fir3net
PPS-Firenetbanner-780.5x190-30-03-17

Upgrading a CheckPoint Manager from R65.4 to R7x

NGX R65 HFA40 is a standard HFA and can be installed both on Security Gateways and on SmartCenter servers.
R65.4 is a Management-based package that in addition to NGX R65 HFA40, also contains various new features and plug-ins.
Upgrading from R65.4 can present some significant issues, due the release being a dead end. You will therefore need to consider the below options before moving forward with the upgrade.

Upgrading to R70

The following is taken from the release notes for R70:

  • Check Point Suite Products before version NGX R60 cannot be upgraded to R70.
  • NGX R65.4 cannot be upgraded to R70.
  • When upgrading NGX R65, only the following plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in will cause the upgrade process to fail.

Note : We have found that you can move to R70 from R65.4, but you have to do the following: R65.4 > R65 > R70. This involves removing all traces of R65.4 – including some elements that are not covered in the standard uninstall.

Upgrade Procedure (R70)

1. Before upgrading, run the following command on the manager to delete a problematic soft link:

rm -f /opt/CPsuite-R65/fw1/PA/conf/PA/PA

2. Take an upgrade_export of the existing config.
3. Backup the networking from the device (Interfaces, default gateway, and routes).
4. Uninstall R65.4 using the uninstall utility:

/opt/CPUninstall/R65.4/UnixInstallScript –u

Sample Output :

***********************************************************
Welcome to Check Point NGX R65.4 Uninstall Utility
***********************************************************

Installation Application is about to stop all Check Point Processes.
Do you wish to continue (y/n) [y] ? y
stopping Check Point Processes...
Uninstalling Connectra NGX R66 management plug-in package...Done!
Uninstalling Connectra NGX R66 management Compatibility package...Done!
Uninstalling VPN-1 NGX R65.2.100 management plug-in package...Error!
Uninstalling VPN-1 NGX R65 with Messaging Security management plug-in hotfix package...Done!
Uninstalling VPN-1 NGX R65 with Messaging Security management plug-in package...Done!
Uninstalling SmartProvisioning NGX R65.4 management plug-in package...Done!
Uninstalling VPN-1 Power VSX NGX R65 management plug-in package...Done!
Uninstalling VPN-1 Power VSX NGX R65 management Compatibility package...Done!

************************************************************************

Package Name                                                    Status
Connectra NGX R66 management plug-in                            Succeeded
Connectra NGX R66 management Compatibility                      Succeeded
VPN-1 NGX R65.2.100 management plug-in                          Failed
VPN-1 NGX R65 with Messaging Security management plug-in hotfix Succeeded
VPN-1 NGX R65 with Messaging Security management plug-in        Succeeded
SmartProvisioning NGX R65.4 management plug-in                  Succeeded
VPN-1 Power VSX NGX R65 management plug-in                      Succeeded
VPN-1 Power VSX NGX R65 management Compatibility                Succeeded

************************************************************************

Note: This will remove most of the elements that you need to remove, however you will still need to remove the VOIP plugin if install (check using “fwm ver”).

5. To remove the VOIP plugin, you must first run the verifier to ensure that there are no VOIP objects being used in the Rule base. To do this, run the following:

/opt/CPPIvoip-R65/bin/plugin_preuninstall_verifier

6. You will need to remove, or change the objects reported in this verifier before you move on. You cannot remove the VOIP plugin until this verifier reports back blank.
7. Once the report is blank run the following:

/opt/CPPIvoip-R65/bin/plugin_uninstall

8. Check the un-install using “fwm ver” – and it should read R65 flat.
9. You can now run through the normal R70 upgrade, using the file “Check_Point_R70_CD1.Splat.iso”, and the following:

mount –o loop [path to iso] /mnt/cdrom ; cd /mnt/cdrom
patch add cd

GUI Issues

If the GUI fails to startup after the upgrade you may need to run the following if fwm is failing after a few seconds:

1. Run cpstop.
2. Delete the following files:

$FWDIR/conf/applications.C
$FWDIR/conf/applications.C.backup
$FWDIR/conf/CPMILinksMgr.db
$FWDIR/conf/CPMILinksMgr.db.private

3. Reboot.

Upgrading to R71

The following is taken from the release notes for R71:

  • To upgrade Check Point Suite Products before version NGX R65 to R71, you must first upgrade to NGX R65 and then to R71.
  • NGX R65.4 cannot be upgraded to R71.
  • When upgrading NGX R65, only the following plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in will cause the upgrade process to fail.

To upgrade R65.4 to R71, you will need to run the following:

  1. Remove R65.4 as per the above procedure.
  2. Remove the VOIP plug in.
  3. Upgrade to R70.
  4. Then upgrade to R71 using the Check Point CD.

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001