TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks. For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.
Contents

Installation Section

Chapter 1 Introduction
- Welcome (page 15)
- Who Should Use This Guide (page 16)
- R70 Documentation (page 16)
- New Terms (page 17)
- Related Documentation (page 18)
- For New Check Point Customers (page 19)
- Endpoint Security Integration (page 20)
- More Information (page 20)
- Feedback (page 20)

Chapter 2 Getting Started
- Terminology (page 22)
- Provider-1/SiteManager-1 Terminology (page 23)
- Hardware and Software Requirements (page 24)
- Compatibility Tables (page 25)
  - Product Notes (page 25)
  - Platform Notes (page 26)
- Supported Upgrade Paths and Interoperability (page 27)
  - Upgrade Paths and Interoperability (page 27)
  - Upgrading Security Management Servers (page 27)
  - Backward Compatibility For Gateways (page 28)
  - IPS-1 Upgrade Paths and Interoperability (page 28)
- Licensing R70 (page 29)
  - Licensing R70 (page 29)
  - Licensing Provider-1/SiteManager-1 (page 30)
  - Licensing IPS-1 (page 31)
  - Licensing Eventia Suite (page 31)

Chapter 3
- Configuring SecurePlatform Using WebUI (page 43)
- Installing on Windows (page 44)
- Installing on Solaris or Linux (page 46)
- Installing on Nokia (page 48)
  - Before Installing (page 48)
  - Upgrading IPSO 4.x to IPSO 6.0.7 (page 48)
  - Configuring R70 (page 50)
- Initially Configuring Products (page 51)
  - Configuration Tool Overview (page 51)
  - Using the Configuration Tool on Windows Systems (page 52)
  - Using the Configuration Tool on Unix Systems (page 54)
  - Logging In for the First Time (page 55)
- Where To From Here? (page 58)

Chapter 4 Installing Provider-1
- Overview (page 60)
- Creating the Provider-1 Environment (page 61)
  - Setting Up Provider-1 Networking (page 61)
  - Install the Gateways (page 62)
  - Installing and Configuring the Primary MDS (page 62)
  - Installing SmartConsole and MDG Clients (page 70)
- Using the MDG for the First Time (page 71)
  - Launching the MDG (page 71)
  - Adding Licenses using the MDG (page 71)
- Where To From Here? (page 73)

Chapter 5

Chapter 6
- IPS-1 System Architecture (page 90)
  - Platforms (page 91)
- IPS-1 Deployment (page 92)
  - IPS-1 Sensor Deployment (page 92)
  - IPS-1 Management Deployment (page 93)
- IPS-1 Management Installation and Setup (page 96)
  - Installation of IPS-1 Management Servers (page 96)
- IPS-1 Sensor Appliances (page 101)
  - Introduction (page 101)
  - IPS-1 Sensor Appliance Models (page 101)
- IPS-1 Sensor Installation (page 106)
  - Connecting to IPS-1 Sensors (page 106)
  - Installing SecurePlatform and IPS-1 Sensors (page 106)
  - Initial Configuration of IPS-1 Sensors (page 107)
  - Initial Configuration of IPS-1 Power Sensor (page 109)
  - IPS-1 Management Dashboard Installation (page 111)
- Post-Installation Steps (page 112)
  - Configuring NTP on SecurePlatform (page 112)
  - Completing IPS-1 Management Setup (page 113)
  - Completing IPS-1 Sensor Setup (page 117)
- Where To From Here? (page 120)

Upgrade Section

Chapter 7 Introduction to the Upgrade Process
- Documentation (page 124)
- Contract Verification (page 124)
- Supported Upgrade Paths and Interoperability (page 125)
  - Upgrading Management Servers (page 125)
  - Backward Compatibility For Gateways (page 126)
- Obtaining Software Installation Packages (page 126)
- Terminology (page 127)
- Upgrade Tools (page 129)
- Upgrading Successfully (page 129)

Chapter 8
- On SecurePlatform, and Linux (page 148)
- On IPSO (page 152)
- Managing Contracts with SmartUpdate (page 153)
  - Managing Contracts (page 153)
  - Updating Contracts (page 156)

Chapter 9

Chapter 10

Chapter 11
- Standalone Security Gateway Upgrade on SecurePlatform (page 202)
  - Uninstalling Packages (page 203)
- Standalone Upgrade on a UTM-1/Power-1 Appliance (page 204)
  - Uninstalling Packages (page 204)
- Standalone Gateway Upgrade on an IPSO Platform (page 205)
  - Before Installing (page 205)
  - Upgrading Through Voyager (page 205)
  - Upgrading Through the CLI (page 207)
  - Uninstalling Previous Software Packages (page 208)

Chapter 12

Chapter 13

Chapter 14 Upgrading Provider-1
- Introduction (page 250)
  - Supported Versions and Platforms (page 250)
  - Before You Begin (page 250)
- Provider-1 Upgrade Tools (page 251)
  - Pre-Upgrade Verifiers and Fixing Utilities (page 251)
  - Installation Script (page 252)
  - export_database (page 253)
  - merge_plugin_tables (page 255)
  - migrate_assist (page 256)
  - cma_migrate (page 257)
  - migrate_global_policies (page 262)
  - Backup and Restore (page 262)
- Provider-1 Upgrade Practices (page 264)
  - In-Place Upgrade (page 264)
  - Replicate and Upgrade (page 265)
  - Gradual Upgrade to Another Machine (page 266)
  - Migrating from Security Management to a CMA (page 268)
- Upgrading in a Multi-MDS Environment (page 271)
  - Pre-Upgrade Verification and Tools (page 271)
  - Upgrading a Multi-MDS System (page 272)
- Restarting CMAs (page 275)
- Reverting to the Previous Version (page 276)
  - Before the Upgrade (page 276)
  - Restoring the Previous Version (page 276)
- Renaming Customers (page 277)
  - Identifying Non-Compliant Customer Names (page 277)
  - High Availability Environment (page 277)
  - Automatic Division of Non-Compliant Names (page 277)
  - Resolving Non-Compliance (page 278)
  - Advanced Usage (page 279)
- Changing the MDS IP Address and External Interface (page 281)
  - IP Address Change (page 281)
  - Interface Change (page 281)
- IPS in Provider-1 (page 282)

Chapter 15

Chapter 16 Upgrading Eventia
- Overview (page 298)
- Upgrading Eventia Reporter (page 298)
  - For Standalone Deployments (page 298)
  - For Distributed Deployments (page 299)
  - Advanced Eventia Reporter Upgrade (page 301)
  - Enabling Eventia Analyzer after Upgrading Reporter (page 303)
- Upgrading Eventia Analyzer (page 304)
  - Upgrading Eventia Analyzer to R70 (page 304)
  - Verifying the Events Database Has Been Moved (page 306)
  - Enabling Eventia Reporter (page 306)

Chapter 17 Upgrading IPS-1
- IPS-1 Upgrade Paths (page 308)
  - Upgrading from R65.1 to R65.2 (page 308)
  - Upgrading IPS-1 Management Servers (page 308)
- Upgrading IPS-1 Sensors (page 309)
- Upgrading IPS-1 Power Sensors (page 309)
  - Remotely Upgrading an IPS-1 Power Sensor (page 309)
  - Reinstalling an IPS-1 Power Sensor (page 310)
- Upgrading Legacy Sensor Appliances (page 311)
  - 100C and 200C (page 312)
  - 200F (page 312)
  - 310C (page 312)
  - 320C (page 312)
  - 320F (page 312)
  - 500C (pre-Jan 2006) (page 312)
  - 500C (post-Jan 2006) (page 313)
  - 500F (pre-Jan 2006) (page 313)
  - 500F (post-Jan 2006) (page 313)
Installation Section
This section covers installing the current version.
Chapter 1 Introduction

In This Chapter
- Welcome (page 15)
- Who Should Use This Guide (page 16)
- R70 Documentation (page 16)
- Related Documentation (page 18)
- For New Check Point Customers (page 19)
- Endpoint Security Integration (page 20)
- More Information (page 20)
- Feedback (page 20)
Welcome
Thank you for choosing Check Point's Internet Security Product Suite. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up to date and secure solutions available today. Check Point also delivers worldwide technical services including educational, professional, and support services through a network of Authorized Training Centers, Certified Support Partners, and Check Point technical support personnel to ensure that you get the most out of your security investment.

To extend your organization's growing security infrastructure and requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.

For additional information on the Internet Security Product Suite and other security solutions, go to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, go to: http://support.checkpoint.com. For more information about the current release, see the latest version of the Release Notes at: http://support.checkpoint.com

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.
R70 Documentation
Technical documentation is available on your CD-ROM at: CD3\Docs\CheckPoint_Suite. These documents can also be found at: http://support.checkpoint.com

To find out about what's new in R70, read the R70 Getting Started Guide. For upgrading Endpoint Security, refer to the Endpoint Security Installation Guide.
New Terms
The following product and technology names have been changed for this version.

Table 1: Product and Technology Names

Versions NG and NGX Products and Technologies | Version R70 Products and Technologies
Firewall-1 | Firewall
Integrity | Endpoint Security
Integrity Clientless Security | Endpoint Security On Demand
ROBO Gateway | Check Point SmartLSM Security Gateway
SmartCenter server | Security Management server
SmartDefense | IPS
SmartDirectory (LDAP) | User Directory
SmartLSM management | SmartProvisioning
SmartPortal | Management Portal
VPN-1 (Power/UTM) Gateway | Check Point Security Gateway
VPN-1 UTM Edge | UTM-1 Edge
Web Filtering | URL Filtering

Table 2: SmartDashboard Tab Titles

Versions NG and NGX SmartDashboard Tabs | Version R70 SmartDashboard Tabs
Address Translation | NAT
Connectra | SSL VPN
Content Inspection | Anti-Virus and URL Filtering
Messaging Security | Anti-Spam and Mail
Security | Firewall
SmartDefense | IPS
VPN | IPSec VPN
Related Documentation
The current release includes the following documentation.

TABLE P-1 Check Point Documentation

Internet Security Installation and Upgrade Guide: Contains detailed installation instructions for Check Point network security products. Explains the available upgrade paths from versions R60-65 to the current version.

High-End Installation and Upgrade Guide: Contains detailed installation instructions for the Provider-1 and VSX products, including hardware and software requirements and licensing requirements. Explains all upgrade paths for Check Point products specifically geared towards upgrading to the current version.

Other guides in the release:
- Explains Security Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments.
- Describes how to control and secure network access and VoIP traffic; how to use integrated web security capabilities; and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol (CVP) applications and URL Filtering (UFP) applications.
- Describes how to use IPS to protect against attacks.
- Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
- Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point Security Gateways, SecureClient and IPS.
- Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
- Explains the Provider-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
More Information
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com. To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Chapter 2 Getting Started

In This Chapter
- Terminology (page 22)
- Provider-1/SiteManager-1 Terminology (page 23)
- Hardware and Software Requirements (page 24)
- Compatibility Tables (page 25)
- Supported Upgrade Paths and Interoperability (page 27)
- Licensing R70 (page 29)
Terminology
The following terms are used throughout this chapter:

Distributed Deployment: When the gateway and the Security Management server are installed on separate machines.

Gateway: The software component that enforces the organization's security policy and acts as a security enforcement point.

Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.

Security Management server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the Security Management server and downloaded to the gateway.

SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.

SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.

Standalone Deployment: When the Check Point components responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.
Provider-1/SiteManager-1 Terminology
The following Provider-1/SiteManager-1 terms are used throughout this chapter.

Customer: A business entity or subdivision of a business entity whose networks are protected by security gateways, UTM-1 Edge appliances or other Check Point compatible firewalls. The Customer's security policies and network access are managed using Provider-1/SiteManager-1.

Customer Log Module (CLM): A log server for a single Customer.

Customer Management Add-on (CMA): The Provider-1 equivalent of the Security Management server for a single Customer. Using the CMA, an administrator creates security policies and manages customer gateways.

GUI Client: A computer running Check Point GUI interfaces, such as the Provider-1 MDG, and other SmartConsole applications.

Internal Certificate Authority (ICA): In addition to authenticating administrators and users, the ICA creates and manages X.509 compliant certificates for Secure Internal Communication (SIC) between security gateways. The MDS has an ICA that secures the Provider-1 management domain. Each CMA has its own ICA to secure its customer's management domain.

Multi-Domain Log Module (MLM): An MDS Container dedicated to collecting and storing logs. An MLM is a Container of Customer Log Modules (CLMs).

Multi-Domain Server (MDS): A server that houses Provider-1 system information. The MDS contains information on Provider-1 deployment, administrators, and customer management. The MDS has two modes:
- Manager: Runs the Provider-1 deployment and is the administrator's entry point into the Provider-1 environment.
- Container: Holds the Customer Management Add-ons (CMAs).

Provider-1 Administrator: A security administrator, assigned granular permissions, who manages specific parts of the Provider-1 system. Administrators can be assigned one of the following permission levels:
- Provider-1 Superuser: Manages the entire Provider-1 system, which includes all MDS servers, administrators (with all permission levels), Customers and customer networks.
- Customer Superuser: Manages all administrators (with lower permission levels), Customers and customer networks.
- Global Manager: A new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.
- Customer Manager: Manages customer networks for specific Customers. Administrators with this permission level can use the MDG application, but they can only view and manage their assigned customers.
- None: Manages customer networks for specific Customers, but cannot access the MDG application.
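The ICA entry above states that the MDS and every CMA each run their own certificate authority, so a certificate issued in one customer's management domain is meaningless in another. The following is an added example, not Check Point code and not the real SIC protocol or ICA implementation: it models that separation with Go's standard crypto/x509 library. Two independently rooted CAs stand in for two CMA ICAs, one issues a gateway certificate, and the certificate is verified against each domain's trust anchor. The names used (CMA-CustomerA, CMA-CustomerB, gw-customer-a-1) are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// domainCA models one Internal Certificate Authority (ICA): a self-signed root
// that issues certificates only for components of a single management domain.
type domainCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newDomainCA(name string) (*domainCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " ICA"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &domainCA{key: key, cert: cert}, nil
}

// issue signs a leaf certificate for one component (e.g. a gateway) in this domain.
func (ca *domainCA) issue(component string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: component},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether peer chains to ca: a component accepts only peers certified by its own domain's ICA.
func trustedBy(ca *domainCA, peer *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// crossDomainCheck builds two independent ICAs (hypothetical Customers A and B)
// and reports whether a gateway certificate from A is accepted by A and by B.
func crossDomainCheck() (ownDomain, otherDomain bool, err error) {
	cmaA, err := newDomainCA("CMA-CustomerA")
	if err != nil {
		return false, false, err
	}
	cmaB, err := newDomainCA("CMA-CustomerB")
	if err != nil {
		return false, false, err
	}
	gwA, err := cmaA.issue("gw-customer-a-1", 1001)
	if err != nil {
		return false, false, err
	}
	return trustedBy(cmaA, gwA), trustedBy(cmaB, gwA), nil
}

func main() {
	fmt.Println(crossDomainCheck())
}
```

Running it prints `true false <nil>`: the gateway certificate verifies against its own CMA's root and fails with an unknown-authority error against the other CMA's root. That failure is the point of giving each CMA its own ICA: a compromised or misconfigured customer domain cannot mint certificates that another customer's gateways or management components will accept.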
Compatibility Tables
If the existing Check Point implementation contains products that are not supported by R70, the R70 installation process terminates. Table 2-1 and Table 2-2 list supported Check Point products and VPN clients by platform.

Table 2-1 Supported Products by Platform

Platforms and operating systems: RHEL 5.0 (kernel 2.6.18); Crossbeam X-Series; Solaris UltraSPARC 8, 9, 10.

Products: Security Gateway; Security Management; Provider-1/SiteManager-1 Server (MDS); Performance Pack; Advanced Routing; Management Portal; Reporting and Event Correlation; ClusterXL (including third party clustering); Provisioning Enabled SmartLSM Gateways; Provisioning Enabled Management; SSL Network Extender Server; Endpoint Security Server; VSX Security Gateway; OSE Supported Routers.
Product Notes

1. Anti-Virus and Web Filtering are included on SecurePlatform.
2. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and Eventia Analyzer Correlation Unit.
3. ClusterXL is supported only in third party mode with VRRP or IP Clustering. The maximum number of cluster members is eight.
4. Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5-2.0.

Platform Notes

1. UTM-1 Edge devices cannot be managed from a Security Management server running on a Nokia IPSO platform.
2. UserAuthority is not supported on Nokia flash-based platforms.
3. HA Legacy mode is not supported on Windows Server 2003.
4. Only UltraSPARC 64-bit is supported, and only for Security Management (not for gateways).

Table 2-2 Supported Clients by Platform

Platforms and operating systems: Mac OS 10.4; Mac OS 10.5; Linux; Windows 2000 Server / Advanced Server (SP1-4); Windows 2000 Pro (SP1-4); Windows XP Home & Pro (SP3); Windows Vista (SP1) 32 bit; Windows 7 Enterprise and Ultimate 32 bit; Windows 7 Enterprise and Ultimate 64 bit; Windows Server 2003 (SP1-2); Windows Server 2008 (32 bit); Windows Mobile 2003, 2003SE, 5.0, 6.0, 6.1.
Supported Upgrade Paths and Interoperability

Release NGX:
- R60, R60A, R61, R62, R65 (R65.4 not supported)
- R65 with HFA 30 with the Connectra NGX R66 Plug-in
- R65 with Messaging Security
- R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
- R65 with the SmartProvisioning Plug-in
- R65 UTM-1
- R65 Power-1

Versions:
- R60, R60A, R61, R62, R65
- NGX R60
- NGX R61, R62, R62CM, R66
- 7.5.x and above
Interoperability
Management components of the current release, such as IPS-1 Management Server, Alerts Concentrators and Management Dashboard, are compatible with Sensors of versions 4.1 onwards. The different management components (IPS-1 Management Server, Alerts Concentrators and Management Dashboard) must always be of the same version.
Licensing R70
Most of the software on this CD is automatically enabled for a 15-day evaluation period. To obtain a permanent license, or to extend the evaluation period, go to the Check Point User Center at:
https://usercenter.checkpoint.com
Customers new to the Check Point User Center should go to:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html For further licensing assistance, contact Account Services at: AccountServices@checkpoint.com, or US +1 972-444-6600, option 5.
Licensing R70
Licenses are required for the Security Management server and security gateways. No license is required for SmartConsole management clients. Check Point gateways enforce the license installed on the gateway by counting the number of users that have crossed the gateway. If the maximum number of users is reached, warning messages are sent to the console. The Check Point software is activated using a certificate key, which is located on the back of the software media pack. The certificate key is used to generate a license key for products that you want to evaluate or purchase. To purchase Check Point products, contact your reseller.
b. Import the product license key. Licenses are imported using the Check Point Configuration Tool or SmartUpdate. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses.

The certificate keys associate the product license with the Security Management server, which means that:
- The new license remains valid even if the IP address of the Check Point gateway changes.
- Only one IP address is needed for all licenses.
- A license can be detached from one Check Point gateway and assigned to another.
Upgrading Licenses
The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support). The license upgrade procedure runs the license_upgrade command, which makes it easy to automatically upgrade licenses.
Licensing Provider-1/SiteManager-1
Provider-1/SiteManager-1 licenses are associated with the IP address of the licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the server type: Manager, Container, Combined Manager and Container, or Multi-Domain Log Manager (MLM).

Manager: A license for the administrator's entry point into the Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the Global SmartDashboard tools can connect only to MDS servers with this license.

Container: A license that defines the maximum number of CMAs running on the MDS machine. With the exception of Provider-1 Enterprise Edition licenses, multiple container licenses can be added together on one container to enable the container to hold up to a maximum of 250 CMAs. In addition, each CMA requires its own CMA license. CMA Pro Add-on licenses, allowing additional management features at the CMA level, can be purchased in bulk. These purchase packages are called Pro Add-ons for MDS.

Combined Manager and Container: These licenses combine a Manager license with a Container license for a specific number of CMAs. In the case of SiteManager-1 licenses, there are no separate Manager and Container versions available, only the Combined Manager and Container license.

MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM. A CLM hosted on an MDS server requires its own CLM license.

Each gateway requires its own license. Licenses are determined according to the number of computing devices (nodes) protected by the gateway.

Provider-1 licenses can be imported using the Check Point command-line licensing tool or Provider-1's MDG. For additional information, refer to the Provider-1/SiteManager-1 Administration Guide.
Licensing IPS-1
The IPS-1 Management Server requires a license, defined with the ability to manage a fixed maximum number of Sensors. In a Combined installation, where the Alerts Concentrator is installed together with the IPS-1 Management Server, the Alerts Concentrator shares the IPS-1 Management Server's license. For any separate Alerts Concentrators and for all Sensors, obtain and add licenses. Licenses are added using the IPS-1 Management Dashboard. The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Dashboard will function only in Demo mode. All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server's IP address.
Overview
Check Point software is designed to work across multiple platforms and pre-configured appliances. Each installation differs depending on the product and the platform. For upgrading an existing installation, see the upgrade section. Check Point products can be installed in the following two types of deployments:
- Standalone Deployment: Check Point components that are responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.
- Distributed Deployment: The Security gateway and the Security Management server are installed on different machines.
In both deployments, SmartConsole can be installed on any machine by performing the following steps:
- Install the components that manage or enforce the security policy (for example, the Security Management server, the security gateway, and the log server).
- Install one or more SmartConsole clients to manage different aspects of the deployment. For example, SmartDashboard is used by the system administrator to manage and create the security policy. Any number of SmartConsole GUI applications can be installed on the same machine.
Note - The TCP/IP network protocol must be installed, properly configured, and operational before you begin the installation process.
Installing on SecurePlatform
In This Section:
Installing SecurePlatform Using the CD - page 35
Installing SecurePlatform from the Network - page 37
Initially Configuring SecurePlatform - page 41
Installing R70 Products on SecurePlatform - page 42
Configuring SecurePlatform Using WebUI - page 43
3. A list of software blades is displayed:
   - Security Gateway
   - Security Management server
   - Eventia Suite
   - Endpoint Security (CD2)
   - Performance Pack
   - Management Portal
4. Use the space bar to select the appropriate products and select OK.
5. Select the type of system to install:
   - SecurePlatform
   - SecurePlatform Pro (which includes the advanced dynamic routing suite)
6. The Keyboard Selection menu opens.
7. Select a keyboard type.
8. From the Network Interface Configuration menu, define the IP address of the management interface, the Netmask and the Default gateway for the first network interface (eth0 on most systems).
9. From the HTTPS Server Configuration menu, enable or disable web-based configuration using SecurePlatform's WebUI.
   Note - If you intend to deploy remote access or Endpoint Security software, select a port other than 443.
10. Select OK. A message confirms that you are about to format your hard drive.
   Warning - The formatting procedure erases all information located on your hard drive.
11. Select OK to:
   - Format your hard drive
   - Extract and copy files, and install SecurePlatform software blades
   - Perform post-install configuration
   - Install the boot loader
   The installation process can take several minutes to complete.
12. When the Installation Complete message appears, remove the installation CD from the drive, and select OK to reboot the system. Continue to Initially Configuring SecurePlatform on page 41.
General Workflow
The client's requirements are minimal. Only PXE is required. On the server, you must install:
- A DHCP daemon
- A TFTP daemon
- The PXE boot loader
- The kernel
- The ramdisk
Then:
1. The client boots from the network, using the PXE network loader.
2. The client sends a broadcast request, using the BOOTP protocol.
3. The server responds to the client, providing the client's assigned IP address and a filename (pxelinux.0 by default) from which to download the PXE boot loader.
4. The client downloads the PXE Boot Loader, using TFTP, and executes it.
5. The PXE boot loader downloads a PXE configuration file from the server, containing the names of the kernel and the ramdisk that the client requires.
6. The PXE boot loader downloads the kernel and the ramdisk.
7. The kernel is run, using the ramdisk as its environment.
8. The Installer is executed.
9. At this point the installation can be configured to load files from the FTP server.
Client Setup
On the client machine, enable the network boot, using PXE, from the BIOS setup. (It sometimes appears as DHCP.)
Server Setup
In This Section
Required Packages - page 38
DHCP Daemon Setup - page 39
TFTP and FTP Daemon Setup - page 40
Hosting Installation Files - page 41
Required Packages
The following packages are required for server setup:
- DHCP daemon (located on the Check Point CDROM and installed, by default, on SecurePlatform)
- Xinetd (/SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm on the Check Point CDROM)
- TFTP daemon (/SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm)
- FTP server (/SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm)
- TCP-Wrappers package (/SecurePlatform/RPMS/tcp_wrappers-7.6-34.4cp.i386.rpm)
- Kernel (can be found on the SecurePlatform CD at /SecurePlatform/kernel)
- Ramdisk (can be found on the SecurePlatform CD at /SecurePlatform/ramdisk-pxe)
Note - To access files on the Check Point CDROM, insert the CDROM into the CDROM drive and enter the command:
    # mount /mnt/cdrom
PXELINUX Configuration Files
/SecurePlatform/RPMS/tftp-server-0.32-4cp.i386.rpm includes a default configuration file (located under /tftpboot/pxelinux.cfg) that will serve the kernel and ramdisk to any host. Because more than one system may be booted from the same server, the configuration file name depends on the IP address of the booting machine.
PXELINUX will search for its config file on the boot server in the following way: 1. PXELINUX will search for its config file, using its own IP address, in upper case hexadecimal, e.g. 192.0.2.91 -> C000025B. 2. If that file is not found, PXELINUX will remove one hex digit and try again. Ultimately, PXELINUX will try looking for a file named default (in lower case). As an example, for 192.0.2.91, PXELINUX will try C000025B, C000025, C00002, C0000, C000, C00, C0, C, and default, in that order. Assuming the kernel and ramdisk files are named kernel and ramdisk, respectively, a default configuration file, which will serve these to all clients, will look like this:
    default bootnet
    label bootnet
        kernel kernel
        append initrd=ramdisk lang= devfs=nomount \
            ramdisk_size=80024 console=tty0
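The file name search described above, worked through as an added example (this is not code from the guide or from PXELINUX): it lists the names PXELINUX will try for a client address, then reports which file in a pxelinux.cfg directory a given host would actually receive, so you can confirm that a per-host file, and not the catch-all default, is what a host gets. Directory contents are passed in as a set so the check runs offline; the os.listdir wrapper and the constructed sample file names are assumptions of this example.

```python
import os
from typing import Iterable, List, Optional


def pxelinux_config_names(ip: str) -> List[str]:
    """Return the configuration file names PXELINUX tries for a client IP,
    in order: the address as eight upper-case hex digits, then one hex digit
    shorter each time, and finally 'default'."""
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    hex_ip = "%02X%02X%02X%02X" % tuple(octets)
    names = [hex_ip[:length] for length in range(len(hex_ip), 0, -1)]
    names.append("default")
    return names


def resolve_pxelinux_config(existing: Iterable[str], ip: str) -> Optional[str]:
    """Return the first name from pxelinux_config_names(ip) that is present in
    `existing` (the file names found in pxelinux.cfg), or None if nothing
    matches. The first match is the file PXELINUX loads."""
    available = set(existing)
    for name in pxelinux_config_names(ip):
        if name in available:
            return name
    return None


def resolve_from_directory(cfg_dir: str, ip: str) -> Optional[str]:
    """The same check against a real directory, for example the
    /tftpboot/pxelinux.cfg location the guide names (assumed layout)."""
    return resolve_pxelinux_config(os.listdir(cfg_dir), ip)


if __name__ == "__main__":
    # Constructed sample directory listing: one per-subnet file plus default.
    files = {"C00002", "default"}
    print(pxelinux_config_names("192.0.2.91"))
    print(resolve_pxelinux_config(files, "192.0.2.91"))  # C00002
    print(resolve_pxelinux_config(files, "10.0.0.1"))    # default
```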
2. Edit the daemon's configuration file, found at /etc/dhcpd.conf. The configuration file should include a subnet declaration for each subnet the DHCP server is connected to. In addition, the configuration should include a host declaration for each host that will use this server for remote installation. A sample configuration file follows:
    subnet 192.92.93.0 netmask 255.255.255.0 {
    }
    host foo {
        # The client's MAC address
        hardware ethernet xx:xx:xx:xx:xx:xx;
        # The IP address that will be assigned to the
        # client by this server
        fixed-address 192.92.93.32;
        # The file to upload
        filename "/pxelinux.0";
    }
    # rpm -i /SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm
4. Install the FTP Daemon RPM:
    # rpm -i /SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm
5. Force xinetd to reread its configuration:
7. Use the menu options to configure:
   - The host name
   - The domain name and at least one DNS server
8. Once Network Configuration is complete, select the Time and Date Configuration menu option and configure the following:
   - Time zone
   - Date
   - Local time
   - Show date and time settings
9. Press n. The Import Check Point Products Configuration window opens and displays the Fetch Import file from TFTP Server option. If you exported the configuration of another SecurePlatform installation, you can now import that configuration. For additional information, see: Advanced Upgrade on SecurePlatform on page 231.
10. Press n to continue to product installation.
4. A product list is displayed:
   - Security Gateway
   - User Authority
   - Security Management
   - Eventia Suite
5. Select the appropriate products and press n.
6. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a Log server should also be installed.
7. If you selected Eventia Suite, select which Eventia product should be installed: Reporter, Correlation Unit, or Analyzer.
8. A message validates your choice of products. Press n. The required installation files are extracted and the products are installed. If you chose to install Security Management server, the Check Point Configuration program opens and guides you through the configuration of:
   a. Licenses
   b. Administrators (name and password)
   c. GUI clients
   d. A random pool of data for cryptographic operations
   e. A Certificate Authority, and saving the fingerprint
   See: Using the Configuration Tool on Unix Systems on page 54.
9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.
Installing on Windows
The installation on a Windows platform is GUI based. The windows displayed during installation differ depending on the installed Check Point components. To perform a new installation on a Windows platform:
1. Log on as Administrator and insert the CD. The installation wizard automatically starts and a Congratulations message displays.
2. Review the Evaluation Options, then click Forward.
3. Accept the terms of the End User License Agreement.
4. Select one of the following installation options:
   - Demo installation (SmartConsole only)
   - New installation
   - Installation using an imported configuration (for additional information, see: Advanced Upgrade on a Windows Platform on page 240).
5. Click Forward. If you selected Installation Using Imported Configuration, you are prompted to provide the location of the imported configuration file. A list of products is displayed:
6. Select the products you wish to install and click Forward. 7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a Log server should also be installed. 8. Confirm installation of selected products. Click Forward. The selected products are installed. For first time installations, the Check Point Configuration Tool runs automatically and prompts you to (for Security Management server):
   a. Add licenses
   b. Add administrators
   c. Specify remote clients from which an administrator can log into Security Management server
   d. Initialize the Internal Certificate Authority
   e. Export the Security Management server fingerprint to a text file
   For additional information, refer to the Configuration Tool Overview on page 51.
9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.
6. Select the products you wish to install and press n. 7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server, and whether a Log server should also be installed. 8. Confirm the selected products by pressing n. 9. Once product installation is complete, the Check Point Configuration tool will prompt for various configuration options. For a Security Management server, the stages are:
   a. Add licenses. The Check Point Configuration program only manages local licenses on this machine. The recommended way to manage licenses is using SmartUpdate.
   b. Configure GUI clients (a list of hosts that are able to connect to the Security Management server using SmartConsole).
   c. Configure group permissions by specifying a group name.
   d. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
10. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections such as install policy operations. This policy remains in place until you have installed the first security policy.
Installing on Nokia
Installation on Nokia platforms is performed from a console or Nokia Network Voyager (a secure web-based network element management application). Use a console to perform the initial configuration. You can also use Nokia Horizon Manager to install and configure Check Point components on multiple Nokia appliances simultaneously. For additional information, refer to Nokia Horizon Manager documentation on the Nokia Support website: http://support.nokia.com
Before Installing
From the Check Point website, http://www.checkpoint.com/techsupport/downloads.jsp, download: IPSO_Wrapper_R70.tgz. From Nokia, download: IPSO 6.0.7.
Note - R70 is not supported on IPSO 4.x images. If you are using IPSO 4.x, first upgrade to IPSO 6.0.7. If IPSO 6.0.7 is already installed, skip to step 19 on page 49.
5. Click Apply. A message is displayed indicating that the new image installation process has started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images. The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.1 or 4.2.
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images. You should be able to see that the relevant IPSO (4.1 or 4.2) image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console, and log in.
14. Type newpkg, and press Enter.
15. Use the FTP menu option to transfer the 6.0.7 package.
16. Install the 6.0.7 package. Wait until a message informs you that the process is complete.
17. Activate the 6.0.7 package.
18. In Voyager, verify that the 6.0.7 package is turned ON.
19. On the CLI, type newpkg, and press Enter.
20. Use the FTP menu option to transfer the IPSO_Wrapper_R70.tgz package.
21. Install the IPSO_Wrapper_R70 package. Wait until a message informs you that the process is complete.
22. Type Reboot and press Enter.
To upgrade IPSO images and Check Point releases using the command line interface only, see: Upgrading Through the CLI on page 207.
Configuring R70
If you upgraded from IPSO 4.x to 6.0.7, there is no need to configure R70. If you performed a fresh installation of IPSO 6.0.7:
1. From a console connection, run cpconfig.
2. Select an installation type, Stand Alone or Distributed.
3. Select Security Management server from the selection list.
4. Specify the Security Management server type as Primary or Secondary Management.
   Note - Only relevant for a distributed deployment.
5. Add Licenses.
6. Configure an administrator name and password.
7. Configure the GUI clients and hosts which can access the Security Management server using SmartConsole.
8. Configure Group Permissions.
9. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
10. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
11. Start the installed products. If you opt not to start the installed products at this time, they can be started later by running cpstart.
12. Reboot.
Configuration Tool window in order for authentication to succeed. You may want to export this Fingerprint for verification purposes when you log in to SmartConsole for the first time.
      ii. Browse to the license file, select it and click Open. The license(s) that belong to this host are added.
   b. Add a license manually.
      i. Click Add. The Add License window opens.
      ii. Configure the appropriate options in the Add License window.
      iii. Click OK to add the newly configured license.
3. Click Next.
4. In the Administrators tab, click Add. Add an administrator that uses SmartConsole to connect to the Security Management server. From NGX version R60, only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
5. From the Add Administrator window, configure the required parameters and click OK.
6. Click Next.
7. On the GUI Clients tab, add a GUI client.
   Note - If you do not define at least one GUI client, you can only manage the Security Management server from a GUI client that runs on the same machine as the Security Management server.
8. Type the GUI client's name in the Remote hostname field.
9. Click Add. You can add a GUI client using any of the following formats:
   - IP address: For example, 1.2.3.4.
   - Machine name: For example, Alice, or Alice.checkpoint.com.
   - Any: Any IP address.
   - IP1-IP2: A range of IP addresses, for example, 192.168.10.8-192.168.10.16.
   - Wild cards: For example, 192.168.10.*.
10. Click Next.
11. In the Certificate Authority tab, add a name using the <hostname>.<domain name> format, for example, <hostname>.checkpoint.com. This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
   Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
12. Click Next. The Fingerprint window opens and displays the Fingerprint of the Security Management server. The Fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole.
13. From the Fingerprint window, click Export to file and save the file. The Fingerprint is exported to a text file that can be accessed from the SmartConsole client machine(s) and used to confirm the Fingerprint of the Security Management server.
14. Once configuration using the Configuration Tool is complete, do the following:
   a. From SmartConsole, perform a first time connection to the Security Management server. The Fingerprint of the Security Management server displays.
   b. Ensure that the Security Management server Fingerprint matches the Fingerprint displayed in SmartConsole.
   Note - Do not perform a first time connection to the Security Management server from SmartConsole unless the Security Management server Fingerprint is accessible and you can confirm that it matches the Fingerprint displayed in SmartConsole.
1. Add licenses. A license can be added manually or fetched from a file.
2. Add administrators. Add an administrator that uses SmartConsole to connect to the Security Management server. Only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
3. Define GUI clients. You can add GUI clients using any of the following formats:
   - IP address: For example, 1.2.3.4.
   - IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.
   - Machine name: For example, Alice, or Alice.checkpoint.com.
   - Any: Any IP address.
   - IP1-IP2: A range of IP addresses, for example, 192.168.10.8-192.168.10.16.
   - Wild cards: For example, 192.168.10.*.
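An added example for the GUI client formats listed here and in the Windows Configuration Tool steps above (not code from the guide or from Check Point): it decides which configured GUI client entries would admit a given address, and flags the entries that admit far more than one host. Machine names are resolved through a caller-supplied map rather than DNS, and a wild card is taken to stand for one whole octet; both are assumptions of this example, as are the constructed sample entries.

```python
import ipaddress
from typing import Dict, List, Optional


def _wildcard_matches(pattern: str, client_ip: str) -> bool:
    # Assumed semantics: '*' stands for a whole octet, so 192.168.10.* covers
    # 192.168.10.0 through 192.168.10.255.
    parts, octets = pattern.split("."), client_ip.split(".")
    return len(parts) == 4 and len(octets) == 4 and all(
        p == "*" or p == o for p, o in zip(parts, octets))


def gui_client_entry_admits(entry: str, client_ip: str,
                            hostnames: Optional[Dict[str, str]] = None) -> bool:
    """Return True if one GUI client entry, in any of the formats the guide
    lists (IP, IP/netmask, machine name, Any, IP1-IP2, wild card), admits
    client_ip. Machine names are looked up in `hostnames` instead of DNS so
    the check runs offline (an assumption of this example)."""
    addr = ipaddress.ip_address(client_ip)
    entry = entry.strip()
    if entry.lower() == "any":                        # Any: every address
        return True
    if "/" in entry:                                  # IP/netmask
        return addr in ipaddress.ip_network(entry, strict=False)
    if "*" in entry:                                  # wild card
        return _wildcard_matches(entry, client_ip)
    if "-" in entry and entry.replace("-", "").replace(".", "").isdigit():
        low, high = (ipaddress.ip_address(p.strip())  # IP1-IP2, inclusive
                     for p in entry.split("-", 1))
        return low <= addr <= high
    try:
        return addr == ipaddress.ip_address(entry)    # single IP address
    except ValueError:
        pass
    resolved = (hostnames or {}).get(entry.lower())   # machine name
    return resolved is not None and addr == ipaddress.ip_address(resolved)


def admitting_entries(entries: List[str], client_ip: str,
                      hostnames: Optional[Dict[str, str]] = None) -> List[str]:
    """All entries that would let client_ip open a SmartConsole session."""
    return [e for e in entries if gui_client_entry_admits(e, client_ip, hostnames)]


def broad_entries(entries: List[str]) -> List[str]:
    """Entries that admit every address (Any) or a whole octet range (wild
    cards). Review these: they widen who may manage the server."""
    return [e for e in entries if e.strip().lower() == "any" or "*" in e]


if __name__ == "__main__":
    # Constructed sample GUI client list and name map.
    entries = ["10.1.1.5", "Alice.checkpoint.com", "192.168.10.*", "Any"]
    names = {"alice.checkpoint.com": "10.1.1.5"}
    print(admitting_entries(entries, "10.1.1.5", names))
    print(broad_entries(entries))
```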
This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
   Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
5. Export the Security Management server's fingerprint to a text file. The fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole. The first time SmartConsole connects to the Security Management server, compare this string to the string displayed in SmartDashboard.
6. Start the installed products.
1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole > SmartDashboard.
2. Log in using the User Name and Password defined in the Configuration Tool's Administrators page during the Security Management server installation. If you are using a locally stored certificate to authenticate your connection, browse to its location and enter the certificate's password. The certificate's password can be changed by expanding the More Options link and clicking Change Password.
3. Specify the name or IP address of the target Security Management server and click OK.
4. Decide whether to connect in Read Only mode. This mode enables you to view the current configuration without accidentally changing it. It also gives access to the Security Management server when another designated administrator is already connected.
5. More Options. Clicking the More Options link enables you to fine tune how SmartDashboard connects to the Security Management server. The Change Password button in the Certificate Management area of the dialog enables you to change the password that protects the certificate.
   - Session Description. Descriptive information entered here populates the Session ID field available in SmartView Tracker's Audit Mode. The field can be used to explain why a particular administrator is connecting to the Security Management server.
   - Use compressed connection. This option optimizes the connection to the Security Management server. By default, the connection to the Security Management server is compressed. For a very large configuration database, disabling the compression may help reduce load on the Security Management server.
   - Do not save recent connections information. By default, SmartDashboard remembers the last user ID and Security Management server to which a connection was made. Select this option to prevent SmartDashboard from displaying the last administrator and Security Management server to which the administrator successfully connected.
   - Plug-in Demo Mode. This option enables SmartDashboard demo mode to display windows and options specific to a particular Plug-in. Select the Plug-in from the Versions drop-down box.
6. Manually authenticate the Security Management server using the Fingerprint provided during the configuration process.
   Note - This step is only necessary the first time you log in from a given client computer, since once the Security Management server is authenticated, the Fingerprint is saved in the SmartConsole computer's registry.
Overview
A typical Management Service Provider (MSP) manages and protects many customer networks. Provider-1 ensures compatibility with a wide range of security schemes and product deployments.
Figure 4-1 Sample Provider-1 Deployment
The components of a basic Provider-1 deployment are:
- MDS: Each Provider-1 network must have at least one Manager and one Container. They can be installed on the same server or separately.
- MDG and SmartConsole Applications: Installed on a GUI client (a computer running Check Point GUI) and support centralized system management.
- CMAs: Installed on a Container MDS. Each CMA manages the network of a single customer domain.
- Customer Gateways: Protect the customers' networks.
- NOC Gateways: Protect the MSP headquarters and network/security operations centers.
Note - Depending on your system specifications, you must decide whether to manage NOC gateways with a standalone Security Management server or with a Provider-1 system. For Provider-1 systems, a Provider-1 customer is typically dedicated to serve as the NOC customer.
This section describes the process for provisioning a Provider-1 environment. The following is a typical workflow:
Figure 4-2 Workflow
Note - If you define the primary MDS as a Manager only, you will need to install and configure one or more container MDSs on separate platforms.
If your hardware is found not to be suitable, the reason for this is displayed as part of the Welcome message, for example:
If a hardware device on the target machine is unsuitable, select Device List, which displays a complete list of devices discovered by the hardware scan. Compare this list with the Hardware Compatibility list at: http://www.checkpoint.com/products/supported_platforms/recommended/ngx/index.html and adjust your hardware accordingly.
3. Select OK to proceed with the installation. The Keyboard Selection window opens.
4. Select a keyboard type from the list, then select OK. The Networking Device window opens.
5. Select the interface to be used by the MDS for accessing the management server and then OK. The Network Interface Configuration window opens.
6. Type the appropriate information in the IP address, net mask, and optionally, the default gateway fields and select OK. The Host Name Configuration window opens.
7. Enter a host name that is different from the default host name (cpmodule) and select OK. The Confirmation window opens.
8. Select OK to proceed or Cancel to abort the installation process. The following installation operations are performed:
   - Hard drive formatting
   - Package installation
   - Post installation procedures
This procedure may take 10-12 minutes, after which the Installation Complete window opens.
9. Select OK to complete SecurePlatform installation. The system reboots automatically. Ensure that you remove the CD-ROM that you used during the installation process. 10. When the Provider-1 Welcome screen appears, enter n to continue. 11. On the Network Configuration screen, select 1 - Host Name.
13. On the Choose network connections screen, configure your interfaces and network connections as required. Follow the instructions on the screen. When finished, enter e and then n to proceed to the next screen.
14. On the time and date screen, set the time zone, date and time as required.
15. Continue with Installing the MDG on page 70.
2. In the following screen, select the MDS type as either (1) MDS Manager or (3) MDS Manager and Container station. The first primary MDS must be one of these two types.
3. Enter Y in response to Are you installing the Primary MDS Manager?.
   Note - Any information that you enter after this stage can be modified later using the mdsconfig utility.
4. Specify whether the MDS should start automatically with each reboot (recommended). If you choose to restart automatically, select a default base directory when prompted.
5. Enter the name of the primary interface, the interface through which the MDS will communicate with other MDSs in the Provider-1 network.
6. After the installation routine finishes installing packages, read and accept the license agreement as directed.
7. Optionally add a Check Point license. You can always add licenses later using the MDG.
8. Optionally, select an operating system user group that is allowed to access the MDS files. If you do not select a user group, the root user's group is given permissions to the files.
9. Press Enter to initialize the Certificate Authority.
10. Configure at least one Provider administrator and assign superuser privileges as directed. Optionally add this administrator to a group.
11. When the installation utility finishes, set the source path by running (according to your shell):
    For csh:  source /opt/CPshared/5.0/tmp/.CPprofile.csh
    For sh:   . /opt/CPshared/5.0/tmp/.CPprofile.sh
    To avoid running the source path command each time you start the MDS, it is recommended to add these lines to your .cshrc or .profile files, respectively.
12. Reboot the computer.
13. Start the MDS by executing the mdsstart command.
Installing SmartConsole
To install the SmartConsole on Windows platforms:
1. Access the windows/SmartConsole directory on the Provider-1 product CD.
2. Copy the SmartConsole executable to a temporary directory.
3. Start the installation by double-clicking the SmartConsole executable.
4. When the installation has completed, run SmartConsole applications from the Windows Start > Programs > Check Point SmartConsole R70 > SmartDashboard menu option.
To uninstall the MDG and SmartConsole applications: From the Windows Start menu, select Settings > Control Panel > Add/Remove Programs.
Demo Mode
When starting the MDG, you can elect to open it in Demo mode. This mode does not require authentication or a connection to the MDS. Demo mode is used when you want to experiment with different objects and features before you create a real system. It demonstrates several pre-configured sample customers, CMAs, gateways and policies. It is recommended that you use the Demo mode to familiarize yourself with the MDG's various views and modes. Operations performed while in Demo mode are stored in a local database, which allows you to continue a Demo session from the point at which you left off in a previous session.
4. Install licenses using one of the following methods:
   Fetch License File
   a. Click Fetch From File.
   b. In the Open window, browse to and double-click the desired license file.
   Add License Information Manually
   a. Click Add.
   b. In the email message that you received from Check Point, select the entire license string (starting with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
   c. In the Add License window, click Paste License to paste the license details you have saved on the clipboard into the Add License window.
   d. Click Calculate to display your Validation Code. Compare this value with the validation code that you received in your email. If validation fails, contact the Check Point licensing center, providing them with both the validation code contained in the email and the one displayed in this window.
For Hardware Requirements and Supported Platforms, please refer to the Release Notes document. This installation process consists of three phases:
1. Install Eventia Suite.
2. Prepare Eventia Suite in Security Management server (refer to Preparing Eventia Suite in Security Management server on page 83).
3. Configure Eventia Suite (refer to the Eventia Analyzer and Eventia Reporter User Guides respectively).
A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended for better performance.
Note - For Eventia Suite to read logs from a distributed log server, the database must be installed on the log server after the Eventia Suite installation is complete.
Standalone Installation
In This Section:
Windows Platform (page 78)
Solaris & Linux Platforms (page 79)
SecurePlatform (page 79)
Windows Platform
1. To install, log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Click Next, and accept the terms of the license agreement.
3. Select either:
   Check Point Power
   Check Point UTM
   Click Next.
4. Select New Installation.
5. From the Products list, select Eventia Suite. Security Management server is automatically installed along with Eventia Reporter. Security Management server is needed because of its log server component.
6. Specify the type of Security Management server to install:
   Primary Security Management server
   Secondary Security Management server
   Log Server
   If you want a distributed deployment, select Log Server. If you want a standalone deployment, select Primary Security Management server.
7. From the list of Eventia Suite components, select Eventia Reporter.
8. Click Next, and a list of products to install is displayed.
9. Verify the default install directory, or browse to a new location.
10. The Check Point Configuration program, CPConfig, opens.
11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.
12. The Administrators window appears. Select Add and enter the administrator name and password. Select OK. Then set permissions for the administrator. Add more administrators if you like, and then select Next.
13. The GUI Clients window appears. Type the IP address of a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add more GUI Clients if you like, and then select Next. This list controls which hosts may connect to the server as GUI clients; restrict it to specific administrator workstations.
14. To ensure secure communication between the Eventia Analyzer and Security Management servers, an identical Activation Key must be set on both. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the Security Management server. Select Finish. Return to the wrapper.
15. To complete the installation of Eventia Reporter and to continue with the next phase of the installation, click Next and reboot the machine.
16. Launch SmartDashboard.
17. Install the Security Policy (Policy > Install) or install the database (Policy > Install Database).
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.
2. Select whether you would like to perform an upgrade or create a new installation.
3. Continue from step 5 on page 78 in order to complete the installation.
Distributed Installation
In This Section:
Windows Platform (page 80)
Solaris and Linux and SecurePlatform (page 81)
In a distributed installation, Eventia Suite and Security Management server are installed on separate machines.
Windows Platform
On the machine that will hold the Eventia Suite:
1. Log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Click Next, and accept the terms of the license agreement.
3. Select either:
   Check Point Power
   Check Point UTM
   Click Next.
4. Select New Installation.
5. From the Products list, select Eventia Suite.
6. Specify Log Server as the type of Security Management server to install. Security Management server is needed because of its log server component.
7. From the list of Eventia Suite components, select the components that you want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log Consolidator).
8. Click Next, and a list of products to install is displayed.
9. Verify the default install directory, or browse to a new location.
10. The Check Point Configuration program, CPConfig, opens.
11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.
12. The Administrators window appears. Select Add and enter the administrator name and password. Select OK. Then set permissions for the administrator. Add more administrators if you like, and then select Next.
13. The GUI Clients window appears. Type the IP address of a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add more GUI Clients if you like, and then select Next. This list controls which hosts may connect to the server as GUI clients; restrict it to specific administrator workstations.
14. To ensure secure communication between the Eventia Analyzer and Security Management servers, an identical Activation Key must be set on both. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the Security Management server. Select Finish.
15. Return to the wrapper.
16. To complete the installation of Eventia Suite and continue with the next phase of the installation, click Next and reboot the machine.
If either of these conditions is true, modify the Rule Base to enable connectivity between components as follows:

Table 5-1 Additions to the Rule Base to Enable Connectivity

Source                                          Destination                                     Service
Eventia Analyzer Client                         Eventia Analyzer Server                         CPMI
Eventia Reporter Client                         Eventia Reporter Server                         CPMI
Management Server                               Eventia Analyzer and Reporter Server            CPMI, FW1_ica_push
Eventia Analyzer Server                         Management Server                               FW1_sam
Eventia Analyzer Server                         Correlation Unit                                CPD, CPD_amon
Correlation Unit                                Eventia Analyzer Server                         CPD_seam (TCP/18266)
Third-party devices that issue syslog messages  Log Server enabled to receive syslog messages   UDP syslog

For an R65 level Security Management server (or above) the following rule needs to be added to the Rule Base if a firewall exists between any Eventia Analyzer components and the Management Server:

Source            Destination   Service
Correlation Unit  Log Server    LEA
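As an added worked example (not part of this guide and not Check Point code), the following Python script encodes the flows from Table 5-1 and the R65+ LEA rule as required flows and checks a candidate rule base for any it does not accept, using first-match semantics. The port numbers for the named services are the standard Check Point assignments and are assumptions here (the table itself only gives TCP/18266 for CPD_seam); the hosts and rules are constructed sample data, with one deliberately wrong drop rule beside its corrected form.

```python
"""Check a candidate rule base against the Eventia connectivity flows of Table 5-1.

Added example, not Check Point code. Port numbers are the standard Check Point
service assignments and are assumptions; the table only states TCP/18266 (CPD_seam).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service name -> (protocol, port). Assumed standard assignments.
SERVICES = {
    "CPMI": ("tcp", 18190),
    "FW1_ica_push": ("tcp", 18211),
    "FW1_sam": ("tcp", 18183),
    "CPD": ("tcp", 18191),
    "CPD_amon": ("tcp", 18192),
    "CPD_seam": ("tcp", 18266),
    "LEA": ("tcp", 18184),
    "syslog": ("udp", 514),
}

# (source role, destination role, service) from Table 5-1 plus the R65+ LEA rule.
REQUIRED_FLOWS = [
    ("analyzer_client", "analyzer_server", "CPMI"),
    ("reporter_client", "reporter_server", "CPMI"),
    ("management", "analyzer_server", "CPMI"),
    ("management", "analyzer_server", "FW1_ica_push"),
    ("management", "reporter_server", "CPMI"),
    ("management", "reporter_server", "FW1_ica_push"),
    ("analyzer_server", "management", "FW1_sam"),
    ("analyzer_server", "correlation_unit", "CPD"),
    ("analyzer_server", "correlation_unit", "CPD_amon"),
    ("correlation_unit", "analyzer_server", "CPD_seam"),
    ("syslog_device", "log_server", "syslog"),
    ("correlation_unit", "log_server", "LEA"),
]


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp" / "udp"
    port: int     # 0 = any port
    action: str   # "accept" / "drop"


def first_match(rules, src_ip, dst_ip, proto, port):
    """Return the first rule matching the 5-tuple, or None (implicit drop)."""
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and r.proto == proto and r.port in (0, port)):
            return r
    return None


def missing_flows(rules, hosts):
    """Return required flows (between deployed components) that the rule base does not accept."""
    missing = []
    for src_role, dst_role, svc in REQUIRED_FLOWS:
        if src_role not in hosts or dst_role not in hosts:
            continue  # component not deployed, nothing to allow
        proto, port = SERVICES[svc]
        for s in hosts[src_role]:
            for d in hosts[dst_role]:
                r = first_match(rules, s, d, proto, port)
                if r is None or r.action != "accept":
                    missing.append((src_role, s, dst_role, d, svc))
    return missing


# Constructed deployment (sample data, not a real system).
HOSTS = {
    "management": ["10.1.0.10"],
    "log_server": ["10.1.0.11"],
    "analyzer_server": ["10.2.0.20"],
    "correlation_unit": ["10.2.0.21"],
    "analyzer_client": ["10.3.0.5"],
}

# Constructed rule base: the last rule blocks LEA from the Correlation Unit by mistake.
RULES = [
    Rule("10.3.0.0/24", "10.2.0.20/32", "tcp", 18190, "accept"),   # client -> analyzer, CPMI
    Rule("10.1.0.10/32", "10.2.0.20/32", "tcp", 18190, "accept"),  # mgmt -> analyzer, CPMI
    Rule("10.1.0.10/32", "10.2.0.20/32", "tcp", 18211, "accept"),  # mgmt -> analyzer, FW1_ica_push
    Rule("10.2.0.20/32", "10.1.0.10/32", "tcp", 18183, "accept"),  # analyzer -> mgmt, FW1_sam
    Rule("10.2.0.0/24", "10.2.0.0/24", "tcp", 0, "accept"),        # analyzer <-> CU, any TCP
    Rule("10.2.0.21/32", "10.1.0.11/32", "tcp", 18184, "drop"),    # CU -> log server, LEA (wrong)
]

# Corrected rule base: the R65+ LEA rule is accepted.
FIXED_RULES = RULES[:-1] + [Rule("10.2.0.21/32", "10.1.0.11/32", "tcp", 18184, "accept")]

if __name__ == "__main__":
    for flow in missing_flows(RULES, HOSTS):
        print("missing:", flow)
    print("after fix:", missing_flows(FIXED_RULES, HOSTS))
```

Roles that are not present in the host map are skipped, so a standalone deployment without a separate Correlation Unit is not reported as missing its CPD_seam flow.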
In This Section:
For Provider-1/SiteManager-1 Version R55 (page 84)
For Provider-1/SiteManager-1 Version R60 (page 86)
For Provider-1/SiteManager-1 Version R61 and Up (page 87)
3. Select Close and OK.
4. From the File menu, select Save.
5. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
6. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want the Eventia Suite to read logs.
7. To enable the syslog server, run the following commands from the command line of the Eventia machine:
   a. syslog -r
   b. cpstop
   c. cpstart
   Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Analyzer.
8. On the Eventia Suite machine and/or the Correlation Unit machine that will read logs from a CMA, run the command cpstop.
9. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. Search for the section [Outbound rules], and change the following lines from:
   # for log_export tool and Abacus analyzer
   ANY ;ANY ;ANY; lea ; sslca
   to:
   # for log_export tool, Eventia Analyzer Provider-1
   ANY ;ANY ;ANY; lea ; ssl , sslca
10. On the Eventia Suite machine, run the command cpstart.
11. On the Provider-1/SiteManager-1 MDS, run the command mdsstop.
12. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. In the section [Inbound rules], locate the following two lines:
   # log export to DB utility (lea client from any SVN host)
   ANY ; CP_PRODUCT; ANY; lea ; sslca
   Add the following rule after these lines:
   ANY ;ANY ;ANY; lea ; ssl
13. Run the command mdsstart.
14. Execute the putkey operation in the following manner:
   a. On the Eventia Suite machine, run cpstop and fw putkey -p [shared_password] [CMA_IP].
   b. On the MDS, while in the CMA environment, run mdsstop_customer [CMA_IP] and fw putkey -p [shared_password] [Eventia_Suite_Server_IP].
   Note - Enter the command mdsenv <customer_name> to switch to the appropriate CMA environment. To return to the MDS environment, enter the command mdsenv.
   c. Run mdsstart_customer [CMA_IP] on the CMA.
   d. Run cpstart on the Eventia Suite machine.
   Treat [shared_password] as a credential: it authenticates the LEA connection opened under the ssl method added above, so choose a long, random value and do not reuse it across CMAs.
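The two sic_policy.conf edits in steps 9 and 12 are easy to get wrong by hand (editing the wrong section, or applying the change twice on a re-run). As an added example, not Check Point code and not part of this guide, the following Python applies each edit idempotently. It assumes only what the quoted lines show: INI-style [section] headers and rules made of ';'-separated fields; any other content of a real file is passed through unchanged. The sample file contents are constructed.

```python
"""Idempotent sic_policy.conf edits for the Provider-1/Eventia LEA procedure.

Added example, not Check Point code. Assumes [section] headers and
';'-separated rule fields, as in the lines quoted by the procedure.
"""


def _fields(line):
    """Split a rule line into stripped ';'-separated fields; [] for blank/comment lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return []
    return [f.strip() for f in s.split(";")]


def _in_section(lines, name):
    """Yield (index, line) for the lines inside the [name] section."""
    inside = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            inside = s[1:-1].strip().lower() == name.lower()
            continue
        if inside:
            yield i, line


def patch_eventia_outbound(text):
    """Step 9, on the Eventia host: 'lea ; sslca' in [Outbound rules] -> 'lea ; ssl , sslca'."""
    lines = text.splitlines()
    for i, line in _in_section(lines, "Outbound rules"):
        f = _fields(line)
        if f[:4] == ["ANY", "ANY", "ANY", "lea"] and f[4:] == ["sslca"]:
            lines[i] = "ANY ;ANY ;ANY; lea ; ssl , sslca"
    return "\n".join(lines) + "\n"


def patch_mds_inbound(text):
    """Step 12, on the MDS: add 'ANY ;ANY ;ANY; lea ; ssl' after the CP_PRODUCT lea rule."""
    lines = text.splitlines()
    new_rule = "ANY ;ANY ;ANY; lea ; ssl"
    for _, line in _in_section(lines, "Inbound rules"):
        if _fields(line) == ["ANY", "ANY", "ANY", "lea", "ssl"]:
            return "\n".join(lines) + "\n"  # already applied, leave the file alone
    for i, line in _in_section(lines, "Inbound rules"):
        if _fields(line) == ["ANY", "CP_PRODUCT", "ANY", "lea", "sslca"]:
            lines.insert(i + 1, new_rule)
            break
    return "\n".join(lines) + "\n"


# Constructed sample with only the lines the procedure mentions.
SAMPLE = """\
[Inbound rules]
# log export to DB utility (lea client from any SVN host)
ANY ; CP_PRODUCT; ANY; lea ; sslca
[Outbound rules]
# for log_export tool and Abacus analyzer
ANY ;ANY ;ANY; lea ; sslca
"""

if __name__ == "__main__":
    print(patch_eventia_outbound(SAMPLE))
    print(patch_mds_inbound(SAMPLE))
```

Run the first function on the Eventia/Correlation Unit host's copy of $CPDIR/conf/sic_policy.conf and the second on the MDS copy, with the respective services stopped as the procedure says. Both edits keep the existing sslca (certificate) entries; the added ssl entry is what lets the putkey shared password stand in for a certificate, so the strength of that password now matters.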
3. Select Close and OK.
4. Make sure that the Eventia Reporter product is enabled.
5. From the File menu, select Save.
6. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
7. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.
8. To enable the syslog server, run the following commands from the command line of the Eventia server:
   a. syslog -r
   b. cpstop
   c. cpstart
   Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Suite.
3. Select Close and OK.
4. Make sure that the appropriate products (Eventia Reporter, Eventia Analyzer Server, Eventia Correlation Unit and Log Server) are enabled.
5. In the properties of the new Host object, select Log and Masters > Additional Logging Configuration, and enable the property Accept Syslog messages.
6. From the File menu, select Save.
7. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
8. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.
Chapter 5
87
88
89
Overview
In This Section:
IPS-1 System Architecture (page 90)
Platforms (page 91)
An IPS-1 deployment includes the following components:
IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts to the Alerts Concentrator.
Alerts Concentrator: Manages and receives alerts from a group of Sensors, and stores the alerts in a MySQL database (included in the Alerts Concentrator installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout the network as needed.
IPS-1 Management Server: The central management server for the entire deployment. Receives and correlates relevant alert information from the Alerts Concentrator(s). Alert information is stored in a MySQL database, which is included in the IPS-1 Management Server installation.
IPS-1 Management Dashboard: Windows-based remote graphical user interface (GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for monitoring alerts. The IPS-1 Dashboard includes a number of independent interlinked windows, primarily:
   Policy Manager for configuring protections and managing the entire IPS-1 system.
   Alert Browser for viewing, tracking, and analyzing real-time alerts.
Combined Deployment - An Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer.
Distributed Deployment - The IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers.
The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:
Figure 6-1 The IPS-1 System
Platforms
The IPS-1 Server and Alerts Concentrator can be installed on Check Point's SecurePlatform or on other supported operating systems. SecurePlatform is provided with the IPS-1 installation media. The IPS-1 Server can be installed together with a Security Management server for managing security gateways and IPS-1 Sensors from the same platform. In this case, it is possible to log into the IPS-1 Server via the IPS-1 Management Dashboard with a Security Management server administrator username and password. For usernames common to both IPS-1 and the Security Management Server, the IPS-1 password and privileges override the Security Management Server settings. IPS-1 (non-Power) Sensors are supported only on Check Point's SecurePlatform.
IPS-1 Deployment
In This Section:
IPS-1 Sensor Deployment (page 92)
IPS-1 Management Deployment (page 93)
Sensor Placement
IPS-1 Sensors should be deployed at natural choke points according to network topology. Usually, Sensors should be just within the network firewall. Placing Sensors outside the firewall is not recommended, because the Sensor is not then protected by the firewall, and the unfiltered traffic places a heavier load on the Sensor. Ideally, network cores should also be protected with Sensors. In most cases, network core topology does not enable these Sensors to be placed inline, in which case the Sensors should be used for intrusion detection in passive mode.
Sensor Topology
In most cases, IPS-1 Sensors should be placed inline, enabling intrusion prevention. In some cases, such as in a complex switching environment in a network core, Sensors need to be used for intrusion detection in passive mode. Sensors' monitoring interfaces are layer-3 transparent and do not have IP addresses. Each Sensor has a management interface that requires an IP address, routable to and from the Alerts Concentrator. For enhanced security, it is recommended that management be on a separate, out-of-band network. For full information on Sensor modes, see the IPS-1 Administration Guide.
Inline Sensors behavior upon failure can be configured to either open, passing through all traffic; or closed, severing the traffic path. Inline Sensors can be set to Bridge (Monitor-Only) mode, to avoid the possibility of false-positive traffic dropping. In bridge mode, you can track what the Sensor would have done in prevention mode. You can fine-tune your prevention settings in bridge mode, and later change to prevention mode.
A network tap has advantages over a switch's SPAN port. For example, the switch could prevent (or be unable to send) some traffic out of the SPAN port. For information on configuring and connecting the switch or tap, see the switch's or tap's documentation.
The appropriate number of Alerts Concentrators varies according to the network and to administrative needs. The following rough guidelines should be considered:
Each Alerts Concentrator is usually capable of handling around ten Sensors.
It is not recommended for a single Alerts Concentrator's database to approach 40 GB; if it does, an additional Alerts Concentrator is recommended.
For a rough estimate of appropriate database size, multiply the volume of monitored traffic (in Gbps) by the number of months of alerts you plan to maintain. The database size (in GB) should approach half of that product. For example, if the Sensors that send alerts to a particular Alerts Concentrator collectively monitor 5 Gbps, and you want to maintain six months of back alerts, the database should be 12-15 GB. However, appropriate database size is also dependent on other factors, such as fine-tuning protections for your system to minimize false positives. Optionally, one Alerts Concentrator can be installed together with the IPS-1 Management Server in a Combined installation. This Alerts Concentrator will share a license and some processes with the IPS-1 Management Server, but alert information is stored in separate database tables.
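As an added example (not part of this guide and not Check Point code), the following Python applies the three guidelines above to a Sensor inventory: the half-of-(Gbps x months) size estimate, the roughly ten Sensors per Alerts Concentrator, and the 40 GB database ceiling. It groups Sensors greedily in the order given, starting a new Alerts Concentrator whenever either limit would be crossed. The Sensor inventory is constructed sample data, and the greedy grouping is this example's own choice, not a Check Point procedure.

```python
"""Alerts Concentrator capacity planning from the rough guidelines in the text.

Added example, not Check Point code. Guidelines applied: about ten Sensors per
Alerts Concentrator, a database that should not approach 40 GB, and an estimated
database size of roughly half of (monitored Gbps x months retained).
"""
SENSORS_PER_CONCENTRATOR = 10
DB_LIMIT_GB = 40


def estimate_db_gb(gbps, months):
    """Rough database size in GB: half of (Gbps x months). 5 Gbps x 6 months -> 15 GB."""
    return 0.5 * gbps * months


def plan_concentrators(sensors, months):
    """Greedily group (name, gbps) Sensors so each group stays within both guidelines.

    Returns a list of groups, each {'sensors': [...], 'gbps': float, 'db_gb': float}.
    A single Sensor whose own estimate exceeds DB_LIMIT_GB still gets a group of its own;
    it cannot be split, so it is reported rather than dropped.
    """
    groups = []
    current = {"sensors": [], "gbps": 0.0, "db_gb": 0.0}
    for name, gbps in sensors:
        new_gbps = current["gbps"] + gbps
        too_many = len(current["sensors"]) >= SENSORS_PER_CONCENTRATOR
        too_big = estimate_db_gb(new_gbps, months) >= DB_LIMIT_GB
        if current["sensors"] and (too_many or too_big):
            groups.append(current)
            current = {"sensors": [], "gbps": 0.0, "db_gb": 0.0}
            new_gbps = gbps
        current["sensors"].append(name)
        current["gbps"] = new_gbps
        current["db_gb"] = estimate_db_gb(new_gbps, months)
    if current["sensors"]:
        groups.append(current)
    return groups


def oversized(groups):
    """Names of groups whose estimate still reaches the ceiling (single Sensors too large)."""
    return [g["sensors"] for g in groups if g["db_gb"] >= DB_LIMIT_GB]


# Constructed inventory: twelve 1 Gbps edge Sensors and one 10 Gbps core Sensor, 6 months retained.
SAMPLE_SENSORS = [("edge%02d" % i, 1.0) for i in range(12)] + [("core", 10.0)]
SAMPLE_MONTHS = 6

if __name__ == "__main__":
    for n, g in enumerate(plan_concentrators(SAMPLE_SENSORS, SAMPLE_MONTHS), 1):
        print(f"concentrator {n}: {len(g['sensors'])} sensors, {g['gbps']} Gbps, ~{g['db_gb']} GB")
```

With the sample inventory the first ten edge Sensors fill one Alerts Concentrator by count (about 30 GB), and the remaining two plus the core Sensor share a second (about 36 GB), which is still under the ceiling but close enough to watch once protections are tuned.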
Make sure the firewalls in between each component are configured to allow this traffic.
In This Section:
Installation of SecurePlatform for IPS-1 Management (page 96)
Installation on Linux and SecurePlatform (page 99)
Initial Configuration of Management Servers (page 100)
After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds. The installation program is loaded. The following options are displayed:
   Device List: When selected, the Hardware Scan Details menu displays.
   Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version's driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.
2. Select OK to install. The IPS-1 Products window appears.
3. Select Management Server, and OK.
4. Depending on the license you purchased, select one of the following options:
   SecurePlatform
   SecurePlatform Pro (includes the Advanced Routing Suite and additional enhancements such as RADIUS authentication for administrators)
5. Select a keyboard type.
6. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.
7. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.
8. Press Enter to reboot.
9. When the computer is finished booting, log in with username: admin, and password: admin.
10. As prompted, change the password and username.
11. Run: sysconfig
    The first-time system configuration wizard begins.
12. Press n to proceed to the next menu.
The following Network Configuration menu options are displayed:

Option                Purpose
Host Name             Sets and displays the host name
Domain Name           Sets and displays the Domain name
Domain Name Servers   Adds, removes, displays Domain name servers
Network Connections   Adds, configures, removes, displays network connections
Routing               Sets and shows a default gateway
13. Use the menu options to configure:
   The hostname
   The domain name and at least one DNS server
   The computer's network interfaces
   The default gateway (if required)
   Note - Make sure the hostname and IP address are correctly defined at this stage. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will not be reflected in the application.
14. Once Network Configuration is complete, press n to continue to Time and Date Configuration. Configure the following:
   Time zone
   Date
   Local time
   Show date and time settings
15. Press n.
   Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see Configuring NTP on SecurePlatform on page 112.
   The absence of a server name in the /etc/hosts file will generate MySQL errors.
2. Before an upgrade:
   a. Stop the IPS-1 processes.
   b. As a precaution, back up database files by copying the contents of the sdb/data directory to another host.
3. Make sure the hostname and IP address are correctly defined in the operating system. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will not take effect.
4. Insert CD6 from the media pack, and mount it on the appropriate subdirectory.
5. From the CD's root directory, run: ./UnixInstallScript [-splat]
   On SecurePlatform, include the -splat flag. On Linux, omit the flag.
6. Continue to the following section for the configuration process.
Reinstalling IPS-1
To reinstall IPS-1:
1. Query the installed IPS-1 rpm for its version number (for example, with rpm -qa | grep CPips1).
2. Remove the package by running:
   rpm -e CPips1-Rxx-xx
   where xx-xx is the version number obtained from the output of the previous command.
3. Install a new IPS-1 by running ./UnixInstallScript on the CD.
Front Two 10/100Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as an IPS pair with bypass support, or in IDS (passive) mode as two monitoring interfaces Two 10/100/1000Mbps copper Ethernet front-panel interfaces, of which one is the management interface and the other can be used in IDS (passive) mode as an additional monitoring interface
Front Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
Back Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces
Chapter 6 IPS-1 Setup and Installation 101
Front Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces Four 1000Mbps Fiber front-panel interface with bypass support
Back Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces
Front Eight 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
Back Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces
Front Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces Four 1000Mbps Fiber front-panel interface with bypass support
Back Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces
Eight 10/100/1000 copper Ethernet back-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces Two 10/100/1000 built-in copper Ethernet back-panel interfaces, of which one is the management interface and the other should remain unused
Eight 10/100/1000 Mbps copper Ethernet interfaces (C model) or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs or in IDS (passive) as monitoring interfaces One front-panel 10/100Mbps copper Ethernet front-panel interface for management
Eight 10/100/1000 Mbps copper Ethernet interfaces (C model), or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs, or in IDS (passive) as monitoring interfaces One front-panel 10/100Mbps copper Ethernet front-panel interface for management
Model                             50C        200C/F     500C/F     Power Sensor (per chassis unit)
Chassis size
Amps AC                           6.0/3.0    8.2/4.1    6.7/3.4    4/2
Voltage Input Range               90-255 V
Operating Temperature             0°C to +55°C
Non-Operating Temperature         -10°C to +70°C
Non-Operating Relative Humidity   10-90%, noncondensing @35°C
Emissions
Mount each unit onto the equipment rack. Connect the power supply. For the Power Sensor, connect two power supplies to each of the two chassis units.
Connecting the Power Sensor Chassis Units
With the supplied expansion cable, connect the Primary chassis unit's Expansion slot A to the Expansion chassis unit's Expansion slot B:
For third-party hardware connection parameters, see the third-party documentation.
An SSH connection to the Sensor's management interface (if sshd is configured).
1. Insert CD6 from the media pack into the CD drive, and boot the computer from the CD. After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds. The installation program is loaded. The following options are displayed:
   Device List: When selected, the Hardware Scan Details menu displays.
   Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version's driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.
2. Select OK to install. The IPS-1 Products window appears.
3. Select Sensor, and OK.
4. Select the type of hardware you are using. If you are installing on hardware provided by Check Point (or old hardware provided by NFR), select Appliance. If you are installing on hardware supplied by another vendor, select Open Sensor. For Sensor 1000 models, you should select Open Sensor even though the hardware is supplied by Check Point.
5. Select a keyboard type. Select OK.
6. In the Networking Device window, select the management interface. Select OK.
7. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.
8. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.
9. When installation is complete, remove the CD.
10. Press Enter to reboot.
Upon initial boot of a freshly installed IPS-1 Sensor, including a new regular (non-Power) preinstalled appliance, configure it as follows:
1. Log in with username: admin and password: admin.
2. When prompted, change the password and (optionally) the username.
3. Run: sysconfig
   The first-time system configuration wizard begins.
4. Press n to proceed to the next menu. The Network Configuration menu options appear.
5. Use the menu options to configure:
   The hostname
   The domain name and at least one DNS server
   The management interface
6. Once Network Configuration is complete, press n to continue to Time and Date Configuration. Configure the following:
   Date
   Time and time zone
   Show date and time settings
   Enter n.
   Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see Configuring NTP on SecurePlatform on page 112.
7. Configure the following Alerts Concentrator options for the Sensor:
   IP address of the primary Alerts Concentrator. For Alerts Concentrator High Availability, type an IP address of a second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.
   An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.
   Select Next.
8. Configure the Operating Mode options. For each field, select the field with the Enter key, and select the appropriate value.
   Operating Mode - one of the following:
      IDS (passive): intrusion detection, no prevention. Packets do not pass from one interface to another.
      IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.
      IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.
      IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.
   For more information on Sensor modes, see the IPS-1 Administration Guide.
   Management Interface - displays (read-only) the IP address configured in the operating system.
   Inline Pair(s) - pairs of monitoring interfaces. Depending on your hardware, you may need to define the interface pairs that you will be using.
   Select Next to complete the wizard. You can modify the Sensor's settings at any time by running the cpconfig command.
The IPS-1 Sensor is now installed and configured. Continue to Post-Installation Steps on page 112.
   The IP address of the Primary Alerts Concentrator, and, for an Alerts Concentrator High Availability deployment, the IP address of the second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.
   An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.
   Select Next.
6. Press Enter to see the following available operation modes:
   IDS (passive): intrusion detection, no prevention.
   IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.
   IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.
   IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.
   For more information about Sensor modes, see the IPS-1 Administration Guide.
   Select an operation mode and select Next. The system reboots.
7. The IPS-1 Power Sensor uses an internal network between components. The network address for this network is preset to 10.10.10.0/24. If this conflicts with your network addressing (for example, the Alerts Concentrator or Sensor are in a network with that same address), reconfigure the internal network address as follows:
   a. Log into the IPS-1 Power Series appliance as admin. The password is the same as for the nfr user.
   b. At the prompt, type: configure system
   c. At the next prompt, type: set mccp subset address <address>
      where <address> is an available 24-bit network address (for example, 192.168.1.0).
   Note - You can modify the Sensor's settings at any time by logging on as the ips1 user. Reconfiguring the internal network address is the only reason you should ever need to log in as admin to a Power Sensor.
The IPS-1 Power Sensor is now configured. Continue to Post-Installation Steps on page 112.
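The address clash in step 7 is easy to miss when the Alerts Concentrator or a Sensor's management interface happens to sit in 10.10.10.0/24, or when that prefix is routed somewhere in the network. As an added example, not part of this guide and not Check Point code, the following Python checks the preset internal network against the addresses the Sensor must reach and any routed prefixes you list, and proposes a free /24 to use as <address>. The candidate pool (192.168.0.0/16) and the sample addresses are this example's own assumptions and constructed data.

```python
"""Detect a clash with the IPS-1 Power Sensor internal network (preset 10.10.10.0/24).

Added example, not Check Point code. The candidate pool for a replacement /24
is an assumption of this example; choose one that is unused in your network.
"""
from ipaddress import ip_interface, ip_network

DEFAULT_INTERNAL = ip_network("10.10.10.0/24")


def conflicts(internal, addresses, routed_prefixes=()):
    """Return the addresses and prefixes that overlap the internal /24 (empty = no clash)."""
    hits = []
    for a in addresses:
        if ip_interface(a).ip in internal:
            hits.append(str(a))
    for p in routed_prefixes:
        if ip_network(p).overlaps(internal):
            hits.append(str(p))
    return hits


def pick_internal_subnet(addresses, routed_prefixes=(), pool="192.168.0.0/16"):
    """Keep the preset network if it is free; otherwise return the first free /24 from the pool.

    The return value is the network address to pass to 'set mccp subset address'.
    """
    candidates = [DEFAULT_INTERNAL] + list(ip_network(pool).subnets(new_prefix=24))
    for net in candidates:
        if not conflicts(net, addresses, routed_prefixes):
            return str(net.network_address)
    raise LookupError("no free /24 in the candidate pool")


# Constructed sample: the Alerts Concentrator and the Sensor's management interface
# both live in 10.10.10.0/24, and 192.168.0.0/24 is already routed in the network.
SAMPLE_ADDRESSES = ["10.10.10.5", "10.10.10.20/24"]
SAMPLE_ROUTED = ["192.168.0.0/24"]

if __name__ == "__main__":
    print("clashes:", conflicts(DEFAULT_INTERNAL, SAMPLE_ADDRESSES, SAMPLE_ROUTED))
    print("use:", pick_internal_subnet(SAMPLE_ADDRESSES, SAMPLE_ROUTED))
```

Feed it every address the Sensor talks to (primary and secondary Alerts Concentrator, the management interface itself) plus your routed prefixes; with the sample data the preset network and 192.168.0.0/24 are both rejected and 192.168.1.0 is proposed, matching the example address in the note.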
IPS-1 Dashboard can be installed from CD2. The installation files are also located on CD6 of the media pack in: windows\CPipsClient Run the setupwin32 executable, and follow instructions.
Post-Installation Steps
In This Section:
Configuring NTP on SecurePlatform (page 112)
Completing IPS-1 Management Setup (page 113)
Completing IPS-1 Sensor Setup (page 117)
Once the IPS-1 components have been installed, one of the following procedures may be required before deploying them in the network.
ntp
Configure and start the Network Time Protocol polling client.
Syntax
ntp <MD5_secret> <interval> <server1> [<server2> [<server3>]]
ntp -n <interval> <server1> [<server2> [<server3>]]
Parameters
Table 6-2 ntp Parameters

Parameter       Meaning
MD5_secret      Pre-shared secret used to authenticate against the NTP server; use -n when authentication is not required.
interval        Polling interval, in seconds
server[1,2,3]   IP address or resolvable name of the NTP server

Prefer the authenticated form where your NTP servers support it: with -n, anyone who can spoof the server's replies can move the clock, which alters alert and log timestamps and can push certificates outside their validity period.
ntpstop
Stop polling the NTP server.
Syntax
ntpstop
ntpstart
Start polling the NTP server.
Syntax
ntpstart
First Login
After installation, your initial login user name is admin, and the password is the one you entered during the IPS-1 Management Server installation. Begin managing the IPS-1 system as follows:
1. Use the following command to verify that the IPS-1 Server (or Alerts Concentrator) processes are running:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Run: /etc/init.d/ips1 start
2. On the client computer, start the IPS-1 Management Dashboard. A login window appears:
3. Type your username and password, and specify the IPS-1 Server's IP address or resolvable hostname. By default, the port number is 8443.
   Note - The default username is admin. When upgrading from a previous version of IPS-1, log in with the pre-existing usernames. The default username for prior versions of IPS-1 is nfr.
4. If you are trying to connect to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server's connection and authentication information. Note that for Digest Proxy only HTTP is supported, not HTTPS.
5. Upon first login, you are prompted to Verify IPS-1 Management Server Certificate. If you are sure the presented certificate is coming from your IPS-1 Management Server, click Trust for the IPS-1 Management Dashboard on the host you are working on to trust this IPS-1 Management Server in the future. The Dashboard pins whatever certificate is presented at this first connection, so compare it with the certificate on the server itself, obtained out of band, before clicking Trust.
Manage Licenses
A freshly installed IPS-1 Management Server comes with a fifteen day trial license. If the trial license has expired, you must add an IPS-1 Management Server license obtained from Check Point's User Center in order to continue working with IPS-1. All licenses are stored on the IPS-1 Management Server and must have been generated for the IPS-1 Management Server's IP address.
To add a license:
1. Copy your license string, obtained from Check Point's User Center, to the clipboard. A license string has the following form:
cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx
2. In the License Manager, click Add.
3. Populate the fields by clicking Paste License. Click OK. The added license appears in the license list. In a Distributed Deployment, click Next to continue to the Add Alerts Concentrators page. In a Combined Deployment, the Alerts Concentrator installed with the Server is added automatically.
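A preflight check for a license string of the form shown above, added here as an example (it is not Check Point's code): it assumes the field order cplic putlic <host IP> <expiration date> <signature> <SKU> <certificate key> from the placeholder line, that the expiration field looks like 1Jan2001 or reads never, and it uses a constructed sample with documentation-range addresses and dummy key material.

```python
import ipaddress
import re
from datetime import date

# Month abbreviations used in the expiration field (e.g. 1Jan2001).
_MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}
_DATE_RE = re.compile(r"^(\d{1,2})([A-Za-z]{3})(\d{4})$")
# Four dash-separated alphanumeric groups, mirroring the guide's placeholder
# xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx (group length is deliberately not enforced).
_SIG_RE = re.compile(r"^[0-9A-Za-z]+(-[0-9A-Za-z]+){3}$")

# Constructed sample: documentation-range IP and dummy key material, not a real license.
SAMPLE_LICENSE = ("cplic putlic 192.0.2.10 1Jan2001 "
                  "aaaaaaaaa-bbbbbbbbb-ccccccccc-ddddddddd CPMP-IPS-5-NGX 00-00000000000")


def parse_expiry(text):
    """Turn '1Jan2001' into a date. 'never' (a permanent license) gives None."""
    if text.lower() == "never":
        return None
    m = _DATE_RE.match(text)
    if not m or m.group(2).lower() not in _MONTHS:
        raise ValueError("bad expiration date: %s" % text)
    return date(int(m.group(3)), _MONTHS[m.group(2).lower()], int(m.group(1)))


def parse_license_string(line):
    """Split a 'cplic putlic ...' line into named fields.

    Field roles are assumed from the layout shown in this guide:
      cplic putlic <host IP> <expiration> <signature> <SKU> <certificate key>
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "cplic" or tokens[1] != "putlic":
        raise ValueError("not a 'cplic putlic' license string")
    return {
        "host": tokens[2],
        "expiry": tokens[3],
        "signature": tokens[4],
        "sku": tokens[5],
        "cert_key": tokens[6] if len(tokens) > 6 else None,
    }


def check_license(line, server_ip, today=None):
    """Return a list of problems; an empty list means the string is well formed,
    bound to server_ip and not expired. 'today' is an optional date in the same
    1Jan2001 format, so a check can be replayed against a fixed day."""
    today_date = date.today() if today is None else parse_expiry(today)
    if today_date is None:
        raise ValueError("today must be a real date, not 'never'")
    server = ipaddress.ip_address(server_ip)
    try:
        lic = parse_license_string(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # The guide states that licenses are generated for the Management Server's IP,
    # so a string bound to another address will not be accepted there.
    try:
        if ipaddress.ip_address(lic["host"]) != server:
            problems.append("license bound to %s, server is %s" % (lic["host"], server))
    except ValueError:
        problems.append("host field is not an IP address: %s" % lic["host"])
    try:
        expiry = parse_expiry(lic["expiry"])
        if expiry is not None and expiry < today_date:
            problems.append("license expired on %s" % expiry.isoformat())
    except ValueError as exc:
        problems.append(str(exc))
    if not _SIG_RE.match(lic["signature"]):
        problems.append("signature is not four dash-separated groups: %s" % lic["signature"])
    return problems


if __name__ == "__main__":
    # Replay the sample against the day after its expiration, from the wrong host.
    for problem in check_license(SAMPLE_LICENSE, "198.51.100.7", today="2Jan2001"):
        print("problem:", problem)
```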
2. In the Host field, type the Alerts Concentrator's IP address or resolvable host name.
Note - Entering the Alerts Concentrator's IP address is preferred, to better protect against DNS spoofing.
3. Type and confirm the activation key that you specified during the Alerts Concentrator installation.
Note - If you don't have the activation key, log on to the Alerts Concentrator and set the activation key with the set_activation_key command.
4. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy's connection and authentication information.
5. Make sure Receive Alerts is On.
6. If this Alerts Concentrator, or the IPS-1 Server's communication with it, might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server then first attempts to retrieve the Help Text from another Alerts Concentrator.
7. Click OK. The Alerts Concentrator is added.
2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.
3. Type the Sensor's IP address or resolvable host name.
4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor's Management Menu.
Note - You can reset the Activation Key on the Sensor with the cpconfig command or, in the case of an IPS-1 Power Sensor, by logging in as the nfr user.
5. Click Next.
6. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values, and use the arrow buttons in the middle of the window to add, remove or reorder the addresses in the list of Selected Host Types. If your network does not appear in the Recently Used Values list, type the network address and netmask into the field at the bottom of the window and press Enter. When all of your network addresses are listed in the Selected Host Types, click Next.
7. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values, and use the arrow buttons in the middle of the window to add or remove addresses from the list of Selected Host Types. If your broadcast address does not appear in the Recently Used Values list, type the broadcast address into the field at the bottom of the window and press Enter. When all of your broadcast addresses are listed in the Selected Host Types, click Next.
8. Click New to assign descriptive names to your interfaces. The Edit Interface Description window appears. Enter the raw interface name as it is listed on the Sensor, and enter the descriptive name that you want to assign to that interface. Click OK.
9. Once you have finished modifying the names of the interfaces, click Finish to add the new Sensor to the Alerts Concentrator.
10. To apply the changes, click Install Policy. For configuring protections and other settings, see the IPS-1 Administration Guide.
Upgrade Section
This section covers upgrading to the current version.
Note - Only versions NGX R60 and above can be upgraded to R70.
Documentation
This guide covers all available upgrade paths for Check Point products from NGX R60 forward. Before you begin:
Make sure that you have the latest version of this document by checking in the User Center at: http://support.checkpoint.com
It is a good idea to have the latest version of the R70 Release Notes handy. Download them from: http://support.checkpoint.com
For a new features list, refer to the R70 What's New Guide: http://support.checkpoint.com
Contract Verification
Contract verification is now an integral part of the Check Point licensing scheme. Before upgrading to the latest version, your licensing agreements are verified through the User Center. See: Service Contract Files on page 131 for more information.
Release: NGX
Version:
R60, R60A, R61, R62, R65 (R65.4 not supported)
R65 with HFA 30 with the Connectra NGX R66 Plug-in
R65 with Messaging Security
R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
R65 with the SmartProvisioning Plug-in
R65 UTM-1
R65 Power-1
Version R60, R60A, R61, R62, R65 NGX R60 NGX R61, R62, R62CM, R66 7.5.x and above
are available on the product CD. R70 software packages for Nokia are available from:
http://www.checkpoint.com/techsupport/downloads.jsp
Terminology
Advanced Upgrade: In order to avoid unnecessary risks, it is possible to migrate the current configuration to a spare server. The upgrade process is then performed on the migrated server, leaving the production server intact.
ClusterXL: A software-based load sharing and high availability solution for Check Point gateway deployments. It distributes traffic between clusters of redundant gateways so that the computing capacity of multiple machines may be combined to increase total throughput. In the event that any individual gateway becomes unreachable, all connections are redirected to a designated backup without interruption. Tight integration with Check Point's Security Management server and security gateway solutions ensures that ClusterXL deployment is a simple task for security gateway administrators.
Distributed Deployment: A distributed deployment is performed when the gateway and the Security Management server are deployed on different machines.
Gateway or Check Point Gateway: A gateway is the software component which actively enforces the Security Policy of the organization.
In Place Upgrade: In Place upgrades are upgrades performed locally.
SmartProvisioning: Enables enterprises to easily scale, deploy, and manage VPNs and security for thousands of remote locations.
Package Repository: This is a SmartUpdate repository on the Security Management server that stores uploaded packages. These packages are then used by SmartUpdate to perform upgrades of Check Point Gateways.
SmartLSM Security Gateway: A Remote Office/Branch Office Gateway (formerly ROBO gateway).
ROBO Profile: An object that you define to represent properties of multiple ROBO gateways. Profile objects are version dependent; therefore, when you plan to upgrade ROBO gateways to a new version, first define new Profile objects for your new version. In general, it is recommended that you keep the Profile objects of the previous versions until all ROBO Gateways of the previous version are upgraded to SmartLSM Security gateways. For further information about defining a ROBO Profile, refer to the Check Point SmartProvisioning Administration Guide.
Security Policy: A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.
Security Management server: The Security Management server is used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the Security Management server, and are downloaded from time to time to the gateways.
SmartConsole Clients: The SmartConsole Clients are the GUI applications that are used to manage different aspects of the Security Policy. For example, SmartView Tracker is a GUI client used to view logs.
SmartDashboard: A GUI client that is used to create Security Policies.
SmartUpdate: A tool that enables you to centrally upgrade and manage Check Point software and licenses.
Standalone Deployment: A standalone deployment is performed when the Check Point components that are responsible for the management of the Security Policy (the Security Management server and the gateway) are installed on the same machine.
Upgrade Tools
Various upgrade tools are provided for migration and compatibility verification of your current deployment. These tools help you successfully upgrade to R70. The upgrade tools can be found in the following locations:
In the R70 $FWDIR/bin/upgrade_tools directory.
http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
Upgrading Successfully
Note that:
Check Point Suite products before version NGX R60 cannot be upgraded to NGX R70.
When upgrading NGX R65, only the following Plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other Plug-in will cause the upgrade process to fail.
Warning - If you upgrade from NGX R65 (with Plug-ins) to R70, and later want to uninstall R70 (rollback to NGX R65), follow the instructions in sk37252 (http://supportcontent.checkpoint.com/solutions?id=sk37252) to avoid potential problems.
When upgrading a SmartCenter server to R70, SmartDefense profiles will remain in effect on pre-R70 gateways and can be managed from the IPS tab. When upgrading a VPN-1 gateway to R70, remember to change the gateway's object in SmartDashboard to version R70. The gateway will continue to enforce the previously configured SmartDefense profile, but the inspection will be conducted using the new IPS inspection engine. You can apply an R70 IPS profile to the upgraded gateway at any time.
If you encounter unforeseen obstacles during the upgrade process, contact your Reseller or consult the SecureKnowledge support center at: https://secureknowledge.checkpoint.com
Introduction
Before upgrading a gateway or Security Management server to R70, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on Security Management server and downloaded to security gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.
On a Windows Platform
When upgrading the Security Management server, the upgrade process checks whether a contract file is already present on the server. If not, the main options for obtaining a contract are displayed. You can:
Download a contracts file from the User Center
If you have Internet access and a valid user account, you may download a contract file directly from the User Center. The contract file obtained through the User Center contains contract information for all of your accounts at the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements.
i. Click Next.
If the connection succeeds but the downloaded contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center.
iii. Browse to Support.
iv. On the Additional Services page, in the Service Contract File Download section, click Download Now.
v. Transfer the downloaded file to the management server. After selecting Import a local contracts file, you can then browse to the location where you stored the contract file.
If the contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
vi. Click Next to continue with the upgrade process.
Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process.
For more information, see: Managing Contracts with SmartUpdate on page 153.
You can:
Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
User name
Password
If the contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see: Managing Contracts with SmartUpdate on page 153 for more information on using SmartUpdate).
Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center.
iii. Browse to Support.
iv. On the Downloads page, in the Service Contract File Download section, click Download Now.
Transfer the downloaded file to the management server. After selecting Import a local contracts file, enter the full path to the location where you stored the file.
If the contract file does not cover the Security Management server, a message informs you that the Security Management server is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Download a valid contract at a later date using SmartUpdate (see: Managing Contracts with SmartUpdate on page 153 for more information on using SmartUpdate).
Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process:
For more information, see: Managing Contracts with SmartUpdate on page 153.
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO Security Management server to R70, the upgrade process will check to see if there is a valid contract already present on the Security Management server. If a contract is not present, the upgrade process proceeds as normal. After successfully upgrading the gateway, the following message is displayed:
The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts). For further details see: http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point user center.
On a Windows Platform
After accepting the End User License Agreement (EULA), the following message is displayed:
After clicking Next, the upgrade process checks to see if a valid contract file is installed on the gateway. If no contract file exists, the upgrade process attempts to retrieve a contract file from the Security Management server that manages the gateway. If a contract file cannot be retrieved from Security Management server, the main options for obtaining a contract file for the gateway are displayed:
You can:
Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements.
i. If the connection succeeds but the downloaded contract file does not cover the gateway, the following message appears. However, this will not prevent the upgrade from taking place.
ii. After clicking Next, the upgrade process continues.
Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center.
iii. Browse to Support.
iv. On the Downloads page, in the Service Contract File Download section, click Download Now.
v. Transfer the downloaded file to the gateway. After selecting Import a local contracts file, you can then browse to the location where you stored the file.
If the local contract file does not cover the gateway, the following message is displayed:
However, this will not prevent the upgrade from taking place. If the contract file covers the gateway, the following message is displayed:
Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process.
For more information, see: Managing Contracts with SmartUpdate on page 153.
The upgrade process searches for a valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to retrieve the latest contract file from the Security Management server that manages the gateway. If a valid contract file is not located on the Security Management server, the main options for obtaining a contract file for the gateway are displayed:
You can:
Download a contracts file from the User Center
If you have Internet access and a valid user account, then download a contract file directly from the User Center. The contract file obtained through the User Center conforms with the terms of your licensing agreements. If you choose to download contract information from the User Center, you are prompted to enter your:
User name
Password
Proxy server address (if applicable)
If, according to information gathered from your User Center account, your gateway is not eligible for upgrade, the following message is displayed:
You may still upgrade the gateway but are advised to download a valid contract at a later date using SmartUpdate (see: Managing Contracts with SmartUpdate on page 153 for more information on using SmartUpdate).
Import a local contract file
If the server being upgraded does not have Internet access, then:
i. On a machine with Internet access, browse to: https://usercenter.checkpoint.com/usercenter/index.jsp
ii. Log in to the User Center.
iii. Browse to Support.
iv. On the Downloads page, in the Service Contract File Download section, click Download Now.
Transfer the downloaded file to the gateway. After selecting Import a local contracts file, enter the full path to the location where you stored the file.
If the contract file does not cover the gateway, a message informs you that the gateway is not eligible for upgrade. However, the absence of a valid contract file will not prevent the upgrade from taking place. Once the upgrade is complete, contact your local support provider to obtain a valid contract.
Continue without contract information
Select this option if you intend to obtain and install a valid contract file at a later date. Note that at this point your gateway is not strictly eligible for an upgrade; you may be in violation of your Check Point Licensing Agreement, as shown in the final message of the upgrade process.
For more information, see: Managing Contracts with SmartUpdate on page 153.
On IPSO
Contract verification on IPSO is not interactive. When upgrading an IPSO gateway to R70, the upgrade process will check to see if there is a valid contract available on the Security Management server that manages the gateway. If none is available, the upgrade process proceeds. After successfully upgrading the gateway, the following message is displayed:
The upgrade process requires a valid contract file in order to verify that your gateway complies with Check Point licensing agreements. While the absence of a contract file does not prevent this upgrade, it is recommended that you obtain a contract file via SmartUpdate (Licenses & Contracts menu -> Update Contracts). For further details see: http://www.checkpoint.com/ngx/upgrade/contract/
At the earliest opportunity, obtain a valid contract file from the Check Point user center.
Managing Contracts
The License Repository window in SmartUpdate displays contracts as well as regular licenses.
Clicking Show Contracts displays the contracts associated with this license:
Selecting a specific contract and then Properties displays the contract's properties, such as contract ID and expiration date, as well as which licenses are covered by the contract.
Updating Contracts
Licenses & Contracts on the File menu has enhanced functionality for handling contracts:
Licenses & Contracts > Update Contracts
This option installs contract information on the Security Management server. Each time you purchase a new contract, use this option to make sure the new contract is displayed in the License Repository.
Licenses & Contracts > Get all Licenses
a. Collects licenses of all gateways managed by the Security Management server.
b. Updates the contract file on the server if the file on the gateway is newer.
Introduction
This chapter describes the process of upgrading a distributed deployment to R70. A distributed deployment consists of at least one Security Management server and one or more gateways. The Security Management server and gateway do not reside on the same physical machine. Since backward compatibility is supported, a Security Management server that has been upgraded to R70 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway. The R70 Security Management server can manage the following gateways:
Product             Version
Release NGX         R60, R60A, R61, R62, R65
InterSpect          NGX R60
Connectra           NGX R61, R62, R62CM, R66
UTM-1 Edge          7.5.x and above
Endpoint Security
R70 is not backwardly compatible with:
VPN-1 Pro/Express NG
VPN-1 Pro/Express NG FP1
VPN-1 Pro/Express NG FP2
Pre-Upgrade Considerations
In This Section
Pre-upgrade Verification, page 159
Web Intelligence License Enforcement, page 159
Upgrading Products on a SecurePlatform Operating System, page 160
UTM-1 Edge Gateways Prior to Firmware Version 7.5, page 160
Pre-upgrade Verification
Using the Pre-Upgrade verification tool reduces the risk of incompatibilities when upgrading the deployment to R70. It tests the current gateway prior to the upgrade to R70 and produces a detailed report indicating the appropriate actions that should be taken before performing the upgrade (refer to Using the Pre-Upgrade Verification Tool on page 161).
The actual license required depends on the number of Web servers protected by the gateway or gateway cluster. For NGX R60 and later versions, if the correct license is not installed, it is not possible to install a Policy on a gateway.
TopologyOldFormat=1
3. Save and close the file. The change takes effect without running the commands cpstop and cpstart.
Usage:
pre_upgrade_verifier.exe -p SmartCenterPath -c CurrentVersion -t TargetVersion [-f FileName] [-w]
Where the currently installed version is one of the following:
For Release NGX, Version is one of: NGX_R65, NGX_R62, NGX_R61, NGX_R60A, NGX_R60
The target version is: R70.
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it should be the last package uninstalled.
The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. Refer to the Check Point R70 SecurePlatform/SecurePlatform Pro Administration Guide for additional information. If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 193 for details.
To perform an upgrade on SecurePlatform:
1. Insert CD1 of the R70 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform R70 Upgrade Package (CPspupgrade_<version_number>.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
Note - Creating the snapshot image can take up to twenty minutes, during which Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement, and verify your contract information. For more information on contracts, see: On SecurePlatform, and Linux on page 148.
8. Three upgrade options are displayed: Upgrade; Export the configuration; Perform pre-upgrade verification only.
i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
ii. Export the configuration.
iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate License Repository. Select one of the following:
Enter [L] to view the licenses installed on your machine.
Enter [C] to check if currently installed licenses have been upgraded.
Enter [S] to simulate the license upgrade.
Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
Enter [Q] to quit.
10. Select a source for the upgrade utilities: either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach new licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to view a list of all the installed packages, then remove each one with rpm -e <package name>.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it will be the last package uninstalled. Run rpm -qa to view a list of all the installed packages, then remove each one with rpm -e <package name>.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it will be the last package uninstalled. Run the pkgrm command to view a list of the installed packages.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -qa to view a list of the installed packages, then remove each one with rpm -e <package name>.
3. Click System Configuration > Install New IPSO Image (Upgrade). The New Image Installation Upgrade window opens.
4. Enter the following information:
Enter URL to the image location
Enter HTTP Realm (for HTTP URLs only)
Enter Username (if applicable)
Enter Password (if applicable)
5. Click Apply. You are informed that the file download and image installation may take some time.
6. Click Apply.
7. The new image installation process begins. Click the provided link to get the upgrade status.
8. When the upgrade is complete, click the link to the IPSO Image Management page. The IPSO Image Management window opens.
9. Under the title Select an image for next boot, select the last downloaded image.
10. Click Test Boot.
11. Access the CLI console to see when the reboot is complete. Once the reboot is complete, go back to Network Voyager to verify that the image was set properly.
12. In Network Voyager, click Refresh and log in.
13. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images. You should be able to see that the relevant IPSO Image is selected.
14. Select Commit testboot and click Apply.
15. Access the CLI console and log in.
16. Use FTP in bin mode to transfer the IPSO_Wrapper_<version_number>.tgz package.
17. Type newpkg -S -m LOCAL -n <CPsuite package path> -o $FWDIR and press Enter. This command:
Deactivates previous Check Point packages but does not delete them.
Finds the upgrade tools in $FWDIR and performs an import/export operation to preserve the previous configuration.
When the process is complete, you should receive a message indicating that the process was successful, along with a reminder to update your contract information. For more information on contracts, see: On IPSO on page 152.
18. Log off the console connection, and then log back on to set the environment variables.
19. Start the installed products by running cpstart.
Note - The previous Check Point packages remain installed but deactivated. Should the need arise, the previous packages can be activated through Network Voyager.
In This Section
Upgrading a Clustered Deployment, page 173
Upgrading the Gateway Using SmartUpdate, page 174
Gateway Upgrade Process on a Windows Platform, page 178
Gateway Upgrade on SecurePlatform, page 180
Gateway Upgrade on an IPSO Platform, page 181
SmartUpdate Options
SmartUpdate is the primary tool used for upgrading Check Point gateways. The following features and tools are available in SmartUpdate: Upgrade All Packages: This feature allows you to upgrade all packages installed on a gateway. For IPSO and SecurePlatform, this feature also allows you to upgrade your operating system as a part of your upgrade. In R70, SmartUpdate's Upgrade all Packages supports HFAs, i.e., it will suggest upgrading the gateway with the latest HFA if a HFA package is available in the Package Repository. "Upgrade All" is the recommended method. In addition, there is an advanced method to install (distribute) packages one by one. Add Package to Repository: SmartUpdate provides three helper tools for adding packages to the Package Repository: From CD: Adds a package from the Check Point CD. From File: Adds a package that you have stored locally.
  - From Download Center: Adds a package from the Check Point Download Center.
- SmartUpdate's Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or for your entire enterprise.
- Check for Updates: This feature, available from the SmartDashboard Tools menu, locates the latest HFA on the Check Point Download Center, and adds it to the Package Repository.
When adding the package to the Package Repository, the package file is transferred to the Security Management server. When the Operation Status window opens, you can verify the success of the operation. The Package Repository is then updated to show the new package object.
2. From the list provided, select the gateways that can be upgraded and click Upgrade.
Note - The Allow reboot... option (selected by default) is required in order to activate the newly installed packages.
The Operation Status pane opens and shows the progress of the installation. Each operation is represented by a single entry. Double click the entry to open the Operation Details window, which shows the operation history. The following operations are performed during the installation process:
- The Check Point Remote Installation Daemon connects to the Check Point gateway.
- Verification for sufficient disk space.
- Verification of the package dependencies.
- The package is transferred to the gateway if it is not already there.
- The package is installed on the gateway.
- Enforcement policies are compiled for the new version.
- The gateway is rebooted if the Allow Reboot... option was selected and the package requires it.
- The gateway version is updated in SmartDashboard.
- The installed packages are updated in SmartUpdate.
5. When the pre-upgrade verification recommendation appears, select whether or not the Pre-upgrade verification tool should be executed (refer to Using the Pre-Upgrade Verification Tool on page 161). The Pre-upgrade verification tool performs a compatibility analysis of the currently installed gateway and its current configuration. A detailed report is provided, indicating the appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.
6. From the Upgrade Options screen, select Upgrade again. Another verification is run.
7. When prompted, reboot the gateway.
8. When the upgrade process is complete, do the following:
 a. Using SmartDashboard, log in to the R70 Security Management server that controls the upgraded gateway.
 b. Open the gateway object properties window that represents the upgraded gateway and change the version to R70.
 c. Perform Install Policy on the upgraded gateway.
If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 193 for details.
The process described in this section upgrades all components (Operating System and software packages) in a single upgrade process. No further upgrades are required. The single upgrade package contains all necessary software items. Refer to the CheckPoint R70 SecurePlatform/SecurePlatformPro Administration Guide for additional information. If a situation arises in which a revert to your previous configuration is required, refer to Reverting to Your Previous Deployment on page 193 for details.
When the Upgrade process is complete, upon reboot you are given the option to manually start the SecurePlatform operating system using the upgraded version image or using the image created prior to the Upgrade process.
6. After you complete the upgrade process, do the following:
 a. Using SmartDashboard, log in to the R70 Security Management server that controls the upgraded gateway.
 b. Open the gateway object properties window for the upgraded gateway and change the version to R70.
 c. Perform Install Policy on the upgraded gateway.
Introduction
Before you perform an upgrade process, you should back up your current configuration. The purpose of the backup process is to back up the entire configuration, and to restore it if necessary, for example, in the event that the upgrade process is unsuccessful. To back up your configuration, use the Export utility tool of the version for which you are creating a backup file. The backup file contains your current system configuration (for example, objects, rules, and users) and can be used to restore your previous configuration if the upgrade process fails. The restoration procedure restores the configuration in effect when the backup procedure was executed.
Note - Operating system level configurations (for example, network configuration) are not exported.
If you are performing an upgrade process on SecurePlatform, you do not have to back up your configuration using the Export utility. SecurePlatform provides the option of backing up your configuration during the Upgrade process.
Chapter 10
Restoring a Deployment
To restore a deployment:
1. Copy the exported .tgz file to the target Security Management server.
2. In the Security Management server, insert the product CD for the version being restored.
3. Using the available options, perform an installation using an imported configuration file.
SecurePlatform provides a command line or Web GUI capability for conducting backups of your system settings and products configuration. The backup utility can store backups either locally on the SecurePlatform machine hard drive, or remotely to a TFTP server or an SCP server. The backup can be performed on request, or it can be scheduled to take place at set intervals. The backup files are kept in tar gzipped format (.tgz). Backup files, saved locally, are kept in /var/CPbackup/backups. The restore utility is used for restoring SecurePlatform settings and/or product configurations from backup files. Expert permissions are required to perform the backup and restore procedures.
Backup
This command is used to back up the system configuration. You can also copy backup files to a number of SCP and TFTP servers for improved backup robustness. The backup command, when run by itself without any additional flags, uses default backup settings and performs a local backup.
Syntax
backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [[--tftp <ServerIP> [-path <Path>] [<Filename>]] | [--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]] | [--file [-path <Path>] [<Filename>]]]
Parameters
Table 10-1 Backup Parameters
Parameter / Meaning
-h
    obtain usage
-d
    debug flag
-l
    Enables VPN log backup (By default, VPN logs are not backed up.)
--purge DAYS
    Deletes old backups from previous backup attempts
[--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
    Schedule interval at which backup is to take place. On - specify time and day of week, or day of month. Off - disable schedule
--tftp <ServerIP> [-path <Path>] [<Filename>]
    List of IP addresses of TFTP servers, on which the configuration is to be backed up, and optionally the filename
--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]
    List of IP addresses of SCP servers, on which the configuration is to be backed up, the username and password used to access the SCP server, and optionally the filename
--file [-path <Path>] <Filename>
    When the backup is performed locally, specify an optional filename
Restore
This command is used to restore the system configuration.
Syntax
restore [-h] [-d][[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 10-2 Restore Parameters
Parameter / Meaning
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> [<Filename>]
    IP address of TFTP server, from which the configuration is restored, and the filename
--scp <ServerIP> <Username> <Password> [<Filename>]
    IP address of SCP server, from which the configuration is restored, the username and password used to access the SCP server, and the filename
--file <Filename>
    Specify a filename for restore operation, performed locally
For additional information about the backup and restore utilities, refer to the System Commands section in the CheckPoint R65 SecurePlatform/SecurePlatformPro Administration Guide.
SecurePlatform provides the option of backing up the entire SecurePlatform operating system and all of its products using the snapshot command. A snapshot of the system can be taken manually using the snapshot command or automatically during an upgrade procedure using the SafeUpgrade option. Having a snapshot of the entire operating system enables you to restore SecurePlatform if needed. Similar to Backup and Restore, the Snapshot and Revert features ensure easy maintenance and management, even if a situation arises that demands that you undo an upgrade and revert to a previous deployment. The snapshot and revert commands can use a TFTP server or an SCP server to store snapshots. Alternatively, snapshots can be stored locally.
Note - The snapshot and revert commands are relevant only for reverting R70 to a previous version on SecurePlatform, because this involves reverting the entire platform. If you are using another platform, see Reverting to Your Previous Deployment on page 193.
Snapshot
This command creates an image of SecurePlatform. The snapshot command, run by itself without any additional flags, uses the default backup settings and creates a local snapshot.
Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 10-3 Snapshot Parameters
Parameter / Meaning
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> <Filename>
    IP address of the TFTP server, from which the snapshot is taken, as well as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server, from which the snapshot is taken, the username and password used to access the SCP server, and the filename of the snapshot
--file <Filename>
    When the snapshot is made locally, specify a filename
Revert
This command restores SecurePlatform from a snapshot file, reverting the machine to a previous deployment. The revert command, run by itself without any additional flags, uses default backup settings, and reboots the system from a local snapshot.
Syntax
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Table 10-4 Revert Parameters
Parameter / Meaning
-h
    obtain usage
-d
    debug flag
--tftp <ServerIP> <Filename>
    IP address of the TFTP server, from which the snapshot is rebooted, as well as the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server, from which the snapshot is rebooted, the username and password used to access the SCP server, and the filename of the snapshot
--file <Filename>
    When the snapshot is made locally, specify a filename
The revert command functionality can also be accessed from the Snapshot image management boot option.
If you are deploying on SecurePlatform, see SecurePlatform Snapshot Image Management on page 190. To revert to a version that was active before it was upgraded to R70, perform the uninstall procedure described in this section, according to the platform you have. This will uninstall the last active version only, and leave the previously installed version as the now-active version.
Note - Make sure to remove all R70 products and compatibility packages before removing the R70 CPsuite.
2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the R70 versions are disabled.
Note - On flash-based platforms, the R70 packages no longer appear in the Manage Packages page since they were never part of the previous configuration set.
ICA Considerations
Once the Revert process is complete, certificates issued during the use of R70 remain valid. While these certificates are valid, they cannot be processed by the Internal CA. To resume management of older certificates after the Revert process:
1. Back up the InternalCA.NDB and ICA.crl files (located in the $FWDIR/conf directory) and all *.crl files (located in the $FWDIR/conf/crl directory) from the version prior to R70 to a suitable location.
2. Copy the R70 InternalCA.NDB, ICA.crl and the *.crl files (located in the $FWDIR/conf directory) from the current R70 version and use them to overwrite the files in the location specified in step 1 (in the $FWDIR/conf directory).
Note - If the Upgrade process was performed on a machine that runs a different operating system than the original machine, the InternalCA.NDB file must be converted after it is copied to the reverted environment. To do this, run the cpca_dbutil d2u command line from the reverted environment.
3. Once the Revert process is complete, use the ICA Management Tool to review certificates created using R70 in the reverted environment. For example, the subject to which a specific certificate was issued may no longer exist. In such a case, you may want to revoke the specific certificate.
For additional information, refer to The Internal Certificate Authority (ICA) and the ICA Management Tool chapter in the Security Management Server Administration Guide.
Introduction
This chapter describes the process of upgrading a standalone deployment to R70. A standalone deployment consists of the Security Management server and gateway installed on the same system. Since backward compatibility is supported, a Security Management server that has been upgraded to R70 can enforce and manage gateways from previous versions. In some cases, however, new features may not be available on earlier versions of the gateway. The R70 Security Management server can manage the following gateways:
Release NGX InterSpect Connectra UTM-1 Edge Endpoint Security Version R60, R60A, R61, R62, R65 NGX R60 NGX R61, R62, R62CM, R66 7.5.x and above
Pre-Upgrade Considerations
In This Section
Upgrading Products on a SecurePlatform Operating System  page 199
Reverting to Your Previous Software Version  page 199
To back up your configuration, use the SecurePlatform snapshot and revert commands (for additional information, refer to SecurePlatform Backup and Restore Commands on page 187).
Chapter 11
Where the currently installed version is one of the following:
For Release NGX, Version is:
- NGX_R65
- NGX_R62
- NGX_R61
- NGX_R60A
- NGX_R60
To perform an upgrade on a Windows platform:
1. Access your R70 CD.
2. Execute the Installation package.
3. Agree to the EULA and verify your contract information. For more information on contracts, see On a Windows Platform on page 141.
4. From the Upgrade Options screen, select Upgrade.
5. When the pre-upgrade verification recommendation appears, select whether or not the Pre-upgrade verification tool should be executed (refer to Using the Pre-Upgrade Verification Tool on page 200). Pre-upgrade verification performs a compatibility analysis of the currently installed gateway and its current configuration. A detailed report is provided, indicating appropriate actions that should be taken before and after the upgrade process. The tool can be used manually as well.
6. From the Upgrade Options screen, select Upgrade again. Another verification is run.
7. Reboot when prompted.
Uninstalling Packages
Uninstall Check Point packages on the Windows platform using the Add/Remove applet in the Control Panel. Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled.
The process described in this section upgrades all of the components (Operating System and software packages) in a single upgrade process. No further upgrades are required. The single upgrade package contains all necessary software items.
Warning - For all operating systems except SecurePlatform, an R70 upgrade cannot be reverted to its previous version once it is complete.
To perform an upgrade on a SecurePlatform server:
1. Insert CD1 of the R70 media kit into the CD drive.
2. At the command prompt, enter patch add cd.
3. Select SecurePlatform R70 Upgrade Package (CPspupgrade_<version_number>.tgz).
4. Enter y to accept the checksum calculation.
5. When prompted, create a backup image for automatic revert.
Note - Creating the snapshot image can take up to twenty minutes, during which time Check Point products are stopped.
6. The welcome message is displayed. Enter n.
7. Accept the license agreement, and verify your contract information. For more information on contracts, see On SecurePlatform, and Linux on page 148.
8. Three upgrade options are displayed:
 - Upgrade
 - Export the configuration
 - Perform pre-upgrade verification only
 i. Run the pre-upgrade verification script, and follow the recommendations contained in the pre-upgrade verification results. Repeat the process until you see Your configuration is ready for upgrade.
 ii. Export the configuration.
 iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
 - Enter [L] to view the licenses installed on your machine.
 - Enter [C] to check if currently installed licenses have been upgraded.
 - Enter [S] to simulate the license upgrade.
 - Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
 - Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
 - Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new licenses to the gateways.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. Since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -e <package name> to view a list of the installed packages.
Uninstalling Packages
Check Point packages need to be uninstalled in the opposite order to which they were installed. For example, since CPsuite is the first package installed, it should be the last package uninstalled. Run rpm -e <package name> to view a list of the installed packages.
Before Installing
From the Check Point website (http://www.checkpoint.com/techsupport/downloads.jsp), download IPSO_Wrapper_R70.tgz. From Nokia, download IPSO 6.0.7.
Note - R70 is not supported on IPSO 4.x images. If you are using IPSO 4.x, first upgrade to IPSO 6.0.7. If IPSO 6.0.7 is already installed, skip to step 19 on page 206.
You are informed that the file download and image installation may take some time.
5. Click Apply. A message is displayed indicating that the new image installation process has started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images. The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.1 or 4.2.
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images. You should be able to see that the relevant IPSO (4.1 or 4.2) image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console, and log in.
14. Type newpkg, and press Enter.
15. Use the FTP menu option to transfer the 6.0.7 package.
16. Install the 6.0.7 package. Wait until a message informs you that the process is complete.
17. Activate the 6.0.7 package.
18. In Voyager, verify that the 6.0.7 package is turned ON.
19. On the CLI, type newpkg, and press Enter.
20. Use the FTP menu option to transfer the IPSO_Wrapper_R70.tgz package.
21. Install the IPSO_Wrapper_R70 package. Wait until a message informs you that the process is complete.
22. Type Reboot and press Enter.
Configuring R70
If you upgraded from IPSO 4.x to 6.0.7 then there is no need to configure R70. If you performed a fresh installation of IPSO 6.0.7:
1. From a console connection, run cpconfig.
2. Select an installation type, Stand Alone or Distributed.
3. Select Security Management server from the selection list.
4. Specify the Security Management server type as Primary or Secondary Management.
Note - Only relevant for a distributed deployment.
5. Add Licenses.
6. Configure an administrator name and password.
7. Configure the GUI clients and hosts which can access the Security Management server using SmartConsole.
8. Configure Group Permissions.
9. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
10. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
11. Start the installed products. If you opt not to start the installed products at this time, they can be started later by running cpstart.
12. Reboot.
Or enter "." for the current directory.
6. Enter the Ipso.tgz pkg name, and press Enter. The upgrade process completes, and the machine reboots.
7. Run: show image current. 6.0.7 should be the current IPSO image.
2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the R70 versions are disabled.
Note - On flash-based platforms, the R70 packages will no longer appear in the Manage Packages page since they were never part of the previous configuration set.
SmartUpdate's Get Check Point Gateway Data: This tool updates SmartUpdate with the current Check Point or OPSEC third-party packages installed on a specific gateway or throughout your entire enterprise.
Note - Full Connectivity Upgrade is supported between minor versions only. For further information, refer to Full Connectivity Upgrade on a ClusterXL Cluster on page 217 and the R70 Release Notes.
Chapter 12
On the SmartConsole GUI machine, open SmartUpdate, and connect to the Security Management server. The updated licenses are displayed as Assigned. Use the Attach assigned licenses option to Attach the Assigned licenses to the cluster members.
4. Upgrade cluster members B and C in one of the following ways:
 - Using SmartUpdate
 - In Place
When the upgrade of B and C is complete, reboot both of them. If you are running SmartUpdate, skip to step 7. SmartUpdate compiles and installs an updated policy on the new member, once it is rebooted.
5. Installing the policy: Be aware that policy installation on the old Check Point gateway may cut connections for services that do not survive the policy installation. This can be avoided by configuring the Check Point Gateway > Advanced > Connection Persistence tab to either Keep all connections or Keep data connections. For complete instructions, click the help button in the Connection Persistence tab.
Note - Do not change any cluster parameters from the current policy at this time. For example, if the cluster is running in New High Availability mode, do not change it to Load Sharing. Changes can be made after the upgrade process is complete.
6. If you are upgrading from a previous version, perform the following steps:
 a. From the Policy Installation window, clear the For Gateway Clusters, install on all the members, if it fails do not install at all option located under the Install on each selected Module independently option.
 b. Install the security policy on the cluster. The policy will be successfully installed on cluster members B and C, and will fail on member A.
7. Using the cphaprob stat command (executed on a cluster member), verify that the status of cluster member A is Active or Active Attention. The remaining cluster members will have a Ready status. The status Active Attention is given if member A's synchronization interface reports that its outbound status is down, because it is no longer communicating with other cluster members.
8. Execute the cphastop command on cluster member A. Machines B and/or C start to process traffic (depending on whether this is a Load Sharing or High Availability configuration).
9. It is recommended that you do not install a new policy on the cluster until the last member has been upgraded. If you must install a new policy, perform the following steps:
 a. Run cpstop on the old Check Point gateway.
 b. Run fw ctl set int fwha_conf_immediate 1 on all new Check Point gateways.
 c. Install the policy.
Note - It is recommended that you minimize the time in which cluster members are running different versions.
To upgrade the final cluster member:
1. Upgrade cluster member A by either:
 - Using SmartUpdate
 - In Place
2. Reboot cluster member A.
3. Run cphaconf set_ccp multicast followed by cphastart on all cluster members. This returns the cluster control protocol to multicast (instead of broadcast). This step can be skipped if you prefer to remain working with the cluster control protocol in the broadcast mode.
Supported Modes
FCU is supported on all modes of ClusterXL, including IPSO's IP clustering and VRRP. Legacy High Availability is not supported in FCU. For other third-party support, refer to the third-party documentation.
The exact same products must be installed on the OM and on the NM. For example, it is not possible to perform an FCU from a Check Point Gateway that has Floodgate-1 installed to a newer Check Point Gateway that does not have Floodgate-1 installed. Verify the installed products by running the command fw ctl conn on both cluster members. An example output on the NM:
Registered connections modules:
No. Name           Newconn  Packet   End      Reload   Dup Type Dup Handler
0:  Accounting     00000000 00000000 d08ff920 00000000 Special  d08fed58
1:  Authentication d0976098 00000000 00000000 00000000 Special  d0975e7c
3:  NAT            00000000 00000000 d0955370 00000000 Special  d0955520
4:  SeqVerifier    d091e670 00000000 00000000 d091e114 Special  d091e708
6:  Tcpstreaming   d0913da8 00000000 d09732d8 00000000 None
7:  VPN            00000000 00000000 d155a8d0 00000000 Special  d1553e48
Verify that the list of Check Point Gateway names is the same for both cluster members.
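As an added example that is not part of this guide, the following Python script does the comparison mechanically: it parses the Registered connections modules listing from fw ctl conn captured on the OM and on the NM and reports any module that is present on only one member, which is the product mismatch the guide says makes an FCU fail. The NM listing reuses the rows shown above; the OM listing, including its FloodGate-1 row and handler addresses, is a constructed sample.

```python
import re
from typing import Dict, List, Optional

# One row of the "Registered connections modules" table, for example:
#   4: SeqVerifier d091e670 00000000 00000000 d091e114 Special d091e708
# The Dup Handler column is absent when Dup Type is None.
_ROW = re.compile(
    r"^\s*(?P<no>\d+):\s+(?P<name>\S+)\s+"
    r"(?P<newconn>[0-9a-f]{8})\s+(?P<packet>[0-9a-f]{8})\s+"
    r"(?P<end>[0-9a-f]{8})\s+(?P<reload>[0-9a-f]{8})\s+"
    r"(?P<dup_type>[A-Za-z]+)(?:\s+(?P<dup_handler>[0-9a-f]{8}))?\s*$"
)

# New member (NM): the example listing from the guide.
NM_OUTPUT = """\
Registered connections modules:
No. Name           Newconn  Packet   End      Reload   Dup Type Dup Handler
0:  Accounting     00000000 00000000 d08ff920 00000000 Special  d08fed58
1:  Authentication d0976098 00000000 00000000 00000000 Special  d0975e7c
3:  NAT            00000000 00000000 d0955370 00000000 Special  d0955520
4:  SeqVerifier    d091e670 00000000 00000000 d091e114 Special  d091e708
6:  Tcpstreaming   d0913da8 00000000 d09732d8 00000000 None
7:  VPN            00000000 00000000 d155a8d0 00000000 Special  d1553e48
"""

# Old member (OM): constructed sample with an extra FloodGate-1 module (the
# mismatch the guide uses as its example); its addresses are made up.
OM_OUTPUT = """\
Registered connections modules:
No. Name           Newconn  Packet   End      Reload   Dup Type Dup Handler
0:  Accounting     00000000 00000000 d08ff920 00000000 Special  d08fed58
1:  Authentication d0976098 00000000 00000000 00000000 Special  d0975e7c
2:  FloodGate-1    d0920000 00000000 00000000 00000000 Special  d0920100
3:  NAT            00000000 00000000 d0955370 00000000 Special  d0955520
4:  SeqVerifier    d091e670 00000000 00000000 d091e114 Special  d091e708
6:  Tcpstreaming   d0913da8 00000000 d09732d8 00000000 None
7:  VPN            00000000 00000000 d155a8d0 00000000 Special  d1553e48
"""


def parse_conn_modules(output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each registered module name to its parsed row fields."""
    modules: Dict[str, Dict[str, Optional[str]]] = {}
    for line in output.splitlines():
        match = _ROW.match(line)
        if match:  # header and title lines do not match and are skipped
            row = match.groupdict()
            modules[row["name"]] = row
    return modules


def compare_members(om_output: str, nm_output: str) -> Dict[str, List[str]]:
    """Report modules present on one member only, plus the common set."""
    om = set(parse_conn_modules(om_output))
    nm = set(parse_conn_modules(nm_output))
    return {
        "only_on_om": sorted(om - nm),
        "only_on_nm": sorted(nm - om),
        "common": sorted(om & nm),
    }


def fcu_product_check_passes(om_output: str, nm_output: str) -> bool:
    """True only when both members register exactly the same module names."""
    diff = compare_members(om_output, nm_output)
    return not diff["only_on_om"] and not diff["only_on_nm"]


if __name__ == "__main__":
    report = compare_members(OM_OUTPUT, NM_OUTPUT)
    for key in ("only_on_om", "only_on_nm"):
        for name in report[key]:
            print(f"{key}: {name}")
    verdict = "OK" if fcu_product_check_passes(OM_OUTPUT, NM_OUTPUT) else "MISMATCH"
    print("FCU product check:", verdict)
```

In practice, save the output of fw ctl conn from each member to a file and pass the two texts to compare_members; a non-empty only_on_om or only_on_nm list means the product sets differ and the FCU must not proceed.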
All the Gateway configuration parameters should have the same values on the NM and the OM. The same rule applies to any other local configurations you may have set. For example, having the attribute block_new_conns with different values on the NM and on the OM might cause the FCU to fail since gateway behavior cannot be changed during the upgrade.
A cluster that performs static NAT using the gateway's automatic proxy ARP feature requires special considerations: cpstop the old Check Point Gateway right after running cphastop. Running cphastop is part of the upgrade procedure described in Zero Downtime Upgrade on a ClusterXL Cluster on page 214. Failure to do this may cause some of the connections that rely on proxy ARP to fail and may cause other connections that rely on proxy ARP not to open until the upgrade process completes. Note, however, that running cpstop on the old Check Point Gateway rules out the option to roll back to the OM while maintaining all live connections that were originally created on the OM.
2. First upgrade only one member, following the steps outlined in Zero Downtime Upgrade on a ClusterXL Cluster on page 214. Before you get to step 8 on page 216 (executing cphastop), run the following command on all the upgraded members: fw fcu <other member ip on sync network>. Then continue with step 8 on page 216 on all remaining OMs. For more than three members, divide the upgrade of your members so that the active cluster members can handle the amount of traffic during the upgrade.
Note - cphastop can also be executed from the Cluster object in the SmartConsole. Once cphastop is executed, do not run cpstart or cphastart again or reboot the machine.
The command output includes the following parameters:
- During FCU: This should be yes only after running the fw fcu command and before running cphastop on the final OM. In all other cases it should be no.
- Number of connection modules: Safe to ignore.
- Connection module map: The output reveals a translation map from the OM to the NM. For additional information, refer to Full Connectivity Upgrade Limitations on page 218.
- Table id map: This shows the mapping between the gateway's kernel table indices on the OM and on the NM. Having a translation is not mandatory.
- Table handlers: This should include sip_state and connection table handlers. In a security gateway configuration, a VPN handler should also be included.
- Global handlers: Reserved for future use.
Options
-t - table
-u - unlimited entries
-s - (optional) summary of the number of connections
For further information on the fw tab -t connections command, refer to the Command Line Interface Book.
Introduction
There are a number of reasons for performing an advanced upgrade, for example if you need to:
- Upgrade to R70 while replacing the Operating System on which the current Security Management Server is installed.
- Upgrade to R70 while migrating to a new server.
- Upgrade to R70 while avoiding unnecessary risks to the production Security Management server in case of failure during the upgrade process.
To avoid unnecessary risks, it is possible to migrate the current configuration of the production Security Management server to a new Security Management server.
Warning - When performing an advanced upgrade using the import-export tool, it is vital that the target machine has the same exact configuration as the source machine. For example, the same products should be installed on both. A product mismatch may result in a corrupt database.
This section describes the advanced upgrade procedure for Security Management Server. The advanced upgrade procedure involves two machines. The first machine is the working production machine, the source. The second machine, the destination, is off-line, and only contains the operating system of the latest release, in this case R70. Security Management server is installed on the second (destination) machine and the configuration of the first machine (the source) is imported. Advanced upgrade on all platforms except IPSO involves:
- Performing a new installation, and manually importing a previously exported configuration, or:
- Performing a new installation and upgrading through the wrapper. The wrapper automatically performs the install, and the upgrade_import process.
When migrating to a new Security Management server, the destination server should have the same IP configuration as the original Security Management server. If you are migrating to a new machine with a different IP address, see Migration to a New Machine with a Different IP Address on page 238.
Chapter 13
Warning: An advanced upgrade of Security Management server influences the behavior of the Eventia Reporter Server in regard to consolidation sessions. If you are deploying Eventia Reporter, before you perform an advanced upgrade of Security Management server, you must first remove Eventia Reporter's consolidation session. See Advanced Eventia Reporter Upgrade on page 301 for how to remove the consolidation session.
i. On the R70 Security Management server, locate the upgrade_export tool in the $FWDIR/bin/upgrade_tools directory.
ii. Copy the upgrade_export tool to the same directory on the source machine. (Before doing this, it is recommended to preserve the old upgrade tools by renaming them.)
iii. Run the upgrade_export tool:
9. Specify the Security Management Server type to install:
   - Primary Security Management
   - Secondary Security Management
   - Log server
10. Enter n.
11. Enter n to validate the products to install.
12. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   f. Start the installed products.
13. Log in again to the root account to set the new environment variables.
14. Transfer the exported configuration to the new Solaris installation, for example through FTP.
15. Change directory to /opt/CPsuite-R70/fw1/bin/upgrade_tools. Verify that the upgrade tools in this directory are the R70 upgrade tools, taken from the installation CD or downloaded from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
16. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
17. Enter y to stop all Check Point services. The license upgrade wrapper runs.
18. Enter c to continue, or q to quit.
19. Wait for the message: upgrade_import finished successfully!
20. Enter y to restart Check Point Services.
6. Enter n.
7. For the installation option, select Installation Using Imported Configuration.
8. To import a Security Management Server configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration. Enter n. The license upgrade wrapper runs.
9. Enter c to continue, or q to quit.
10. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the R70 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
11. Enter n.
12. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
13. Enter n.
14. Specify an upgrade option:
   - Upgrade installed products
   - Upgrade installed products and install new products
17. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   f. Start the installed products.
18. Reboot.
19. Log in again to the root account to set the new environment variables.
20. To start Check Point Services, run: cpstart.
ii. Export the configuration
iii. Upgrade the installation
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   - Enter [L] to view the licenses installed on your machine.
   - Enter [C] to check if currently installed licenses have been upgraded.
   - Enter [S] to simulate the license upgrade.
   - Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   - Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   - Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new licenses to the gateways.
To perform an advanced upgrade on SecurePlatform by manually importing the database:
1. On the R70 Security Management server, locate the upgrade_export tool in the $FWDIR/bin/upgrade_tools directory.
2. Copy the upgrade_export tool to the same directory on the source machine. (Before doing this, it is recommended to preserve the old upgrade tools by renaming them.)
3. Run the upgrade_export tool:
9. Select the installation type: Stand Alone or Distributed.
10. Select Security Management Server from the list.
11. Specify the Security Management Server type as Primary or Secondary.
12. Add licenses.
13. Configure an administrator name and password.
14. Configure the GUI clients and hosts which can access the Security Management server management component.
15. Configure Group Permissions.
16. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
17. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
18. When prompted, do not start the installed products.
19. From $FWDIR/bin/upgrade_tools, run upgrade_import.
20. Reboot.
21. Start the installed products by running cpstart.
10. Enter n.
11. Enter n to validate the products to install.
12. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   f. Start the installed products.
13. Log in again to the root account to set the new environment variables.
14. Transfer the exported configuration to the new Solaris installation, for example, using FTP.
15. Change the directory to /opt/CPsuite-R70/fw1/bin/upgrade_tools. Verify that the upgrade tools in this directory are the R70 upgrade tools taken from the installation CD or downloaded from the Check Point website.
16. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
17. Enter y to stop all Check Point services. The license upgrade wrapper runs.
18. Enter c to continue, or q to quit.
19. Wait for the message: upgrade_import finished successfully!
20. Enter y to restart Check Point Services.
10. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
11. Enter n.
12. Specify an upgrade option:
   - Upgrade installed products
   - Upgrade installed products and install new products
13. Enter n.
14. Enter n to validate the products to install.
15. After product installation, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   f. Start the installed products.
16. Reboot.
17. Log in again to the root account to set the new environment variables.
18. To start Check Point Services, run: cpstart.
4. On the new Security Management Server, remove the object you created to represent the new Security Management Server's IP address.
5. On the new Security Management Server, update the primary Security Management Server object so that its IP address and topology match its new configuration.
6. On the DNS, map the Security Management Server's DNS name to the new IP address.
This section covers the advanced upgrade procedure for security gateways. The advanced upgrade procedure involves two machines. The first machine is the working production machine. The second machine is off-line, and only contains the operating system. The Security Management server is freshly installed on the second machine and the configuration of the first machine is imported.
- Perform a fresh install of the security gateway, and import the configuration file. When prompted, select Installation using Imported Configuration. This option prompts you for the location of the exported .tgz configuration file, then automatically installs the new software and applies the imported .tgz configuration file.
- Perform a fresh install of the security gateway, and manually import the configuration file using the upgrade_import tool on the R70 CD.
Warning - The configuration (.tgz) file contains your security configuration. It is highly recommended to delete it after completing the import process.
To perform a new installation and manually import the configuration:
1. Insert CD2 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select New installation as the installation option.
6. Enter n.
7. From the list of products, select Security Management Server and Security gateway.
8. Enter n.
9. Specify the Security Management Server type to install:
   - Primary Security Management
   - Secondary Security Management
   - Log server
10. Enter n.
11. Enter n to validate the products to install.
12. After the installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   f. Start the installed products.
13. Log in again to the root account to set the new environment variables.
14. Transfer the exported configuration to the new Solaris installation, for example through FTP.
15. Change directory to /opt/CPsuite-R70/fw1/bin/upgrade_tools. Make sure that the upgrade tools in this directory are the R70 upgrade tools, taken from the installation CD or downloaded from the Check Point website.
16. Run ./upgrade_import <name_of_exported_configuration_file.tgz>
17. Enter y to stop all Check Point services. The license upgrade wrapper runs.
18. Enter c to continue, or q to quit.
19. Wait for the message: upgrade_import finished successfully!
20. Enter y to restart Check Point Services.
To perform a new installation and upgrade using the wrapper:
1. Insert CD2 of the R70 media kit into the CD drive, and mount the CD.
2. Run UnixInstallScript. The wrapper welcome message is displayed.
3. Enter n.
4. Enter y to agree to the End-user License Agreement.
5. Select Installation Using Imported Configuration for the installation option.
6. To import a Security Management Server configuration and upgrade it, enter the path to, and name of, the compressed file that contains the exported configuration. Enter n. The license upgrade wrapper runs.
7. Enter c to continue, or q to quit.
8. Select a source for the upgrade utilities. While the R65 upgrade utilities are on the R70 CD, it is recommended to download the latest tools from the Check Point website: http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
9. Enter n.
10. The pre-upgrade verification process runs automatically. View the results and follow the recommendations.
11. Enter n.
12. Specify an upgrade option:
   - Upgrade installed products
   - Upgrade installed products and install new products
13. Enter n.
14. Enter n to validate the products to install.
15. After the installation is complete, the Check Point Configuration Program opens. Use the Check Point Configuration program to:
   a. Add licenses: The Check Point Configuration Program only manages local licenses on this machine. The recommended way of managing licenses is through SmartUpdate.
   b. Configure GUI clients: A list of hosts which will be able to connect to this Security Management server using SmartConsole.
   c. Configure group permissions: Specifies a group name.
   d. Configure a pool of characters: For use in cryptographic operations. Type randomly until the progress bar is full.
   e. Configure the Certificate Authority: Saves the CA's Fingerprint to a file.
   f. Start the installed products.
16. Reboot.
17. Log in again to the root account to set the new environment variables.
18. To start Check Point Services, run: cpstart.
ii. Export the configuration.
iii. Upgrade the installation.
9. Enter c to agree to the license upgrade. The license upgrade process also handles gateway licenses in the SmartUpdate license repository. Select one of the following:
   - Enter [L] to view the licenses installed on your machine.
   - Enter [C] to check if currently installed licenses have been upgraded.
   - Enter [S] to simulate the license upgrade.
   - Enter [U] to perform the license upgrade, or generate a license file that can be used to upgrade licenses on a machine with no Internet access to the User Center.
   - Enter [O] to perform the license upgrade on a license file that was generated on a machine with no Internet access to the User Center.
   - Enter [Q] to quit.
10. Select a source for the upgrade utilities. Either download the most updated files from the Check Point website or use the upgrade tools contained on the CD. The exported configuration is automatically imported during the upgrade process.
11. Open SmartUpdate and attach the new licenses to the gateways.
13. Configure the GUI clients and hosts that can access the Security Management server management component.
14. Configure Group Permissions.
15. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
16. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
17. When prompted, do not start the installed products.
18. From $FWDIR/bin/upgrade_tools, run upgrade_import.
19. Reboot.
20. Start the installed products by running cpstart.
Introduction
This chapter describes methods and utilities for upgrading Provider-1 to the current version.
In This Section
- Supported Versions and Platforms (page 250)
- Before You Begin (page 250)
The latest information regarding supported platforms is always available in the Check Point Release Notes at http://support.checkpoint.com.
In This Section
- Pre-Upgrade Verifiers and Fixing Utilities (page 251)
- Installation Script (page 252)
- export_database (page 253)
- migrate_assist (page 256)
- cma_migrate (page 257)
- migrate_global_policies (page 262)
- Backup and Restore (page 262)
Chapter 14
Installation Script
Use the mds_setup installation script for MDS.
Note - When installing MDS on SecurePlatform, the installation is performed using the SecurePlatform installer on the CD. Do not run the mds_setup script directly. For additional information, refer to Provider-1 Upgrade Practices on page 264.
To run mds_setup:
1. Mount the Provider-1 CD from the relevant subdirectory.
2. Change the directory to the mounted directory.
3. Browse to either the Solaris or Linux directory, depending on the operating system of your MDS machine.
4. Run the installation script: ./mds_setup. When mds_setup is executed, it first checks for an existing installation of MDS:
   - If no such installation exists, mds_setup asks you to confirm a fresh installation of MDS.
   - If a previous version of MDS is detected, you are prompted to select one of the following options (Pre-Upgrade Verification Only, Upgrade or Backup), described below.
5. Exit all shell sessions. Open a new shell in order for the new environment to be set.
Upgrade
When the upgrade option is used, mds_setup runs the Pre-Upgrade Verifier and, if no errors are found, the upgrade process proceeds. In case of errors, mds_setup stops the installation until all the errors are fixed. In some cases, mds_setup suggests automatically fixing the problem using a fixing utility. Fixing utilities that affect the existing installation can also be run from the command line. You can choose to stop the installation and run the fixing utility from the command line.
There are two important things to remember after changing your existing installation:
- Verify your changes in the existing installation before you upgrade.
- Synchronize global policies. If you make changes in global policies, reassign these global policies to customers.
If you have a multi-MDS environment:
- Synchronize databases between MDSs in High Availability.
- Synchronize databases between CMAs in High Availability.
- Install the database on CLMs.
Backup
Prior to performing an upgrade, back up your MDS. The backup option from mds_setup runs the mds_backup process (refer to mds_backup). Backup is also used for replication of your MDS to another machine. Manual operations are necessary if you are switching IP addresses or network interface names. For additional information, refer to Changing the MDS IP Address and External Interface on page 281.
export_database
The export_database utility allows you to export an entire database into one .tgz file that can be imported into a different MDS machine. The following can be exported:
- An entire CMA database
- An entire Security Management database
- An MDS Global Policy database
This tool can be used instead of migrate_assist: migrate_assist exports the database remotely, file by file, whereas export_database creates one comprehensive file on the source machine. The export_database tool is supported on Linux and Solaris 2. If you are running other platforms, use migrate_assist to export all files, including the global policy.
Before using the export_database utility, you must:
1. Copy the export tool .tgz file for your operating system to the source CMA or Security Management server. The export tool files can be found on your installation CD or on the Check Point support website, http://support.checkpoint.com.
2. Untar the export tool .tgz file to some path on the source machine. A directory called export_tools is extracted.
3. Run the export_database commands from the export_tools directory.
After exporting the databases using export_database, transfer the .tgz files to the target machine. Import the CMA or Security Management files using cma_migrate and import the Global Policy file using the migrate_global_policies command.
Usage
Exporting a CMA:
Other flags:
Table 14-1 export_database flags
Flag   Meaning
-h     Display usage
-b     Batch mode
-l     Include the log database
-m     Include the SmartMap database
Example
To export the database of a CMA, CMA1, including its log database, to the path /var/tmp, use the following command:
./export_database.sh /var/tmp c CMA1 -l
To export a Security Management database, including its SmartMap database, to the path /var/tmp, use the following command:
./export_database.sh /var/tmp -m
To export an MDS's Global Policy to the path /var/for_export, use the following command:
./export_database.sh /var/for_export g
merge_plugin_tables
The merge_plugin_tables utility is included in the export_database utility. It searches for all CMA or Security Management Plug-ins and merges the Plug-in tables with the CMA or Security Management tables. In Linux and Solaris 2, the merge_plugin_tables tool runs automatically when you run the export_database tool and its output becomes part of the CMA database .tgz file. If you have a Security Management server running on FreeBSD, IPSO 6, or WIN32 you can and should use merge_plugin_tables to consolidate your Plug-in information before exporting files using migrate_assist.
Before using the merge_plugin_tables utility, you must:
1. Copy the export tool .tgz file for your operating system to the source CMA or Security Management server. The export tool files can be found on your installation CD or on the Check Point support website, http://support.checkpoint.com.
2. Untar the export tool .tgz file to some path on the source machine. A directory called export_tools is extracted.
3. Run the merge_plugin_tables command from the export_tools directory.
Usage
merge_plugin_tables <-p conf_dir> [-s] [-h]
where <-p conf_dir> is the path of $FWDIR directory of the CMA/Security Management, -s performs the utility in silent mode (default is interactive mode), and -h displays usage.
Example
To merge the Plug-in tables of a CMA, CMA1, run the following commands:
mdsenv cma1
merge_plugin_tables -p "$FWDIR"
migrate_assist
This utility is a helper utility for cma_migrate. It can be used to pull the original management directories to the current disk storage using FTP. When you finish running migrate_assist, it is possible to run cma_migrate (refer to cma_migrate on page 257), the input directory of which will be the output directory of migrate_assist. You can use export_database instead of migrate_assist to export a CMA, Security Management, or Global Policy database if your source machine is running on Linux 30 or Solaris 2. See export_database on page 253 for more information.
Note - Before running migrate_assist, stop source management processes and merge Plug-in tables.
Usage
migrate_assist <source machine name/ip> <source FWDIR folder> <user name> <password> <target folder> <source CPDIR folder>
Example
To import a Security Management server with the IP address 192.168.0.5 of version NGX R60, use the following command:
Note - When the source management is a Security Management version R70 or higher, running on Windows, the following procedure should be done before running migrate_assist:
1. Run the command: cpprod_util CPPROD_GetInstalledPlugIns > plugins.txt.
2. Copy the resulting file (plugins.txt) to the %FWDIR%\conf directory.
3. If you have Plug-ins installed, run merge_plugin_tables before running migrate_assist.
cma_migrate
This utility is used to import an existing Security Management server or CMA into a Provider-1 MDS so that it will become one of its CMAs. If the imported Security Management or CMA is of a version earlier than the MDS to which it is being imported, then the Upgrade process is performed as part of the import. The available versions are listed in Supported Versions and Platforms on page 250. It is recommended to run cma_migrate to import CMA or Security Management database files created using the export_database tool. Bear in mind that the source and target platforms may be different. The platform of the source management to be imported can be Solaris, Linux, Windows, SecurePlatform or IPSO.
Before running cma_migrate, create a new customer and a new CMA. Do not start the CMA, or cma_migrate will fail. If you are migrating a CMA to a new CMA with a different IP address, follow the instructions in Migration to a New Machine with a Different IP in the Check Point Internet Security Products Upgrade Guide. The source database's subdirectories to be migrated are conf, database, registry, and log. The $CPDIR/conf directory should be named conf.cpdir and placed inside <old source database directory path> to avoid overwriting the $FWDIR/conf directory.
Note - The registry directory is required only if you are upgrading from version R70 or higher.
When the source management is a Security Management version R70 or higher, running on Windows, the following procedure should be done before creating <source management directory path>:
1. Run: cpprod_util CPPROD_GetInstalledPlugIns > plugins.txt.
2. Copy the resulting file (plugins.txt) to the %FWDIR%\conf directory.
Usage
cma_migrate <source management directory path> <target CMA FWDIR directory>
Example
cma_migrate /tmp/exported_smc.22Jul2007-224020.tgz /opt/CPmds-FLO/customers/cma2/CPsuite-FLO/fw1
The first argument (<source management directory path>) specifies a path on the local MDS machine where the data of the source management resides. Use migrate_assist to build this source directory or build it manually. Set the structure under the source management directory as described in Table 14-2.
Table 14-2 Source Management Structure
Directory    Contents
conf         The information that resides in $FWDIR/conf of the source management.
database     The information that resides in $FWDIR/database of the source management.
log          The information that resides in $FWDIR/log of the source management, or empty if you do not wish to maintain the logs.
conf.cpdir   The information that resides in $CPDIR/conf of the source management.
registry     Required only if you are upgrading from version R70 or higher. The information that resides in $CPDIR/registry of the source management.
The second argument (<target CMA FWDIR directory>) is the FWDIR of the newly created CMA.
Note - To run the cma_migrate utility from the MDG, right-click a CMA and select Import Customer Management Add-on from the menu. You can also run mdscmd migratecma to import files to an MDS.
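The source management directory is easy to get wrong by hand, because $FWDIR/conf and $CPDIR/conf would both land in conf. The POSIX shell functions below are an added example, not code from the Check Point guide or product: they assemble the Table 14-2 layout from local copies of the source $FWDIR and $CPDIR and then check it; all paths are caller-supplied assumptions and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): assemble and validate the
# <source management directory path> layout of Table 14-2 for cma_migrate.
# All paths are caller-supplied assumptions; the sample tree is constructed.

# build_cma_source_dir <dest> <copy of source $FWDIR> <copy of source $CPDIR>
# conf, database and log come from the FWDIR copy; the CPDIR conf directory is
# stored as conf.cpdir so it cannot overwrite $FWDIR/conf, and CPDIR/registry
# (present on R70 or later sources only) is stored as registry.
build_cma_source_dir() {
    dest=$1; src_fwdir=$2; src_cpdir=$3
    mkdir -p "$dest" || return 1
    for d in conf database; do
        [ -d "$src_fwdir/$d" ] || { echo "missing $src_fwdir/$d" >&2; return 1; }
        cp -R "$src_fwdir/$d" "$dest/$d" || return 1
    done
    # log is optional: leaving it empty means the logs are not kept
    mkdir -p "$dest/log" || return 1
    if [ -d "$src_fwdir/log" ]; then
        cp -R "$src_fwdir/log/." "$dest/log/" || return 1
    fi
    [ -d "$src_cpdir/conf" ] || { echo "missing $src_cpdir/conf" >&2; return 1; }
    cp -R "$src_cpdir/conf" "$dest/conf.cpdir" || return 1
    if [ -d "$src_cpdir/registry" ]; then
        cp -R "$src_cpdir/registry" "$dest/registry" || return 1
    fi
    return 0
}

# check_cma_source_dir <dir> <source is R70 or later: yes|no>
# Returns 0 when the layout matches Table 14-2, 1 otherwise.
check_cma_source_dir() {
    dir=$1; r70=$2; rc=0
    for d in conf database log conf.cpdir; do
        if [ ! -d "$dir/$d" ]; then
            echo "check: $dir/$d is missing" >&2; rc=1
        fi
    done
    if [ "$r70" = yes ] && [ ! -d "$dir/registry" ]; then
        echo "check: registry is required for an R70 or later source" >&2; rc=1
    fi
    # an empty conf.cpdir usually means $CPDIR/conf was dropped into conf/
    if [ -d "$dir/conf.cpdir" ] && [ -z "$(ls -A "$dir/conf.cpdir")" ]; then
        echo 'check: conf.cpdir is empty; $CPDIR/conf was not copied' >&2; rc=1
    fi
    return $rc
}

# make_sample_source_tree <base> <with registry: yes|no>
# Builds a constructed stand-in for copies of a source $FWDIR and $CPDIR
# (marker files only, no real Check Point data).
make_sample_source_tree() {
    base=$1
    mkdir -p "$base/fwdir/conf" "$base/fwdir/database" "$base/fwdir/log" \
             "$base/cpdir/conf" || return 1
    : > "$base/fwdir/conf/sample_fw.conf"
    : > "$base/fwdir/database/sample.db"
    : > "$base/cpdir/conf/sample_cp.conf"
    if [ "$2" = yes ]; then
        mkdir -p "$base/cpdir/registry" || return 1
        : > "$base/cpdir/registry/sample.reg"
    fi
    return 0
}

# demo_cma_source_dir: end-to-end run on a constructed R70-style source tree
demo_cma_source_dir() {
    base=$(mktemp -d) || return 1
    make_sample_source_tree "$base" yes || return 1
    build_cma_source_dir "$base/src_mgmt" "$base/fwdir" "$base/cpdir" || return 1
    if check_cma_source_dir "$base/src_mgmt" yes; then rc=0; else rc=1; fi
    rm -rf "$base"
    return $rc
}

demo_cma_source_dir && echo "source management directory layout is valid"
```

Run check_cma_source_dir against the directory you intend to pass to cma_migrate before starting the import; a failure there is cheaper than a failed migration.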
Additional Information
When running cma_migrate, pre-upgrade verification takes place. If no errors are found, then the migration continues. If errors are found, changes must be performed on the original Security Management server.
migrate_global_policies
The migrate_global_policies command transfers (and upgrades, if necessary) a global policies database from one MDS to another. If the global policies database on the target MDS has policies that are assigned to customers, migrate_global_policies aborts. This is done to ensure that the Global Policy used at the Customer's site is not deleted.
Note - When executing the migrate_global_policies utility, the MDS will be stopped. The CMAs can remain up and running.
Usage
migrate_global_policies <path global policies conf database>
<path global policies conf database>: Specifies the fully qualified path to the directory where the global policies files, originally exported from the source MDS ($MDSDIR/conf), are located.
Note - migrate_global_policies fails if there is a global policy assigned to a Customer. Do not create and assign any Global Policy to a Customer before you run migrate_global_policies.
mds_backup
This utility stores binaries and data from your MDS installation. Running mds_backup requires superuser privileges. This utility runs the gtar command on the root directories of data and binaries. Any extra information located under these directories is backed up, except for files that are specified in the mds_exclude.dat file ($MDSDIR/conf). The collected information is wrapped in a single zipped tar file. The name of the created backup file comprises the date and time of the backup, followed by the extension .mdsbk.tgz. For example: 13Sep2002-141437.mdsbk.tgz. The file is placed in the current working directory, so it is important not to run mds_backup from one of the directories that is to be backed up.
Usage
mds_backup
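Because mds_backup writes its archive into the current working directory, a backup started from inside one of the archived trees ends up archiving itself. The functions below are an added example, not part of the guide or of mds_backup: they refuse a working directory that lies under any backed-up root and check a file name against the documented <date>-<time>.mdsbk.tgz form. The guide does not list the root directories, so the caller passes them in (an assumption).

```shell
#!/bin/sh
# Added example (not from the Check Point guide or the mds_backup script):
# refuse to run a backup from inside a directory that the backup archives,
# and check that a backup file name has the documented <date>-<time>.mdsbk.tgz
# form. Backed-up root directories are supplied by the caller (assumption).

# is_inside <path> <root>: 0 when <path> is <root> or lies below it.
# Both are resolved with cd -P so symlinked paths compare correctly;
# a path that does not exist is treated as "not inside".
is_inside() {
    p=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    r=$(cd -P -- "$2" 2>/dev/null && pwd -P) || return 1
    # the trailing slash stops /opt/CPmdsX from matching root /opt/CPmds
    case "$p/" in
        "$r"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# safe_backup_cwd <cwd> <root>...: 0 when <cwd> is outside every root,
# 1 (with a message) when the backup file would land inside the archive set.
safe_backup_cwd() {
    cwd=$1; shift
    for root in "$@"; do
        if is_inside "$cwd" "$root"; then
            echo "refusing: $cwd is inside backed-up root $root" >&2
            return 1
        fi
    done
    return 0
}

# backup_name_ok <name>: 0 when <name> looks like 13Sep2002-141437.mdsbk.tgz
# (two-digit day, three-letter month, four-digit year, six-digit time)
backup_name_ok() {
    case "$1" in
        [0-3][0-9][A-Z][a-z][a-z][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9].mdsbk.tgz) return 0 ;;
        *) return 1 ;;
    esac
}

# demo_backup_guard: exercise the guard on a constructed directory tree
demo_backup_guard() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/mds/conf" "$base/backups" || return 1
    # a separate backups directory is a fine place to run from
    safe_backup_cwd "$base/backups" "$base/mds" || return 1
    # running from inside the MDS tree must be refused
    if safe_backup_cwd "$base/mds/conf" "$base/mds" 2>/dev/null; then return 1; fi
    rm -rf "$base"
    backup_name_ok 13Sep2002-141437.mdsbk.tgz
}

demo_backup_guard && echo "backup location guard behaves as expected"
```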
mds_restore
Restores an MDS that was previously stored with mds_backup. For correct operation, mds_restore requires a fresh installation of an MDS from the same version of the MDS to be restored.
In-Place Upgrade
The in-place upgrade process takes place on the existing MDS machine. The MDS with all its CMAs is upgraded during a single upgrade process.
Note - When upgrading Provider-1, all SmartUpdate packages on the MDS (excluding SofaWare firmware packages) are deleted from the SmartUpdate Repository.
1. Run the Pre-upgrade verification only option from mds_setup. In a multi-MDS environment, perform this step on all MDSes (refer to Upgrading in a Multi-MDS Environment on page 271 for details).
2. Make the changes required by the pre-upgrade verification, and if you have High Availability, perform the required synchronizations.
3. Test your changes as follows:
   a. Assign the global policy.
   b. Install policies to CMAs.
   c. Verify logging using SmartView Tracker.
   d. View status using the MDG or SmartView Monitor.
4. Back up your system either by selecting the backup option in mds_setup or by running mds_backup.
5. Perform the in-place upgrade. For Solaris or Linux, use mds_setup (see Installation Script on page 252). For SecurePlatform, run patch add cd (see Upgrading to R70 on SecurePlatform on page 265).
6. After the upgrade completes, retest using the sub-steps in step 3 above.
3. Restore the MDS on the target machine. Copy the file created by the backup process to the target machine and run mds_restore, or run mds_setup and select the Restore option.
4. If your target machine and the source machine have different IP addresses, follow the steps listed in IP Address Change on page 281 to adjust the restored MDS to the new IP address. If your target machine and the source machine have different interface names (e.g. hme0 and hme1), follow the steps listed in Interface Change on page 281 to adjust the restored MDS to the new interface name.
5. Test to confirm that the replication has been successful:
   a. Start the MDS.
   b. Verify that all CMAs are running and that you can connect to the MDS with MDG and Global SmartDashboard.
   c. Connect to CMAs using SmartDashboard.
6. Upgrade your MDS. Stop the MDS on the target machine and employ an In-Place Upgrade (for additional information, refer to In-Place Upgrade on page 264).
7. Copy the /opt/CPmds-R70/conf/mdsdb/cp-admins.C file to the same location on the destination MDS.
8. Start the MDS.
$CPDIR/conf/lic_cache.C
All CMA and MDS licenses reside in cp.license, and all licenses appear in the cache.
3. On the target MDS, create a customer and CMA but do not start the CMA.
4. Use the export_database utility to export the CMA database into a .tgz file and transfer the file from the source machine to the destination machine. For additional information, refer to export_database on page 253. This process transfers the licenses for both the CMA and the CMA repository.
5. Use cma_migrate to import the CMA. For additional information, refer to cma_migrate on page 257.
6. Start the CMA and run:
mdsenv
mdsstart
7. Use migrate_global_policies to import the global policies.
2. If some of your CMAs have already been migrated and some have not and you would like to use the Global Policy, make sure that it does not contain gateways of non-existing customers. To test for non-existing customers, assign this Global Policy to a customer. If the assignment operation fails and the error message lists problematic gateways, you have at least one non-existing customer. If this occurs:
Chapter 14
a. Run the Where Used query from Global SmartDashboard > Manage > Network Objects > Actions to identify where the problematic gateway(s) are used in the Global Policy. Review the result set, and edit or delete list items as necessary. Make sure that no problematic gateways are in use.
b. The gateways must be disabled from global use:
i. From the MDG's General View, right-click a gateway and select Disable Global Use.
ii. If the globally used gateway refers to a gateway of a customer that was not migrated, you can remove the gateway from the global database from the command line. First, make sure that the Global SmartDashboard is not running, and then execute:
mdsenv; remove_globally_used_gw <Global name of the gateway>
3. When issuing the command migrate_global_policies where the existing Global Policy contains Global Communities, the resulting Global Policy contains:
- the globally used gateways from the existing database
- the globally used gateways from the migrated database
As a result of the migration, the Global Communities are overridden by the migrated database.
4. The gradual upgrade does not restore the Global Communities statuses. Therefore, if either the existing or the migrated Global Policy contains Global Communities, reset the statuses from the command line (with the MDS live):
mdsenv; fwm mds rebuild_global_communities_status all
Before migrating the management part of the standalone gateway to the target CMA, some adjustments are required:
1. Make sure that:
- FTP access is allowed between the MDS machine (on which the target CMA is located) and the standalone machine. (This is only necessary if you plan to use migrate_assist.)
- The target CMA is able to communicate with and install policy on all gateways.
2. Add an object representing the CMA (name and IP address) and define it as a Secondary Security Management server.
3. Install policy on all managed gateways.
4. Delete all objects or access rules created in steps 1 and 2.
5. If the standalone gateway already has Check Point Security Gateway installed:
- Clear the Firewall option in the Check Point Products section of the gateway object. You may have to first remove it from the Install On column of your rulebase (and then add it again).
- If the standalone gateway participates in a VPN community, in the IPSec VPN tab, remove it from the community and erase its certificate.
Note these changes in order to undo them after the migration.
6. Save and close SmartDashboard. Do not install policy.
7. To migrate the management part to the CMA, run:
migrate_assist <Standalone_GW_NAME> <Standalone_GW_FWDIR> <username> <password> <target_dir> <Standalone_GW_CPDIR>
8. Create a new CMA on the MDS, but do not start it.
9. Migrate the exported database into the CMA. Use cma_migrate or the import operation from the MDG, specifying as an argument the database location you used as <target_dir> in the migrate_assist command.
10. To configure the CMA after migration, start the CMA and launch SmartDashboard.
11. In SmartDashboard, under Network Objects, locate:
- An object with the Name and IP address of the CMA primary management object (migrated). Previous references to the standalone management object now refer to this object.
- An object for each gateway managed previously by Security Management.
12. Edit the Primary Management Object and remove all interfaces (Network Object > Topology > Remove).
13. Create an object representing the gateway on the standalone machine (from New > Check Point > Gateway), and:
Chapter 14 Upgrading Provider-1
- Assign a Name and IP address for the gateway.
- Select the appropriate Check Point version.
- Select the appropriate Check Point Products you have installed.
- If the object previously belonged to a VPN Community, add it back.
- Do not initialize communication.
14. Run Where Used on the primary management object and, in each location, consider changing to the new gateway object.
15. Install the policy on all gateways, except for the standalone gateway. You may see warning messages about this gateway because it is not yet configured. These messages can be safely ignored.
16. Uninstall the standalone gateway.
17. Install a gateway only on the previous standalone machine.
18. From the CMA SmartDashboard, edit the gateway object created in step 12 and establish trust with that gateway.
19. On the same object, define the gateway's topology.
20. Install the Policy on the gateway.
Multi-MDS environments may contain High Availability components at the MDS or the CMA level. They may also contain different types of MDSes: managers, containers, or combinations of the two. In general, High Availability helps to reduce downtime during an upgrade. This section provides guidelines for performing an upgrade in a multi-MDS environment. Specifically, it explains the order of upgrade and synchronization issues.
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
To update CLM/CMA objects that are located on a specific MLM/MDS (in case other MDSs were not yet upgraded), run:
The database to import is the database belonging to the primary CMA/Security Management Server. Before importing, verify that the database has been synchronized. Also perform these steps if you want to migrate your current High Availability environment to a CMA High Availability on a different MDS. Then, continue with a High Availability deployment (for more information, see the High Availability chapter in the Check Point Provider-1/SiteManager-1 Administration Guide).
Restarting CMAs
After completing the upgrade process, CMAs should be started sequentially using the command mdsstart -s.
Renaming Customers
In This Section
Identifying Non-Compliant Customer Names
High Availability Environment
Automatic Division of Non-Compliant Names
Resolving Non-Compliance
Advanced Usage
Earlier Provider-1 versions allowed customer names or CMA names to contain illegal characters, such as spaces and certain keyword prefixes. The current version does not permit this. It is necessary to rename customers and CMAs so that their names comply with the current version's naming restrictions.
Resolving Non-Compliance
During the upgrade procedure, after selecting Option 2 - Upgrade to R70 on the mds_setup menu, non-compliant names are resolved. The translation prompt is only displayed if a non-compliant name is detected.
Note - Nothing is changed in the existing installation when translating customer names. Any changes are applied only to the upgraded installation.
Translation prompt - Enter a name to replace the non-compliant name, or enter the '-' sign to get a menu of additional options. The new name is checked for compliance with the naming restrictions and is not accepted until you enter a compliant name.
Additional Options Menu
- Edit another name - The customer names are presented in alphabetical order. Choose this option to edit a customer name that was already translated, or any other customer name.
- Skip this name - Choose this option if you are not sure what to do with this name and want to come back to it later. The upgrade cannot take place until all non-compliant customer names are translated.
- Quit session and save recent translations - Choose this option if you want to save all the work that was done in this session and resume later.
- Quit session and throw away recent translations - Choose this option if you want to abort the session and undo all the translations that you entered during this session.
- Return to translation prompt - Choose this option if you want to return to the customer name you were prompted with when you entered '-'.
Note - The pre-upgrade tool allows only non-compliant customer names to be translated.
If the session is exited before all the translations are done, the mds_setup utility exits with an error message stating that the MDS verification failed. To return to the tool, simply run mds_setup again and choose Option 2 - Upgrade to R70.
High Availability
After completing the translations on the first MDS, copy the following files to the other MDSes. If the MDSes are properly synchronized, no additional work is required.
Files to be copied:
/var/opt/CPcustomers_translated.txt
/var/opt/CPcustomers_translated.md5
When running the tool a second time, the customer names that have already been translated are shown before the first non-compliant name is displayed. This is also the case when running on an additional MDS.
Advanced Usage
An advanced user may choose to directly edit the translation file, /var/opt/CPcustomers_translated.txt. In this case, all the translations are verified when mds_setup is run again.
Translations file format - The file is structured line-wise. Each line's meaning is indicated by its first character. An empty line is ignored. Any line that does not obey the syntax causes the file to be rejected with an appropriate message.
Table 14-3 Line Prefixes
Line Prefix | Meaning | Comment
# | A comment line. | May be inserted anywhere.
- | Existing non-compliant name. | Must exactly match an existing non-compliant name, otherwise it will be rejected.
+ | New name paired with a '-' line. | If the entry does not comply with the naming restrictions, it is ignored.
The '-' and '+' lines must form pairs. Otherwise, the file is rejected.
If the translations file is manually modified, mds_setup detects it and displays the following menu:
1. Use the translations file anyway - Choose this option only if an authorized person modified it. This option reads the file, verifies its content and uses the translations therein.
2. Ignore the translations file and generate a new one - Choose this option to overwrite the contents of the file.
3. Quit and leave the translations file as it is - Choose this option to exit mds_setup and leave the translations file as is for now. Run mds_setup again when you are sure that option 1 or option 2 is suitable.
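The line rules above turned into a checker, as an added example that is not Check Point's code: it parses a translations file, rejects the malformed cases the guide lists, reports which non-compliant names still block the upgrade, and compares the file against its companion .md5. The '-'-before-'+' order, the naming restriction used, and the layout of the .md5 file are assumptions, not taken from the guide.

```python
"""Checker for a /var/opt/CPcustomers_translated.txt-style translations file.

Added example, not Check Point's code.  Rules taken from the guide: '#' is a
comment and may appear anywhere, empty lines are ignored, '-' must exactly
match an existing non-compliant name (else the file is rejected), a '+'
entry that is not compliant is ignored, '-'/'+' lines must form pairs, and
any other line rejects the file.  Assumptions not in the guide: '-' precedes
its '+' line, the naming restriction below, and the .md5 file's layout.
"""
from __future__ import annotations

import hashlib
import re

# Assumed naming restriction: letters, digits, '_' and '-' only (no spaces) and
# none of these made-up reserved keyword prefixes.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
_RESERVED_PREFIXES = ("global_", "cma_")


class TranslationsFileError(ValueError):
    """The file must be rejected (bad syntax, unknown name or unpaired line)."""


def is_compliant(name: str) -> bool:
    """True if NAME passes the (assumed) naming restrictions."""
    return bool(_NAME_RE.match(name)) and not name.lower().startswith(_RESERVED_PREFIXES)


def parse_translations(text: str, non_compliant: set[str]) -> dict[str, str | None]:
    """Return {non_compliant_name: new_name}; the value is None where the '+' entry was ignored."""
    translations: dict[str, str | None] = {}
    pending: str | None = None  # '-' name waiting for its '+' line
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == "":  # empty lines are ignored
            continue
        prefix, body = raw[0], raw[1:].strip()
        if prefix == "#":  # comments may be inserted anywhere
            continue
        if prefix == "-":
            if pending is not None:
                raise TranslationsFileError(f"line {lineno}: previous '-' line has no '+' line")
            if body not in non_compliant:
                raise TranslationsFileError(f"line {lineno}: {body!r} is not an existing non-compliant name")
            pending = body
        elif prefix == "+":
            if pending is None:
                raise TranslationsFileError(f"line {lineno}: '+' line without a preceding '-' line")
            # A non-compliant replacement is ignored rather than rejected: the name stays untranslated.
            translations[pending] = body if is_compliant(body) else None
            pending = None
        else:
            raise TranslationsFileError(f"line {lineno}: unexpected line prefix {prefix!r}")
    if pending is not None:
        raise TranslationsFileError("file ends with an unpaired '-' line")
    return translations


def file_is_accepted(text: str, non_compliant: set[str]) -> bool:
    """True unless mds_setup-style verification would reject the file."""
    try:
        parse_translations(text, non_compliant)
        return True
    except TranslationsFileError:
        return False


def untranslated(translations: dict[str, str | None], non_compliant: set[str]) -> list[str]:
    """Names that still block the upgrade: never paired, or paired with an ignored '+'."""
    return sorted(n for n in non_compliant if translations.get(n) is None)


def record_md5(txt_bytes: bytes) -> str:
    """Digest in the layout assumed for CPcustomers_translated.md5 (hex digest first)."""
    return hashlib.md5(txt_bytes, usedforsecurity=False).hexdigest()


def file_was_modified(txt_bytes: bytes, md5_file_text: str) -> bool:
    """True if the .txt no longer matches the recorded digest.  This is a change
    hint, not tamper evidence: whoever edits the file can regenerate the .md5."""
    tokens = md5_file_text.split()
    return record_md5(txt_bytes) != (tokens[0].lower() if tokens else "")


# Constructed sample: one good pair and one '+' entry that still contains spaces.
SAMPLE_FILE = """# written by mds_setup, then edited by hand
- Acme Corp
+ Acme_Corp

- Bank of Somewhere
+ Bank of Somewhere
"""
SAMPLE_NON_COMPLIANT = {"Acme Corp", "Bank of Somewhere"}
```

Running `parse_translations(SAMPLE_FILE, SAMPLE_NON_COMPLIANT)` accepts the file but leaves "Bank of Somewhere" untranslated, which is exactly the state in which mds_setup would still refuse to upgrade.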
IP Address Change
If your target machine and the source machine have different IP addresses, follow the steps listed below to adjust the restored MDS to the new IP address.
To change the IP address:
1. The MDS must be stopped. Stop the MDS by running mdsstop.
2. Change the IP address in the $MDSDIR/conf/LeadingIP file to the new IP address.
3. Edit the $MDSDIR/conf/mdsdb/mdss.C file. Find the MDS object that has the source MDS IP address and change its IP address to the new IP address. Do not change the name of the MDS.
4. Install a new license on the target MDS with the new MDS IP address.
5. For multiple MDS/MLM environments, repeat steps 1 to 4 on each MDS/MLM for the MDS/MLM whose IP address you changed.
Interface Change
If your target machine and the source machine have different interface names (e.g., hme0 and hme1), follow the steps listed below to adjust the restored MDS to the new interface name.
To change the interface:
1. Change the interface name in the file $MDSDIR/conf/external.if to the new interface name.
2. For each CMA, replace the interface name in $FWDIR/conf/vip_index.conf.
IPS in Provider-1
When upgrading to R70, the previous IPS configuration of the Customer is overridden on the first Global Policy Assign. It is recommended to save each Customer's Security Policy so that the settings can be restored after the upgrade. To do so, from the MDG, go to Customer Configuration window > Assign Global Policy tab, and enable Create database version.
Customers who are upgrading to Provider-1 R70 should note that the IPS subscription has changed. All customers subscribed to IPS are automatically assigned to an Exclusive subscription. Override and Merge subscriptions are no longer supported. See the Global Policy Chapter of the Provider-1 R70 Administration Guide for detailed information.
When upgrading VPN-1 Power/UTM ROBO gateways, the upgrade process removes the initial Plug & Play license from your gateway. Trying to perform a remote upgrade on a gateway without a valid NGX license will succeed, but this gateway will not be able to load the correct policy after the upgrade. Make sure that all gateways have valid permanent NG and NGX licenses installed before the upgrade.
Chapter 15
The added assigned licenses are shown grayed-out because they are not yet attached.
4. Click OK to attach the Assigned Licenses to this ROBO. The ROBO gateway now has both NG and NGX licenses. The Licenses window shows that the NGX license is Attached, and the NG license is Obsolete, meaning that it is no longer needed. The NG license is useful because if you need to downgrade the Gateway version, the Gateway will keep on working.
5. Repeat from step 2 for each ROBO gateway.
Full Upgrade
This method automatically performs all the required checks and actions for you. When it successfully completes, the upgraded ROBO Gateway is ready for use. This is the recommended method to upgrade VPN-1 Power/UTM ROBO Gateways.
To perform a full upgrade:
1. From SmartProvisioning, select the line representing the VPN-1 Power/UTM ROBO Gateway to be upgraded.
2. Select Actions > Packages > Upgrade All Packages. This selection can also be done through the right-click menu, or the Upgrade All Packages icon in the toolbar. The upgrade process begins with a verification stage, checking which version is currently installed on the gateway and whether the required packages exist in your Package Repository. When it completes, a Verification Details window opens, showing you the verification results.
3. Select Change to a new Profile after upgrade, and select the appropriate new SmartLSM Profile from the list.
4. Select Allow reboot if required.
5. Click the Continue button.
The Upgrade process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The entire progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).
Specific Installation
This method can be used to install a specific product on a ROBO Gateway.
To perform a specific installation:
1. From SmartLSM, select the line representing the VPN-1 Power/UTM ROBO gateway you want to upgrade.
2. Select Actions > Packages > Get Gateway Data to fetch information about Packages currently installed on the VPN-1 Power/UTM ROBO gateway.
3. Select Actions > Packages > Distribute Package, or right-click and select Distribute Package, or click the icon in the toolbar. The Distribute Package window opens. This window displays the relevant packages from the Package Repository that can be installed on your VPN-1 Power/UTM ROBO gateway.
4. In the Distribute Package window, select the package you want to install. You can then select one of the following actions:
- Distribute and install packages
- Only distribute packages (install later)
- Install previously distributed packages
5. The Allow Reboot if required option should be selected only when upgrading VPN-1. If you do not select this option, manually reboot the gateway from its console. The gateway is rebooted after the package installation is completed.
Note - If you are doing a step-by-step upgrade, do not select Allow Reboot if required.
6. If the operating system is SecurePlatform, you can select Backup image for automatic revert, in case the installation does not succeed.
7. The option Change to a new profile after install lets you select the SmartLSM Profile that will be assigned to the package upon installation. When upgrading the VPN-1 Power/UTM ROBO gateway, you must provide a suitable SmartLSM Profile from the target version. If you are installing a package that does not require changing the SmartLSM Profile of the VPN-1 Power/UTM ROBO gateway, this field remains disabled.
8. Click the Start button.
9. The Install process begins. Its stages and completion status can be seen in the Action Status pane, at the bottom of SmartLSM. The whole progress report can be seen at any time by viewing the Action History (right-click on the respective line in the Action Status pane, and select Action History).
Note - You can verify if the installation will succeed before actually upgrading the ROBO Gateway by choosing Actions > Packages > Verify Installation.
For general usage and help, type the command LSMcli --help.
The LSMcli command line arguments are fully described in the Command Line Reference chapter of the R70 SmartProvisioning Administration Guide. A partial list of arguments is shown in Table 15-1, which lists only the arguments that are important for performing upgrades.
Table 15-1 LSMcli Command line arguments for upgrades
Argument | Meaning
-d | (Optional) Run the command with debug output.
Server | The IP or hostname of the Security Management server.
User Password | The username and password of a Security Management Server Administrator.
ROBO | The name of the ROBO Gateway to be upgraded.
-F Firmware | The firmware version of the UTM-1 Edge ROBO Gateway.
-P=Profile | (Optional) The SmartLSM Profile name the ROBO Gateway will be mapped to after a successful upgrade. You must specify the new SmartLSM Profile when upgrading the VPN-1 version. This is not necessary when installing Hotfixes or other packages.
-boot | (Optional) Use this option only when upgrading VPN-1. If you do not use this option, manually reboot the gateway from its console.
 | (Optional) Install previously distributed packages.
To view the list of packages available in the repository, use the ShowRepository LSMcli command. (Command usage is described in the R70 SmartProvisioning Administration Guide.)
Export
The export tool is located in your SmartLSM application, under File > Export to File. Use this tool to export a ROBO Gateway's properties into a text file that you can turn into a script in order to perform batch upgrades.
To see which product packages are available in your package repository, execute:
LSMcli [-d] <Server> <User> <Password> ShowRepository
To view a list of packages that can be installed on a specific ROBO gateway, execute:
LSMcli [-d] <Server> <User> <Password> GetCandidates <ROBO>
Note - It is recommended to use the Full Upgrade method to upgrade VPN-1 Power/UTM ROBO Gateways.
Where:
MyServer = the name of my Security Management server.
John = the administrator's name.
mypassword = the administrator's password.
VerifyUpgrade = the Full Upgrade verification command.
Upgrade = the Full Upgrade command.
ROBO17 = the VPN-1 Power/UTM ROBO Gateway to be upgraded.
MyNewProfile = the new SmartLSM Profile that ROBO17 will be mapped to after the upgrade.
Where:
MyServer = the name of my Security Management server.
John = the administrator's name.
mypassword = the administrator's password.
ModifyROBO VPN1Edge = the command to modify a property on a UTM-1 Edge ROBO gateway.
ROBO101 = the Edge ROBO Gateway to be upgraded.
EdgeNewProfile = the new SmartLSM Profile that ROBO101 will be mapped to after the upgrade (optional).
4.0.23 = the name of the new Firmware package.
Restart = the command to restart the gateway.
Example: Using the LSM CLI to write a script to upgrade multiple ROBO Gateways
Create the following script and run it:
LSMcli MyServer John mypassword Upgrade ROBO17 -P=MyNewProfile
LSMcli MyServer John mypassword Upgrade ROBO18 -P=MyNewProfile
LSMcli MyServer John mypassword Upgrade ROBO19 -P=MyOtherProfile
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO17
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO18
LSMcli MyServer John mypassword AttachAssignedLicenses VPN1 ROBO19
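A driver for the batch scripts above, as an added example that is not part of the guide or of SmartProvisioning: it runs VerifyUpgrade, Upgrade and AttachAssignedLicenses for each gateway and stops at the first failure rather than continuing with the remaining gateways. It assumes LSMcli exits non-zero on failure and that VerifyUpgrade takes the same arguments as Upgrade; MyServer, John and the ROBO names are the constructed values from the guide's examples.

```python
"""Batch ROBO Gateway upgrade driver around LSMcli.

Added example, not part of the guide or of SmartProvisioning.  For each
gateway it runs the commands the guide shows, in order: VerifyUpgrade,
Upgrade, AttachAssignedLicenses, and stops at the first failure instead of
continuing with the remaining gateways.  Assumptions: LSMcli exits non-zero
on failure, and VerifyUpgrade takes the same arguments as Upgrade.  Server,
user, gateway and profile names are constructed sample values.
"""
from __future__ import annotations

import getpass
import os
import subprocess
from typing import Callable, Sequence

Runner = Callable[[Sequence[str]], int]  # runs one command line, returns its exit status

# Constructed plan, the kind of list you would derive from File > Export to File.
SAMPLE_PLAN = """
# robo_name   new_profile
ROBO17  MyNewProfile
ROBO18  MyNewProfile
ROBO19  MyOtherProfile
"""


def parse_plan(text: str) -> list[tuple[str, str]]:
    """Two whitespace-separated columns per line; '#' comments and blank lines are allowed."""
    plan: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"expected 'ROBO PROFILE', got {raw!r}")
        plan.append((fields[0], fields[1]))
    return plan


def commands_for(server: str, user: str, password: str, robo: str, profile: str) -> list[list[str]]:
    """The LSMcli invocations for one gateway, in the order the guide uses them."""
    base = ["LSMcli", server, user, password]
    return [
        base + ["VerifyUpgrade", robo, f"-P={profile}"],
        base + ["Upgrade", robo, f"-P={profile}"],
        base + ["AttachAssignedLicenses", "VPN1", robo],
    ]


def redact(argv: Sequence[str]) -> str:
    """Command line with the password (4th token) masked, safe to log."""
    return " ".join("****" if i == 3 else a for i, a in enumerate(argv))


def run_with_subprocess(argv: Sequence[str]) -> int:
    """Default runner: execute LSMcli and return its exit status."""
    return subprocess.run(list(argv), check=False).returncode


def fake_runner(failing_robo: str | None = None) -> Runner:
    """Dry-run runner: succeeds for everything except commands naming FAILING_ROBO."""
    def run(argv: Sequence[str]) -> int:
        return 1 if failing_robo is not None and failing_robo in argv else 0
    return run


def upgrade_all(server: str, user: str, password: str,
                plan: Sequence[tuple[str, str]], runner: Runner = run_with_subprocess) -> list[str]:
    """Run every command of every gateway; stop at the first non-zero exit.

    Returns the redacted log.  If a command failed, the last entry starts with
    'FAILED' and the gateways after it were not touched.
    """
    log: list[str] = []
    for robo, profile in plan:
        for argv in commands_for(server, user, password, robo, profile):
            rc = runner(argv)
            if rc != 0:
                log.append(f"FAILED rc={rc}: {redact(argv)}")
                return log
            log.append(f"ok: {redact(argv)}")
    return log


if __name__ == "__main__":
    # As in the guide's script, the password travels on the command line and is
    # therefore visible in process listings while each command runs; at least
    # keep it out of the script text and the shell history.
    password = os.environ.get("LSM_PASSWORD") or getpass.getpass("LSMcli password: ")
    runner = fake_runner() if os.environ.get("LSM_DRY_RUN") else run_with_subprocess
    for entry in upgrade_all("MyServer", "John", password, parse_plan(SAMPLE_PLAN), runner):
        print(entry)
```

Set LSM_DRY_RUN=1 to print the redacted command sequence without invoking LSMcli.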
Overview
When upgrading products of the Eventia suite, note that:
- Eventia Reporter of version R56 and higher can be upgraded to R70.
- Eventia Analyzer of version 1.0 and higher can be upgraded to R70.
In This Section
Windows Platform
Solaris / Linux Platform
SecurePlatform
Windows Platform
1. In order to begin the installation, log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Agree to the License Agreement and click Forward.
3. Select Upgrade and click Forward.
4. Continue following the instructions. The instructions that appear will differ according to your deployment.
5. Indicate whether to add new products by selecting the Add new products option and click Forward. A list of the products that will be upgraded appears. Click Forward. Depending on the components that you have chosen to install, you may need to take additional steps (such as installing other components and/or license management).
6. Verify the default directory, or browse to a new location in which Eventia Reporter will be installed.
7. Verify the default directory, or browse to a new location in which the output files created by Eventia Reporter will be generated. Click Next and reboot the machine in order to complete the installation of Eventia Reporter and to continue with the next phase of the installation.
8. Launch SmartDashboard.
9. Install the Security Policy (Policy > Install) or install the database (Policy > Install Database) in order to make Eventia Reporter fully functional.
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.
2. Continue from step 3 on page 298 in order to complete the process.
Chapter 16
To upgrade Eventia Reporter in a distributed deployment, install R70 on the old Reporter Server and migrate the previous add-on from the Security Management server to the Reporter Server.
Note - After upgrading Eventia Reporter in a Provider-1 environment you should select a customer(s) that will initiate a synchronization with the CMA of the selected customer. To do this select Tools > Customer Activation in the Eventia Reporter client, select the relevant customers and click OK.
v. The innodb_data_file_path variable contains a list of files. If there is more than one entry (separated by commas) in the innodb_data_file_path variable, locate these files and include them in the compressed tar file.
3. Copy the my.cnf (or my.ini) file located in $RTDIR/Database/conf to a backup location and rename it to my.cnf.old (or my.ini.old).
Note - The .ini or .cnf suffix should be added to the file according to the target platform. For example, if the source machine is Solaris, you have a my.cnf file. If the target machine is Windows, then you back up the my.cnf file as my.ini.old. If the target machine is UNIX, the name should be my.cnf.old.
4. Copy any company logo image file(s) in $RTDIR/bin to a backup location.
5. Copy any custom distribution scripts in $RTDIR/DistributionScripts to a backup location.
6. If the source Reporter resides on a management machine:
a. Export the database by running: upgrade_export <yyyy.tgz>, as described in Advanced Upgrade of Management servers & Standalone Gateways on page 223.
b. Copy the created .tgz file <yyyy.tgz> to the target machine and save it in $FWDIR/bin/upgrade_tools.
c. On the target machine run: upgrade_import <yyyy.tgz>.
d. When prompted to run cpstart, select: no.
7. If Reporter is installed in a distributed configuration:
a. Copy the evr_addon_export script located in $RTDIR/conf on the target machine, and:
i. For versions prior to NGX R65, place the evr_addon_export script on the management machine.
ii. If the upgrade is from R65, place the script on the Reporter machine.
b. Run evr_addon_export. A file named tables.tgz is created.
c. Place tables.tgz on the target machine in $RTDIR/bin.
d. From inside the $RTDIR/bin directory run: svr_install -import tables.tgz.
8. On the target machine, run: cpstop.
9. Place the file my.cnf.old (or my.ini.old) in the $RTDIR/Database/conf/ directory of the target machine.
10. Copy the compressed database files <xxxx.tgz> to the target machine.
11. Enter the installation directory on the target machine:
For Windows: C:\Program Files\CheckPoint\EventiaSuite\R70\bin
Other platforms: /opt/CPrt-R70/bin
12. Run: EVR_DB_Upgrade -mysql "<path of <xxxx.tgz> file>/<xxxx.tgz>"
For example, if you chose to place R60_Backup.tgz in $RTDIR/tmp, run: EVR_DB_Upgrade -mysql "$RTDIR/tmp/R60_Backup.tgz"
13. If necessary, modify the following fields in the mysql configuration file to match the locations of the database data files:
datadir=
innodb_log_group_home_dir=
innodb_data_file_path=
The locations were copied in step 2 on page 301.
14. Run cpstart.
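The my.cnf handling of steps v and 13 above, as an added example that is not Check Point's code: it lists the InnoDB files that must go into the tar file (including data files placed outside datadir) and rewrites the three location keys for the target machine. The sample configuration and its paths are constructed; both ';' (MySQL's own separator) and ',' (as the guide states) are accepted between innodb_data_file_path entries.

```python
"""Locate the InnoDB files an Eventia Reporter database backup must include.

Added example, not Check Point's code.  Reads the [mysqld] section of my.cnf
or my.ini, resolves datadir, innodb_log_group_home_dir and every entry of
innodb_data_file_path (step v), and rewrites those keys for the target
machine (step 13).  Sample config and paths are constructed; both ';'
(MySQL's separator) and ',' (as the guide says) are accepted between entries.
"""
from __future__ import annotations

import re

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KV = re.compile(r"^\s*(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<value>.*?)\s*$")
_WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]")
BACKUP_KEYS = ("datadir", "innodb_log_group_home_dir", "innodb_data_file_path")

# Constructed sample my.cnf: the second data file lives outside datadir and is
# missed by a backup that only archives the data directory.
SAMPLE_MY_CNF = """[client]
port = 3306

[mysqld]
port = 3306
datadir = /opt/CPrt-R60/Database/data
innodb_log_group_home_dir = /opt/CPrt-R60/Database/data
# two data files, the second one with the autoextend attribute
innodb_data_file_path = ibdata1:2000M;/var/opt/reporter/ibdata2:2000M:autoextend
"""

def _norm(key: str) -> str:
    """MySQL treats 'innodb-data-file-path' and 'innodb_data_file_path' alike."""
    return key.lower().replace("-", "_")

def parse_mysqld_section(text: str) -> dict[str, str]:
    """Key/value pairs of the [mysqld] section only; '#' and ';' comment lines are skipped."""
    values: dict[str, str] = {}
    in_mysqld = False
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            in_mysqld = m.group("name").strip().lower() == "mysqld"
            continue
        if not in_mysqld or line.lstrip().startswith(("#", ";")):
            continue
        kv = _KV.match(line)
        if kv:
            values[_norm(kv.group("key"))] = kv.group("value").strip("\"'")
    return values

def data_file_entries(spec: str) -> list[str]:
    """File names from an innodb_data_file_path value made of 'name:size[:attr]' entries."""
    return [e.split(":", 1)[0].strip() for e in re.split(r"[;,]", spec) if e.strip()]

def join_datadir(directory: str, name: str) -> str:
    """Resolve a data-file name against datadir, keeping absolute names and Windows separators."""
    if name.startswith("/") or _WIN_ABS.match(name):
        return name
    sep = "\\" if ("\\" in directory or _WIN_ABS.match(directory)) else "/"
    return directory.rstrip("/\\") + sep + name

def backup_file_list(cfg: dict[str, str]) -> dict[str, object]:
    """Paths to archive (step v) and the locations to note for step 13."""
    missing = [k for k in BACKUP_KEYS if k not in cfg]
    if missing:
        raise KeyError(f"[mysqld] is missing {missing}")
    return {
        "datadir": cfg["datadir"],
        "log_dir": cfg["innodb_log_group_home_dir"],
        "data_files": [join_datadir(cfg["datadir"], n) for n in data_file_entries(cfg["innodb_data_file_path"])],
    }

def rewrite_for_target(text: str, new_values: dict[str, str]) -> str:
    """Return the config with the given [mysqld] keys replaced (step 13); every other line is kept."""
    out: list[str] = []
    in_mysqld, replaced = False, set()
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            in_mysqld = m.group("name").strip().lower() == "mysqld"
        kv = _KV.match(line) if in_mysqld and not m else None
        key = _norm(kv.group("key")) if kv else None
        if key in new_values:
            out.append(f"{key} = {new_values[key]}")
            replaced.add(key)
        else:
            out.append(line)
    if set(new_values) - replaced:
        raise KeyError(f"keys not present in [mysqld]: {sorted(set(new_values) - replaced)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    files = backup_file_list(parse_mysqld_section(SAMPLE_MY_CNF))
    print("include in the tar file:", files["data_files"])
    print(rewrite_for_target(SAMPLE_MY_CNF, {"datadir": "/opt/CPrt-R70/Database/data"}))
```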
1. cpstop
2. evconfig
While running evconfig, enable Analyzer Server or the Correlation Unit.
3. cpstart
Prerequisites
Before upgrading to Analyzer R70, note the path to the current database file: $RTDIR/events_db/events.sql, where $RTDIR is a variable that contains the path of the previous Eventia Analyzer installation. In R63, the default path:
For Windows is C:\Program Files\CheckPoint\EventiaSuite\R63
For Unix platforms is /opt/CPrt-R63
5. Read and accept the license agreement.
6. Select the first option: upgrade.
7. Download or import a service contract file, or choose to continue without one.
8. Select a source for the R70 upgrade utilities.
9. Select Upgrade Installed Products.
10. Validate the products in the products list.
11. Reboot once the upgrade is complete.
8. Validate the products in the products list.
9. Once the upgrade has completed, log in again to the root account.
10. Run cpstart to activate the installed products.
3. Log in as root (or admin).
4. Unzip and untar the file. For non-SPLAT systems, use the GNU tar located in /opt/CPips1-R65/bin/gtar.
5. Move to the resulting ips1_r65_hfa1 directory.
6. Run: ./install_ips1_r65_hfa1.sh
If IPS-1 is running, the script will stop it.
7. Restart the IPS-1 application, and log in using an IPS-1 HFA1 level Dashboard.
For a Remote Upgrade, follow the instructions in Remotely Upgrading an IPS-1 Power Sensor on page 309. For a Full Upgrade, follow the instructions for reinstallation in Reinstalling an IPS-1 Power Sensor on page 310, using a newer version of the installation source.
3. From the root directory of the CD, run: ./upgrade_sensor -d $IPS1DIR/alcr -u <upgrade_file.tar> <Sensor_name>
Chapter 17
The upgrade_sensor script will verify that the given IPS-1 Sensor is upgradeable, transfer the necessary files from the IPS-1 Sensor CD to the Sensor and tell it to complete the upgrade. If the upgrade_sensor script finishes without any errors, the IPS-1 Sensor will reboot itself. When it comes back up, it will be running a new version of the IPS-1 Sensor software. If, for some reason, the upgrade fails, you may need to do a full re-installation of the IPS-1 Sensor.
To reinstall (or perform a Full Upgrade):
1. If you are going to be installing from a network server (not from an LDP), obtain a Check Point IPS-1 Power Sensor installation CD, and extract the Power-Sensor - <version_number>.tar file to a network server accessible from the Power Sensor's management interface by FTP, HTTP, or NFS.
2. Connect to the IPS-1 Power Sensor with a Serial Console.
3. Boot the Power Sensor. During disk initialization, you will see the following:
Press ESC twice to enter the ROM Menu, or any other key to auto boot....
Seconds Remaining until Auto Boot: 5
Within 5 seconds, press ESC twice.
4. When prompted for the ROM menu password, if you haven't set one, just press Enter. The main ROM menu appears.
5. Select Boot in Rescue Mode.
6. When the next menu appears, select (Re)Install System (manual).
7. Set the various date and time values, as prompted. Then confirm the date and time.
8. Available LDP images are listed, with their software version and build numbers. Select an LDP image number, or n to install from a network source.
9. In a network installation, you will be prompted for network information to enable the installation, as follows:
a. Set IP information for the Power Sensor's management interface.
b. Optionally, set a host and domain name. For example: mysensor.example.com
c. Type the default gateway address.
d. Type the IP address of the installation source.
e. Type the path on the installation source computer to the directory containing NR-INSTALL-DIRECTORY. Something like: /root/Power-Sensor.5.0.7/Install
f. Type the protocol to be used - ftp, nfs, or http. Depending on the selected protocol, you may be prompted for additional information.
10. Select the installation type. There should be only one choice (1).
11. In most cases, select to install to the Multiple Disk Array.
12. Select to install to the root partition. Wait for the system to complete formatting the partition. In most cases, do not create a local installation image. Select n. The system installs the packages and reboots twice. When finished, the system is at the same state as when shipped. Continue setting up the Sensor by following the instructions in Initial Configuration of IPS-1 Power Sensor.