| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
My group manages approximately 75 FWs across 36 environments; of these, only three are standalone, the rest are Active/Standby. We run a mix of SPLAT and Nokia IPSO with Check Point R55. I'm finishing my upgrade documentation and wondered if the group could share a few things.

1. In your experience, what is the approximate upgrade time per HA pair? I'm estimating 2 hrs/pair.
2. I've read through several threads and wondered how accurate Check Point's R62 upgrade guide is and what some of the catches are, specifically when dealing with HA pairs. If it helps, we run IPSO 3.8.1 b33 (upgrading to 4.1b22) and each FW has multiple interfaces.
3. Manual NAT: yes, we use Manual NAT exclusively. We've had several FWs with proxy ARPs and, after a recent upgrade to R55 HFA_18 on SPLAT, ran into issues with spoofing. I had to enable NAT on client side to get some things to work (i.e. static route to inside destination host didn't work). This is where I'm rusty regarding the difference between Server and Client side NAT. If someone could point me to a decent FAQ or doc I would greatly appreciate it.
4. We run no VPN, strictly FW shop with Check Point.
5. Is there a workaround for the SmartDefense update issue before you successfully push a policy? We don't use it and at some point they will get tired of providing a trial license to me ;-)

Thank you in advance for your comments.
| |||
Go into support.nokia.com and Ask Nokia for the term R62 and see what comes up.

Here's a couple of things:

Nokia only supports R62 on IPSO 4.2, despite the Check Point release notes. The IPSO release notes for 4.1 and 4.2 state this and I opened a support case with Nokia to confirm it. That doesn't mean it won't work, just that they have only totally tested it on IPSO 4.2, I guess.

There's a note that on the reboot, the initial policy will be loaded, NOT the last saved policy. It states this will block access via Voyager.

If you're managing any Edge boxes, moving the SmartCenter to R62 will cause ALL SmartDefense settings to be transferred to the SmartCenter, which I have never found in the upgrade guide. That caused me some heartache because we had set custom SmartDefense settings on the Edges for proprietary applications and the SmartCenter upgrade broke them by applying the defaults again. I had to set up a SmartDefense profile for them, which is a better way for sure, but I didn't plan on having to do it so quickly. :-)

There's also a workaround noted for the Edge boxes losing their installed policy when you upgrade the SmartCenter. It doesn't work. You need to push the policy ASAP.

No HA experience, sorry.

I had to run the license upgrade tool a couple of times for it to do all of them.

I had some duplicate service definitions I had to fix (because R55 did not have them but R62 did). The SmartCenter does warn you and list what to do about each of them.

Seems to me it did the SmartDefense update on its own without me initiating it, although I am licensed for it.

HTH,
Ray