All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point
Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement,
Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1,
FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless
Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management,
Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer,
SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro,
SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering,
TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-
1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web
Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router,
Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check
Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The
products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Contents
On IPSO
Installing a Contract File on a Gateway
On a Windows Platform
On SecurePlatform, Linux, and Solaris Gateways
On IPSO
Managing Contracts with SmartUpdate
Managing Contracts
Updating Contracts
Reverting to Your Previous Deployment
Minimal Effort Upgrade on a ClusterXL Cluster
Zero Downtime Upgrade on a ClusterXL Cluster
Supported Modes
Full Connectivity Upgrade on a ClusterXL Cluster
Understanding a Full Connectivity Upgrade
Supported Modes
Performing a Full Connectivity Upgrade
Restoring Your Original Environment
Renaming Customers
Identifying Non-Compliant Customer Names
High Availability Environment
Automatic Division of Non-Compliant Names
Resolving Non-Compliance
Advanced Usage
Changing the MDS IP Address and External Interface
IP Address Change
Interface Change
SmartDefense in Provider-1
Index
Preface
Who Should Use This Guide
Chapter: Description
Chapter 1, “Introduction to the Upgrade Process”: This chapter introduces the upgrade process.
Chapter 2, “Upgrading Licenses for Products Prior to NGX”: This chapter covers licensing issues as regards NGX.
Chapter 3, “Service Contract Files”: This chapter covers Service Contract Files.
Chapter 4, “Upgrading a Distributed Deployment”: This chapter covers upgrading a distributed deployment; that is, where the enforcement points and SmartCenter server are installed on separate machines.
Chapter 5, “Backup and Revert for VPN-1 Power/UTM”: This chapter covers the backup and revert process.
Chapter 6, “Upgrading a Standalone Deployment”: This chapter covers upgrading a standalone deployment, where the enforcement point and the SmartCenter server are installed on the same machine.
Chapter 7, “Advanced Upgrade of SmartCenter Servers & Standalone Gateways”: This chapter covers Advanced upgrade procedures for SmartCenter Server and Standalone Gateways.
Chapter 8, “Upgrading ClusterXL Deployments”: This chapter covers upgrade issues relating to ClusterXL.
Chapter 9, “Upgrading Provider-1”: This chapter covers upgrade issues regarding Provider-1.
Chapter 10, “Upgrading SmartLSM ROBO Gateways”: This chapter covers upgrading SmartLSM ROBO Gateways.
Chapter 11, “Upgrading Eventia”: This chapter covers upgrading Eventia Reporter.
Related Documentation
The NGX R65 release includes the following documentation:
Title: Description
Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step-by-step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
SmartCenter Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.
Firewall and SmartDefense Administration Guide: Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart, etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
SecurePlatform™/SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

Title: Description
Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.
Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
Integrity Advanced Server System Requirements: Provides information about client and server requirements.
Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.
Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files.
Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.
More Information
• For additional technical information about Check Point products, consult Check
Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
Chapter 1
Introduction to the Upgrade Process
In This Chapter
Documentation
NGX License Upgrade
Contract Verification
Management Plug-in Infrastructure
Supported Upgrade Paths and Interoperability
Obtaining Software Installation Packages
Terminology
Upgrade Tools
Upgrading Successfully
Documentation
This guide covers all available upgrade paths for Check Point products from
VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading
to NGX R65. The R65 release focuses on:
• Increased performance
• End point security
• Central management
• Interoperability
Before you begin:
• Make sure that you have the latest version of this document by checking in the
User Center at:
http://www.checkpoint.com/support/technical/documents
• It is a good idea to have the latest version of the NGX R65 Release Notes
handy. Download them from:
http://www.checkpoint.com/support/technical/documents
For a new features list, refer to the “NGX R65 What’s New Guide”:
http://www.checkpoint.com/support/technical/documents
NGX License Upgrade
Note - NGX R60 and later products do not require a license upgrade.
The license upgrade procedure can be performed if you have purchased any of the
Enterprise Software Subscription services. License upgrade will fail for products
and accounts for which you do not have a software subscription.
You can manage your accounts, licenses, and Enterprise Support Programs
coverage (under Support Programs) from the User Center at:
http://usercenter.checkpoint.com
License upgrade is performed by means of an easy to use tool that automatically
upgrades both locally and centrally managed licenses. Using the tool, you can
upgrade all licenses in the entire managed system. License upgrade can also be
performed manually, per license, in the User Center.
The automatic license upgrade tool enables you to:
1. View the status of the currently installed licenses. On a SmartCenter server (or
a CMA, for Provider-1), you can also view the licenses in the SmartUpdate
License Repository.
2. Simulate the license upgrade process.
3. Perform the actual license upgrade process.
During the license upgrade, all eligible licenses are gathered and sent in SSL
encrypted format to the User Center. Upgraded licenses are returned from the User
Center, and automatically installed. The license upgrade process adds only NGX
licenses. Old licenses and non-eligible licenses (e.g., evaluation licenses or
licenses that pertain to IP addresses no longer in use) remain untouched.
When run on a SmartCenter server (or a CMA, for Provider-1), the license upgrade
process also handles licenses in the SmartUpdate License Repository. After the
software upgrade, SmartUpdate is used to attach the new NGX licenses to the
gateways.
The license upgrade process varies according to the type of deployment:
• License upgrade for VPN-1 Pro/Express deployments is described in Chapter 2,
“Upgrading Licenses for Products Prior to NGX” on page 29.
• License upgrade for Provider-1 deployments is described in
“Provider-1/SiteManager-1 License Upgrade” on page 220.
• License upgrade for SmartLSM deployments is described in “License Upgrade
for a VPN-1 Power/UTM ROBO Gateway” on page 276.
For the latest NGX license upgrade information and downloads, check:
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
Contract Verification
Contract verification is now an integral part of the Check Point licensing scheme.
Before upgrading to the latest version, your licensing agreements are verified
through the User Center.
See “Service Contract Files” on page 59 for more information.
Supported Upgrade Paths and Interoperability
Release Version
NGX VPN-1 Power/UTM NGX R62
VPN-1 Pro/Express NGX R61
VPN-1 Pro/Express NGX R60A
VPN-1 Pro/Express NGX R60
NG VPN-1 Pro NG R55P
VPN-1 Pro NG R55W
VPN-1 Pro/Express NG With Application Intelligence R55
VPN-1 Pro/Express NG With Application Intelligence R54
VPN-1 Pro/Express NG FP3
Express CI R57
GX 2.5, 2.5, NGX
VSX VSX 2.0.1
VSX NG AI
VSX NG AI Release 2
VSX NGX
InterSpect NGX
Connectra NGX R62
Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2
Obtaining Software Installation Packages
Terminology
Advanced Upgrade: In order to avoid unnecessary risks, it is possible to migrate the
current configuration to a spare server. The upgrade process is then performed on
the migrated server, leaving the production server intact.
ClusterXL: A software-based load sharing and high availability solution for Check
Point gateway deployments. It distributes traffic between clusters of redundant
gateways so that the computing capacity of multiple machines may be combined to
increase total throughput. In the event that any individual gateway becomes
unreachable, all connections are re-directed to a designated backup without
interruption. Tight integration with Check Point's SmartCenter management and
enforcement point solutions ensures that ClusterXL deployment is a simple task for
VPN-1 administrators.
Distributed Deployment: A distributed deployment is performed when the gateway
and the SmartCenter server are deployed on different machines.
Gateway or Check Point Gateway: A gateway is the VPN-1 engine which actively
enforces the Security Policy of the organization.
In Place Upgrade: In Place upgrades are upgrades performed locally.
LSM: Large Scale Manager. SmartLSM enables enterprises to easily scale, deploy,
and manage VPNs and security for thousands of remote locations.
Management Virtual System (MVS): A default Virtual System created by the VSX
installation process during installation. The MVS:
• Handles provisioning and configuration of Virtual Systems and Virtual Routers.
• Manages Gateway State Synchronization when working with clusters.
Package Repository: This is a SmartUpdate repository on the SmartCenter server
that stores uploaded packages. These packages are then used by SmartUpdate to
perform upgrades of Check Point Gateways.
ROBO Gateways: A Remote Office/Branch Office Gateway.
ROBO Profile: An object that you define to represent properties of multiple ROBO
Gateways. Profile objects are version dependent; therefore, when you plan to
upgrade ROBO Gateways to a new version, first define new Profile objects for your
new version. In general, it is recommended that you keep the Profile objects of the
previous versions until all ROBO Gateways of the previous version are upgraded to
the new version. For further information about defining a ROBO Profile, refer to the
Defining Policies for the Gateway Profile Objects chapter in the Check Point R65
SmartLSM Administration Guide.
Upgrade Tools
Various upgrade tools are provided for migration and compatibility verification of
your current deployment. These tools help you successfully upgrade to NGX R65.
The upgrade tools can be found in the following locations:
• in the NGX R65 $FWDIR/bin/upgrade_tools directory.
• http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
Upgrading Successfully
If you encounter unforeseen obstacles during the upgrade process, contact your
Reseller or our SecureKnowledge support center at:
https://secureknowledge.checkpoint.com
Chapter 2
Upgrading Licenses for Products Prior to NGX
Overview of NGX License Upgrade
Introduction to License Upgrade
Licensing Terminology
The license upgrade procedures use specialized licensing terminology. It is
important to understand the terminology in order to successfully perform the
license upgrade.
• License Upgrade: The process of upgrading the license version from NG to
NGX.
• Software Upgrade: The process of upgrading Check Point software to version
NGX.
• License Repository: A repository on the SmartCenter server that stores licenses
for Check Point products. It is used by SmartUpdate to install and manage
licenses on Check Point Gateways.
• Wrapper: The wizard application on the Check Point CD that allows you to
install and upgrade Check Point products and upgrade licenses.
Tool Location
The license_upgrade tool can be found in one of the following locations:
• On the NGX product CD at <Specific_platform>\
• In the Check Point Download site at:
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
• It is also part of the NGX installation, located at $CPDIR/bin.
Tool Options
The license_upgrade command line tool has a number of options. To view all of the
options, run:
license_upgrade
Table 2-1 lists the available options:
Option Meaning
[L] Displays the licenses installed on your machine.
[S] Sends existing licenses to the User Center website to simulate the license upgrade to verify that it can be performed. No actual upgrade is performed and no new licenses are returned.
[U] Sends existing licenses to the User Center website to perform an upgrade and (by default, in online mode) installs them on the machine.
[C] Reports whether or not there are licenses on the machine that need to be upgraded.
[O] Performs license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
[V] Displays log of last license upgrade or last upgrade simulation.
Note - License upgrade simulation can only be performed on a machine with Internet
connectivity to the Check Point User Center.
Performing the License Upgrade
Note - Version 4.1 licenses cannot be upgraded directly to NGX. You must first upgrade
software and licenses to version NG.
Table 2-2 lists the Check Point licenses that are upgraded for each license upgrade
method:
Table 2-2
License Management Method | License Upgrade for | Licenses Upgraded
Centrally managed using SmartUpdate | Entire managed System (Run upgrade tool on SmartCenter server) | Local machine licenses (for SmartCenter); License Repository (for gateways)
Locally managed | Gateway | Local machine licenses
Locally managed | SmartCenter server | Local machine licenses
Locally managed | Standalone gateway deployment, containing both a SmartCenter and a gateway (that manages no remote gateways) | Local machine licenses (for SmartCenter and gateway)
What Next?
Select the right procedure for you:
• “Deployment with Licenses Managed Centrally Using SmartUpdate” on page 39
• “Deployment with Licenses Managed Locally” on page 44
Deployment with Licenses Managed Centrally Using SmartUpdate
Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on
Windows platforms with via-proxy Internet connectivity.
9. Copy the cache file (with the new licenses) to the offline SmartCenter. Copy the
file to the same directory as the license upgrade tool.
10. Run the license_upgrade tool on the offline SmartCenter:
• Press [U] to run the upgrade operation.
• Press [N] when asked “Is this machine connected to the Internet?”.
• Press [I] to import the output file (with the upgraded licenses) to the
SmartCenter.
• Enter the output file name with all the upgraded licenses.
11. To check if currently installed licenses have been upgraded, return to the main
menu and press [C].
This displays the number of upgraded licenses on the machine and whether the
original NG licenses have a replacement NGX license.
12. Perform the software upgrade to NGX on both the SmartCenter machine and the
SmartConsole GUI machine.
13. On the SmartConsole GUI machine, open SmartUpdate and connect to the
SmartCenter server. The updated licenses are displayed as Assigned. Use the
Attach assigned licenses option to attach the assigned licenses to the gateways.
14. Perform the software upgrade to NGX on the gateway machine(s).
15. Delete obsolete licenses from NGX gateways. At the SmartConsole GUI
machine, open SmartUpdate and connect to the SmartCenter server. In the
License Repository, sort by the State column, select all the Obsolete licenses,
Detach them, and then Delete them.
Note - SmartUpdate indicates whether a license is Attached or Unattached, and the license
state.
Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on
Windows platforms with via-proxy Internet connectivity.
4. Press [U] to run the upgrade operation. This does the following:
• Collects all the licenses that exist on the machine.
• Fetches updated licenses from the User Center.
• Installs new licenses on the local machine.
Deployment with Licenses Managed Locally
12. To find out which licenses on the machine are obsolete, run cplic print.
13. Delete the obsolete licenses from the machine. For each obsolete license, run:
cplic del <license_signature>
Trial Licenses
Every Check Point product comes with a Trial License that allows unrestricted use
of the product for 15 days.
After the software upgrade, the Trial License continues to work for the remaining
days of the license. There is no need to upgrade the Trial License.
The Trial License does not work if you migrate your current SmartCenter
configuration to a new machine and then upgrade the new machine to NGX.
Troubleshooting License Upgrade
Symptoms
• Error: Warning: Can't find .... in cp.macro. License version might be not compatible
• Error occurs with commands such as cplic print, cpstop, cpstart, and fw ver.
Cause
This error occurs in any situation where a licensed version is not compatible with
the version installed on a machine, for example, an NGX license on an NG
machine. This error typically occurs when the license on the target machine is
upgraded to NGX before the software is upgraded from a previous NG version to
NGX.
If the license upgrade is performed before the software upgrade, Check Point
products generate warning messages until all the software on the machine has been
upgraded. Refer to “License Upgrade Methods” on page 37 to determine the
upgrade path that best applies to your current configuration.
Resolution
Upgrade the software to version NGX. Errors should not appear after the upgrade.
Note that these errors do not affect the functionality of the version NG software.
Cause
Evaluation licenses are not entitled to a license upgrade.
Resolution
Evaluation licenses cannot be upgraded. If you do not need the evaluation license,
delete it. If you do need it, contact Account Services at US +1 817 606 6600
(option 7) or e-mail AccountServices@ts.checkpoint.com.
Cause
The evaluation licenses do not exist in the User Center. Evaluation licenses are not
entitled to a license upgrade.
An evaluation license can be identified by examining the license string. Evaluation
licenses may contain one of the following strings in the Features description:
CK-CP
or
CK-CHECK-POINT-INTERNAL-USE-ONLY
Resolution
Evaluation licenses cannot be upgraded. If you do not need the evaluation license,
delete it. If you do need it, contact Account Services at US +1 817 606 6600
(option 7) or e-mail AccountServices@ts.checkpoint.com.
Cause
VPN-1 Net and VPN-1 SmallOffice are not supported in NGX; therefore, the User
Center generates an error message if an attempt is made to upgrade the license for
these products.
The affected SKUs are:
• VPN-1 Net Family SKUs: CPVP-VNT and LS-CPVP-VNT families
• SmallOffice family SKUs: CPVP-VSO and LS-CPVP-VSO families
Resolution
Contact Account Services at US +1 817 606 6600 (option 7) or e-mail
AccountServices@ts.checkpoint.com.
Cause
The enforcement of NG gateway features is now performed by the NGX SmartCenter
server. For example, the licensing model of QoS (formerly FloodGate-1) for VPN-1
UTM was altered in NGX, and VPN-1 UTM NGX gateways with QoS require an
appropriate license to be installed on the SmartCenter server. In this scenario, the
license upgrade is not handled automatically. The affected SKU family for QoS is:
CPXP-QOS.
Resolution
If you have an NG Express gateway with a QoS (FloodGate-1) license, or in any
other instance where this problem occurs, proceed as follows:
1. Perform a license upgrade at the User Center website to generate a new
license.
2. Install the new, upgraded license on the NGX management machine (even if
you do not upgrade the gateway).
3. Upgrade the gateway.
4. Delete the unneeded license from the gateway in one of two ways:
• From the command line, run:
cplic del <license_signature>
• Using SmartUpdate, select the unneeded license, Detach it, and then Delete
it.
Cause
This specific license does not exist in any of the accounts that belong to this user.
Resolution
Run the tool again with the appropriate username.
Note that each time you run the tool with a different username, upgraded licenses
from the User Center are added to a cache file located on your machine. This file
contains the successfully upgraded licenses from previous runs.
If the partially successful license upgrade was performed via the Wrapper, then,
after the Wrapper has finished, run the license upgrade again via the command
line, using the appropriate username.
Cause
This user is not authorized to change this license in the User Center.
Resolution
Run the tool again with the appropriate username.
Note that each time you run the tool with a different username, upgraded licenses
from the User Center are added to a cache file located on your machine. This file
contains the successfully upgraded licenses from previous runs.
If the partially successful license upgrade was performed via the Wrapper, then,
after the Wrapper has finished, run the license upgrade again via the command
line, using the appropriate username.
Cause
The NG version of SecureClient requires two licenses: one license for the gateway
and one for the SmartCenter server. In NGX, only the management license is
needed. The gateway license (CPVP-VPS-1-NG) is no longer needed because it is
incorporated in the VPN-1 license. The relevant SKU families are:
• CPVP-VSC
• LS-CPVP-VSC
• CPVP-VMC
• LS-CPVP-VMC
• CPVP-VSC-100-DES-NG
Resolution
After the software upgrade, delete the unneeded gateway license from the machine.
Do this in one of two ways:
• From the command line, run:
cplic del <license_signature>
• Using SmartUpdate, select the unneeded license, Detach it, and then Delete it.
SmartDefense Licenses
Symptoms
User Center Message (Error code: 902):
SmartDefense License is not needed on the gateway.
Cause
In NGX, enforcement of SmartDefense licenses is handled by the User Center. The
affected SKU families are SU-SMRD and SU-SMDF.
Resolution
Delete the unneeded license from the machine.
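The evaluation markers and SKU families named in the troubleshooting entries above can be checked before license_upgrade is run. The following is an added example, not part of the Check Point guide or its tools: a shell function that classifies a license's feature string using only the strings listed in this chapter. The `label|features` input format, the verdict names, the whole-token match for the evaluation markers, and the sample SKUs ending in -EXAMPLE are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide or the license_upgrade tool.
# Classifies license feature strings against the SKU families and evaluation
# markers named in this chapter's troubleshooting entries.
# Assumptions: features are whitespace-separated tokens; evaluation markers
# are matched as whole tokens; verdict names are made up for this example.

# classify_features "<feature string>"  ->  prints one verdict
#   evaluation   cannot be upgraded (delete it or contact Account Services)
#   unsupported  VPN-1 Net / SmallOffice, not supported in NGX
#   manual-qos   CPXP-QOS: upgrade in the User Center, install on management
#   redundant    SecureClient / SmartDefense license not needed on NGX gateway
#   eligible     none of the exceptions listed in this chapter matched
classify_features() {
    verdict=eligible
    set -f                          # disable globbing while word-splitting $1
    for sku in $1; do
        case $sku in
            CK-CP|CK-CHECK-POINT-INTERNAL-USE-ONLY)
                verdict=evaluation ;;
            CPVP-VNT*|LS-CPVP-VNT*|CPVP-VSO*|LS-CPVP-VSO*)
                if [ "$verdict" != evaluation ]; then verdict=unsupported; fi ;;
            CPXP-QOS*)
                case $verdict in
                    eligible|redundant) verdict=manual-qos ;;
                esac ;;
            CPVP-VSC*|LS-CPVP-VSC*|CPVP-VMC*|LS-CPVP-VMC*|SU-SMRD*|SU-SMDF*)
                if [ "$verdict" = eligible ]; then verdict=redundant; fi ;;
        esac
    done
    set +f
    printf '%s\n' "$verdict"
}

# triage: reads "label|feature string" lines on stdin and prints
# "label verdict" per license; blank lines and #-comments are skipped.
triage() {
    while IFS='|' read -r label features; do
        case $label in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$label" "$(classify_features "$features")"
    done
}

# count_needing_action: number of licenses that match one of the exceptions
# and therefore need a manual step before or after the upgrade.
count_needing_action() {
    triage | grep -c -v ' eligible$' || true
}

# CONSTRUCTED sample inventory: labels, -EXAMPLE SKUs and CK-000000000000
# are placeholders, not real license data.
sample_inventory() {
    cat <<'EOF'
# label|features
gw-branch|CPVP-VNT-EXAMPLE CK-000000000000
mgmt|EXAMPLE-SKU CK-000000000000
lab|EXAMPLE-SKU CK-CP
gw-qos|CPXP-QOS-EXAMPLE CK-000000000000
gw-vpn|CPVP-VSC-100-DES-NG CK-000000000000
gw-sd|SU-SMDF-EXAMPLE CK-000000000000
EOF
}

sample_inventory | triage
```

A verdict of eligible only means that none of the exceptions listed in this chapter matched; the simulation option [S] of license_upgrade remains the check against the User Center.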
Cause
The license upgrade may fail for some licenses and succeed for others. A license
may fail to upgrade for a number of reasons. For example, you may not have an
Enterprise Subscription contract for the licensed product. For additional reasons
why the license upgrade may fail, refer to “Troubleshooting License Upgrade” on
page 48.
Resolution
After solving some or all of the licensing problems referred to in the error log, run
the license_upgrade tool. This upgrades the licenses for which the problem has
been solved.
The tool can be found in one of the following locations:
• On the CD at <Specific_platform>
• In the Check Point Download site at:
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
When the license_upgrade tool is run several times, the results are cumulative.
This means that if the upgrade of some licenses failed and the tool is run again:
• Licenses that have been successfully upgraded to NGX remain unchanged.
• Licenses that failed to upgrade in a previous run and were now successfully
upgraded are added to the machine.
For example, if the license upgrade failed because there was no Enterprise
Software Subscription contract for the licensed product, purchase Software
Subscription for those products and then run the tool again to fetch the new
licenses from the User Center website.
Cause
The file with the upgraded licenses that was fetched from the User Center cannot
be imported into the SmartUpdate License Repository while SmartUpdate is open.
Resolution
Close any SmartUpdate GUI client that is running, and run
license_upgrade import -r
The upgraded licenses are imported into the SmartUpdate License Repository.
Cause
Access to port HTTPS-443 is not allowed through the firewall. Access to the User
Center requires this port to be open.
Resolution
Open port HTTPS-443 in the firewall.
For example, in a deployment with one main firewalled gateway, and other gateways
for branch offices within the organization, open HTTPS-443 in the main gateway
for all the branch office gateways behind it.
Contract Verification
Contract verification is an integral part of the Check Point Licensing scheme. See
“Service Contract Files” on page 59 for more information.
Chapter 3
Service Contract Files
In This Chapter
Introduction
Working with Contract Files
Installing a Contract File on SmartCenter server
Installing a Contract File on a Gateway
Managing Contracts with SmartUpdate
Introduction
Before upgrading a gateway or SmartCenter server to NGX R65, you need to have a
valid support contract that includes software upgrade and major releases registered
to your Check Point User Center account. The contract file is stored on SmartCenter
Server and downloaded to VPN-1 Power/UTM gateways during the upgrade process.
By verifying your status with the User Center, the contract file enables you to easily
remain compliant with current Check Point licensing standards.
Working with Contract Files
On a Windows Platform
When upgrading SmartCenter server, the upgrade process checks to see whether a
contract file is already present on the server. If not, the main options for obtaining
a contract are displayed:
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, you may download a
contract file directly from the User Center. The contract file obtained
through the User Center contains contract information for all of your
accounts at the User Center and conforms with the terms of your licensing
agreements.
i. Click Next.
If the connection succeeds but the downloaded contract file does not
cover the SmartCenter server, a message informs you that the
SmartCenter server is not eligible for upgrade.
However, the absence of a valid contract file will not prevent the
upgrade from taking place. Once the upgrade is complete, contact your
local support provider to obtain a valid contract.
• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to:
https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support.
iv. On the Downloads page, in the Service Contract File Download section,
click Download Now:
If the contract file does not cover the SmartCenter server, a message
informs you that the SmartCenter server is not eligible for upgrade.
However, the absence of a valid contract file will not prevent the
upgrade from taking place. Once the upgrade is complete, contact your
local support provider to obtain a valid contract.
vi. Click Next to continue with the upgrade process
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at
a later date. Note that at this point your gateway is not strictly eligible for
an upgrade; you may be in violation of your Check Point Licensing
Agreement, as shown in the final message of upgrade process:
On SecurePlatform, Linux, and Solaris
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a
contract file directly from the User Center. The contract file obtained
through the User Center conforms with the terms of your licensing
agreements. If you choose to download contract information from the User
Center, you are prompted to enter your:
• User name
• Password
If the contract file does not cover the SmartCenter server, a message
informs you that the SmartCenter server is not eligible for upgrade.
However, the absence of a valid contract file will not prevent the upgrade
from taking place. Download a valid contract at a later date using
SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 82 for
more information on using SmartUpdate).
• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to:
https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support
iv. On the Downloads page, in the Service Contract File Download section,
click Download Now:
If the contract file does not cover the SmartCenter server, a message
informs you that the SmartCenter server is not eligible for upgrade.
However, the absence of a valid contract file will not prevent the upgrade
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO
SmartCenter server to NGX R65, the upgrade process will check to see if there is a
valid contract already present on the SmartCenter server. If a contract is not
present, the upgrade process proceeds as normal. After successfully upgrading the
gateway, the following message is displayed:
The upgrade process requires a valid contract file in order to
verify that your gateway complies with Check Point licensing
agreements. While the absence of a contract file does not prevent
this upgrade, it is recommended that you obtain a contract file via
SmartUpdate (Licenses & Contracts menu -> Update Contracts).
For further details see:
http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point User
Center.
Installing a Contract File on a Gateway
On a Windows Platform
After accepting the End User License Agreement (EULA), the following message is
displayed:
After clicking Next, the upgrade process checks to see if a valid contract file is
installed on the gateway. If no contract file exists, the upgrade process attempts to
retrieve a contract file from the SmartCenter Server that manages the gateway. If a
contract file cannot be retrieved from SmartCenter server, the main options for
obtaining a contract file for the gateway are displayed:
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a
contract file directly from the User Center. The contract file obtained
through the User Center conforms with the terms of your licensing
agreements.
If the connection succeeds but the downloaded contract file does not
cover the gateway, the following message appears:
However, this will not prevent the upgrade from taking place.
iv. On the Downloads page, in the Service Contract File Download section,
click Download Now:
If the local contract file does not cover the gateway, the following
message is displayed:
However, this will not prevent the upgrade from taking place. If the
contract file covers the gateway, the following message is displayed:
The upgrade process searches for a valid contract on the gateway. If a valid
contract is not located, the upgrade process attempts to retrieve the latest contract
file from the SmartCenter server that manages the gateway. If a valid contract file
is not located on the SmartCenter server, the main options for obtaining a contract
file for the gateway are displayed:
On SecurePlatform, Linux, and Solaris Gateways
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a
contract file directly from the User Center. The contract file obtained
through the User Center conforms with the terms of your licensing
agreements. If you choose to download contract information from the User
Center, you are prompted to enter your:
• User name
• Password
• Proxy server address (if applicable):
If, according to information gathered from your User Center account, your
gateway is not eligible for upgrade, the following message is displayed:
You may still upgrade the gateway but are advised to download a valid contract
at a later date using SmartUpdate (see: “Managing Contracts with
SmartUpdate” on page 82 for more information on using SmartUpdate).
If the contract file does not cover the gateway, a message informs you
that the gateway is not eligible for upgrade. However, the absence of a
valid contract file will not prevent the upgrade from taking place. Once
the upgrade is complete, contact your local support provider to obtain a
valid contract.
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at
a later date. Note that at this point your gateway is not strictly eligible for
an upgrade; you may be in violation of your Check Point Licensing
Agreement, as shown in the final message of the upgrade process:
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO gateway
to NGX R65, the upgrade process will check to see if there is a valid contract
available on the SmartCenter server that manages the gateway. If none is available,
the upgrade process proceeds. After successfully upgrading the gateway, the
following message is displayed:
The upgrade process requires a valid contract file in order to
verify that your gateway complies with Check Point licensing
agreements. While the absence of a contract file does not prevent
this upgrade, it is recommended that you obtain a contract file via
SmartUpdate (Licenses & Contracts menu -> Update Contracts).
For further details see:
http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point User
Center.
Managing Contracts
The License Repository window in SmartUpdate displays contracts as well as regular
licenses:
Clicking Show Contracts displays the contracts associated with this license:
Updating Contracts
Licenses & Contracts on the File menu has enhanced functionality for handling
contracts:
• Licenses & Contracts > Update Contracts
This option installs contract information on SmartCenter server. Each time you
purchase a new contract, use this option to make sure the new contract is
displayed in the license repository:
Chapter 4
Upgrading a Distributed Deployment
In This Chapter
Introduction
Upgrading SmartCenter Server
Upgrading the Gateway
Introduction
This chapter describes the process of upgrading a distributed deployment to NGX
R65. A distributed deployment consists of at least one SmartCenter server and one
or more gateways. The SmartCenter server and gateway do not reside on the same
physical machine. Since backward compatibility is supported, a SmartCenter server
that has been upgraded to NGX R65 can enforce and manage gateways from
previous versions. In some cases, however, new features may not be available on
earlier versions of the gateway.
The NGX R65 SmartCenter server can manage the following gateways:
Release      Version
NGX          VPN-1 Power/UTM NGX R62
             VPN-1 Pro/Express NGX R61
             VPN-1 Pro/Express NGX R60A
             VPN-1 Pro/Express NGX R60
NG           VPN-1 Pro NG R55P
             VPN-1 Pro NG R55W
             VPN-1 Pro/Express NG With Application Intelligence R55
             VPN-1 Pro/Express NG With Application Intelligence R54
             VPN-1 Pro/Express NG FP3
             Express CI R57
GX           2.5, 2.5, NGX
VSX          VSX 2.0.1
             VSX NG AI
             VSX NG AI Release 2
             VSX NGX
InterSpect   NGX
Connectra    NGX R62
Pre-Upgrade Considerations
The actual license required depends on the number of Web servers protected by the
gateway or gateway cluster.
For NGX R60 and later versions, if the correct license is not installed, it is not
possible to install a Policy on any gateway. When upgrading, be aware of this
change of behavior. For additional information, refer to the Web Intelligence chapter
in the CheckPoint R65 Firewall And SmartDefense Administration Guide.
Upgrading SmartCenter Server
Usage:
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion
    -t TargetVersion [-f FileName] [-w]
or
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion
    -i [-f FileName] [-w]
-p    Path of the installed SmartCenter Server (FWDIR)
-c    Currently installed version
-t    Target version
-i    Check originality of INSPECT files only
-f    Output in file
-w    Web format file
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove
applet in the Control Panel. Check Point packages need to be uninstalled in the
opposite order to which they were installed. Since CPsuite is the first package
installed, it should be the last package uninstalled.
Note - Creating the snapshot image can take up to twenty minutes, during which Check
Point products are stopped.
For more information on contracts, see: “On SecurePlatform, Linux, and Solaris
Gateways” on page 76
8. Three upgrade options are displayed:
• Upgrade
• Export SmartCenter configuration
• Perform pre-upgrade verification only
i. Run the pre-upgrade verification script, and follow the
recommendations contained in the pre-upgrade verification results.
Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the SmartCenter configuration.
iii. Upgrade the installation.
9. Enter c to agree to the license upgrade.
The license upgrade process also handles gateway licenses in the SmartUpdate
License Repository. Select one of the following:
• Enter [L] to view the licenses installed on your machine.
• Enter [C] to check if currently installed licenses have been upgraded.
• Enter [S] to simulate the license upgrade.
• Enter [U] to perform the license upgrade, or generate a license file that can
be used to upgrade licenses on a machine with no Internet access to the
User Center.
• Enter [O] to perform the license upgrade on a license file that was
generated on a machine with no Internet access to the User Center.
• Enter [Q] to quit.
10. Select a source for the upgrade utilities.
Either download the most updated files from the Check Point website or use
the upgrade tools contained on the CD. The exported configuration is
automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. Since CPsuite is the first package installed, it should be the last
package uninstalled.
Run the rpm -e <package name> to view a list of all the installed packages.
Note - Creating the snapshot image can take up to twenty minutes, during which Check
Point products are stopped.
5. Before the upgrade begins, an image of the system is created so that the
system can revert to it if the upgrade is not successful. The Save an Image before
Upgrade page displays the image information.
Click Next.
6. In the Safe Upgrade section, select Safe upgrade to require a successful login
after the upgrade is complete. If no login takes place within the configured
amount of time, the system will revert to the saved image.
Click Next.
7. The Current Upgrade File on Appliance section displays the information of the
current upgrade.
To begin the upgrade, click Start.
3. Mount the CD and upgrade the patch command using the following syntax:
# mount /mnt/cdrom
# patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_*.tgz
4. Insert CD1 of the NGX R65 media kit into the CD drive.
5. At the command prompt, enter patch add cd.
6. Select SecurePlatform NGX R65 Upgrade Package (CPspupgrade_R65.tgz).
7. Enter y to accept the checksum calculation.
8. When prompted, create a backup image for automatic revert.
Note - Creating the snapshot image can take up to twenty minutes, during which Check
Point products are stopped.
Note - The "patch add cd" command presents three options: run the pre-upgrade
verification script; export the SmartCenter configuration; upgrade the installation.
If you select the first option, the command exits after performing the pre-upgrade
verification. To select the second or third options, you need to run the "patch add cd"
command again.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. Since CPsuite is the first package installed, it will be the last
package uninstalled.
Run the rpm -e <package name> to view a list of all the installed packages.
12. Reboot.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. Since CPsuite is the first package installed, it will be the last
package uninstalled.
Run the pkgrm command to view a list of the installed packages.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. Since CPsuite is the first package installed, it should be the last
package uninstalled.
Run the rpm -e <package name> to view a list of the installed packages.
Note - For NGX R65, you must first install either IPSO 4.1, 4.2
8. When the upgrade is complete, click the link to the IPSO Image Management
page.
The IPSO Image Management window opens.
9. Under the title Select an image for next boot, select the last downloaded image.
10. Click Test Boot.
11. Access the CLI console to see when the Reboot is complete. Once the Reboot
is complete, go back to the Network Voyager to verify that the image was set
properly.
12. In the Network Voyager, click Refresh and log in.
13. If you are not returned to the last window you were in, click
System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO Image is selected.
14. Select Commit testboot and click Apply.
15. Access the CLI console and log in.
16. Perform an FTP using bin mode to transfer the IPSO_Wrapper_R65.tgz package.
17. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter.
This command:
• Deactivates previous Check Point packages but does not delete them.
• Finds the upgrade tools in $FWDIR and performs an import/export operation
to preserve the previous configuration.
When the process is complete, you should receive a message indicating that the
process was successful, along with a reminder to update your contract
information. For more information on contracts, see: “On IPSO” on page 81.
18. Log off the console connection, and then log back on to set the environment
variables.
19. Start the installed products by running cpstart.
Note - The previous Check Point packages remain installed but deactivated. Should the
need arise, the previous packages can be activated through the Network Voyager.
Warning - The configuration file (.tgz) contains your security configuration. It is highly
recommended to delete it after completing the import process.
Upgrading the Gateway
SmartUpdate Options
SmartUpdate is the primary tool used for upgrading Check Point gateways. The
following features and tools are available in SmartUpdate:
• Upgrade All Packages: This feature allows you to upgrade all packages installed
on a gateway. For IPSO and SecurePlatform, this feature also allows you to
upgrade your operating system as a part of your upgrade. In NGX R65,
SmartUpdate's “Upgrade all Packages” supports HFAs, i.e., it will suggest
upgrading the gateway with the latest HFA if a HFA package is available in the
Package Repository. "Upgrade All" is the recommended method. In addition,
there is an advanced method to install (distribute) packages one by one.
• Add Package to Repository: SmartUpdate provides three “helper” tools for
adding packages to the Package Repository:
• From CD: Adds a package from the Check Point CD.
• From File: Adds a package that you have stored locally.
• From Download Center: Adds a package from the Check Point Download
Center.
• SmartUpdate’s Get Check Point Gateway Data: This tool updates SmartUpdate
with the current Check Point or OPSEC third-party packages installed on a
specific gateway or for your entire enterprise.
• Check for Updates: This feature, available from the SmartDashboard Tools
menu, locates the latest HFA on the Check Point Download Center, and adds it
to the Package Repository.
Note - The Allow reboot... option (selected by default) is required in order to activate
the newly installed packages.
The Operation Status pane opens and shows the progress of the installation.
Each operation is represented by a single entry. Double click the entry to open
the Operation Details window, which shows the operation history.
The following operations are performed during the installation process:
• The Check Point Remote Installation Daemon connects to the Check Point
gateway.
• Verification for sufficient disk space.
Note - It is also possible to use SmartUpdate to install HFAs on gateways from previous
versions (for example, R54 and later).
4. Apply the SecurePlatform NGX R65 upgrade package using a CD ROM drive
with the following command:
# patch add cd
You are prompted to verify the MD5 checksum.
5. Answer the following question:
Do you want to create a backup image for automatic revert? Yes/No
If you select Yes, a Safe Upgrade is performed.
Safe Upgrade automatically takes a snapshot of the entire system so that the
entire system (operating system and installed products) can be restored if
something goes wrong during the Upgrade process (for example, hardware
incompatibility). If the Upgrade process detects a malfunction, it automatically
reverts to the Safe Upgrade image.
When the Upgrade process is complete, upon reboot you are given the option to
manually start the SecurePlatform operating system using the upgraded version
image or using the image created prior to the Upgrade process.
6. After you complete the upgrade process, do the following:
a. Using SmartDashboard, log in to the NGX R65 SmartCenter server that
controls the upgraded gateway.
b. Open the gateway object properties window that represents the upgraded
gateway and change the version to NGX R65.
c. Perform Install Policy on the upgraded gateway.
If a situation arises in which a revert to your previous configuration is required,
refer to “Reverting to Your Previous Deployment” on page 135 for details.
Testboot is a special reboot process that permits the user to roll back to a
previous image should problems arise.
10. Access the CLI console to monitor the reboot process. Once the reboot is
complete, return to the Network Voyager and verify that the image was set
properly.
11. In the Network Voyager, click Refresh and log in.
12. If you are not returned to the last window you were in, click
System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO Image is selected.
13. In the window that opens, select Commit testboot and click Apply.
Note - If you do not commit the testboot within five minutes of the test completing, the
platform automatically reboots to the previous image.
Chapter 5
Backup and Revert for VPN-1 Power/UTM
Introduction
Before you perform an upgrade process, you should back up your current
configuration. The purpose of the backup process is to back up the entire
configuration, and to restore it if necessary, for example, in the event that the
upgrade process is unsuccessful.
To back up your configuration, use the Export utility tool of the version for which
you are creating a backup file. For example, if you are backing up NG with
Application Intelligence R55, use the NG with Application Intelligence Export utility
tool. The backup file contains your current system configuration (for example,
objects, rules, and users) and can be used to restore your previous configuration if
the upgrade process fails. The restoration procedure restores the configuration in
effect when the backup procedure was executed.
Note - Operating system level configurations (for example, network configuration) are not
exported.
Backing Up Your Current Deployment
Warning - The configuration file (.tgz) contains your product configuration. It is highly
recommended to delete it after completing the import process.
Restoring a Deployment
To restore a deployment:
1. Copy the exported .tgz file to the target SmartCenter server.
2. In the SmartCenter server, insert the product CD for the version being restored.
3. Using the available options, perform an installation using an imported
configuration file.
SecurePlatform Backup and Restore Commands
Backup
This command is used to back up the system configuration. You can also copy
backup files to a number of SCP and TFTP servers for improved backup robustness.
The backup command, when run by itself without any additional flags, uses default
backup settings and performs a local backup.
Syntax
backup [-h] [-d] [-l] [--purge DAYS]
    [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
    [[--tftp <ServerIP> [-path <Path>] [<Filename>]] |
    [--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]] |
    [--file [-path <Path>] [<Filename>]]]
Parameters
Table 5-1 Backup Parameters
Parameter
    Meaning
-h
    obtain usage
-d
    debug flag
-l
    Enables VPN-1 log backup (By default, VPN-1 logs are not backed up.)
--purge DAYS
    Deletes old backups from previous backup attempts
[--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
    Schedule interval at which backup is to take place
    • On - specify time and day of week, or day of month
    • Off - disable schedule
--tftp <ServerIP> [-path <Path>] [<Filename>]
    List of IP addresses of TFTP servers, on which the configuration is to be
    backed up, and optionally the filename
--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]
    List of IP addresses of SCP servers, on which the configuration is to be
    backed up, the username and password used to access the SCP server, and
    optionally the filename
--file [-path <Path>] <Filename>
    When the backup is performed locally, specify an optional filename
Restore
This command is used to restore the system configuration.
Syntax
restore [-h] [-d][[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]
Parameters
Table 5-2
Parameter
    Meaning
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> [<Filename>]
    IP address of TFTP server, from which the configuration is restored, and
    the filename
--scp <ServerIP> <Username> <Password> [<Filename>]
    IP address of SCP server, from which the configuration is restored, the
    username and password used to access the SCP server, and the filename
--file <Filename>
    Specify a filename for restore operation, performed locally
For additional information about the backup and restore utilities, refer to the
System Commands section in the CheckPoint R65
SecurePlatform/SecurePlatformPro Administration Guide.
Snapshot
This command creates a snapshot file. The snapshot command, run by itself
without any additional flags, uses the default backup settings and creates a local
snapshot.
Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]
Parameters
Table 5-3 Snapshot Parameters
Parameter
    Meaning
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> <Filename>
    IP address of the TFTP server, from which the snapshot is taken, as well
    as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server, from which the snapshot is taken, the
    username and password used to access the SCP server, and the filename of
    the snapshot
--file <Filename>
    When the snapshot is made locally, specify a filename
Revert
This command reboots the system from a snapshot file. The revert command, run
by itself without any additional flags, uses default backup settings, and reboots the
system from a local snapshot.
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]
Parameters
Table 5-4 Revert Parameters
Parameter
    Meaning
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> <Filename>
    IP address of the TFTP server, from which the snapshot is rebooted, as
    well as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server, from which the snapshot is rebooted, the
    username and password used to access the SCP server, and the filename of
    the snapshot
--file <Filename>
    When the snapshot is made locally, specify a filename
The revert command functionality can also be accessed from the Snapshot image
management boot option.
Reverting to Your Previous Deployment
To revert to the version that was active before NGX R65 VPN-1 Power/UTM, perform
the relevant procedures described in this section.
Note - Make sure to remove all NGX R65 products and compatibility packages before
removing the NGX R65 CPsuite.
Note - On flash-based platforms, the NGX R65 packages no longer appear in the Manage
Packages page since they were never part of the previous configuration set.
ICA Considerations
Once the Revert process is complete, certificates issued during the use of NGX
R65 remain valid. While these certificates are valid, they cannot yet be managed
by the Internal CA.
To resume management of older certificates after the Revert process:
1. Back up the InternalCA.NDB and ICA.crl files (located in the $FWDIR/conf
directory) and all *.crl files (located in the $FWDIR/conf/crl directory) from
the version prior to NGX R65 (for example, from NG with Application
Intelligence R55) to a location of your choice.
2. Copy the NGX R65 InternalCA.NDB, ICA.crl and the *.crl files (located in
the $FWDIR/conf directory) from the current NGX R65 version and use them to
overwrite the files (for example, the NG with Application Intelligence R55 files)
in the location specified in step 1 (in the $FWDIR/conf directory).
Note - If the Upgrade process was performed on a machine that runs a different operating
system than the original machine, the InternalCA.NDB file must be converted after it is
copied to the reverted environment. To do this, run the ‘cpca_dbutil d2u’ command
line from the reverted environment.
3. Once the Revert process is complete, use the ICA Management Tool to review
certificates created using NGX R65 in the reverted environment (for example,
the NG with Application Intelligence R55 environment). For example, the
subject to which a specific certificate was issued may no longer exist. In such
a case, you may want to revoke the specific certificate.
For additional information, refer to The Internal Certificate Authority (ICA) and
the ICA Management Tool chapter in the R65 SmartCenter Administration Guide.
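Step 1 above can be scripted so that the backed-up ICA files can be checked for changes before they are relied on in a revert. The following shell functions are an added example, not part of the Check Point guide or tooling: the file names and directories are those given in step 1, while the function names, the MANIFEST.sha256 file and the availability of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code). Backs up the ICA files listed in
# step 1 and records SHA-256 digests so the copies can be checked later.
# Assumptions: sha256sum is installed; function and manifest names are ours.

# ica_backup FWDIR DEST
#   Copies FWDIR/conf/InternalCA.NDB, FWDIR/conf/ICA.crl and
#   FWDIR/conf/crl/*.crl into DEST, keeping the conf/ layout.
ica_backup() {
    ica_src=$1
    ica_dst=$2
    if [ -z "$ica_src" ] || [ -z "$ica_dst" ]; then
        echo "usage: ica_backup FWDIR DEST" >&2
        return 2
    fi
    # Both database files must be present; a partial backup cannot be restored.
    for ica_f in InternalCA.NDB ICA.crl; do
        if [ ! -f "$ica_src/conf/$ica_f" ]; then
            echo "ica_backup: missing $ica_src/conf/$ica_f" >&2
            return 1
        fi
    done
    # Refuse to mix the files of two versions under one manifest.
    if [ -e "$ica_dst/MANIFEST.sha256" ]; then
        echo "ica_backup: $ica_dst already holds a backup" >&2
        return 1
    fi
    (
        umask 077    # the CA database is sensitive: owner-only access
        mkdir -p "$ica_dst/conf/crl" || exit 1
        cp -p "$ica_src/conf/InternalCA.NDB" "$ica_src/conf/ICA.crl" \
            "$ica_dst/conf/" || exit 1
        for ica_crl in "$ica_src"/conf/crl/*.crl; do
            [ -f "$ica_crl" ] || continue    # no CRLs: the glob stayed literal
            cp -p "$ica_crl" "$ica_dst/conf/crl/" || exit 1
        done
        # cp -p keeps the source modes, so tighten them explicitly.
        chmod -R go-rwx "$ica_dst/conf" || exit 1
        cd "$ica_dst" || exit 1
        # One digest line per copied file, in a stable order.
        find conf -type f | LC_ALL=C sort | while IFS= read -r ica_f; do
            sha256sum "$ica_f" || exit 1
        done > MANIFEST.sha256
    ) || return 1
}

# ica_verify DEST
#   Returns 0 only if every file listed in the manifest is present and
#   still has the digest recorded at backup time.
ica_verify() {
    if [ ! -f "$1/MANIFEST.sha256" ]; then
        echo "ica_verify: no manifest in $1" >&2
        return 1
    fi
    ( cd "$1" && sha256sum -c MANIFEST.sha256 ) >&2
}

# Typical use before the upgrade, then again before the files are used:
#   ica_backup "$FWDIR" /var/tmp/ica-pre-upgrade
#   ica_verify /var/tmp/ica-pre-upgrade
```

The destination path in the usage comment is a placeholder; store the backup off the machine being upgraded, since InternalCA.NDB is the CA database.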
Chapter 6
Upgrading a Standalone Deployment
Introduction
This chapter describes the process of upgrading a VPN-1 standalone deployment to
NGX R65. A standalone deployment consists of the SmartCenter server and
gateway installed on the same system. Since backward compatibility is supported,
a SmartCenter server that has been upgraded to NGX R65 can enforce and manage
gateways from previous versions. In some cases, however, new features may not be
available on earlier versions of the gateway.
The NGX R65 SmartCenter server can manage the following gateways:
Release       Version
NGX           VPN-1 Power/UTM NGX R62
              VPN-1 Pro/Express NGX R61
              VPN-1 Pro/Express NGX R60A
              VPN-1 Pro/Express NGX R60
NG            VPN-1 Pro NG R55P
              VPN-1 Pro NG R55W
              VPN-1 Pro/Express NG With Application Intelligence R55
              VPN-1 Pro/Express NG With Application Intelligence R54
              VPN-1 Pro/Express NG FP3
Express CI    R57
GX            2.5, 2.5, NGX
VSX           VSX 2.0.1
              VSX NG AI
              VSX NG AI Release 2
              VSX NGX
InterSpect    NGX
Connectra     NGX R62
Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2
Pre-Upgrade Considerations
Warning - For all operating systems except SecurePlatform, an NGX R65 upgrade cannot
be reverted to its previous version, once it is complete.
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove
applet in the Control Panel. Check Point packages need to be uninstalled in the
reverse of the order in which they were installed. Since CPsuite is the first package
installed, it should be the last package uninstalled.
Standalone VPN-1 Gateway Upgrade on SecurePlatform
Warning - For all operating systems except SecurePlatform, an NGX R65 upgrade cannot
be reverted to its previous version once it is complete.
Note - Creating the snapshot image can take up to twenty minutes, during which time
Check Point products are stopped.
Uninstalling Packages
Check Point packages need to be uninstalled in the reverse of the order in which
they were installed. Since CPsuite is the first package installed, it should be the
last package uninstalled.
Run rpm -e <package name> to uninstall a package. To view a list of the installed
packages, run rpm -qa.
Note - Creating the snapshot image can take up to twenty minutes, during which Check
Point products are stopped.
Standalone Upgrade on UTM-1
VPN-1 Gateway Upgrade on Pre-R54 SecurePlatform Versions
Warning - For all operating systems except SecurePlatform, an NGX R65 upgrade cannot
be reverted to its previous version once it is complete.
Note - Creating the snapshot image can take up to twenty minutes, during which time
Check Point products are stopped.
Either download the most updated files from the Check Point website or use
the upgrade tools contained on the CD. The exported configuration is
automatically imported during the upgrade process.
14. Open SmartUpdate and attach the new NGX licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the reverse of the order in which
they were installed. Since CPsuite is the first package installed, it should be the
last package uninstalled.
Run rpm -e <package name> to uninstall a package. To view a list of the installed
packages, run rpm -qa.
Standalone VPN-1 Gateway Upgrade on a Solaris Platform
Note - For NGX R65, you must first install either IPSO 4.1 or 4.2
Standalone VPN-1 Gateway Upgrade on an IPSO Platform
8. Under the title Select an image for next boot, select the last downloaded image.
9. Click Test Boot.
10. Access the CLI console to see when the Reboot is complete. Once the Reboot
is complete, go back to the Network Voyager to verify that the image was set
properly.
11. In the Network Voyager, click Refresh and log in.
12. If you are not returned to the last window you were in, click
System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO Image is selected.
13. Select Commit testboot and click Apply.
14. Access the CLI console and log in.
15. Perform an FTP using bin mode to transfer the IPSO_Wrapper_R65.tgz package.
16. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter.
This command:
• Deactivates previous Check Point packages but does not delete them.
• Installs NGX R65 products but does not activate them.
• Finds the upgrade tools in $FWDIR and performs an import/export operation
to preserve the previous configuration.
Once the process is complete, a message is displayed indicating that the
process was successful.
17. Type Reboot and press Enter.
18. From a console connection, run cpconfig.
19. Select a product:
• Check Point Power for headquarters and branch offices
• Check Point UTM for medium-sized businesses
20. Select an installation type, Stand Alone or Distributed.
21. Select Enterprise SmartCenter from the selection list.
22. Specify the SmartCenter type as Primary or Secondary.
23. Add Licenses.
24. Configure an administrator name and password.
25. Configure the GUI clients and hosts which can access the SmartCenter server
using SmartConsole.
26. Configure Group Permissions.
27. Configure a pool of characters for use in cryptographic operations. Type
randomly until the progress bar is full.
28. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
29. Start the installed products.
If you opt not to start the installed products at this time, they can be started later
by running cpstart.
Note - The previous Check Point packages remain installed but deactivated. Should the
need arise, the previous packages can be activated using the Network Voyager.
Note - On flash-based platforms, the NGX R65 packages will no longer appear in the
Manage Packages page since they were never part of the previous configuration set.
VPN-1 Express CI R57 to NGX R65 on SecurePlatform
Note - This upgrade from VPN-1 Express CI R57 to NGX R65 is only supported for
SecurePlatform.
Warning - The configuration file (.tgz) contains your security configuration. It is highly
recommended to delete it after completing the import process.
Chapter 7
Advanced Upgrade of
SmartCenter Servers &
Standalone Gateways
Introduction
There are a number of reasons for performing an advanced upgrade, for example if
you need to:
• Upgrade to NGX R65 while replacing the Operating System on which the
current SmartCenter is installed.
• Upgrade to NGX R65 while migrating to a new server.
• Upgrade to NGX R65 while avoiding unnecessary risks to the production
SmartCenter server in case of failure during the upgrade process.
To avoid unnecessary risks, it is possible to migrate the current configuration of the
production SmartCenter server, to a new SmartCenter server.
Migrate Your Current SmartCenter Configuration and Upgrade
Introduction
This section describes the advanced upgrade procedure for SmartCenter. The
advanced upgrade procedure involves two machines. The first machine is the
working production machine. The second machine is off-line, and only contains the
operating system. The SmartCenter server is freshly installed on the second
machine and the configuration of the first machine is imported.
When migrating to a new SmartCenter server, the destination server should have the
same IP configuration as the original SmartCenter server. If you are migrating to a
new machine with a different IP address, see “Migration to a New Machine
with a Different IP Address” on page 176.
4. When prompted, download the most recently updated upgrade utilities from the
Check Point website.
If this is not possible, select Use the upgrade utilities from the CD.
5. Perform the Pre-Upgrade Verification.
6. Select the destination path for the configuration (.tgz) file.
Wait until the database files are exported.
7. Copy the exported .tgz file to the new SmartCenter server.
8. Insert the NGX R65 CD into the target SmartCenter server.
9. Do one of the following:
• Perform a fresh install of SmartCenter server and import the configuration
file. When prompted, select Installation using Imported Configuration. This
option prompts you for the location of the imported .tgz configuration file
and then automatically installs the new software and utilizes the imported
.tgz configuration file.
• Perform a fresh install of SmartCenter server, and manually import the
configuration file using the upgrade_import tool on the NGX R65 CD.
Warning - The configuration file (.tgz) contains your security configuration. It is highly
recommended to delete it after completing the import process.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select the products:
• Check Point Power (for headquarters and branch offices)
• Check Point UTM (for medium-sized businesses)
6. Enter n.
7. Select New installation as the installation option.
8. Enter n.
9. From the list of products, select SmartCenter.
10. Enter n.
11. Specify the SmartCenter type to install:
• Primary SmartCenter
• Secondary SmartCenter
• Log server
12. Enter n.
13. Enter n to validate the products to install.
14. After product installation, the Check Point Configuration Program opens. Use
the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local
licenses on this machine. The recommended way of managing licenses is
through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this
SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type
randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example
through FTP.
Note - Creating the snapshot image can take up to twenty minutes, during which time
Check Point products are stopped.
• Enter [O] to perform the license upgrade on a license file that was
generated on a machine with no Internet access to the User Center.
• Enter [Q] to quit.
10. Select a source for the upgrade utilities.
Either download the most updated files from the Check Point website or use
the upgrade tools contained on the CD. The exported configuration is
automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.
8. To import a SmartCenter configuration and upgrade it, enter the path to, and
name of, the compressed file that contains the exported configuration. Enter n.
The license upgrade wrapper runs. The license upgrade process may take some
time, since all the licenses are gathered and sent in SSL-encrypted format to the
Check Point User Center.
9. Enter c to continue, or q to quit.
If you choose to continue, refer to “Upgrading Licenses for Products Prior to
NGX” on page 29.
10. Select a source for the upgrade utilities.
While the R65 upgrade utilities are on the NGX R65 CD, it is recommended to
download the latest tools from the Check Point website.
11. Enter n.
12. The pre-upgrade verification process runs automatically. View the results and
follow the recommendations.
13. Enter n.
14. Specify an upgrade option:
• Upgrade installed products
• Upgrade installed products and install new products
15. Enter n.
16. Enter n to validate the products to install.
17. After product installation, the Check Point Configuration Program opens. Use
the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local
licenses on this machine. The recommended way of managing licenses is
through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this
SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type
randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.
5. On the new SmartCenter update the primary SmartCenter object so that its IP
Address and topology match its new configuration.
On the DNS, map the SmartCenter’s DNS to the new IP address.
This section covers the advanced upgrade procedure for VPN-1 gateways. The
advanced upgrade procedure involves two machines. The first machine is the
working production machine. The second machine is off-line, and only contains the
operating system. The SmartCenter server is freshly installed on the second
machine and the configuration of the first machine is imported.
Migrate Your Current VPN-1 Gateway Configuration & Upgrade
Warning - The configuration file (.tgz) contains your security configuration. It is highly
recommended to delete it after completing the import process.
a. Add licenses: The Check Point Configuration Program only manages local
licenses on this machine. The recommended way of managing licenses is
through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this
SmartCenter server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type
randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
f. Start the installed products.
15. Log in again to the root account to set the new environment variables.
16. Transfer the exported configuration to the new Solaris installation, for example
through FTP.
17. Change directory to /opt/CPsuite-R65/fw1/bin/upgrade_tools
Make sure that the upgrade tools in this directory are the R65 upgrade tools,
taken from the installation CD or downloaded from the Check Point website.
18. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
19. Enter y to stop all Check Point services.
The license upgrade wrapper runs.
20. Enter c to continue, or q to quit.
If you choose to continue, refer to “Upgrading Licenses for Products Prior to
NGX” on page 29.
21. Wait for the message: upgrade_import finished successfully!
22. Enter y to restart Check Point Services.
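The transfer and import steps above, combined with the warning that the exported .tgz file holds the security configuration, can be wrapped as follows. This is an added example, not Check Point code: the function names and the .sha256 sidecar file are assumptions, and upgrade_import is the only command taken from this guide.

```shell
#!/bin/sh
# Added example (not Check Point code): guard the exported configuration
# archive between export on the old machine and upgrade_import on the new one.

# Print the SHA-256 of file $1 as bare hex.
cfg_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        # Fallback for systems that ship openssl but not sha256sum.
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Source machine: make the archive owner-only and record its digest in
# <archive>.sha256 (hypothetical sidecar name) before it is transferred.
seal_export() {
    local archive="$1"
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 2; }
    chmod 600 "$archive" || return 1
    cfg_digest "$archive" > "$archive.sha256"
}

# Target machine: succeed only if the archive still matches its sidecar.
verify_export() {
    local archive="$1" want got
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 2
    want=$(cat "$archive.sha256")
    got=$(cfg_digest "$archive")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Verify, import, and delete the archive only after a successful import.
# $2 overrides the import command (default ./upgrade_import, run from the
# upgrade tools directory as in step 18).
import_and_purge() {
    local archive="$1" importer="${2:-./upgrade_import}"
    if ! verify_export "$archive"; then
        echo "digest mismatch or missing sidecar, not importing: $archive" >&2
        return 1
    fi
    if ! "$importer" "$archive"; then
        echo "import failed, archive kept for retry: $archive" >&2
        return 1
    fi
    # Overwrite before unlinking where shred exists; plain removal otherwise.
    if command -v shred >/dev/null 2>&1; then
        shred -u "$archive" || rm -f "$archive"
    else
        rm -f "$archive"
    fi
    rm -f "$archive.sha256"
}

# Typical use:
#   old machine:  seal_export /var/tmp/export.tgz    (then transfer both files)
#   new machine:  import_and_purge /var/tmp/export.tgz
```

A digest mismatch on the target is also what an FTP transfer made without bin mode produces.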
To perform a new installation and upgrade using the wrapper:
1. Insert CD2 of the NGX R65 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript.
The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
Note - Creating the snapshot image can take up to twenty minutes, during which time
Check Point products are stopped.
• Enter [O] to perform the license upgrade on a license file that was
generated on a machine with no Internet access to the User Center.
• Enter [Q] to quit.
10. Select a source for the upgrade utilities.
Either download the most updated files from the Check Point website or use
the upgrade tools contained on the CD. The exported configuration is
automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new NGX licenses to the gateways.
Chapter 8
Upgrading ClusterXL
Deployments
License Upgrade to NGX
Tools for Gateway Upgrades
Note - Full Connectivity Upgrade is supported between minor versions only. For further
information, refer to “Full Connectivity Upgrade on a ClusterXL Cluster” on page 202 and
the NGX R65 Release Notes.
When upgrading from R55W to NGX R65, refer to NGX R65 Release Notes for
details about support of Web Intelligence and VoIP Application Intelligence features
on Load Sharing Clusters.
Planning a Cluster Upgrade
Zero Downtime Upgrade on a ClusterXL Cluster
Note - Do not change any cluster parameters from the current policy at this time. For
example, if the cluster is running in New High Availability mode, do not change it to LS.
Changes can be made after the upgrade process is complete.
7. If you are upgrading from a previous version, perform the following steps:
a. From the Policy Installation window, clear the For Gateway Clusters, install on
all the members, if it fails do not install at all option located under the Install
on each selected Module independently option.
b. Install the security policy on the cluster.
The policy will be successfully installed on cluster members B and C, and
will fail on member A.
8. Using the cphaprob stat command (executed on a cluster member), verify that
the status of cluster member A is Active or Active Attention. The remaining
cluster members will have a Ready status. The status Active Attention is given
if member A’s synchronization interface reports that its outbound status is
down, because it is no longer communicating with other cluster members.
9. When upgrading versions prior to NGX, execute the fw ctl setsync off
command on Cluster member A.
10. Execute the cphastop command on cluster member A. Machines B and/or C
start to process traffic (depending on whether this is a Load Sharing or High
Availability configuration).
11. It is recommended that you do not install a new policy on the cluster until the
last member has been upgraded. If you must install a new policy, perform the
following steps:
a. Run cpstop on the old Check Point gateway.
b. Run fw ctl set int fwha_conf_immediate 1 on all new Check Point
gateways.
c. Install the policy.
Note - It is recommended that you minimize the time in which cluster members are
running different versions.
Full Connectivity Upgrade on a ClusterXL Cluster
Supported Modes
FCU is supported on all modes of ClusterXL, including IPSO’s IP clustering and
VRRP. Legacy High Availability is not supported in FCU. For other third-party
support, refer to the third-party documentation.
Verify that the list of Check Point Gateway names is the same for both cluster
members.
• All the Gateway configuration parameters should have the same values on the
NM and the OM. The same rule applies to any other local configurations you
may have set.
For example, having the attribute block_new_conns with different values on the
NM and on the OM might cause the FCU to fail since gateway behavior cannot
be changed during the upgrade.
• A cluster that performs static NAT using the gateway’s automatic proxy ARP
feature requires special considerations: cpstop the old Check Point Gateway
right after running cphastop. Running cphastop is part of the upgrade
procedure described in “Zero Downtime Upgrade on a ClusterXL Cluster” on
page 199. Failure to do this may cause some of the connections that rely on
proxy ARP to fail and may cause other connections that rely on proxy ARP not
to open until the upgrade process completes. Note, however, that running
cpstop on the old Check Point Gateway rules out the option to rollback to the
OM while maintaining all live connections that were originally created on the
OM.
2. First upgrade only one member, following the steps outlined in “Zero Downtime
Upgrade on a ClusterXL Cluster” on page 199. Before you get to step 10 on
page 200 (executing cphastop), run the following command on all the upgraded
members: fw fcu <other member ip on sync network>. Then continue with
step 10 on page 200 on all remaining OMs.
For more than three members, divide the upgrade of your members so that the
active cluster members can handle the amount of traffic during the upgrade.
Note - cphastop can also be executed from the Cluster object in the SmartConsole. Once
cphastop is executed, do not run cpstart or cphastart again or reboot the machine.
Table id map: This shows the mapping between the gateway’s kernel table indices
on the OM and on the NM. Having a translation is not mandatory.
Table handlers: This should include a sip_state and connection table handlers. In
a VPN-1 Power/UTM configuration, a VPN handler should also be included.
Global handlers: Reserved for future use.
Note - Not all connections are synchronized. For example, local connections and
services that are marked as non-synched are not synchronized.
Options
-t - table
-u - unlimited entries
-s - (optional) summary of the number of connections
For further information on the fw tab -t connections command, refer to the
“Command Line Interface” Book.
Chapter 9
Upgrading Provider-1
Introduction
This chapter describes methods and utilities for upgrading Provider-1/SiteManager-1
to R65.
The following versions need to be upgraded to a more recent version before they
can be upgraded to NGX R65:
• NG FP3 HF2: If you have NG FP3 Edition 1, NG FP3 Edition 2, NG FP3
Edition 3 or NG FP3 HF1, first install the Provider-1/SiteManager-1 NG FP3
HF2 Hotfix or the Hotfix Accumulator Build (HFA).
• NG FP2: Upgrade to FP3 or above in order to upgrade to R65.
• NG FP1 HF1: Upgrade to FP3 or above in order to upgrade to R65.
The latest information regarding supported platforms is always available in the
Check Point Release Notes at:
http://www.checkpoint.com/support/technical/documents/index.html
Provider-1/SiteManager-1 Terminology
Before discussing Provider-1/SiteManager-1 upgrades and licensing, it is worth
reviewing some important Provider-1/SiteManager-1 terms.
• The Multi-Domain Server (MDS) houses Provider-1 system information. It
contains details of the Provider-1 deployment, its administrators, and Customer
management information.
• The MDS has two flavors. The Manager, which runs the Provider-1 deployment,
and the Container, which holds the Customer Management Add-Ons (CMA). The
Manager and Container can be installed on the same server, or separately.
• A Customer Management Add-On (CMA) is the Provider-1 equivalent of the
SmartCenter server for a single Customer. Through the CMA, an administrator
creates Security Policies and manages the Customer modules.
Installation Script
Starting from NG with Application Intelligence, use the mds_setup installation
script for MDS.
Note - When installing MDS on SecurePlatform, the installation is performed using the
SecurePlatform installer on the CD. Do not execute the mds_setup script directly. For
additional information, refer to “Provider-1/SiteManager-1 Upgrade Practices” on page 251.
To run mds_setup:
1. Mount the Provider-1 CD from the relevant subdirectory.
2. Change the directory to the mounted directory.
3. Browse to either the Solaris or Linux directory, depending on the operating
system of your MDS machine.
4. Run the installation script: ./mds_setup.
When mds_setup is executed, it first checks for an existing installation of MDS:
• If no such installation exists, mds_setup asks you to confirm a fresh
installation of MDS.
• If a previous version of MDS is detected, you are prompted to select one of
the following options (Pre-Upgrade Verification Only, Upgrade or Backup)
listed below.
5. Exit all shell sessions. Open a new shell in order for the new environment to be
set.
Upgrade
When the upgrade option is used, mds_setup runs the Pre-Upgrade Verifier and if
no errors are found, the upgrade process proceeds. In case of errors, mds_setup
stops the installation until all the errors are fixed. In some cases, mds_setup
suggests automatically fixing the problem using a fixing utility. Fixing utilities that
affect the existing installation can also be executed from the command line. You
can choose to stop the installation and execute the fixing utility from the command
line. There are two important things to remember after changing your existing
installation:
• Verify your changes in the existing installation before you upgrade.
• Synchronize global policies. If you make changes in global policies, reassign
these global policies to customers. If you have a multi-MDS environment:
• Synchronize databases between MDSs in High Availability.
• Synchronize databases between CMAs in High Availability.
• Install the database on CLMs.
Backup
Prior to performing an upgrade, back up your MDS. The backup option from
mds_setup runs the mds_backup process (refer to mds_backup). Backup is also
used for replication of your MDS to another machine. Manual operations are
necessary if you are switching IP addresses or network interface names. For
additional information, refer to “Changing the MDS IP Address and External
Interface” on page 271.
pv1_license_upgrade
The pv1_license_upgrade command line tool is used to perform license upgrade for
Provider-1.
Provider-1/SiteManager-1 NGX cannot function with NG licenses. It is
recommended to upgrade all Provider-1/SiteManager-1 NG licenses to NGX before
upgrading software to NGX.
When the tool is run on the MDS, upgraded licenses are obtained from the Check
Point User Center website for the MDS and for all the CMAs on the MDS. The tool
makes it simple to automatically upgrade licenses, eliminating the need to do so
manually through the User Center.
The pv1_license_upgrade tool can be found in the following locations:
• Provider-1 R65 CD at: <platform>/LicenseUpgrade/
• R65 installation at: /opt/CPmds-R65/system/license_upgrade/
• Check Point Download site at:
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
license_upgrade
The license_upgrade command line tool is used to perform license upgrade for a
single CMA. It is the same tool as is used to perform license upgrade in
SmartCenter environments. License upgrade is required when upgrading from
versions prior to NGX.
The license_upgrade tool can be found in the following locations:
• Provider-1 R65 CD at: <platform>/LicenseUpgrade/
• R65 installation at: /opt/CPmds-R65/system/license_upgrade/
• Check Point Download site at:
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
The license_upgrade tool can be run either as a command line with
parameters, or in Wizard mode, which allows you to choose options from a
menu. To run the tool in Wizard mode, run: license_upgrade.
Table 9-1 lists some of the more commonly used tool options.
cma_migrate
This utility is used to import an existing SmartCenter server or CMA into a
Provider-1/SiteManager-1 MDS so that it will become one of its CMAs. If the
imported SmartCenter or CMA is of a version earlier than the MDS to which it is
being imported, then the Upgrade process is performed as part of the import. The
available versions are listed in “Supported Versions and Platforms” on page 208.
Bear in mind that the source and target platforms may be different. The platform of
the source management to be imported can be Solaris, Linux, Windows,
SecurePlatform or IPSO.
Before running cma_migrate, create a new customer and a new CMA. Do not start
the CMA, or the cma_migrate will fail.
Usage
cma_migrate <source management directory path> <target CMA FWDIR directory>
Example
cma_migrate /tmp/orig_mgmt_dir /opt/CPmds-R65/customers/cma2/CPsuite-R60/fw1
Directory     Contents
conf          This directory contains the information that resides under
              $FWDIR/conf of the source management.
database      This directory contains the information that resides under
              $FWDIR/database of the source management.
log           This directory contains the information that resides under
              $FWDIR/log of the source management or is empty if you do not
              wish to maintain the logs.
conf.cpdir    This directory is required when the source management is
              NG FP1 or higher. It contains the information that resides
              under $CPDIR/conf of the source management.
The second argument (<target CMA FWDIR directory>) is the FWDIR of the newly
created CMA.
Note - To run the cma_migrate utility from the MDG, right-click a CMA and select Import
Customer Management Add-on from the menu.
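A pre-flight check of the source management directory against the layout in the table above, to run before cma_migrate. This is an added example, not Check Point code: check_migrate_source and its cpdir argument are hypothetical names, and treating an empty conf or database directory as a problem is an assumption.

```shell
#!/bin/sh
# Added example (not Check Point code): check the directory that will be
# passed to cma_migrate as <source management directory path>.

# check_migrate_source DIR [cpdir]
#   DIR    source management directory, for example /tmp/orig_mgmt_dir
#   cpdir  pass the literal word "cpdir" when the source management is
#          NG FP1 or higher, which makes conf.cpdir mandatory
# Prints one line per finding and returns the number of blocking problems.
check_migrate_source() {
    local src="$1" need_cpdir="${2:-}" problems=0 d
    if [ ! -d "$src" ]; then
        echo "not a directory: $src"
        return 1
    fi
    # conf and database carry the copied management data, so an empty
    # directory is reported (assumption: an empty copy is a failed copy).
    for d in conf database; do
        if [ ! -d "$src/$d" ]; then
            echo "missing: $d"
            problems=$((problems + 1))
        elif [ -z "$(ls -A "$src/$d" 2>/dev/null)" ]; then
            echo "empty: $d"
            problems=$((problems + 1))
        fi
    done
    # log must be present but may be empty when logs are not maintained.
    if [ ! -d "$src/log" ]; then
        echo "missing: log"
        problems=$((problems + 1))
    fi
    # conf.cpdir is required only for NG FP1 or higher sources.
    if [ "$need_cpdir" = cpdir ]; then
        if [ ! -d "$src/conf.cpdir" ]; then
            echo "missing: conf.cpdir"
            problems=$((problems + 1))
        elif [ -z "$(ls -A "$src/conf.cpdir" 2>/dev/null)" ]; then
            echo "empty: conf.cpdir"
            problems=$((problems + 1))
        fi
    fi
    # Entries outside the documented layout are reported but do not block.
    for d in "$src"/*; do
        [ -e "$d" ] || continue
        case "$(basename "$d")" in
            conf|database|log|conf.cpdir) ;;
            *) echo "unexpected: $(basename "$d")" ;;
        esac
    done
    return "$problems"
}

# Typical use, with the paths from the example above:
#   check_migrate_source /tmp/orig_mgmt_dir cpdir &&
#       cma_migrate /tmp/orig_mgmt_dir /opt/CPmds-R65/customers/cma2/CPsuite-R60/fw1
```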
repeated between the CMA and entities that connect to it using putkey information.
Use putkey -n to re-establish trust. For additional information on putkey, refer to
the Check Point Command Line Interface documentation.
If you have VPN with externally managed gateways (or Global VPN-1 Communities),
maintain the original FQDN of the management so that the CRL server location is
not changed. This is not a requirement for a VPN between Check Point internal
gateways.
The default FQDN of a CMA is its IP address, therefore if you migrated from CMA
and changed its IP address, you should change its FQDN to the new IP address by
executing:
mdsenv <CMA>, cpconfig, option 4 - Certificate Authority
If your intent is to split a CMA into two or more CMAs, reinitialize their Internal
Certificate Authority so that only one of the new CMAs employs the original ICA:
1. mdsstop_customer <CMA NAME>
2. mdsenv <CMA NAME>
3. Remove the current Internal Certificate Authority by executing the fwm
sic_reset command. This may require some preparation that is described in
detail from the command prompt and also in the Secure Knowledge solution
sk17197.
4. Create a new Internal Certificate Authority by executing:
mdsconfig -ca <CMA NAME> <CMA IP>
5. Run the command: mdsstart_customer <CMA NAME>
migrate_assist
This utility is a helper utility for cma_migrate. It can be used to pull the original
management directories to the current disk storage using FTP.
When you finish running migrate_assist, it is possible to run cma_migrate (refer to
“cma_migrate” on page 214), the input directory of which will be the output
directory of migrate_assist.
Usage
migrate_assist <source machine name/ip> <source FWDIR folder> <user name> <password> <target folder> [<source CPDIR folder>]
Example
To import a SmartCenter server with the IP address 192.168.0.5 of version NG
FP3, use the following command:
migrate_assist 192.168.0.5 /opt/CPfw1-53 FTP-user FTPpass /EMC1 /opt/CPshared/5.0
Where /EMC1 is the name of the directory created on the MDS server machine,
migrate_assist accesses the source machine and imports the source FWDIR and
CPDIR folders to the specified target folder according to the structure described
above. The user name and password are needed to gain access to the remote
machine via FTP. The source CPDIR parameter is required in case the original
management is NG FP3 and higher.
Note - migrate_assist does not affect the source database, however it is highly
recommended to stop it before running migrate_assist so that no SmartConsole Clients
accidentally edit the database during migration.
migrate_global_policies
The migrate_global_policies utility transfers (and upgrades, if necessary) a global
policies database from one MDS to another.
If the global policies database on the target MDS has policies that are assigned to
customers, migrate_global_policies aborts. This is done to ensure that the Global
Policy used at the Customer's site is not deleted.
Note - When executing the migrate_global_policies utility, the MDS will be stopped.
The CMAs can remain up and running.
Usage
migrate_global_policies <path global policies conf database>
<path global policies conf database> specifies the directory path where
the global policies files, originally taken from the MDS's $MDSDIR/conf, are
located.
Backup and Restore
During backup, it is okay to view data but do not write using MDGs, GUIs or other
clients. If the Provider-1/SiteManager-1 system consists of several MDSes, the
backup procedure takes place manually on all the MDSes concurrently. Likewise,
when the restoration procedure takes place, it should be performed on all MDSes
concurrently.
mds_backup
This utility stores binaries and data from your MDS installation. Running
mds_backup requires super-user privileges. This utility runs the gtar command on
the root directories of data and binaries. Any extra information located under these
directories is backed up, except for files that are specified in the mds_exclude.dat
file ($MDSDIR/conf). The collected information is wrapped in a single zipped tar file.
The name of the created backup file comprises the date and time of the backup,
followed by the extension .mdsbk.tgz. For example: 13Sep2002-141437.mdsbk.tgz.
The file is placed in the current working directory, thus it is important not to run
mds_backup from one of the directories that is to be backed up. For example, when
backing up an NG FP3 MDS, do not run mds_backup from /opt/CPmds-61 since you
cannot zip the directory in which you need to write.
Usage
mds_backup
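The working-directory and super-user requirements above can be checked before the backup starts. The following sh script is an added example, not part of the original guide or of Check Point's tooling; the function names, the uid passed as an argument, and the file-name pattern (generalised from the single example name above) are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check before starting mds_backup.
# Directory names used in demo() are constructed; pass the directories
# that your own installation archives.

# Succeeds when path $1 is directory $2 itself or lies underneath it.
# Both arguments must already be physical (symlink-free) absolute paths.
is_inside() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mds_backup_preflight WORKDIR UID BACKED_UP_DIR...
# Prints "ok" and returns 0 when mds_backup can be started from WORKDIR,
# otherwise prints the reason and returns 1.
mds_backup_preflight() {
    workdir=$1
    uid=$2
    shift 2
    if [ "$uid" -ne 0 ]; then
        echo "mds_backup requires super-user privileges (uid is $uid)"
        return 1
    fi
    # Resolve symlinks so that a link into the MDS tree is not mistaken
    # for a safe location.
    phys=$(cd "$workdir" 2>/dev/null && pwd -P) || {
        echo "cannot enter $workdir"
        return 1
    }
    for root in "$@"; do
        rootphys=$(cd "$root" 2>/dev/null && pwd -P) || continue
        if is_inside "$phys" "$rootphys"; then
            echo "$phys is inside $rootphys, which is being backed up"
            return 1
        fi
    done
    echo "ok"
}

# Succeeds when $1 looks like a file name produced by mds_backup, such as
# 13Sep2002-141437.mdsbk.tgz (pattern generalised from that one example).
is_mdsbk_name() {
    case $1 in
        [0-3][0-9][A-Z][a-z][a-z][12][0-9][0-9][0-9]-[0-2][0-9][0-5][0-9][0-5][0-9].mdsbk.tgz)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Demonstration on a constructed directory tree.
demo() {
    tmp=$(mktemp -d) || return 0
    mkdir -p "$tmp/opt/CPmds-61/conf" "$tmp/var/backups"
    mds_backup_preflight "$tmp/var/backups" 0 "$tmp/opt/CPmds-61"
    mds_backup_preflight "$tmp/opt/CPmds-61/conf" 0 "$tmp/opt/CPmds-61" || true
    rm -rf "$tmp"
}
demo
```

On a real MDS, pass `"$(pwd)"` and `"$(id -u)"` as the first two arguments, followed by the directories that the backup covers.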
mds_restore
Restores an MDS that was previously stored with mds_backup. For correct operation,
mds_restore requires a fresh installation of an MDS from the same version of the
MDS to be restored.
Usage
mds_restore <backup file>
$MDSDIR/bin/set_mds_info -b -y
Introduction to License Upgrade in Provider-1 Environments
Understanding Provider-1/SiteManager-1 Licenses
Note - If there are NGX licenses on the pre-NGX MDS machine that have not been
upgraded (for example, without an NG license pair), they are not included in the
pv1_license_upgrade tool’s report.
Before License Upgrade
Note - This section only applies if the Provider-1 Pro Add-Ons for MDS are installed.
License Upgrade for the Pro Add-Ons for MDS must be performed either manually
via the User Center, or via the Check Point Account Services department.
To understand this issue, some background information is needed.
Pro Add-Ons for MDS is a bundled product that extends the SMART management
capabilities of multiple CMAs by adding SmartUpdate, SmartDirectory, and
SmartView Monitor. Table 9-3 shows the part numbers of Pro Add-ons for MDS.
Table 9-3 Part Numbers of Pro Add-ons for MDS
Pro Add-ons for MDS
Customer   Version   Part Number
10         NG        CPPR-PRO-10-NG
25         NG        CPPR-PRO-25-NG
50         NG        CPPR-PRO-50-NG
100        NG        CPPR-PRO-100-NG
200        NG        CPPR-PRO-200-NG
250        NG        CPPR-PRO-250-NG
3. At the end of the license generation process, the User Center shows a license
with the IP address of the last CMA for which the Change IP operation was
performed.
Upgrading CMA Pro Add-on Licenses
To upgrade the CMA Pro Add-on licenses:
1. On the MDS machine, run the appropriate console command:
• If the MDS is directly connected to the User Center, run:
pv1_license_upgrade upgrade
• If the MDS is connected to the User Center via a proxy, run:
pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
The proxy port number is optional. The username and password (if any) are
for the proxy machine.
2. Save the following information:
• Log Files generated by the tool. The location of the files is printed to the
screen when running the tool.
• The cache file generated when running the tool, $CPDIR/conf/lic_cache.C.
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail
AccountServices@ts.checkpoint.com, and provide them with the above
information.
Note - This section only applies if the Virtual Systems Extension - CMA Bundle is installed.
To allow Provider-1 to manage VPN-1 Power VSX, the “Virtual Systems Extension -
CMA Bundle” product is required. If the Virtual Systems Extension - CMA Bundle
is older than VSX NG AI Release 2, automatic license upgrade is not available.
License upgrade must be performed manually via the User Center, or via the Check
Point Account Services department.
To understand this issue, some background information is needed.
Customers purchase multiple CMAs to manage either one VSX Virtual System (VS)
with each CMA, or manage a VS cluster with each CMA.
The purchased part numbers are shown in Table 9-4.
• One license for the Provider-1 CMA product in Table 9-10 (to be installed on
the CMA), that specifies the size of the VS cluster that the CMAs are allowed to
manage. A license for a VS cluster of 1 Gateway allows the CMA to manage one
VS. A license for a VS cluster of 2 Gateways allows the CMA to manage a
cluster of two VSs, and so on.
Table 9-6 Provider-1 CMA
Provider-1 CMA (Primary CMA)
Gateways   Version   Part Number
1          NG        CPPR-CMA-1-NG
2          NG        CPPR-CMA-2-NG
4          NG        CPPR-CMA-4-NG
Choosing The Right License Upgrade Procedure
What Next?
Once you have made the above three decisions, you can then decide which of the
following procedures is the right one for you.
• “System-Wide License Upgrade, Before Software Upgrade” on page 231
  • “License Upgrade for an Online MDS” on page 231
  • “License Upgrade for an Offline MDS” on page 232
• “System-Wide License Upgrade Using the Wrapper” on page 235
  (applies to an online MDS version NG)
• “System-Wide License Upgrade, After Software Upgrade” on page 236
  • “License Upgrade for an Online MDS” on page 236
  • “License Upgrade for an Offline MDS” on page 237
• “License Upgrade for a Single CMA” on page 239
  • “License Upgrade for an Online MDS, Before Software Upgrade” on page 239
  • “License Upgrade for an Offline MDS, Before Software Upgrade” on page 240
  • “License Upgrade for an Online MDS, After Software Upgrade” on page 242
  • “License Upgrade for an Offline MDS, After Software Upgrade” on page 243
System-Wide License Upgrade, Before Software Upgrade
3. Perform the software upgrade to NGX on the MDS Manager, MDS Container,
and the MDG.
4. Start the MDS by running:
mdsenv
mdsstart
5. Run the following command line tool on the MDS:
pv1_license_upgrade import -c <cache file name>
The default cache file location is $CPDIR/conf/lic_cache.C. This imports the
NGX licenses from the cache file to the CMA Repositories of every CMA.
6. Perform the software upgrade to NGX on the gateway machine(s).
7. Connect to the MDS using the SmartUpdate component of the MDG, and for
each CMA, delete all obsolete licenses from the NGX gateways.
4. Copy the license_upgrade tool to the online machine. The tool is located at
<platform>/LicenseUpgrade/ on the R65 CD, and in the Check Point Download
site at:
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
5. Run the appropriate command line tool at the online machine:
• If the online machine is directly connected to the User Center, run:
license_upgrade upgrade -i <input_file> -c <cache_file>
• If the online machine is connected to the User Center via a proxy, run:
license_upgrade upgrade -y <proxy:port> -i <input_file> -c <cache_file>
Where <input_file> is the package file that is the result of step 2. This
fetches new licenses from the User Center and puts them in a cache file.
• Use the [O] Wizard mode option.
6. Specify the package file that is the result of step 2 and the requested cache
file. This fetches new licenses from the User Center and puts them in a cache
file.
7. Copy the cache file (with the new licenses) back to the offline MDS machine.
8. Start the MDS by running:
mdsenv
mdsstart
9. Run the following command line on the offline MDS:
pv1_license_upgrade import -c <cache_file>
The default cache file location is $CPDIR/conf/lic_cache.C. This imports the
new CMA and MDS licenses to the MDS.
10. Perform the software upgrade to NGX on the MDS Manager, MDS Container,
and the MDG.
System-Wide License Upgrade Using the Wrapper
System-Wide License Upgrade, After Software Upgrade
License Upgrade for a Single CMA
License Upgrade for an Online MDS, Before Software Upgrade
License Upgrade for an Offline MDS, Before Software Upgrade
License Upgrade for an Online MDS, After Software Upgrade
License Upgrade for an Offline MDS, After Software Upgrade
The proxy port number is optional. Username and password (if any) are for the
proxy machine.
OR use the [U] wizard mode option.
This does the following:
• Collects all the licenses that exist on the CMA.
• Fetches updated licenses from the User Center.
• Installs new licenses on the CMA.
• Copy the license_upgrade tool to the online machine. The tool is located at
<platform>/LicenseUpgrade on the R65 CD, and in the Check Point Download
site at
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/license_upgrade.html
4. Run the appropriate command line tool on the online machine:
• If the online machine is directly connected to the User Center, run:
license_upgrade upgrade -i <input_file> -c <cache_file>
• If the online machine is connected to the User Center via a proxy, run:
license_upgrade upgrade -y <proxy:port> -i <input_file> -c <cache_file>
Where <input_file> is the package file that is the result of step 2. This
fetches new CMA licenses from the User Center and puts them in a cache file.
OR
Use the [O] wizard mode option.
Specify the output file package that is the result of step 2. This fetches new
CMA licenses from the User Center and puts them in a cache file.
5. Copy the cache file (with the new CMA licenses) to the MDS machine.
6. Run the following command on the MDS machine:
mdsenv <cma_name>
7. Run the following command line on the offline target machine:
license_upgrade import -c <cache_file>
OR
Use the [U] wizard mode option.
The new CMA licenses are installed on the CMA.
8. Start the CMA services by running:
mdsstart_customer <cma name>
9. Import new licenses of this CMA into the NGX CMA Repositories. Run
mdsenv <cma name>)
License Upgrade Using the User Center
10. Run the following command line on the offline target machine:
license_upgrade import -c <cache_file>
OR
Use the [U] wizard mode option.
11. Perform the software upgrade to NGX on the gateway machine(s).
12. Connect to the MDS using the SmartUpdate component of the MDG, and for
each CMA, delete all obsolete licenses from NGX gateways.
Cause
To understand this issue, some background information is needed:
Pro Add-Ons for MDS is a bundled product that extends the SMART management
capabilities of multiple CMAs by adding SmartUpdate, SmartDirectory, and
SmartView Monitor.
Troubleshooting License Upgrade
The CMA Pro Add-on licenses are generated in the User Center as follows:
1. Perform the Activate License operation on the Pro bundled product, using the IP
address of the first CMA, to generate the license for this CMA. For each
additional CMA, perform the Change IP operation on the bundled product, and
change to the IP address of this CMA.
2. Install each generated license on its respective CMA.
3. At the end of the license generation process, the User Center shows a license
with the IP address of the last CMA for which the Change IP operation was
performed.
Only this last license is upgraded by the license upgrade process.
Resolution
1. On the MDS machine, run the appropriate console command:
• If the MDS is directly connected to the User Center, run:
pv1_license_upgrade upgrade
• If the MDS is connected to the User Center via a proxy, run:
pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd>
The proxy port number is optional. Username and password (if any) are for
the proxy machine.
2. Save the following information:
• Log Files generated by the tool. The location of the files is printed to the
screen when running the tool.
• The cache file generated when running the tool, $CPDIR/conf/lic_cache.C.
3. Contact Account Services at US +1 817 606 6600 (option 7) or e-mail
AccountServices@ts.checkpoint.com, and provide them with the above
information.
Cause
To understand this issue, some background information is needed:
The customer purchases multiple CMAs in order to manage either one VSX Virtual
System (VS) with each CMA, or manage a VS cluster with each CMA.
The purchased VSX part numbers are listed in Table 9-8.
Table 9-8 Virtual Systems Extension - CMA Bundles
Virtual Systems Extension - CMA Bundles (Primary VSX-CMA)
Gateways   Version   Part Number
C10        NG        CPPR-VSX-CMA-C10-NG
C25        NG        CPPR-VSX-CMA-C25-NG
C50        NG        CPPR-VSX-CMA-C50-NG
C100       NG        CPPR-VSX-CMA-C100-NG
C250       NG        CPPR-VSX-CMA-C250-NG
One license for the Provider-1 CMA product in Table 9-10 (to be installed on the
CMA), that specifies the size of the VS cluster that the CMAs are allowed to
manage. A license for a VS cluster of 1 Gateway allows the CMA to manage one VS.
A license for a VS cluster of 2 Gateways allows the CMA to manage a cluster of two
VSs, and so on.
Table 9-10 Provider-1 CMA
Provider-1 CMA (Primary CMA)
Gateways   Version   Part Number
1          NG        CPPR-CMA-1-NG
2          NG        CPPR-CMA-2-NG
4          NG        CPPR-CMA-4-NG
Provider-1 CMA product licenses are generated in the User Center as follows:
1. Perform the Activate License operation on the Provider-1 CMA product, using
the IP address of the first CMA, to generate the license for this CMA. For each
additional CMA, perform the Change IP operation on the bundled product, and
change to the IP address of this CMA.
2. Install each generated license on its respective CMA.
3. At the end of the license generation process, the User Center shows a license
with the IP address of the last CMA for which the Change IP operation was
performed.
Only this last license is upgraded by the license upgrade process.
Resolution
1. On the MDS machine, run the appropriate console command:
• If the MDS is directly connected to the User Center, run:
pv1_license_upgrade upgrade
• If the MDS is connected to the User Center via a proxy, run:
Provider-1/SiteManager-1 Upgrade Practices
In-Place Upgrade
The in-place upgrade process takes place on the existing MDS machine. The MDS
with all CMAs are upgraded during a single upgrade process.
License upgrade is also required when upgrading from versions prior to NGX.
Provider-1/SiteManager-1 NGX cannot function with licenses from versions prior to
NGX. It is therefore highly recommended to upgrade all Provider-1/SiteManager-1
NG licenses to NGX before upgrading the software to NGX.
Note - When upgrading Provider-1 to R65, all SmartUpdate packages on the MDS
(excluding SofaWare firmware packages) are deleted from the SmartUpdate Repository.
5. Perform the license upgrade procedure prior to the MDS software upgrade as
detailed in “System-Wide License Upgrade, Before Software Upgrade” on
page 231. Follow the procedure for an online MDS or an offline MDS, as
applicable.
6. Perform the in-place upgrade.
• For Solaris and Linux, use mds_setup (for additional information, refer to
“Installation Script” on page 211).
• For SecurePlatform, run patch add cd (See “Upgrading to NGX R65 on
SecurePlatform” on page 252).
7. Perform the license upgrade procedure after the MDS software upgrade as
detailed in “System-Wide License Upgrade, Before Software Upgrade” on
page 231. Follow the procedure for an online MDS or an offline MDS, as
applicable.
8. After the upgrade completes, retest using the sub-steps in step 3 above.
Note - The target machine should be on an isolated network segment so that gateways
connected to the original MDS are not affected until you switch to the target machine.
3. Restore the MDS on the target machine. Copy the file created by the backup
process to the target machine and run mds_restore, or run mds_setup and
select the Restore option.
4. If your target machine and the source machine have different IP addresses,
follow the steps listed in “IP Address Change” on page 271 to adjust the
restored MDS to the new IP address. If your target machine and the source
machine have different interface names (e.g. hme0 and hme1), follow the steps
listed in “Interface Change” on page 271 to adjust the restored MDS to the
new interface name.
5. Test to confirm that the replication has been successful:
a) Start the MDS.
b) Verify that all CMAs are running and that you can connect to the MDS with
MDG and Global SmartDashboard.
c) Connect to CMAs using SmartDashboard.
6. Upgrade your MDS. Stop the MDS on the target machine and employ an
In-Place Upgrade (for additional information, refer to “In-Place Upgrade” on
page 251).
Gradual Upgrade to Another Machine
Migrating from a Standalone Installation to CMA
ii. If the globally used gateway refers to a gateway of a customer that was
not migrated, you can remove the gateway from the global database by
issuing a command line command. First, make sure that the Global
SmartDashboard is not running, and then execute the command:
mdsenv; remove_globally_used_gw <Global name of the gateway>
3. When issuing the command: migrate_global_policies where the existing
Global Policy contains Global Communities, the resulting Global Policy
contains:
• the globally used gateways from the existing database
• the globally used gateways from the migrated database
As a result of the migration, the Global Communities are overridden by the
migrated database.
4. The gradual upgrade does not restore the Global Communities statuses,
therefore, if either the existing or the migrated Global Policy contains Global
Communities, reset the statuses from the command line (with MDS live):
mdsenv; fwm mds rebuild_global_communities_status all
Note - If you want the option to later undo the separation process, back up the standalone
gateway before migrating.
Before the management part of the standalone gateway is exported to the target
CMA, some adjustments are required:
1. Make sure that:
• FTP access is allowed from the MDS machine (on which the target CMA is
located) and the standalone machine. (This is only necessary if you plan to
use migrate_assist.)
• The target CMA is able to communicate with and install policy on all
managed modules.
2. Add an object representing the CMA (name and IP address) and define it as a
Secondary SmartCenter server.
3. Install policy on all managed gateways.
Upgrading in a Multi-MDS Environment
Note - MLMs in a multi-MDS system need to be upgraded to the same version as the
Manager and Container MDSs.
Upgrading a Multi-MDS System
Note - When synchronizing, make sure to have only one active MDS and one active CMA for
each customer. Modify the active MDS/CMA and synchronize to Standby.
To update the CLM/CMA objects to the most recent version, verify that all active
CMAs are up and running with valid licenses and that SmartDashboard is not
connected. At this time, the following should be run on each MDS after upgrading
all MLMs/MDSs: mdsenv
To update all CLM/CMA objects, run:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
To update CLM/CMA objects that are located on a specific MLM/MDS, (in case
other MDSs were not yet upgraded) run:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <MLM/MDS name>
After running this utility, remember to synchronize all standby CMAs/SmartCenter
backups.
Restarting CMAs
After completing the upgrade process, CMAs should be started sequentially using
the command mdsstart -s.
Renaming Customers
Previous Provider-1 versions allowed customer names or CMA names in Check Point
2000 to contain illegal characters, such as spaces and certain keyword prefixes. In
NG with Application Intelligence, all customer names must adhere to the same
restrictions as CMA names or any other network objects.
Resolving Non-Compliance
During the upgrade procedure, after selecting Option 2 - Upgrade to NGX R65 on the
mds_setup menu, the resolution of compliant names is performed. The translation
prompt is only displayed if a non-compliant name is detected.
Note - Nothing is changed in the existing installation when translating customer names.
Any changes are applied only to the upgraded installation.
Translation prompt - Enter a name to replace the non-compliant name, or enter the
'-' sign to get a menu of additional options. The new name is checked for naming
restrictions compliance and is not accepted until you enter a compliant name.
Additional Options Menu
Edit another name - The customer names are presented in
alphabetical order. Choose this option to edit a customer name that was already
translated, or any other customer name.
Skip this name - Choose this option if you are not sure what to do with this name
and want to come back to it later. The upgrade cannot take place until all
non-compliant customer names are translated.
Quit session and save recent translations - Choose this option if you want to save
all the work that was done in this session and resume later.
Quit session and throw away recent translations - Choose this option if you want to
abort the session and undo all the translations that you entered during this session.
Return to translation prompt - Choose this option if you want to return to the
customer name you were prompted with when you entered '-'.
Note - The pre-upgrade tool allows only non-compliant customer names to be translated.
If the session is exited before all the translations are done, the mds_setup utility
exits with an error message stating that the MDS verification failed. To return to the
tool, simply run mds_setup again and choose Option 2 - Upgrade to NGX R65.
High Availability
After completing the translations on the first MDS, copy the following files to the
other MDSes. If the MDSes are properly synchronized, no additional work is
required.
Files to be copied:
/var/opt/CPcustomers_translated.txt
/var/opt/CPcustomers_translated.md5
When running the tool a second time, the customer names that have already been
translated are shown before the first non-compliant name is displayed. This is also
the case when running on an additional MDS.
Advanced Usage
An advanced user may choose to directly edit the translation file,
/var/opt/CPcustomers_translated.txt. In this case, all the translations are
verified when mds_setup is run again.
Translations file format - The file is structured line-wise. Each line's meaning is
indicated by its first character. An empty line is ignored. Any line that does not
obey the syntax causes the file to be rejected with an appropriate message.
The '-' and '+' lines must form pairs. Otherwise, the file is rejected.
If the translations file is manually modified, mds_setup detects it and displays
the following menu:
1. Use the translations file anyway - Choose this option only if an authorized
person modified it. This option reads the file, verifies its content and uses the
translations therein.
2. Ignore the translations file and generate a new one - Choose this option to
overwrite the contents of the file.
3. Quit and leave the translations file as it is - Choose this option to exit
mds_setup and leave the translations file as is for now. Run mds_setup again
when you are sure that option 1 or option 2 is suitable.
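A structural pre-check for a hand-edited translations file, covering the pairing and rejection rules described above, can be run before choosing option 1. It is an added example, not Check Point's own verification code. It assumes that a '-' line holds the original customer name, that the '+' line after it holds the replacement, and that these are the only two line types; it also rejects replacement names that contain whitespace or are used twice.

```sh
#!/bin/sh
# Added example: structural check of a hand-edited translations file.
# Assumptions (not stated in the guide): a '-' line holds the original
# customer name, the following '+' line holds its replacement, and the
# name is everything after the first character of the line.

# validate_translations FILE
# On success prints one "original -> replacement" line per pair, returns 0.
# On the first violation prints "line N: reason" to stderr and returns 1.
validate_translations() {
    file=$1
    lineno=0
    have_old=0              # 1 while a '-' line waits for its '+' line
    old=""
    pairs=""
    tab=$(printf '\t')
    nl='
'
    used=$nl                # replacement names seen so far, newline-delimited
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            "")
                continue ;;             # empty lines are ignored
            -*)
                if [ "$have_old" -eq 1 ]; then
                    echo "line $lineno: '-' line follows another '-' line" >&2
                    return 1
                fi
                old=${line#?}
                if [ -z "$old" ]; then
                    echo "line $lineno: empty original name" >&2
                    return 1
                fi
                have_old=1 ;;
            +*)
                new=${line#?}
                if [ "$have_old" -eq 0 ]; then
                    echo "line $lineno: '+' line without a preceding '-' line" >&2
                    return 1
                fi
                case $new in
                    "" | *" "* | *"$tab"*)
                        echo "line $lineno: replacement is empty or contains whitespace" >&2
                        return 1 ;;
                esac
                case $used in
                    *"$nl$new$nl"*)
                        echo "line $lineno: replacement '$new' is used twice" >&2
                        return 1 ;;
                esac
                used=$used$new$nl
                pairs=$pairs$old" -> "$new$nl
                have_old=0 ;;
            *)
                echo "line $lineno: unknown line type" >&2
                return 1 ;;
        esac
    done < "$file"
    if [ "$have_old" -eq 1 ]; then
        echo "line $lineno: '-' line has no matching '+' line" >&2
        return 1
    fi
    printf '%s' "$pairs"
}

# Demonstration on a constructed sample file.
demo() {
    sample=$(mktemp) || return 0
    cat > "$sample" <<'EOF'
-Acme Corp
+Acme_Corp

-cust 2
+cust_2
EOF
    if validate_translations "$sample"; then
        echo "file accepted"
    fi
    rm -f "$sample"
}
demo
```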
Changing the MDS IP Address and External Interface
IP Address Change
If your target machine and the source machine have different IP addresses, follow
the steps listed below to adjust the restored MDS to the new IP address.
To change the IP address:
1. The MDS must be stopped. Stop the MDS by running mdsstop.
2. Change the IP address in $MDSDIR/conf/LeadingIP file to the new IP address.
3. Edit the $MDSDIR/conf/mdsdb/mdss.C file. Find the MDS object that has the
source MDS IP address and change its IP address to the new IP address. Do
not change the name of the MDS.
4. Install a new license on the target MDS with the new MDS IP address.
5. For multiple MDS/MLM environments, repeat steps 1 to 4 on each MDS/MLM
for the MDS/MLM for which you changed the IP.
Interface Change
If your target machine and the source machine have different interface names (e.g.,
hme0 and hme1), follow the steps listed below to adjust the restored MDS to the new
interface name.
To change the interface:
1. Change the interface name in file $MDSDIR/conf/external.if to the new
interface name.
2. For each CMA, replace the interface name in $FWDIR/conf/vip_index.conf. For
example, if this is an NG FP3 installation and you have a CMA named cma1,
edit /opt/CPmds-53/customers/cma1/CPfw1-53/conf/vip_index.conf.
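After both procedures, the files they name can be searched for leftovers of the old address or interface name. The following sh script is an added example, not part of the original guide; the function names are hypothetical, the glob for CMA directories is generalised from the NG FP3 path shown above, and the sample file contents are constructed.

```sh
#!/bin/sh
# Added example: find leftovers of the old IP address or interface name
# after the "IP Address Change" and "Interface Change" steps.
# Assumption: CMA directories follow the customers/<cma>/CPfw1-<version>
# layout of the guide's NG FP3 example; adjust the glob for other versions.

# mentions FILE WORD
# Succeeds when FILE contains WORD as a whole token, so 192.168.0.5 does
# not match 192.168.0.50 and hme1 does not match hme10.
mentions() {
    [ -f "$1" ] && grep -Fwq -e "$2" "$1"
}

# stale_references MDSDIR OLD_IP OLD_IF
# Prints "file: value" for every file that still holds an old value and
# prints nothing when the restored MDS is fully adjusted.
stale_references() {
    mdsdir=$1
    old_ip=$2
    old_if=$3
    for f in "$mdsdir/conf/LeadingIP" "$mdsdir/conf/mdsdb/mdss.C"; do
        if mentions "$f" "$old_ip"; then
            echo "$f: $old_ip"
        fi
    done
    for f in "$mdsdir/conf/external.if" \
             "$mdsdir"/customers/*/CPfw1-*/conf/vip_index.conf; do
        if mentions "$f" "$old_if"; then
            echo "$f: $old_if"
        fi
    done
    return 0
}

# Demonstration on a constructed tree: mdss.C and cma1 were not updated.
demo() {
    root=$(mktemp -d) || return 0
    mkdir -p "$root/conf/mdsdb" "$root/customers/cma1/CPfw1-53/conf"
    echo "10.0.0.9" > "$root/conf/LeadingIP"
    echo "ip 192.168.0.5" > "$root/conf/mdsdb/mdss.C"    # constructed content
    echo "hme0" > "$root/conf/external.if"
    echo "hme1" > "$root/customers/cma1/CPfw1-53/conf/vip_index.conf"
    stale_references "$root" 192.168.0.5 hme1
    rm -rf "$root"
}
demo
```

On a restored MDS, call `stale_references "$MDSDIR" <old IP> <old interface>`; empty output means none of the listed files still refers to the source machine.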
SmartDefense in Provider-1
When upgrading to R65, the previous SmartDefense configuration of the Customer
is overridden on the first Global Policy Assign.
It is recommended to save each Customer’s Security Policy so that the settings can
be restored after upgrade. To do so, from the MDG, go to Customer Configuration
window > Assign Global Policy tab, and enable Create database version.
Chapter 10
Upgrading SmartLSM ROBO Gateways
Planning the ROBO Gateway Upgrade
ROBO Gateway Upgrade Package to SmartUpdate Repository
License Upgrade on Multiple ROBO Gateways
Full Upgrade
This method automatically performs all the required checks and actions for you.
When it successfully completes, the upgraded ROBO Gateway is ready for use. This
is the recommended method to upgrade VPN-1 Power/UTM ROBO Gateways.
To perform a full upgrade:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO
Gateway to be upgraded.
2. Select Actions > Packages > Upgrade All Packages. This selection can also be
done through the right-click menu, or the Upgrade All Packages icon in the
toolbar.
The upgrade process begins with a verification stage, checking which version is
currently installed on the gateway and whether the required packages exist in
your Package Repository. When it completes, a Verification Details window
opens, showing you the verification results.
3. Select Change to a new Profile after upgrade, and select the appropriate new
SmartLSM Profile from the list.
4. Select Allow reboot if required.
5. Click the Continue button.
The Upgrade process begins. Its stages and completion status can be seen in
the Action Status pane, at the bottom of SmartLSM. The entire progress report
can be seen at any time by viewing the Action History (right-click on the
respective line in the Action Status pane, and select Action History).
Upgrading a VPN-1 Power/UTM ROBO Gateway
Specific Installation
This method can be used to install a specific product on a ROBO Gateway.
To perform a specific installation:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO
gateway you want to upgrade.
2. Select Actions > Packages > Get Gateway Data to fetch information about
Packages currently installed on the VPN-1 Power/UTM ROBO gateway.
3. Select Actions > Packages > Distribute Package… or right-click menu, and
select Distribute Package…, or click the icon in the toolbar.
The Distribute Package window opens. This window displays the relevant
packages from the Package Repository that can be installed on your VPN-1
Power/UTM ROBO gateway.
4. In the Distribute Package window, select the package you want to install.
You can then select one of the following actions:
• Distribute and install packages
• Only distribute packages (install later)
• Install previously distributed packages
5. The Allow Reboot if required option should be selected only when upgrading
VPN-1. If you do not select this option, manually reboot the gateway from its
console. The gateway is rebooted after the package installation is completed.
Note - If you are doing a step-by-step upgrade, do not select Allow Reboot if required.
6. If the operating system is SecurePlatform, you can select Backup image for
automatic revert, in case the installation does not succeed.
7. The option Change to a new profile after install lets you select the SmartLSM
Profile that will be assigned to the package upon installation. When upgrading
the VPN-1 Power/UTM ROBO gateway, you must provide a suitable SmartLSM
Profile from the target version. If you are installing a package that does not
require changing the SmartLSM Profile of the VPN-1 Power/UTM ROBO
gateway, this field remains disabled.
8. Click the Start button.
9. The Install process begins. Its stages and completion status can be seen in the
Action Status pane, at the bottom of SmartLSM. The whole progress report can
be seen at any time by viewing the Action History (right-click on the respective
line in the Action Status pane, and select Action History).
Note - You can verify if the installation will succeed before actually upgrading the ROBO
Gateway by choosing Actions > Packages > Verify Installation.
Upgrading a VPN-1 Power/UTM ROBO Gateway In Place
SmartLSM Upgrade Tools
The LSMcli command line arguments are fully described in the Command Line
Reference chapter of the R65 SmartLSM Administration Guide. A partial list of
arguments is shown in Table 10-1, which lists only the arguments that are
important for performing upgrades.
Export
The export tool is located in your SmartLSM application, under File > Export to File.
Use this tool to export a ROBO Gateway’s properties into a text file that you can
turn into a script in order to perform batch upgrades.
To see which product packages are available in your package repository, execute:
LSMcli [-d] <Server> <User> <Password> ShowRepository
Note - It is recommended to use the Full Upgrade method to upgrade VPN-1 Power/UTM
ROBO Gateways.
Upgrading a VPN-1 UTM Edge ROBO Gateway Using LSMcli
Where:
MyServer = the name of my SmartCenter server.
John = the administrator’s name.
mypassword = the administrator’s password.
VerifyUpgrade = the Full Upgrade verification command.
Upgrade = the Full Upgrade command.
ROBO17 = the VPN-1 Power/UTM ROBO Gateway to be upgraded.
MyNewProfile = the new SmartLSM Profile that ROBO17 will be mapped to after
the upgrade.
Where:
MyServer = the name of my SmartCenter server.
John = the administrator's name.
mypassword = the administrator's password.
ModifyROBO VPN1Edge = the command to modify a property on a VPN-1 UTM
Edge ROBO gateway.
ROBO101 = the Edge ROBO Gateway to be upgraded.
EdgeNewProfile = the new SmartLSM Profile that ROBO101 will be mapped to
after the upgrade (optional).
4.0.23 = the name of the new Firmware package.
Restart = the command to restart the gateway.
Using the LSMcli in Scripts
Chapter 11
Upgrading Eventia
Overview
Eventia Reporter of version R56 and higher can be upgraded to R65.
Eventia Analyzer of version 1.0 and higher can be upgraded to R65.
Windows Platform
1. In order to begin the installation, login as an administrator and launch the
wrapper by double-clicking on the setup executable.
2. Agree to the License Agreement and click Forward.
3. Select Upgrade and click Forward.
4. Continue following the instructions.
The instructions that appear will differ according to your deployment.
5. Indicate whether to add new products by selecting the Add new products option
and click Forward.
A list of the products that will be upgraded appears. Click Forward.
Depending on the components that you have chosen to install, you may need to
take additional steps (such as installing other components and/or license
management).
For Distributed Deployments
6. Verify the default directory, or browse to a new location in which Eventia Reporter
will be installed.
7. Verify the default directory, or browse to a new location in which the output files
created by Eventia Reporter will be generated.
Click Next and reboot the machine in order to complete the installation of the
Eventia Reporter and to continue with the next phase of the installation.
8. Launch SmartDashboard.
9. Install the Security Policy, (Policy > Install) or install the database (Policy >
Install Database) in order to make the Eventia Reporter fully functional.
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter
product from cpconfig or from the SecurePlatform Web GUI.
2. Continue from step 3 on page 290 in order to complete the process.
Note - After upgrading Eventia Reporter, the GUI client must be defined on the Eventia
Reporter Server. To do this, run cpconfig and select GUI Clients.
Note - After upgrading Eventia Reporter in a Provider-1 environment, you should select the
customer(s) that will initiate a synchronization with the CMA of the selected customer. To
do this, select Tools > Customer Activation in the Eventia Reporter client, select the relevant
customers and click OK.
Advanced Eventia Reporter Upgrade
10. Copy the database files from the backup to the target machine.
11. If the original SmartCenter server is of a version prior to NGX R65, the
database needs to be upgraded.
To upgrade the database:
a. Open a console and cd to the bin directory of the installation.
For Windows, the default location is C:\Program Files\CheckPoint\EventiaSuite\R65\bin
For other platforms, the default location is /opt/CPrt-R65/svr/bin
b. Run the following script:
• For Windows: evr_upgrade_db
• For other platforms: ./evr_upgrade_db
12. If necessary, modify the following fields in the mysql configuration file to match
the locations of the database data files:
• datadir=
• innodb_log_group_home_dir=
• innodb_data_file_path=
The locations were copied in step 3.
Note - Make sure that the paths are written in Unix format, with a forward slash (/) between
directories.
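A check for step 12 and the note above, as an added example that is not part of the Check Point guide: it scans the text of a mysql configuration file for the three fields and rewrites any backslash separators as forward slashes. The function name, the finding labels and the sample configuration with its paths are constructed for illustration.

```python
import re

# The three fields step 12 says to check in the mysql configuration file.
PATH_KEYS = ("datadir", "innodb_log_group_home_dir", "innodb_data_file_path")

# "key = value" with optional whitespace around "="; comment lines, section
# headers and bare options (no "=") do not match and are passed through.
_KV = re.compile(r"^(\s*)([A-Za-z0-9_-]+)(\s*=\s*)(.*?)(\s*)$")


def _canonical(key):
    # MySQL accepts dashes and underscores interchangeably in option names.
    return key.replace("-", "_").lower()


def check_mysql_paths(text):
    """Return (fixed_text, findings) for the fields listed in PATH_KEYS.

    findings holds (line_number, key, problem) tuples. problem is
    "backslash" when the value uses Windows separators, or "unset"
    (line_number 0) when the field does not appear in the file at all.
    """
    findings = []
    seen = set()
    out = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = _KV.match(line)
        if not match:
            out.append(line)
            continue
        indent, key, sep, value, tail = match.groups()
        name = _canonical(key)
        if name not in PATH_KEYS:
            out.append(line)
            continue
        seen.add(name)
        if "\\" in value:
            findings.append((number, name, "backslash"))
            # Collapse doubled backslashes as well as single ones.
            value = re.sub(r"\\+", "/", value)
        out.append(f"{indent}{key}{sep}{value}{tail}")
    for name in PATH_KEYS:
        if name not in seen:
            findings.append((0, name, "unset"))
    return "\n".join(out) + "\n", findings


# Constructed sample: one backslash path, one correct path, one field absent.
SAMPLE_CONFIG = "\n".join([
    "[mysqld]",
    "# constructed sample values, not from a real installation",
    "port=3306",
    r"datadir=D:\EventiaData\data",
    "innodb_log_group_home_dir = D:/EventiaData/logs",
    "# innodb_data_file_path is deliberately left out",
])

if __name__ == "__main__":
    fixed, problems = check_mysql_paths(SAMPLE_CONFIG)
    for number, key, problem in problems:
        print(f"line {number}: {key}: {problem}")
    print(fixed, end="")
```

An "unset" finding only means the field is not in the file; whether it needs to be added depends on where the database data files were copied.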
Enabling Eventia Analyzer after Upgrading Reporter
1. cpstop
2. evconfig
While running evconfig, enable Analyzer Server or the Correlation Unit.
3. cpstart
Prerequisites
Before upgrading to Analyzer NGX R65, note the path to the current database file:
$RTDIR/events_db/events.sql, where $RTDIR is a variable that contains the path
of the previous Eventia Analyzer installation.
In R63, the default path:
• For Windows is C:\Program Files\CheckPoint\EventiaSuite\R63
• For Unix platforms is /opt/CPrt-R63
This path is changed during the upgrade process.
Upgrading Eventia Analyzer to NGX R65
THIRD PARTY TRADEMARKS AND COPYRIGHTS
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust
product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary
of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright
© 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are
permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the
University may not be used to endorse or promote products derived from this software without specific prior written permission. This
software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software
without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC
YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C)
1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will
the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for
any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this
software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software;
you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper
Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own.
Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce
Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring
Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998,
1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner.
Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001,
2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions
relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997,
1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the
file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van
den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial
application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of
the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If
you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible
documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but
not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying
documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and
Hutchison Avenue Software Corporation for their prior contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You
may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF
THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use
or other dealings in this Software without prior written authorization of the copyright holder.
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For
written permission, please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission
from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it
"PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing
version number. Once covered code has been published under a particular version of the license, you may always continue to use it
under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the
license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code
created under this License.
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be
contacted via Email at group@php.net.
For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend
Engine, freely available at <http://www.zend.com>.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to
the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of
the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed,
republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is
granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you
do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise
stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any
unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and
publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are
breached. Upon termination, any downloaded and printed materials must be immediately destroyed.
Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered
Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be
Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or
otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual
property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity
pertaining to distribution of, or access to, materials in
this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless
establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be
referred to NextHop at U.S. +1 734 222 1600.
The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the
U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The
Government's rights to use, modify, reproduce, release, perform, display or disclose are
restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software
Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in
Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial
Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of
the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use,
duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED.
TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER
PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS
REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE
RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE
INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED
FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR
EXCLUSION MAY NOT FULLY APPLY TO YOU.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
PCRE LICENCE
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5
language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE,
supplied in the "doc" directory, is distributed under the same terms as the software itself.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions
are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.
Index
R
release notes link 20
remote upgrade 274
restore 129
ROBO Gateway 26, 274, 278, 280
ROBO Profile 26
S
T
TFTP 129, 132
Translation prompt 268
V
Virtual Routers 27
Virtual System 27
VPN-1 distributed deployment 140
VPN-1 Edge Firmware package 275
VPN-1 Gateways 112
VPN-1 Server 144
VSX Clustering 27
VSX Gateway 27