Check Point Upgrade Procedure from R80.20/R80.30 to R80.40


Two years ago, we wrote that every Check Point administrator sooner or later faces the question of upgrading to a new version. That article described an upgrade from R77.30 to R80.10. By the way, in January 2020 R77.30 became an FSTEC-certified version. However, a lot has changed at Check Point in 2 years. The article "Check Point Gaia R80.40. What will be new?" describes all the innovations, of which there are many. In this article, the upgrade procedure will be described in as much detail as possible.

As you know, there are 2 options for deploying Check Point: Standalone and Distributed, that is, without a dedicated management server and with one. The Distributed option is highly recommended for several reasons:

  • the load on the gateway resources is minimized;

  • you do not need to schedule a maintenance window to carry out work on the management server;

  • SmartEvent works properly, whereas it will hardly work in a Standalone deployment;

  • a cluster of gateways is strongly recommended to be built in a Distributed configuration.

Given all the benefits of a Distributed configuration, we'll look at upgrading the management server and Security Gateway separately.

Update Security Management Server (SMS)

There are 2 ways to update SMS:

  • via CPUSE (via Gaia Portal)

  • using Migration Tools (requires a clean install - fresh install)

Upgrading with CPUSE is not recommended by colleagues from Check Point, as you will not upgrade the file system version and the kernel. However, this method does not require policy migration and is much faster and simpler than the second method.

Clean installation and policy migration using Migration Tools is the recommended method. In addition to the new file system and OS kernel, it often happens that the SMS database is "clogged", and in that respect a clean installation is a great way to speed the server up.

1) The first step in any update is to create backups and snapshots. If you have a physical management server, then the backup should be done from the Gaia Portal web interface. Go to the tab Maintenance > System Backup > Backup. Next, you specify the location for saving the backup. This can be an SCP, FTP, TFTP server, or locally on the device, but then you will have to upload this backup to a server or computer later.

Figure 1. Creating a backup in Gaia Portal

2) Next, you should take a snapshot in the tab Maintenance → Snapshot Management → New. The difference between backups and snapshots is that snapshots store more information, including all installed hotfixes. However, it is better to do both.

If you have a management server installed as a virtual machine, then it is recommended to backup the virtual machine using the hypervisor's built-in tools. It's simply faster and more reliable.

Figure 2. Snapshot creation in Gaia Portal

3) Save the device configuration from the Gaia Portal. You can take screenshots of all the settings tabs in the Gaia Portal, or enter the command save configuration in clish. Then copy the resulting file to your PC using WinSCP or another client.

Figure 3. Saving the configuration to a text file

Note: if WinSCP does not allow you to connect, change the user's shell to /bin/bash, either in the web interface in the Users tab or by entering the command chsh -s /bin/bash.

Update with CPUSE

4) The first 3 steps are mandatory for any upgrade option. If you decide to follow the simpler upgrade path, then in the web interface go to the tab Upgrades (CPUSE) > Status and Actions > Major Versions > Check Point R80.40 Gaia Fresh Install and Upgrade. Right-click this package and select Verifier. Verification runs for a few minutes, after which you will see a message that the device can be upgraded. If errors are shown, they need to be corrected first.

Figure 4. Upgrade via CPUSE

5) Update to the latest version of CDT (Central Deployment Tool), a utility that runs on the management server and allows you to install updates and service packs, manage backups, snapshots, scripts and much more. An outdated CDT version can lead to upgrade problems. You can download the CDT from the link.

6) Upload the downloaded CDT archive to any directory on the SMS via WinSCP, then connect to the SMS via SSH and enter expert mode. Let me remind you that the WinSCP user must have the /bin/bash shell!

7) Enter commands: 

cd /somepathtoCDT/

tar -zxvf .tgz

rpm -Uhv --force CPcdt-00-00.i386.rpm

Figure 5. Installing the Central Deployment Tool (CDT)

8) The next step is to install the R80.40 image. Right-click the package and choose Download, then Install. Keep in mind that the upgrade takes 20-30 minutes and the management server will be unavailable for some time. Therefore, it makes sense to agree on a maintenance window.

9) All licenses and security policies are preserved, so next you should download the new SmartConsole R80.40.

10) Connect to the SMS with the new SmartConsole and install the security policies using the Install Policy button in the upper left corner.

11) Your SMS is upgraded; next you should install the latest hotfix. In the tab Upgrades (CPUSE) > Status and Actions > Hotfixes, right-click the hotfix, select Verifier, then install the update. The device will reboot by itself after installing the update.

Figure 6. Installing the latest hotfix via CPUSE

Upgrading with Migration Tools

4) First, you should also update to the latest version of CDT: points 5, 6 and 7 from the section "Update with CPUSE".

5) Install the Migration Tools package required to migrate policies from the management server. At this link you can find Migration Tools for versions R80.20, R80.20 M1, R80.20 M2, R80.30 and R80.40. You should download the Migration Tools of the version to which you want to upgrade, not the one you have now! In our case, this is R80.40.

6) Next, in the SMS web interface, go to the tab Upgrades (CPUSE) > Status and Actions > Import Package > Browse > Select the downloaded file > Import.

Figure 7. Migration Tools import

7) From the expert mode on SMS, check that the Migration Tools package is installed using the command (the command output should match the number in the Migration Tools archive name):

cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1

Figure 8. Checking the installation of Migration Tools

8) Go to the $FWDIR/scripts folder on the management server:

cd $FWDIR/scripts

9) Run the pre-upgrade verifier (verification script) with the command (if there are errors, correct them before further steps):

./migrate_server verify -v R80.40

Note: if you see an error “Failed to retrieve Upgrade Tools package”, but you checked that the archive was successfully imported (see point 4), use the command:

./migrate_server verify -v R80.40 -skip_upgrade_tools_check

Figure 9. Running the verification script

10) Export the security policies with the command:

./migrate_server export -v R80.40 / / .tgz

Figure 10. Exporting a security policy

Note: if you see an error “Failed to retrieve Upgrade Tools package”, but you checked that the archive was successfully imported (point 7), use the command:

./migrate_server export -skip_upgrade_tools_check -v R80.40 / / .tgz

11) Calculate the MD5 hash and save the output of the command for yourself:

md5sum / / .tgz

Figure 11. Calculating the MD5 hash

12) Using WinSCP, move this file to your computer.

13) Enter the command df -h and note for yourself the percentage of space used by each partition.

Figure 12. Space used by partitions on the SMS

14.1) If you have a physical SMS

14.1.1) With Isomorphic Tool a bootable USB flash drive is created with the image Gaia R80.40

14.1.2) I recommend preparing at least 2 bootable flash drives, as it happens that a flash drive is not always readable. 

14.1.3) On your computer, run isomorphic.exe as an administrator. In step 1, select the downloaded Gaia R80.40 image; in step 4, the flash drive. Do not change steps 2 and 3!

Figure 13. Creating a bootable flash drive

14.1.4) Choose the item "Install automatically without confirmation"; it is important to specify the model of your management server. For an SMS, select the 3rd or 4th line.

Figure 14. Selecting a device model for creating a bootable USB flash drive

14.1.5) Next, disconnect the uplinks, insert the USB flash drive into the USB port, connect to the device with a console cable through the COM port and power on the SMS. The installation proceeds by itself. The default IP address is 192.168.1.1/24 and the login credentials are Admin / Admin.

14.1.6) The next step is to connect to the Gaia Portal web interface (default address https://192.168.1.1), where you go through device initialization. During initialization you basically press Next, because almost all settings can be changed later. However, you can change the IP address, DNS settings and hostname right away.

14.2) If you have a virtual SMS

14.2.1) Under no circumstances should you delete the old SMS. Create a new virtual machine with the same resources (CPU, RAM, HDD) and the same IP address. By the way, you can add RAM and HDD, since R80.40 is a little more demanding. To avoid an IP address conflict, turn off the old SMS and then start installing the new one.

14.2.2) During the Gaia installation, configure the actual IP address and allocate an adequate amount of space to the Root partition. The proportions between partitions should roughly match the ones you had; use the saved df -h output.

15) When choosing the installation type ("Installation Type"), choose the first option, since most likely you do not have an MDS (Multi-Domain Server). You would have an MDS if you managed many domains from different SMS entities at the same time; in that case, choose the second option.

Figure 15. Gaia installation type selection

16) The most important point, which cannot be fixed without reinstallation, is the choice of entity. Choose Security Management and press Next. Everything else stays at the defaults.

Figure 16. Entity type selection when installing Gaia

17) Once the device reboots, connect to the web interface via https://192.168.1.1 or another IP address if you have changed it.

18) Transfer the settings from the screenshots to all the Gaia Portal tabs in which something was configured, or run the command load configuration .txt from clish. The config file must first be uploaded to the SMS.

Note: because the OS is freshly installed, WinSCP will not allow you to connect as the administrator. Change the user's shell to /bin/bash, either in the web interface in the Users tab or by entering the command chsh -s /bin/bash, or create a new user.

19) Copy the file with the policies exported from the old management server into any directory. Then go to the console in expert mode and check that the MD5 hash is the same as before. Otherwise, the export should be done again:

md5sum / / .tgz
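The hash comparison in steps 11 and 19 and the df -h capture in step 13 are easy to get wrong when done by eye, so here is a small POSIX shell helper for both. It is an added example, not code from the article or from Check Point; the "<archive>.md5" sidecar convention, the function names and the sample df -P lines are all assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the article or from Check Point tooling): record the
# MD5 of a migrate_server export on the old SMS, verify it on the new SMS
# before "migrate_server import", and pull per-mount usage out of "df -P"
# output so the partition proportions can be reproduced on the fresh install.
# The .md5 sidecar file name and the function names are assumptions.

# Write "<md5>  <file>" into <file>.md5 beside the export archive.
record_export_hash() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && md5sum "$name" > "$name.md5" )
}

# Return 0 when the archive still matches its recorded MD5, 1 otherwise.
# Run this on the new SMS after copying both the archive and its .md5 file.
verify_export_hash() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && md5sum -c "$name.md5" >/dev/null 2>&1 )
}

# Read "df -P" output on stdin and print "mount used%" per line (header
# skipped, percent sign stripped) so it can be saved to a text file.
usage_by_mount() {
    awk 'NR > 1 { sub(/%/, "", $5); print $6, $5 }'
}

# Print the mounts whose usage is at or above a threshold (default 80%).
mounts_over() {
    threshold=${1:-80}
    usage_by_mount | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Constructed sample "df -P" output (POSIX format, one line per filesystem).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current 20000000 17000000 3000000 85% /
/dev/mapper/vg_splat-lv_log 60000000 12000000 48000000 20% /var/log
/dev/sda1 300000 90000 210000 30% /boot'

# Self-check on a constructed archive in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed export payload\n' > "$tmp/export.tgz"
    record_export_hash "$tmp/export.tgz"
    verify_export_hash "$tmp/export.tgz" && echo "export.tgz: hash OK"
    # Simulate a damaged copy: even one appended byte must be caught.
    printf 'corruption' >> "$tmp/export.tgz"
    verify_export_hash "$tmp/export.tgz" || echo "export.tgz: hash MISMATCH, re-export"
    printf '%s\n' "$SAMPLE_DF" | usage_by_mount
    echo "mounts at or above 80%:"
    printf '%s\n' "$SAMPLE_DF" | mounts_over 80
    rm -rf "$tmp"
}

demo
```

On the real servers you would call record_export_hash on the old SMS right after migrate_server export, copy the archive together with its .md5 file, and let verify_export_hash decide whether step 21 may proceed; usage_by_mount takes the live output of df -P instead of the constructed sample.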

20) Repeat step 6 and install Upgrade Tools on the new SMS in Gaia Portal in the tab Upgrades (CPUSE) > Status and Actions.

21) Enter the command in expert mode:

./migrate_server import -v R80.40 -skip_upgrade_tools_check / / .tgz

Figure 17. Importing a security policy to a new SMS

22) Enable services with the command cpstart.

23) Download the new SmartConsole R80.40 and connect to the management server. Go to Menu > Manage Licenses and Packages (SmartUpdate) and check that the license has been preserved.

Figure 18. Checking installed licenses

24) Install the security policy on the gateway or cluster (Install Policy).

Security Gateway (SG) Update

The Security Gateway can be upgraded via CPUSE in the same way as the management server, or reinstalled (fresh install). In my practice, in 99% of cases everyone reinstalls the Security Gateway, because it takes almost the same time as upgrading via CPUSE but you get a clean, up-to-date OS without bugs.

As with the SMS, you first need to create a backup and snapshot and save the settings from the Gaia Portal. Refer to points 1, 2 and 3 in the section "Update Security Management Server".

Update with CPUSE

Updating the Security Gateway through CPUSE is exactly the same as updating the Security Management Server, so please refer to the beginning of the article.

Important point: the SG upgrade requires a reboot! Therefore, carry out the upgrade in a maintenance window. If you have a cluster, upgrade the passive node first, then switch roles and upgrade the other node. In the case of a cluster, a maintenance window can be avoided.

Installing a new OS version on the Security Gateway

1.1) If you have a physical SG

1.1.1) With Isomorphic Tool a bootable USB flash drive is created with the image Gaia R80.40. The image is the same as on SMS, but the procedure for creating a bootable flash drive looks a little different.

1.1.2) I recommend preparing at least 2 bootable flash drives, as it happens that a flash drive is not always readable. 

1.1.3) On your computer, run isomorphic.exe as an administrator. In step 1, select the downloaded Gaia R80.40 image; in step 4, the flash drive. Do not change steps 2 and 3!

Figure 19. Creating a bootable flash drive

1.1.4) Choose the item "Install automatically without confirmation"; it is important to specify the model of your Security Gateway, lines 2 or 3. If this is a physical sandbox (SandBlast Appliance), then select line 5.

Figure 20. Selecting a device model for creating a bootable USB flash drive

1.1.5) Next, disconnect the uplinks, insert the USB flash drive into the USB port, connect to the device with a console cable through the COM port and power on the gateway. The installation proceeds by itself. The default IP address is 192.168.1.1/24 and the login credentials are Admin / Admin. The passive node should be upgraded first; then install a policy on it, switch roles and upgrade the other node. You will most likely need a maintenance window.

1.1.6) The next step is to connect to the Gaia Portal web interface, where you go through the first initialization of the device. During initialization you basically press Next, because almost all settings can be changed later. However, you can change the IP address, DNS settings and hostname right away.

1.2) If you have a virtual SG

1.2.1) Create a new virtual machine with the same resources (CPU, RAM, HDD) or more, as R80.40 is slightly more demanding. To avoid an IP address conflict, turn off the old gateway and start installing the new one with the same IP address. The old SG can be safely deleted, since there is nothing valuable on it: the most important thing, the security policy, is located on the management server.

1.2.2) During the OS installation, configure the current IP address and allocate an adequate amount of space to the Root partition.

3) Connect to the gateway over HTTPS and start the initialization process. When choosing the installation type ("Installation Type"), select the first option: Security Gateway and/or Security Management.

Figure 21. Gaia installation type selection

4) The most important point is the choice of entity (Products). Choose Security Gateway and, if you have a cluster, check the box "Unit is a part of a cluster, type: ClusterXL". If you have a VRRP cluster, choose that type instead, but this is unlikely.

Figure 22. Entity type selection when installing Gaia

5) In the next step, set the SIC one-time password used to establish trust with the management server. Using this password a certificate is generated, and the management server will then communicate with the gateway over an encrypted channel. The checkbox "Connect to your Management as a Service" should be set if the management server is in the cloud. We recently wrote an article about how convenient and simple cloud management is.

Figure 23. Creating a SIC

6) Start the initialization process on the next tab. As soon as the device reboots, connect to the web interface and transfer the settings from the screenshots to all Gaia Portal tabs in which something was configured, or run the command load configuration .txt from clish. The config file must first be uploaded to the Security Gateway.

Note: because the OS is freshly installed, WinSCP will not allow you to connect as the administrator. Change the user's shell to /bin/bash, either in the web interface in the Users tab or by entering the command chsh -s /bin/bash, or create a new user with this shell.

7) Open SmartConsole R80.40 and open the Security Gateway object you have just reinstalled. Go to the tab General Properties > Communication > Reset SIC and enter the password set in step 5.

Figure 24. Establishing trust with a new Security Gateway

8) The Gaia version of the object should change; if it does not, change it manually. Then install the policy on the gateway.

9) In the Gaia Portal, go to the tab Upgrades (CPUSE) > Status and Actions > Hotfixes and install the latest hotfix. The device will reboot during installation!

10) In the case of a cluster, change the roles of the nodes and do the same steps for the other node.

Conclusion

I tried to make the most understandable and comprehensive guide for upgrading from R80.20 / R80.30 to the current R80.40 version, as a lot has changed. Gaia R81 has already appeared in demo mode, but the upgrade procedure is more or less identical. Guided by the official guide from Check Point, you can figure out all the intricacies yourself.

For any questions, you can contact us. We will be happy to help with the most complex upgrades and cases as part of our CPSupport technical support. You can also order an audit of your Check Point settings on our website, or leave a free application for a technical case.

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com
