CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: What are correct steps to roll back from R77.30 to R76?

  1. #1
    Join Date
    2017-04-21
    Posts
    32
    Rep Power
    0

    Default What are correct steps to roll back from R77.30 to R76?

    Hi,

    I am looking to upgrade a Management server and a gateway from R76 to R77.30. I was wondering, if I had to roll back from R77.30 to R76, what are the correct steps?

    Thanks

  2. #2
    Join Date
    2017-04-21
    Posts
    32
    Rep Power
    0

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Hi,

    Does anyone know the correct steps to roll back without doing a fresh install?

    Thanks

  3. #3
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by juniorra22 View Post
    Hi,

    Does anyone know the correct steps to roll back without doing a fresh install?

    Thanks
    You could take a backup, then restore to that if things go wrong. I wouldn't trust that, though. Check Point's backup and snapshot tools sometimes fail in weird and non-obvious ways. It's better to take a 'migrate export' and clish dump from the SmartCenter, then rebuild it from scratch if things go wrong.

    The important thing is to test your recovery path. Just build a VM in VirtualBox or something and import your SmartCenter's config to it. Take your backup or whatever, try the upgrade in the VM, then try to revert to your backup. Should take maybe two hours total, including building the VM.

    On the firewall side, dump the config from clish. If you use dynamic routing, check the web UI for any route redistribution or anything else you don't see in the clish config. With that information, rebuilding a firewall from scratch should only take 20 minutes (probably less). You can test the snapshot and backup options in a VM, too.
    Zimmie

  4. #4
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Snapshot mechanism provides the best rollback option, but it takes time, obviously.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by varera View Post
    Snapshot mechanism provides the best rollback option, but it takes time, obviously.
    I'm not a fan of snapshots in large part because the UI is awful.

    "Are you sure you want to take a snapshot?"
    Yes.
    "Okay! Stopping services!"
    Wait, what?!

    As long as you know they are disruptive, I suppose they're passable.

    Edited to add: And of course, be sure to test it on non-production systems (like a VM) before depending on it in production! That way, you'll know about issues like snapshot stopping services without warning you it will do so.
    Last edited by Bob_Zimmerman; 2017-11-06 at 12:09.
    Zimmie

  6. #6
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by Bob_Zimmerman View Post
    I'm not a fan of snapshots in large part because the UI is awful.

    "Are you sure you want to take a snapshot?"
    Yes.
    "Okay! Stopping services!"
    Wait, what?!

    As long as you know they are disruptive, I suppose they're passable.

    Edited to add: And of course, be sure to test it on non-production systems (like a VM) before depending on it in production! That way, you'll know about issues like snapshot stopping services without warning you it will do so.
    Not sure what you're referring to. Here is a snapshot of R77.30 JHFA 286. I didn't see any service being stopped.

    Power-1-P> add snapshot ttt
    Taking snapshot. You can continue working normally.
    You can use the command 'show snapshots' to monitor creation progress.
    Power-1-P>

  7. #7
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by cciesec2006 View Post
    Not sure what you're referring to. Here is a snapshot of R77.30 JHFA 286. I didn't see any service being stopped.

    Power-1-P> add snapshot ttt
    Taking snapshot. You can continue working normally.
    You can use the command 'show snapshots' to monitor creation progress.
    Power-1-P>
    Huh! I guess I haven't tried it recently enough. I will have to test it again.
    Zimmie

  8. #8
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by Bob_Zimmerman View Post
    Huh! I guess I haven't tried it recently enough. I will have to test it again.
    Gaia does not require stopping services on GWs to make snapshots. Although, it is called "image management" now :-)
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  9. #9
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by Bob_Zimmerman View Post
    Huh! I guess I haven't tried it recently enough. I will have to test it again.
    LOL.... this has been available since R75 in 2012. You're about 5 years late

  10. #10
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by cciesec2006 View Post
    LOL.... this has been available since R75 in 2012. You're about 5 years late
    Most of my major firewalls are still R67 because there is no feature-complete successor product. Still rearchitecting my network so it no longer depends on the missing features. I don't trust snapshots on my SmartCenters. 'migrate export' and rebuilding is a clean recovery mechanism which takes roughly the same amount of time and works in a much wider range of situations than anything purely-local can.
    Zimmie

  11. #11
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by Bob_Zimmerman View Post
    Most of my major firewalls are still R67 because there is no feature-complete successor product.
    Realizing that I'm probably opening a can of worms by broaching this question, what features are you using in R67 that are NOT in current versions?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  12. #12
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by PhoneBoy View Post
    Realizing that I'm probably opening a can of worms by broaching this question, what features are you using in R67 that are NOT in current versions?
    This is all getting waaaay off topic. It's multi-instance OSPF I inherited, and I'll send details via DM.

    It sounds like snapshots are a viable method of reverting an update in GAiA as long as the box still boots. I think a 'migrate export' from the SmartCenter copied off of it would be a good idea in case things go badly wrong, but it is not likely to be used.

    Test your backup and recovery method. If you don't test it, you don't have a real backup. It should only take a few hours to try it out, and it can save you an enormous amount of worry and pain later.
    Zimmie

  13. #13
    Join Date
    2017-04-21
    Posts
    32
    Rep Power
    0

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Thanks for the replies. Can someone please let me know if this is a correct statement then?

    Take a snapshot of R76, upgrade to R77.30, and then if you want to revert back, just restore the snapshot on R77.30 and it will downgrade the OS and system to R76.

    Thanks

  14. #14
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by Bob_Zimmerman View Post
    Most of my major firewalls are still R67 because there is no feature-complete successor product. Still rearchitecting my network so it no longer depends on the missing features. I don't trust snapshots on my SmartCenters. 'migrate export' and rebuilding is a clean recovery mechanism which takes roughly the same amount of time and works in a much wider range of situations than anything purely-local can.
    Oh gosh... Running an outdated unsupported version and justifying it. Are you in the health industry by any chance?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  15. #15
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by varera View Post
    Oh gosh... Running an outdated unsupported version and justifying it. Are you in the health industry by any chance?
    Finance, actually. Where regulatory compliance and security are totally different (and often contradictory) goals. I'm certainly not trying to justify it. I am not able to upgrade yet because it would break the environment. That is a terrible situation entirely of my team's making. For some insane reason, previous admins used routing as a form of access control. If client A can't route to server B, we don't need to be careful with firewall rules! Inevitably, client A wanted to route to server C on the same network block as B, breaking the access control.

    Said previous admins left once they had made everything a tangled, barely-manageable mess.
    Zimmie

  16. #16
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by Bob_Zimmerman View Post
    Finance, actually. Where regulatory compliance and security are totally different (and often contradictory) goals. I'm certainly not trying to justify it. I am not able to upgrade yet because it would break the environment. That is a terrible situation entirely of my team's making. For some insane reason, previous admins used routing as a form of access control. If client A can't route to server B, we don't need to be careful with firewall rules! Inevitably, client A wanted to route to server C on the same network block as B, breaking the access control.

    Said previous admins left once they had made everything a tangled, barely-manageable mess.
    Jeez, that sounds scary...
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  17. #17
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Re: What are correct steps to roll back from R77.30 to R76?

    Quote Originally Posted by varera View Post
    Jeez, that sounds scary...
    And you know how it goes. Cleanup is always a lower priority than new-shiny right up until the environment collapses because the foundation had slowly turned into smoldering tire fires.

    Bringing it back around, that is part of why I push so hard for testing, particularly when it only takes a relatively small time to do so. Anything you don't test has the potential to turn into an enormous problem later on. By the time you notice it's broken, you may be in a situation which will take weeks or months of work to fix.

    Backups and restorations can fail in very subtle ways. To use an example from another thread, I had to RMA a box a while ago. Turns out the clish config doesn't contain everything you can set up through the web UI (in my case, route redistribution). The cluster shows everything is fine, but things work on one member, then they fail spectacularly and mysteriously on the other.
    Zimmie
