| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| I need a little advice before I take the final step with my upgrade from NG FP3 to NGX on my new Smart Centre. I am going from NG FP3 on a Nokia platform to NGX on Solaris 8. I decided to do an offline upgrade, leaving the existing management station up & running. I'm at the point where I can access the new Management Station with the latest GUI tools. The notes suggest that I now modify the Policy on the Primary Management Server so that the original Node now reflects the detail of the new server (new IP etc.). In effect putting the new system in as Primary. Seems to me this is an "All eggs in one basket scenario"... if for some reason I get failures, is it simple enough to roll back? Will everything still work OK? I'm not sure how I can test the configuration easily. I have 30 firewalls all managed from this policy. I need to know before going LIVE that I can push policy, that SIC still works, that logging continues as normal, etc. Anyone had issues after upgrading this way? Anything I should be wary of? Notes are great until problems are encountered! Appreciate any input. |
| |||
| Quote:
As I did some migrations in the past, I can assure you that, starting from the NG release, you should not have any SIC problem, assuming you didn't make any change in the management CA (mandatory). One foreword about the management IP: if you want the switch from the old to the new environment to work fine, you MUST use the original Smartcenter IP and the same machine and object name also!!! (If I have understood well, you used a machine with a different IP for the migration. You should repeat the process with the same IP.) Don't daunt with a versions of Primary and Secondary Smartcenters, this is not assured to work at all, and it makes the rollback at least _*difficult*_. With the same IP you should only change back your UTP cables: at the very end an 'fw local unload' and some ARP deletion should restore the situation. Instead, use a separate VLAN/switch/hub to do your tests. If you have one (or more) separate enforcement (test) nodes that are the EXACT (I mean physical) replica of the production ones (to avoid the SIC issue!!!), to do the policy install, it is better even if you have to do *MULTIPLE* installs, if you want to be sure. You will have to (physically) replicate every node... but this is the only way to not reissue the SIC. Of course, you will want to upgrade your enforcement points after. Write down some lines to alfcoz@yahoo.com if you are unsure of the procedures. Have a happy migration!!! __________________ Alfredo Cozzino CCSA/CCSE NG AI |
| |||
| Alfcoz, thanks for the input - it's reassuring! I have to change IP on the Management server as the system is going onto a separate VLAN. However, I will set up the new server on a test network with an Enforcement Module or two. Thanks for your email address - if I have any doubts or questions I'll be sure to ask your advice. |
| |||
| Quote:
have to set up a separate SIC for every enforcement point, since the master where the enforcement point is registered will have the OLD IP as the reference one for policy installing/fetching. This is NOT true if you are planning to do the Primary/Secondary task, BUT keep in mind that Primary must "see" Secondary Smartcenter in terms of SIC, and thus network reachability between the two modules. __________________ Alfredo Cozzino CCSA/CCSE NG AI |