R80.x Pre-Upgrade Verifier notifications and their solutions
Solution

This article describes the notifications received from the Pre-Upgrade Verifier and how to address them in order to successfully upgrade to R80.x.

"Errors" are issues that must be addressed. "Warnings" are issues that will not fail the upgrade but it is highly recommended to address them. "Information" are notifications that just provide information about actions done by the upgrade process.

Table of Contents:

  • Errors - Products and features Check Point no longer supports
  • Errors - Products and features that are not supported yet in R80.x
  • Errors - Configuration issues
  • Warnings
  • Information
  • Multi-Domain Security Management Server


Errors - Products and features Check Point no longer supports

Products and features that are no longer supported in R80.10 / R80.20 / R80.30 / R80.40. Refer to the solution column in order to fix the issues and proceed with the upgrade.

Displayed Error Cause Solution

"Rule action 'Session Auth' is not supported in R80.30 and higher.
Rules that use the 'Session Auth' action must be changed to use
a different action (see sk98263) before upgrade to R80.30"

Issue ID: 01483092

Firewall rulebase contains rule(s) with the Session Auth action that is no longer supported. In R77.30 SmartDashboard, refer to the Policy Package listed in the error message:
  1. In Firewall tab, click on Policy
  2. Refer to rules listed in error message
  3. Replace Session Auth action with other supported action
  4. Save the changes: go to File menu - click on Save
  5. Run the upgrade again
Or refer to sk98263.

Objects not supported.
Some legacy Check Point network objects in this Security Management Server version are no longer supported.
Please upgrade or remove the following Check Point network objects before proceeding with an upgrade procedure.
Leaving those unsupported objects in the database may cause error messages and policy installation problems.

Issue ID: 01541341

The following products are no longer supported in R80.x:

  • Connectra gateways
  • DLP-1 appliances
  • IPS-1 Sensor
Remove these products:
  1. In R77.30 SmartDashboard, go to Manage menu - click on Network Objects...
  2. In Show: field, select Check Points
  3. Locate the unsupported objects (open the object - look at the type at the top)
  4. Delete the unsupported objects
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

UTM-1 Edge X / W Series are no longer supported.

Description: The Database includes UTM-1 Edge X / W Series objects. UTM-1 Edge X / W Series are no longer available.
If there are UTM-1 Edge X / W Series , upgrade will fail. Delete all UTM-1 Edge X / W Series objects before upgrade.

Issue ID: 01686331

The Database includes UTM-1 Edge X / W Series objects, which are no longer supported.

Replace these devices with supported devices.

If you would like to remove these objects to proceed with the upgrade:

  1. In R77.30 SmartDashboard, go to Manage menu - click on Network Objects...
  2. In Show: field, select UTM-1 Edge Gateways
  3. Locate the unsupported objects (open the object - look at the type at the top)
  4. Delete the unsupported objects
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

Rulebase contains unsupported services or group of services that must be removed

Issue ID: 01372828

The rulebase contains services or group of services which are no longer supported and must be removed.
For the list of unsupported services, refer to sk103766.
  1. Open the pre_upgrade_verification_report
  2. Go to the relevant policy and rule number described in the error message.
  3. Remove the service from the rulebase.

 

Errors - Products and features that are not supported yet

If you are using these products or features, consider upgrading to the relevant release when it is available. Otherwise, refer to the solution column to proceed with the upgrade.

Displayed Error Cause Solution R80.10 R80.20 R80.30 R80.40

Modbus is not supported yet

Issue ID: 01730543

The Modbus feature is enabled, or a Modbus application exists, while the upgrade path for this feature is not supported.

If you use the Modbus feature, consider deleting the configuration and re-creating it in R80.x, where it is available via API (see the ICS User Guide for details).

Follow the below instructions to disable this feature in order to proceed with the upgrade:

  1. Close all SmartConsole windows
  2. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server
  3. In the upper left pane, go to Table - Global Properties Objects - properties
  4. In the upper right pane, click on firewall_properties
  5. Search for modbus_applications_enabled 
  6. In the lower pane, right-click on the modbus_applications_enabled - select Edit... - select "false" - click on OK
  7. Save the changes: go to File menu - click on Save All
  8. Close the GuiDBedit Tool
  9. Connect with SmartConsole to Security Management Server / Domain Management Server
  10. Go to Application & URL Filtering tab
  11. Click on Applications/Sites
  12. Delete all applications with Type Modbus Application
  13. Save the changes: go to File menu - click on Save
  14. Run the upgrade again

LSM Profiles are not yet supported in R80.10

Issue ID: 01692823

The Database includes LSM Profiles that are not supported in the destination version.


Consider upgrading to R80.20 and higher, where the LSM product is supported (see sk117159 for details).
Otherwise, follow the below instructions to remove the LSM profiles and proceed with the upgrade.

  1. In R77.30 SmartDashboard, go to Manage menu - click on Network Objects...
  2. In Show: field, select Check Points
  3. Locate the unsupported objects (open the object - look at the type at the top)
  4. Delete the unsupported objects
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

Cloud Connector is not supported yet

Issue ID: 01730543

The Database includes one or more Cloud connectors which are not supported.

Follow the below instructions to proceed with the upgrade:

  1. In R77.30 SmartDashboard, go to Application & URL Filtering tab
  2. In the left tree, expand Advanced
  3. Click on Cloud Connector
  4. In the displayed view, delete Cloud Connector applications
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

LTE is not supported yet

Issue ID: 01730543

The rulebase contains one of the following GTP services:
  • GTPv2
  • GTP_MM_V2
  • GTP_ADDITIONAL_V2
  • SCTP
  • Diameter

Follow the below instructions to proceed with the upgrade:

  1. In R77.30 SmartDashboard, go to Firewall tab and click on Policy
  2. Locate the rules that contain one of the following LTE services in Service column:
    • GTPv2
    • GTP_MM_V2
    • GTP_ADDITIONAL_V2
    • SCTP
    • Diameter
  3. Remove these LTE services from the policy (pay attention not to decrease the security of your environment)
  4. It is also recommended to delete all instances of those LTE services that were created by the user (default objects are removed automatically):
    1. Go to Manage menu - click on Services...
    2. In Show: field, select User defined services
    3. Locate the user-defined LTE services
    4. Delete the user-defined LTE services
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

Large Scale VPN (LSV) Profiles are not yet supported

Issue ID: 01730543

There is an LSV profile object that is used in a VPN community which is not supported yet.

Follow the below instructions to proceed with the upgrade:

  1. In R77.30 SmartDashboard, go to Manage menu - click on Network Objects...
  2. In Show: field, select Interoperable Devices
  3. Locate the LSV profile objects
  4. Delete the LSV profile objects
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

CGNAT and NAT64 are not yet supported

Issue ID: 01730543

There are CGNAT rules in the NAT policy

Follow the below instructions to proceed with the upgrade:

  1. In R77.30 SmartDashboard, go to Firewall tab
  2. Click on NAT
  3. Refer to Translated Packet - check the Source column
  4. Search for objects that are marked with the NAT state CG (for CGNAT)
  5. Delete the NAT rules that are defined as CGNAT
  6. Save the changes: go to File menu - click on Save
  7. Run the upgrade again

There are NAT64 rules in the NAT policy

Consider upgrading to R80.20 or higher, where NAT64 rules are supported.
Otherwise, follow the below instructions to proceed with the upgrade:

  1. In R77.30 SmartDashboard, go to Firewall tab
  2. Click on NAT
  3. Refer to Translated Packet - check the Source column
  4. Search for objects that are marked with the NAT state 64 (for NAT64)
  5. Delete the NAT rules that are defined as NAT64
  6. Save the changes: go to File menu - click on Save
  7. Run the upgrade again

Syslog Server is temporarily not supported

Issue ID: 01730543

Use of Syslog server as log destination in the Security Gateway properties is not supported in R80.x.  

If you are logging to a Syslog server, consider upgrading to R80.20 or higher, where it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade.

  1. In R77.30 SmartDashboard, go to Manage menu - click on Servers and OPSEC Applications...
  2. In Show: field, select Syslog servers
  3. Locate the Syslog servers that are listed in the Pre-Upgrade Verification message
  4. Select each listed Syslog server - click on Actions... button - click on Where Used... - write down the name of each involved Security Gateway object
  5. Close the Servers and OPSEC Applications... window
  6. In R77.30 SmartDashboard, go to Manage menu - click on Servers and OPSEC Applications...
  7. In Show: field, select Check Points
  8. Locate the involved Security Gateway objects
  9. Edit the involved Security Gateway objects
  10. In Security Gateway properties, go to Logs pane
  11. Remove all Syslog servers
  12. Click on OK
  13. Now you can delete the Syslog server objects
  14. Save the changes: go to File menu - click on Save
  15. Run the upgrade again

Data Center Objects Are Not yet Supported

Issue ID: 01932943

Data Center objects, Data Center groups and Virtual Cloud objects on vSEC Controller R77.30 are supported only for upgrade to R80.10 + Jumbo Hotfix Accumulator for R80.10 Take 53 or later.

Upgrade to R80.20 or higher

Error in database
Inconsistency found in the database - the table mobile_push_notifications.C should be removed.

Issue ID: 01817921

After upgrading from R77.20.01, or R77.30 to a newer version, SmartDashboard crashes when navigating to "Mobile Access Blade" tab -> "Capsule Workspace Settings".

Refer to sk108698.

Log Servers on Domain Management Server level are not yet supported

Issue ID: 02437834

Log Servers are configured on one or more of the Multi-Domain Management Server Domains.

Follow the below instructions to proceed with the upgrade:

  1. Connect with the R77.30 SmartDashboard to the relevant Domain Management Server
  2. Locate the unsupported objects listed in the error message
  3. Delete the unsupported objects listed in the error message
  4. Save the changes: go to the File menu - click on Save
  5. Run the upgrade again

Backup Security Management Server on Domain Management Server level is not yet supported

Issue ID: 02437834

Backup Security Management is configured on one or more of the Multi-Domain Management Server Domains.

Follow the below instructions to proceed with the upgrade:

  1. Connect with the R77.30 SmartDashboard to the relevant Domain Management Server
  2. Locate the unsupported objects listed in the error message
  3. Delete the unsupported objects listed in the error message
  4. Save the changes: go to the File menu - click on Save
  5. Run the upgrade again

Threat Emulation not yet supported in R80.10 on the 61000 and 41000 Security Systems

Issue ID: 02509476

There are one or more 41000 / 44000 / 61000 / 64000 R76SP.40 Gateways with the Threat Emulation blade enabled.

If you are using Threat Emulation blade on the 60000 / 40000 Security Systems, consider upgrading to the relevant release when it is available (see sk117159).

Otherwise, implement the following instructions to proceed with the upgrade:

  1. In R77.30 SmartDashboard, go to the Manage menu - click on Network Objects...
  2. In the Show: field, select Check Points
  3. Locate the 60000 / 40000 Security System object
  4. Disable the Threat Emulation blade in the 60000 / 40000 Security System object (or delete this object)
  5. Save the changes: go to the File menu - click on Save
  6. Run the upgrade again

 

Errors - Configuration Issues

These issues require a manual adjustment to enable the upgrade to R80.10 / R80.20 / R80.30 / R80.40.

Displayed Error Cause Solution

Application is not supported in application group

Upgrade is blocked due to existence of application groups that contain deprecated applications that will be replaced with a service. The listed applications were removed from the Application Control package.

Before upgrade:

  1. In R7X SmartDashboard, go to Application & URL Filtering tab
  2. Click on Applications/Sites
  3. Locate the application groups mentioned in the Pre-Upgrade Verification message
  4. Remove the deprecated applications from the application groups mentioned in the Pre-Upgrade Verification message
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

Users database needs to be fixed

Objects that are referenced in the $FWDIR/conf/fwauth.NDB file do not exist in the $FWDIR/conf/objects_5_0.C file.

Refer to sk106158.

Cluster member that is not part of a cluster is not supported

Database contains cluster members which are not part of a cluster (unused).

These cluster members are not used in your current deployment and can safely be deleted. Delete these objects before upgrade - either in SmartDashboard, or in GuiDBedit Tool.

Refer to sk108612.

Standby Management Server

R77X Standby Management Server should not be upgraded. It should synchronize with the Active Management Server after it is upgraded.

Either:

  • Perform clean install of R80.10/R80.20/R80.30
  • Set it as Secondary Management Server in the First Time Wizard
  • Synchronize the Secondary Management Server with the Primary Management Server

Or:

  • Promote the Standby Management Server to be Active.

Empty SIC

The SIC name with the Management Server has been lost.

Reset SIC on R7X Security Management Server:

  1. [Expert@HostName:0]# fwm sic_reset
  2. [Expert@HostName:0]# cp_conf ca init

Empty IPv4 address

The Management Server has no IPv4 address defined.

  1. In R7X SmartDashboard, go to Manage menu - click on Network Objects...
  2. In Show: field, select Check Points
  3. Locate and edit the object of the Management Server
  4. Define the IPv4 address and click on OK
  5. Save the changes: go to File menu - click on Save
  6. Run the upgrade again

Duplicate object IDs

There are duplicate objects with the same object ID.

Contact Check Point Support for assistance, or follow these steps on R7X Management Server:

  1. Collect complete backup (refer to sk108902). At the very least, backup the $FWDIR/conf/objects_5_0.C file
  2. Generate a new UID using the following online generator: http://www.guidgen.com
  3. Edit the $FWDIR/conf/objects_5_0.C file using an advanced text editor (Vi, Notepad++, etc.)
  4. Change the duplicate UID to the generated UID

Corrupted object IDs

There are objects with corrupted UID.
For example:

  • UID string length is not 38
  • UID string does not start with "{", does not end with "}"
  • hyphens are not in the right places
  • hex digits are not in the right places

Contact Check Point Support for assistance, or follow the below procedure:

Background

The Object's UID should look like this:
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
The length of the entire string is 38 characters:
  • 2 brackets - positions 1 and 38
  • 4 hyphens - positions 10, 15, 20 and 25
  • 8 hex digits - positions 2 - 9
  • 4 hex digits - positions 11 - 14
  • 4 hex digits - positions 16 - 19
  • 4 hex digits - positions 21 - 24
  • 8 hex digits - positions 26 - 37
  • allowed hex digits - 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f

Procedure

  1. Collect complete backup (refer to sk108902). At the very least, backup the $FWDIR/conf/objects_5_0.C file
  2. Generate a new UID using the following online generator: http://www.guidgen.com
  3. Edit the $FWDIR/conf/objects_5_0.C file using an advanced text editor (Vi, Notepad++, etc.)
  4. Change the corrupted UID to the generated UID
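
The UID layout rules above, together with the duplicate check from the "Duplicate object IDs" entry, as an added example in Python (not Check Point code). It assumes the caller supplies (object name, UID) pairs taken from a backup copy of objects_5_0.C, treats hex digits case-insensitively, and generates a replacement UID locally with the standard uuid module rather than an online generator; the sample objects are constructed.

```python
import uuid
from collections import defaultdict

# 1-based positions, exactly as listed in the article's "Background" section.
HYPHEN_POSITIONS = (10, 15, 20, 25)
HEX_DIGITS = set("0123456789abcdef")
UID_LENGTH = 38


def check_uid(uid):
    """Return the list of format problems for one UID (empty list = well-formed)."""
    problems = []
    if len(uid) != UID_LENGTH:
        problems.append(f"length is {len(uid)}, expected {UID_LENGTH}")
    if not uid.startswith("{"):
        problems.append("does not start with '{'")
    if not uid.endswith("}"):
        problems.append("does not end with '}'")
    # Inspect positions 2..37 (or as far as a short string reaches).
    for pos in range(2, min(len(uid), UID_LENGTH)):
        ch = uid[pos - 1]
        if pos in HYPHEN_POSITIONS:
            if ch != "-":
                problems.append(f"position {pos}: expected '-', found {ch!r}")
        elif ch.lower() not in HEX_DIGITS:  # assumption: upper case is accepted
            problems.append(f"position {pos}: {ch!r} is not a hex digit")
    return problems


def audit(objects):
    """Check (object_name, uid) pairs.

    Returns (corrupted, duplicates):
      corrupted  - {object_name: [problems]} for UIDs that break the layout
      duplicates - {uid_lowercased: [object_names]} for well-formed UIDs
                   that are assigned to more than one object
    """
    corrupted = {}
    owners = defaultdict(list)
    for name, uid in objects:
        problems = check_uid(uid)
        if problems:
            corrupted[name] = problems
        else:
            owners[uid.lower()].append(name)
    duplicates = {u: names for u, names in owners.items() if len(names) > 1}
    return corrupted, duplicates


def new_uid():
    """Generate a replacement UID locally in the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} layout."""
    return "{" + str(uuid.uuid4()) + "}"


# Constructed sample: object names and UIDs are made up for this example.
SAMPLE = [
    ("gw-paris", "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"),
    ("gw-lyon",  "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}"),  # same UID as gw-paris
    ("host-a",   "{9B1DEB4D-3B7D-4BAD-9BDD-2B0D7B3DCB6D"),   # closing brace lost
    ("host-b",   "{9B1DEB4D3-B7D-4BAD-9BDD-2B0D7B3DCB6D}"),  # first hyphen shifted
    ("net-x",    "{1C6B147E-1A2B-4F0C-8D3E-5A6B7C8D9EZF}"),  # 'Z' is not hex
    ("net-ok",   "{6FA459EA-EE8A-3CA4-894E-DB77E160355E}"),
]

if __name__ == "__main__":
    corrupted, duplicates = audit(SAMPLE)
    for name, problems in corrupted.items():
        print(f"CORRUPTED {name}: " + "; ".join(problems))
    for uid, names in duplicates.items():
        print(f"DUPLICATE {uid}: " + ", ".join(names))
    print("replacement UID:", new_uid())
```

Run it against the backup copy's data first, so that every object flagged here can be compared with the list in the Pre-Upgrade Verification message before objects_5_0.C is edited.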

Duplicate GUI Clients

GUI Clients are configured more than once

Edit the $FWDIR/conf/gui-clients file and delete the duplicate lines listed in the error message.

Objects with non-Unicode characters

Database contains objects with non-Unicode characters.

Follow sk109795 - define encoding used for non-Unicode characters.

Unsupported character encoding

User did not follow steps in sk109795 correctly and defined unsupported encoding

Follow sk109795.

HTTPS Inspection policy contains unsupported objects

HTTPS Inspection policy contains the listed objects, which are no longer supported.

  1. In R7X SmartDashboard, go to Application & URL Filtering tab.
  2. In the left pane, expand Advanced
  3. Expand HTTPS Inspection
  4. Click on Policy
  5. Remove the listed objects from the policy

Unsupported NAT rules

'Source' / 'Destination' address column in the Manual NAT rule either has corrupted values, or is empty

  1. In R7X SmartDashboard, go to File menu - click on Open... - select the Policy Package listed in the error message
  2. Go to Firewall tab - in the left pane, click on NAT
  3. Locate the NAT rules listed in the error message
  4. Re-assign the Source / Destination address values as listed in the error message

IPS package version is not supported

Database contains an unsupported IPS version

  1. In R7X SmartDashboard, go to the IPS tab
  2. In the left pane, click on Download Updates
  3. Click on Update Now to perform the IPS Update
  4. Save the changes: go to the File menu - click on Save

Missing IP address for network objects

Network objects were created in previous version(s) without an IP address (e.g., using GuiDBedit Tool, or dbedit)

For each network object with no IP address: 

  1. In R7X SmartDashboard, locate the problematic network object
  2. Either edit the object and define an IP address, or delete it (if it is not used)
  3. Save the changes: go to the File menu - click on Save
  4. Run the upgrade again

Firewall policies with Traditional VPN mode

Firewall policies with Traditional VPN mode should not include 'Encrypt' or 'Client Encrypt' actions

Before upgrade:

  • Either convert the listed Firewall policies from the Traditional VPN mode to the Simplified VPN mode
  • Or replace the 'Encrypt' / 'Client Encrypt' actions 

Malformed entities found in Threat Prevention rulebase

Threat Prevention policy contains an invalid reference

For R80.10: refer to sk117167
For R80.20 and higher: adjusted automatically



Warnings

Warnings are issues that will not fail the upgrade but it is highly recommended to address them.

The below table is relevant for R80.10 / R80.20 / R80.30 / R80.40

Displayed Warning Cause Solution

Before upgrade:

Warning that lists all the services and services groups, whose names conflict with the new default objects added by Check Point and should be changed to another name

After upgrade:

The names of the services and services groups that were not changed before upgrade will contain the underscore character ('_') as postfix.

Issue ID: 01843066

New services and protocols were added to the default database. If there are services with the same names, the user can change the service / service group name before upgrade.
Otherwise, the upgrade process will append to the user services the underscore character ('_') as post-fix.

If there are naming conflicts with the new default objects and you would like to change the names rather than have the default "_" appended to the name:

  • Before upgrade:

    1. In R7X SmartDashboard, go to Manage menu - click on Services...
    2. Locate the services and services groups that are listed in the Pre-Upgrade Verification message
    3. Change the names of the listed services and services groups
  • After upgrade:

    1. In R80.x SmartConsole, go to the Object Explorer
    2. Locate the services and services groups that are listed in the Pre-Upgrade Verification message
    3. Change the names of the listed services and services groups
      (their names will contain '_' as postfix)

Warning during upgrade of Security Management Server to R80.x:

  • "At least one of the services contains invalid Match expression"
  • "To resolve, fix the Match expression of the unsupported service(s) (Other Service Properties > Advanced) or delete them"

Error during policy installation on R80.x Security Gateway:

Rule <Rule Number> in Network Security policy will not be enforced, because service <Service Name> has unknown match/action

Issue ID: 01854373

The database contains Other Service objects with non-empty Match field (open Other Service properties - click on Advanced... button), which are not part of Check Point default services.

In R80.x, the Other Service object definition has been modified - the Match field has been split into two fields: Match and Action.

Conversion of objects from R77 (and lower) version to R80.x is done automatically, but for user-defined services it may be incorrect. Therefore, the user is warned.

After a successful Upgrade to R80.x, verify the objects were converted correctly, or manually convert the user-defined Other Service objects per sk109195.

"The unsupported IPS protections will be removed from the "Protections" view"

Some IPS protections are no longer available.

Refer to sk103766.

Deactivating IPS protections by categories in a Threat Prevention profile will not take effect in IPS Protections view, and will not be enforced on Security Gateway running R80.X

Issue ID: 01564375

Deactivating IPS protections by categories is supported only for Security Gateways R75.X / R76 / R77.X.

It is recommended to use the enhanced R80.x tag-based activation for IPS protections.
Refer to the Threat Prevention Administration Guide for more information.

Administrators in user group are not supported

Issue ID: 01679646

User group contains an administrator user. The upgrade operation will remove those administrators.

Legacy Default Profiles are not supported

Issue ID: 01621844

Legacy default EndPoint profiles and legacy default profiles that are not used will be deleted.

The upgrade operation will remove those profiles.

In this version, you cannot set administrator group permissions to install policy on a specific gateway. The gateway property 'Permissions to Install' is ignored.

Issue ID: 01869271

In R80.x, administrator group permissions cannot be set to install policy on a specific Security Gateway. The Security Gateway property 'Permissions to Install' is ignored.

"The following Snort protections will be removed:"

Issue ID: 01912816

Snort protections are not supported in the destination version. Snort protections will be removed from the database.

Before upgrade:

Warning that lists all objects of type "ActiveSync" and "Business Mail", which contain different ports from the default ones (443, 80, 8080).

After upgrade:

Objects that were listed before upgrade now contain service 'https' with port 443 (navigate to the object in the objects bar - open the object's editor - service 'https' appears in service's combo box)

 

Issue ID: 01920887

In R80.x, those objects contain a service, which holds the port. ActiveSync and Business Mail applications with one of the default ports will get the appropriate service, which contains the same port. All of the applications that hold a different port, will get the service 'https' as default.

If you would like to use a different port than the default:

  • Before upgrade (optional):

    1. In R77.30 SmartDashboard, go to Mobile Access tab
    2. Click on Applications
    3. Locate the objects that are listed in the Pre-Upgrade Verification message
    4. Edit the listed objects
    5. Change their port to one of the defaults: 443, 80, 8080
    6. Save the changes: go to File menu - click on Save
    7. Run upgrade again
  • After upgrade:

    1. In R80.x SmartConsole, open Object Explorer
    2. Create a new service, which contains the desired port
    3. Navigate to objects bar (right pane)
    4. Locate the objects that are listed in the Pre-Upgrade Verification message
    5. Edit the listed objects
    6. In service's combo box, select the new service - click OK

Log indexing is not activated after upgrade:

In LOGS & MONITOR view, when clicking on the Logs tab, a yellow strip with the following message is displayed:

"Searches might be slow when working with log files"

Issue ID: 02015620

Log indexing is disabled by default when upgrading to R80.x, in order to improve performance.

To enable it again:

  1. In SmartConsole, edit the Management Server network object
  2. Go to the Logs pane
  3. Select Enable Log Indexing 
  4. Click OK 

Before upgrade:

Warning that lists all the profiles that deactivate IPS protections by Client/Server type

After Upgrade:

Deactivating IPS protections by Client/Server types will not take effect in the IPS 'Protections' view and will not be enforced on Security Gateway running R80.x 

Issue ID: TPM-47

Deactivating IPS protections by type (Client/Server) is not supported for Security Gateway R80.x and higher. Use tag based activations instead.

After upgrade:

  1. In R80.10 SmartConsole, go to the SECURITY POLICIES app
  2. In the upper section, click Threat Prevention
  3. In the lower section Threat Tools, click Profiles
  4. Right-click on the relevant profile - select Edit...
  5. Go to the IPS pane
  6. Select the checkbox Activate IPS protections according to the following additional properties
  7. In the Protections to deactivate section, add the Protected Asset - Client tag / Protected Asset - Server tag to protections that should be deactivated
  8. Click on OK
  9. Publish the changes
  10. Install the policy

After upgrade:

Applications and categories from sk110778 that were selected in the Application Control & URL Filtering policy may be replaced with new services.

Deprecated applications and categories may not be available for adding new instances after application update. 

Issue ID: 02471697

Applications and categories are replaced by Firewall services with protocol signatures and their default ports.

After a successful upgrade to R80.x, verify that the objects were converted correctly, or manually convert the user-defined objects.

After upgrade: 

Application widgets can not be selected in the Application Control & URL Filtering policy - widgets that are used, will be enforced after the upgrade

Issue ID: 02508608

Creating new Application widgets or adding them to an Access Policy rule is not supported since R80.10.

Remove the widgets before the upgrade, or after the successful upgrade. Widgets that are used will be enforced after the upgrade.

Warning during database export:

Legacy DHCP Relay services were found in the security rule base. Action is required in order for DHCP Relay to function properly post-upgrade

There are two possible options to solve the problem:

  1. Remove all legacy DHCP Relay services and add new ones instead. See sk104114 for instructions. This is the recommended action for managing R77.20 gateways and higher.
  2. Keep the legacy DHCP Relay services and change the Gateways and the Security Management Servers accordingly. See sk98839 for instructions. Do this for gateways which are older than R77.20

Issue ID: PMTR-2392

Legacy DHCP Relay services were found in the security rule base. Action is required in order for DHCP Relay to function properly post-upgrade

Two possible options to solve the problem:

  1. Remove legacy DHCP Relay services and add new DHCP Relay services. See sk104114 for instructions.
    This is the recommended action if managing only R77.20 gateways and higher

  2. Keep legacy DHCP Relay services and make changes to the Gateways and the Security Management Servers. See sk98839 for instructions.
    Do this if managing any gateways which are older than R77.20 

Before upgrade:

All the categories that are deprecated and will be changed in the upgrade process, and the categories that are deprecated and should be deleted before/after upgrade.

After upgrade:

Categories that were listed in the Pre-Upgrade Verification message as those that should be deleted will be found in the rulebase, but they have no effect on the Security Gateway after policy installation. These categories should be deleted.

Issue ID: 01690538

The listed categories were removed from / replaced in the Application Control package.

For unsupported categories refer to sk106783.

  • Before upgrade (optional):

    1. In R77.30 SmartDashboard, go to the Application & URL Filtering tab
    2. Click on Policy
    3. Search for the categories listed in the Pre-Upgrade Verification message
    4. Delete those categories from the rules
    5. Save the changes: go to File menu - click on Save
    6. Run upgrade again
  • After upgrade:

    1. In R80.x SmartConsole, go to Application layer
    2. Search for the categories listed as those that should be deleted
    3. Delete them from the rulebase
    4. Publish the changes

 

Information

Notifications about actions done during the upgrade process. No action is required.

Displayed Message Cause Solution

'Send error page' UI configuration was removed from protections

Issue ID: 01555668

Database contains protections with enabled 'Send error page'

This is no longer supported and will be disabled

Multi-Domain Security Management Server

Errors and Configuration issues

These issues require a manual adjustment to enable the upgrade to R80.x

Pre-upgrade verification error Cause Solution

Migrate is not supported from version R65

Issue ID: 00434025

Upgrade from the source version to the target version is not allowed.

The Supported Upgrade Paths are documented in the Release Notes for each version.

  1. Upgrade to one of the listed versions that can be upgraded to R80.x
  2. Upgrade to R80.x

Found domains without management servers

Issue ID: 01638801

There are Domains without any Domain Management Servers
  1. Stop the database export.
  2. Connect with SmartDomain Manager to the Multi-Domain Server.
  3. Remove the Domains listed in the message.

Found Domain Server hosted by non existing Multi Domain servers

Issue ID: 01638801

There are Domains that are not hosted on any Multi-Domain Server

Refer to sk106077

Found Domains with out of date Global Policies

Issue ID: 01724190


Global Policy was edited and was not installed

Install Global Policy for the mentioned Domains

There are gateways enabled for Global Use

Issue ID: 01606491

Either one or more of the following files contains an empty set:

  • $MDSDIR/conf/mdsdb/exported.C
  • $MDSDIR/conf/mdsdb/exported_domains.C
  • $MDSDIR/conf/exported.C
  • $MDSDIR/conf/exported_domains.C
Or there are gateways enabled for Global Use.

On R80.10:
  1. Log in to the Multi-Domain Server
  2. In the General tab, under 'Domain Contents', sort the contents of the table by the "Global Name" column
  3. For each object that has a global name, right-click and select Disable Global Use
Resolved starting from R80.20

cma migrate command on R80.x prints a warning during pre-upgrade verification:

Global policy was detected on the source database
The Domain Management Server after migration will have Global rules and/or objects, but there will be no indication that a Global Policy is assigned to it

After migration, to have a Global Policy assigned on this Domain, use either the Assign Global Policy option, or the Stop the migration process and remove the global policy from the source database

Non updated renamed global objects were detected on the source database

Issue ID: 00766013

Some of the Global objects in the Global Policy were renamed and were not assigned to the Domains

Stop the migration process and reassign the Global Policy on the source database

You configured these Domains to get only the global objects of their assigned global policies:...

Issue ID: 01606491

Assigning of used global objects is no longer supported

Remove the objects that should be segregated from the Global Domain

 

You are about to import a database which contains a CA key that is identical to another Domain's CA key

Duplicate CA key. If you choose to continue the import operation, you should re-create the Domain Management Server's CA database by executing the 'sic_reset' as described in sk17197.

A Domain Management Server/Security Management database that contains references to the SmartUpdate Package Repository can not be migrated

The referenced object is not present on the original Security Management Server / Domain Management Server - neither in the SmartDashboard, nor in the SmartUpdate GUI

Refer to sk106640.

Management with VSX objects detected.

Database contains object of type vs_netobj, or vs_cluster_netobj - importing those objects without their "twin objects" vs_slot_obj at the Main Domain will cause database corruption. Follow the instructions in How to VSX Migration for Multi-Domain Management document.

Found Corrupted Domain Management Servers

There are Domain directories that do not exist in the database. Delete the Domain directories from the $FWDIR/ directory

Found corrupted domain management servers

The /conf/mdsdb/objects_5_0.C file contains references to Domains that do not exist in the customers.C file

Contact Check Point Support for assistance

The High Availability state of the Global database on your Multi-Domain Server is in Standby mode

Issue ID: 01906025

The High Availability state of the Global database on your Multi-Domain Server is in Standby mode
  1. Import the Active Multi-Domain Server.
  2. Then, import this server with the "-secondary" flag, or switch it to Active before export.

Found Domain Management Servers with non-existent global policies

Issue ID: 01948068

A Global Policy assigned to a Domain does not exist

Contact Check Point Support for assistance

Found Domain Management Server IP which is different than defined in MDS database

Issue ID: ACM-1227

One or more Domain Servers have different IP than the one defined in MDS database

Modify the IP address of the Domain object in the Management database on Domain Management Server - $FWDIR/conf/objects_5_0.C (use dbedit, GuiDBedit Tool, or Vi editor)

 

Not all domains are active

Issue ID: 01906025

One or more Domain Servers is in Standby mode while Global gateway is assigned to them. 

On the Primary MDS, either disable global use on the gateways or activate the standby Domains.
To disable global use on the gateways, connect to the Multi-Domain Server General view, then right-click on the gateways and click 'Disable global use'.

On the Secondary MDS: After fixing the Primary MDS errors, this message shouldn't be shown on the Secondary MDS.

Contact Check Point Support if you still see this error message.
