You should upgrade the OS first. I have a procedure that works quite well for standalone machines.
The first thing is to make sure you have a valid license for FW1 and MOTIF. MOTIF is now a separate license issue for FW1 2000. Then you need to make sure that you are running at least SP6 on the 4.0 version. Now check the available disk space. You may need to upgrade the disks, like we did.
Now you need to decide whether you are going to upgrade the OS. I upgraded ours to Solaris 7, which is the highest level supported by CheckPoint. Even the new version of the firewall will not run in 64 bit mode, so you cannot use Solaris 8. If you are going to upgrade the OS, do this before anything else. If you do upgrade the OS, make sure you recreate the link for the sendmail.cf file in /etc/mail.
OK, now you are ready to start the upgrade process.
1) Download the latest Service Pack from CheckPoint and put it on a tape.
2) Save the following files to a place that can be reached while you are upgrading: objects.C, *.W files, rulebases.fws and xlate.conf. I did not save the log files because they are not readable by the new version of the Firewall, unless you push them out to a flat text file.
3) Now, if you need to, install SP6 for version 4.0.
4) reboot -- -r
5) Log in and bring up the GUI. Make sure all your rules look right. Make sure that all the networks are functioning properly.
6) Now, save the same files that you did in step #2.
7) Put the FW1 2000 CD in the drive.
8) cd /cdrom/cp2000_strong/solaris2
9) pkgadd -d .
10) Now choose the modules that you are going to install. ****NOTE**** Do not install backwards compatibility unless you manage 4.0 firewalls from the management server!!**** In my case, I chose #7 and #8 for the Firewall and the GUI. I do not reboot at this point, even though it says to.
11) Now change your root login shell environment variable to point to CPfw1 instead of the old 4.0 one.
12) Now run 'cpconfig' and answer the questions as you would a regular install. ***NOTE*** I only modify what I have to at this point. i.e. I add the Firewall and Motif licenses, I do not modify SNMP but I do make sure I answer #2 on the question that asks about allowing connections during the boot process. I do not allow any because we do not use network booting procedures. Make sure there are no errors reported during the portion when it asks you if you want to convert the files to 4.1.
13) Once you have finished with the question and answer session, reboot -- -r.
14) Bring up the GUI and make sure all your rules look right. Check to make sure that your interfaces on the firewall have the right anti-spoofing settings. They should be the same as before. Check the address translation tables in the GUI. This is where most of my problems occurred. Make sure that you have an external-net and an internal-net defined in the Network Objects window. I found that what used to work for xlate.conf no longer works for the NAT GUI. I had to modify many of the rules so that NAT did not take place while going or coming from the internal net. Then I had to modify the original rule to only translate when going to external-net. If you see packets being dropped on rule 0, you will know to look at the NAT tables.
14) You need to save the same files again that you saved in step #2.
15) Now you will need to do a 'pkgrm' on the firewall packages. Make sure you remove them in the right order. Take off the new ones first and then the older ones. Make sure you remove the GUI before the FW1 package. Make sure all the old directories are removed and there are no lingering files.
16) reboot -- -r
17) Now you have a clean system with no firewall installed.
18) Go back to the install procedure for FW1 in step #7.
19) When the firewall install is complete, put the converted files that you saved back into the $FWDIR/conf directory.
20) fwstop
21) fwstart
22) Bring up the GUI and see if you have a policy. If not, try to load one.
Well, that is what I did for all three of my firewalls. Well, I actually had to do a slightly longer version for mine. I still had version 3.0b, so I had to start my procedure with reinstalling 4.0 first.
If you have any questions, let me know. I actually learned most of this from my CCSA instructor. I can't say I like how long it takes, but I do like the fact that there were a lot fewer surprises this way.
Marc Jacquard
SR. Systems Engineer
Fujitsu America, INC.
Hilo Office
email: [EMAIL PROTECTED]
Telephone: 808-934-4103
Pager: 888-787-5814
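Steps 2, 6, 14 and 19 of the procedure above save and restore the same set of files at different stages. The following is an added example, not part of the original message: it takes a stage-labelled snapshot with a checksum manifest and reports which files changed between two stages, so the conversion in step 12 can be reviewed before step 19 puts files back. It assumes all the named files live in $FWDIR/conf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the files from step 2 all live in $FWDIR/conf,
# the directory step 19 restores to. Function names are hypothetical.
CONF_FILES="objects.C rulebases.fws xlate.conf"

# snapshot_conf STAGE DEST: copy the files to DEST/STAGE, write DEST/STAGE.cksum.
# Returns non-zero if a named file is missing or a copy fails.
snapshot_conf() {
    stage=$1; dest=$2; missing=0
    [ -n "$FWDIR" ] || { echo "FWDIR is not set" >&2; return 1; }
    src="$FWDIR/conf"
    mkdir -p "$dest/$stage" || return 1
    for f in $CONF_FILES; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dest/$stage/" || return 1
        else
            echo "snapshot_conf: $src/$f not found" >&2
            missing=1
        fi
    done
    # Policy (*.W) files; the glob stays literal when nothing matches.
    for f in "$src"/*.W; do
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/$stage/" || return 1
        fi
    done
    ( cd "$dest/$stage" && cksum * > "../$stage.cksum" ) || return 1
    return $missing
}

# changed_files STAGE_A STAGE_B DEST: list files that differ between two stages.
changed_files() {
    a="$3/$1"; b="$3/$2"
    for name in $( { ls "$a"; ls "$b"; } | sort -u ); do
        if [ ! -f "$a/$name" ]; then
            echo "added $name"
        elif [ ! -f "$b/$name" ]; then
            echo "removed $name"
        elif ! cmp -s "$a/$name" "$b/$name"; then
            echo "changed $name"
        fi
    done
}
```

For instance, run `snapshot_conf step2 /var/tmp/fw1-save` before step 3 and `changed_files step2 step14 /var/tmp/fw1-save` after the second step 14; the destination path is a constructed placeholder.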
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Carlos Infante
Sent: Thursday, October 05, 2000 10:48 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Firewall upgrading
Dear everybody,
I want to upgrade both Solaris 2.6 to Solaris 2.7 and Checkpoint 4.0 to 4.1. Which of the upgrades do I need to do first? I have one management station and two firewall modules. Will the modules (with 4.0) work properly with the management station (now running the upgraded 4.1) while I upgrade the two firewall modules?
Thanks in advance
___________________________________
Carlos Infante Bello
Network Systems Engineer
NPS, Lucent Technologies
Ronda de Valdecarrizo, 6
28760 Tres Cantos (Madrid) Spain
Tel: +34 91 807 8221
Mobile: +34 646 485 207
e-mail: [EMAIL PROTECTED]
____________________________________
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================