80.20 and R80.30 releases with 3.10 kernel as the 3.10 kernel for gateways got pushed to R80.40.

It's R80.40 that is the first regular release of GAiA that features 3.10 kernel for gateways. I would recommend you to consider going with R80.40, R81 or R81.10 instead of going with the limited R80.30 3.10 release.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
RamGuy239
Advisor
Advisor
‎2021-07-22 07:19 AM
In response to Vladimir

If you are doing it remotely, does that mean that you rely on ssh/webui? How do you access it? Does this mean that having the current configuration removed will result in you losing access? The gateway needs to have its IP address and default route in place for you to be able to reach it?

You can't use cpuse or blink package for R80.30 as the Check Point 7000 series does not support R80.30. If you have to use R80.30 and can't move to R80.40/R81/R81.10 you will have to grab the special R80.30 3.10 kernel release:


https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


But please be aware that this is a limited release not widely deployed. It was released as a result of newer appliances and open servers requiring 3.10 kernel due to their CPU's not supporting the 2.6 kernel. R80.40 is the first regular release with 3.10 kernel for gateways and would be the recommended way of doing things instead of using the limited R80.30 3.10 release. Or you could of course go with R81 or R81.10.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
Vladimir
Champion
Champion
‎2021-07-25 10:34 AM
In response to RamGuy239

These are the new appliances in a staging environment, so for the initial version adjustment, I am not concerned with interruption of functionality.

Thank you for the pointer about specific version for 7000s, although it'll be nice to know why those appliances require specific version to begin with.

Client has agreed to take the R80.40 upgrade route, but now we are facing the migration issues that must be dealt with.

Regards,

Vladimir

0 Kudos
IdanC
Employee Alumnus
Employee Alumnus
‎2020-11-12 05:43 AM

Note that in order to have the new filesystem, the only option is to install from ISO.

So if as you said you want to go "as 'clean' as possible", consider that option, it is the only one that formats your box.

0 Kudos
RamGuy239
Advisor
Advisor
‎2021-07-22 07:14 AM

In newer versions of Check Point GAiA there isn't much difference. Major upgrade packages are utilising blink for its deployment. Doesn't really matter if you use the cpuse package to do a clean install, or if you use the blink image for a clean install. The end result is basically the same.

A clean install is only cleaning the running gaia configuration. It will not reformat the hard drive. So the only way to actually do a full clean installation, and for you to get the XFS filesystem that was introduced with R80.40 for gateways is by doing a clean installation using isomorphic tools, iso and USB.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
antsvett3
Explorer
‎2021-07-26 08:09 AM
In response to RamGuy239

If you want a true clean install its either USB or using the LOM to install the ISO.

0 Kudos
Tommy_Forrest
Advisor
‎2021-07-26 08:33 AM

Blink is going to save you reboots by installing the latest patches associated with a given release.

Instead of, say, going R77.30->R80.30->R80.30 JHT XYZ using the old school tried-and true method you'd just go from R77.30->R80.30 JHT XYZ.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top