CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Upgrade of UTM 3070 - R70.40 to R75.45

  1. #1

    Hi,

    We have a HA pair of UTM 3070 appliances running R70.40 on SecurePlatform. They are utilising ClusterXL for HA, Firewall (about 100 security rules and 50 NAT rules) and IPS blades. They're managed in a distributed setup by a HP Open Server also running R70.40 on SecurePlatform.

    The Check Point website states support for R70 ends March 2013 - so I'm looking at our upgrade options.

    Any reasons not to upgrade to latest release R75.45?
    What are people's experiences with this upgrade path?
    Should we stick with SecurePlatform or move to GAIA - was leaning towards staying with SecurePlatform as it does everything we need and I assume that will make the upgrade less likely to be problematic?
    Can we expect a decrease or increase in performance when upgrading to R75.45 on the 3070's - Please indicate by how much if possible? No new features will be utilised from those listed above. Our current Active 3070 uses approx 20-30% CPU.

    Thanks

  2. #2

    You have to upgrade your management server first to R75.45:
    update to R70.50, export by using R75 image and store on some external server, clean install R75, import, update to R75.40, update to R75.45 (please check all for supported update way), install policy, check log, SIC test ...
    You can also try to perform in place update (I can not recommend this way because for example we have a problem with in place upgrade for Provider-1).

    Cluster:
    first member: Make clean install of R75.45 SecPlat (or GAIA if you have experience), reconfigure Interfaces, routing ..., SIC, set CCP to broadcast (if it has been used before), change version in gui to R75.., install policy for cluster, cpstop on old second (R70), check, log, IPS drops, install lic,...

    second member: the same way, check cluster status


    You should expect only decrease of performance (at least we have never seen any single performance increase since R55). *How much* is not simple question and depends on 1000 things.. (our first and worst case 2x decrease after update from R70.40 to R74.45 - CPU usage was 20% and now 40% on open server 2 Core CPU 2.8 GHz, 8Gb RAM, but with 2000 rules and 1000xxx objects, no IPS)

  3. #3

    Thanks for the reply. Was hoping to do an inplace upgrade but I'm considering your approach.

    If I do a fresh installation on SmartCenter manager then I will have to mess around with storing logs elsewhere temporarily (finding disk space will be an issue). And can logs be easily imported later and read by the later version?

    At the moment I'm stuck at the first hurdle of just being able to run the pre upgrade verification tool (I'm running the R75.40 version of the tool):

    [Expert@???]# ./pre_upgrade_verifier -p $FWDIR -c R70 -t R75
    Failed to execute plugin upgrade match command
    GetLicFromFile: Failed to open file: /opt/CPshrd-R70/conf/cp.pnp


    [Expert@???]#

    The filename referenced in the error above does not exist:
    [Expert@???]# ls -l /opt/CPshrd-R70/conf/cp.pnp
    ls: /opt/CPshrd-R70/conf/cp.pnp: No such file or directory



    Further question - If you do an inplace upgrade do you have to reinitialize SIC with the firewalls?
    Last edited by belongamick; 2013-01-31 at 12:16.

  4. #4

    Sorted the pre upgrade check error - just used the R75 version of the tool rather than the R75.40 version.

    Presumably after upgrading to R75 you would then have to run the R75.40 version of pre upgrade check.

    [Expert@???]# ./pre_upgrade_verifier -p $FWDIR -c R70 -t R75
    No errors found by the Pre Upgrade Verifier.

  5. #5

    From our experience expect a bump in CPU utilisation...we've stayed SPLAT R75.40 for now.

    In no particular order:
    - Upgrade your NET-SNMP version on the appliance to 5.3.1 afterwards if you monitor the firewalls via SNMP
    - Tune your interface buffers and upgrade your e1000 driver to 7.6.15.5-NAPI if stopping shy of R75.45 (TX Hang Issue)
    - Review & resize your volume sizes prior (refer Tobias' blog here: blog.lachmann.org)
    - Upgrade/convert your licenses to software blades (mandatory)
    - Check your vmalloc value is 512 in /etc/grub.conf (relates to IPS update issues).
    - Manually Preserve your routing config (SK44965)

    In place upgrades on our 3070 Gateways via the Web UI have been straightforward otherwise.

    Also make sure you have multiple backups/snapshots/upgrade_exports at your disposal, you won't regret it!!
    Last edited by AKKO_CP; 2013-02-22 at 02:29.
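
An added example, not part of the post above or of any Check Point tooling: a shell check for the vmalloc item in that checklist. It assumes the setting is the Linux `vmalloc=` kernel parameter on the `kernel` lines of a legacy GRUB config such as /etc/grub.conf; the sample config and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit vmalloc= on the kernel lines of a legacy grub.conf.

# Constructed sample config (not taken from a real appliance).
sample_grub_conf() {
    cat <<'EOF'
default=0
timeout=5
title Constructed entry A
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2 vmalloc=512M panic=15
title Constructed entry B
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2 vmalloc=256M
# kernel /vmlinuz ro vmalloc=512M (commented out, must be ignored)
title Constructed entry C
        kernel /vmlinuz ro root=/dev/sda2
EOF
}

# vmalloc_report FILE WANT_MIB   (FILE may be "-" for stdin)
# Prints "<line> <value|missing> <ok|mismatch>" per kernel entry and
# returns 0 only if every entry sets vmalloc to WANT_MIB.
vmalloc_report() {
    awk -v want="$2" '
        function to_mib(v,    num, unit) {
            if (v == "missing") return -1
            num = v + 0
            unit = toupper(substr(v, length(v)))
            if (unit == "G") return num * 1024
            if (unit == "M") return num
            if (unit == "K") return num / 1024
            return num / 1048576        # bare number means bytes
        }
        /^[ \t]*kernel[ \t]/ {
            n++; val = "missing"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^vmalloc=[0-9]+[KkMmGg]?$/) val = substr($i, 9)
            state = (to_mib(val) == want) ? "ok" : "mismatch"
            if (state != "ok") bad++
            print NR, val, state
        }
        END { exit ((n == 0 || bad > 0) ? 1 : 0) }
    ' "$1"
}

# Demo on the sample; on a gateway pass /etc/grub.conf instead of "-".
sample_grub_conf | vmalloc_report - 512 || echo "vmalloc needs attention"
```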

  6. #6

    Thanks for the tips, appreciated! We're looking at potentially upgrading the hardware now, so this is on hold for the moment.
