| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Well done with your 100% - which tests provide the more reliable answers? I'm torn between answers A and B on this one - there is a backup command on SecurePlatform that backs up system configuration etc. I've managed to use it to import into a Windows SmartCenter Server. There's also the option in sysconfig to export the setup. I'd choose 'A' because it is using the NGX CD upgrade tools to export the config and this is always the best method when upgrading - I don't think it is recommended to use the native upgrade tools when upgrading to a higher version - always use the latest for that version. However, the answer also states that it carries on with the upgrade and I would have thought this would have upgraded everything, the Gateway and SmartCenter Server - you can't uninstall or choose not to install the SCS component using sysconfig if you're doing an upgrade. My method would be to use the NGX SecurePlatform CD to export the config - copy this across to the new server. Install SmartCenter Server on the new server and import the config. Completely rebuild the gateway on the old hardware and create a new VPN object in SCS and reinitialise. The existing Checkpoint object for the old standalone setup can be converted into a checkpoint host and the IP can be amended to the new SCS address. I can't find an answer that does it this way! :o( Last edited by Pippa; 2007-11-12 at 09:04. |
| |||
| It would be interesting to find out which exam tests are more accurate - I think pass4sure seem to be - although they get the answers for state synchronisation wrong - the answer I'd use is fw ctl pstat and I think they go for cphaprob -i list (and this is just for the status of the devices and not sync). |
| |||
| Pippa - Agree with you. P4Sure is updated and you can rely on questions. But for answers, there are some mistakes, including the one you have stated. And also the answer for prevention of DDOS [Puzzles/Stateless]... I needed to go through the documents at Checkpoint before appearing for the examination, to zero in on the most suitable answer. |
| |||
| Because it is using a handover device (proxy/registrar) - you need to set up a VoIP domain for your network - so the source will be VoIP_Domain_A - this object contains the IP network of phones and the host that the proxy is installed on. It's talking to Net_B, so that will be the destination. There is no fully correct answer (so AT is at fault) but I'd go for answer B (probably a typo in the paper). You can't have sip and sip_any in the same rule and you have to use a VoIP Domain object because you are using a handover device. I hope this makes sense. |
| |||
| sip is used when you're using a handover device in either the source or destination and sip_any when the endpoint is going directly out - however, if you use sip_any and there is a domain defined, it will use sip - rather confusing. As long as there is just sip or sip_any in the service column, that should be ok - anything else is wrong, or if both are used. Last edited by Pippa; 2007-11-13 at 04:17. |
| |||
| My exam is in less than two weeks now, I know I have some reading to do, mainly VoIP and VPN. Currently building a management server and gateway on a Windows platform, then might try a secure platform if I have time. Once I have done the CCSE I will probably do the CCSE plus as there seem to be a lot of useful diagnostic tools and commands to learn. |
| |||
| Yes, the CCSE+ looks really useful - there are many commands that I have used but would like a better understanding of. I don't know if I should just study for it and not take the exam or do the exam. What material/resources have you for the CCSE+? By the way, good luck with your CCSE, I'm sure you'll do well!! |
| |||
| Good luck to you, I hope you pass. If you can please PM me how you went on. The study material I have found is Index of /, it seems good and there is this forum. If you decide to go for the CCSE plus let me know as I will be studying for it with a possibility of taking the exam in the new year. Click on the link |
| |||
| How about this one for re-installing the SmartCenter Server. I've left the 2 obvious answers. Would you use the CD-ROM or download the latest upgrade tools from the website? Don't they recommend that you always download the latest? Thanks.... C - 1. Insert the NGX CD-ROM, and select the option to export the configuration into a .tgz file. 2. Transfer the .tgz file to another networked machine. 3. Uninstall all NGX packages, and reboot. 4. Use the NGX CD-ROM to select the upgrade_import option to import the configuration. D - 1. Download the latest upgrade_export utility, and run it from $FWDIR/bin to export the configuration into a .tgz file. 2. Transfer the .tgz file to another network machine. 3. Uninstall all NGX packages and reboot. 4. Install a new primary SmartCenter Server. 5. Run upgrade_import to import the configuration. |
| |||
| Good question, I have also read that you should download the latest upgrade_export utility. My gut feeling is 'C' as this would definitely work. C - 1. Insert the NGX CD-ROM, and select the option to export the configuration into a .tgz file. 2. Transfer the .tgz file to another networked machine. 3. Uninstall all NGX packages, and reboot. 4. Use the NGX CD-ROM to select the upgrade_import option to import the configuration. Also see page 46 of the NGX_R60_upgrade guide which I have downloaded which mentions CD. Last edited by chipone; 2007-11-13 at 09:54. |
| |||
| My feeling is that if you're doing a migration from an older version to a newer version, then pop the newer version's CD into the older versions and export the configuration - you can then use this to build your new SmartCenter Server. However, if you're doing a migration of the same version you can use the existing upgrade tools, or download the latest for that version from the website. |
| |||
| Guys, as we are moving on to CCSE+, I wanted to discuss the following: Is there any feature through which we can see the remaining IKE/IPSec timings, to be triggered for re-keying in case of site-to-site VPNs? It is similar to "show crypto isakmp sa detail" on Cisco devices, in which we can see the authentication/encryption algorithms and IKE timers/time left to be re-keyed. I have searched a lot of stuff but could not find an answer for this. Can anybody guide, please? |
| |||
| Hi friend, what would be the answer for this question? Problems sometimes occur when distributing IPSec packets to a few machines in a load sharing multicast cluster, even though the machines have the same source and destination IP address. What is the best Load Sharing method for preventing this type of problem? A. Load Sharing based on IP address, port and serial peripheral interface (SPI). B. Load Sharing based on IP address only. C. Load Sharing based on SPIs and ports only. D. Load Sharing based on IP address and ports. |