PDA

View Full Version : upgrade FP2 on IPSO3.6 to R55 on IPSO 3.9



Kenny_NL
2006-11-01, 10:00
I dunno if this question is one for the Nokia/IPSO-list or for the upgrade-list, but does anyone know if it's possible to do a big-bang-upgrade from IPSO 3.6/NG FP2 to IPSO 3.9/R55?

IPSO 3.9 doesn't support FP2 and 3.6 doesn't support R55, so they have to be upgraded at the same time, or is this upgrade only possible through intermediate steps (FP2->FP3, then IPSO upgrade to 3.7, FP3->R55 and lastly upgrade IPSO to 3.9)?

Thanks in advance.

northlandboy
2006-11-01, 17:16
You can do it without having to go via an intermediate step of FP3.

Read through the upgrade guides, but I think it looks like this:

* Install IPSO 3.9. This will disable FP2 during the upgrade. Reboot

* Re-activate the FW-1 package. Install the R55 package as an upgrade (newpkg -m LOCAL -n r55.tgz -o $FWDIR)

* Reboot

* ....

* Profit!

If this is a combined management/enforcement system, then follow something like those steps. Make sure you've got a backup though.

If this is just an enforcement module, then do a clean install of IPSO and CP, and re-establish SIC and push policy.

There can be some problems with upgrading to R55 - Nokia used to talk about potential memory leaks. You could instead do an upgrade_export, rebuild the system, then do an upgrade_import.

Again, it depends on if it's combined enf/mgmt, or separate.

Kenny_NL
2006-11-02, 05:50
All upgrades we're planning to do are fw-modules, and they're also all VRRP-clusters (the old-school monitored circuit-variant).

Thanx for the reply.

northlandboy
2006-11-02, 07:14
In that case, do an IPSO upgrade, but a clean install of Check Point, and just re-establish SIC/license/push policy.

Kenny_NL
2006-12-11, 08:41
This probably sounds stupid, but does that mean a (complete) removal of the active Check Point-software from the box, prior to installing the R55-software?

The reason for all this asking is a previous upgrade-attempt that went horribly wrong (we ended up with two modules that were convinced they were the backup-node in a VRRP-cluster and there was no connectivity as a result of that). Our department had to be very almost invisible for a few weeks after that...