CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: R65 to R75 using import_upgrade tools

  1. #1
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    128
    Rep Power
    14

    R65 to R75 using import_upgrade tools

    Hello,

    I am having problems with the migration of the Check Point manager from SPLAT R65 to GAIA R75. I have already built a new GAIA R75 manager and wish to migrate my rulebase, objects etc. across from R65 to R75.

    I have tried 3 options
    1. Migrate direct from SPLAT using upgrade_tools
    2. Copy over R75 upgrade_tools
    3. Extract Check_Point_migration_tools_R75.40.linux30.tgz and run ./migrate upgr

    In each case we are running
    cd /opt/CPsuite-R65/fw1/bin/upgrade_tools/
    ./upgrade_export test
    cp test.tgz /media/test.tgz

    Each execution finished with errors, see below

    Migrating from the current management version is not supported.
    For information on what platforms are supported for upgrade
    please refer to the release notes.

    Execution finished with errors. See log file '/opt/CPshrd-R65/log/migrate-Wed_Nov_13_12-10-24_2013.log' for further details

    An extract from the logs shows this error:

    [13 Nov 12:10:25] [CondExportingFromSupportedVersion::IsConditionHold s] ERR: Export from installed version is not supported
    [13 Nov 12:10:25] ..<-- CondExportingFromSupportedVersion::IsConditionHold s


    I am assuming that you can't go from R65 directly to R75.40. The R75.40 upgrade/migration tool has different compatibility constraints than the R75 version of that tool. So do I need to upgrade from a previous version (e.g. NGX R65) to an interim version first?
    For example: R65(splat) -> R75(splat) -> R75.40 (gaia)

    Or will I have to go through:
    Supported Management and Gateway Upgrade Paths - upgrade these Security Management Server and Security Gateway versions to R75.40:

    R70.50
    R71.40
    R71.45
    R75
    R75.10
    R75.20
    R75.30
    R75.40

  2. #2
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Re: R65 to R75 using import_upgrade tools

    I would suggest using a separate directory for the management tools, rather than placing them in the $FWDIR/bin/upgrade_tools directory. The installation and upgrade guide says to use that and rename the existing tools, however it is easier just to use a separate directory.

    I normally suggest

    /var/rxx-migration-tools/

    as the directory and then run the tools from within that directory

    The upgrade wizard suggests

    R65 SPLAT to R75 SPLAT on an interim VM
    R75 SPLAT to R75.40 GAIA

  3. #3
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    128
    Rep Power
    14

    Re: R65 to R75 using import_upgrade tools

    Quote (originally posted by mcnallym):
        I would suggest using a separate directory for the management tools, rather than placing them in the $FWDIR/bin/upgrade_tools directory. The installation and upgrade guide says to use that and rename the existing tools, however it is easier just to use a separate directory.

        I normally suggest

        /var/rxx-migration-tools/

        as the directory and then run the tools from within that directory

        The upgrade wizard suggests

        R65 SPLAT to R75 SPLAT on an interim VM
        R75 SPLAT to R75.40 GAIA

    Even if the import_export was successful, maybe all I am getting is the rule base & objects as part of the firewall configuration. Is that correct? I am thinking that maybe the quickest way around this is just to type in all the objects and rule base from scratch, as I can print them out OK from the other R65 device.

  4. #4
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Re: R65 to R75 using import_upgrade tools

    All that the migration / upgrade tools do is export the security policies and the objects used in the policies (including users, groups, services, hosts, networks etc.) from the Management Server in a format that can be imported into the Management Server of the version that the tools are for!

    What else are you expecting it to do?

    CondExportingFromSupportedVersion::IsConditionHold s] ERR: Export from installed version is not supported

    What version of tools were you using when you got that error log?

  5. #5
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    128
    Rep Power
    14

    Re: R65 to R75 using import_upgrade tools

    Quote (originally posted by mcnallym):
        All that the migration / upgrade tools do is export the security policies and the objects used in the policies (including users, groups, services, hosts, networks etc.) from the Management Server in a format that can be imported into the Management Server of the version that the tools are for!

        What else are you expecting it to do?

        CondExportingFromSupportedVersion::IsConditionHold s] ERR: Export from installed version is not supported

        What version of tools were you using when you got that error log?

    I was using Check_Point_migration_tools_R75.40.linux30.tgz on the R65 but it didn't like it.
    I have just rebuilt an R71.10 box as that is a recommended step in between, but I am thinking maybe I should just type the objects etc. into R75.40 as it's very time consuming.
    I think even if the upgrade export to R71 works I still have a few more new Check Point installs before I reach R75.40.

  6. #6
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: R65 to R75 using import_upgrade tools

    Quote (originally posted by oharek):
        I was using Check_Point_migration_tools_R75.40.linux30.tgz on the R65 but it didn't like it.
        I have just rebuilt an R71.10 box as that is a recommended step in between, but I am thinking maybe I should just type the objects etc. into R75.40 as it's very time consuming.
        I think even if the upgrade export to R71 works I still have a few more new Check Point installs before I reach R75.40.

    I've done a few of these (haven't done one in about 18 months) and I can tell you that upgrade_export and upgrade_import from R65 to R7x is not very stable, for the reason that if you have a so-called "plug-in", it will mess up the upgrade_import.

    I currently have a stand-alone SPLAT R65 box and I would like to upgrade it to GAIA R75.47. My upgrade_export is working fine, but the upgrade_import gives a lot of issues due to the plug-in that was enabled in R65 (there are fixes for this, I am sure, but you have to untar the file and remove some files, can't remember), and the upgrade_import does not work to R71.40.

    At this point I don't have any play other than to wait for that box to die and then rebuild another one from scratch with GAIA. Fortunately for me, I only have about 5 rules on this firewall.

    Good luck to you. In your case, open a TAC with Check Point and then wait for a few months.

  7. #7
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    128
    Rep Power
    14

    Re: R65 to R75 using import_upgrade tools

    Quote (originally posted by cciesec2006):
        I've done a few of these (haven't done one in about 18 months) and I can tell you that upgrade_export and upgrade_import from R65 to R7x is not very stable, for the reason that if you have a so-called "plug-in", it will mess up the upgrade_import.

        I currently have a stand-alone SPLAT R65 box and I would like to upgrade it to GAIA R75.47. My upgrade_export is working fine, but the upgrade_import gives a lot of issues due to the plug-in that was enabled in R65 (there are fixes for this, I am sure, but you have to untar the file and remove some files, can't remember), and the upgrade_import does not work to R71.40.

        At this point I don't have any play other than to wait for that box to die and then rebuild another one from scratch with GAIA. Fortunately for me, I only have about 5 rules on this firewall.

        Good luck to you. In your case, open a TAC with Check Point and then wait for a few months.

    I have about 50 rules on mine but I think I would be happy enough just to recreate all the objects and recreate the rule base. Is that all I have to do really? If I don't do the upgrade_import am I losing out on anything else?

  8. #8
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: R65 to R75 using import_upgrade tools

    Quote (originally posted by oharek):
        I have about 50 rules on mine but I think I would be happy enough just to recreate all the objects and recreate the rule base. Is that all I have to do really? If I don't do the upgrade_import am I losing out on anything else?

    I think you will be losing out on any changes you've made to files in these two directories: $FWDIR/conf and $FWDIR/lib. If you did not make any, then the answer is NO.
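
Added example (not part of the thread and not Check Point tooling): before rebuilding by hand, one way to find out whether anything under $FWDIR/conf or $FWDIR/lib was customised is to hash both directories and compare them with a clean install of the same version. The function names are hypothetical, and the script assumes a copy of a clean $FWDIR is available (for instance from an interim VM) and that `mktemp` plus `sha256sum` or `md5sum` exist on the box.

```shell
#!/bin/sh
# Added example: report drift in conf/ and lib/ between a clean FWDIR copy
# and the production FWDIR. Paths are supplied by the operator.

# hash_tree DIR: print "<hash>  <relative path>" for each file in DIR/conf and DIR/lib.
hash_tree() {
    dir=$1
    # Older platforms may lack sha256sum; md5sum is enough to spot edits.
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher=md5sum; fi
    ( cd "$dir" && find conf lib -type f 2>/dev/null | LC_ALL=C sort |
        while IFS= read -r f; do "$hasher" "$f"; done )
}

# compare_trees CLEAN CURRENT: list files that were changed, added or removed.
compare_trees() {
    if [ ! -d "$1" ] || [ ! -d "$2" ]; then
        echo "usage: compare_trees CLEAN_FWDIR CURRENT_FWDIR" >&2
        return 2
    fi
    base=$(mktemp) cur=$(mktemp)
    hash_tree "$1" > "$base"
    hash_tree "$2" > "$cur"
    awk '
        { h = $1; p = substr($0, length($1) + 3) }   # line is "hash  path"
        FILENAME == ARGV[1] { b[p] = h; next }       # first file: clean baseline
        { seen[p] = 1 }
        !(p in b)  { print "ADDED    " p; next }     # only on the current box
        b[p] != h  { print "CHANGED  " p }           # edited since install
        END { for (p in b) if (!(p in seen)) print "MISSING  " p }
    ' "$base" "$cur" | LC_ALL=C sort
    rm -f "$base" "$cur"
}

# Run as: sh fwdir_drift.sh /path/to/clean/fwdir "$FWDIR"
if [ "$#" -eq 2 ]; then compare_trees "$1" "$2"; fi
```

An empty report means there are no local edits in those two directories that a manual rebuild would drop; any CHANGED or ADDED file needs to be carried over by hand.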

  9. #9
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    128
    Rep Power
    14

    Re: R65 to R75 using import_upgrade tools

    Quote (originally posted by mcnallym):
        I would suggest using a separate directory for the management tools, rather than placing them in the $FWDIR/bin/upgrade_tools directory. The installation and upgrade guide says to use that and rename the existing tools, however it is easier just to use a separate directory.

        I normally suggest

        /var/rxx-migration-tools/

        as the directory and then run the tools from within that directory

        The upgrade wizard suggests

        R65 SPLAT to R75 SPLAT on an interim VM
        R75 SPLAT to R75.40 GAIA

    Thanks for your advice.
    Just to let you know, this advice was correct.

    I went R65 SPLAT to R71.40 SPLAT on an interim VM, then R75 SPLAT and then R75.40 GAIA.
    Upgrade_export and upgrade_import is quite tricky but I got there in the end.
    I also needed a new Software Blade license as R71 onwards is different to R65, but these upgrades were free.
