The Upgrade Guide - Check Point Software


The Upgrade Guide
NG with Application Intelligence (R55)

IMPORTANT
Check Point recommends that customers stay up-to-date with the latest service packs and versions of security products, as they contain security enhancements and protection against new and changing attacks.

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com/kb/

See the latest version of this document in the User Center: uments/docs r55.html

Part Number 700724
November 2003

© 2003-2004 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 6,496,935, 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided "as is" without express or implied warranty.

Copyright Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software covered by the GNU General Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com
International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

Table of Contents

Chapter 1  Introduction to the Upgrade Process
  Before You Begin 11
  Upgrading Successfully 12

Chapter 2  Planning Your Upgrade
  Recommended Upgrade Flows 13
  Deployments 13

Chapter 3  SmartCenter Upgrade
  Before You Begin 17
  Terminology 17
  Tools 18
  Built in Safety Measures and Tips 18
  Planning SmartCenter Upgrades 19
  Select the Basic or the Advanced Upgrade Method 19
  Maintaining Backward Compatibility 20
  SecurePlatform 20
  backup 20
  Syntax 20
  Parameters 21
  Using the "Patch" Utility to Upgrade Itself 21
  Using TFTP 21
  Not Using TFTP 21
  Upgrading SecurePlatform via the Patch Utility 22
  Using the CD 22
  Without the CD 22
  Basic SmartCenter Upgrade Procedure 23
  Basic Upgrade Steps 23
  Advanced SmartCenter Upgrade 24
  Motivations for Performing Advanced Upgrade 24
  Selecting a Manual Upgrade or an Automatic Upgrade 25
  Advanced Upgrade Steps 26
  Tools for Upgrading SmartCenters 27
  Pre-Upgrade Verification 27
  Action Items before the Upgrade 29
  Action Items after the Upgrade 29
  Information Messages 29
  Advanced Upgrade on a Spare Machine Using the Command Line Interface 30
  Export and Import Commands 32
  SecurePlatform's Update Utility 32
  Upgrading to a Different IP Address or Domain Name 33
  Notes, Exceptions and Limitations 37
  After Performing an Advanced Upgrade 37
  Upgrading with Management High Availability 38

Chapter 4  Check Point Gateway Upgrades
  Before You Begin 39
  Terminology 39
  Tools for Gateway Upgrades 40
  Planning a Check Point Gateway Upgrade 40
  SecurePlatform 40
  Upgrading to Windows 2003 Server from pre-2003 Server 40
  Upgrading Modules with SecurePlatform 41
  backup 41
  Syntax 41
  Parameters 41
  Using the "Patch" Utility to Upgrade the "Patch" Utility Itself 42
  Using TFTP 42
  Not Using TFTP 42
  Upgrading SecurePlatform via the Patch Utility 42
  Using the CD 42
  Without the CD 43
  Using TFTP 43
  Without TFTP 43
  Using SmartUpdate to Upgrade SecurePlatform 43
  Upgrading Check Point Gateways with SmartUpdate 44
  Prerequisites for SmartUpdate Upgrade 44
  Requirements for Upgrading Gateways from Version 4.1 SP2 44
  Requirements for Upgrading Gateways from NG 44
  Configuring the SmartCenter Server so that you can use SmartUpdate 44
  Using SmartUpdate to Add Products to the Product Repository 45
  Using SmartUpdate to Upgrade Remote Check Point Gateways 45
  Updating All Products on a Check Point Gateway 45
  Using SmartUpdate to Upgrade IPSO 46
  Upgrading a Single Product on a Check Point Gateway 46
  Upgrading Check Point Gateways In Place 47
  First Upgrade your Operating System 47
  Special Considerations for Manual Check Point Gateway Upgrade 47
  Configuring OPSEC for Check Point Gateways 47
  Automatic Update 48
  Manual Update 49

Chapter 5  ClusterXL Upgrade
  Before You Begin 51
  Terminology 51
  Tools for Gateway Upgrades 52
  Planning a Cluster Upgrade 52
  Working with a Mixed Cluster 53
  Upgrading OPSEC Certified Third Party Cluster Products 53
  Performing a Minimal Effort Upgrade on a ClusterXL Cluster 53
  Performing a Zero Down Time Upgrade on a ClusterXL Cluster 54
  Supported Modes 54
  Planning your Zero Down Time Upgrade 54
  Upgrade All But One of the Cluster Members 54
  Upgrade the Final Cluster Member 56
  Performing a Full Connectivity Upgrade on a ClusterXL Cluster 57
  Understanding a Full Connectivity Upgrade 57
  Supported Modes 57
  Terminology 57
  Pre-Requisite for using the Full Connectivity Upgrade 57
  Full Connectivity Upgrade Limitations 57
  Implementing a Full Connectivity Upgrade 59
  Upgrading a cluster with 2 members 59
  Upgrading a cluster with 3 or more members 59
  Monitoring the Full Connectivity Upgrade 60
  Reverting to Old Version of SVN Foundation, FireWall-1 or FloodGate-1 61
  Nokia - Safely Removing NG 61
  Other Product Roll Backs 62

Chapter 6  SmartView Reporter Upgrade
  Before you begin 63
  Terminology 63
  Tools 64
  How to back up your reports 64
  How to stop log consolidator 64
  How to backup the database 65
  How to re-establish SIC between SmartCenter and SmartView Reporter 65
  Safety 66
  Planning 66
  Performing a Basic SVR Upgrade 66
  Stand Alone configuration 66
  Distributed configuration 67
  Performing an Advanced Upgrade 67
  General notes on advanced upgrade 67
  Standalone configuration 68
  Distributed configuration 68
  More Upgrade Configurations 69
  Advance upgrade from one version of NG with Application Intelligence to another 69
  Upgrade SmartCenter but leave SmartView Reporter in a previous version 69
  NG with Application Intelligence (R54) 69
  NG FP3 69
  Upgrading the SQL Database 70

Chapter 7  Log Server Upgrade
  Log Server Upgrades 73
  SecurePlatform 73

Chapter 8  Upgrading SmartLSM
  Before You begin 75
  Terminology 75
  Tools 76
  Export 76
  LSM CLI 76
  Safety 76
  Planning 76
  Upgrade your ROBO Gateways 76
  Adding a ROBO Gateway Upgrade Package to the SmartUpdate Package Repository 77
  Upgrading a ROBO Gateway Using SmartLSM 77
  Upgrading a VPN-1 Express/Pro ROBO Gateway 77
  Full Upgrade 78
  Specific Install 78
  Upgrading a VPN-1 Edge ROBO Gateway 79
  Upgrading a VPN-1 ROBO Gateway Using the LSM CLI 79
  Upgrading a VPN-1 Express/Pro ROBO Gateway Using the LSM CLI 79
  Upgrading a VPN-1 Edge ROBO Gateway Using the LSM CLI 81
  Using the LSMcli in Scripts 81
  Upgrading a VPN-1 Express/Pro ROBO Gateway In Place 82

Chapter 9  Upgrading Provider-1
  Introduction 83
  Scope 83
  Before You Begin 83
  Supported Platforms 84
  Supported Versions for Upgrade 84
  Summary of Sections in this Chapter 85
  Provider-1/SiteManager-1 Upgrade Tools 85
  Pre-Upgrade Verifiers and Fixing Utilities 85
  Installation Script 86
  Pre-Upgrade Verification Only 87
  Upgrade 87
  Backup 87
  cma migrate 87
  Usage 88
  Example 88
  migrate assist 89
  Usage 89
  Example 90
  migrate global policies 90
  Usage 90
  Backup and Restore 91
  mds backup 91
  Usage 92
  mds restore 92
  Usage 92
  Provider-1/SiteManager-1 Upgrade Practices 92
  In-place Upgrade 92
  Upgrading your Operating System 93
  Replicate and Upgrade 93
  Gradual Upgrade on the same machine - Version 4.1 94
  Preparations 94
  Gradually Upgrading the Primary MDS 95
  Upgrade Steps 96
  Gradually Upgrading Additional MDSes 97
  Gradual Upgrade to Another Machine 98
  Upgrade steps 99
  Gradual Upgrade with Global VPN Considerations 99
  Migrating from Stand Alone installation to CMA 100
  Terminology 100
  An Overview of the Stand Alone Installation to CMA Migration Procedure 101
  From a Version 4.1 Installation 102
  From NG (All Feature Pack) Installation 106
  Upgrading in a Multi MDS Environment 109
  Pre-Upgrade Verification and Tools 109
  Upgrading a Version 4.1 System with an Additional MDS 109
  Upgrading an NG with Application Intelligence Multi-MDS System 110
  MDS High Availability 110
  Before the Upgrade 110
  CMA High Availability 111
  Restoring your Original Environment 111
  Before the Upgrade 111
  Restoring your original environment 111
  Renaming Customers 112
  Identifying Non-Compliant Customer Names 112
  High-Availability Environment 112
  Automatic Division of Non-compliant Names 112
  Resolving the Non-compliance 113
  Additional options menu 113
  High-Availability 114
  Advanced Usage 114
  Changing MDS IP address and External Interface 115
  IP Address Change 115
  Interface Change 115

Appendix A  Behavioral Changes in FireWall-1
  Introduction to Behavioral Changes in FireWall-1 117
  Behavioral Changes In Stateful Inspection 118
  TCP Connection reuse 118
  Section Summary 118
  Version 4.1 SP5 Solution 118
  NG with Application Intelligence Solution 119
  TCP Connection Establishment (three-way handshake) 119
  TCP Sequence Verification 120
  Connections Recovery After Policy Installation 121
  First TCP Packet 122
  Stateless Checks 124
  Default session timeouts 125
  Section Summary 125
  Behavioral Changes in NAT 126
  Improvements in HIDE NAT Address 126
  Version 4.1 SP5 Solution 126
  NG with Application Intelligence Solution 126
  IP Pools 127
  Version 4.1 SP5 Solution 127
  NG with Application Intelligence Solution 127
  Transparent Server Connection (under NAT) 127
  Improvements in Static NAT 128
  New NAT properties in FireWall-1 NG 128
  Allow Bidirectional NAT 128
  Automatic ARP configuration 129
  Behavioral Changes for Services Features 129
  Match for Any 129
  Time-out 130
  Protocol Type 130
  DNS Enforcement is Used by Default 130
  Dynamic Port Negotiation Inspection (Well Known Port) 130
  X11 Drop 131
  New Service Features 131
  Keep Connections During Policy Reload 131
  Dropping X11 Traffic 132
  SSHv2 and SSLv3 132
  FTP Behavioral Changes 132
  FTPbidir 132
  FTPbasic 132
  FTPnew Enforcement 133
  FTP Passive and FTP Port 133
  Behavioral Changes in INSPECT 133
  NAT Rule-Match Performance 133
  SmartCenter Behind NAT 133
  Client-Side Translation 133
  NAT for Dynamic Objects 134
  Disable NAT Inside the VPN Community 134
  Behavioral Changes in INSPECT 134
  Backward compatibility note 134
  Unknown established TCP packet 135
  Description 135
  Solution in Version 4.1 135
  Solution in NG with Application Intelligence 136
  FTP Related INSPECT Solutions 136
  FTP control NewLine enforcement 136
  Description 136
  Version 4.1 solution 137
  Solution with NG with Application Intelligence 138
  Changes to FTP control connection timeout 138
  Description 138
  Solution in Version 4.1 138
  Solution in NG with Application Intelligence 139
  Preventing FTP data connection failures on server port check 139
  Description 139
  Solution in Version 4.1 140
  Solution in NG with Application Intelligence 140
  Using FTP on non-standard ports 141
  Description 141
  Solution in Version 4.1 141
  Solution in NG with Application Intelligence 142
  Backward Compatibility 142
  Bi-direction FTP data connection 143
  Solution in Version 4.1 143
  Solution in NG with Application Intelligence 144
  Authentication related INSPECT solutions 144
  Preventing re-authentication when a policy is installed 144
  Description 144
  Version 4.1 Solution 144
  Solution in NG with Application Intelligence 144
  Removing RADIUS/LDAP/TACACS from Control Connections 145
  Description 145
  Solution in Version 4.1 145
  Solution in NG with Application Intelligence 147
  Services Related INSPECT Solutions 147
  Increasing services session timeout 147
  Description 147
  Version 4.1 Solution 148
  Solution in NG with Application Intelligence 148
  Backward Compatibility Issues for Services 148
  Custom INSPECT Services 149
  Overview 149
  What to change 149
  prologue 149
  match 149
  H.323 New service 150
  Version 4.1 Solution 150
  Solution in NG with Application Intelligence 150
  GRE inspection 150
  Version 4.1 Solution 150
  Solution in NG with Application Intelligence 151
  RSH STDERR back connections with ports lower than 601 151
  Description 151
  Version 4.1 Solution 152
  Solution in NG with Application Intelligence 152
  DNS Verification 152
  Description 152
  Version 4.1 Solution 152
  Solution in NG with Application Intelligence 153
  INSPECT Accounting solutions 153
  Description 153
  Version 4.1 Solution no. 1 153
  Version 4.1 Solution no. 2 155
  Solution in NG with Application Intelligence 156
  Restricting Account Logging to the Account Log Viewer only 156
  Description 156
  Version 4.1 Solution 156
  NG with Application Intelligence Solution 156
  INSPECT and Load Balancing 157
  Changes to persistency timeouts 157
  Description 157
  Version 4.1 Solution 157
  NG with Application Intelligence Solution 157
  INSPECT Tuning solutions 157
  Changes to the connections table size 157
  Description 157
  Version 4.1 solution 157
  NG with Application Intelligence solution 158
  Changes to Kernel memory settings 158
  Description 158
  Solution in Version 4.1 158
  Solution in NG with Application Intelligence 160

CHAPTER 1
Introduction to the Upgrade Process

In This Chapter
  Before You Begin  page 11
  Upgrading Successfully  page 12

Before You Begin

Welcome to the Upgrade Guide. We created this guide to explain all available upgrade paths for Check Point products from Version 4.1 SP5 forward. This document is specifically geared towards upgrading to NG with Application Intelligence (R55).

Before you begin, please:
- Back up everything you will be upgrading.
- Make sure that you have the latest version of this document from the User Center: uments/docs r55.html
- It is a good idea to have the latest version of the NG with Application Intelligence (R55) Release Notes handy. Download them from: http://www.checkpoint.com/techsupport/ng application intelligence/release notes.html
- If you are wondering what new features are available in NG with Application Intelligence (R55), read the "What's New Guide": http://www.checkpoint.com/techsupport/ng application intelligence/r55 whatsnew.html
- You can upgrade to NG only from Version 4.1 SP5 and higher. If you are running a version prior to 4.1 SP5, proceed as follows:
  1. Upgrade from that version to Version 4.1 SP5.
  2. Upgrade from Version 4.1 SP5 to NG with Application Intelligence.
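The two-step rule above (anything older than Version 4.1 SP5 must first be brought to 4.1 SP5 before it can go to NG with Application Intelligence) is easy to apply to one box and easy to get wrong across a whole inventory. The script below is an added example written for this page; it is not Check Point code and does not appear in the original guide. It parses version names in the spelling this guide uses ("4.1 SP3", "NG FP3", "NG with Application Intelligence (R54)") and returns the ordered list of upgrades each host needs. The version-string format, the family ordering it encodes (4.1 SPn, then NG FPn, then NG with Application Intelligence Rnn) and the sample inventory are assumptions of the example; adapt the parser to whatever your own asset records actually contain, and let it refuse anything it does not recognise rather than guess.

```python
"""Plan the upgrade path to NG with Application Intelligence (R55).

Rule taken from the guide: a Check Point host can be upgraded to NG only from
Version 4.1 SP5 or later; anything older must first be upgraded to 4.1 SP5.
The version-name spellings accepted here ("4.1 SP5", "NG FP3",
"NG with Application Intelligence (R54)") are an assumption of this example,
not a Check Point-defined format.
"""
import re
from typing import Dict, List, Tuple

TARGET = "NG with Application Intelligence (R55)"
INTERMEDIATE = "4.1 SP5"   # mandatory stop for anything older than 4.1 SP5

# A version becomes a comparable (family, level) tuple. Families are numbered
# in release order: 0 = Version 4.1 SPn, 1 = NG FPn, 2 = NG with AI Rnn.
_PATTERNS = (
    (0, re.compile(r"4\.1(?:\s+SP(\d+))?", re.IGNORECASE)),
    (1, re.compile(r"NG(?:\s+FP(\d+))?", re.IGNORECASE)),
    (2, re.compile(r"NG with Application Intelligence\s*\(R(\d+)\)", re.IGNORECASE)),
)


def parse_version(text: str) -> Tuple[int, int]:
    """Map a version name to (family, level); raise on anything unrecognised."""
    name = text.strip()
    for family, pattern in _PATTERNS:
        m = pattern.fullmatch(name)
        if m:
            # "4.1" with no service pack and "NG" with no feature pack count as level 0.
            return (family, int(m.group(1) or 0))
    raise ValueError(f"unrecognised Check Point version name: {text!r}")


def upgrade_path(current: str) -> List[str]:
    """Return the versions to install, in order, to reach R55.

    An empty list means the host is already at R55. A host older than 4.1 SP5
    gets the intermediate 4.1 SP5 step first, as the guide requires.
    """
    cur = parse_version(current)
    target = parse_version(TARGET)
    if cur == target:
        return []
    if cur > target:
        raise ValueError(f"{current!r} is newer than the target {TARGET!r}")
    steps: List[str] = []
    if cur < parse_version(INTERMEDIATE):
        steps.append(INTERMEDIATE)
    steps.append(TARGET)
    return steps


def plan_inventory(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply upgrade_path to a {hostname: version} mapping."""
    return {name: upgrade_path(version) for name, version in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real hosts.
    sample = {
        "fw-branch-01": "4.1 SP3",
        "fw-dc-01": "4.1 SP5",
        "mgmt-01": "NG FP3",
        "fw-dmz-01": "NG with Application Intelligence (R54)",
    }
    for host, path in plan_inventory(sample).items():
        print(f"{host}: {' -> '.join(path) if path else 'already at R55'}")
```

Run it against your own list before scheduling anything: every host whose path has two entries needs a 4.1 SP5 maintenance window of its own, and a host that makes the parser raise needs a human to confirm what is actually installed.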

Upgrading Successfully

All successful upgrades begin with a solid game plan and a full understanding of the steps you need to follow in order to succeed. This book provides graphics, tips and instructions to make the upgrade process as clear as possible.

It is not necessary to read the entire book. In fact, large portions of the book may not apply to you because you do not own the product covered. The book is structured to show you common scenarios and then to provide the steps necessary for achieving your unique upgrade.

We hope that your upgrade goes smoothly, but in the event that you run into unexpected snags, please contact your Reseller or our SecureKnowledge support center at: https://support.checkpoint.com/login/login.jsp

CHAPTER 2
Planning Your Upgrade

In This Chapter
  "Recommended Upgrade Flows" on page 13

Recommended Upgrade Flows

Successful upgrading begins with a comprehensive upgrade plan, good organizational oversight and an understanding of your products. The purpose of this chapter is to provide you with a broad understanding of how your upgrade deployment fits into Check Point's products. After reading this short chapter, you will have a clearer idea of how to conceptualize and proceed with your upgrade.

Deployments

What follows are four separate graphics depicting four Check Point upgrade deployments. In all four deployments, we suggest proceeding as follows:
1. Upgrade your management products: SmartCenter Server (and SmartConsole), SmartLSM or Provider-1, then SmartView Reporter and Log Server.
2. Upgrade your enforcement products: Check Point gateways (individual modules or ClusterXL, ROBO Gateways).

Below, find the graphic that most closely resembles your enterprise's deployment and follow the instructions in each of the corresponding chapters in this "Upgrade Guide".

FIGURE 2-1  Upgrade a SmartCenter with Gateway(s)
FIGURE 2-2  Upgrade a SmartCenter Server with SmartView Reporter, Gateway(s) and Cluster(s)
FIGURE 2-3  Provider-1 Upgrade
FIGURE 2-4  Upgrade a SmartCenter Server with SmartLSM, Gateway(s) and Cluster(s) and ROBO Gateways
(The four deployment diagrams are not reproduced in this transcription; only their captions are retained.)

CHAPTER 3
SmartCenter Upgrade

In This Chapter
  Before You Begin  page 17
  Planning SmartCenter Upgrades  page 19
  SecurePlatform  page 20
  Basic SmartCenter Upgrade Procedure  page 23
  Advanced SmartCenter Upgrade  page 24

Before You Begin

This chapter first goes through the steps to perform a basic upgrade, then goes through the steps to perform an advanced upgrade.

Terminology

Here are some useful terms that you need to be familiar with in order to continue reading this chapter:

Security Policy - A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.

Enforcement module - An Enforcement module is the engine of VPN-1 Pro which actively enforces the Security Policy of the organization.

SmartCenter Server - The SmartCenter Server is the server used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the SmartCenter Server, and are downloaded from time to time to the Enforcement module.

SmartConsole Clients - The SmartConsole Clients are different GUI applications which are used to manage different aspects of the Security Policy. For instance, SmartView Tracker is a SmartConsole which manages logs.

SmartDashboard - SmartDashboard is a SmartConsole which is used by the system administrator to create and manage the Security Policy.

Tools

Pre-Upgrade Verifier - The Pre-Upgrade Verifier is a tool that provides you with a report. Three types of results are displayed in the report:
- Action items to perform before the upgrade
- Action items to perform after the upgrade
- Information Messages
This tool is run automatically before both basic and advanced upgrades, and can also be run on its own in preparation for upgrading. Further details regarding this tool are located in "Pre-Upgrade Verification" on page 27.

Built in Safety Measures and Tips

1. Automatic pre-upgrade verification runs by default during your SmartCenter upgrade. The pre-upgrade verification notifies you of important adjustments to make before upgrading.
   If you prefer, you can run the pre-upgrade verification from the CD separately from the upgrade in order to prepare yourself for your upgrade. You will be provided with a report. Three types of results can be displayed in the report: action items before the upgrade, action items after the upgrade, and information. Detailed explanations of these reports are outlined later in this chapter, and sample output from a pre-upgrade verification is provided in "Pre-Upgrade Verification" on page 27.

2. During the process of upgrading your SmartCenter, an optional automatic online check is performed that confirms that your SmartCenter has the most current upgrade information available. Before running the online check, you are prompted to confirm that you want to run it.

3. To add even more safety measures, upgrade your SmartCenter Server on a second machine. Then either:
   - make the spare machine your production management machine, or
   - migrate back to the original machine.
   The steps for performing either of these types of upgrades are detailed in "Advanced SmartCenter Upgrade" on page 24.

4. Upgrades can be performed incrementally. You do not have to upgrade the SmartCenter Server and all its modules at once.
   A. First upgrade the SmartCenter Server.
   B. After the upgrade, you can still manage your modules from your SmartCenter Server.
   C. At your convenience, the modules can be upgraded one by one. A module that has not been upgraded will not yet have the latest features.

5. If for any reason you are not pleased with the results, restore your prior work environment.

6. If you have an upgrade that you would like to distribute from a central server, use SmartUpdate. Instructions for using SmartUpdate for upgrading are located in Chapter 4, "Check Point Gateway Upgrades", under "Upgrading Check Point Gateways with SmartUpdate" on page 44.

7. When upgrading the SmartCenter Server, the database is adjusted to the format of the new version. This includes the formats for policies, objects, the global properties, etc. In addition, system objects which come with the new version are added to your database. Because the files containing these elements are converted rather than simply copied, you cannot copy these files from a previous version into a newer version.

Planning SmartCenter Upgrades

Select the Basic or the Advanced Upgrade Method

First choose the type of upgrade that is right for you:
- Basic Upgrade: Perform the upgrade directly on the production SmartCenter Server, or
- Advanced Upgrade: Perform the upgrade on a spare machine while the production SmartCenter Server is fully operational. Test the full functionality of the spare machine and either:
  - replace the old server with the new one, or
  - migrate the upgraded server back to replace the old server.

Both the basic and advanced upgrade can be performed automatically from the Check Point CD.

Maintaining Backward Compatibility

Backward compatibility for the management of VPN-1 modules and FireWall-1 modules is automatically built into the NG with Application Intelligence SmartCenter Server installation.

SecurePlatform

Upgrade of a SecurePlatform SmartCenter Server and all the Check Point products installed on it is done by simply applying the SecurePlatform upgrade package,
