Upgrading the Firewall


This section is dedicated to upgrading your FireWall-1 software on your NSP. We'll start by assuming that you are running FireWall-1 4.1 SP-6 on IPSO 3.4.1 FCS10 or later. If you are on a prior version of FireWall-1 4.1, you should start by upgrading your IPSO to the latest 3.4.1 and then upgrading to SP-6. If you are on FireWall-1 4.0, you need to upgrade to 4.1 before upgrading to NG. Don't get overzealous; be careful and take small steps, and you will be better off in the long run. You can upgrade from 4.1 SP-6 to NG FP1, FP2, or FP3. We recommend that you first go to the FP2 bundle (which actually installs the FP1 packages as well) before moving on to newer Feature Packs.

The first thing you should do once you are on 4.1 SP-6 is to run your configuration through one of the upgrade verification tools that Check Point provides. This might catch errors that could cause the upgrade to fail or cause the resulting configuration to be unusable after the upgrade. There is a tarball named upgrade_verifiers_NG_FP2_nokia.tgz for IPSO 3.4.x and 3.5 and associated release notes. You should only run this on your Nokia if you have a management server installed. This script checks the $FWDIR/conf directory on your management console. Download this bundle to your Nokia management server and gunzip and untar it into its own directory. You can obtain this file from www.checkpoint.com/techsupport/downloadsng/utilities.html#upgrade_verify:

  1. If the upgrade_verifiers_NG_FP2_nokia.tgz file is in your /var/admin directory, create a subdirectory and move it there: mkdir upgrade_verifiers; mv upgrade_verifiers_* upgrade_verifiers; cd upgrade_verifiers.

  2. Now run gunzip * to uncompress the file.

  3. Extract the tarball with the command tar -xvf upgrade*.

  4. Run the pre_upgrade_verifier script with the following syntax: pre_upgrade_verifier -p $FWDIR -c 4.1 -t NG_FP2 -f upgrade.txt.

  5. Look in the upgrade.txt file to determine what you might need to change before beginning the upgrade process.

Remember to read any release notes before you begin the upgrade procedure. You could have certain configuration options that require special attention before you begin upgrading. Here's a brief list of some common configuration issues that you will need to resolve in 4.1 before you install NG FP2 or later:

  • Disable all FWZ configurations. NG FP2 and later no longer support FWZ for VPNs.

  • Disable objects that have certificates configured for Hybrid IKE. You might even be better off to delete these objects and recreate them once you've upgraded to NG.

  • Disable any SKIP or manual IPSec VPN configurations. Only IKE is supported in NG FP2 and FP3.

  • Ensure that your firewall object names match exactly the host name of the firewall modules. This name mapping should be in the hosts file on both the management and firewall modules as well. You cannot change the host name or object name once you have upgraded to NG due to the certificates' dependence on this information.
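The pre-flight conditions above (the verifier tarball staged in its own directory, the object-name/host-name rule) and the later requirement that the wrapper be the only package in /var/admin are easy to get wrong by hand; the following POSIX sh functions are an added example, not from the book or from Check Point's tools, and take the host name, directories and hosts file as arguments so they can be exercised against scratch paths before being pointed at the real /var/admin and /etc/hosts (FW_OBJECT_NAME in the usage comment is a hypothetical variable holding your firewall object name).

```sh
#!/bin/sh
# Added example, not from the book or from Check Point's tools.
# Pre-flight checks for the 4.1 SP-6 -> NG FP2 upgrade on Nokia IPSO.
# Assumption: the caller passes every path and the host name in, so the
# checks can be tried against scratch directories first.

# stage_verifier TARBALL DESTDIR
# Puts the upgrade_verifiers tarball into its own directory and unpacks
# it there (the book's steps 1-3: mkdir, mv, gunzip, tar -xvf).
stage_verifier() {
    tarball=$1
    dest=$2
    mkdir -p "$dest" || return 1
    mv "$tarball" "$dest"/ || return 1
    # gunzip turns name.tgz into name.tar, which tar then extracts
    ( cd "$dest" && gunzip -f ./*.tgz && tar -xf ./*.tar ) || return 1
}

# check_single_package PKGDIR
# Succeeds only if exactly one .tgz package is present: the wrapper must
# be the only package in /var/admin before newpkg -i is run.
check_single_package() {
    n=0
    for f in "$1"/*.tgz; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    [ "$n" -eq 1 ]
}

# check_hostname_mapping OBJNAME HOSTNAME HOSTSFILE
# The firewall object name must equal the module's host name (it cannot
# be changed after the upgrade because the NG certificates depend on it)
# and must appear as a name in the hosts file on management and module.
check_hostname_mapping() {
    obj=$1
    host=$2
    hosts=$3
    [ "$obj" = "$host" ] || return 1
    # a name never starts a hosts line (the address does), so require
    # whitespace before it and whitespace or end-of-line after it
    grep -Eq "[[:space:]]$obj([[:space:]]|\$)" "$hosts"
}

# Typical invocation on the box itself (paths from the book; FW_OBJECT_NAME
# is a hypothetical variable holding the firewall object name):
#   stage_verifier /var/admin/upgrade_verifiers_NG_FP2_nokia.tgz /var/admin/upgrade_verifiers
#   check_single_package /var/admin || echo "more than one package in /var/admin"
#   check_hostname_mapping "$FW_OBJECT_NAME" "$(hostname)" /etc/hosts || echo "name mismatch"
```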

Upgrading from 4.1 SP-6 to NG FP2

If you have a separate management server, always make sure that you upgrade that management server before you upgrade any firewall modules. Once you are confident that you are ready to upgrade to NG, download the NG FP2 or FP3 wrapper package to your Nokia and follow the instructions provided. Here we use the NG FP2 wrapper for demonstration, and we recommend that you go to FP2 before FP3 to ensure that your configuration is merged successfully at each step. You can follow this procedure whether your Nokia is a stand-alone or distributed installation:

  1. Since you are on IPSO 3.4.1, the first thing you need to do is upgrade your IPSO image to the latest 3.6 release.

  2. Start now with the wrapper package for NG FP2 named CP_FP2_IPSO.tgz. Ensure that this is the only package in your /var/admin directory before you begin. Then run newpkg -i from the /var/admin directory.

  3. Press 4 and then press Enter to install from the local file system.

  4. When asked to enter a pathname to the package, simply enter a single dot (.) and press Enter.

  5. Now choose 2 and press Enter to upgrade from an old package.

  6. Choose the FireWall-1-strong.v4.1.SP-6 - Check Point FireWall-1 (Strong) Version 4.1 SP-6 (Wed May 15 16:10:58 IDT 2002 Build 41617) package from the list of packages you can upgrade from. In our list it is number 1, so we choose 1 and press Enter to continue.

  7. Next, the upgrade program will verify that you really want to perform this upgrade with the following question: "Do you want to upgrade from FireWall-1-strong.v4.1.SP-6 to CP_FP2_IPSO? [y/n]." Enter y for yes and press Enter to continue. As the packages are being upgraded and installed, you will receive a lot of messages on the console. There is no more text for you to input at this time. All you can do is sit patiently and wait for the upgrade to complete. You will see a message that the WebTheater service is no longer supported and that it will be deleted. You will also see a notice that the system failed to find an Internal CA in objects_5_0.C file, but it will be created after cpstart. You can safely ignore both messages. The following packages are installed while you wait:

    • NG FP1 SVN Foundation

    • NG FP1 VPN-1/FireWall-1

    • NG FP2 SVN Foundation

    • NG FP2 VPN-1/FireWall-1

    • NG FP2 Backward Compatibility with 4.1 package

    • NG FP2 Policy Server

    • NG FP2 FloodGate-1

    • NG FP2 Real Time Monitor

  8. When the newpkg program exits, you will be brought back to a shell prompt. Both the SVN Foundation and VPN-1/FireWall-1 packages are already enabled in Voyager. You need to log out and log back in to the Nokia to obtain the latest environment variables. So, type exit and then log in again.

  9. Run cpconfig. If you need help with any of the options here, read the section on cpconfig earlier in this chapter. You need to add a new license because 4.1 licenses will not function on NG.

  10. Reboot. When the system comes back up it will not load the last policy you had installed in 4.1. It will load the defaultfilter policy instead. You need to push the policy to the firewall the first time after the upgrade.

  11. Log into your management server from your NG FP2 Policy Editor Management Client. Accept the fingerprint and verify that your policy appears to be intact after the upgrade.

  12. Select Install from the Policy menu to push a policy.

  13. Test communication through your firewall. You might need to reconstruct VPN settings and set up Hybrid IKE again to get things working the way they were prior to the upgrade.

Note

If you receive a verification error that says "Missing IP protocol for user defined service MSExchange-DirectoryRef," simply delete this service from the Manage | Services window and restart the installation.

If you upgraded from 4.1 directly to FP3, you might need to configure interfaces in the Topology tab on your Check Point Gateway object before you can install a policy.

Upgrading from NG FP2 to NG FP3

The upgrade procedure for FP3 is very simple. You begin as you did with the FP2 upgrade, by downloading the FP3 wrapper package called CP_FP3_IPSO.tgz. You can run this wrapper to upgrade from 4.1 SP-6, NG FP1, or NG FP2, or to install NG FP3 from scratch on your Nokia firewall. We took you through the procedure of a fresh install at the beginning of the chapter. To upgrade to FP3 instead, run newpkg -i as you normally do to install a new package, but when prompted whether to install or upgrade, select 2 and press Enter to upgrade from an old package.

After upgrading to FP3, the FP3 SVN Foundation and VPN-1/FireWall-1 packages will already be enabled in Voyager. All you need to do is exit your login session and log back in to obtain the correct environment variables. Run cpconfig and if there is nothing new to configure, exit cpconfig and reboot. When the system comes back up, the InitialPolicy will be loaded, which means that you need to push a policy after the upgrade.

Backing Out from NG to 4.1

If you need to back out from a recent upgrade for some reason, the procedure on a Nokia is quite simple. First, you need to disable any NG components such as Policy Server and FloodGate-1 and Apply and Save your changes. Next, disable NG VPN-1/FireWall-1 and Apply and Save, and then finally disable the NG SVN Foundation package and Apply and Save.

Now you can enable the old 4.1 package and Apply and Save your changes. Then you must reboot the box. When the box comes back up, the FireWall-1 services will not be started. You must log in to Voyager and go to the Check Point FireWall-1 configuration screen found under the Security and Access Configuration heading. Set the option button next to "Start FireWall-1 automatically at reboot?" to On, then Apply and Save. Finally, log in to the Nokia and run fwstart from the command line. The firewall will load the last 4.1 policy you had configured, pick up where you left off before the upgrade, and start automatically on the next reboot. You can go back into Voyager and delete any disabled packages for cleanup if you don't want to save them for another try later.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240