This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vsurresh
Contributor
‎2021-07-21 02:09 AM
Jump to solution

Security Gateway kernel upgrade

Hello.

Let me preface by saying that I'm a novice at best when it comes to Check Point. I'm looking to get some help with upgrading the kernel on the SGs.

I'm planning to implement management plane separation on a pair of 5800s following this guide https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As per the guide, one of the requirement is to be on kernel , 3.10 R80.30 Jumbo Hotfix Take 136 or higher. However, the SGs are currently on R80.30 kernel version 2.6.18. How do I also check which Jumbo Hotfix the SGs are on? 

Could somebody please point me in the right direction on how to do upgrade the kernel and and install the hotfix? The management servers are already on 3.10. The output of 'show version all' shown below:

Product version Check Point Gaia R80.30
OS build 200
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

Thanks in advance.

 

0 Kudos
1 Solution

Accepted Solutions
RamGuy239
Advisor
Advisor
‎2021-07-21 06:52 AM
In response to vsurresh
Jump to solution

The information regarding R80.30 with 3.10 kernel can be located here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Management installations moved to 3.10 kernel with R80.20. Gateway installations did not until R80.40. But because some new series of Check Point appliances and open servers have newer series of CPU's they required 3.10 kernel in order to function correctly. Thus Check Point released some limited versions of R80.20 and R80.30 for gateways with 3.10 kernel.

These were never meant for broad adoptions. They were only meant for a small subset of the hardware that required the 3.10 kernel and every since R80.40 went GA the recommended approach for gateway installations that do not support the use of 2.6 kernel is to go straight to R80.40+.

You should aim for an upgrade to R80.40, R81 or R81.10 instead of looking at an R80.30 with 3.10 kernel re-installation. When doing an upgrade from R80.30 with 2.6 kernel to R80.40/R81/R81.10 with 3.10 kernel the transition will be seamless. You can do a direct upgrade and you will move from 2.6 kernel to 3.10 seamlessly.

Before doing any upgrades you should remember that your management server needs to be upgraded beforehand so it can manage your gateways running on newer versions.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME

View solution in original post

6 Replies
_Val_
Admin
Admin
‎2021-07-21 02:50 AM
Jump to solution

You need to install your GWs with R80.40 or higher. If your MGMT is on R80.30, it has to be upgraded first. 

Also, clear install and not upgrade im place is the recommended way to benefit from the new XFS capabilities. if you do upgrade in place, it remains EXT

vsurresh
Contributor
‎2021-07-21 05:22 AM
In response to _Val_
Jump to solution

Thanks for the response. Do you mean that I can't have kernel 3.10 with R80.30? Can I not have 3.10 with R80.30?

0 Kudos
_Val_
Admin
Admin
‎2021-07-21 05:25 AM
In response to vsurresh
Jump to solution

You can, on Management and on some very limited amount of new models, but no on all GWs. You also cannot change the kernel in any way on any of R80.30 installations, from one to another.

RamGuy239
Advisor
Advisor
‎2021-07-21 06:52 AM
In response to vsurresh
Jump to solution

The information regarding R80.30 with 3.10 kernel can be located here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Management installations moved to 3.10 kernel with R80.20. Gateway installations did not until R80.40. But because some new series of Check Point appliances and open servers have newer series of CPU's they required 3.10 kernel in order to function correctly. Thus Check Point released some limited versions of R80.20 and R80.30 for gateways with 3.10 kernel.

These were never meant for broad adoptions. They were only meant for a small subset of the hardware that required the 3.10 kernel and every since R80.40 went GA the recommended approach for gateway installations that do not support the use of 2.6 kernel is to go straight to R80.40+.

You should aim for an upgrade to R80.40, R81 or R81.10 instead of looking at an R80.30 with 3.10 kernel re-installation. When doing an upgrade from R80.30 with 2.6 kernel to R80.40/R81/R81.10 with 3.10 kernel the transition will be seamless. You can do a direct upgrade and you will move from 2.6 kernel to 3.10 seamlessly.

Before doing any upgrades you should remember that your management server needs to be upgraded beforehand so it can manage your gateways running on newer versions.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
RamGuy239
Advisor
Advisor
‎2021-07-21 06:57 AM
In response to RamGuy239
Jump to solution

One thing to remember is that 3.10 kernel also introduce the use of XFS filesystem as opposed to ext3. The only way for you to get the new filesystem is by doing a re-installation from USB/ISO. XFS is not all that important for gateways, but it's still preferable to do a complete re-installation to R80.40/R81/R81.10 so you get it if possible. Make a copy of your GAiA configuration and migrate it to a fresh installation.

For your management doing a re-installation aka an "advanced upgrade" whereby you export the configuration and database from your current management where you move it to a freshly installed R80.40/R81/R81.10 is recommended. A management installation puts much higher loads (IOPS/read/write) on your disk so getting the XFS filesystem is the recommended approach.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
vsurresh
Contributor
‎2021-07-24 10:32 AM
In response to RamGuy239
Jump to solution

Thanks for response. It started to make sense. I will aim to perform a fresh installation of R80.40.

Cheers

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top