CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: MDS Upgradation..

  1. #1
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default MDS Upgradation..

    Hi,

    I have MDS smart-1 50 with image R75.20.
    We are planning to upgrade with R76. But before that I have some queries...

    1) Once the upgradation is successful with image R76 and if we have some other issue (e.g. Policy database), then how can we revert to the previous image R75.20?
    Is it required to newly install R75.20 again on the same box and restore the backup?
    Is it possible to install a version from higher (R76) to lower (R75.20)?

    2) Is there any way to take backup with image on MDS?
    like snapshot, backup or upgrade_export...

    Thanx
    Thanx
    Arjun

  2. #2
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: MDS Upgradation..

    Personally I would not do an inplace upgrade, but follow the Exporting and Importing a Multi-Domain Server procedure.

    Make sure you take a full mds_backup beforehand and transfer it off the Smart-1 50 so that if you need to restore you can.
    Do a test restore to another machine with the same name and host IP etc to test the backup. (Suggest you stick an MDS EVAL license on before restore as won't be on a Smart-1 Appliance unless you have a spare one.)

    Once happy that have a working backup then follow the Exporting and Importing a Multi-Domain Server process.

    ie do the Export Process
    Do a Clean install on the Smart-1 50 to R76
    Run through the initial wizard so have a clean and new R76 installation
    Use the mds_import command to import the exported configuration into the new MDS.

    If you have issues with the R76 then you can rebuild the Appliance to R75.20, and then perform the mds_restore to restore your R75.20 system

    Personally I really prefer to build a new separate hardware unit with the new software and then migrate the Domain/CMA over one at a time, rather than the all or nothing approach of the full upgrade like this, however it does mean you need two sets of hardware.
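
The rollback path in the post above only works if the mds_backup archive held off the appliance is intact when it is needed. The script below is an added example, not part of the post and not Check Point tooling: it gates the reinstall on a verified copy, assuming the archive is a gzip-compressed tar and that a SHA-256 digest was recorded on the MDS right after the backup. The function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to proceed with a disk-wiping reinstall unless the
# off-box copy of the backup archive is provably intact.
# Assumptions (not from the thread): the archive is a gzip-compressed tar,
# and a SHA-256 digest was recorded on the MDS right after the backup ran.

# record_digest ARCHIVE
# Run on the MDS; prints "<sha256>  <basename>" to store beside the archive.
record_digest() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" )
}

# verify_offbox_copy ARCHIVE DIGEST_FILE
# Run on the host holding the copy. Return codes:
#   0 intact, 1 file missing/empty, 2 digest mismatch (bad transfer),
#   3 gzip stream damaged (archive was bad at the source), 4 no tar entries.
verify_offbox_copy() {
    archive=$1
    digest_file=$2

    if [ ! -s "$archive" ] || [ ! -s "$digest_file" ]; then
        echo "FAIL: archive or digest file missing or empty" >&2
        return 1
    fi

    expected=$(awk 'NR == 1 { print $1 }' "$digest_file")
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "FAIL: digest mismatch, copy differs from source" >&2
        return 2
    fi

    # A matching digest only proves the copy equals the source; the source
    # itself may have been cut short (e.g. disk full during the backup).
    if ! gzip -t "$archive" 2>/dev/null; then
        echo "FAIL: gzip stream is damaged or truncated" >&2
        return 3
    fi

    entries=$(tar -tzf "$archive" 2>/dev/null | wc -l)
    if [ "$entries" -eq 0 ]; then
        echo "FAIL: archive contains no files" >&2
        return 4
    fi

    echo "OK: $archive verified ($entries entries, sha256 $actual)"
    return 0
}

# Stand-alone use: ./verify_backup.sh <archive.tgz> <archive.tgz.sha256>
if [ "$#" -eq 2 ]; then
    verify_offbox_copy "$1" "$2"
    exit $?
fi
```

A passing check shows the file is readable and unchanged in transit; it does not replace the test restore to a second machine that the post recommends.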

  3. #3
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default Re: MDS Upgradation..

    Hi,

    Thanx for ur quick reply...

    Two sets of hardware is very difficult...
    "rebuild the Appliance to R75.20" means Newly install R75.20 on Appliance which was earlier upgraded to R76.
    But is it possible from higher to lower...??

    I will test this on VM..

    Thanx..
    Thanx
    Arjun

  4. #4
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: MDS Upgradation..

    Quote Originally Posted by sawant.arjun@gmail.com View Post
    Hi,

    Thanx for ur quick reply...

    Two sets of hardware is very difficult...
    "rebuild the Appliance to R75.20" means Newly install R75.20 on Appliance which was earlier upgraded to R76.
    But is it possible from higher to lower...??

    I will test this on VM..

    Thanx..
    When you do a build to R75.20 on the system using an external USB-DVD drive, you are completely flattening the box. It repartitions and formats the disk, so what is currently on there is irrelevant (hence why it is very important that you move your snapshot / backup off the box before doing so). As such you can install ANY version you want as long as there is an ISO for Smart-1 50 appliances available; the existing disk contents are lost, so it doesn't matter what version was on there previously.

  5. #5
    Join Date
    2008-02-15
    Posts
    14
    Rep Power
    0

    Default Re: MDS Upgradation..

    If you have smart-1 appliance you can also do a snapshot and revert to the snapshot (see webui). I guess the snapshot will be done automatically during update anyway. Anyway, to be sure I prefer to have either a secondary mgmt server and a backup if something goes wrong.

    If you are using the non-inplace method, make sure you use mds_backup and mds_restore as mcnallym already mentioned but not the normal backup / restore commands. I normally do also the export / import upgrade but did an inplace upgrade of MDS with attached VSX environment from R75.20 to R76 about 4 weeks ago without any issues.

  6. #6
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default Re: MDS Upgradation..

    Quote Originally Posted by 21marvin View Post
    If you have smart-1 appliance you can also do a snapshot and revert to the snapshot (see webui). I guess the snapshot will be done automatically during update anyway. Anyway, to be sure I prefer to have either a secondary mgmt server and a backup if something goes wrong.

    If you are using the non-inplace method, make sure you use mds_backup and mds_restore as mcnallym already mentioned but not the normal backup / restore commands. I normally do also the export / import upgrade but did an inplace upgrade of MDS with attached VSX environment from R75.20 to R76 about 4 weeks ago without any issues.

    Hi,

    For upgrading secondary MDS, need to break HA between two MDS.
    How to break HA....???????

    Thanx
    Thanx
    Arjun

  7. #7
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: MDS Upgradation..

    When you upgrade the Primary then it won't synch with the non-upgraded Secondary as will be on a separate version.

    What I have always done personally, is just remove the Secondary Domains (so no HA). Flatten the Secondary MDS, by re-installation to the new Version.
    Then rebuild the Secondary Domains and synch them up to the Primary.

    However I have always done Clean Installs and imported the Primary MDS when doing this, rather than an inplace upgrade of the Primary.

  8. #8
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default Re: MDS Upgradation..

    Quote Originally Posted by mcnallym View Post
    When you upgrade the Primary then it won't synch with the non-upgraded Secondary as will be on a separate version.

    What I have always done personally, is just remove the Secondary Domains (so no HA). Flatten the Secondary MDS, by re-installation to the new Version.
    Then rebuild the Secondary Domains and synch them up to the Primary.

    However I have always done Clean Installs and imported the Primary MDS when doing this, rather than an inplace upgrade of the Primary.

    Hi mcnallym,

    Thanx for ur reply...

    just remove the Secondary Domains ( so no HA )

    ....Means physically disconnected the MDS or Just stopping the domain (Stop Domain Management Server) in domain contents. I m doing upgradation remotely.


    After re-installation to the new Version
    .....How the old Policy package retain on new version. Because firstly will upgrade only one MDS and after one week will second box.

    rebuild the Secondary Domains
    ......Means what...??


    Thanx..
    Thanx
    Arjun

  9. #9
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: MDS Upgradation..

    Quote Originally Posted by sawant.arjun@gmail.com View Post
    Hi mcnallym,

    Thanx for ur reply...

    just remove the Secondary Domains ( so no HA )

    ....Means physically disconnected the MDS or Just stopping the domain (Stop Domain Management Server) in domain contents. I m doing upgradation remotely.


    After re-installation to the new Version
    .....How the old Policy package retain on new version. Because firstly will upgrade only one MDS and after one week will second box.

    rebuild the Secondary Domains
    ......Means what...??


    Thanx..
    No I delete them in the MDS so are removed.

    After re-installation to the new Version
    Is the Secondary MDS that talking about, so the Policy Packages are available on the Primary, and re-synched when attached to the Primary MDS.

    rebuild the Secondary Domains
    As they have been deleted from the MDS then re-add them. The contents then synch from the Primary as they did initially.


    Can be drastic but has worked for me.

  10. #10
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default Re: MDS Upgradation..

    Quote Originally Posted by mcnallym View Post
    No I delete them in the MDS so are removed.

    After re-installation to the new Version
    Is the Secondary MDS that talking about, so the Policy Packages are available on the Primary, and re-synched when attached to the Primary MDS.

    rebuild the Secondary Domains
    As they have been deleted from the MDS then re-add them. The contents then synch from the Primary as they did initially.


    Can be drastic but has worked for me.

    Hi,

    Thanx for ur information...

    But "After re-installation to the new Version"
    Is the Secondary MDS that talking about, so the Policy Packages are available on the Primary, and re-synched when attached to the Primary MDS.

    .....How it will re-synced though there is mismatch in version.
    Primary--R75.20 and Secondary- Upgraded--R76

    Or can I Take mdsbackup from old secondary MDS (R75.20) and restore it on same upgraded MDS (R76)

    Thanx..
    Thanx
    Arjun

  11. #11
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: MDS Upgradation..

    mds_backup and mds_restore are for same version of software. You use the UnixInstallScript from the R76 media and select Export current Multi-Domain Server, transfer the file to the upgraded version and then use the mds_import command to do the upgrade

    When doing the Secondary then the Primary is already upgraded.

    Page 124 of the R76 Installation and Upgrade Guide

    Multi-Domain Server High Availability
    Multi-Domain Servers can only communicate and synchronize with other Multi-Domain Servers running the same version. If your deployment has more than one Multi-Domain Server, make sure they are upgraded to the same version.
    To upgrade multiple Multi-Domain Servers:
    1. Upgrade the primary Multi-Domain Server.
    2. Upgrade the other Multi-Domain Servers.
    During the upgrade process, we recommend that you do not use any of the Multi-Domain Servers to make changes to the databases. This can cause inconsistent synchronization between Multi-Domain Servers.

  12. #12
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default Re: MDS Upgradation..

    Quote Originally Posted by mcnallym View Post
    mds_backup and mds_restore are for same version of software. You use the UnixInstallScript from the R76 media and select Export current Multi-Domain Server, transfer the file to the upgraded version and then use the mds_import command to do the upgrade

    When doing the Secondary then the Primary is already upgraded.

    Page 124 of the R76 Installation and Upgrade Guide

    Multi-Domain Server High Availability
    Multi-Domain Servers can only communicate and synchronize with other Multi-Domain Servers running the same version. If your deployment has more than one Multi-Domain Server, make sure they are upgraded to the same version.
    To upgrade multiple Multi-Domain Servers:
    1. Upgrade the primary Multi-Domain Server.
    2. Upgrade the other Multi-Domain Servers.
    During the upgrade process, we recommend that you do not use any of the Multi-Domain Servers to make changes to the databases. This can cause inconsistent synchronization between Multi-Domain Servers.

    Hi mcnallym,

    Can u pls tell me how to run UnixInstallScript, because I never use this script.

    And second thing we are first upgrading secondary MDS (Will keep as standalone) and managed all the gateways.Then after some days will upgrade primary MDS.

    Is it possible to upgrade first secondary and then primary MDS. And how it proceed...


    Thax Once again..
    Thanx
    Arjun

  13. #13
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: MDS Upgradation..

    Page 124 states quite clearly

    To upgrade multiple Multi-Domain Servers:
    1. Upgrade the primary Multi-Domain Server.
    2. Upgrade the other Multi-Domain Servers.


    Not really sure why you are trying to do it a different way to what Check Point say to do!

    I would strongly suggest you go and read through the CP_R76_Installation_and_Upgrade_Guide.pdf from Check Point.
    It includes the outline of what you want to do, and also why you are exporting from the Primary and not the Secondary Boxes. Yes there is a reason why you do the Primary first!


    You mount the DVD Media in a USB-DVD Drive

    mount /dev/cdrom
    cd /mnt/cdrom

    ./UnixInstallScript

    will run the UnixInstallScript

    There are then various options presented to you one of which is Export

  14. #14
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default Re: MDS Upgradation..

    Quote Originally Posted by mcnallym View Post
    Page 124 states quite clearly

    To upgrade multiple Multi-Domain Servers:
    1. Upgrade the primary Multi-Domain Server.
    2. Upgrade the other Multi-Domain Servers.


    Not really sure why you are trying to do it a different way to what Check Point say to do!

    I would strongly suggest you go and read through the CP_R76_Installation_and_Upgrade_Guide.pdf from Check Point.
    It includes the outline of what you want to do, and also why you are exporting from the Primary and not the Secondary Boxes. Yes there is a reason why you do the Primary first!


    You mount the DVD Media in a USB-DVD Drive

    mount /dev/cdrom
    cd /mnt/cdrom

    ./UnixInstallScript

    will run the UnixInstallScript

    There are then various options presented to you one of which is Export

    Hi,

    I m doing first secondary for safer side, if anything happened wrong.....we can at least managed gateway by primary MDM.
    There is no way like upgrading first secondary box????????

    Where can i find UnixInstallScript??....require to download???

    Thanx once again....for keeping update me...Thanx
    Thanx
    Arjun

  15. #15
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: MDS Upgradation..

    I have already quoted you information from the R76 Installation and Upgrade Guide TWICE regarding doing the Primary MDS first.

    I also suggested that you have a read through the document as it outlines the overall procedure.

    It contains on Page 113 the line

    "In a High Availability deployment, you must export the primary Multi-Domain Server"

    On Page 119

    Exporting and Importing a Multi-Domain Server
    You can upgrade to the current version by replicating a deployment from existing (source) Multi-Domain Servers to target Multi-Domain Servers. This process combines a simplified methodology for upgrading a Multi-Domain Security Management deployment with the ability to thoroughly test the deployment prior to implementation.
    Use the UnixInstallScript command, with the Export option, to extract database and configuration settings from a Multi-Domain Server, together with its Domain Management Servers, and then stores this data in a single tgz file. If you are working with a high availability deployment, you must export the primary Multi-Domain Server.

    Page 124 of the Installation and Upgrade Guide

    Multi-Domain Server High Availability
    Multi-Domain Servers can only communicate and synchronize with other Multi-Domain Servers running the same version. If your deployment has more than one Multi-Domain Server, make sure they are upgraded to the same version.
    To upgrade multiple Multi-Domain Servers:
    1. Upgrade the primary Multi-Domain Server.
    2. Upgrade the other Multi-Domain Servers.
    During the upgrade process, we recommend that you do not use any of the Multi-Domain Servers to make changes to the databases. This can cause inconsistent synchronization between Multi-Domain Servers.
    Note - You must upgrade your Multi-Domain Log Servers to the same version as the Multi-Domain Servers.

    I don't know how can make this any clearer to you about that you export from the Primary MDS, and upgrade the Primary MDS first.

    If you really want to try and insist on doing the secondary MDS first then you will need to figure it out on your own, as very unlikely that anyone here will have done the upgrade in that way, as if you have issues then the first thing that TAC will say is revert and then follow through the correct procedure of upgrading the Primary MDS first.

    The script is in the root directory of the R76 Media.

    https://supportcenter.checkpoint.com...wupgradewizard

    Use the above to select the correct ISO image to download. Burn the ISO to DVD and then use as I have already previously mentioned.

  16. #16
    Join Date
    2011-10-03
    Posts
    76
    Rep Power
    9

    Default Re: MDS Upgradation..

    Quote Originally Posted by mcnallym View Post
    I have already quoted you information from the R76 Installation and Upgrade Guide TWICE regarding doing the Primary MDS first.

    I also suggested that you have a read through the document as it outlines the overall procedure.

    It contains on Page 113 the line

    "In a High Availability deployment, you must export the primary Multi-Domain Server"

    On Page 119

    Exporting and Importing a Multi-Domain Server
    You can upgrade to the current version by replicating a deployment from existing (source) Multi-Domain Servers to target Multi-Domain Servers. This process combines a simplified methodology for upgrading a Multi-Domain Security Management deployment with the ability to thoroughly test the deployment prior to implementation.
    Use the UnixInstallScript command, with the Export option, to extract database and configuration settings from a Multi-Domain Server, together with its Domain Management Servers, and then stores this data in a single tgz file. If you are working with a high availability deployment, you must export the primary Multi-Domain Server.

    Page 124 of the Installation and Upgrade Guide

    Multi-Domain Server High Availability
    Multi-Domain Servers can only communicate and synchronize with other Multi-Domain Servers running the same version. If your deployment has more than one Multi-Domain Server, make sure they are upgraded to the same version.
    To upgrade multiple Multi-Domain Servers:
    1. Upgrade the primary Multi-Domain Server.
    2. Upgrade the other Multi-Domain Servers.
    During the upgrade process, we recommend that you do not use any of the Multi-Domain Servers to make changes to the databases. This can cause inconsistent synchronization between Multi-Domain Servers.
    Note - You must upgrade your Multi-Domain Log Servers to the same version as the Multi-Domain Servers.

    I don't know how can make this any clearer to you about that you export from the Primary MDS, and upgrade the Primary MDS first.

    If you really want to try and insist on doing the secondary MDS first then you will need to figure it out on your own, as very unlikely that anyone here will have done the upgrade in that way, as if you have issues then the first thing that TAC will say is revert and then follow through the correct procedure of upgrading the Primary MDS first.

    The script is in the root directory of the R76 Media.

    https://supportcenter.checkpoint.com...wupgradewizard

    Use the above to select the correct ISO image to download. Burn the ISO to DVD and then use as I have already previously mentioned.

    Hi,

    Thanx for your information.
    Thanx
    Arjun
