CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 pjscott13, 2007-06-04
VPN-1 Edge X Firmware Upgrade

Hi All,

I have realised that our Checkpoint device is extremely out of date and have a few questions in regards to upgrading the Device.

We have a VPN-1 Edge X Device with Embedded NGX running Firmware 6.0.57x. Hardware Type is SBox-200 and Hardware Version is 1.0T.

We have just renewed our Software Subscription with Checkpoint and I notice that there are much newer firmware available. We are also having some issues with a particular VPN tunnel that I believe VPN-1/FireWall-1 NG FP3 HF2 will fix. I logged a case with Checkpoint support nearly 2 weeks ago and the response has been extremely poor so I am hoping I might get a faster response here.

Can I upgrade to 6.5 or 7.0 or do I need to stay in the 6.0 range of firmware? I believe the latest is 6.0.83x. Also, how do I install this FP3 HF2?

I have never upgraded the firmware on a checkpoint device. I assume it is relatively painless and everything should work fine afterwards. Is there something I should prepare myself for before doing the upgrade?

Thanks for all your help!

#2 RayPesek, 2007-06-04

NG FP3 went off support on June 1, 2007. Check Point will not help you with anything that is end of life.

Check Point Software: Check Point Products and Enterprise Support Periods

Versions of the SmartCenter prior to R55 required a SofaWare Connector add-on to be manually installed in order to manage an Edge device. If you don't have it installed, you can use any Edge firmware you want because it will be considered an Interoperable Device, not a managed firewall.

It is painless and just works. Usually. Occasionally you have to do it twice in a row for it to take for some reason.

HTH,

Ray

Last edited by RayPesek; 2007-06-04 at 16:30.

#3 pjscott13, 2007-06-04

OK. I'm still a bit confused! Looking at the link, the FP3 is not part of our device... it belongs to the Provider-1 device. So I am guessing the Checkpoint article I found is out of date.

Next, I see all these articles etc refer to R60, R61 etc etc. I don't understand what this means. How do I know what Rxx version I am running? All I know is that our firmware is 6.0.57x.

You say that I could upgrade to version 7.0 if I wanted to? And it should all work fine?

Next question is that we have some Safe@Office devices that connect via VPN and a few odd users who connect via SecureRemote. If I upgraded the firmware, would this cause problems with them until they were upgraded also?

Thanks for your help!

#4 munrog, 2007-06-05

You will need to perform an upgrade of the libsw on the Provider-1 environment and the firmware on the sofaware box itself. The libsw files are constantly updated with new protections etc. and are always backwards compatible, i.e. 7.0 libsw will work with 5.0 firmware etc.; however, version 7.0 firmware won't work with a 5.0 libsw.

Download the latest available libsw from: https://downloads.checkpoint.com/dc/...&os=&x=12&y=12.

Login to your Provider-1 MDS and copy the libsw*.tar file to somewhere where you can access it.

cd to the libsw location. For example if your CMA is called CMA1
$MDSDIR/customers/CMA1/CPfwbc-41/libsw

Stop your CMA

Backup the contents of this directory.

Untar the libsw*.tar file into this directory and check that version.txt contains the correct version number.

Check Point also recommend doing a "dos2unix *" on all the files in this directory if you are running on Solaris or SecurePlatform.

If your Provider-1 environment is earlier than NGAI R55 with HFA17, you need to modify the $MDSDIR/customers/CMA1/CPfwbc-41/libsw/SofawareLoader.ini

vi the file and change the PolicyUpdateVersion to 505 (for version 7.0 firmware) or 405 (for version 6.5) or 305 (for version 6.0).

Start your CMA.

Next update the firmware. The latest firmware can also be downloaded from the link above. Download it to your local hard disk.

Login to the sofaware box and click on Setup > Firmware > Firmware Update.
  1. Click Browse... and select the new firmware file.
  2. Click Upload
The Sofaware Appliance will upload the firmware and reboot.

Push policy to test. Verify that the policy name in the Setup>Tools>Diagnostics page of the VPN-1 Edge gateway is the same as created in SmartDashboard. In addition, make sure the policy's date is correct.

Job done :)
Reply With Quote
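
The libsw file steps from post #4 (back up, untar, check version.txt, set PolicyUpdateVersion) as a shell function. This is an added example, not code from the thread or from Check Point; the function names are hypothetical and the `PolicyUpdateVersion=<number>` line layout in SofawareLoader.ini is an assumption.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Run it only while the CMA is
# stopped, and start the CMA again afterwards (both steps are in post #4).

# PolicyUpdateVersion values for each firmware series, as listed in post #4.
policy_update_version() {
    case "$1" in
        7.0*) echo 505 ;;
        6.5*) echo 405 ;;
        6.0*) echo 305 ;;
        *)    return 1 ;;
    esac
}

# Put a failed update back exactly as it was.
restore_libsw() { rm -rf "$1" && mv "$2" "$1"; }

# update_libsw DIR TARBALL EXPECTED_LIBSW_VERSION FIRMWARE_VERSION [yes|no]
# Last argument: "yes" if Provider-1 is older than NGAI R55 with HFA17.
# Prints the backup directory on success.
update_libsw() {
    dir=${1%/}; tarball=$2; expected=$3; fw=$4; legacy=${5:-no}
    [ -d "$dir" ] && [ -f "$tarball" ] || { echo "bad dir or tar" >&2; return 1; }
    puv=$(policy_update_version "$fw") || { echo "unknown firmware" >&2; return 1; }

    # Back up the directory before anything is overwritten.
    backup="$dir.bak.$(date +%Y%m%d%H%M%S)"
    [ ! -e "$backup" ] || { echo "backup already exists" >&2; return 1; }
    cp -Rp "$dir" "$backup" || return 1

    # Unpack over the old files, then confirm version.txt before going on.
    if ! tar -xf "$tarball" -C "$dir" ||
       ! grep -qF -- "$expected" "$dir/version.txt" 2>/dev/null; then
        echo "unpack failed or version.txt is not $expected; restoring" >&2
        restore_libsw "$dir" "$backup"
        return 1
    fi

    if [ "$legacy" = yes ]; then
        ini="$dir/SofawareLoader.ini"
        # Assumed layout: one "PolicyUpdateVersion=<number>" line.
        sed "s/^\(PolicyUpdateVersion[ ]*=[ ]*\).*/\1$puv/" "$ini" > "$ini.new" &&
            mv "$ini.new" "$ini" &&
            grep -q "^PolicyUpdateVersion[ ]*=[ ]*$puv\$" "$ini" ||
            { restore_libsw "$dir" "$backup"; return 1; }
    fi
    echo "$backup"
}
```

The dos2unix step from the post is not scripted here. If version.txt does not match, the function restores the backup, so the CMA can be started again on the old libsw.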

#5 BarryStiefel, 2007-06-05

Quote:
Originally Posted by pjscott13
I logged a case with Checkpoint support nearly 2 weeks ago and the response has been extremely poor so I am hoping I might get a faster response here.

Welcome to our world.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG

#6 pjscott13, 2007-06-05

Quote:
Originally Posted by munrog
You will need to perform an upgrade of the libsw on the Provider-1 environment and the firmware on the sofaware box itself. The libsw files are constantly updated with new protections etc. and are always backwards compatible, i.e. 7.0 libsw will work with 5.0 firmware etc.; however, version 7.0 firmware won't work with a 5.0 libsw. [...]

I think I am even more confused now!

How do I login to my Provider-1 MDS? Do I use the command on the sofaware box? All we have is the sofaware box. Blue in colour. All the administration we have done on it is via the web interface. So I am confident in doing the firmware update of the sofaware box using the Setup > Firmware > Firmware Update bit. But I am totally lost with the libsw stuff. Can you please clarify?

#7 munrog, 2007-06-05

Sorry I read the part of your link which said "I'm still a bit confused! Looking at the link, the FP3 is not part of our device... it belongs to the Provider-1 device." and from that understood that you were using Edge/Sofaware managed by Provider-1.

To upgrade your embedded firewall, you simply install the latest firmware:

Download the firmware from:
https://downloads.checkpoint.com/dc/...&os=&x=12&y=12.

to your local hard disk.

Login to the sofaware box and click on Setup > Firmware > Firmware Update.
  1. Click Browse... and select the new firmware file.
  2. Click Upload
The Sofaware Appliance will upload the firmware and reboot.

Greg

#8 pjscott13, 2007-06-06

Phew!

I was hoping it would be that easy! My only concern is making sure everything works once it is upgraded from 6.0.57 to 7.0.39.

Should I maybe upgrade in gradual steps instead?

#9 jkeffer, 2007-06-06

Use the backup utility for your current configuration, document your settings and then perform the firmware upgrade.
__________________
Joe Keffer
PM, CCSA
Luminare Technologies, Inc
404-644-1939

#10 RayPesek, 2007-06-07

You shouldn't have any issues going right to 7.0.39. I took three Edge X's from 6.0.something straight to 7.0.33 without any problems.

Ray

#11 ascssmith, 2007-06-12

Anybody try upgrading the firmware for the ADSL modem on the xg32-adsl device?

I've upgraded libsw on mgmt and device to 7.0.39, then tried to upgrade modem firmware to SW2.0.6ab_pri.firm, which I got from CP. But it fails every time: INTERNAL ERROR... nothing more???

AL

#12 ascssmith, 2007-06-13

Found out after working with sofaware techs, CP's version is not valid. They sent me the correct firmware. Have tried to zip it and upload, no go. I guess it's too big..

AL

Last edited by ascssmith; 2007-06-28 at 05:32.

#13 efdsa, 2007-06-19

Don't understand why you can't download the working version from sofaware support site.

#14 ascssmith, 2007-06-19

Don't know either, I think it has to do with "checkpoint" is supposed to handle this. As all edge devices that are managed by FW-1 are CP's responsibility.

I had opened a ticket with CP, and when they finally contacted me, I filled them in and sent them the (2) versions for them to put on their website...

AL

#15 efdsa, 2007-07-01

According to sofaware, there is nothing wrong with the ADSL firmware upgrade on the checkpoint site. I still get this internal error. Anyone got this working?

#16 munrog, 2007-07-01

Check the Annex Version of the DSL hardware. Usually it is Annex A or Annex C. If you are trying to load up the DSL firmware for Annex A on Annex C it will produce this error.
Hope this helps
Greg

#17 efdsa, 2007-07-01

Thanks Munrog, but there is only one upgrade on the checkpoint site for ADSL. Annexes are not mentioned. (A or B).

#18 ascssmith, 2007-07-03

Send me a PM with your email and I'll email you the version you need, as CP's version is bad. a = dsl, b = isdn..

AL

#19 efdsa, 2007-07-05

Thanks all for offering the right versions. One of the packages indeed works, however when I wanted to upgrade another Edge I received the same error again. Weird.

#20 joris, 2007-07-06

Indeed, thx for the package, but strangely I only needed this for one edge device.
The 5 others accepted the package that I downloaded from the CheckPoint site. Those were 6 equal edges, DSL annex A etc ...

Strange thing ... ;)