
206: Tricks and Traps When Upgrading from R65 to R75 Yasushi Kono (ComputerLinks Frankfurt)



Presentation Transcript


  1. 206: Tricks and Traps When Upgrading from R65 to R75 Yasushi Kono (ComputerLinks Frankfurt)

  2. Who am I? Yasushi Kono (CCSE R71 since Dec. 2010). Working at ComputerLinks Germany since March 1999. Working with Check Point firewalls since version 4.1x. Besides Check Point, specialist for RSA SecurID, Juniper Netscreen and Novell NetWare.

  3. Target audience of this presentation: every technical support person in charge of upgrading a production environment to R75.

  4. Disclaimer: This presentation is based on experiences made in the field. Because production environments are in general unlikely to be similar to each other, the experiences I made are somewhat unique to the particular systems involved.

  5. All gateways based on Check Point R65.x. SmartCenter R65 on Windows. Gateways in the HQ based on IPSO 4.2 Build 111.

  6. Tasks to be Accomplished:
  • Backing up the production environment's config.
  • Upgrading R65 licenses to Software Blade licenses
  • Restoring the SMS onto test equipment
  • Testing the SMS base functionality
  • Doing the initial installation of the new SMS on a Smart-1 appliance
  • Restoring the config onto the Smart-1 appliance

  7. Tasks to be Accomplished (cont.):
  • Installing SmartEvent and SmartReporter on another Smart-1 appliance
  • Integrating SmartEvent into the Check Point infrastructure
  • Installing the new IP appliances from scratch
  • Importing the IPSO config file into the new IP appliances
  • Upgrading the branch office gateways

  8. Tasks to be Accomplished, current step: Backing up the production environment's config.

  9. Backing up the production environment's config.
  On the Management Server: $FWDIR/bin/upgrade_tools/upgrade_export <Name of File>
  On SPLAT gateways: [Expert@MyFirewall]# backup
  On IPSO gateways: via Voyager > Configuration > System Configuration > Configuration Sets
  Note the difference between the two Check Point tools: upgrade_export captures only the management database (objects, rulebase, users, the internal CA) in a form that can be imported into a newer version or onto a different platform, whereas the SecurePlatform backup command produces a full system backup that can only be restored onto the same SPLAT version.

  10. Tasks to be Accomplished, current step: Upgrading R65 licenses to Software Blade licenses.

  11. The free license upgrade did not work as assumed:
  R65: the SmartDefense license was attached to the Security Management Server.
  R75: the IPS license is bound to individual nodes, therefore after the license upgrade only one node had IPS!

  12. So, what are the consequences of that?
  • Only one cluster node has an IPS license attached.
  • In failover scenarios it is not predictable which packets are inspected by the IPS engine and which are not: whichever member handles a connection without an IPS license does not inspect it, so IPS coverage silently drops after a failover.

  13. Tasks to be Accomplished, current step: Restoring the SMS onto test equipment.

  14. Copy the output file created with the upgrade_export command to a local folder on the test machine and run upgrade_import on it there.

  15. Tasks to be Accomplished, current step: Testing the SMS base functionality.

  16. Compare the fingerprint: cp_conf finger get
  The fingerprint is that of the internal CA certificate, which is part of the export, so the restored SMS must show exactly the fingerprint the original SmartCenter showed.
  • Log in via SmartConsole
  • Is it possible to authenticate?
  • Can you see all objects and rules?
  • Can you install the latest policy onto a Security Gateway?

  17. Tasks to be Accomplished, current step: Doing the initial installation of the new SMS on a Smart-1 appliance.

  18. Smart-1 appliances come in two flavours: same hardware, but different products:
  • SmartEvent and SmartReporter on one box
  • Security Management Server on another box

  19. Both machines had two different SecurePlatform Pro versions, but not the latest ones... so I had to install the boxes from scratch. Why not just do an in-place upgrade? How to do that?

  20. Tasks to be Accomplished, current step: Restoring the config onto the Smart-1 appliance.

  21. After having installed the appliance that functions as the Security Management Server, the next step is to import the configuration via the upgrade_import command.
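The export, transfer, import and fingerprint check from slides 9, 14, 16 and 21, wrapped into one script so that the checks are not left to eyeballing. This is an added example and not part of the original presentation. It assumes SecurePlatform hosts with md5sum available, $FWDIR set (source the Check Point profile first), and upgrade_export/upgrade_import at the paths the slides give; in this deck the source SmartCenter is a Windows box, so there the export and the fingerprint are taken by hand and only the import and verify functions apply on the Smart-1.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes SecurePlatform hosts, $FWDIR set,
# md5sum present, and the upgrade_tools paths shown on slides 9 and 14/21.

# Normalise a fingerprint as printed by "cp_conf finger get": upper-case it and
# collapse runs of whitespace, so a fingerprint pasted from another terminal
# (extra spaces, line wrap) still compares correctly.
normalize_fingerprint() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Returns 0 when both arguments are the same, non-empty fingerprint.
fingerprints_match() {
    [ -n "$(normalize_fingerprint "$1")" ] && \
    [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Step 1 (slide 9): export the R65 management database and record a checksum
# plus the ICA fingerprint of the source SMS next to it.
do_export() {
    name="sms-export-$(date +%Y%m%d-%H%M%S)"
    "$FWDIR/bin/upgrade_tools/upgrade_export" "$name"   # writes $name.tgz
    md5sum "$name.tgz" > "$name.tgz.md5"                 # transfer integrity only, not tamper-proof
    cp_conf finger get > "$name.finger"                  # fingerprint of the source internal CA
    echo "$name.tgz"
}

# Step 2 (slides 14 and 21): on the target (test box or Smart-1), refuse to
# import a file that did not arrive intact. Run from the directory the files
# were copied to, because the .md5 file names the archive relatively.
do_import() {
    archive="$1"
    md5sum -c "$archive.md5" || { echo "checksum mismatch, refusing to import" >&2; return 1; }
    "$FWDIR/bin/upgrade_tools/upgrade_import" "$archive"
}

# Step 3 (slide 16): the imported internal CA must yield the source fingerprint.
verify_fingerprint() {
    expected="$(cat "$1")"
    actual="$(cp_conf finger get)"
    if fingerprints_match "$expected" "$actual"; then
        echo "fingerprint OK: $actual"
    else
        echo "fingerprint MISMATCH" >&2
        echo "  source: $expected" >&2
        echo "  target: $actual" >&2
        return 1
    fi
}

case "${1:-}" in
    export) do_export ;;
    import) do_import "$2" ;;
    verify) verify_fingerprint "$2" ;;
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 export | import <file.tgz> | verify <file.finger>" >&2; exit 2 ;;
esac
```

Run `export` on the source management server, copy the resulting .tgz, .md5 and .finger files to the target, then run `import <file.tgz>` followed by `verify <file.finger>` there; a non-zero exit from either step means the restored SMS is not a faithful copy and the SmartConsole checks on slide 16 should not be started yet.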

  22. Tasks to be Accomplished (cont.), current step: Installing SmartEvent and SmartReporter on another Smart-1 appliance.

  23. Already covered: this box was installed from scratch together with the SMS appliance (slide 19).

  24. Tasks to be Accomplished (cont.), current step: Integrating SmartEvent into the Check Point infrastructure.

  25. Establish SIC between both Smart-1 appliances.

  26. Define the Correlation Unit and the Log Server in the SmartEvent GUI.

  27. Define the internal networks.

  28. Tasks to be Accomplished (cont.), current step: Installing the new IP appliances from scratch.

  29. The new IP appliances purchased recently came along with IPSO 4.2 and Check Point R65. R75 runs on IPSO 6.2, which needs the newer boot manager, so you should upgrade the boot manager first. Therefore, obtain the appropriate boot manager file, namely nkipflash-6.2.bin.

  30. This file has to be copied to the local drive, e.g. via FTP. Then the following command must be used: upgrade_bootmgr wd0 nkipflash-6.2.bin

  31. The next step is to install IPSO 6.2 from scratch: nokia[admin]# newimage -i -k

  32. After the IPSO installation, the next step is to install the Check Point software. For this you can use the following command: nokia[admin]# newpkg

  33. Tasks to be Accomplished (cont.), current step: Importing the IPSO config file into the new IP appliances.

  34. Finally, import the configuration file created previously. Copy the appropriate file into the /config/db directory and use the following CLISH command: clish> load cfgfile r65backup

  35. Tasks to be Accomplished (cont.), current step: Upgrading the branch office gateways.

  36. In order to upgrade remote gateways, you could do an in-place upgrade or accomplish this task via SmartUpdate. This should no longer be challenging.

  37. One great problem arose after an apparently successful migration.

  38. Outlook 2010 clients are disconnected from the MS Exchange 2010 server!

  39. To make things worse: this problem turned out to be a global one!

  40. The administrators were aware of that problem, since they had had the same one with R65.

  41. They solved it by creating appropriate DCE-RPC service objects...

  42. ...and created a firewall rule by inserting these new objects into the service column.

  43. But, for some reason, this rule did not match anymore after upgrading!

  44. There are some articles in SecureKnowledge describing the same behaviour:

  45. sk42222

  46. sk43344

  47. sk43344 (cont.)

  48. As some of you might have imagined, neither SecureKnowledge article led to a solution!

  49. To be honest, this problem is not yet solved!
