CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

Post #1, 2008-04-02, cgit01 (Junior Member)
Requesting Upgrade Advice

This thread will probably play out over the next few weeks as we perform our upgrade(s) in stages. We will need to maintain the original hardware and configs as a fallback for all changes. I have researched the Checkpoint site, this site and scads of documents for advice & guidance. I have never performed a Checkpoint upgrade (apologies in advance).


Current Configuration:

Win 2k3 Smart Center Server (R55, looks like HFA_4)
Single Nokia IP380 Enforcement Module (IPSO 3.8)
Neither box has been patched/upgraded in a while due to problems with VPN partners.


Desired Configuration:

Win 2k3 Smart Center Current with NGX R65 and all patches
Dual Nokia IP560 Enforcement Modules in an HA Configuration. Fully patched and running an appropriate IPSO version.



Stage 1:

Need to create a second Smart Center on a new Windows server. This new box will assume the IP and machine name of the old server on the go live day.

Please advise if the following are the correct steps that I need to take.


1) Configure the new Windows 2003 server as desired with a different machine name and IP.

2) Run upgrade_export on the old Windows server and copy the .tgz file to the new Windows server.

3) Download the Windows Wrapper and hotfix accumulator .tgz files to the new Windows server. We are still undecided on whether we will emulate the existing unpatched version or if we want to move forward with a fully patched R55 implementation. The documentation says that a fully updated system is the best candidate for an upgrade to R65, so I think the VPN partner issue needs to be handled at this time.

4) Disable the switch port on the new Windows server (or otherwise remove from the network) and change the name and IP to those of the old server.

5) Install the Checkpoint products using the Windows wrapper and the imported .tgz configuration file. This would be an "Advanced Upgrade using an Imported Configuration" according to the documentation. Dumb question. Will this upgrade automatically change the machine name and IP or do I have to do it manually?

6) Upgrade to the desired HFA level.

7) On go live day, unplug the old Windows server, activate the port on the new Windows server.

8) Install the security policy on the enforcement point.



Thanks in advance for your help.
Post #2, 2008-04-02, cciesec2006 (Senior Member)
Re: Requesting Upgrade Advice

This is what I would do:

A- Run upgrade_export on the current Windows 2003 box. Copy the .tgz file onto a USB thumb drive,
B- Build a NEW Windows 2003 in your LAB ENVIRONMENT WITH THE SAME HOSTNAME and IP ADDRESS AS YOUR LIVE Windows 2003 box,
C- Apply Service Pack 2 and the latest patches,
D- Download the Checkpoint wrapper,
E- Get the Checkpoint NGx license,
F- Install Checkpoint NGx R65 on the Windows 2003 box,
G- Upgrade to HFA_02,
H- Upgrade to HFA_249,
I- Run upgrade_import with the .tgz file you have on the USB thumb drive,
J- Apply the license,
K- Reboot the box, just to be safe,
L- Shut down the current Windows 2003 box that runs R55,
M- Bring up the NGx R65 box,
N- Push policy to the Enforcement module,
O- Verify connectivity

Very easy, right?
Post #3, 2008-04-02, MarioL (Senior Member)
Re: Requesting Upgrade Advice

I agree with keeping machine name and IP address, makes things easier.
Post #4, 2008-04-02, Routerkid1 (Senior Member)
Re: Requesting Upgrade Advice

I think the upgrade_export will fail if the name is not the same as the source of export. I need to test it...
Post #5, 2008-04-03, Thorpuse (Senior Member)
Re: Requesting Upgrade Advice

Yeah.. the ICA will fail to initiate, as well as licensing issues. Among other things, it's basically all bad news...
Post #6, 2008-04-07, cgit01 (Junior Member)
Re: Requesting Upgrade Advice

An update.

Making progress and I'll post more later so that others can use this as lessons learned.

Thanks to all of you for your advice.

We successfully completed the first stage and migrated to a new Nokia firewall (IP390) and Smart Center running R60. Here are a few things that I'll elaborate on further.

1) Keep the same Smart Center machine name.
2) Keep the same Smart Center IP address.
3) Cleaning up the Smart Center database makes for smaller files that export and import quicker.
4) Make sure that you have your Windows Wrappers and HFAs in the right form and on the right media.
5) Having alternate hardware makes things a lot easier.
6) Upgrading to NGX licenses works well if done properly.
7) Have the cpclean utility available.
8) Watch out for version compatibility between the Nokia IPSO and Checkpoint packages and the versions on the Smart Center. Some things are forgiving and others are not.

Thanks again to all of you.
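
A pre-flight check for the points raised in this thread (same Smart Center machine name, same IP) together with an integrity check on the export file after it has been carried over on removable media. This is an added example, not code from the thread or from Check Point; the function names, manifest fields, file name and host values are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash the archive in chunks so a large export is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(hostname, ip, archive):
    """Old server, after upgrade_export: record identity and archive hash."""
    return {"hostname": hostname.lower(), "ip": ip,
            "archive": Path(archive).name, "sha256": sha256_of(archive)}


def verify_manifest(manifest, hostname, ip, archive):
    """New server, before upgrade_import: return a list of problems found."""
    problems = []
    if hostname.lower() != manifest["hostname"]:  # Windows names ignore case
        problems.append(f"hostname {hostname!r} != exported {manifest['hostname']!r}")
    if ip != manifest["ip"]:
        problems.append(f"IP {ip} != exported {manifest['ip']}")
    if sha256_of(archive) != manifest["sha256"]:
        problems.append("archive hash mismatch: recopy the export")
    return problems


def demo():
    """Constructed sample: a stand-in export file and made-up host details."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "r55_export.tgz"
        export.write_bytes(b"constructed stand-in for an upgrade_export archive")
        manifest = build_manifest("SMARTCENTER01", "192.0.2.10", export)
        ok = verify_manifest(manifest, "smartcenter01", "192.0.2.10", export)
        export.write_bytes(b"truncated copy")  # simulate a damaged transfer
        bad = verify_manifest(manifest, "newbox", "192.0.2.11", export)
        return ok, bad


if __name__ == "__main__":
    ok, bad = demo()
    print(json.dumps({"clean": ok, "problems": bad}, indent=2))
```

On a real server the hostname can be taken from `socket.gethostname()`, and the manifest saved as JSON next to the .tgz so both travel together.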