Upgrading Check Point from R77.30 to R80.20


At the end of 2019, Check Point stopped supporting the R77.XX versions, and it was time to upgrade. Much has already been said about the differences between the versions and about the pros and cons of moving to R80. Let's talk about how to actually upgrade Check Point virtual appliances (CloudGuard for VMware ESXi, Hyper-V, KVM Gateway NGTP) and what can go wrong.

So, we had 2 CCSE engineers, more than a dozen Check Point R77.30 virtual clusters, several clouds, a few hotfixes and a whole sea of assorted bugs, glitches and all that, of every kind and size, and also very tight deadlines. Let's go!

Contents:

Preparation
Upgrading the management server
Upgrading the cluster

Figure: a typical customer cloud infrastructure with a virtual Check Point.

Preparation

The first step is to check whether there are enough resources for the upgrade. The recommended minimum requirements for R80.20 currently look like this:

    Device            CPU      RAM   HDD
    Security Gateway  2 cores  4 GB  from 15 GB
    SMS               2 cores  6 GB  -

The recommendations are described in the document CP_R80.20_GA_Release_Notes.

But let's be realistic. This is enough for the most minimal configuration, but in practice we usually have HTTPS inspection enabled, SmartEvent running on the SMS, and so on, which of course requires entirely different capacity. In general, though, no more than for R77.30.

But there are nuances. They relate, first of all, to the amount of physical storage. Many operations during the upgrade will require hard disk space.

For the management server, the amount of free disk space needed depends heavily on the volume of current logs (if we want to keep them) and on the number of saved Database Revisions, even though we will no longer need them in large quantities. Of course, for a cluster node (unless you also store logs locally) none of this matters. Here is how to check whether you have the space you need:

  1. Connect to the Smart Management Server over SSH, switch to expert mode and enter the command:

    [Expert@cp-sms:0]# df -h

  2. The output looks something like this:

    Filesystem                       Size  Used Avail Use% Mounted on
    /dev/mapper/vg_splat-lv_current   30G  7.4G   21G  27% /
    /dev/sda1                        289M   24M  251M   9% /boot
    tmpfs                            2.0G     0  2.0G   0% /dev/shm
    /dev/mapper/vg_splat-lv_log      243G  177G   53G  78% /var/log

  3. Here we are interested in the /var/log partition.

Please note that, depending on the policy for storing and deleting old files and on the size of the exported database, additional space may be required. If, while the archive is being created, there is less free space than the log file retention policy specifies, the system will start deleting old logs and will NOT include them in the archive.

In addition, the upgrade process itself requires at least 13 GB of unallocated hard disk space. You can check for it with the command:

    [Expert@cp-sms:0]# pvs

We will see something like this:

    PV         VG       Fmt  Attr PSize   PFree
    /dev/sda3  vg_splat lvm2 a-   141.69G 43.69G

In this case we have 43 GB. There are enough resources. You can start the upgrade.
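Both space checks can be scripted so they are repeated, unchanged, right before the upgrade starts. The following is an added example, not code from the original article: the function names, the 40 GB figure for /var/log and the embedded sample output are constructed for illustration, and only the 13 GB threshold comes from the text above.

```shell
#!/bin/sh
# Pre-upgrade space check for a Gaia management server (added example).
NEED_VG_GB=13   # unallocated volume-group space the upgrade needs (from the article)

# Sum the PFree column of `pvs` output (stdin) and print whole GB.
# Handles the K/M/G/T suffixes that pvs prints by default.
pv_free_gb() {
    awk '$1 ~ /^\/dev\// {
        v = $NF; u = toupper(substr(v, length(v))); n = v + 0
        if (u == "K") n /= 1048576
        else if (u == "M") n /= 1024
        else if (u == "T") n *= 1024
        total += n
    } END { printf "%d\n", total }'
}

# Print the space available on mount point $1, in whole GB, from `df -Pk`
# output (stdin). -P keeps each filesystem on one line even when the device
# name is long (/dev/mapper/...), which plain `df -h` may wrap.
mount_avail_gb() {
    awk -v mp="$1" '$NF == mp { printf "%d\n", $4 / 1048576 }'
}

# preflight DF_TEXT PVS_TEXT NEED_LOG_GB -> 0 if both checks pass, 1 otherwise.
preflight() {
    pf_log=$(printf '%s\n' "$1" | mount_avail_gb /var/log)
    pf_vg=$(printf '%s\n' "$2" | pv_free_gb)
    pf_rc=0
    [ "${pf_log:-0}" -ge "$3" ] || { echo "FAIL /var/log: ${pf_log:-0} GB free, need $3 GB"; pf_rc=1; }
    [ "$pf_vg" -ge "$NEED_VG_GB" ] || { echo "FAIL unallocated: $pf_vg GB, need $NEED_VG_GB GB"; pf_rc=1; }
    [ "$pf_rc" -eq 0 ] && echo "OK: /var/log ${pf_log} GB free, ${pf_vg} GB unallocated"
    return "$pf_rc"
}

# Constructed sample output, sized like the listings in the article.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current 31457280 7759462 22020096 27% /
/dev/mapper/vg_splat-lv_log 254803968 185597952 55574528 78% /var/log'
SAMPLE_PVS='  PV         VG       Fmt  Attr PSize   PFree
  /dev/sda3  vg_splat lvm2 a-   141.69G 43.69G'

# 40 GB is an assumed size for the export archive plus working space.
preflight "$SAMPLE_DF" "$SAMPLE_PVS" 40
# On a live system: preflight "$(df -Pk)" "$(pvs)" 40
```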

Upgrading the Check Point SMS management server

Before starting work, do the following:

  1. Install the Migration Tools package on the management server. To do this, download the image from the Check Point portal.
  2. Upload the archive to the management server via WinSCP into the folder /var/log/UpgradeR77.30_R80.20 (create the folder first if necessary).
  3. Connect to the management server over SSH and go to the folder with the archive: cd /var/log/UpgradeR77.30_R80.20/
  4. Unpack the file: tar -zxvf ./<file name>.tgz
  5. Run the pre_upgrade_verifier utility with the command: ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80.20
  6. When the command completes, a report on incompatible settings is generated. It is located at: /opt/CPsuite-R77/fw1/log/pre_upgrade_verification_report.(xls, html, txt). It is convenient to download it via SCP and view it in a browser.
    To fix any incompatible settings, use SK117237.
  7. Then run the pre_upgrade_verifier utility again to make sure that all causes of incompatibility have been removed.
  8. Next, collect information about the network interfaces and the routing table, and export the GAIA configuration (the second and third commands append, so that each one does not overwrite the previous output):
    ip a > /var/log/UpgradeR77.30_R80.20/cp-sms-config.txt
    ip r >> /var/log/UpgradeR77.30_R80.20/cp-sms-config.txt
    clish -c "show configuration" >> /var/log/UpgradeR77.30_R80.20/cp-sms-config.txt
  9. Download the resulting file via SCP.
  10. Take a snapshot at the virtualization level.
  11. Increase the SSH session timeout to 8 hours. How long you need depends on your luck: depending on the size of the exported database, the export can take from several minutes to several hours. To do this:
    [Expert@HostName]# clish -c "show inactivity-timeout"    (check the current timeout)

    [Expert@HostName]# clish -c "set inactivity-timeout 720"    (set the new timeout, in minutes)

    [Expert@HostName]# echo $TMOUT    (check the current expert-mode timeout)

    [Expert@HostName]# export TMOUT=3600    (set the new expert-mode timeout, in seconds; if you set the value to 0, the timeout is disabled)

  12. Download the SMS.iso installation image and mount it to the virtual machine.

    Before the next step, BE SURE to double-check that you have enough unallocated space on your hard drive (remember, you need 13 GB).

  13. Before starting the configuration export, switch the log file with the command: fw logswitch

Exporting the configuration and logs

  1. Run the migrate_export utility to export the settings. To do this, go to the previously created folder: cd /var/log/UpgradeR77.30_R80.20/ and run the command: ./migrate export -l /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz

    or

    go to the folder: cd $FWDIR/bin/upgrade_tools/ and
    run the command from there: ./migrate export -l /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz

  2. Take the checksum of the archive: md5sum /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz
  3. Save the resulting value in a notepad.
  4. Connect to the SMS via SCP and download the configuration archive to the workstation. Be sure to transfer the file in binary mode.

Exporting the SmartEvent database

Here we need a pre-installed SMS of version R80. Any test one will do.

  1. From that SMS we need the script located at: $RTDIR/bin/eva_db_backup.csh
  2. Upload the eva_db_backup.csh script via SCP to the folder: /var/log/UpgradeR77.30_R80.20/
  3. Connect to the SMS over SSH. Copy the file to the folder: cp /var/log/UpgradeR77.30_R80.20/eva_db_backup.csh $RTDIR/bin/eva_db_backup.csh
  4. Change the encoding: dos2unix $RTDIR/bin/eva_db_backup.csh
  5. Set the owner: chown -v admin:root $RTDIR/bin/eva_db_backup.csh
  6. Add permissions: chmod -v 0755 $RTDIR/bin/eva_db_backup.csh
  7. Start the SmartEvent database export: $RTDIR/bin/eva_db_backup.csh
  8. Download the resulting files via SCP: $RTDIR/bin/<date>-db-backup.backup and $RTDIR/bin/eventiaUpgrade.tar to the workstation.

Upgrade

  1. Go to the GAIA WebUI of the SMS → CPUSE → Show all packages.
  2. If CPUSE reports an error connecting to the Check Point cloud, check the DGW, DNS and Proxy settings.
  3. If everything is correct and the error persists, update CPUSE manually, following sk92449.
  4. Download the image and run the Verifier. If necessary, resolve the incompatibilities.

    As a result, you should see this message:

    [Screenshot: CPUSE Verifier result]

  5. Select R80.20 Fresh Install and Upgrade for Security Management.
  6. When installing the update, choose Clean Install. After installation, the system will reboot.
  7. Go through the First Time Wizard.
  8. After gaining access, check the accounts.
  9. Connect to the SMS over SSH and change our user's shell to /bin/bash:

    set user <username> shell /bin/bash

    save config (if we want to keep /bin/bash as the default shell after a reboot).

  10. Next, connect to the SMS via SCP and upload the configuration archive SMS_w_logs_export_r77_r80.tgz in binary mode to the folder /var/log/UpgradeR77.30_R80.20/
  11. Take the checksum of the archive: md5sum /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz and compare it with the earlier value. The checksums must match.
  12. Increase the SSH session timeout to 8 hours. To do this:

    [Expert@HostName]# clish -c "show inactivity-timeout"    (check the current timeout)

    [Expert@HostName]# clish -c "set inactivity-timeout 720"    (set the new timeout, in minutes)

    [Expert@HostName]# echo $TMOUT    (check the current expert-mode timeout)

    [Expert@HostName]# export TMOUT=3600    (set the new expert-mode timeout, in seconds; if you set the value to 0, the timeout is disabled)

  13. To import the settings, run the migrate import utility. To do this, go to the folder: cd $FWDIR/bin/upgrade_tools/ and run the import: ./migrate import -l /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz

Let's enjoy life for the next two hours. DO NOT CLOSE YOUR SSH SESSION during the process. At the end, the migration procedure displays a success or error message.
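The checksum taken after the export and compared by hand before the import can be stored next to the archive and checked mechanically. The following is an added example, not part of the original article: the function names and the .md5 sidecar file are assumptions, and the demo archive is constructed.

```shell
#!/bin/sh
# Integrity check for a migrate export archive around an SCP/WinSCP transfer
# (added example; function names and the .md5 sidecar file are assumptions).

# seal_archive FILE: run on the source SMS right after the export.
# Writes FILE.md5 beside the archive so the digest travels with it.
seal_archive() {
    ( cd "$(dirname "$1")" && md5sum "$(basename "$1")" > "$(basename "$1").md5" )
}

# verify_archive FILE: run on the target SMS before the import.
# 0 = digest matches and the gzip stream is complete
# 1 = archive differs from what was sealed, or was already damaged when sealed
# 2 = no sidecar digest to compare against
verify_archive() {
    va_dir=$(dirname "$1"); va_name=$(basename "$1")
    [ -s "$va_dir/$va_name.md5" ] || { echo "no digest file for $va_name"; return 2; }
    ( cd "$va_dir" && md5sum -c "$va_name.md5" >/dev/null 2>&1 ) ||
        { echo "digest mismatch: $va_name (re-transfer in binary mode)"; return 1; }
    # A matching digest only proves the copy equals the original. gzip -t also
    # catches an export that was cut short on the source, e.g. by a full disk.
    gzip -t "$1" 2>/dev/null || { echo "gzip stream damaged: $va_name"; return 1; }
    echo "OK: $va_name"
}

# Constructed demo: a tiny stand-in archive, sealed and verified in place.
demo_dir=$(mktemp -d)
printf 'constructed sample\n' > "$demo_dir/policy.txt"
tar -czf "$demo_dir/export.tgz" -C "$demo_dir" policy.txt
seal_archive "$demo_dir/export.tgz"
verify_archive "$demo_dir/export.tgz"
```

md5sum is used because it is the tool the procedure already relies on; it detects transfer corruption, not deliberate tampering with both the archive and its digest.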

Post-upgrade checklist

  1. Availability of objects.
  2. SIC with the GW.
  3. Licenses. If licenses are displayed incorrectly or are not displayed on the SMS, run the vsec_central_license command to distribute the licenses.
  4. Policy installation.

Importing the SmartEvent database

  1. Enable the SmartEvent blade.
  2. Connect to the SMS via WinSCP and upload the previously exported files <date>-db-backup.backup and eventiaUpgrade.tar in binary mode to the folder /var/log/UpgradeR77.30_R80.20/
  3. Run the script with the command: $RTDIR/bin/eventiaUpgrade.sh -upgrade /var/log/UpgradeR77.30_R80.20/eventiaUpgrade.tar
  4. Check the status: watch -n 10 eventiaUpgrade.sh
  5. Check the logs in SmartEvent. Done!

Upgrading the Check Point GW cluster (Active/Standby configuration)

Before starting work

  1. Save the GAIA configuration from each cluster node to a file; to do this, use the command: clish -c "show configuration" > ./<File name>.txt
  2. Download the files using WinSCP.
  3. Connect to the WebUI of each node and go to the tab CPUSE → Show all packages.
  4. Find the upgrade package for version R80.20 Fresh Install and press Download.
  5. Check that the CCP protocol is running in Broadcast mode; to do this, enter the command: cphaprob -a if
    If Multicast mode is selected, change it with the command: cphaconf set_ccp broadcast (the command is executed on each node).
  6. Set Downtime for the affected nodes in your monitoring system.
  7. Check that the MAC Address Changes and Forged Transmits parameters are enabled at the virtualization level for the sync network.

Upgrade

  1. Connect over ssh to the Active node and run the command that monitors the cluster state: watch -n 2 cphaprob stat
  2. Return to the WebUI of the Standby node, CPUSE tab, and launch the Verifier for the selected R80.20 Fresh Install package.
  3. Review the Verifier report. If installation is allowed, proceed.
  4. Select the R80.20 Fresh Install package and start the Upgrade. During the upgrade, the system will reboot. GAIA settings are preserved. During the reboot, we watch the cluster state. After booting, the state of the upgraded node should change to READY. In several cases we ran into a moment when the node that had not yet been upgraded switched to the Active Attention state and stopped showing the state of the upgraded node. Don't panic: this outcome is acceptable too.
  5. When the upgrade is complete, open SmartDashboard.
  6. Open the cluster object and change the cluster version from R77.30 to R80.20. Click OK. If an error appears when saving the changes:
    An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation),
    follow SK119973. After that, save the changes and click Install Policy.
  7. In the settings, uncheck the option For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
  8. Install the policy. The system will report an error for the Active node that has not yet been upgraded.
  9. Connect to the upgraded node over ssh and run the command that monitors the cluster state: watch -n 2 cphaprob stat
  10. Connect to the WebUI of the Active node and go to the tab CPUSE → Show all packages. Find the upgrade package for version R80.20 Fresh Install and click Download.
  11. Set Downtime for the affected nodes in your monitoring system.
  12. Return to the WebUI of the Active node, CPUSE tab, and launch the Verifier for the selected R80.20 Fresh Install package.
  13. Review the Verifier report. If installation is allowed, proceed.
  14. Select the R80.20 Fresh Install package and start the Upgrade. During the upgrade, the system will reboot. GAIA settings are preserved. During the reboot, we watch the cluster state on the node that has already been upgraded. After the reboot, the cluster state on the upgraded node will change from READY to ACTIVE.
  15. When the upgrade is complete, open SmartDashboard and install the policy.

Post-upgrade checklist

  • Event logs in SmartLog, VPN tunnel status.
  • GAIA settings.
  • Cluster recovery after a test failover.
  • Licenses and contracts. If licenses are displayed incorrectly or are not displayed on the SMS, run the vsec_central_license command to distribute the licenses.
  • CoreXL.
  • SecureXL.
  • Hotfix and CPinfo on both nodes.

Conclusion

In general, that's all for now: you are upgraded.

For us, the whole procedure took on average from 6 to 12 hours, depending on the size of the exported databases. The work was done over two nights: one for upgrading the SMS, the second for the cluster.

There was no traffic downtime, even though we ran into all of the errors mentioned above ourselves.

Of course, new problems can sometimes arise during an upgrade, but this is Check Point, and as we all know, there is always a hotfix!

Happy black-and-pink nights and upgrades!

Source: www.habr.com
