Bob_Zimmerman
Authority

Absolute worst case, this process should get you to R80.40:

  1. Use ISOmorphic and the R81.20 ISO image to build an R81.20 installation drive. Use R81.20, as it has some fixes during the installation which persist even when you downgrade. Some of these fixes make disk access dramatically faster, so the import in step 9 won't take as long.
  2. Use the upgrade tools ('migrate server', I think; might be 'migrate export' on R77.30) on your existing primary management (note, this may not be your active management; I forget how to confirm which one is primary on R77.30 full HA) to export a copy of your management config.
  3. Save a copy of the clish config.
  4. Use the R81.20 thumb drive to wipe one node and install R81.20 on it.
  5. Import the R80.40 package to CPUSE.
  6. Use 'installer clean-install Check_Point_R80.40_T294_Fresh_Install_and_Upgrade.tgz' to downgrade in-place to R80.40.
  7. Go through the first-time config. This can be done with the web UI, but I prefer the command line tool config_system.
  8. After rebooting, apply your clish config.
  9. Use the upgrade tools to import the config into the R80.40 member. Management sync will not work, but you should be able to log in to the R80.40 member with SmartConsole and see all your rules and objects.
  10. Push policy from the R80.40 member to itself. Be sure to uncheck the box which says to push to both cluster members.
  11. Install jumbo 206 on the R80.40 member.
  12. Enable cross-version sync on the R80.40 member (cphaconf mvc on). After a few seconds, the firewall software should go from Ready to Standby.
  13. Fail over from the R77.30 member to the R80.40 member.
  14. Repeat steps 3-8 and 11 on the second member. No need to do the management-side stuff again, since it will just synchronize with the existing R80.40 member.
  15. Establish SIC trust from the management to the second member. Start the management sync.
  16. Push policy to both members.

Check Point's big advantage to me is it's just software. Except at the low end (Quantum Spark) and high end (Maestro, Quantum LightSpeed), their hardware is nothing special; it's just overpriced x86 servers with weird card slots. This is relevant here because their software works just as well in a VM as it does on real hardware.

Build some VMs and try this process at least once. I probably forgot something in that list of steps. Testing it on VMs will help confirm the process works before you try it on your production boxes. This process is complicated enough I would try it several times. Back when I was doing upgrades by hand, I would try most of my significant upgrades in VMs at least 20 times to build familiarity before trying them for real.
