At the risk of sounding unhelpful, you're making a big ask here. You're planning a significant upgrade of some heavy-duty kit (so I assume that you have important assets behind it), with what appears to be little or no experience of performing the work.

Now, on the face of it, the processes required are simple enough; both Check Point and Nokia have spent a lot of time developing products that are comparatively easy to maintain and upgrade, and one would hope that this will be easy. Nonetheless, as a professional consultant with over 10 years of experience in doing this kind of thing, I would counsel you to find a good professional to work with you whilst you do this. However easy it looks, there is ALWAYS an opportunity for problems; some are unforeseen, some are just bizarre, and when the pressure is on, an experienced consultant should be able to bring a calm, collected view and the benefit of experience to the resolution process. Some of my latest nights have been doing "quick and easy" upgrades for clients who suddenly discovered all the weirdnesses in their own networks at just the wrong moment.

You're right to prepare and upgrade the management first. The R65 management server will manage your R55 firewalls fine, and using upgrade_export/upgrade_import you should be able to pull through the CA and SIC certs, and if you're using the same IP for the new management server, after some ARP cache flushes you should be able to literally swap one box for another.

The 1260 upgrades in full cluster may be less straightforward, and I would consider using a new set of disks and rebuilding from scratch on the IPSO version you need. This is my preferred method; we provide loan hardware for the process to our clients and it ensures no legacy nastiness. It's not impossible to perform an upgrade on the existing environment, but mismatched IPSO versions and Check Point versions can cause unplanned outages or odd behaviour, so plan a window for complete downtime during the operation.

Once again, by all means be involved in the process, expect to get some skills transfer from your chosen consultant, but DO involve someone who has strong experience in this to work with you.
You'll find that the whole process is a lot less frightening when you have someone there who is used to dealing with total brokenness :)

Good luck!

Steve Bourike

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Brian Brindle
Sent: Wednesday, June 04, 2008 8:10 AM
To: [email protected]
Subject: [FW-1] Upgrade advice

Hello all,

I'm preparing to upgrade two Nokia 1260's from IPSO 3.8.1-Build028 and Checkpoint R55 to IPSO 4.2build81a03 and Checkpoint R65. Now I've been a Checkpoint Policy pusher for many years but until recently I've had very little involvement in the upgrades like this and quite frankly I'm terrified. I've been poring over the upgrade guides / instructions but would be very grateful if you guys could look over my action plan and offer up any wisdom, advice, words of encouragement or alternate career choices if it all goes bad.

Basically here's what I've got outlined so far:

Upgrade Smartcenter. Currently Smartcenter is running on a RHEL3.0 box and I happen to have a spare so I have exported the config from the existing smartcenter configuration and will do a fresh install of R65 on the new box. I plan to upgrade the R55 license using the Checkpoint User Center Webpage from my laptop to get the new license then transfer it via flash drive to the new smartcenter. Once the new Smartcenter box is up and all the dashboard clients upgraded I'll shut down the old smartcenter and attempt to push a policy to the existing R55 cluster and ensure that everything is OK. That should take care of the management end of things.

Our 1260's are running as a multicast HA right now so to minimize downtime I do not plan to upgrade both at the same time. I want to keep the master running temporarily and upgrade the member by stopping it and upgrading it to IPSO 4.2 and R65. I'm still a little confused on how the license upgrade will work on this FW. I have to re-read that section..
If all goes well I will shut down the Master and test out the new R65 FW to see if everything went well. I know this will still cause a downtime etc but it seemed to me it would be less of a downtime than upgrading both at the same time? Anyone have any advice, thoughts on that? I want to keep it as simple as possible.

My primary concern with the IPSO upgrade is that I have not been able to determine if doing the upgrade like I suggested above will break the current cluster configuration we have. If it will retain all static routes, arp entries, VIP addresses etc.

We have some unique configurations I'm worried will also not make the cut with the upgrade from R55 to R65. We have a lot of manual NAT translations, mostly set up for site-to-site VPNs. I've heard that they can be an issue because of the way R65 does things now? Anyone know about that?

Thanks for reading and any words of advice or gotchas you might know about will be greatly appreciated.

Brian

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
