All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Installation Section
Chapter 1 Introduction
Welcome......................................................................................................... 15
Who Should Use This Guide.............................................................................. 16
R70 Documentation......................................................................................... 16
New Terms...................................................................................................... 17
Related Documentation .................................................................................... 18
For New Check Point Customers........................................................................ 19
Endpoint Security Integration............................................................................ 20
More Information ............................................................................................. 20
Feedback ........................................................................................................ 20
Table of Contents 5
Configuring SecurePlatform Using WebUI ..................................................... 43
Installing on Windows ...................................................................................... 44
Installing on Solaris or Linux............................................................................. 46
Installing on Nokia........................................................................................... 48
Before Installing ......................................................................................... 48
Upgrading IPSO 4.x to IPSO 6.0.7 ............................................................... 48
Configuring R70 ......................................................................................... 50
Initially Configuring Products ............................................................................ 51
Configuration Tool Overview ......................................................................... 51
Using the Configuration Tool on Windows Systems ......................................... 52
Using the Configuration Tool on Unix Systems ............................................... 54
Logging In for the First Time........................................................................ 55
Where To From Here?....................................................................................... 58
IPS-1 System Architecture........................................................................... 92
Platforms ................................................................................................... 93
IPS-1 Deployment............................................................................................ 94
IPS-1 Sensor Deployment ............................................................................ 94
IPS-1 Management Deployment ................................................................... 95
IPS-1 Management Installation and Setup ......................................................... 98
Installation of IPS-1 Management Servers ..................................................... 98
IPS-1 Sensor Appliances ................................................................................ 103
Introduction ............................................................................................. 103
IPS-1 Sensor Appliance Models ................................................................. 103
IPS-1 Sensor Installation................................................................................ 108
Connecting to IPS-1 Sensors...................................................................... 108
Installing SecurePlatform and IPS-1 Sensors............................................... 108
Initial Configuration of IPS-1 Sensors ......................................................... 109
Initial Configuration of IPS-1 Power Sensor ................................................. 111
IPS-1 Management Dashboard Installation .................................................. 113
Post-Installation Steps ................................................................................... 114
Configuring NTP on SecurePlatform............................................................ 114
Completing IPS-1 Management Setup......................................................... 115
Completing IPS-1 Sensor Setup ................................................................. 119
Where To From Here?..................................................................................... 122
Upgrade Section
Chapter 7 Introduction to the Upgrade Process
Documentation .............................................................................................. 126
Contract Verification ...................................................................................... 126
Supported Upgrade Paths and Interoperability .................................................. 127
Upgrading Management Servers ................................................................. 127
Backward Compatibility For Gateways ......................................................... 128
Obtaining Software Installation Packages ......................................................... 128
Terminology .................................................................................................. 129
Upgrade Tools ............................................................................................... 131
Upgrading Successfully .................................................................................. 131
On SecurePlatform, and Linux ................................................................... 150
On IPSO .................................................................................................. 154
Managing Contracts with SmartUpdate ............................................................ 155
Managing Contracts .................................................................................. 155
Updating Contracts ................................................................................... 158
Standalone Security Gateway Upgrade on SecurePlatform.................................. 204
Uninstalling Packages ............................................................................... 205
Standalone Upgrade on a UTM-1/Power-1 Appliance......................................... 206
Uninstalling Packages ............................................................................... 206
Standalone Gateway Upgrade on an IPSO Platform ........................................... 207
Before Installing ....................................................................................... 207
Upgrading Through Voyager ....................................................................... 207
Upgrading Through the CLI........................................................................ 209
Uninstalling Previous Software Packages..................................................... 210
export_database........................................................................................ 255
merge_plugin_tables ................................................................................. 257
migrate_assist .......................................................................................... 258
cma_migrate ............................................................................................ 259
migrate_global_policies ............................................................................. 264
Backup and Restore .................................................................................. 264
Provider-1 Upgrade Practices.......................................................................... 266
In-Place Upgrade...................................................................................... 266
Replicate and Upgrade .............................................................................. 267
Gradual Upgrade to Another Machine ......................................................... 268
Migrating from Security Management to a CMA ........................................... 270
Upgrading in a Multi-MDS Environment ........................................................... 273
Pre-Upgrade Verification and Tools ............................................................. 273
Upgrading a Multi-MDS System ................................................................. 274
Restarting CMAs ............................................................................................ 277
Restoring Your Original Environment................................................................ 278
Before the Upgrade................................................................................... 278
Restoring Your Original Environment........................................................... 278
Renaming Customers ..................................................................................... 279
Identifying Non-Compliant Customer Names................................................ 279
High Availability Environment .................................................................... 279
Automatic Division of Non-Compliant Names............................................... 279
Resolving Non-Compliance ........................................................................ 280
Advanced Usage ....................................................................................... 281
Changing the MDS IP Address and External Interface........................................ 283
IP Address Change.................................................................................... 283
Interface Change ...................................................................................... 283
IPS in Provider-1 ........................................................................................... 284
For Standalone Deployments...................................................................... 300
For Distributed Deployments ...................................................................... 301
Advanced Eventia Reporter Upgrade ........................................................... 303
Enabling Eventia Analyzer after Upgrading Reporter ..................................... 305
Upgrading Eventia Analyzer ............................................................................ 306
Upgrading Eventia Analyzer to R70 ............................................................ 306
Verifying the Events Database Has Been Moved ........................................... 308
Enabling Eventia Reporter ......................................................................... 308
Installation Section
This section covers installing the current version.
Chapter 1
Introduction
In This Chapter
Welcome page 15
Who Should Use This Guide page 16
R70 Documentation page 16
Related Documentation page 18
For New Check Point Customers page 19
Endpoint Security Integration page 20
More Information page 20
Feedback page 20
Welcome
Thank you for choosing Check Point’s Internet Security Product Suite. We hope that
you will be satisfied with this solution and our support services. Check Point
products provide your business with the most up-to-date and secure solutions
available today.
Check Point also delivers worldwide technical services including educational,
professional, and support services through a network of Authorized Training Centers,
Certified Support Partners, and Check Point technical support personnel to ensure
that you get the most out of your security investment.
Who Should Use This Guide
R70 Documentation
Technical documentation is available on your CD-ROM at:
CD3\Docs\CheckPoint_Suite. These documents can also be found at:
http://support.checkpoint.com
To find out about what's new in R70, read the R70 Getting Started Guide.
For upgrading Endpoint Security, refer to the Endpoint Security Installation Guide.
New Terms
The following product and technology names have been changed for this version.
Table 1: Product and Technology Names
Versions NG and NGX Products and Technologies    Version R70 Products and Technologies
Firewall-1                                       Firewall
Integrity                                        Endpoint Security
Integrity Clientless Security                    Endpoint Security On Demand
ROBO Gateway                                     Check Point SmartLSM Security Gateway
SmartCenter server                               Security Management server
SmartDefense                                     IPS
SmartDirectory (LDAP)                            User Directory
SmartLSM management                              SmartProvisioning
SmartPortal                                      Management Portal
VPN-1 (Power/UTM) Gateway                        Check Point Security Gateway
VPN-1 UTM Edge                                   UTM-1 Edge
Web Filtering                                    URL Filtering
Chapter 1 Introduction 17
Related Documentation
The current release includes the following documentation.
Title: Description
Internet Security Installation and Upgrade Guide: Contains detailed installation
instructions for Check Point network security products. Explains the available
upgrade paths from versions R60-65 to the current version.
High-End Installation and Upgrade Guide: Contains detailed installation
instructions for the Provider-1 and VSX products, including hardware and software
requirements and licensing requirements. Explains all upgrade paths for Check
Point products specifically geared towards upgrading to the current version.
Security Management Server Administration Guide: Explains Security Management
solutions. This guide provides solutions for control over configuring, managing,
and monitoring security deployments.
Firewall Administration Guide: Describes how to control and secure network access
and VoIP traffic; how to use integrated web security capabilities; and how to
optimize Application Intelligence with capabilities such as Content Vectoring
Protocol (CVP) applications and URL Filtering (UFP) applications.
IPS Administration Guide: Describes how to use IPS to protect against attacks.
Virtual Private Networks Administration Guide: Describes the basic components of a
VPN and provides the background for the technology that comprises the VPN
infrastructure.
For New Check Point Customers
Title: Description
Eventia Reporter Administration Guide: Explains how to monitor and audit traffic,
and generate detailed or summarized reports in the format of your choice (list,
vertical bar, pie chart etc.) for all events logged by Check Point Security
Gateways, SecureClient and IPS.
SecurePlatform/SecurePlatform Pro Administration Guide: Explains how to install
and configure SecurePlatform. This guide will also teach you how to manage your
SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast)
protocols.
Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1 security
management solution. This guide provides details about a three-tier, multi-policy
management architecture and a host of Network Operating Center oriented features
that automate time-consuming repetitive tasks common in Network Operating Center
environments.
Endpoint Security Integration
More Information
• For additional technical information about Check Point products, consult
Check Point’s SecureKnowledge at http://support.checkpoint.com.
• To view the latest version of this document in the Check Point User Center, go
to: http://support.checkpoint.com.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
Chapter 2
Getting Started
In This Chapter
Terminology page 22
Provider-1/SiteManager-1 Terminology page 23
Hardware and Software Requirements page 24
Compatibility Tables page 25
Supported Upgrade Paths and Interoperability page 27
Licensing R70 page 29
Terminology
The following terms are used throughout this chapter:
• Distributed Deployment: When the gateway and the Security Management
server are installed on separate machines.
• Gateway: The software component that enforces the organization’s security
policy and acts as a security enforcement point.
• Security Policy: The policy created by the system administrator that regulates
the flow of incoming and outgoing communication.
• Security Management server: The server used by the system administrator to
manage the security policy. The organization’s databases and security policies
are stored on the Security Management server and downloaded to the gateway.
• SmartConsole: GUI applications that are used to manage various aspects of
security policy enforcement. For example, SmartView Tracker is a SmartConsole
application that manages logs.
• SmartDashboard: A SmartConsole GUI application that is used by the system
administrator to create and manage the security policy.
• Standalone Deployment: When Check Point components responsible for the
management of the security policy (the Security Management server and the
gateway) are installed on the same machine.
Provider-1/SiteManager-1 Terminology
The following Provider-1/SiteManager-1 terms are used throughout this chapter.
• Customer: A business entity or subdivision of a business entity whose networks
are protected by security gateways, UTM-1 Edge appliances or other Check
Point compatible firewalls. The Customer’s security policies and network access
are managed using Provider-1/SiteManager-1.
• Customer Log Module (CLM): A log server for a single Customer.
• Customer Management Add-on (CMA): The Provider-1 equivalent of the Security
Management server for a single Customer. Using the CMA, an administrator
creates security policies and manages customer gateways.
• GUI Client: A computer running Check Point GUI interfaces, such as the
Provider-1 MDG, and other SmartConsole applications.
• Internal Certificate Authority (ICA): In addition to authenticating administrators
and users, the ICA creates and manages X.509 compliant certificates for
Secure Internal Communication (SIC) between security gateways. The MDS has
an ICA that secures the Provider-1 management domain. Each CMA has its own
ICA to secure its customer’s management domain.
• Multi-Domain Log Module (MLM): An MDS Container dedicated to collecting
and storing logs. An MLM is a Container of Customer Log Modules (CLMs).
• Multi-Domain Server (MDS): A server that houses Provider-1 system
information. The MDS contains information on Provider-1 deployment,
administrators, and customer management. The MDS has two modes:
• Manager: Runs the Provider-1 deployment and is the administrator’s entry
point into the Provider-1 environment.
• Container: Holds the Customer Management Add-ons (CMAs).
An MDS can be a Manager, a Container or both.
Compatibility Tables
If the existing Check Point implementation contains products that are not
supported by R70, the R70 installation process terminates. Table 2-1 and
Table 2-2 list the supported Check Point products and VPN clients by platform.
Table 2-1 Supported Products by Platform
Platform columns, left to right: Check Point SecurePlatform; Windows Server 2003
(SP1-2); Windows Server 2008; RHEL 5.0 (kernel 2.6.18, 32bit); Nokia IPSO 6.0.7;
Crossbeam X-Series; Solaris UltraSPARC 8, 9, 10 (32bit). An X marks a supported
platform.
Security Gateway: X X X X X
Security Management: X X X X X X
Provider-1/SiteManager-1 Server (MDS): X X X
Performance Pack: X X X
Advanced Routing: X X X
Management Portal: X X X X X
Reporting and Event Correlation: X X X X X
Clustering (ClusterXL): X X X X X
CoreXL: X X X
Provisioning Enabled SmartLSM Gateways: X X X X
Provisioning Enabled Management: X X X X X
SSL Network Extender Server: X X X X
Endpoint Security Server: X X X X
VSX Security Gateway: X (IPSO 5) X
OSE Supported Routers: Cisco OS Versions 9.x, 10.x, 11.x, 12.x
Product Notes
1. Anti-Virus and Web Filtering are included on SecurePlatform.
2. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and
Eventia Analyzer Correlation Unit.
3. ClusterXL is supported only in third party mode with VRRP or IP Clustering. The
maximum number of cluster members is eight.
4. Management Portal is supported on the following Web browsers: Internet
Explorer 6 and 7, and Mozilla Firefox 1.5-2.0.
Platform Notes
1. UTM-1 Edge devices cannot be managed from a Security Management server running
on a Nokia IPSO platform.
2. UserAuthority is not supported on Nokia flash-based platforms.
3. HA Legacy mode is not supported on Windows Server 2003.
4. Only UltraSPARC 64-bit is supported, and only for Security Management (not for
gateways).
Table 2-2 Supported Clients by Platform
Platform and operating system columns, left to right: Windows 2000 Server /
Advanced Server (SP1-4); Windows 2000 Pro (SP1-4); Windows XP Home & Pro (SP3);
Windows Mobile 2003, 2003SE, 5.0, 6.0, 6.1; Windows Server 2003 (SP1-2); Windows
Vista (SP1); Windows Server 2008; Mac OS 10.4; Mac OS 10.5; Linux. An X marks a
supported platform.
SmartConsole X X X X
Provider-1/SiteManager-1 MDG X X X X
SecuRemote X X X X
SecureClient X X X X X X X
SecureClient Mobile X
SSL Network Extender X X X X X X
Endpoint Security Client X X X
Endpoint Connect Client X X X
Supported Upgrade Paths and Interoperability
Release Version
NGX
R60, R60A, R61, R62, R65 (R65.4 not supported)
R65 with HFA 30 with the Connectra NGX R66 Plug-in
R65 with Messaging Security
R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
R65 with the SmartProvisioning Plug-in
R65 UTM-1
R65 Power-1
Interoperability
Management components of the current release, such as IPS-1 Management
Server, Alerts Concentrators and Management Dashboard, are compatible with
Sensors of versions 4.1 onwards.
The different management components (IPS-1 Management Server, Alerts
Concentrators and Management Dashboard) must always be of the same version.
Licensing R70
Most of the software on this CD is automatically enabled for a 15-day evaluation period. To obtain
a permanent license, or to extend the evaluation period, go to the Check Point User Center at:
https://usercenter.checkpoint.com
Customers new to the Check Point User Center should go to:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
For further licensing assistance, contact Account Services at:
AccountServices@checkpoint.com, or US +1 972-444-6600, option 5.
Licensing R70
Licenses are required for the Security Management server and security gateways.
No license is required for SmartConsole management clients.
Check Point gateways enforce the license installed on the gateway by counting the
number of users that have crossed the gateway. If the maximum number of users is
reached, warning messages are sent to the console.
The Check Point software is activated using a certificate key, which is located on
the back of the software media pack. The certificate key is used to generate a
license key for products that you want to evaluate or purchase. To purchase Check
Point products, contact your reseller.
b. Import the product license key. Licenses are imported using the Check
Point Configuration Tool or SmartUpdate. SmartUpdate allows you to
centrally upgrade and manage Check Point software and licenses. The
certificate keys associate the product license with the Security Management
server, which means that:
• The new license remains valid even if the IP address of the Check Point
gateway changes.
• Only one IP address is needed for all licenses.
• A license can be detached from one Check Point gateway and assigned
to another.
Upgrading Licenses
The upgrade procedure is free of charge to purchasers of the Software Subscription
service (Enterprise Base Support).
The license upgrade procedure runs the license_upgrade command, which upgrades
the licenses automatically.
Licensing Provider-1/SiteManager-1
Provider-1/SiteManager-1 licenses are associated with the IP address of the
licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the
server type: Manager, Container, Combined Manager and Container, or
Multi-Domain Log Manager (MLM).
Manager: A license for the administrator's entry point into the
Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the
Global SmartDashboard tools can connect only to MDS servers with this license.
Container: A license that defines the maximum number of CMAs running on the
MDS machine. With the exception of Provider-1 Enterprise Edition licenses,
multiple container licenses can be added together on one container to enable the
container to hold up to a maximum of 250 CMAs. In addition, each CMA requires
its own CMA license. CMA Pro Add-on licenses, allowing additional management
features at the CMA level, can be purchased in bulk. These purchase packages are
called Pro Add-ons for MDS.
Combined Manager and Container: These licenses combine a Manager license with
a Container license for a specific number of CMAs. In the case of SiteManager-1
licenses, there are no separate Manager and Container versions available, only the
Combined Manager and Container license.
MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it
hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM.
A CLM hosted on an MDS server requires its own CLM license.
Each gateway requires its own license. Licenses are determined according to the
number of computing devices (nodes) protected by the gateway. Provider-1 licenses
can be imported using the Check Point command-line licensing tool or Provider-1's
MDG. For additional information, refer to the Provider-1/SiteManager-1
Administration Guide.
Licensing IPS-1
The IPS-1 Management Server requires a license, which defines the maximum number
of Sensors it can manage. In a Combined installation, where the Alerts
Concentrator is installed together with the IPS-1 Management Server, the Alerts
Concentrator shares the IPS-1 Management Server’s license.
For any separate Alerts Concentrators and for all Sensors, obtain and add licenses.
Licenses are added using IPS-1’s Management Dashboard.
The IPS-1 Management Dashboard does not require a license. However, without a
licensed IPS-1 Management Server, the IPS-1 Dashboard will function only in
Demo mode.
All licenses are stored on the IPS-1 Management Server and must have been
generated according to the IPS-1 Management Server’s IP address.
Chapter 3
Setup and Installation
In This Chapter
Overview page 34
Installing on SecurePlatform page 35
Installing on Windows page 44
Installing on Solaris or Linux page 46
Installing on Nokia page 48
Initially Configuring Products page 51
Where To From Here? page 58
Overview
Check Point software is designed to work across multiple platforms and
pre-configured appliances. Each installation differs depending on the product and
the platform.
For upgrading an existing installation, see the upgrade section.
Check Point products can be installed in the following two types of deployments:
• Standalone Deployment: Check Point components that are responsible for the
management of the security policy (the Security Management server and the
gateway) are installed on the same machine.
• Distributed Deployment: The Security gateway and the Security Management
server are installed on different machines.
In both deployments, SmartConsole can be installed on any machine. The
installation consists of the following steps:
• Install the components that manage or enforce the security policy (for example,
the Security Management server, the security gateway, and the log server).
• Install one or more SmartConsole clients to manage different aspects of the
deployment. For example, SmartDashboard is used by the system administrator
to create and manage the security policy. Any number of SmartConsole GUI
applications can be installed on the same machine.
Note - The TCP/IP network protocol must be installed, properly configured, and operational
before you begin the installation process.
Installing on SecurePlatform
In This Section:
• Security Gateway
• Security Management server
• Eventia Suite
• Endpoint Security (CD2)
• Performance Pack
• Management Portal
4. Use the space bar to select the appropriate products and select OK.
5. Select the type of system to install:
• SecurePlatform
• SecurePlatform Pro (which includes the advanced dynamic routing suite)
6. The Keyboard Selection menu opens.
7. Select a keyboard type.
8. From the Network Interface Configuration menu, define the:
• IP address of the management interface
• Netmask and default gateway for the first network interface (eth0 on most
systems)
9. From the HTTPS Server Configuration menu, enable or disable web-based
configuration using SecurePlatform’s WebUI.
Note - If you intend to deploy remote access or Endpoint Security software, select a port
other than 443.
Warning - The formatting procedure erases all information located on your hard drive.
11. Select OK to:
• Format your hard drive
• Extract, copy files, and install SecurePlatform software blades.
• Perform post install configuration
• Install the boot loader
The installation process can take several minutes to complete.
12. When the Installation Complete message appears, remove the installation CD
from the drive, and select OK to reboot the system.
Continue to “Initially Configuring SecurePlatform” on page 41.
Installing SecurePlatform from the Network
General Workflow
The client’s requirements are minimal. Only PXE is required. On the server, you
must install:
• A DHCP daemon
• A TFTP daemon
• The PXE boot loader
• The kernel
• The ramdisk
Then:
1. The client boots from the network, using the PXE network loader.
2. The client sends a broadcast request, using the BOOTP protocol.
3. The server responds to the client, providing the client’s assigned IP address
and the filename (pxelinux.0 by default) of the PXE boot loader to download.
4. The client downloads the PXE boot loader, using TFTP, and executes it.
5. The PXE boot loader downloads a PXE configuration file from the server,
containing the names of the kernel and the ramdisk that the client requires.
6. The PXE boot loader downloads the kernel and the ramdisk.
7. The kernel is run, using the ramdisk as its environment.
8. The Installer is executed.
9. At this point the installation can be configured to load files from the FTP
server.
Client Setup
On the client machine, enable the network boot, using PXE, from the BIOS setup.
(It sometimes appears as DHCP.)
Server Setup
In This Section
Required Packages
The following packages are required for server setup:
• DHCP daemon (located on the Checkpoint CDROM and installed, by default, on
SecurePlatform)
• Xinetd (/SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm on the Checkpoint
CDROM)
• TFTP daemon (/SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm)
• FTP server (/SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm)
• TCP-Wrappers package
(/SecurePlatform/RPMS/tcp_wrappers-7.6-34.4cp.i386.rpm)
• Kernel (can be found on the SecurePlatform CD at /SecurePlatform/kernel)
• Ramdisk (can be found on the SecurePlatform CD at
/SecurePlatform/ramdisk-pxe)
Note - To access files on the Check Point CDROM, insert the CDROM into the CDROM
drive and enter the command: # mount /mnt/cdrom
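The DHCP/TFTP/pxelinux exchange in steps 1 to 9, together with the server-side files listed under Required Packages, as an added shell example that is not from the Check Point guide: it writes a minimal ISC dhcpd fragment that hands clients the TFTP server address and the pxelinux.0 filename, writes a pxelinux.cfg/default that names the kernel and ramdisk, and then checks that every file the configuration references is actually present under the TFTP root before any client is booted. The TFTP root, the 10.0.0.0/24 install subnet and the file names kernel and ramdisk-pxe inside the TFTP root are assumptions made for this example, not values taken from the guide.

```shell
#!/bin/sh
# Added example, not Check Point's own code. Stages a PXE server tree for the
# workflow above and verifies it. The subnet, the TFTP root layout and the
# names "kernel" and "ramdisk-pxe" are assumptions made for this example.

# Write the ISC dhcpd fragment (steps 2-3): the client is offered an address,
# the TFTP server to fetch from (next-server) and the boot loader filename.
write_dhcpd_conf() {
    out="$1"
    cat > "$out" <<'EOF'
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.199;
    next-server 10.0.0.1;
    filename "/pxelinux.0";
}
EOF
}

# Write the pxelinux configuration (steps 5-6): names the kernel and the
# ramdisk that pxelinux downloads over TFTP, relative to the TFTP root.
write_pxelinux_cfg() {
    root="$1"
    mkdir -p "$root/pxelinux.cfg"
    cat > "$root/pxelinux.cfg/default" <<'EOF'
DEFAULT install
PROMPT 0
LABEL install
    KERNEL kernel
    APPEND initrd=ramdisk-pxe
EOF
}

# Verify the TFTP root: pxelinux.0 plus every KERNEL and initrd= file named in
# pxelinux.cfg/default must exist. Reports each missing file on stderr and
# returns 1 if anything is missing, 0 if the tree is complete.
check_tftp_root() {
    root="$1"
    cfg="$root/pxelinux.cfg/default"
    missing=0
    for f in pxelinux.0 \
             $(awk 'toupper($1)=="KERNEL"{print $2}' "$cfg") \
             $(grep -o 'initrd=[^ ]*' "$cfg" | cut -d= -f2); do
        if [ ! -f "$root/$f" ]; then
            echo "missing from TFTP root: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# Stand-alone run: stage a throwaway tree and check it before and after the
# ramdisk is copied in. Empty files stand in for the real binaries here.
demo_root=$(mktemp -d)
write_dhcpd_conf "$demo_root/dhcpd.conf"
write_pxelinux_cfg "$demo_root"
: > "$demo_root/pxelinux.0"
: > "$demo_root/kernel"
if check_tftp_root "$demo_root"; then echo "unexpected: tree already complete"; fi
: > "$demo_root/ramdisk-pxe"
if check_tftp_root "$demo_root"; then echo "TFTP root complete: $demo_root"; fi
rm -rf "$demo_root"
```

Run as-is to stage a throwaway tree under a temporary directory; the first check deliberately reports the ramdisk as missing, which is the failure a client would otherwise only hit in step 6 after it has already fetched the kernel. In a real deployment, copy pxelinux.0, the kernel and the ramdisk from the CD paths listed above into the TFTP root and run check_tftp_root against it before pointing dhcpd at it.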
}
host foo {
    filename "/pxelinux.0";
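The workflow above names the three server-side pieces (DHCP/BOOTP reply pointing at pxelinux.0, a TFTP daemon under xinetd, and a pxelinux configuration naming the kernel and ramdisk) but shows only a fragment of the dhcpd host stanza. The following is an added example, not Check Point's tooling: it renders those files and then checks that the TFTP root really contains every file a client will request, which is the usual cause of a PXE boot that stops after the loader. The subnet 192.0.2.0/24, the host name and MAC address, the /tftpboot root, the in.tftpd path and the APPEND line are assumptions; the only_from restriction is there because TFTP and DHCP are unauthenticated, so the install network should be isolated.

```python
"""Server-side files for a PXE network install of SecurePlatform, plus a
check that the TFTP root holds everything the boot loader will ask for.
Added example, not Check Point code; paths and addresses are assumptions."""
import os
import re
import tempfile


def dhcpd_conf(subnet, netmask, next_server, hosts):
    """Render dhcpd.conf. 'hosts' is a list of (name, mac, ip); each PXE
    client gets a fixed address and is told to fetch pxelinux.0 from
    next_server (steps 3 and 4 of the workflow)."""
    lines = [
        "ddns-update-style none;",
        "allow booting;",
        "allow bootp;",
        f"subnet {subnet} netmask {netmask} {{",
        f"    next-server {next_server};",
        '    filename "/pxelinux.0";',
        "}",
    ]
    for name, mac, ip in hosts:
        lines += [
            f"host {name} {{",
            f"    hardware ethernet {mac};",
            f"    fixed-address {ip};",
            '    filename "/pxelinux.0";',
            "}",
        ]
    return "\n".join(lines) + "\n"


# xinetd stanza for the TFTP daemon. only_from confines the unauthenticated
# service to the (assumed) install subnet: anyone who can reach it can read
# the kernel and ramdisk, and a rogue DHCP/TFTP server on the same segment
# can hand clients a different image.
XINETD_TFTP = """service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    only_from   = 192.0.2.0/24
    disable     = no
}
"""


def pxelinux_default(kernel="kernel", ramdisk="ramdisk-pxe"):
    """pxelinux.cfg/default: names the kernel and ramdisk (step 5)."""
    return (
        "DEFAULT splat\n"
        "PROMPT 0\n"
        "LABEL splat\n"
        f"    KERNEL {kernel}\n"
        f"    APPEND initrd={ramdisk}\n"
    )


def referenced_boot_files(cfg_text):
    """Every name a client will request over TFTP: the loader itself plus
    each KERNEL and initrd= in the pxelinux configuration."""
    files = {"pxelinux.0"}
    files.update(re.findall(r"^\s*KERNEL\s+(\S+)", cfg_text, re.M))
    files.update(re.findall(r"initrd=([^\s,]+)", cfg_text))
    return files


def missing_boot_files(tftp_root):
    """Referenced names absent from the TFTP root; empty means steps 4-6
    can complete."""
    with open(os.path.join(tftp_root, "pxelinux.cfg", "default")) as f:
        cfg = f.read()
    return sorted(name for name in referenced_boot_files(cfg)
                  if not os.path.isfile(os.path.join(tftp_root, name)))


def write_tftp_root(tftp_root, kernel="kernel", ramdisk="ramdisk-pxe"):
    """Create pxelinux.cfg/default; pxelinux.0, the kernel and the ramdisk
    are copied from the SecurePlatform CD by hand."""
    os.makedirs(os.path.join(tftp_root, "pxelinux.cfg"), exist_ok=True)
    with open(os.path.join(tftp_root, "pxelinux.cfg", "default"), "w") as f:
        f.write(pxelinux_default(kernel, ramdisk))


def self_check():
    """Throwaway TFTP root: the check flags the three missing files, then
    passes once stand-ins for the CD files are in place."""
    root = tempfile.mkdtemp()
    write_tftp_root(root)
    before = missing_boot_files(root)
    for name in ("pxelinux.0", "kernel", "ramdisk-pxe"):
        open(os.path.join(root, name), "w").close()  # stand-ins, not real images
    return before, missing_boot_files(root)
```

Run missing_boot_files against the real /tftpboot after copying pxelinux.0, /SecurePlatform/kernel and /SecurePlatform/ramdisk-pxe from the CD; a non-empty result is what the client shows as a TFTP timeout.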
Initially Configuring SecurePlatform
Option               Purpose
Host Name            Sets and displays the host name
Domain Name          Sets and displays the domain name
Domain Name Servers  Adds, removes, displays domain name servers
Network Connections  Adds, configures, removes, displays network connections
Routing              Sets and shows a default gateway
7. Use the menu options to configure:
• The host name
• The domain name and at least one DNS server
• Security Gateway
• User Authority
• Security Management
• Eventia Suite
Configuring SecurePlatform Using WebUI
Installing on Windows
The installation on a Windows platform is GUI based. The windows displayed
during installation differ depending on the installed Check Point components.
To perform a new installation on a Windows platform:
1. Log on as Administrator and insert the CD. The installation wizard automatically
starts and a Congratulations message displays.
2. Review the Evaluation Options then click Forward.
3. Accept the terms of the End Users License Agreement.
4. Select one of the following installation options:
• Demo installation (SmartConsole only)
• New installation
• Installation using an imported configuration (for additional information, see
“Advanced Upgrade on a Windows Platform” on page 242).
5. Click Forward.
If you selected Installation Using Imported Configuration, you are prompted to
provide the location of the imported configuration file.
A list of products is displayed:
a. Add licenses
b. Add administrators
c. Specify remote clients from which an administrator can log into Security
Management server
d. Initialize the Internal Certificate Authority
e. Export the Security Management server fingerprint to a text file
For additional information, refer to the “Configuration Tool Overview” on
page 51.
9. Reboot the machine. IP forwarding is automatically disabled and a default
security policy is applied to the gateway. The default Security Policy forbids all
inbound connections, except for control connections, for example, install policy
operations. This policy remains in place until you have installed the first
Security Policy.
• Security Gateway
• User Authority
• Security Management
• Eventia Suite
• Endpoint Security
• Performance Pack
• Management Portal
Installing on Solaris or Linux
a. Add licenses. The Check Point Configuration program only manages local
licenses on this machine. The recommended way to manage licenses is
using SmartUpdate.
b. Configure GUI clients (a list of hosts that are able to connect to the
Security Management server using SmartConsole).
c. Configure group permissions by specifying a group name.
d. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
10. Reboot the machine.
IP forwarding is automatically disabled and a default security policy is applied to
the gateway. The default Security Policy forbids all inbound connections, except for
control connections such as install policy operations. This policy remains in place
until you have installed the first security policy.
Installing on Nokia
Installation on Nokia platforms is performed from a console or Nokia Network
Voyager (a secure web-based network element management application). Use a
console to perform the initial configuration.
You can also use Nokia Horizon Manager to install and configure Check Point
components on multiple Nokia appliances simultaneously. For additional
information, refer to Nokia Horizon Manager documentation on the Nokia Support
website:
http://support.nokia.com
Before Installing
• From the Check Point website:
http://www.checkpoint.com/techsupport/downloads.jsp.
download: IPSO_Wrapper_R70.tgz.
• From Nokia, download: IPSO 6.0.7
Note - R70 is not supported on IPSO 4.x images. If you are using IPSO 4.x, first upgrade
to IPSO 6.0.7. If IPSO 6.0.7 is already installed, skip to step 19 on page 49.
Upgrading IPSO 4.x to IPSO 6.0.7
5. Click Apply.
A message is displayed indicating that the new image installation process has
started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images.
The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image:
IPSO 4.1 or 4.2.
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot
is complete, go back to the Network Voyager to verify that the image was set
properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click
System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO (4.1 or 4.2) image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console, and log in.
14. Type newpkg, and press Enter.
15. Use the FTP menu option to transfer the 6.0.7 package.
16. Install the 6.0.7 package.
Wait until a message informs you that the process is complete.
17. Activate the 6.0.7 package.
18. In Voyager, verify that the 6.0.7 package is turned ON.
19. On the CLI, type newpkg, and press Enter.
20. Use the FTP menu option to transfer the IPSO_Wrapper_R70.tgz package.
21. Install the IPSO_Wrapper_R70 package.
Wait until a message informs you that the process is complete.
22. Type Reboot and press Enter.
To upgrade IPSO images and Check Point releases using the command line
interface only, see: “Upgrading Through the CLI” on page 209.
Configuring R70
If you upgraded from IPSO 4.x to 6.0.7 then there is no need to configure R70. If
you performed a fresh installation of IPSO 6.0.7:
1. From a console connection, run cpconfig.
2. Select an installation type, Stand Alone or Distributed.
3. Select Security Management server from the selection list.
4. Specify the Security Management server type as Primary or Secondary
Management.
Note - Only relevant for a distributed deployment.
5. Add Licenses.
6. Configure an administrator name and password.
7. Configure the GUI clients and hosts which can access the Security
Management server using SmartConsole.
8. Configure Group Permissions.
9. Configure a pool of characters for use in cryptographic operations. Type
randomly until the progress bar is full.
10. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
11. Start the installed products.
If you opt not to start the installed products at this time, they can be started
later by running cpstart.
12. Reboot.
Initially Configuring Products
Configuration Tool window in order for authentication to succeed. You may want
to export this Fingerprint for verification purposes when you log in to
SmartConsole for the first time.
Note - If you do not define at least one GUI client, you can only manage the Security
Management server from a GUI client that runs on the same machine as the Security
Management server.
Using the Configuration Tool on Windows Systems
Note - Components can communicate with each other only once the Certificate Authority is
initialized and each component has received a SIC certificate.
12. Click Next. The Fingerprint window opens and displays the Fingerprint of the
Security Management server. The Fingerprint, a text string derived from the
Security Management server certificate, is used to verify the identity of the
Security Management server that is being accessed through SmartConsole.
13. From the Fingerprint window, click Export to file and save the file. The
Fingerprint is exported to a text file that can be accessed from the
SmartConsole client machine(s) and used to confirm the Fingerprint of the
Security Management server.
14. Once configuration using the Configuration Tool is complete, do the following:
a. From SmartConsole, perform a first time connection to the Security
Management server. The Fingerprint of the Security Management server
displays.
b. Ensure that the Security Management server Fingerprint matches the
Fingerprint displayed in SmartConsole.
Note - Do not perform a first time connection to the Security Management server from
SmartConsole unless the Security Management server Fingerprint is accessible and you can
confirm that it matches the Fingerprint displayed in SmartConsole.
Note - For first time installations, the Configuration Tool runs automatically. The
Configuration Tool can also be run after installation is complete using the cpconfig
command.
Logging In for the First Time
Note - Components can communicate with each other only once the Certificate
Authority is initialized and each component has received a SIC certificate.
1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole
> SmartDashboard.
2. Log in using the User Name and Password defined in the Configuration Tool’s
Administrators page during the Security Management server installation.
If you are using a locally stored certificate to authenticate your connection,
browse to its location and enter the certificate’s password. The certificate’s
password can be changed by expanding the More Options link and clicking
Change Password.
3. Specify the name or IP address of the target Security Management server and
click OK.
4. Decide whether to connect in Read Only mode. This mode enables you to view
the current configuration without accidentally changing it. It also gives access
to Security Management server when another designated administrator is
already connected.
5. More Options. Clicking the More Options link enables you to fine tune how
SmartDashboard connects to Security Management server.
• The Change Password button in the Certificate Management area of the dialog
enables you to change the password that protects the certificate.
Note - This step is only necessary the first time you log in from a given client computer,
since once the Security Management server is authenticated, the Fingerprint is saved in
the SmartConsole computer’s registry.
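The two checks described above (compare the presented Fingerprint against the copy exported from the Configuration Tool on the first connection, then rely on the copy cached on the client for later connections) are a trust-on-first-use pattern. The following is an added example, not Check Point code, that models it. Assumptions: the Fingerprint is modelled as the SHA-256 hex digest of the server certificate bytes (Check Point's own Fingerprint is a different encoding of its certificate hash), the pin store is a JSON file rather than the Windows registry, and the certificate bytes are constructed stand-ins.

```python
"""Fingerprint verification for a first connection to a Security Management
server, with trust-on-first-use pinning of the verified value.
Added example, not Check Point code; see the assumptions in the lead-in."""
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint(cert_der):
    # Assumption: SHA-256 hex stands in for the product's fingerprint encoding.
    return hashlib.sha256(cert_der).hexdigest()


def normalise(text):
    """Tolerate the exported file's formatting: colons, spaces, case, newlines."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


class PinStore:
    """Per-client record of fingerprints already verified (registry stand-in)."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def get(self, server):
        return self.pins.get(server)

    def save(self, server, fp):
        self.pins[server] = fp
        with open(self.path, "w") as f:
            json.dump(self.pins, f)


def connect(server, presented_cert, store, exported_fp_path=None):
    """'pinned' on a verified first connection, 'verified' afterwards;
    raises PermissionError instead of proceeding on any mismatch."""
    presented = fingerprint(presented_cert)
    pinned = store.get(server)
    if pinned is None:
        # First connection from this client: the only trustworthy reference
        # is the fingerprint exported from the Configuration Tool.
        if exported_fp_path is None:
            raise PermissionError("first connection: no exported fingerprint to compare")
        with open(exported_fp_path) as f:
            expected = normalise(f.read())
        if not hmac.compare_digest(expected, presented):
            raise PermissionError("fingerprint mismatch on first connection")
        store.save(server, presented)
        return "pinned"
    if not hmac.compare_digest(pinned, presented):
        raise PermissionError("server fingerprint changed since it was pinned")
    return "verified"


def demo():
    """Constructed walk-through: pin, reconnect, then a different certificate."""
    work = tempfile.mkdtemp()
    good_cert = b"constructed stand-in for the management server certificate"
    other_cert = b"constructed stand-in for some other certificate"
    exported = os.path.join(work, "fingerprint.txt")
    with open(exported, "w") as f:  # what 'Export to file' would have written
        fp = fingerprint(good_cert).upper()
        f.write(":".join(fp[i:i + 2] for i in range(0, len(fp), 2)) + "\n")
    store = PinStore(os.path.join(work, "pins.json"))
    first = connect("mgmt.example", good_cert, store, exported)
    second = connect("mgmt.example", good_cert, PinStore(store.path))
    try:
        connect("mgmt.example", other_cert, PinStore(store.path))
        third = "accepted"
    except PermissionError:
        third = "rejected"
    return first, second, third
```

The point the notes make is the one the code enforces: without the exported copy there is nothing to compare against on the first connection, so the client refuses rather than silently pinning whatever is presented.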
Chapter 4
Installing Provider-1
In This Chapter:
Overview page 60
Creating the Provider-1 Environment page 61
Where To From Here? page 75
Overview
A typical Management Service Provider (MSP) manages and protects many
customer networks. Provider-1 ensures compatibility with a wide range of security
schemes and product deployments.
Figure 4-1 Sample Provider-1 Deployment
Creating the Provider-1 Environment
This section describes the process for provisioning a Provider-1 environment. The
following is a typical workflow:
Figure 4-2 Workflow
Note - If you define the primary MDS as a Manager only, you will need to install and
configure one or more container MDSs on separate platforms.
Installing and Configuring the Primary MDS
If your hardware is found not to be suitable, the reason for this is displayed as
part of the Welcome message, for example:
4. Select a keyboard type from the list, then select OK. The Networking Device
window opens.
5. Select the interface to be used by the MDS for accessing the management
server and then OK. The Network Interface Configuration window opens.
6. Type the appropriate information in the IP address, net mask, and optionally,
the default gateway fields and select OK. The Host Name Configuration window
opens.
7. Enter a host name that is different from the default host name (cpmodule) and
select OK. The Confirmation window opens.
8. Select OK to proceed or Cancel to abort the installation process. The following
installation operations are performed:
• Hard drive formatting
• Package installation
• Post installation procedures
This procedure may take 10-12 minutes, after which the Installation Complete
window opens.
13. On the Choose network connections screen, configure your interfaces and
network connections as required. Follow the instructions on the screen.
When finished, enter ‘e’ and then ‘n’ to proceed to the next screen.
14. On the time and date screen, set the time zone, date and time as required.
15. Continue with “Installing the MDG” on page 70
2. In the following screen, select the MDS type as either (1) MDS Manager or (3)
MDS Manager and Container station. The first primary MDS must be one of these
two types.
3. Enter ‘Y’ in response to “Are you installing the Primary MDS Manager?”.
Note - Any information that you enter after this stage can be modified later using the
mdsconfig utility.
4. Specify whether the MDS should start automatically with each reboot
(recommended). If you choose to restart automatically, select a default base
directory when prompted.
5. Enter the name of the primary interface — the interface through which the MDS
will communicate with other MDSs in the Provider-1 network.
6. After the installation routine finishes installing packages, read and accept the
license agreement as directed.
7. Optionally add a Check Point license. You can always add licenses later using
the MDG.
11. When the installation utility finishes, source the Check Point profile
(according to your shell):
• For csh - source /opt/CPshared/5.0/tmp/.CPprofile.csh
• For sh - . /opt/CPshared/5.0/tmp/.CPprofile.sh
To avoid running the source command each time you start the MDS, it is
recommended to add the relevant line to your .cshrc or .profile file, respectively.
12. Reboot the computer.
13. Start the MDS by executing the mdsstart command.
Installing SmartConsole
To install the SmartConsole on Windows platforms:
1. Access the windows/SmartConsole directory on the Provider-1 product CD.
2. Copy the SmartConsole executable to a temporary directory.
3. Start the installation by double-clicking the SmartConsole executable.
4. When the installation has completed, run SmartConsole applications from the
Windows Start > Programs > Check Point SmartConsole R70 > SmartDashboard
menu option.
Using the MDG for the First Time
Demo Mode
When starting the MDG, you can elect to open it in Demo mode. This mode does
not require authentication or a connection to the MDS. Demo mode is used when
you want to experiment with different objects and features before you create a real
system. It demonstrates several pre-configured sample customers, CMAs, gateways
and policies.
It is recommended that you use the Demo mode to familiarize yourself with the
MDG’s various views and modes. Operations performed while in Demo mode are
stored in a local database, which allows you to continue a Demo session from the
point at which you left off in a previous session.
Adding Licenses using the MDG
Where To From Here?
Chapter 5
Installing Eventia Suite
In This Chapter
Eventia Suite Installation
Standalone Installation vs. Distributed Installation
Note - For Eventia Suite to read logs from a distributed log server, the database must be
installed on the log server after the Eventia Suite installation is complete.
Standalone Installation
Windows Platform
1. To install, log in as an administrator and launch the wrapper by double-clicking
on the setup executable.
2. Click Next, and accept the terms of the license agreement.
3. Select either:
• Check Point Power
• Check Point UTM
Click Next.
4. Select New Installation.
5. From the Products list, select Eventia Suite. Security Management server is
automatically installed along with Eventia Reporter.
Security Management server is needed because of its log server component.
6. Specify the type of Security Management server to install:
• Primary Security Management server
• Secondary Security Management server
• Log Server
If you want a distributed deployment, select Log Server. If you want a
standalone deployment, select Primary Security Management server.
7. From the list of Eventia Suite components, select Eventia Reporter.
8. Click Next, and a list of products to install is displayed.
9. Verify the default install directory, or browse to new location.
10. The Check Point Configuration program, CPConfig, opens.
Solaris & Linux Platforms
11. Select Add and enter the Product License information provided by Check Point.
Alternatively, you may use the 15-day evaluation license. Select OK, and then
Next.
12. The Administrators window appears. Select Add and enter the administrator
name and password. Select OK. Then set permissions for the administrator. Add
more administrators if you like, and then select Next.
13. The GUI Clients window appears. Type in the IP address for a machine that will
run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add
more GUI Clients if you like, and then select Next.
14. To ensure secure communication between the Eventia Analyzer and Security
Management servers, an identical Activation Key must be set on both. Enter a
Secure Internal Communication (SIC) activation key and record it to be entered
later on the Security Management server. Select Finish.
Return to the wrapper.
15. To complete the installation of the Eventia Reporter and to continue with the
next phase of the installation, click Next and reboot the machine.
16. Launch SmartDashboard.
17. Install the Security Policy, (Policy>Install) or install the database (Policy>Install
Database).
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter
product from cpconfig or from the SecurePlatform Web GUI.
2. Select whether you would like to perform an upgrade or create a new
installation.
3. Continue from step 5 on page 80 in order to complete the installation.
Distributed Installation
Windows Platform
On the machine that will hold the Eventia Suite:
1. Log in as an administrator and launch the wrapper by double-clicking on the
setup executable.
2. Click Next, and accept the terms of the license agreement.
3. Select either:
• Check Point Power
• Check Point UTM
Click Next.
4. Select New Installation.
5. From the Products list, select Eventia Suite.
6. Specify Log Server as the type of Security Management server to install.
Security Management server is needed because of its log server component.
7. From the list of Eventia Suite components, select the components that you
want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log
Consolidator).
8. Click Next, and a list of products to install is displayed.
9. Verify the default install directory, or browse to new location.
10. The Check Point Configuration program, CPConfig, opens.
11. Select Add and enter the Product License information provided by Check Point.
Alternatively, you may use the 15-day evaluation license. Select OK, and then
Next.
Solaris and Linux and SecurePlatform
12. The Administrators window appears. Select Add and enter the administrator
name and password. Select OK. Then set permissions for the administrator. Add
more administrators if you like, and then select Next.
13. The GUI Clients window appears. Type in the IP address for a machine that will
run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add
more GUI Clients if you like, and then select Next.
14. To ensure secure communication between the Eventia Analyzer and Security
Management servers, an identical Activation Key must be set on both. Enter a
Secure Internal Communication (SIC) activation key and record it to be entered
later on the Security Management server. Select Finish.
15. Return to the wrapper.
16. To complete the installation of Eventia Suite and continue with the next phase
of the installation, click Next and reboot the machine.
For an R65 level Security Management server (or above) the following rule needs to
be added to the Rule Base if a firewall exists between any Eventia Analyzer
components and the Management Server:
Preparing Eventia Suite in Security Management server
Note - Do not run the Get Version operation. Instead, specify the most recent version
possible.
For Provider-1/SiteManager-1 Version R55
c. cpstart
Note - Wait a couple of minutes for the objects to synchronize between the MDS and
Eventia Analyzer.
8. On the Eventia Suite machine and/or the Correlation Unit machine that will
read logs from a CMA, run the command cpstop.
9. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf.
Search for the section [Outbound rules], and change the following lines from:
# for log_export tool and Abacus analyzer
ANY ;ANY ;ANY; lea ; sslca
to:
# for log_export tool, Eventia Analyzer Provider-1
ANY ;ANY ;ANY; lea ; ssl , sslca
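Step 9 is a hand edit of a file that also carries inbound rules and rules for other services, so the change is easy to apply to the wrong line. The following is an added example, not a Check Point utility, that makes the same edit programmatically: inside [Outbound rules] only, the lea rule's method list gains ssl in front of sslca and the comment is renamed; every other section and service is left alone, and running it twice changes nothing. Note what the edit does: it allows the lea connection to authenticate with ssl as well as sslca, which is why the step applies only to the Eventia Suite and Correlation Unit machines that read logs from a CMA. The sample file contents are constructed for the demonstration.

```python
"""Apply the sic_policy.conf change from step 9 without touching any other
section of the file. Added example, not a Check Point utility."""
import re

OLD_COMMENT = "# for log_export tool and Abacus analyzer"
NEW_COMMENT = "# for log_export tool, Eventia Analyzer Provider-1"
SECTION = "[Outbound rules]"
# "ANY ;ANY ;ANY; lea ; <methods>" with the spacing the file uses
LEA_RULE = re.compile(r"^(\s*ANY\s*;\s*ANY\s*;\s*ANY\s*;\s*lea\s*;\s*)(\S.*?)\s*$")


def patch_outbound_lea(text):
    """Return (new_text, number_of_rule_lines_changed)."""
    lines = text.splitlines()
    inside = False
    changed = 0
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            inside = stripped == SECTION  # a new section header
            continue
        if not inside:
            continue
        if stripped == OLD_COMMENT:
            lines[i] = NEW_COMMENT
            continue
        m = LEA_RULE.match(line)
        if not m:
            continue
        methods = [x.strip() for x in m.group(2).split(",")]
        if "ssl" in methods:
            continue  # already patched: idempotent
        lines[i] = m.group(1) + " , ".join(["ssl"] + methods)
        changed += 1
    return "\n".join(lines) + "\n", changed


def patch_file(path):
    """In-place edit of $CPDIR/conf/sic_policy.conf; run after cpstop."""
    with open(path) as f:
        new_text, changed = patch_outbound_lea(f.read())
    with open(path, "w") as f:
        f.write(new_text)
    return changed


# Constructed sample: the inbound lea rule and the cpmi rule must survive.
SAMPLE = """[Inbound rules]
# constructed sample: must stay as it is
ANY ;ANY ;ANY; lea ; sslca

[Outbound rules]
# for log_export tool and Abacus analyzer
ANY ;ANY ;ANY; lea ; sslca
ANY ;ANY ;ANY; cpmi ; sslca
"""
```

Run it on the CMA's copy of the file after mdsenv <customer_name> and cpstop, and diff the result against a backup before cpstart.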
Note - Enter the command mdsenv <customer_name> to switch to the appropriate CMA
environment. To return to the MDS environment, enter the command mdsenv.
Note - Do not run the Get Version operation. Instead, specify the most recent version
possible.
Note - Wait a couple of minutes for the objects to synchronize between the MDS and
Eventia Suite.
For Provider-1/SiteManager-1 Version R61 and Up
Note - Do not run the Get Version operation. Instead, specify the most recent version
possible.
Chapter 6
IPS-1 Setup and Installation
In This Chapter
Overview page 92
IPS-1 Deployment page 94
IPS-1 Management Installation and Setup page 98
IPS-1 Sensor Appliances page 103
IPS-1 Sensor Installation page 108
IPS-1 Management Dashboard Installation page 113
Post-Installation Steps page 114
Where To From Here? page 122
Overview
Platforms
The IPS-1 Server and Alerts Concentrator can be installed on Check Point’s
SecurePlatform or on other supported operating systems. SecurePlatform is
provided with the IPS-1 installation media.
The IPS-1 Server can be installed together with a Security Management server for
managing security gateways and IPS-1 Sensors from the same platform. In this
case, it is possible to log into the IPS-1 Server via the IPS-1 Management
Dashboard with a Security Management server administrator username and
password. For usernames common to both IPS-1 and the Security Management
Server, the IPS-1 password and privileges override Security Management Server
settings.
IPS-1 (non-Power) Sensors are supported only on Check Point’s SecurePlatform.
IPS-1 Deployment
Sensor Placement
IPS-1 Sensors should be deployed at natural choke points according to network
topology. Usually, Sensors should be just within the network firewall.
Placing Sensors outside the firewall is not recommended, because the Sensor is not
then protected by the firewall, and the unfiltered traffic places a heavier load on
the Sensor.
Ideally, network cores should also be protected with Sensors. In most cases,
network core topology does not enable these Sensors to be placed inline, in which
case the Sensors should be used for intrusion detection in passive mode.
Sensor Topology
In most cases, IPS-1 Sensors should be placed inline, enabling intrusion
prevention. In some cases, such as in a complex switching environment in a
network core, Sensors need to be used for intrusion detection in passive mode.
Sensors’ monitoring interfaces are layer-3 transparent and do not have IP
addresses. Each Sensor has a management interface that requires an IP address,
routable to and from the Alerts Concentrator. For enhanced security, it is
recommended that management be on a separate, out-of-band network.
For full information on Sensor modes, see the IPS-1 Administration Guide.
IPS-1 Management Deployment
Inline Sensors’ behavior upon failure can be configured to either open, passing
through all traffic; or closed, severing the traffic path.
Inline Sensors can be set to Bridge (Monitor-Only) mode, to avoid the possibility of
false-positive traffic dropping. In bridge mode, you can track what the Sensor
would have done in prevention mode. You can fine-tune your prevention settings in
bridge mode, and later change to prevention mode.
The appropriate number of Alerts Concentrators varies according to the network and
to administrative needs. The following rough guidelines should be considered:
• Each Alerts Concentrator is usually capable of handling around ten Sensors.
• It is not recommended for a single Alerts Concentrator’s database to approach
40 GB; If it does, an additional Alerts Concentrator is recommended.
For a rough estimate of appropriate database size, multiply the volume of
monitored traffic (in Gbps) by the number of months of alerts you plan to maintain.
The database size (in GB) should approach half of that product.
For example, if the Sensors that send alerts to a particular Alerts Concentrator
collectively monitor 5Gbps, and you want to maintain six months of back alerts, the
database should be 12-15 GB. However, appropriate database size is also
dependent on other factors, such as fine-tuning protections for your system to
minimize false positives.
Optionally, one Alerts Concentrator can be installed together with the IPS-1
Management Server in a Combined installation. This Alerts Concentrator will share
a license and some processes with the IPS-1 Management Server, but alert
information is stored in separate database tables.
Installation of IPS-1 Management Servers
Option Purpose
Host Name Sets and displays the host name
Domain Name Sets and displays the Domain name
Domain Name Servers Adds, removes, displays Domain name servers
Network Connections Adds, configures, removes, displays
network connections.
Routing Sets and shows a default gateway
13. Use the menu options to configure:
• The hostname
• The domain name and at least one DNS server
• The computer’s network interfaces
• The default gateway (if required)
Note - Make sure the hostname and IP address are correctly defined at this stage. The
IPS-1 software will take this information from the operating system at installation time.
Subsequent changing of the hostname will not be reflected in the application.
14. Once Network Configuration is complete, press n to continue to Time and Date
Configuration. Configure the following:
• Time zone
• Date
• Local time
• Show date and time settings
15. Press n.
Note - Network Time Protocol (NTP) can be configured through the command line interface
after the all of the installation procedures are complete. For more information, see
“Configuring NTP on SecurePlatform” on page 114.
The absence of a server name in the /etc/hosts file will generate MySQL
errors.
2. Before an upgrade:
a. Stop the IPS-1 processes.
b. As a precaution, back up database files by copying the contents of the
sdb/data directory to another host.
3. Make sure the hostname and IP address are correctly defined in the operating
system. The IPS-1 software will take this information from the operating system
at installation time. Subsequent changing of the hostname will not take effect.
4. Insert CD6 from the media pack, and mount it on the appropriate subdirectory.
5. From the CD’s root directory, run:
./UnixInstallScript [-splat]
On SecurePlatform, include the -splat flag. On Linux omit the flag.
6. Continue here to the following section for the configuration process.
Reinstalling IPS-1
To reinstall IPS-1:
1. Query the IPS-1 rpm for the version number by running:
rpm -qa | grep ips1
2. Stop IPS-1 and remove the IPS-1 rpm by running:
rpm -e CPips1-Rxx-xx
where xx is the version number obtained from the output of the previous
command.
3. Install a new IPS-1 by running: ./UnixInstallScript on the CD.
IPS-1 Sensor Appliances
IPS-1 Sensor Appliance Models
Note - The interface labels of the 1000F model are the same as
the interface labels for the 1000C model.
• Eight Gigabit fiber Ethernet back-panel interfaces used in IPS (inline) mode
as IPS pairs with bypass support, or in IDS (passive) mode as monitoring
interfaces
• Two 10/100/1000 copper Ethernet back-panel interfaces, of which one is
the management interface and the other should remain unused
Initial Configuration of IPS-1 Sensors
1. Insert CD6 from the media pack into the CD drive, and boot the computer from
the CD.
After booting, Welcome to Check Point SecurePlatform appears. Make sure to
press Enter within 90 seconds.
The installation program is loaded.
The following options are displayed:
• Device List: When selected, the Hardware Scan Details menu displays.
• Add Driver: When selected, the Devices menu opens. Sometimes updated
hardware is incompatible with the previous version’s driver and you receive
an error message during installation because the operating system could not
find the appropriate hard disk driver. Alternatively, the installation may be
complete, but the hardware does not function properly. The Add Driver
option enables you to add the missing driver during the installation process.
2. Select OK to install.
The IPS-1 Products window appears.
3. Select Sensor, and OK.
4. Select the type of hardware you are using. If you are installing on hardware
provided by Check Point (or old hardware provided by NFR), select Appliance. If
you are installing on hardware supplied by another vendor, select Open Sensor.
For Sensor 1000 models, you should select Open Sensor even though the
hardware is supplied by Check Point.
5. Select a keyboard type. Select OK.
6. In the Networking Device window, select the management interface. Select OK.
7. In the Management Interface Configuration window, define the management
interface IP address, netmask and default gateway. Select OK.
8. Select OK to format your hard drive, and extract and install SecurePlatform
software components. The installation process can take several minutes to
complete.
9. When installation is complete, remove the CD.
10. Press Enter to reboot.
Upon initial boot of a freshly installed IPS-1 Sensor, including a new regular
(non-Power) preinstalled appliance, configure it as follows:
1. Log in with username: admin and password: admin.
2. When prompted, change the password and (optionally) the username.
3. Run:
sysconfig
The first-time system configuration wizard begins.
4. Press n to proceed to the next menu.
The Network Configuration menu options appear.
5. Use the menu options to configure:
• The hostname
• The domain name and at least one DNS server
• The management interface
6. Once Network Configuration is complete, press n to continue to Time and Date
Configuration. Configure the following:
• Date
• Time and time zone
• Show date and time settings
Enter n.
Note - Network Time Protocol (NTP) can be configured through the command line interface
after the all of the installation procedures are complete. For more information, see
“Configuring NTP on SecurePlatform” on page 114.
Initial Configuration of IPS-1 Power Sensor
8. Configure the Operating Mode options. For each field, select the field with the
Enter key, and select the appropriate value.
• Operating Mode - one of the following:
• IDS (passive): intrusion detection, no prevention. Packets do not pass
from one interface to another.
• IPS (inline, fail-closed): inline intrusion prevention. In fault conditions,
all packets are dropped.
• IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all
packets are passed through.
• IPS Monitor-Only (inline, fail-open): inline bridge mode, but without
actual prevention.
For more information on Sensor modes, see the IPS-1 Administration Guide.
• Management Interface - displays (read-only) the IP address configured in the
operating system.
• Inline Pair(s) - pairs of monitoring interfaces. Depending on your hardware,
you may need to define the interface pairs that you will be using.
Select Next to complete the wizard.
You can modify the Sensor’s settings at anytime by running the cpconfig command.
The IPS-1 Sensor is now installed and configured. Continue to “Post-Installation
Steps” on page 114.
IPS-1 Management Dashboard Installation
Note - You can modify the Sensor’s settings at any time by logging on as the ips1 user.
Reconfiguring the internal network address is the only reason you should ever need to
log in as admin to a Power Sensor.
Post-Installation Steps
In This Section:
Once the IPS-1 components have been installed, one of the following procedures
may be required before deploying them in the network.
ntp
Configure and start the Network Time Protocol polling client.
Syntax
ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]
ntp -n <interval> <server1> [<server2>[<server3>]]
Parameters
Table 6-2 ntp Parameters
Parameter       Meaning
MD5_secret      Pre-shared secret used to authenticate against the NTP server;
                use “-n” when authentication is not required.
interval        Polling interval, in seconds.
server1,        IP address or resolvable name of an NTP server.
server2,
server3
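As an added example (not from this guide), the following Python shows the RFC 5905 symmetric-key mechanism that a pre-shared MD5 secret such as the one passed to ntp above provides, and what the “-n” form gives up. The key ID, secret and packets are constructed for the demonstration; that SecurePlatform’s ntp client uses exactly this ntpd keyed-MD5 scheme is an assumption.

```python
"""What an NTP MD5 pre-shared secret does on the wire (added example).

RFC 5905 symmetric-key authentication appends a 32-bit key ID and
MD5(secret || header) to the 48-byte NTP header. A receiver that knows
the secret recomputes the digest and discards packets that do not match,
which is the protection an unauthenticated (-n) client does not have.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # the MAC covers exactly the fixed header
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16
MAC_LEN = KEY_ID_LEN + MD5_DIGEST_LEN


def build_client_header(transmit_ts: int = 0) -> bytes:
    """Build a minimal NTPv4 client request header (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, root delay, root dispersion, reference ID,
    # then reference / origin / receive / transmit timestamps (64-bit each)
    return struct.pack("!BBBbIII4Q", li_vn_mode, 0, 6, -20,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def authenticate(header: bytes, key_id: int, secret: bytes) -> bytes:
    """Append the symmetric-key MAC: key ID || MD5(secret || header)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    digest = hashlib.md5(secret + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict) -> tuple:
    """Check a received packet against the configured {key_id: secret} map.

    Returns (accepted, reason). Only MAC-bearing packets are accepted, so a
    packet without a MAC (what an unauthenticated client would trust) is
    rejected here.
    """
    if len(packet) == NTP_HEADER_LEN:
        return False, "no MAC present (unauthenticated packet)"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack(
        "!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    received = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    secret = keys.get(key_id)
    if secret is None:
        return False, "unknown key ID %d" % key_id
    expected = hashlib.md5(secret + header).digest()
    # constant-time comparison so a forged MAC cannot be matched byte by byte
    if not hmac.compare_digest(expected, received):
        return False, "MAC mismatch (tampered packet or wrong secret)"
    return True, "ok"


def demo() -> dict:
    """Run the cases a receiver would see; returns the verdict per case."""
    keys = {1: b"constructed-shared-secret"}   # constructed, not a real key
    header = build_client_header(transmit_ts=0x1234567800000000)
    good = authenticate(header, 1, keys[1])
    # flip one bit of the transmit timestamp after the MAC was computed
    tampered = bytearray(good)
    tampered[NTP_HEADER_LEN - 1] ^= 0x01
    return {
        "authenticated": verify(good, keys),
        "tampered": verify(bytes(tampered), keys),
        "no_mac": verify(header, keys),
        "wrong_secret": verify(authenticate(header, 1, b"other"), keys),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-14s %s" % (case, verdict))
```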
ntpstop
Stop polling the NTP server.
Completing IPS-1 Management Setup
Syntax
ntpstop
ntpstart
Start polling the NTP server.
Syntax
ntpstart
First Login
After installation, your initial login user name is admin, and the password is the
one you entered during the IPS-1 Management Server installation. Begin managing
the IPS-1 system as follows:
1. Use the following command to verify that the IPS-1 Server (or Alerts
Concentrator) processes are running:
a. On SecurePlatform, enter expert mode by typing expert and pressing Enter.
On other operating systems, log in as root.
b. Run:
/etc/init.d/ips1 start
3. Type your username and password, and specify the IPS-1 Server’s IP address or
resolvable hostname. By default, the port number is 8443.
Note - The default username is admin. When upgrading from a previous version of IPS-1,
log in with the pre-existing usernames. The default username for prior versions of IPS-1 is
nfr.
4. If you are trying to connect to the IPS-1 Server through a proxy server, expand
the login window by clicking More Options and check Use Proxy. Type the proxy
server’s connection and authentication information. Note that for Digest Proxy
only HTTP is supported, not HTTPS.
5. Upon first login, you are prompted to Verify IPS-1 Management Server Certificate.
If you are sure the presented certificate is coming from your IPS-1 Management
Server, click Trust for the IPS-1 Management Dashboard on the host you are
working on to trust this IPS-1 Management Server in the future.
Manage Licenses
A freshly installed IPS-1 Management Server comes with a fifteen day trial license.
If the trial license has expired, you must add an IPS-1 Management Server license
obtained from Check Point’s User Center in order to continue working with IPS-1.
All licenses are stored on the IPS-1 Management Server and must have been
generated according to the IPS-1 Management Server’s IP address.
To add a license:
1. Copy your license string, obtained from Check Point’s user center, to the
clipboard.
A license string will include the following:
cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx
CPMP-IPS-5-NGX xx-xxxxxxxxxxx
2. In the License Manager, click Add.
Note - Entering the Alert Concentrator’s IP address is preferred to better protect against
DNS spoofing.
3. Type and confirm the activation key that you specified during the Alerts
Concentrator installation.
Note - If you don’t have the activation key, log on to the Alerts Concentrator and set the
activation key via the set_activation_key command.
4. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator,
select Use Proxy and type the proxy’s connection and authentication
information.
5. Make sure Receive Alerts is On.
Completing IPS-1 Sensor Setup
2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.
Note - You can reset the Activation key on the Sensor with the cpconfig command, or, in
the case of an IPS-1 Power Sensor, by logging in as the nfr user.
5. Click Next.
6. Select the Local Network Addresses that you want the IPS-1 Sensor to protect
from the list of Recently Used Values and use the arrow buttons in the middle of
the window to add, remove or change the order of the addresses in list of
Selected Host Types.
If your network does not appear in the Recently Used Values list, type the
network address and netmask information into the field at the bottom of the
window and press enter.
When all of your network addresses are listed in the Selected Host Types, click
Next.
7. Select the Local Broadcast Addresses for the protected networks from the
Recently Used Values and use the arrow buttons in the middle of the window to
add or remove addresses from the list of Selected Host Types.
If your broadcast address does not appear in the Recently Used Values list, type
the broadcast address into the field at the bottom of the window and press
enter.
When all of your broadcast addresses are listed in the Selected Host Types, click
Next.
8. Click New to assign descriptive names to your interfaces.
The Edit Interface Description window appears:
Enter the raw interface name as it is listed in the Sensor, and enter the
descriptive name that you want to assign to that interface. Click OK.
9. Once you have finished modifying the names of the interfaces, press Finish to
add the new Sensor to the Alerts Concentrator.
Upgrade Section
This section covers upgrading to the current version.
Chapter 7
Introduction to the Upgrade Process
In This Chapter
Note - Only versions NGX R60 and above can be upgraded to R70.
Documentation
This guide covers all available upgrade paths for Check Point products from NGX
R60 forward. Before you begin:
• Make sure that you have the latest version of this document by checking in the
User Center at:
http://support.checkpoint.com
• It is a good idea to have the latest version of the R70 Release Notes handy.
Download them from:
http://support.checkpoint.com
For a new features list, refer to the “R70 What’s New Guide”:
http://support.checkpoint.com
Contract Verification
Contract verification is now an integral part of the Check Point licensing scheme.
Before upgrading to the latest version, your licensing agreements are verified
through the User Center.
See “Service Contract Files” on page 133 for more information.
Supported Upgrade Paths and Interoperability
Release             Version
NGX                 R60, R60A, R61, R62, R65 (R65.4 not supported)
                    R65 with HFA 30 with the Connectra NGX R66 Plug-in
                    R65 with Messaging Security
                    R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
                    R65 with the SmartProvisioning Plug-in
                    R65 UTM-1
                    R65 Power-1

Release             Version
NGX                 R60, R60A, R61, R62, R65
InterSpect          NGX R60
Connectra           NGX R61, R62, R62CM, R66
UTM-1 Edge          7.5.x and above
Endpoint Security
Terminology
Advanced Upgrade: In order to avoid unnecessary risks, it is possible to migrate the
current configuration to a spare server. The upgrade process is then performed on
the migrated server, leaving the production server intact.
ClusterXL: A software-based load sharing and high availability solution for Check
Point gateway deployments. It distributes traffic between clusters of redundant
gateways so that the computing capacity of multiple machines may be combined to
increase total throughput. In the event that any individual gateway becomes
unreachable, all connections are re-directed to a designated backup without
interruption. Tight integration with Check Point's Security Management server and
security gateway solutions ensures that ClusterXL deployment is a simple task for
security gateway administrators.
Distributed Deployment: A distributed deployment is performed when the gateway
and the Security Management server are deployed on different machines.
Gateway or Check Point Gateway: A gateway is the software component which
actively enforces the Security Policy of the organization.
In Place Upgrade: In Place upgrades are upgrades performed locally.
SmartProvisioning: Enables enterprises to easily scale, deploy, and manage VPNs
and security for thousands of remote locations.
Package Repository: This is a SmartUpdate repository on the Security Management
server that stores uploaded packages. These packages are then used by
SmartUpdate to perform upgrades of Check Point Gateways.
SmartLSM Security Gateway: A Remote Office/Branch Office Gateway. (formerly
ROBO gateway)
ROBO Profile: An object that you define to represent properties of multiple ROBO
gateways. Profile objects are version dependent; therefore, when you plan to
upgrade ROBO gateways to a new version, first define new Profile objects for your
new version. In general, it is recommended that you keep the Profile objects of the
previous versions until all ROBO Gateways of the previous version are upgraded to
SmartLSM Security gateways. For further information about defining a ROBO
Profile, refer to the Check Point SmartProvisioning Administration Guide.
Security Policy: A Security Policy is created by the system administrator in order to
regulate the incoming and outgoing flow of communication.
Upgrade Tools
Various upgrade tools are provided for migration and compatibility verification of
your current deployment. These tools help you successfully upgrade to R70.
The upgrade tools can be found in the following locations:
• in the R70 $FWDIR/bin/upgrade_tools directory.
• http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
Upgrading Successfully
Note that:
• Check Point Suite Products before version NGX R60 cannot be upgraded to
NGX R70.
• When upgrading NGX R65, only the following Plug-ins may be present:
Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of
any other Plug-in will cause the upgrade process to fail.
Warning - If you upgrade from NGX R65 (with Plug-ins) to R70, and later want to uninstall
R70 (rollback to NGX R65), follow the instructions in sk37252
(http://supportcontent.checkpoint.com/solutions?id=sk37252) to avoid potential problems.
Chapter 8
Service Contract Files
In This Chapter
Introduction
Before upgrading a gateway or Security Management server to R70, you need to
have a valid support contract that includes software upgrade and major releases
registered to your Check Point User Center account. The contract file is stored on
Security Management server and downloaded to security gateways during the
upgrade process. By verifying your status with the User Center, the contract file
enables you to easily remain compliant with current Check Point licensing
standards.
Working with Contract Files
On a Windows Platform
When upgrading Security Management server, the upgrade process checks to see
whether a contract file is already present on the server. If not, the main options for
obtaining a contract are displayed:
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, you may download a
contract file directly from the User Center. The contract file obtained
through the user center contains contract information for all of your
accounts at the User Center. The contract file obtained through the user
center conforms with the terms of your licensing agreements.
i. Click Next.
If the connection succeeds but the downloaded contract file does not
cover the Security Management server, a message informs you that the
Security Management server is not eligible for upgrade.
However, the absence of a valid contract file will not prevent the
upgrade from taking place. Once the upgrade is complete, contact your
local support provider to obtain a valid contract.
• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to:
https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support.
iv. On the Additional Services page, in the Service Contract File Download
section, click Download Now:
If the contract file does not cover the Security Management server, a
message informs you that the Security Management server is not
eligible for upgrade. However, the absence of a valid contract file will
not prevent the upgrade from taking place. Once the upgrade is
complete, contact your local support provider to obtain a valid contract.
vi. Click Next to continue with the upgrade process
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at
a later date. Note that at this point your gateway is not strictly eligible for
an upgrade; you may be in violation of your Check Point Licensing
Agreement, as shown in the final message of upgrade process:
On SecurePlatform, Linux, and Solaris
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a
contract file directly from the User Center. The contract file obtained
through the user center conforms with the terms of your licensing
agreements. If you choose to download contract information from the User
Center, you are prompted to enter your:
• User name
• Password
If the contract file does not cover the Security Management server, a
message informs you that the Security Management server is not eligible for
upgrade. However, the absence of a valid contract file will not prevent the
upgrade from taking place. Download a valid contract at a later date using
SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 155
for more information on using SmartUpdate).
• Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to:
https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center
iii. Browse to Support
iv. On the Downloads page, in the Service Contract File Download section,
click Download Now:
If the contract file does not cover the Security Management server, a
message informs you that the Security Management server is not eligible for
upgrade. However, the absence of a valid contract file will not prevent the
upgrade from taking place. Download a valid contract at a later date using
SmartUpdate (see: “Managing Contracts with SmartUpdate” on page 155
for more information on using SmartUpdate).
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at
a later date. Note that at this point your gateway is not strictly eligible for
an upgrade; you may be in violation of your Check Point Licensing
Agreement, as shown in the final message of the upgrade process:
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO Security
Management server to R70, the upgrade process will check to see if there is a valid
contract already present on the Security Management server. If a contract is not
present, the upgrade process proceeds as normal. After successfully upgrading the
gateway, the following message is displayed:
The upgrade process requires a valid contract file in order to
verify that your gateway complies with Check Point licensing
agreements. While the absence of a contract file does not prevent
this upgrade, it is recommended that you obtain a contract file via
SmartUpdate (Licenses & Contracts menu -> Update Contracts).
For further details see:
http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point user
center.
Installing a Contract File on a Gateway
On a Windows Platform
After accepting the End User License Agreement (EULA), the following message is
displayed:
After clicking Next, the upgrade process checks to see if a valid contract file is
installed on the gateway. If no contract file exists, the upgrade process attempts to
retrieve a contract file from the Security Management server that manages the
gateway. If a contract file cannot be retrieved from Security Management server,
the main options for obtaining a contract file for the gateway are displayed:
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a
contract file directly from the User Center. The contract file obtained
through the user center conforms with the terms of your licensing
agreements.
If the connection succeeds but the downloaded contract file does not
cover the gateway, the following message appears:
However, this will not prevent the upgrade from taking place.
iv. On the Downloads page, in the Service Contract File Download section,
click Download Now:
If the local contract file does not cover the gateway, the following
message is displayed:
However, this will not prevent the upgrade from taking place. If the
contract file covers the gateway, the following message is displayed:
The upgrade process searches for a valid contract on the gateway. If a valid
contract is not located, the upgrade process attempts to retrieve the latest contract
file from the Security Management server that manages the gateway. If a valid
contract file is not located on the Security Management server, the main options for
obtaining a contract file for the gateway are displayed:
On SecurePlatform, and Linux
You can:
• Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a
contract file directly from the User Center. The contract file obtained
through the user center conforms with the terms of your licensing
agreements. If you choose to download contract information from the User
Center, you are prompted to enter your:
• User name
• Password
• Proxy server address (if applicable):
If, according to information gathered from your User Center account, your
gateway is not eligible for upgrade, the following message is displayed:
You may still upgrade the gateway but are advised to download a valid contract
at a later date using SmartUpdate (see: “Managing Contracts with
SmartUpdate” on page 155 for more information on using SmartUpdate).
If the contract file does not cover the gateway, a message informs you
that the gateway is not eligible for upgrade. However, the absence of a
valid contract file will not prevent the upgrade from taking place. Once
the upgrade is complete, contact your local support provider to obtain a
valid contract.
• Continue without contract information
Select this option if you intend to obtain and install a valid contract file at
a later date. Note that at this point your gateway is not strictly eligible for
an upgrade; you may be in violation of your Check Point Licensing
Agreement, as shown in the final message of the upgrade process:
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO gateway
to R70, the upgrade process will check to see if there is a valid contract available
on the Security Management server that manages the gateway. If none is available,
the upgrade process proceeds. After successfully upgrading the gateway, the
following message is displayed:
The upgrade process requires a valid contract file in order to
verify that your gateway complies with Check Point licensing
agreements. While the absence of a contract file does not prevent
this upgrade, it is recommended that you obtain a contract file via
SmartUpdate (Licenses & Contracts menu -> Update Contracts).
For further details see:
http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point user
center.
Managing Contracts with SmartUpdate
Managing Contracts
The License Repository window in SmartUpdate displays contracts as well as regular
licenses:
Clicking Show Contracts displays the contracts associated with this license:
Updating Contracts
Licenses & Contracts on the File menu has enhanced functionality for handling
contracts:
• Licenses & Contracts > Update Contracts
This option installs contract information on Security Management server. Each
time you purchase a new contract, use this option to make sure the new
contract is displayed in the license repository:
Chapter 9
Upgrading a Distributed Deployment
In This Chapter
Introduction
This chapter describes the process of upgrading a distributed deployment to R70.
A distributed deployment consists of at least one Security Management server and
one or more gateways. The Security Management server and gateway do not reside
on the same physical machine. Since backward compatibility is supported, a
Security Management server that has been upgraded to R70 can enforce and
manage gateways from previous versions. In some cases, however, new features
may not be available on earlier versions of the gateway.
The R70 Security Management server can manage the following gateways:
Release             Version
NGX                 R60, R60A, R61, R62, R65
InterSpect          NGX R60
Connectra           NGX R61, R62, R62CM, R66
UTM-1 Edge          7.5.x and above
Endpoint Security
Pre-Upgrade Considerations
In This Section
Pre-upgrade Verification
Using the Pre-Upgrade Verification tool reduces the risk of incompatibility when
upgrading the deployment to R70. It is used to test the current gateway prior to
upgrading to R70. The Pre-Upgrade Verification tool produces a detailed report
indicating the actions that should be taken before performing an upgrade to R70
(refer to “Using the Pre-Upgrade Verification Tool” on page 163).
Note - Once the workaround is complete, features new to R70 may not be available on
the gateway.
Upgrading the Security Management Server
Usage:
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion
    -t TargetVersion [-f FileName] [-w]
or
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion
    -i [-f FileName] [-w]
-p   Path of the installed SmartCenter Server (FWDIR)
-c   Currently installed version
-t   Target version
-i   Check originality of INSPECT files only
-f   Output in file
-w   Web format file
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove
applet in the Control Panel. Check Point packages need to be uninstalled in the
opposite order to which they were installed. For example, since CPsuite is the first
package installed, it should be the last package uninstalled.
Note - Creating the snapshot image can take up to twenty minutes, during which Check
Point products are stopped.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. For example, since CPsuite is the first package installed, it should
be the last package uninstalled.
Run rpm -e <package name> to remove a package; rpm -qa lists all the installed packages.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. For example, since CPsuite is the first package installed, it will be
the last package uninstalled.
Run rpm -e <package name> to remove a package; rpm -qa lists all the installed packages.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. Since CPsuite is the first package installed, it will be the last
package uninstalled.
Run the pkgrm command to view a list of the installed packages.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. Since CPsuite is the first package installed, it should be the last
package uninstalled.
Run rpm -e <package name> to remove a package; rpm -qa lists the installed packages.
7. The new image installation process begins. Click the provided link to get the
upgrade status.
8. When the upgrade is complete, click the link to the IPSO Image Management
page.
The IPSO Image Management window opens.
9. Under the title Select an image for next boot, select the last downloaded image.
10. Click Test Boot.
11. Access the CLI console to see when the Reboot is complete. Once the Reboot
is complete, go back to the Network Voyager to verify that the image was set
properly.
12. In the Network Voyager, click Refresh and log in.
13. If you are not returned to the last window you were in, click
System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO Image is selected.
14. Select Commit testboot and click Apply.
15. Access the CLI console and log in.
16. Perform an FTP using bin mode to transfer the
IPSO_Wrapper_<version_number>.tgz package.
17. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter.
This command:
• Deactivates previous Check Point packages but does not delete them.
• Finds the upgrade tools in $FWDIR and performs an import/export operation
to preserve the previous configuration.
When the process is complete, you should receive a message indicating that the
process was successful, along with a reminder to update your contract
information. For more information on contracts, see: “On IPSO” on page 154.
18. Log off the console connection, and then log back on to set the environment
variables.
19. Start the installed products by running cpstart.
Note - The previous Check Point packages remain installed but deactivated. Should the
need arise, the previous packages can be activated through the Network Voyager.
Upgrading the Gateway
In This Section
SmartUpdate Options
SmartUpdate is the primary tool used for upgrading Check Point gateways. The
following features and tools are available in SmartUpdate:
• Upgrade All Packages: This feature allows you to upgrade all packages installed
on a gateway. For IPSO and SecurePlatform, this feature also allows you to
upgrade your operating system as a part of your upgrade. In R70,
SmartUpdate's “Upgrade all Packages” supports HFAs, i.e., it will suggest
upgrading the gateway with the latest HFA if an HFA package is available in the
Package Repository. "Upgrade All" is the recommended method. In addition,
there is an advanced method to install (distribute) packages one by one.
• Add Package to Repository: SmartUpdate provides three “helper” tools for
adding packages to the Package Repository:
• From CD: Adds a package from the Check Point CD.
• From File: Adds a package that you have stored locally.
• From Download Center: Adds a package from the Check Point Download
Center.
• SmartUpdate’s Get Check Point Gateway Data: This tool updates SmartUpdate
with the current Check Point or OPSEC third-party packages installed on a
specific gateway or for your entire enterprise.
• Check for Updates: This feature, available from the SmartDashboard Tools
menu, locates the latest HFA on the Check Point Download Center, and adds it
to the Package Repository.
Note - The Allow reboot... option (selected by default) is required in order to activate
the newly installed packages.
The Operation Status pane opens and shows the progress of the installation.
Each operation is represented by a single entry. Double click the entry to open
the Operation Details window, which shows the operation history.
The following operations are performed during the installation process:
• The Check Point Remote Installation Daemon connects to the Check Point
gateway.
• Verification for sufficient disk space.
When the Upgrade process is complete, upon reboot you are given the option to
manually start the SecurePlatform operating system using the upgraded version
image or using the image created prior to the Upgrade process.
6. After you complete the upgrade process, do the following:
a. Using SmartDashboard, log in to the R70 Security Management server that
controls the upgraded gateway.
b. Open the gateway object properties window for the upgraded gateway and
change the version to R70.
c. Perform Install Policy on the upgraded gateway.
Chapter 10
Backup and Revert for Security Gateways
In This Chapter
Introduction
Before you perform an upgrade process, you should back up your current
configuration. The purpose of the backup process is to back up the entire
configuration, and to restore it if necessary, for example, in the event that the
upgrade process is unsuccessful.
To back up your configuration, use the Export utility tool of the version for which
you are creating a backup file. The backup file contains your current system
configuration (for example, objects, rules, and users) and can be used to restore
your previous configuration if the upgrade process fails. The restoration procedure
restores the configuration in effect when the backup procedure was executed.
Note - Operating system level configurations (for example, network configuration) are not
exported.
Backing Up Your Current Deployment
Warning - The configuration file (.tgz) contains your product configuration. It is highly
recommended to delete it after completing the import process.
Restoring a Deployment
To restore a deployment:
1. Copy the exported .tgz file to the target Security Management server.
2. In the Security Management server, insert the product CD for the version being
restored.
3. Using the available options, perform an installation using an imported
configuration file.
SecurePlatform Backup and Restore Commands
Backup
This command is used to back up the system configuration. You can also copy
backup files to a number of SCP and TFTP servers for improved backup robustness.
The backup command, when run by itself without any additional flags, uses default
backup settings and performs a local backup.
Syntax
backup [-h] [-d] [-l] [--purge DAYS]
       [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
       [[--tftp <ServerIP> [-path <Path>] [<Filename>]] |
        [--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]] |
        [--file [-path <Path>] [<Filename>]]]
Parameters
Table 10-1 Backup Parameters
Parameter                                   Meaning
-h                                          Obtain usage
-d                                          Debug flag
-l                                          Enables VPN log backup (by default, VPN logs are
                                            not backed up)
--purge DAYS                                Deletes old backups from previous backup attempts
--sched [on hh:mm <-m DayOfMonth> |         Schedule interval at which backup is to take place:
         <-w DaysOfWeek>] | off             • On - specify time and day of week, or day of month
                                            • Off - disable schedule
--tftp <ServerIP> [-path <Path>]            List of IP addresses of TFTP servers on which the
       [<Filename>]                         configuration is to be backed up, and optionally the
                                            filename
--scp <ServerIP> <Username> <Password>      List of IP addresses of SCP servers on which the
      [-path <Path>] [<Filename>]           configuration is to be backed up, the username and
                                            password used to access the SCP server, and
                                            optionally the filename
--file [-path <Path>] [<Filename>]          When the backup is performed locally, specify an
                                            optional filename
Restore
This command is used to restore the system configuration.
Syntax
restore [-h] [-d][[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]
Parameters
Table 10-2 Restore Parameters
Parameter                                   Meaning
-h                                          Obtain usage
-d                                          Debug flag
--tftp <ServerIP> [<Filename>]              IP address of the TFTP server from which the
                                            configuration is restored, and the filename
--scp <ServerIP> <Username> <Password>      IP address of the SCP server from which the
      [<Filename>]                          configuration is restored, the username and
                                            password used to access the SCP server, and the
                                            filename
--file <Filename>                           Specify a filename for the restore operation,
                                            performed locally
For additional information about the backup and restore utilities, refer to the
System Commands section in the Check Point R65
SecurePlatform/SecurePlatform Pro Administration Guide.
Snapshot
This command creates an image of SecurePlatform. The snapshot command, run by
itself without any additional flags, uses the default backup settings and creates a
local snapshot.
Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]
Parameters
Table 10-3 Snapshot Parameters
Parameter                                Meaning
-h                                       Obtain usage
-d                                       Debug flag
--tftp <ServerIP> <Filename>             IP address of the TFTP server from which the snapshot is taken, as well as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>
                                         IP address of the SCP server from which the snapshot is taken, the username and password used to access the SCP server, and the filename of the snapshot
--file <Filename>                        When the snapshot is made locally, specify a filename
Revert
This command restores SecurePlatform from a snapshot file, reverting the machine
to a previous deployment. The revert command, run by itself without any additional
flags, uses default backup settings, and reboots the system from a local snapshot.
Syntax
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]
Parameters
Table 10-4 Revert Parameters
Parameter                                Meaning
-h                                       Obtain usage
-d                                       Debug flag
--tftp <ServerIP> <Filename>             IP address of the TFTP server from which the snapshot is rebooted, as well as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>
                                         IP address of the SCP server from which the snapshot is rebooted, the username and password used to access the SCP server, and the filename of the snapshot
--file <Filename>                        When the snapshot is made locally, specify a filename
The revert command functionality can also be accessed from the Snapshot image
management boot option.
Reverting to Your Previous Deployment
Note - Make sure to remove all R70 products and compatibility packages before removing
the R70 CPsuite.
2. On the Manage Packages page, confirm that the previous versions of Check
Point packages are enabled and the R70 versions are disabled.
Note - On flash-based platforms, the R70 packages no longer appear in the Manage
Packages page since they were never part of the previous configuration set.
ICA Considerations
Once the Revert process is complete, certificates issued during the use of R70
remain valid. While these certificates are valid, they cannot be processed by the
Internal CA.
To resume management of older certificates after the Revert process:
1. Back up the InternalCA.NDB and ICA.crl files (located in the $FWDIR/conf
directory) and all *.crl files (located in the $FWDIR/conf/crl directory) from
the version prior to R70 to a suitable location.
2. Copy the R70 InternalCA.NDB, ICA.crl and the *.crl files (located in the
$FWDIR/conf directory) from the current R70 version and use them to overwrite
the files in the location specified in step 1 (in the $FWDIR/conf directory).
Note - If the Upgrade process was performed on a machine that runs a different operating
system than the original machine, the InternalCA.NDB file must be converted after it is
copied to the reverted environment. To do this, run the ‘cpca_dbutil d2u’ command
line from the reverted environment.
3. Once the Revert process is complete, use the ICA Management Tool to review
certificates created using R70 in the reverted environment. For example, the
subject to which a specific certificate was issued may no longer exist. In such
a case, you may want to revoke the specific certificate.
For additional information, refer to The Internal Certificate Authority (ICA) and
the ICA Management Tool chapter in the Security Management Server
Administration Guide.
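Step 1 above preserves the pre-R70 ICA files before step 2 overwrites them with the R70 copies. The shell functions below are an added example, not Check Point's own tooling: they copy InternalCA.NDB, ICA.crl and the conf/crl/*.crl files into a backup directory and record a SHA-256 manifest, so that the preserved copies can be checked for completeness and integrity before anything is overwritten. The function names, the MANIFEST.sha256 file and the use of sha256sum are assumptions; $FWDIR is the variable the guide itself uses.

```shell
#!/bin/sh
# Added example, not part of the Check Point product. Preserves the ICA files
# named in step 1 (InternalCA.NDB, ICA.crl and conf/crl/*.crl) and records a
# SHA-256 manifest for them. Function names and MANIFEST.sha256 are assumptions.

# backup_ica_files <fwdir> <dest_dir>
# Copies the ICA files from <fwdir>/conf into <dest_dir>, keeping the conf/crl
# layout, then writes <dest_dir>/MANIFEST.sha256. Prints the number of files
# copied; exits non-zero if a mandatory file is absent.
backup_ica_files() {
    src="$1/conf"
    dest="$2"
    count=0
    mkdir -p "$dest/crl" || return 1

    # InternalCA.NDB and ICA.crl must both exist; stop early rather than
    # leave a partial backup that looks complete.
    for f in InternalCA.NDB ICA.crl; do
        if [ ! -f "$src/$f" ]; then
            echo "backup_ica_files: mandatory file missing: $src/$f" >&2
            return 1
        fi
        cp -p "$src/$f" "$dest/$f" || return 1
        count=$((count + 1))
    done

    # Per-CRL files are optional; copy whatever is present.
    for f in "$src"/crl/*.crl; do
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/crl/" || return 1
            count=$((count + 1))
        fi
    done

    # Manifest of everything just copied (relative paths, sorted for stable output).
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort \
        | xargs sha256sum > MANIFEST.sha256 ) || return 1
    echo "$count"
}

# verify_ica_backup <dest_dir>
# Returns 0 only if every file listed in the manifest still matches its digest.
verify_ica_backup() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}
```

Run backup_ica_files from the environment whose files you are preserving, and verify_ica_backup from the reverted environment before overwriting anything in step 2; a manifest mismatch means the preserved copy should not be trusted.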
Chapter 11
Upgrading a Standalone
Deployment
Introduction
This chapter describes the process of upgrading a standalone deployment to R70.
A standalone deployment consists of the Security Management server and gateway
installed on the same system. Since backward compatibility is supported, a
Security Management server that has been upgraded to R70 can enforce and
manage gateways from previous versions. In some cases, however, new features
may not be available on earlier versions of the gateway.
The R70 Security Management server can manage the following gateways:
Release Version
NGX R60, R60A, R61, R62, R65
InterSpect NGX R60
Connectra NGX R61, R62, R62CM, R66
UTM-1 Edge 7.5.x and above
Endpoint Security
Pre-Upgrade Considerations
Warning - For all operating systems except SecurePlatform, an R70 upgrade cannot be
reverted to its previous version, once it is complete.
or
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion
-i[-f FileName][-w]
-p Path of the installed SmartCenter server (FWDIR)
-c Currently installed version
-t Target version
-i Check originality of INSPECT files only
-f Output in file
-w Web format file
Standalone Security Gateway Upgrade on a Windows Platform
Warning - For all operating systems except SecurePlatform, an R70 upgrade cannot be
reverted to its previous version once it is complete.
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove
applet in the Control Panel. Check Point packages need to be uninstalled in the
opposite order to which they were installed. Since CPsuite is the first package
installed, it should be the last package uninstalled.
Warning - For all operating systems except SecurePlatform, an R70 upgrade cannot be
reverted to its previous version once it is complete.
Note - Creating the snapshot image can take up to twenty minutes, during which time
Check Point products are stopped.
Standalone Security Gateway Upgrade on SecurePlatform
• Upgrade
• Export the configuration
• Perform pre-upgrade verification only
i. Run the pre-upgrade verification script, and follow the
recommendations contained in the pre-upgrade verification results.
Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the configuration.
iii. Upgrade the installation.
9. Enter c to agree to the license upgrade.
The license upgrade process also handles gateway licenses in the SmartUpdate
license repository. Select one of the following:
• Enter [L] to view the licenses installed on your machine.
• Enter [C] to check if currently installed licenses have been upgraded.
• Enter [S] to simulate the license upgrade.
• Enter [U] to perform the license upgrade, or generate a license file that can
be used to upgrade licenses on a machine with no Internet access to the
User Center.
• Enter [O] to perform the license upgrade on a license file that was
generated on machine with no Internet access to the User Center.
• Enter [Q] to quit.
10. Select a source for the upgrade utilities
Either download the most updated files from the Check Point website or use
the upgrade tools contained on the CD. The exported configuration is
automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. Since CPsuite is the first package installed, it should be the last
package uninstalled.
Run rpm -qa to view a list of the installed packages, and rpm -e <package name> to uninstall each one.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they
were installed. For example, since CPsuite is the first package installed, it should
be the last package uninstalled.
Run rpm -qa to view a list of the installed packages, and rpm -e <package name> to uninstall each one.
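Because the packages must come off in the reverse of their installation order, the order can be derived from the install times rpm records rather than from memory. The shell functions below are an added example, not Check Point's own tooling: they read lines of the form produced by rpm -qa --qf '%{INSTALLTIME} %{NAME}\n', print the removal order, and check that the CPsuite package ends up last. The function names and the sample package names are constructed for this example.

```shell
#!/bin/sh
# Added example, not Check Point's code. Derives the removal order from the
# package install times so that the package installed first (CPsuite) is
# removed last. Input lines are assumed to be the output of
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}\n'
# i.e. "<epoch seconds> <package name>", one per line.

# uninstall_order: reads "installtime name" lines on stdin and prints the
# names newest-install first (the order in which to run rpm -e).
uninstall_order() {
    sort -rn -k1,1 | awk '{ print $2 }'
}

# check_cpsuite_last: reads the same lines; returns 0 only when a CPsuite
# package is the final entry of the removal order, i.e. it is removed last.
check_cpsuite_last() {
    last=$(uninstall_order | tail -n 1)
    case "$last" in
        CPsuite*) return 0 ;;
        *)
            echo "check_cpsuite_last: CPsuite is not last; '$last' would be removed last" >&2
            return 1 ;;
    esac
}

# Constructed sample input (placeholder names and times, not real rpm output).
SAMPLE_PACKAGES='1230000000 CPsuite-R65
1230000600 PLACEHOLDER_PKG_A
1230001200 PLACEHOLDER_PKG_B'

# On a live system:
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}\n' | check_cpsuite_last && \
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}\n' | uninstall_order
```

The check is deliberately separate from the listing so that a package set in which CPsuite is not the oldest entry is flagged before any rpm -e is run.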
Standalone Gateway Upgrade on an IPSO Platform
Before Installing
• From the Check Point website:
http://www.checkpoint.com/techsupport/downloads.jsp.
download: IPSO_Wrapper_R70.tgz.
• From Nokia, download: IPSO 6.0.7
Note - R70 is not supported on IPSO 4.x images. If you are using IPSO 4.x, first upgrade
to IPSO 6.0.7. If IPSO 6.0.7 is already installed, skip to step 19 on page 208.
You are informed that the file download and image installation may take some
time.
5. Click Apply.
A message is displayed indicating that the new image installation process has
started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images.
The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image:
IPSO 4.1 or 4.2.
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot
is complete, go back to the Network Voyager to verify that the image was set
properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click
System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO (4.1 or 4.2) image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console, and log in.
14. Type newpkg, and press Enter.
15. Use the FTP menu option to transfer the 6.0.7 package.
16. Install the 6.0.7 package.
Wait until a message informs you that the process is complete.
17. Activate the 6.0.7 package.
18. In Voyager, verify that the 6.0.7 package is turned ON.
19. On the CLI, type newpkg, and press Enter.
20. Use the FTP menu option to transfer the IPSO_Wrapper_R70.tgz package.
21. Install the IPSO_Wrapper_R70 package.
Wait until a message informs you that the process is complete.
22. Type Reboot and press Enter.
Configuring R70
If you upgraded from IPSO 4.x to 6.0.7 then there is no need to configure R70. If
you performed a fresh installation of IPSO 6.0.7:
1. From a console connection, run cpconfig.
2. Select an installation type, Stand Alone or Distributed.
3. Select Security Management server from the selection list.
4. Specify the Security Management server type as Primary or Secondary
Management.
Note - Only relevant for a distributed deployment.
5. Add Licenses.
6. Configure an administrator name and password.
7. Configure the GUI clients and hosts which can access the Security
Management server using SmartConsole.
8. Configure Group Permissions.
9. Configure a pool of characters for use in cryptographic operations. Type
randomly until the progress bar is full.
10. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
11. Start the installed products.
If you opt not to start the installed products at this time, they can be started
later by running cpstart.
12. Reboot.
2. On the Manage Packages page, confirm that the previous versions of Check
Point packages are enabled and the R70 versions are disabled.
Note - On flash-based platforms, the R70 packages will no longer appear in the Manage
Packages page since they were never part of the previous configuration set.
Chapter 12
Upgrading ClusterXL
Deployments
Planning a Cluster Upgrade
• SmartUpdate’s Get Check Point Gateway Data: This tool updates SmartUpdate
with the current Check Point or OPSEC third party packages installed on a
specific gateway or throughout your entire enterprise.
Note - Full Connectivity Upgrade is supported between minor versions only. For further
information, refer to “Full Connectivity Upgrade on a ClusterXL Cluster” on page 219 and
the R70 Release Notes.
Zero Downtime Upgrade on a ClusterXL Cluster
Note - Do not change any cluster parameters from the current policy at this time. For
example, if the cluster is running in New High Availability mode, do not change it to
Load Sharing. Changes can be made after the upgrade process is complete.
6. If you are upgrading from a previous version, perform the following steps:
a. From the Policy Installation window, clear the For Gateway Clusters, install on
all the members, if it fails do not install at all option located under the Install
on each selected Module independently option.
b. Install the security policy on the cluster.
The policy will be successfully installed on cluster members B and C, and
will fail on member A.
7. Using the cphaprob stat command (executed on a cluster member), verify that
the status of cluster member A is Active or Active Attention. The remaining
cluster members will have a Ready status. The status Active Attention is given
if member A’s synchronization interface reports that its outbound status is
down, because it is no longer communicating with other cluster members.
Note - It is recommended that you minimize the time in which cluster members are
running different versions.
Full Connectivity Upgrade on a ClusterXL Cluster
Supported Modes
FCU is supported on all modes of ClusterXL, including IPSO’s IP clustering and
VRRP. Legacy High Availability is not supported in FCU. For other third-party
support, refer to the third-party documentation.
Verify that the list of Check Point Gateway names is the same for both cluster
members.
• All the Gateway configuration parameters should have the same values on the
NM and the OM. The same rule applies to any other local configurations you
may have set.
For example, having the attribute block_new_conns with different values on the
NM and on the OM might cause the FCU to fail since gateway behavior cannot
be changed during the upgrade.
• A cluster that performs static NAT using the gateway’s automatic proxy ARP
feature requires special considerations: cpstop the old Check Point Gateway
right after running cphastop. Running cphastop is part of the upgrade
procedure described in “Zero Downtime Upgrade on a ClusterXL Cluster” on
page 216. Failure to do this may cause some of the connections that rely on
proxy ARP to fail and may cause other connections that rely on proxy ARP not
to open until the upgrade process completes. Note, however, that running
cpstop on the old Check Point Gateway rules out the option to rollback to the
OM while maintaining all live connections that were originally created on the
OM.
2. First upgrade only one member, following the steps outlined in “Zero Downtime
Upgrade on a ClusterXL Cluster” on page 216. Before you get to step 8 on page
218 (executing cphastop), run the following command on all the upgraded
members: fw fcu <other member ip on sync network>. Then continue with
step 8 on page 218 on all remaining OMs.
For more than three members, divide the upgrade of your members so that the
active cluster members can handle the amount of traffic during the upgrade.
Note - cphastop can also be executed from the Cluster object in the SmartConsole. Once
cphastop is executed, do not run cpstart or cphastart again or reboot the machine.
Table id map: This shows the mapping between the gateway’s kernel table indices
on the OM and on the NM. Having a translation is not mandatory.
Table handlers: This should include a sip_state and connection table handlers. In
a security gateway configuration, a VPN handler should also be included.
Global handlers: Reserved for future use.
Note - Not all connections are synchronized. For example, local connections and services
that are marked as non-synched.
Options
-t - table
-u - unlimited entries
-s - (optional) summary of the number of connections
For further information on the fw tab -t connections command, refer to the
“Command Line Interface” Book.
Chapter 13
Advanced Upgrade of
Management servers &
Standalone Gateways
Introduction
There are a number of reasons for performing an advanced upgrade, for example if
you need to:
• Upgrade to R70 while replacing the Operating System on which the current
Security Management Server is installed.
• Upgrade to R70 while migrating to a new server.
• Upgrade to R70 while avoiding unnecessary risks to the production Security
Management server in case of failure during the upgrade process.
To avoid unnecessary risks, it is possible to migrate the current configuration of the
production Security Management server, to a new Security Management server.
Warning - When performing an advanced upgrade using the import-export tool, it is vital
that the target machine has the same exact configuration as the source machine. For
example, the same products should be installed on both. A products mismatch may result in
a corrupt database.
Migrate Your Current Management Configuration and Upgrade
Introduction
This section describes the advanced upgrade procedure for Security Management
Server. The advanced upgrade procedure involves two machines. The first machine
is the working production machine, the source. The second machine, the
destination, is off-line, and only contains the operating system of the latest release,
in this case R70. Security Management server is installed on the second
(destination) machine and the configuration of the first machine (the source) is
imported.
Advanced upgrade on all platforms except IPSO involves:
• Performing a new installation, and manually importing a previously exported
configuration, or:
• Performing a new installation and upgrading through the wrapper. The wrapper
automatically performs the install and the upgrade_import process.
When migrating to a new Security Management server, the destination server should
have the same IP configuration as the original Security Management server. If you
are migrating to a new machine with a different IP address, see “Migration to
a New Machine with a Different IP Address” on page 240.
Warning:
An advanced upgrade of Security Management server influences the behavior of the
Eventia Reporter Server in regard to consolidation sessions. If you are deploying
Eventia Reporter, before you perform an advanced upgrade of Security Management
server, you must first remove Eventia Reporter’s consolidation session. See “Advanced
Eventia Reporter Upgrade” on page 303 for how to remove the consolidation session.
Warning - The configuration file (.tgz) file contains your security configuration. It is highly
recommended to delete it after completing the upgrade process.
17. After product installation, the Check Point Configuration Program opens. Use
the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local
licenses on this machine. The recommended way of managing licenses is
through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this
Security Management server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type
randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.
Note - Creating the snapshot image can take up to twenty minutes, during which time
Check Point products are stopped.
• Enter [O] to perform the license upgrade on a license file that was
generated on machine with no Internet access to the User Center.
• Enter [Q] to quit.
10. Select a source for the upgrade utilities.
Either download the most updated files from the Check Point website or use
the upgrade tools contained on the CD. The exported configuration is
automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new licenses to the gateways.
To perform an advanced upgrade on SecurePlatform by manually importing the
database:
1. On the R70 Security Management server, locate the upgrade_export tool in the
$FWDIR/bin/upgrade_tools directory.
2. Copy upgrade_export tool to the same directory on the source machine. (Before
doing this, it is recommended to preserve the old upgrade tools by renaming
them.)
3. Run the upgrade_export tool:
./upgrade_export <new database name>
4. The upgrade_export tool creates a <new database name>.tgz file.
5. Transfer the .tgz file to the R70 $FWDIR/bin/upgrade_tools folder.
6. Run the upgrade_import tool:
./upgrade_import <new database name>.tgz
7. The database is imported.
8. Reboot the Security Management server.
9. Open SmartDashboard and edit the properties of the Security Management
server network object, removing the IP address of the source machine and
replacing it with the new one.
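Steps 3 to 6 above move a .tgz that, as the warning earlier in this section notes, contains the whole security configuration. The shell functions below are an added example, not Check Point's own tooling: they verify the transferred archive against a SHA-256 digest recorded on the source machine before running the import, keep the archive only when the import fails (so it can be retried), and remove it once the import succeeds. The function names and the UPGRADE_IMPORT variable are assumptions; the default path is the $FWDIR/bin/upgrade_tools location the procedure uses, and the digest is assumed to have been taken with sha256sum on the source right after step 4.

```shell
#!/bin/sh
# Added example, not Check Point's code. Verifies an exported configuration
# archive against the digest recorded on the source machine, runs the import,
# and removes the archive afterwards as the guide recommends.
# Assumptions: a SHA-256 of the .tgz was recorded (e.g. with sha256sum) on the
# source before transfer; UPGRADE_IMPORT names the import tool and defaults to
# the R70 upgrade_tools path used in this procedure.

UPGRADE_IMPORT="${UPGRADE_IMPORT:-$FWDIR/bin/upgrade_tools/upgrade_import}"

# sha256_of <file>: prints the hex digest only
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# checked_import <archive.tgz> <expected_sha256>
# Exit codes: 0 imported and archive removed, 2 archive missing,
# 3 digest mismatch (archive kept), 4 import failed (archive kept for retry).
checked_import() {
    archive="$1"
    expected="$2"

    if [ ! -f "$archive" ]; then
        echo "checked_import: no such archive: $archive" >&2
        return 2
    fi

    # Refuse to import anything that does not match what the source produced:
    # a mismatch means a truncated transfer or a modified archive.
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checked_import: digest mismatch for $archive" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 3
    fi

    if ! "$UPGRADE_IMPORT" "$archive"; then
        echo "checked_import: import failed; archive kept for retry" >&2
        return 4
    fi

    # The archive holds the complete security configuration; do not leave it
    # on disk once it has been imported.
    rm -f "$archive"
    [ ! -f "$archive" ]
}
```

The digest is compared before the tool is invoked so that a damaged or altered archive is never fed to upgrade_import, and the archive is removed only on a successful import so that a failed attempt can still be repeated.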
14. Transfer the exported configuration to the new Solaris installation, for example,
using FTP.
15. Change the directory to /opt/CPsuite-R70/fw1/bin/upgrade_tools.
Verify that the upgrade tools in this directory are the R70 upgrade tools taken
from the installation CD or downloaded from the Check Point website.
16. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
17. Enter y to stop all Check Point services.
The license upgrade wrapper runs.
18. Enter c to continue, or q to quit.
19. Wait for the message: upgrade_import finished successfully!
20. Enter y to restart Check Point Services.
10. The pre-upgrade verification process runs automatically. View the results and
follow the recommendations.
11. Enter n.
12. Specify an upgrade option:
• Upgrade installed products
• Upgrade installed products and install new products
13. Enter n.
14. Enter n to validate the products to install.
15. After product installation, the Check Point Configuration Program opens. Use
the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local
licenses on this machine. The recommended way of managing licenses is
through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this
Security Management server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type
randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
f. Start the installed products.
16. Reboot.
17. Log in again to the root account to set the new environment variables.
18. To start Check Point Services, run: cpstart.
4. On the new Security Management Server, remove the object you created to
represent the new Security Management Server’s IP address.
5. On the new Security Management Server update the primary Security
Management Server object so that its IP Address and topology match its new
configuration.
6. On the DNS, map the Security Management Server’s DNS to the new IP
address.
This section covers the advanced upgrade procedure for security gateways. The
advanced upgrade procedure involves two machines. The first machine is the
working production machine. The second machine is off-line, and only contains the
operating system. The Security Management server is freshly installed on the
second machine and the configuration of the first machine is imported.
Migrate Your Current Gateway Configuration & Upgrade
• Perform a fresh install of the security gateway, and import the configuration
file. When prompted, select Installation using Imported Configuration. This
option prompts you for the location of the imported .tgz configuration file
and then automatically installs the new software and utilizes the imported
.tgz configuration file.
• Perform a fresh install of security gateway, and manually import the
configuration file using the upgrade_import tool on the R70 CD.
Warning - The configuration file (.tgz) file contains your security configuration. It is highly
recommended to delete it after completing the import process.
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
9. Enter n.
10. The pre-upgrade verification process runs automatically. View the results and
follow the recommendations.
11. Enter n.
12. Specify an upgrade option:
• Upgrade installed products
• Upgrade installed products and install new products
13. Enter n.
14. Enter n to validate the products to install.
15. After the installation is complete, the Check Point Configuration Program
opens. Use the Check Point Configuration program to:
a. Add licenses: The Check Point Configuration Program only manages local
licenses on this machine. The recommended way of managing licenses is
through SmartUpdate.
b. Configure GUI clients: A list of hosts which will be able to connect to this
Security Management server using SmartConsole.
c. Configure group permissions: Specifies a group name.
d. Configure a pool of characters: For use in cryptographic operations. Type
randomly until the progress bar is full.
e. Configure the Certificate Authority: Saves the CA’s Fingerprint to a file.
f. Start the installed products.
16. Reboot.
17. Log in again to the root account to set the new environment variables.
18. To start Check Point Services, run: cpstart.
Note - Creating the snapshot image can take up to twenty minutes, during which time
Check Point products are stopped.
• Enter [O] to perform the license upgrade on a license file that was
generated on machine with no Internet access to the User Center.
• Enter [Q] to quit.
10. Select a source for the upgrade utilities.
Either download the most updated files from the Check Point website or use
the upgrade tools contained on the CD. The exported configuration is
automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new licenses to the gateways.
13. Configure the GUI clients and hosts that can access the Security Management
server management component.
14. Configure Group Permissions.
15. Configure a pool of characters for use in cryptographic operations. Type
randomly until the progress bar is full.
16. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
17. When prompted, do not start the installed products.
18. From $FWDIR/bin/upgrade_tools, run upgrade_import.
19. Reboot.
20. Start the installed products by running cpstart.
Chapter 14
Upgrading Provider-1
Introduction
This chapter describes methods and utilities for upgrading Provider-1 to the current
version.
Release Version
NGX R65
R62
R61
R60A
R60
Provider-1 Upgrade Tools
Installation Script
Use the mds_setup installation script for MDS.
Note - When installing MDS on SecurePlatform, the installation is performed using the
SecurePlatform installer on the CD. Do not run the mds_setup script directly. For
additional information, refer to “Provider-1 Upgrade Practices” on page 266.
To run mds_setup:
1. Mount the Provider-1 CD from the relevant subdirectory.
2. Change the directory to the mounted directory.
3. Browse to either the Solaris or Linux directory, depending on the operating
system of your MDS machine.
4. Run the installation script: ./mds_setup.
When mds_setup is executed, it first checks for an existing installation of MDS:
• If no such installation exists, mds_setup asks you to confirm a fresh
installation of MDS.
• If a previous version of MDS is detected, you are prompted to select one of
the following options (Pre-Upgrade Verification Only, Upgrade or Backup)
listed below.
5. Exit all shell sessions. Open a new shell in order for the new environment to be
set.
Upgrade
When the upgrade option is used, mds_setup runs the Pre-Upgrade Verifier and if
no errors are found, the upgrade process proceeds. In case of errors, mds_setup
stops the installation until all the errors are fixed. In some cases, mds_setup
suggests automatically fixing the problem using a fixing utility. Fixing utilities that
affect the existing installation can also be run from the command line. You can
choose to stop the installation and run the fixing utility from the command line.
There are two important things to remember after changing your existing
installation:
• Verify your changes in the existing installation before you upgrade.
• Synchronize global policies. If you make changes in global policies, reassign
these global policies to customers. If you have a multi-MDS environment:
• Synchronize databases between MDSs in High Availability.
• Synchronize databases between CMAs in High Availability.
• Install the database on CLMs.
Backup
Prior to performing an upgrade, back up your MDS. The backup option from
mds_setup runs the mds_backup process (refer to mds_backup). Backup is also
used for replication of your MDS to another machine. Manual operations are
necessary if you are switching IP addresses or network interface names. For
additional information, refer to “Changing the MDS IP Address and External
Interface” on page 283.
export_database
The export_database utility allows you to export an entire database into one .tgz
file that can be imported into a different MDS machine. The following files can be
exported:
Usage
• Exporting a CMA:
./export_database.sh <path for the output file> -c <name of CMA>
• Exporting a Security Management server:
./export_database.sh <path for the output file>
• Exporting an MDS global database:
./export_database.sh <fully qualified path for the output file> -g
Other flags:
Flag Meaning
-h Display usage
-b Batch mode
-l Include the log database
-m Include the SmartMap database
Example
• To export the database of a CMA, CMA1, including its log database to a file path,
/var/tmp, use the following command:
./export_database.sh /var/tmp -c CMA1 -l
• To export a Security Management database, including its Smartmap database,
to a file path, /var/tmp, use the following command:
./export_database.sh /var/tmp -m
• To export an MDS’s Global Policy to a file path, /var/for_export, use the
following command:
./export_database.sh /var/for_export -g
merge_plugin_tables
The merge_plugin_tables utility is included in the export_database utility. It
searches for all CMA or Security Management Plug-ins and merges the Plug-in
tables with the CMA or Security Management tables.
In Linux and Solaris 2, the merge_plugin_tables tool runs automatically when you
run the export_database tool and its output becomes part of the CMA database
.tgz file.
If you have a Security Management server running on FreeBSD, IPSO 6, or WIN32
you can and should use merge_plugin_tables to consolidate your Plug-in
information before exporting files using migrate_assist.
Usage
merge_plugin_tables <-p conf_dir> [-s] [-h]
where <-p conf_dir> is the path of $FWDIR directory of the CMA/Security
Management, -s performs the utility in silent mode (default is interactive mode),
and -h displays usage.
Example
To merge the Plug-in tables of a CMA, CMA1, run the following commands:
mdsenv cma1
merge_plugin_tables -p "$FWDIR"
migrate_assist
This utility is a helper utility for cma_migrate. It can be used to pull the original
management directories to the current disk storage using FTP.
When you finish running migrate_assist, it is possible to run cma_migrate (refer to
“cma_migrate” on page 259), the input directory of which will be the output
directory of migrate_assist.
You can use export_database instead of migrate_assist to export a CMA,
Security Management, or Global Policy database if your source machine is running
on Linux 30 or Solaris 2. See “export_database” on page 255 for more
information.
Note - Before running migrate_assist, stop source management processes and merge
Plug-in tables.
Usage
migrate_assist <source machine name/ip> <source FWDIR folder> <user name> <password> <target folder> <source CPDIR folder>
Example
To import a Security Management server with the IP address 192.168.0.5 of
version NGX R60, use the following command:
migrate_assist 192.168.0.5 /opt/CPsuite-R60/fw1 FTP-user FTPpass /EMC1 /opt/CPshrd-R60
/EMC1 is the name of the directory created on the MDS server machine.
migrate_assist accesses the source machine and imports the source FWDIR and
CPDIR folders into the specified target folder according to the structure described
above. The user name and password are needed to gain access to the remote
machine via FTP.
Note - When the source management is a Security Management version R70 or higher,
running on Windows, the following procedure should be done before running
migrate_assist:
1. Run the command: cpprod_util CPPROD_GetInstalledPlugIns > plugins.txt.
2. Copy the resulting file (plugins.txt) to the %FWDIR%\conf directory.
3. If you have Plug-ins installed, run merge_plugin_tables before running
migrate_assist.
cma_migrate
This utility is used to import an existing Security Management server or CMA into a
Provider-1 MDS so that it will become one of its CMAs. If the imported Security
Management or CMA is of a version earlier than the MDS to which it is being
imported, then the Upgrade process is performed as part of the import. The
available versions are listed in “Supported Versions and Platforms” on page 252.
It is recommended to run cma_migrate to import CMA or Security Management
database files created using the export_database tool.
Bear in mind that the source and target platforms may be different. The platform of
the source management to be imported can be Solaris, Linux, Windows,
SecurePlatform or IPSO.
Before running cma_migrate, create a new customer and a new CMA. Do not start
the CMA, or cma_migrate will fail.
If you are migrating a CMA to a new CMA with a different IP address, follow the
instructions in “Migration to a New Machine with a Different IP” in the Check Point
Internet Security Products Upgrade Guide.
The source database’s subdirectories to be migrated are conf, database, registry,
and log. The $CPDIR/conf directory should be named conf.cpdir and placed
inside <old source database directory path> to avoid overwriting the
$FWDIR/conf directory.
Note - The registry directory is required only if you are upgrading from version R70 or
higher.
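A pre-flight check for the source directory layout described above, added here as an example and not a Check Point utility; check_migrate_source and the constructed sample layout are this example's own.

```shell
#!/bin/sh
# Added example (not a Check Point utility): verify that a cma_migrate source
# directory has the layout this guide requires before the import is attempted.
#   - conf, database and log subdirectories must be present
#   - $CPDIR/conf must have been staged as conf.cpdir (never copied over conf)
#   - registry is required only when the source is R70 or higher
# Usage: check_migrate_source <source management directory path> [r70]
# Returns 0 when the layout is complete, 1 otherwise; missing items go to stderr.
check_migrate_source() {
    src="$1"
    r70="${2:-}"
    rc=0
    if [ ! -d "$src" ]; then
        echo "ERROR: source directory '$src' does not exist" >&2
        return 1
    fi
    for sub in conf database log; do
        if [ ! -d "$src/$sub" ]; then
            echo "MISSING: $src/$sub" >&2
            rc=1
        fi
    done
    # conf.cpdir holds the old $CPDIR/conf; staging it under its own name is
    # what keeps cma_migrate from overwriting $FWDIR/conf on the target CMA.
    if [ ! -d "$src/conf.cpdir" ]; then
        echo "MISSING: $src/conf.cpdir (copy of \$CPDIR/conf)" >&2
        rc=1
    fi
    if [ "$r70" = "r70" ] && [ ! -d "$src/registry" ]; then
        echo "MISSING: $src/registry (required for R70 or higher sources)" >&2
        rc=1
    fi
    # An empty conf directory usually means the export did not complete; warn only.
    if [ -d "$src/conf" ] && [ -z "$(ls -A "$src/conf")" ]; then
        echo "WARNING: $src/conf is empty" >&2
    fi
    return "$rc"
}

# Demonstration on a constructed layout in a temporary directory
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/database" "$demo/log" "$demo/conf.cpdir"
if check_migrate_source "$demo"; then echo "pre-R70 layout: OK"; fi
if ! check_migrate_source "$demo" r70; then echo "R70 layout: incomplete (registry missing)"; fi
rm -rf "$demo"
```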
Usage
cma_migrate <source management directory path> <target CMA FWDIR directory>
Example
cma_migrate /tmp/exported_smc.22Jul2007-224020.tgz /opt/CPmds-FLO/customers/cma2/CPsuite-FLO/fw1
The second argument (<target CMA FWDIR directory>) is the FWDIR of the newly
created CMA.
Note - To run the cma_migrate utility from the MDG, right-click a CMA and select Import
Customer Management Add-on from the menu. You can also run mdscmd migratecma to
import files to an MDS.
Additional Information
When running cma_migrate, pre-upgrade verification takes place. If no errors are
found, then the migration continues. If errors are found, changes must be
performed on the original Security Management server.
migrate_global_policies
The migrate_global_policies command transfers (and upgrades, if necessary) a
global policies database from one MDS to another.
If the global policies database on the target MDS has policies that are assigned to
customers, migrate_global_policies aborts. This ensures that a Global Policy in
use at a Customer's site is not deleted.
Note - When executing the migrate_global_policies utility, the MDS will be stopped.
The CMAs can remain up and running.
Usage
migrate_global_policies <path global policies conf database>
<path global policies conf database>: Specifies the fully qualified path to
the directory where the global policies files, originally exported from the source
MDS ($MDSDIR/conf), are located.
Backup and Restore
mds_backup
This utility stores binaries and data from your MDS installation. Running
mds_backup requires superuser privileges. This utility runs the gtar command on
the root directories of data and binaries. All information located under these
directories is backed up, except for the files listed in the mds_exclude.dat file
($MDSDIR/conf). The collected information is wrapped in a single zipped tar file.
The name of the created backup file comprises the date and time of the backup,
followed by the extension .mdsbk.tgz. For example: 13Sep2002-141437.mdsbk.tgz.
The file is placed in the current working directory, thus it is important not to run
mds_backup from one of the directories that is to be backed up.
Usage
mds_backup
mds_restore
Restores an MDS that was previously stored with mds_backup. For correct operation,
mds_restore requires a fresh installation of an MDS from the same version of the
MDS to be restored.
Usage
mds_restore <backup file>
$MDSDIR/bin/set_mds_info -b -y
In-Place Upgrade
The in-place upgrade process takes place on the existing MDS machine. The MDS
and all of its CMAs are upgraded during a single upgrade process.
Note - When upgrading Provider-1, all SmartUpdate packages on the MDS (excluding
SofaWare firmware packages) are deleted from the SmartUpdate Repository.
Replicate and Upgrade
Note - The target machine should be on an isolated network segment so that gateways
connected to the original MDS are not affected until you switch to the target machine.
3. Restore the MDS on the target machine. Copy the file created by the backup
process to the target machine and run mds_restore, or run mds_setup and
select the Restore option.
4. If your target machine and the source machine have different IP addresses,
follow the steps listed in “IP Address Change” on page 283 to adjust the
restored MDS to the new IP address. If your target machine and the source
machine have different interface names (e.g. hme0 and hme1), follow the steps
listed in “Interface Change” on page 283 to adjust the restored MDS to the
new interface name.
5. Test to confirm that the replication has been successful:
a) Start the MDS.
b) Verify that all CMAs are running and that you can connect to the MDS with
MDG and Global SmartDashboard.
c) Connect to CMAs using SmartDashboard.
6. Upgrade your MDS. Stop the MDS on the target machine and employ an
In-Place Upgrade (for additional information, refer to “In-Place Upgrade” on
page 266).
7. Copy the /opt/CPmds-R70/conf/mdsdb/cp-admins.C file to the same location
on the destination MDS.
8. Start the MDS.
Gradual Upgrade to Another Machine
a. Run the where used query from the Global SmartDashboard > Manage >
Network Objects > Actions to identify where the problematic gateway(s) are
used in the Global Policy. Review the result set, and edit or delete list items
as necessary. Make sure that no problematic gateways are in use.
b. The gateways must be disabled from global use:
i. From the MDG’s General View, right-click a gateway and select Disable
Global Use.
ii. If the globally used gateway refers to a gateway of a customer that was
not migrated, you can remove the gateway from the global database by
issuing a command line command. First, make sure that the Global
SmartDashboard is not running, and then execute the command:
mdsenv; remove_globally_used_gw <Global name of the gateway>
3. When you run migrate_global_policies and the existing Global Policy
contains Global Communities, the resulting Global Policy contains:
• the globally used gateways from the existing database
• the globally used gateways from the migrated database
As a result of the migration, the Global Communities are overridden by the
migrated database.
4. The gradual upgrade does not restore the Global Communities statuses,
therefore, if either the existing or the migrated Global Policy contains Global
Communities, reset the statuses from the command line (with MDS live):
mdsenv; fwm mds rebuild_global_communities_status all
Migrating from Security Management to a CMA
Note - If you want the option to later undo the separation process, back up the standalone
gateway before migrating.
Before migrating the management part of the standalone gateway to the target
CMA, some adjustments are required:
1. Make sure that:
• FTP access is allowed from the MDS machine (on which the target CMA is
located) and the standalone machine. (This is only necessary if you plan to
use migrate_assist.)
• The target CMA is able to communicate with and install policy on all
gateways.
2. Add an object representing the CMA (name and IP address) and define it as a
Secondary Security Management server.
3. Install policy on all managed gateways.
4. Delete all objects or access rules created in steps 1 and 2.
5. If the standalone gateway already has Check Point Security Gateway installed:
• Clear the Firewall option in the Check Point Products section of the gateway
object. You may have to first remove it from the Install On column of your
rulebase (and then add it again).
• If the standalone gateway participates in a VPN community, in the IPSec
VPN tab, remove it from the community and erase its certificate. Note these
changes in order to undo them after the migration.
6. Save and close SmartDashboard. Do not install policy.
7. To migrate the management part to the CMA, run:
migrate_assist <Standalone_GW_NAME> <Standalone_GW_FWDIR> <username> <password> <target_dir> <Standalone_GW_CPDIR>
8. Create a new CMA on the MDS, but do not start it.
9. Migrate the exported database into the CMA. Use cma_migrate or the import
operation from the MDG, specifying as an argument the database location you
used as <target_dir> in the migrate_assist command.
10. To configure the CMA after migration, start the CMA and launch
SmartDashboard.
11. In SmartDashboard, under Network Objects, locate:
• An object with the Name and IP address of the CMA primary management
object (migrated). Previous references to the standalone management object
now refer to this object.
• An object for each gateway managed previously by Security Management.
12. Edit the Primary Management Object and remove all interfaces (Network Object
> Topology > Remove).
13. Create an object representing the gateway on the standalone machine (From
New > Check Point > Gateway), and:
Upgrading in a Multi-MDS Environment
Note - MLMs in a multi-MDS system need to be upgraded to the same version as the
Manager and Container MDSs.
Upgrading a Multi-MDS System
Note - When synchronizing, make sure to have only one active MDS and one active CMA for
each customer. Modify the active MDS/CMA and synchronize to Standby.
Note - Before migrating, all the objects representing the secondary management should be
deleted from the primary Security Management server.
Restarting CMAs
After completing the upgrade process, CMAs should be started sequentially using
the command mdsstart -s.
Renaming Customers
Resolving Non-Compliance
During the upgrade procedure, after selecting Option 2 - Upgrade to R70 on the
mds_setup menu, the resolution of compliant names is performed. The translation
prompt is only displayed if a non-compliant name is detected.
Note - Nothing is changed in the existing installation when translating customer names.
Any changes are applied only to the upgraded installation.
Translation prompt - Enter a name to replace the non-compliant name, or enter the
'-' sign to get a menu of additional options. The new name is checked for naming
restrictions compliance and is not accepted until you enter a compliant name.
Additional Options Menu
Edit another name - The customer names are presented in alphabetical order.
Choose this option to edit a customer name that was already translated, or any
other customer name.
Skip this name - Choose this option if you are not sure what to do with this name
and want to come back to it later. The upgrade cannot take place until all
non-compliant customer names are translated.
Quit session and save recent translations - Choose this option if you want to save
all the work that was done in this session and resume later.
Quit session and throw away recent translations - Choose this option if you want to
abort the session and undo all the translations that you entered during this session.
Return to translation prompt - Choose this option if you want to return to the
customer name you were prompted with when you entered '-'.
Note - The pre-upgrade tool allows only non-compliant customer names to be translated.
If the session is exited before all the translations are done, the mds_setup utility
exits with an error message stating that the MDS verification failed. To return to the
tool, simply run mds_setup again and choose Option 2 - Upgrade to R70.
High Availability
After completing the translations on the first MDS, copy the following files to the
other MDSes. If the MDSes are properly synchronized, no additional work is
required.
Files to be copied:
/var/opt/CPcustomers_translated.txt
/var/opt/CPcustomers_translated.md5
When running the tool a second time, the customer names that have already been
translated are shown before the first non-compliant name is displayed. This is also
the case when running on an additional MDS.
Advanced Usage
An advanced user may choose to directly edit the translation file,
/var/opt/CPcustomers_translated.txt. In this case, all the translations are
verified when mds_setup is run again.
Translations file format - The file is line-oriented: each line's meaning is
indicated by its first character. An empty line is ignored. Any line that does not
follow the syntax causes the file to be rejected with an appropriate message.
The '-' and '+' lines must form pairs. Otherwise, the file is rejected.
If the translations file is manually modified, the mds_setup detects it and displays
the following menu:
1. Use the translations file anyway - Choose this option only if an authorized
person modified it. This option reads the file, verifies its content and uses the
translations therein.
2. Ignore the translations file and generate a new one - Choose this option to
overwrite the contents of the file.
3. Quit and leave the translations file as it is - Choose this option to exit
mds_setup and leave the translations file as is for now. Run mds_setup again
when you are sure that option 1 or option 2 is suitable.
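An added example, not part of mds_setup: a validator for a hand-edited /var/opt/CPcustomers_translated.txt that enforces the pairing rule above. It assumes that a '-' line carries the non-compliant name and the following '+' line its replacement, rejects any other first character, additionally rejects an empty or duplicate replacement name, and assumes the companion .md5 file holds the md5 of the .txt; all of these are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of mds_setup): check a manually edited
# /var/opt/CPcustomers_translated.txt before running mds_setup again.
# Assumptions of this example: a line starting with '-' holds a non-compliant
# customer name and the next non-empty line, starting with '+', holds its
# replacement; empty lines are ignored; any other first character is rejected;
# a replacement name may be used only once.
# Usage: validate_translations <file>   (exit 0 = accepted, 1 = rejected)
validate_translations() {
    awk '
        /^$/ { next }                                  # empty lines are ignored
        substr($0, 1, 1) == "-" {
            if (pending_line) {
                printf "line %d: \"-\" line not followed by a \"+\" line\n", pending_line
                bad = 1
            }
            pending_line = NR
            next
        }
        substr($0, 1, 1) == "+" {
            name = substr($0, 2)
            if (!pending_line) {
                printf "line %d: \"+\" line without a preceding \"-\" line\n", NR
                bad = 1
                next
            }
            if (name == "") {
                printf "line %d: empty replacement name\n", NR
                bad = 1
            } else if (name in seen) {
                printf "line %d: replacement \"%s\" already used on line %d\n", NR, name, seen[name]
                bad = 1
            }
            seen[name] = NR
            pairs++
            pending_line = 0
            next
        }
        { printf "line %d: unknown line type \"%s\"\n", NR, substr($0, 1, 1); bad = 1 }
        END {
            if (pending_line) {
                printf "line %d: \"-\" line not followed by a \"+\" line\n", pending_line
                bad = 1
            }
            if (bad) { print "translations file rejected"; exit 1 }
            printf "%d translation pair(s) accepted\n", pairs + 0
        }
    ' "$1"
}

# Assumption of this example: the companion .md5 file stores the md5 of the
# .txt, so comparing the two shows whether the file was edited by hand.
# Returns 0 if the checksum matches, 1 if not, 2 if it cannot be checked.
translations_checksum_ok() {
    file="$1"
    sum_file="${2:-${file%.txt}.md5}"
    command -v md5sum >/dev/null 2>&1 || return 2
    [ -r "$sum_file" ] || return 2
    [ "$(cut -d' ' -f1 "$sum_file")" = "$(md5sum "$file" | cut -d' ' -f1)" ]
}

# Demonstration on a constructed file (sample customer names, not real data)
sample=$(mktemp)
cat > "$sample" <<'EOF'
-Acme Corp!
+Acme_Corp

-Customer #2
+Customer_2
EOF
validate_translations "$sample"
rm -f "$sample"
```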
Changing the MDS IP Address and External Interface
IP Address Change
If your target machine and the source machine have different IP addresses, follow
the steps listed below to adjust the restored MDS to the new IP address.
To change the IP address:
1. The MDS must be stopped. Stop the MDS by running mdsstop.
2. Change the IP address in $MDSDIR/conf/LeadingIP file to the new IP address.
3. Edit the $MDSDIR/conf/mdsdb/mdss.C file. Find the MDS object that has the
source MDS IP address and change its IP address to the new IP address. Do
not change the name of the MDS.
4. Install a new license on the target MDS with the new MDS IP address.
5. For multiple MDS/MLM environments, repeat steps 1 to 4 on each MDS/MLM
for the MDS/MLM whose IP address you changed.
Interface Change
If your target machine and the source machine have different interface names (e.g.,
hme0 and hme1), follow the steps listed below to adjust the restored MDS to the new
interface name.
To change the interface:
1. Change the interface name in file $MDSDIR/conf/external.if to the new
interface name.
2. For each CMA, replace the interface name in $FWDIR/conf/vip_index.conf.
IPS in Provider-1
• When upgrading to R70, the previous IPS configuration of the Customer is
overridden on the first Global Policy Assign.
It is recommended to save each Customer’s Security Policy so that the settings
can be restored after upgrade. To do so, from the MDG, go to Customer
Configuration window > Assign Global Policy tab, and enable Create database
version.
• Customers who are upgrading to Provider-1 R70 should note that the IPS
subscription has changed.
• All customers subscribed to IPS are automatically assigned to an
“Exclusive” subscription
• “Override” and “Merge” subscriptions are no longer supported.
See the Global Policy Chapter of the Provider-1 R70 Administration Guide for
detailed information.
Chapter 15
Upgrading SmartLSM ROBO Gateways
Planning the ROBO Gateway Upgrade
ROBO Gateway Upgrade Package to SmartUpdate Repository
ROBO Gateway Upgrade Package to SmartUpdate Repository
The added assigned licenses are shown grayed-out because they are not yet
attached.
4. Click OK to attach the Assigned Licenses to this ROBO.
The ROBO gateway now has both NG and NGX licenses. The Licenses window
shows that the NGX license is Attached, and the NG license is Obsolete,
meaning that it is no longer needed. The NG license is still useful: if you
need to downgrade the gateway version, the gateway keeps working.
5. Repeat from step 2 for each ROBO gateway.
Upgrading a ROBO Gateway Using SmartProvisioning
Full Upgrade
This method automatically performs all the required checks and actions for you.
When it successfully completes, the upgraded ROBO Gateway is ready for use. This
is the recommended method to upgrade VPN-1 Power/UTM ROBO Gateways.
To perform a full upgrade:
1. From SmartProvisioning, select the line representing the VPN-1 Power/UTM
ROBO Gateway to be upgraded.
2. Select Actions > Packages > Upgrade All Packages. This selection can also be
done through the right-click menu, or the Upgrade All Packages icon in the
toolbar.
The upgrade process begins with a verification stage, checking which version is
currently installed on the gateway and whether the required packages exist in
your Package Repository. When it completes, a Verification Details window
opens, showing you the verification results.
3. Select Change to a new Profile after upgrade, and select the appropriate new
SmartLSM Profile from the list.
4. Select Allow reboot if required.
5. Click the Continue button.
The Upgrade process begins. Its stages and completion status can be seen in
the Action Status pane, at the bottom of SmartLSM. The entire progress report
can be seen at any time by viewing the Action History (right-click on the
respective line in the Action Status pane, and select Action History).
Specific Installation
This method can be used to install a specific product on a ROBO Gateway.
To perform a specific installation:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO
gateway you want to upgrade.
2. Select Actions > Packages > Get Gateway Data to fetch information about
Packages currently installed on the VPN-1 Power/UTM ROBO gateway.
3. Select Actions > Packages > Distribute Package…, or select Distribute
Package… from the right-click menu, or click the icon in the toolbar.
The Distribute Package window opens. This window displays the relevant
packages from the Package Repository that can be installed on your VPN-1
Power/UTM ROBO gateway.
4. In the Distribute Package window, select the package you want to install.
You can then select one of the following actions:
• Distribute and install packages
• Only distribute packages (install later)
• Install previously distributed packages
5. The Allow Reboot if required option should be selected only when upgrading
VPN-1. If you do not select this option, manually reboot the gateway from its
console. The gateway is rebooted after the package installation is completed.
Note - If you are doing a step-by-step upgrade, do not select Allow Reboot if required.
6. If the operating system is SecurePlatform, you can select Backup image for
automatic revert, in case the installation does not succeed.
7. The option Change to a new profile after install lets you select the SmartLSM
Profile that will be assigned to the package upon installation. When upgrading
the VPN-1 Power/UTM ROBO gateway, you must provide a suitable SmartLSM
Profile from the target version. If you are installing a package that does not
require changing the SmartLSM Profile of the VPN-1 Power/UTM ROBO
gateway, this field remains disabled.
8. Click the Start button.
9. The Install process begins. Its stages and completion status can be seen in the
Action Status pane, at the bottom of SmartLSM. The whole progress report can
be seen at any time by viewing the Action History (right-click on the respective
line in the Action Status pane, and select Action History).
Note - You can verify if the installation will succeed before actually upgrading the ROBO
Gateway by choosing Actions > Packages > Verify Installation.
Using the Command Line Interface
The LSMcli command line arguments are fully described in the Command Line
Reference chapter of the R70 SmartProvisioning Administration Guide. A partial list
of arguments is shown in Table 15-1, which lists only the arguments that are
important for performing upgrades.
Export
The export tool is located in your SmartLSM application, under File > Export to File.
Use this tool to export a ROBO Gateway’s properties into a text file that you can
turn into a script in order to perform batch upgrades.
Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli
To see which product packages are available in your package repository, execute:
LSMcli [-d] <Server> <User> <Password> ShowRepository
Note - It is recommended to use the Full Upgrade method to upgrade VPN-1 Power/UTM
ROBO Gateways.
Where:
MyServer = the name of my Security Management server.
John = the administrator’s name.
mypassword = the administrator’s password.
VerifyUpgrade = the Full Upgrade verification command.
Upgrade = the Full Upgrade command.
ROBO17 = the VPN-1 Power/UTM ROBO Gateway to be upgraded.
MyNewProfile = the new SmartLSM Profile that ROBO17 will be mapped to after
the upgrade.
Using the LSMcli in Scripts
Where:
MyServer = the name of my Security Management server.
John = the administrator's name.
mypassword = the administrator's password.
ModifyROBO VPN1Edge = the command to modify a property on a UTM-1 Edge
ROBO gateway.
ROBO101 = the Edge ROBO Gateway to be upgraded.
EdgeNewProfile = the new SmartLSM Profile that ROBO101 will be mapped to
after the upgrade (optional).
4.0.23 = the name of the new Firmware package.
Restart = the command to restart the gateway.
Chapter 16
Upgrading Eventia
Overview
When upgrading products of the Eventia suite, note that:
• Eventia Reporter of version R56 and higher can be upgraded to R70.
• Eventia Analyzer of version 1.0 and higher can be upgraded to R70.
Windows Platform
1. To begin the installation, log in as an administrator and launch the
wrapper by double-clicking the setup executable.
2. Agree to the License Agreement and click Forward.
3. Select Upgrade and click Forward.
4. Continue following the instructions.
The instructions that appear will differ according to your deployment.
For Distributed Deployments
5. Indicate whether to add new products by selecting the Add new products option
and click Forward.
A list of the products that will be upgraded appears. Click Forward.
Depending on the components that you have chosen to install, you may need to
take additional steps (such as installing other components and/or license
management).
6. Verify the default directory, or browse to a new location in which Eventia
Reporter will be installed.
7. Verify the default directory, or browse to a new location in which the output
files created by Eventia Reporter will be generated.
Click Next and reboot the machine in order to complete the installation of the
Eventia Reporter and to continue with the next phase of the installation.
8. Launch SmartDashboard.
9. Install the Security Policy (Policy > Install) or install the database (Policy >
Install Database) to make Eventia Reporter fully functional.
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter
product from cpconfig or from the SecurePlatform Web GUI.
2. Continue from step 3 on page 300 in order to complete the process.
Note - After upgrading Eventia Reporter, the GUI client must be defined on the Eventia
Reporter Server. To do this run cpconfig and select GUI Clients.
Advanced Eventia Reporter Upgrade
Note - After upgrading Eventia Reporter in a Provider-1 environment, select one or more
customers; this initiates a synchronization with the CMA of each selected customer. To
do this, select Tools > Customer Activation in the Eventia Reporter client, select the relevant
customers and click OK.
10. Copy the compressed database files <xxxx.tgz> to the target machine.
11. Enter the installation directory on the target machine:
• For Windows: C:\Program Files\CheckPoint\EventiaSuite\R70\bin
• Other platforms: /opt/CPrt-R70/bin
12. Run: EVR_DB_Upgrade -mysql "<path of <xxxx.tgz> file/<xxxx.tgz>>"
For example, if you chose to place R60_Backup.tgz in $RTDIR/tmp, run:
EVR_DB_Upgrade -mysql "$RTDIR/tmp/R60_Backup.tgz"
13. If necessary, modify the following fields in the mysql configuration file to match
the locations of the database data files:
• datadir=
• innodb_log_group_home_dir=
• innodb_data_file_path=
The locations were copied in step 2 on page 303.
14. Run cpstart.
Upgrading Eventia Analyzer to R70
Prerequisites
Before upgrading to Analyzer R70, note the path to the current database file:
$RTDIR/events_db/events.sql, where $RTDIR is a variable that contains the path
of the previous Eventia Analyzer installation.
In R63, the default path:
• For Windows is C:\Program Files\CheckPoint\EventiaSuite\R63
• For Unix platforms is /opt/CPrt-R63
This path is changed during the upgrade process.
Chapter 17
Upgrading IPS-1
IPS-1 Upgrade Paths
Upgrading IPS-1 Sensors
For a Full Upgrade, follow the reinstallation instructions in “Reinstalling an
IPS-1 Power Sensor” on page 312, using a newer version of the installation source.
The upgrade_sensor script will verify that the given IPS-1 Sensor is upgradeable,
transfer the necessary files from the IPS-1 Sensor CD to the Sensor and tell it to
complete the upgrade. If the upgrade_sensor script finishes without any errors, the
IPS-1 Sensor will reboot itself. When it comes back up, it will be running a new
version of the IPS-1 Sensor software.
If, for some reason, the upgrade fails, you may need to do a full re-installation of
the IPS-1 Sensor.
Reinstalling an IPS-1 Power Sensor
7. Set the various date and time values, as prompted. Then confirm the date and
time.
8. Available LDP images are listed, with their software version and build numbers.
Select an LDP image number, or n to install from a network source.
9. In a network installation, you will be prompted for network information to
enable the installation, as follows:
a. Set IP information for the Power Sensor’s management interface.
b. Optionally, set a host and domain name. For example:
mysensor.example.com
c. Type the default gateway address.
d. Type the IP address of the installation source.
e. Type the path on the installation source computer to the directory
containing NR-INSTALL-DIRECTORY, for example:
/root/Power-Sensor.5.0.7/Install
f. Type the protocol to be used - ftp, nfs, or http. Depending on the selected
protocol, you may be prompted for additional information.
10. Select the installation type. There should be only one choice (1).
11. In most cases, select to install to the Multiple Disk Array.
12. Select to install to the root partition. Wait for the system to complete formatting
the partition.
In most cases, do not create a local installation image. Select n.
The system installs the packages and reboots twice. When finished, the system is
at the same state as when shipped. Continue setting up the Sensor by following the
instructions in Initial Configuration of IPS-1 Power Sensor.
Upgrading Legacy Sensor Appliances
Appliance models (table fragment; the rest of the table is not on this page): 200F, 310C, 320C, 320F, 500C (post-Jan 2006)