The upgrade of the CP licenses is not a big deal.  If you already have
a copy of your R55 licenses (if not, download a copy of those from
usercenter before you start), then you can change them to R65 licenses
in advance (like now), and download the R65 license keys as well.  You
don't have to install the R65 licenses now, just make sure you get them
in advance so they don't stall your upgrade later on if you have a
problem.  Having copies of (both sets of) license strings archived for
your use is a good idea anyway.

When you upgrade IPSO versions, it should retain your routing table,
interface IPs, and VRRP config.  Hopefully you're on the new VRRP
config (not the ancient "legacy" one), otherwise just wipe it out and
recreate it in the new mode, it's easier to create and maintain.

Just in case, always open up your config summary page in Voyager, and
print it out.  Worst case, you can reconfig your box completely from
scratch with some typing time to put all the IPs and other configs back
into the box.  Unless you have a huge amount of VLANs or routes, you can
usually reconfig a box from scratch (think RMA hardware showing up after
a problem here, as well ;-) in 20 or 30 minutes.

My personal preference here - I have rarely had a Checkpoint upgrade on
a Nokia box go well, so I always do a clean install.  That's not Nokia's
fault, that's Checkpoint's.  But there's not much in your Checkpoint
install that's customized (all your IPs, routes, VRRP, etc, are all
part of IPSO).  About the only thing you have to set in your CP config
is a few cpconfig settings for HA, initial SIC code to connect from the
mgmt station, etc.

Therefore, before I start the process, I always shut down, and remove
any Checkpoint software via the Voyager GUI, so it's back to being
nothing but an IPSO box, upgrade the IPSO version, and when that
completes OK, do a fresh install of Checkpoint on it from scratch.
YMMV, but it's saved me pain in the past to avoid trying to upgrade
stuff in place.  

One last bit of advice, which has bitten me before many times - removing CP
products from IPSO via the GUI does NOT always clean all of their
baggage out of your config, and I've had new fresh installs that don't
work because of it.  Once you've cleaned out all products via the GUI,
make a backup copy of whatever your config file is (/config/db/initial
points to it) and then search it for any "cp" or "fw" strings that might
show themselves to be Checkpoint config lines left over in the file.
You can tell by the entire config line if it's an IPSO or Checkpoint
line by what it's pointing to or says.  A clean system should upgrade
fine to the latest IPSO version, and a clean config file should let you
do a clean Checkpoint install as well.  I'm SURE that editing the config
file in 'vi' is not something the Nokia support engineer will advise you
to do, but after a bad upgrade attempt, followed by a bad clean install
attempt, it's what the Nokia support engineer and I figured out was the
culprit, so I check for it on every upgrade from now on.

Run your upgrades from the command line via ssh or console cable, so you
can see any error messages. Some things can be done from the GUI, but
you're blind if they throw an error out.  Once you 'scp' your new
version IPSO tar file up to the box, upgrade it with "newimage -l
ipso.tgz -R" (or whatever your file is called).  Don't use the "-k"
option to keep existing packages (you cleared them all out previously in
the above steps anyway, right?).  There's no way to run R55 on the
latest version of IPSO anyway, so I'm not sure how that could work if it
tried to keep existing packages anyway.

Once IPSO is up on the new version, and you've checked your interfaces,
IPs, routing table, VRRP, etc, and they all look good, scp your
checkpoint version onto the box, and do a clean install from the cmd
line with "newpkg -m LOCAL -n IPSO_wrapper_Rxx.tgz" (whatever your
current Checkpoint IPSO tar file is called).  Once it's installed, you
can reboot to pick up the new environment variables (like $FWDIR) or
just re-login.  From there you're into cpconfig, setting basic options,
initial SIC string, etc, - then connect from your R65 mgmt station,
update your firewall objects to be R65 versions, establish SIC, add your
new R65 licenses to the mgmt station, attach those to the firewalls via
smartupdate (assuming centralized licensing is used), push policy, and
so on as you normally do to set up and test a firewall.


Hope that helps a bit.  It won't be clear or sound simple until you've
done it for both of your boxes and you're comfortable with it, but if
you start on your standby firewall first, you have a functional primary
firewall to work with while you're going through it.  
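As an added illustration of the "back up the config file, then search it
for cp/fw leftovers" check described in the reply above (this is not code
from the list post, and the config lines it writes are constructed samples
for the demo, not real IPSO config syntax), here is a small POSIX shell
script.  It copies the config file to a timestamped backup and then lists
lines that carry a "cp" or "fw" token at the start of a word or path
component, so that "tcp" or "ospf" are not flagged; the actual decision
of whether a flagged line is Checkpoint baggage is still made by reading
the whole line, as the reply says.

```shell
#!/bin/sh
# Added example, not from the mailing-list post.  Assumes POSIX sh plus
# grep, cp, date and wc.  Usage on a real box (path is whatever
# /config/db/initial points to):
#     . ./cpcheck.sh; backup_config /config/db/<your-config-file>
#     find_cp_leftovers /config/db/<your-config-file>

# Copy the config file to <file>.<timestamp>.bak and print the backup path.
backup_config() {
    src="$1"
    dst="${src}.$(date +%Y%m%d%H%M%S).bak"
    cp "$src" "$dst" || return 1
    printf '%s\n' "$dst"
}

# Print (with line numbers) every line containing "cp" or "fw", case-
# insensitively, where the token starts a word or a path component:
# "cpconfig", "/opt/CPsuite", "env:FWDIR", "fw1" match; "tcp", "ospf"
# do not, because the letters are preceded by another alphanumeric.
find_cp_leftovers() {
    grep -n -i -E '(^|[^[:alnum:]])(cp|fw)' "$1"
}

# Number of suspect lines; 0 means nothing to review before the install.
count_cp_leftovers() {
    find_cp_leftovers "$1" | wc -l | tr -d ' '
}

# Write a CONSTRUCTED sample config to the given path.  The key:value
# style is made up for the demo and is not real IPSO syntax; three of
# the lines are meant to look like leftover Check Point entries.
write_sample_config() {
    printf '%s\n' \
        'hostname nokia-a' \
        'interface:eth1c0:ipaddr 10.0.0.1/24' \
        'routing:static:10.1.0.0/16 via 10.0.0.254' \
        'vrrp:eth1c0:vrid:5 priority 100' \
        'tcp_keepalive 600' \
        'ospf area 0.0.0.0' \
        'packages:CPsuite-R55:installed yes' \
        'env:FWDIR /opt/CPsuite-R55/fw1' \
        'cpconfig:sic_initialized yes' \
        > "$1"
}
```

The boundary pattern is the one design choice worth noting: a plain
"grep -i 'cp\|fw'" would also flag every "tcp" line, which on a firewall
config is a lot of noise; anchoring the token to a word or path start
keeps the list short enough to read line by line.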



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Brian
Brindle
Sent: Wednesday, June 04, 2008 02:10
To: [email protected]
Subject: [FW-1] Upgrade advice

Hello all,

I'm preparing to upgrade two Nokia 1260's from IPSO 3.8.1-Build028 and
Checkpoint R55 to IPSO 4.2build81a03 and Checkpoint R65. Now I've been
a Checkpoint Policy pusher for many years but until recently I've had
very little involvement in the upgrades like this and quite frankly
I'm terrified.  I've been poring over the upgrade guides /
instructions but would be very grateful if you guys could look over my
action plan and offer up any wisdom, advice, words of encouragement or
alternate career choices if it all goes bad.

Basically here's what I've got outlined so far:

Upgrade Smartcenter. Currently Smartcenter is running on a RHEL3.0 box
and I happen to have a spare so I have exported the config
from the existing smartcenter configuration and will do a fresh
install of R65 on the new box. I plan to upgrade the R55 license using
the Checkpoint User Center Webpage from my laptop to get the new
license then transfer it via flash drive to the new smartcenter.

Once the new Smartcenter box is up and all the dashboard clients are
upgraded I'll shut down the old smartcenter and attempt to push a
policy to the existing R55 cluster and ensure that everything is OK.

That should take care of the management end of things. Our 1260's are
running as a multicast HA right now so to minimize downtime I do not
plan to upgrade both at the same time. I want to keep the master
running temporarily and upgrade the member by stopping it and
upgrading it to IPSO 4.2 and R65. I'm still a little confused on how
the license upgrade will work on this FW. I have to re-read that
section.. If all goes well I will shut down the Master and test out the
new R65 FW to see if everything went well. I know this will still
cause a downtime etc but it seemed to me it would be less of a
downtime than upgrading both at the same time? Anyone have any advice,
thoughts on that? I want to keep it as simple as possible.

My primary concern with the IPSO upgrade is that I have not been able
to determine if doing the upgrade like I suggested above will break
the current cluster configuration we have. If it will retain all
static routes, arp entries, VIP addresses etc.

We have some unique configurations I'm worried will also not make the
cut with the upgrade from R55 to R65. We have a lot of manual NAT
translations, mostly set up for site to site VPN's. I've heard that
they can be an issue because of the way R65 does things now? Anyone
know about that?

Thanks for reading and any words of advice or gotchas you might
know about will be greatly appreciated.

Brian

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
*************************************************************************
The information contained in this communication is confidential, is
intended only for the use of the recipient named above, and may be
legally privileged.

If the reader of this message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.

If you have received this communication in error, please resend this
communication to the sender and delete the original message or any copy
of it from your computer system.

Thank you.
*************************************************************************

