Hotfix Help!

[Scrif]

I'm still learning these Checkpoint firewalls. Here is what I have done:

- Installed NGX R60 on one box, and enabled it as a FW
- Installed NGX R60 (from same CD) and enabled it as SmartCenter

When I do a FW VER -K it says:

This is Check Point VPN-1(TM) & Firewall-1(R) NGX (R60) - Build 458

It says this on both the firewall and the manager. It says nothing about HFA's or Hot Fixes. How do I know if I need an HFA (hotfix)? Do I need one on both the firewall and the manager?

[RayPesek]

Hi Scrif,

The current hotfix is HFA06 for R60: Check Point Software: VPN-1 Power/UTM HFAs

You ALWAYS install the hotfix on the SmartCenter first, no exceptions.

Look into the upgrade_export utility. You will need to use it to save a copy of your SmartCenter configuration before you install any hotfixes. You can rebuild the entire SmartCenter from that backup.

HTH,

Ray

[Scrif]

Thanks for the reply. When you say 'you always install on Manager first', does this mean I do install the Hotfix on both devices? Is the Hotfix the same? Or Do I download 2 separate HFA's form CP.com?

Thanks again.

[abusharif]

Quote:

Originally Posted by Scrif

Thanks for the reply. When you say 'you always install on Manager first', does this mean I do install the Hotfix on both devices? Is the Hotfix the same? Or Do I download 2 separate HFA's form CP.com?

Thanks again.

depends on the operating system. If you firewall module is on nokia and smartcenter/management windows, then its 2 separate HFA's you download, one for each OS as platform.

If we assume you run secureplatform on both firewall and smartcenter then its the same hotfix you use for both. As mentioned above, always upgrade your smartcenter/management first, before upgrading firewall module. (since higher patch level on management can work with lower versions for firewall modules, not vice versa)

[dantro]

fw ver; fw stat

is what I always do to check what is installed on a firewall module.

fwm ver

is the command for a smartcenter server (firewall management)

[wiz4rd]

Hello guys,

I'm going to install last HFA06 on Checkpoint Splat.

scenario:

1 cluster with 2 nodes ( A active B passive )NGX HFA_05
2 MGMT ( management Active + Standby) NGX_HFA_05

ClusterXL : HA NewMode

MGMT-A ---->FwA + FwB
|
MGMT-B----->FwA + FwB

Could you check if sound good for you this procedure under HA New Mode?

1) ./UnixInstallscript on MGMT A + B

2) Node B smartupdate with 3 reboots each for packages installed ( or can I do only one reboot to the end ?)

3) Node A the same of Node B


Is necessary before to start perform "set_ccp broadcast" and when all is ended "cphaconf set_ccp multicast" ? I suppose no because my scenario is with HA New mode so it works with unicast packets.


Thank you