Things you shouldn't do on a midnight upgrade

Discussion created by Hugo van der Kooij on Oct 15, 2018
Latest reply on Oct 26, 2018 by Dameon Welch-Abernathy

In the list of things you shouldn't do in a midnight upgrade, here is another one.

 

Starting point:

SmartCenter R80.20.M1 on an isolated subnet

Single Gateway R80.10

 

Objective:

Upgrade the gateway to R80.20

 

As you might know, this will fail on multiple levels. And it is most definitely not supported.

 

I did an in-place upgrade of R80.20 and that seemed to kick off easily, but after reboot I had ... an InitialPolicy installed.

 

Great. So I locked myself out of my SmartCenter ;-)

 

As this is running completely in ESX, I have sort of an outbound management: the console. So time to get to the CLI (and mgmt_cli).

 

There you can try to push a policy but it fails because the versions don't match.

mgmt_cli --port 4434 install-policy policy-package 'standard' targets 'fw01'

(My system has been pushed to port 4434 when I installed EndPoint.)

 

You can correct this version from the CLI by upgrading the version in the object.

mgmt_cli --port 4434 set simple-gateway name 'fw01' version 'R80.20'

 

Now repeat the policy install and it works.

 

However, this will be the only policy install that will work. So you end up with a firewall you can access again but can't really manage, as R80.20.M1 can't manage an R80.20 gateway.

 

So I will do an export of objects, reinstall the SmartCenter to R80.20, build a new policy and test sk86521 (Reset SIC without restarting the firewall process) once again.

 

In case you didn't yet get the general idea of this post ....

Keep away from R80.10.M1

(Unless you know what you are doing and know why you wanted it for that very, very important business deal that will pay for the extra days you will have to spend on complex updates later.)
