Hi Alfred,
Do not forget to read the release notes very carefully. Verify that you have the correct NG licenses. If you have less than 256MB memory, I would recommend a memory upgrade (not a must).
Always take backups before the upgrade.
1- Upgrade your Checkpoints/Management to 4.1SP6
2- Run pre-upgrade verifiers from Check Point
3- Apply the recommended changes
4- Delete your mgmt object if you defined it as a node. Check all duplicate objects esp if they overlap with the gateway interfaces.
5- Test your sp6 conf, take full backup
6- Upgrade to a compatible IPSO version (a version which supports both 4.1 and NG FP3 -- e.g. 3.5.FCS14- remember that if you have 256MB swapspace you need to wipe out all IPSO and make fresh installation to have 1GB swap. You can check swapspace with #swapinfo -k command)
7- Upgrade your management server (now you have smartcenter ;-)
8- Test if your policies are intact
9- Upgrade/install NG FP3 on modules (I use fresh install after disabling 4.1 packages)
10- cpconfig on modules (enable CPHA for sync)
11- Change module objects to NG FP3 on smartcenter. SIC.
12- Test SIC (verify that time is synchronized on all systems- use NTP if possible)
13- Verify your sync net on cluster object
14- Uncheck ClusterXL on gateway/cluster
15- Push the policy, check logging, sync, opsec servers, vpn, connectivity etc
16- Check Smartdefense, if you are blocking something
17- Run post upgrade verifiers if needed.
18- Check your scripts for backup, log switches etc..
19- Upgrade your clients/management server/modules to HFA 310 (instead of HF2)
20- Check your *.def changes in 4.1. Apply the corresponding changes in NG (they are deleted by the upgrade).
21- If you have VPN problems check supernetting, *bare* minimum IKE settings on both ends, and PFS.
22- Remember that management ports changed. If you have filters in between change the allowed ports. Even Checkpoint firewall in between will drop management ports, logging, certificate pushes etc..
23- Replace fwstart scripts on modules for VRRP problem (cpha forwarding off problem). New script is available through Nokia Support.
24- Your generic* user should be deleted and use external user profile instead.. farewell to putkeys..
cheers,
- yinal ozkan
--- "NG, Alfred" <Alfred.Ng AT APA.GOV.AB DOT CA> wrote:
> Hi everyone,
> Just wondering what the steps are to upgrade to FP3 HF2 for Firewall-1
> in a redundant VRRP setup of 2 Nokia IP440 firewalls.
> Do I have to perform the upgrade on each server separately? Or would I
> just perform it on the management console which would push the changes
> to the firewalls?
>
> Alfred
> NOTE: THIS MESSAGE IS INTENDED ONLY FOR THE ADDRESSEE, IT MAY CONTAIN PRIVILEGED OR CONFIDENTIAL INFORMATION.
> If you are not the intended recipient of this message, you should not: read it, distribute it, copy it or take any action in reliance on the content of this communication. If you have received this communication in error, please notify us at once by reply E-mail, then permanently delete the original, your reply and destroy any copy or printout.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
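A pre-upgrade check for the swap requirement in step 6 of the reply above, added here as an example and not part of the original post: it parses `swapinfo -k` output and reports whether the box has the roughly 1GB of swap the checklist calls for. The column layout, the threshold default, the function names and the sample outputs are assumptions made for this example.

```shell
#!/bin/sh
# Pre-upgrade swap check for step 6: parse `swapinfo -k` output and decide
# whether a fresh IPSO install is needed to reach about 1 GB of swap.

# Threshold in 1K-blocks. Assumption: set slightly under 1048576 because the
# reported size of a 1 GB swap partition can be a little below the raw size.
MIN_SWAP_KB=${MIN_SWAP_KB:-1000000}

# Sum the 1K-blocks column (assumed to be field 2) over device lines on stdin.
# Skips the header and the "Total" line printed when several devices exist.
swap_total_kb() {
    awk '
        $1 == "Device" || $1 == "Total" { next }
        $2 ~ /^[0-9]+$/                  { sum += $2 }
        END                              { printf "%d\n", sum }
    '
}

# Return 0 if swap is sufficient, 1 if a fresh install is needed,
# 2 if no swap device could be parsed (a failed check, not a pass).
check_swap() {
    total=$(swap_total_kb)
    if [ "$total" -eq 0 ]; then
        echo "swap: no devices parsed from swapinfo output" >&2
        return 2
    fi
    if [ "$total" -lt "$MIN_SWAP_KB" ]; then
        echo "swap: ${total} KB < ${MIN_SWAP_KB} KB, fresh install needed"
        return 1
    fi
    echo "swap: ${total} KB, OK"
    return 0
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_SMALL='Device          1K-blocks     Used    Avail Capacity  Type
/dev/wd0s1b        262144        0   262016     0%    Interleaved'

SAMPLE_LARGE='Device          1K-blocks     Used    Avail Capacity  Type
/dev/wd0s1b        524160        0   524032     0%    Interleaved
/dev/wd1s1b        524160        0   524032     0%    Interleaved
Total             1048320        0  1048064     0%'

# On the firewall itself:  swapinfo -k | check_swap
```

Run it on both VRRP members before step 6, since the two boxes may have been partitioned differently.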