| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hey all...I'm hoping someone can point me in the right direction:

Setup:
- Brand new install of NGX R65 on SPLAT
- SmartCenter Server is running on Windows Server 2003.

I see that HFA 02 is out for R65. I've downloaded it from the Checkpoint site. I've been poring over the readme & the Checkpoint guides that I found on the CDs.... and I still cannot figure out how to do this update. When I do "Add packages from download center", I don't even see R65 HFA02 listed at all. Something seems to be contradictory here, or I'm just missing something.

I've installed R65 HFA 01 on the SmartCenter server w/o issue....but can't get HFA02. Nothing I've read today seems to be straightforward enough on how to do the updates.... so I'm asking in here now.

How can I push R65 HFA02 to my SPLAT gateways?

Thanks in advance,
Jay
| |||
"Push" as in SmartUpdate? I think you'll find that almost no one does it that way.

    cd /var
    mkdir R65packages
    cd R65packages
    mkdir HFA02
    cd HFA02

SCP the .tgz HFA02 file into this folder. Use WinSCP or something similar. It's put under /var because it usually has the most free space.

From within /var/R65packages/HFA02:

    tar -xvzf *.tgz
    ./UnixInstallScript

Answer yes and reboot when it's done.

Note that you must have the SmartCenter at the same or a higher level than the firewall. In other words, move the SmartCenter to HFA02 as well first.

Ray
| |||
| Just to add a little advice.. I would strongly consider running SmartCenter on SPLAT as well, rather than on Windows. It performs better, is easier to set up, back up, and recover with... And requires no additional hardening of the OS, as it is stripped and secured out of the box... |
| |||
| Thanks for the replies, guys. It sounds like I can't update the R65 SPLAT Gateways w/ HFA02, as SmartCenter for Windows is only at HFA01. I read that the SmartCenter box can be at a higher HFA version than the gateways, but not vice versa. Looks like I'll hold off on that, unless I'm misreading something. Once again, I appreciate the insight. |
| |||
That's not correct. Enforcement modules can have higher HFA than SmartCenter. In other words, you can have SmartCenter running NGx R65 with NO HFA while enforcement modules running NGx R65 with HFA_02 and HF_249. The drawback of this is that you may lack some features on the SmartCenter but it will work.

Enforcement modules can NOT be running higher checkpoint version than SmartCenter. In other words, you can not have SmartCenter running on NGx R62 managing Enforcement Modules running NGx R65.

That's the way I understand how checkpoint works, unless they decide to change it in NGx
| |||
Since the SmartCenter compiles the policy and pushes it, including the .def files, to the enforcement module I would be very hesitant to have the SmartCenter at a lower HFA. R55 has some 20 HFAs now and that has to make a difference in how the policy is understood by the firewall.

Is there some reason you can't go to HFA02 on the SmartCenter? That's usually very painless.

Ray
| |||
Ray,

I used to work for Managed Security Service Providers (MSSPs) and that's how MSSPs work. You have to keep in mind that almost all MSSPs use Provider-1 to manage customer enforcement modules. The Provider-1 infrastructure does not get upgraded very often. It is a big task and you can not just do it for one customer. Most often, you end up having customers running HFA versions higher than the HFAs running on the Provider-1/SmartCenter. It is not something you do in an enterprise environment but for MSSPs, that's how it operates.

In summary, you want the SmartCenter running higher HFAs than the enforcement modules, the other way will work too and is supported by Checkpoint as well.
| |||
"Is there some reason you can't go to HFA02 on the SmartCenter? That's usually very painless"

As of right now, there isn't a download on Checkpoint's site for R65 HFA02 for SmartCenter on a Windows platform. So that's why I'm not running it.

I was able to get the HFA 02 installed on the Gateways after jumping through the many hoops to be allowed to SCP to the Gateways.

So, I've got:
- UTM-1 R65 SPLAT Gateways running HFA02
- Windows SmartCenter server running R65 HFA01

No issues so far.
| |||
"As of right now, there isn't a download on Checkpoint's site for R65 HFA02 for SmartCenter on a Windows platform. So that's why I'm not running it."

What are you talking about? NGx R65 HFA_02 has been available on checkpoint website since November 2007

- Product: VPN-1 Power/UTM
- Version: NGX R65
- Platform: Windows
- Release: R65_HFA_02
- Filename: VPN-1_R65_HFA_02_wrapper.windows.tgz
- Size: 49.50 MB
- MD5 Checksum: c3e7511b4fca1215d9bef9f1d6571ef2
- Date Published: 21-Oct-2007
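Added example, not part of any post in this thread: a shell helper that checks a downloaded HFA .tgz against the MD5 published on the download page (such as the value quoted in the post above) and inspects the archive's member paths before unpacking it for a manual install. The function names, return codes and directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded HFA package before unpacking it.
# verify_and_unpack and its helpers are hypothetical names; the package
# path, published digest and destination are supplied by the caller.

# Print the lowercase MD5 hex digest of a file.
file_md5() {
    md5sum "$1" | awk '{print tolower($1)}'
}

# Return 0 only if every archive member is a relative path with no ".."
# component, so extraction cannot write outside the destination directory.
archive_paths_safe() {
    tar -tzf "$1" | awk '
        /^\// { bad = 1 }
        /(^|\/)\.\.(\/|$)/ { bad = 1 }
        END { exit bad }'
}

# usage: verify_and_unpack <package.tgz> <published-md5> <dest-dir>
# Returns 0 on success, 1 on digest mismatch, 2 on unsafe member paths,
# 3 if the file is missing or extraction fails.
verify_and_unpack() {
    pkg=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3
    [ -f "$pkg" ] || { echo "missing: $pkg" >&2; return 3; }

    # MD5 catches a truncated or corrupted transfer; compare it before
    # anything from the archive is written to disk or executed.
    actual=$(file_md5 "$pkg")
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $pkg: got $actual, expected $expected" >&2
        return 1
    fi

    archive_paths_safe "$pkg" || {
        echo "archive contains absolute or parent-directory paths" >&2
        return 2
    }

    mkdir -p "$dest" && tar -xzf "$pkg" -C "$dest" || return 3
    echo "verified and unpacked $pkg into $dest"
}
```

The installer inside the package is run only after this function returns 0; a non-zero return means the file should be downloaded again rather than extracted.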
| |||
"What are you talking about? NGx R65 HFA_02 has been available on checkpoint website since November 2007 Product VPN-1 Power/UTM Version NGX R65 Platform Windows Release R65_HFA_02 Filename VPN-1_R65_HFA_02_wrapper.windows.tgz Size 49.50 MB MD5 Checksum c3e7511b4fca1215d9bef9f1d6571ef2 Date Published 21-Oct-2007"

Maybe I'm misunderstanding something here. I downloaded & installed the SmartCenter (Windows) HFA01 update for R65. Don't see HFA02 for Windows SmartCenter R65.

Are you saying that the SmartCenter for Windows update is included in the "VPN-1_R65_HFA_02_wrapper.windows.tgz" update file? If so, that's good news to me.
| |||
| Quote:
the upgrade_export and upgrade_import issue. It is very important that you upgrade your SMC with this hotfix or you will be sorry if the SmartCenter dies a sudden death and you have no backup. |
| |||
| Yes, get 249 because it also fixes a certificate authority crash problem. If you manage Edge boxes, there's a post HFA02 hotfix for it as well. There's also one for an SNMP vulnerability. The SK lists one for a Floodgate memory leak but you have to call for it, unlike the others. Ray |
| |||
This is interesting. It's a new SK article titled "VPN-1 Power/UTM and Provider-1 NGX R65 HFA_02 issues Hotfix - sk33821". It looks like they've rolled the ones mentioned earlier in this thread into one article and added an AntiVirus fix:

Symptoms
* Users that install VPN-1 Pro NGX R65 HFA_02 on the SmartCenter may encounter policy installation failure on VPN-1 Edge/Embedded.
* fwd and cpca processes crash after installing HFA_01/HFA_02 on VPN-1 Power/UTM NGX R65 or on Provider-1 NGX R65.
* When trying to edit an object in a CMA's SmartDashboard, an error is displayed: "Unable to contact Certificate Authority on the Management Station. Please make sure the Certificate Authority daemon is running".
* Status of cpca and fwm processes shows "down" for each CMA when running the mdsstat command.
* Upgrade_export on VPN-1 Power/UTM and/or Provider-1 NGX R65 HFA_01 & HFA_02 fails with error: "Unable to read local configuration info".
* Error message: "FW-1 at <FW-Name>: Access denied:"
* A server (HTTP, FTP, SMTP or POP3) is configured, using Manual NAT rules, behind static NAT. After enabling Anti-Virus for a protocol, connections to Internal servers are rejected.
* In SmartView Tracker, the drop log shows that the connection was dropped by the Cleanup Rule.

Ray