nastiakhon
Contributor

Updating the latest version of Jumbo General Availability gives an error

Good afternoon, please help me upgrade to the latest version of Jumbo General Availability.
I have a link
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

But when executing this script, I get an error: central deployment is not supported from standalone servers.

Can I update somehow differently, or what do I need for this?

Thanks!

Boaz_Orshav
Employee

Hi

Can you please specify which script you use?

If you use the Smart Console GUI - indeed the central deployment is not supported for a Stand Alone machine.
nastiakhon
Contributor

Hello, yes we use Smart Console.

Screenshot_1.jpg

Screenshot_2.jpg

Please tell me how we can update? And can we do it without stopping services?
Thanks!

Chris_Atkinson
Employee

Gateway & Management combined?

Other update methods are via Web UI or CLI using CPUSE.

CCSM R77/R80/ELITE
G_W_Albrecht
Legend

Second is first: No Jumbo without Reboot, sorry for that!

Central Deployment is a way to update / upgrade other CP devices from the SMS that downloads Jumbo or install image, transfers it to the device and after reboot checks if the update was successful.

That mechanism is not able to upgrade the SMS itself for obvious reasons 😉 The same is true with StandAlone Deployments (that are not suggested anyway...). So you have to use GAiA WebGUI.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

As @Chris_Atkinson advised, use web UI, that's your best bet, it will work 100%.

Andy

nastiakhon
Contributor

Yes, that's right, Gateway & Management combined

I'm new to Checkpoint, and I don't quite know how to do it so that the service remains in a working state. Could you please advise.

If you say that through the web interface, then this is the control of the checkpoint itself?

Screenshot_3.jpg

Here?
Thanks!

the_rock
Legend

Hey, it's all good, we are here to help, there are no insignificant or stupid questions as far as I'm concerned. Yea, you got it, so screenshot you attached is what I meant...that's web UI. You just right click on the version you wish to upgrade, do verify first, to make sure it's good to go and then you can click upgrade.

Message me privately if you need help, we can do remote session.

Andy

nastiakhon
Contributor

Thanks for understanding)
I'm currently in the process of preparing for the update, I need to tell the management whether there will be a downtime during this update), can you tell me?)

the_rock
Legend

Yes, 100% there will be. Ok, so let me explain in layman's terms the differences, just in case if you were not clear.

Management server - separate entity used to manage CP gateways

Single gateway - just one firewall, no cluster

Cluster - 2 or more firewalls either in HA or load sharing

Standalone - Management + gateway in one entity

Now, as it sounds like you have standalone, any time there is upgrade, reboot is needed, meaning there will be downtime, as any traffic going through it won't work for the time during reboot. One thing to remember, it's possible device may not fetch latest policy, meaning it may default back to initial one, which blocks most things, so make sure you have physical access to unload it if that happens by running fw unloadlocal command.

Andy

nastiakhon
Contributor

Thanks!
But I do not quite understand what "may default back to initial one" means, does this mean that all settings will be lost?
Unfortunately, I have just such a situation that I do not have physical access to the equipment. Can I somehow prevent the checkpoint from getting and updating the latest version?

the_rock
Legend

Here is what that means...usually, when box reboots, it would fetch latest known policy before the reboot. So say if you installed policy March 20th and you upgraded March 22nd, then after the reboot upon the upgrade, firewall would try to get last known policy from March 20th. Sadly, that does not happen 100% of the time, so to be 100% safe, I always recommend people to have some way to physically access the box in case that happens, because if it loads initial policy, you won't be able to connect to it.

Andy

nastiakhon
Contributor

By policy do you mean when we press the "install policy" button?

Screenshot_4.jpg

the_rock
Legend

Yes...you can also run fw stat from expert to get current policy.
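
The check this part of the thread points to (note which policy `fw stat` reports before the upgrade, then confirm after the reboot that the same policy came back rather than the initial one), as an added example that is not part of the original posts or of Check Point's own tooling. The sample `fw stat` outputs are constructed; the column layout, the policy name `Standard`, the fallback names `InitialPolicy` and `defaultfilter`, and the file path in the comments are assumptions to verify against your own gateway.

```bash
#!/bin/bash
# Added example, not from the thread. Sample `fw stat` outputs are constructed;
# the HOST / POLICY / DATE column layout is an assumption.

# Read `fw stat` text on stdin, print the policy name (2nd column, first data row).
policy_name() {
    awk 'NR > 1 && NF >= 2 { print $2; exit }'
}

# Compare the policy now loaded (stdin) with the name recorded before the upgrade.
# Prints one of: ok | initial | unloaded | changed
check_policy() {
    expected=$1
    current=$(policy_name)
    case "$current" in
        InitialPolicy|defaultfilter) echo initial ;;   # fell back after reboot
        -|"")                        echo unloaded ;;  # no policy loaded
        "$expected")                 echo ok ;;
        *)                           echo changed ;;
    esac
}

# Constructed samples (policy name "Standard" is hypothetical).
BEFORE='HOST      POLICY     DATE
localhost Standard   20Mar2023 10:15:02 :  [>eth0] [<eth0]'
AFTER_INITIAL='HOST      POLICY        DATE
localhost InitialPolicy 22Mar2023 09:01:44 :  [>eth0] [<eth0]'
AFTER_UNLOADED='HOST      POLICY     DATE
localhost -          - - :  >eth0 <eth0'

saved=$(printf '%s\n' "$BEFORE" | policy_name)
for sample in "$BEFORE" "$AFTER_INITIAL" "$AFTER_UNLOADED"; do
    printf '%s\n' "$sample" | check_policy "$saved"
done
# On a live gateway (expert mode) the same functions would be fed real output
# (the file path is hypothetical):
#   fw stat | policy_name > /var/tmp/policy_before          # before the upgrade
#   fw stat | check_policy "$(cat /var/tmp/policy_before)"  # after the reboot
```
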

nastiakhon
Contributor

I understand you, thank you very much for your help, I will inform my management that it is not safe for us to update now and that a physical presence is very desirable))) Maybe we will now postpone updates))

And thanks again!))

the_rock
Legend

Any time...My motto is always "Better be safe than sorry" ; - )

Andy

nastiakhon
Contributor

I had a thought: is it possible to make some minor change, for example, create a rule that will not affect the network in any way, set a policy, and then update? In this case, even if the checkpoint returns to the previous policy, this will not affect it in any way. Or won't it work like that?
Thanks!

the_rock
Legend

Don't do that, I will tell you why...let me give you example that happened to me in my lab couple of months back. What happened was this...I created brand new R81.10 lab with mgmt and firewall, but same happened even with R81 base standalone. I left policy as any any allow, upgraded, rebooted and first time, it kept the policy, but when I applied jumbo hotfix, it reverted to initial policy, which blocked pings, I could not web UI on custom port, only ssh and obviously, no traffic worked.

What I'm trying to tell you is this...does not matter if your policy is one rule any any allow all or 10000 rules, it won't make a difference. This is just me, I won't speak for anyone else, but I had customers tell me before after I insist they have physical access on site...no no, nothing will happen and then when it does (in rare cases), they have to drive 2 hours to get access. Trust me when I say this, you do NOT want to be one of those people.

nastiakhon
Contributor

Yes, okay, I realized that it is really dangerous, especially that this equipment is 600 km away and it is located in another city)))
THANK YOU!!))

the_rock
Legend

Well, if you don't mind driving 600 kms, by all means : - ). My record is 1400 kms in one day, but certainly NOT for this reason, haha.

Andy
