This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-06-12 12:07 AM

VSX upgrade R80.10 to R80.20 - CPUSE or fresh install

Apart from having "fresh slate" and removing old gremlins, are there any other possible reasons to chose fresh install + vsx_util reconfigure over straight CPUSE upgrade on VSX? File system remains the same.. I would prefer simpler approach (CPUSE) unless someone can provide convincing arguments against it 🙂

 

 

0 Kudos
9 Replies
Martin_Valenta
Advisor
‎2019-06-12 12:25 AM

I would use cdt 1.6. for upgrading VSX

 

https://sc1.checkpoint.com/documents/CDT/v1.6/html_frameset.htm

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-06-12 12:53 AM
In response to Martin_Valenta

Thanks Martin but we're not that big to run centralised upgrades 🙂 three clusters...

0 Kudos
Martin_Valenta
Advisor
‎2019-06-12 01:49 AM
In response to Kaspars_Zibarts

You don't need to do it in bulk, you can upgrade just one vsx cluster..at time, i just take care about 99 % of things which you need to do manually 😉

0 Kudos
Morten__
Participant
‎2020-01-18 06:48 AM
In response to Martin_Valenta

Hi Martin

Which 1% does CDT not take care of?

BR,

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-12 01:52 AM
In response to Kaspars_Zibarts

Kaspars,

 

I did an upgrade like this less than a month ago, you read all about it in this post 12600 with VSX low on memory.

One is now with CPUSE and one is clean install, first thing I ran into is that the upgraded machine has an issue with the cluster state of the management interface. Second issue I found was that CCP was set to broadcast on the upgraded system but was set to auto on the clean install, ending up in broadcast/unicast setting.

VS0 is acting up due to the Cluster interface mis-configuration, state is active/down.

Identity Awareness is not working from a VS when it is running on the clean install system, the AD account gets locked within minutes. Move the IA using VS to the upgraded system and reset the lock and IA works just fine.

My customer is not really happy to execute the recommendation from TAC, to do a clean install (for the interface issues) on the other machine as well, as they fear that IA won't work at all anymore.

 

So it really depends, a clean install will set all R80.20 defaults, that are done below the VSX reconfiguration levels. An upgrade will keep the system as is, which in some cases is what you want/need.

 

Regards, Maarten
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-06-12 02:04 AM
In response to Maarten_Sjouw

Thanks for feedback Maarten! Appreciated as always! 🙂 We have custom scripts that "survive" CPUSE of course and save 15mins of my life restoring them 🙂
0 Kudos
Alex-
MVP Silver
MVP Silver
‎2019-06-12 01:54 AM
In response to Kaspars_Zibarts

I used CPUSE from R77.30 to R80.20 without any issues for VSX, as you say the FS remains the same on gateways. I thought of fresh install but time and logistical constraints made me go first to try the in-place upgrade and if it failed anyway I would have spent the rest of the day running around DC's imaging appliances.

So as much I like clean installs between major versions, I can't say I found relics or unexpected behaviors other than linked to the new OS itself, solved with the latest hotfix. 🙂

I had less joy with R80.30 where all VS disappeared when running commands in expert mode (vsx stat and the like) but would still show up in CLISH. Upon restoring them by the means of multiple reboots and VS push from the I had to push a policy on every single machine to restore HA.

In-place upgrade of R80.20 to R80.30 for an SMS also failed, upon reboot, everything was gone and I had to resort to a new install with migrate export/import.

 

TL;DR: All good with R80.20.

Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-06-12 02:06 AM
In response to Alex-

Thanks Alex! We are sticking with R80.20 for now so should be ok. We did CPUSE for 77.30 > 80.10 so might keep it that way
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-12 03:48 AM
In response to Kaspars_Zibarts

Just found the issue with IA, the default for IA is to NOT use NTLMv2, which needs to be changed by 'adlogconfig a' on a per VS base.
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events