Brian Brindle wrote:
Hello all,

I'm preparing to upgrade two Nokia 1260's from IPSO 3.8.1-Build028 and
Checkpoint R55 to IPSO 4.2build81a03 and Checkpoint R65. Now I've been
a Checkpoint Policy pusher for many years but until recently I've had
very little involvement in the upgrades like this and quite frankly
I'm terrified. I've been poring over the upgrade guides /
instructions but would be very grateful if you guys could look over my
action plan and offer up any wisdom, advice, words of encouragement or
alternate career choices if it all goes bad.

Basically here's what I've got outlined so far:

Upgrade Smartcenter. Currently Smartcenter is running on a RHEL3.0 box
and I happen to have a spare so I have exported the config
from the existing smartcenter configuration and will do a fresh
install of R65 on the new box. I plan to upgrade the R55 license using
the Checkpoint User Center Webpage from my laptop to get the new
license then transfer it via flash drive to the new smartcenter.

You can upgrade the licence right now.

Once the new Smartcenter box is up and all the dashboard clients
upgraded I'll shut down the old smartcenter and attempt to push a
policy to the existing R55 cluster and ensure that everything is OK.

You'll perhaps have to reset SIC between gateway and smartcenter.

That should take care of the management end of things. Our 1260's are
running as a multicast HA right now so to minimize downtime I do not
plan to upgrade both at the same time. I want to keep the master
running temporarily and upgrade the member by stopping it and
upgrading it to IPSO 4.2 and R65. I'm still a little confused on how
the license upgrade will work on this FW. I have to re-read that
section. If all goes well I will shutdown the Master and test out the
new R65 FW to see if everything went well. I know this will still
cause a downtime etc but it seemed to me it would be less of a
downtime than upgrading both at the same time? Anyone have any advice,
thoughts on that? I want to keep it as simple as possible.

You can detach the licence from the member you'll upgrade, then upgrade, then reattach the licence after the upgrade is done.

My primary concern with the IPSO upgrade is that I have not been able
to determine if doing the upgrade like I suggested above will break
the current cluster configuration we have. If it will retain all
static routes, arp entries, VIP addresses etc.

The upgrade will keep what is in the /config/active file, i.e. interfaces, routing, etc. Nokia doesn't recommend running asymmetric clusters or HA pairs, i.e. pairs with different IPSO and Checkpoint versions.

We have some unique configurations I'm worried will also not make the
cut with the upgrade from R55 to R65. We have a lot of manual NAT
translations, mostly set up for site to site VPN's. I've heard that
they can be an issue because of the way R65 does things now? Anyone
know about that?

Keep one member on R55 and the IPSO version you have.
Upgrade the second one.
Once the upgrade is done, shut down the R55 member, and test as many things as you can (the best way to do this is to use monitoring systems, or hping
commands to do this automatically).

Also plan a time window for all operations. If you cannot fix something in time, keep some time to switch back to the
R55 member.

Thanks for reading and any words of advice or gotchas you might
know about will be greatly appreciated.

Don't forget to upgrade up to the latest HFA on R65, i.e. HFA02 + hotfix.

Brian

Scanned by Check Point Total Security Gateway.


