Support Center > Search Results > SecureKnowledge Details
R80.10 Pre-Upgrade Verifier notifications and their solutions
Solution

This article describes the notifications received from the R80.10 Pre-Upgrade Verifier and how to address them in order to successfully upgrade to R80.10.

  • "Errors" are issues that must be addressed.
  • "Warnings" are issues that will not fail the upgrade, but it is highly recommended to address them.
  • "Information" are notifications that just provide information about actions performed by the upgrade process.

Table of Contents:

  • Errors - Products and features Check Point no longer supports
  • Errors - Products and features that are not supported yet in R80.10
  • Errors - Configuration issues
  • Warnings
  • Information
  • R80.10 Multi-Domain Security Management Server
  • Related Solutions

 

Errors - Products and features Check Point no longer supports

Products and features that are no longer supported in R80.10. Refer to the solution column in order to fix the issues and proceed with the upgrade to R80.10

Title Cause Solution
Firewall rule Action is no longer supported Firewall rulebase contains rule(s) with the Session Auth action that is no longer supported in R80.10

In R7X SmartDashboard, refer to the Policy Package listed in the error message:

  1. Go to the Firewall tab
  2. In the left pane, click on the Policy
  3. Refer to rules listed in the error message
  4. Replace the Session Auth action with other supported action
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again

Or refer to sk98263.

Access Policy action is not supported Firewall rules that contain the Client Auth action when the Sign-On method is set to Agent Automatic Sign On, Fully Automatic, or Single Sign On are no longer supported in R80.10
  1. In R7X SmartDashboard, go to the Firewall tab
  2. In the left pane, click on the Policy
  3. Locate the rules listed in the error message
  4. Right-click on the Client Auth action - click on the Edit properties...
  5. In the Sign On Method section, replace the method to either Manual, or Partially automatic
  6. Save the changes: go to the File menu - click on the Save
  7. Run the upgrade again
Objects are not supported

The following products are no longer supported by R80.10:

  • Connectra gateway
  • DLP-1 appliance
  • IPS-1 Sensor

Remove these products:

  1. In R7X SmartDashboard, go to the Manage menu - click on the Network Objects...
  2. In the Show: field, select the Check Points
  3. Locate the unsupported objects (open the object - look at the type at the top)
  4. Delete the unsupported objects
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again
UTM-1 Edge X / W Series devices are not supported The Database includes UTM-1 Edge X / W Series objects, which are no longer supported in R80.10

Replace these devices with supported devices.

In case you would like to remove these objects to proceed with the upgrade:

  1. In R7X SmartDashboard, go to Manage menu - click on Network Objects...
  2. In the Show: field, select UTM-1 Edge Gateways
  3. Locate the unsupported objects (open the object - look at the type at the top)
  4. Delete the unsupported objects
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again
Services are no longer supported The rulebase contains services or group of services, which are no longer supported Refer to sk103766

 

Errors - Products and features that are not supported yet in R80.10

These products or features are not supported yet in R80.10 and will be supported in an upcoming R80.10 release.

If you are using these products or features, consider upgrading to the relevant release when it is available.
Otherwise, refer to the solution column to proceed with the upgrade to R80.10

Title Cause Solution
Modbus is not supported yet The Modbus feature is enabled, or a Modbus application exists while this feature is not supported yet in R80.10

If you are using the Modbus feature, consider upgrading to the relevant release when it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

Before upgrade:

  1. Close all SmartConsole windows
  2. Connect with the GuiDBedit Tool to Security Management Server / Domain Management Server
  3. In the upper left pane, go to the Table - Global Properties Objects - properties
  4. In the upper right pane, click on the firewall_properties
  5. Press CTRL+F (or go to Search menu - Find) - paste modbus_applications_enabled - click on the Find Next
  6. In the lower pane, right-click on the modbus_applications_enabled - select Edit... - select "false" - click on OK
  7. Save the changes: go to the File menu - click on the Save All
  8. Close the GuiDBedit Tool
  9. Connect with the SmartDashboard to the Security Management Server / Domain Management Server
  10. Go to the Application & URL Filtering tab
  11. Click on the Applications/Sites
  12. Delete all applications with the Type Modbus Application
  13. Save the changes: go to the File menu - click on the Save
  14. Run the upgrade again
LSM Profiles are not supported yet

The Database includes LSM Profiles.

The LSM product is not supported yet in R80.10.

If you are using the LSM product, consider upgrading to the relevant release when it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

To proceed with the upgrade, remove the LSM profiles:

  1. In R7X SmartDashboard, go to the Manage menu - click on the Network Objects...
  2. In the Show: field, select the Check Points
  3. Locate the unsupported objects (open the object - look at the type at the top)
  4. Delete the unsupported objects
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again
Cloud Connector objects are not supported yet The Cloud Connector product is not supported yet in R80.10

If you are using Cloud Connector, consider upgrading to the relevant release when it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. In R77.30 SmartDashboard, go to the Application & URL Filtering tab
  2. In the left tree, expand the Advanced
  3. Click on the Cloud Connector
  4. In the displayed view, delete the Cloud Connector applications
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again
LTE Services are not supported yet

LTE is not supported yet in R80.10.
The rulebase contains one of the following GTP services:

  • GTPv2
  • GTP_MM_V2
  • GTP_ADDITIONAL_V2
  • SCTP
  • Diameter

If you are using LTE, consider upgrading to the relevant release when it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. In R77.30 SmartDashboard, go to the Firewall tab
  2. In the left pane, click on the Policy
  3. Locate the rules that contain one of the following GTP services in the Service column:
    • GTPv2
    • GTP_MM_V2
    • GTP_ADDITIONAL_V2
    • SCTP
    • Diameter
  4. Remove these GTP services from the policy (pay attention not to decrease the security of your environment)
  5. It is also recommended to delete all instances of the those GTP services that were created by the user (default objects are removed automatically):
    1. Go to the Manage menu - click on the Services...
    2. In the Show: field, select the User defined services
    3. Locate the user-defined GTP services
    4. Delete the user-defined GTP services
  6. Save the changes: go to the File menu - click on the Save
  7. Run the upgrade again
LSV Profile is not supported yet There is an LSV profile object that is used in a VPN community

If you are using LSV, consider upgrading to the relevant release when it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. In R77.30 SmartDashboard, go to the Manage menu - click on the Network Objects...
  2. In the Show: field, select the Interoperable Devices
  3. Locate the LSV profile objects
  4. Delete the LSV profile objects
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again
CGNAT and NAT64 are not supported yet CGNAT or NAT64 rules in NAT policy are not supported yet in R80.10

If you are using CGNAT or NAT64 rules, consider upgrading to the relevant release when it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. In R77.30 SmartDashboard, go to the Firewall tab
  2. In the left pane, click on the NAT
  3. Refer to the Translated Packet - check the Source column
  4. Search for objects that are signed with NAT state as CG (for CGNAT), or 64 (for NAT64)
  5. Delete the NAT rules that are defined as CGNAT, or NAT64
  6. Save the changes: go to the File menu - click on the Save
  7. Run the upgrade again
Syslog Server is not supported yet Use of Syslog server as log destination in the Security Gateway properties is not supported yet in R80.10

If you are logging to a Syslog server, consider upgrading to the relevant release when it is available (see sk117159 for details).
Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. In R77.30 SmartDashboard, go to the Manage menu - click on the Servers and OPSEC Applications...
  2. In the Show: field, select the Syslog servers
  3. Locate the Syslog servers that are listed in the Pre-Upgrade Verification message
  4. Select each listed Syslog server - click on the Actions... button - click on the Where Used... - write down the name of each involved Security Gateway object
  5. Close the Servers and OPSEC Applications... window
  6. In R77.30 SmartDashboard, go to the Manage menu - click on the Servers and OPSEC Applications...
  7. In the Show: field, select the Check Points
  8. Locate the involved Security Gateway objects
  9. Edit the involved Security Gateway objects
  10. In Security Gateway properties, go to the Logs pane
  11. Remove all Syslog servers
  12. Click on OK
  13. Now you can delete the Syslog server objects
  14. Save the changes: go to the File menu - click on the Save
  15. Run the upgrade again
Data Center Objects Are Not Supported Data Center objects on vSEC Controller R77.30 are supported only for upgrade to R80.10 + Jumbo Hotfix Accumulator for R80.10 (take 53 or later) - Data Center objects, Data Center groups, and Virtual Cloud objects
Contact Check Point Support for assistance.
Error in database

After upgrading from R77.20.01, or R77.30 EA to a newer version, SmartDashboard crashes when navigating to "Mobile Access Blade" tab -> "Capsule Workspace Settings".

Refer to sk108698
Log Server on Domain Management Server Log Servers on Domain Management Server level are not yet supported in R80.10

If you are using Log Servers on Domain Management Server level, consider upgrading to the relevant release when it is available (see sk117159 for details). Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. Connect with the R7X SmartDashboard to the relevant Domain Management Server
  2. Locate the the unsupported objects listed in the error message
  3. Delete the the unsupported objects listed in the error message
  4. Save the changes: go to the File menu - click on the Save
  5. Run the upgrade again
Backup Security Management Server on Domain Management Server Backup Security Management Server on Domain Management Server level is not yet supported in R80.10

If you are using Backup Security Management Server on Domain Management Server, consider upgrading to the relevant release when it is available (see sk117159 for details).

Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. Connect with the R7X SmartDashboard to the relevant Domain Management Server
  2. Locate the the unsupported objects listed in the error message
  3. Delete the the unsupported objects listed in the error message
  4. Save the changes: go to the File menu - click on the Save
  5. Run the upgrade again
Threat Emulation not yet supported in R80.10 on the 61000 and 41000 Security Systems Threat Emulation blade on the 41000 / 44000 / 61000 / 64000 Security Systems running R76SP.40 and above is not yet supported by the R80.10 Management Server

If you are using Threat Emulation blade on the 60000 / 40000 Security Systems, consider upgrading to the relevant release when it is available (see sk117159 for details).

Otherwise, implement the following instructions to proceed with the upgrade to R80.10:

  1. In R7X SmartDashboard, go to the Manage menu - click on the Network Objects...
  2. In the Show: field, select the Check Points
  3. Locate the 60000 / 40000 Security System object
  4. Disable the Threat Emulation blade in the 60000 / 40000 Security System object (or delete this objects)
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again

 

Errors - Configuration Issues

These issues require a manual adjustment to enable the upgrade to R80.10.

Title Cause Solution
Protocols are not supported Database contains services with unsupported protocol type For unsupported protocols refer to sk103595
Application is not supported in application group Upgrade is blocked due to existence of application groups that contain deprecated applications that will be replaced with a service. The listed applications were removed from the Application Control package.

Before upgrade:

  1. In R7X SmartDashboard, go to the Application & URL Filtering tab
  2. Click on the Applications/Sites
  3. Locate the application groups mentioned in the Pre-Upgrade Verification message
  4. Remove the deprecated applications from from the application groups mentioned in the Pre-Upgrade Verification message
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again
Users database needs to be fixed Objects that are referenced in the $FWDIR/conf/fwauth.NDB file do not exist in the $FWDIR/conf/objects_5_0.C file Refer to sk106158
Cluster member not part of a cluster is not supported Database contains cluster members, which are not part of a cluster (unused)

These cluster members are not used in your current deployment and can be safely deleted. Delete these objects before upgrade - either in SmartDashboard, or in GuiDBedit Tool.

Refer to sk108612.
Standby Management Server Standby Management Server should not be upgraded. It should synchronize with the Active Management Server after it is upgraded
  • Either:

    1. Perform clean install of R80.10
    2. Set it as Secondary Management Server in the First Time Configuration Wizard
    3. Synchronize the Secondary Management Server with the Primary Management Server
  • Or:

    • Promote the Standby Management Server to be Active.
Empty SIC The SIC name with the Management Server has been lost

Reset SIC on R7X Security Management Server:

  1. [Expert@HostName:0]# fwm sic_reset
  2. [Expert@HostName:0]# cp_conf ca init
Empty IPv4 address The Management Server has no IPv4 address defined
  1. In R7X SmartDashboard, go to the Manage menu - click on the Network Objects...
  2. In the Show: field, select the Check Points
  3. Locate and edit the object of the Management Server
  4. Define the IPv4 address and click on OK
  5. Save the changes: go to the File menu - click on the Save
  6. Run the upgrade again
Duplicate object IDs There are duplicate objects with the same object ID

Contact Check Point Support for assistance, or follow these steps on R7X Management Server:

  1. Collect the complete backup (refer to sk108902).
  2. Generate a new UID using the following online generator: http://www.guidgen.com
  3. Edit the $FWDIR/conf/objects_5_0.C file using and advanced text editor (Vi, Notepad++, etc.)
  4. Change the duplicate UID to the generated UID
Corrupted object IDs

There are objects with corrupted UID.
For example:

  • UID string length is not 38
  • UID string does not start with "{", does not end with "}"
  • hyphens are not in the right places
  • hex digits are not in the right places

Contact Check Point Support for assistance, or follow the below procedure:

Background

The Object's UID should look like this:
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
The length of the entire string is 38 characters:
  • 2 brackets - at positions 1 and 38
  • 4 hyphens - at positions 10, 15, 20 and 25
  • 8 hex digits - at positions 2 - 9
  • 4 hex digits - at positions 11 - 14
  • 4 hex digits - at at positions 16 - 19
  • 4 hex digits - at positions 21 - 24
  • 8 hex digits - at positions 26 - 37
  • allowed hex digits - 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f

Procedure

  1. Collect the complete backup (refer to sk108902).
  2. Generate a new UID using the following online generator: http://www.guidgen.com
  3. Edit the $FWDIR/conf/objects_5_0.C file using and advanced text editor (Vi, Notepad++, etc.)
  4. Change the corrupted UID to the generated UID
Duplicate GUI Clients GUI Clients are configured more than once Edit the $FWDIR/conf/gui-clients file and delete the duplicate lines listed in the error message
Objects with non-Unicode characters Database contains objects with non-Unicode characters Follow sk114739 - define encoding used for non-Unicode characters
Unsupported character encoding User did not follow steps in sk114739 correctly and defined an unsupported encoding Follow sk114739
HTTPS Inspection policy holds unsupported objects HTTPS Inspection policy holds the listed objects, which are not supported
  1. In R7X SmartDashboard, go to the Application & URL Filtering tab.
  2. In the left pane, expand the Advanced
  3. Expand the HTTPS Inspection
  4. Click on the Policy
  5. Locate the unsupported objects (they should reside within a group) listed in the error message
  6. Remove the unsupported objects from group or remove group from the relevant rule
  7. Save the changes: go to the File menu - click on the Save
  8. Run the upgrade again
Unsupported NAT rules 'Source' / 'Destination' address column in the Manual NAT rule either has corrupted values, or is empty
  1. In R7X SmartDashboard, go to the File menu - click on the Open... - select the Policy Package listed in the error message
  2. Go to the Firewall tab
  3. In the left pane, click on NAT
  4. Locate the NAT rules listed in the error message
  5. Re-assign the Source / Destination address values as listed in the error message
Malformed entities found in Threat Prevention rulebase Threat Prevention policy contains an invalid reference Refer to sk117167
IPS package version is not supported Database contains an unsupported IPS version
  1. In R7X SmartDashboard, go to the IPS tab
  2. In the left pane, click on Download Updates
  3. Click on the Update Now to perform the IPS Update
  4. Save the changes: go to the File menu - click on the Save
  5. Run the upgrade again
Missing IP address for network objects Network objects were created in previous version(s) without an IP address (e.g., using GuiDBedit Tool, or dbedit)

For each network object with no IP address:

  1. In R7X SmartDashboard, locate the problematic network object
  2. Either edit the object and define an IP address, or delete it (if it is not used)
  3. Save the changes: go to the File menu - click on the Save
  4. Run the upgrade again
Firewall policies with Traditional VPN mode
Firewall policies with Traditional VPN mode should not include 'Encrypt' or 'Client Encrypt' actions

Before upgrade:

  • Either convert the listed Firewall policies from the Traditional VPN mode to the Simplified VPN mode
  • Or replace the 'Encrypt' / 'Client Encrypt' actions

 

Warnings

Warnings are issues that will not fail the upgrade but it is highly recommended to address them.

Title Symptom (user experience) Cause Solution
Names conflicts with new default objects

Before upgrade:

Warning that lists all the services and services groups, whose names conflict with the new default objects added by Check Point and should be changed to another name

 

After upgrade:


The name of the services and services group, whose names were not changed before upgrade will contain underscore character ('_') as post-fix
New services and protocols were added to the default database. If there are services with the same names, the user can change the service / service group name before upgrade.
Otherwise, the upgrade process will append to the user services the underscore character ('_') as post-fix.

If there are conflicts in names with the new default objects, and you would like to change the names rather than using the default "_" appendix in the name:

  • Before upgrade:

    1. In R7X SmartDashboard, go to the Manage menu - click on the Services...
    2. Locate the services and services groups listed in the warning message
    3. Change the names of the services and services groups
    4. Save the changes: go to the File menu - click on the Save
    5. Run the upgrade again
  • After upgrade:

    1. In R80.10 SmartConsole, go to the the Object Explorer
    2. Locate for the services and services groups listed in the warning message
    3. Change the names of the listed services and services groups (their names will contain '_' as postfix)
Other Services are not supported

Warning during upgrade of Security Management Server to R80.10 that Other Services are not supported:

  • "At least one of the services contains invalid Match expression"
  • "To resolve, fix the Match expression of the unsupported service(s) (Other Service Properties > Advanced) or delete them"

Error during policy installation on R80.10 Security Gateway that Other Service is unknown:

Error: Rule <Number of Rule> in Network Security policy will not be enforced, because service <Name of Service> has unknown match/action

The database contains Other Service objects with non-empty Match field (open Other Service properties - click on the Advanced... button), which are not part of Check Point default services.

In R80.10, the Other Service object definition has been modified - the Match field has been split into two fields: Match and Action.

Conversion of objects from R77 (and lower) version to R80.10 is done automatically, but for user-defined services it may be incorrect. Therefore, the user is warned.

After a successful upgrade to R80.10, verify the objects were converted correctly, or manually convert the user-defined Other Service objects per sk109195
Unsupported IPS protections The unsupported IPS protections will be removed from the "Protections" view Some IPS protections are no longer available in R80.10 Refer to sk103766
Deactivate IPS protections by categories Deactivating IPS protections by categories in a Threat Prevention profile will not take effect in IPS Protections view, and will not be enforced on Security Gateway running R80.X Deactivating IPS protections by categories will be supported only for Security Gateways R75.X / R76 / R77.X It is recommended to use the enhanced R80.10 tag based activation for IPS protections
Administrators in user group are not supported "pre_upgrade_verifier" command on R80.10 during the pre-upgrade verification prints a warning with "Administrators in user group are not supported" User group contains an administrator user The upgrade operation will remove those administrators
Legacy Default Profiles are not supported "pre_upgrade_verifier" command on R80.10 during pre-upgrade verification prints a warning with "Legacy Default Profiles are not supported" Legacy default EndPoint profiles and legacy default profiles that are not used will be deleted The upgrade operation will remove those profiles
Check Point Gateway Objects - Permissions to Install Warning during database export. After upgrade, the 'Permissions to Install' page was removed in the Security Gateway properties (it still exists in the schema, but it is ignored) In R80.10, administrator group permissions can not be set to install policy on a specific Security Gateway The Security Gateway property 'Permissions to Install' is ignored
Snort protections are not yet supported   Snort protections are not yet supported in R80.10 Snort protections will be removed from database
Mobile applications with unsupported ports

Before upgrade:

Warning that lists all objects of type "ActiveSync" and "Business Mail", which contain different ports than the default ports 443, 80, 8080

 

After upgrade:


Objects that were listed before upgrade, now contain service 'https' with port 443 (navigate to the object in the objects bar - open the object's editor - service 'https' appears in service's combo box)
In R80.10, those objects contain a service, which holds the port. ActiveSync and Business Mail applications with one of the default ports will get the appropriate service, which contains the same port. All of the applications that hold a different port, will get the service 'https' as default.

If you would like to use a different port than the default:

  • Before upgrade (optional):

    1. In R77.30 SmartDashboard, go to the Mobile Access tab
    2. In the left pane, click on Applications
    3. Locate the objects listed in the warning message
    4. Edit the listed objects
    5. Change their port to one of the default ports: 443, 80, 8080
    6. Save the changes: go to the File menu - click on the Save
    7. Run the upgrade again
  • After upgrade:

    1. In R80.10 SmartConsole, open the Object Explorer
    2. Create a new service, which contains the desired port
    3. Navigate to objects bar (right pane)
    4. Locate the objects listed in the warning message
    5. Edit the listed objects
    6. In service's combo box, select the new service
    7. Click on OK
Standalone Security Management Upgrade

If not activated after upgrade:

In SmartConsole, go to the LOGS & MONITOR app - click on the Logs tab - a yellow strip with the following message will be be displayed:

"Searches might be slow when working with log files"
To improve performance, the upgrade process disables the Log Indexing To enable it again, edit the Management Server network object - go to the Logs pane - select the Enable Log Indexing - click on OK
Deactivating IPS protections by type (Client/Server) will be supported for pre R80 gateways only

Before upgrade:

Warning that lists all the profiles that deactivate IPS protections by Client/Server type

 

After Upgrade:

Deactivating IPS protections by Client/Server types will not take effect in the IPS 'Protections' view and will not be enforced on Security Gateway running R80.10

Deactivating IPS protections by type (Client/Server) is not supported for Security Gateway R80.10 and above. Use tag based activations instead.

After upgrade:

  1. In R80.10 SmartConsole, go to the SECURITY POLICIES app
  2. In the upper section, click on the Threat Prevention
  3. In the lower section Threat Tools, click on the Profiles
  4. Right-click on the relevant profile - select Edit...
  5. Go to the IPS pane
  6. Check the box Activate IPS protections according to the following additional properties
  7. In the Protections to deactivate section, add the Protected Asset - Client tag / Protected Asset - Server tag to protections that should be deactivated
  8. Click on OK
  9. Publish the changes
  10. Install the policy
Applications and categories port enforcement changes

After upgrade:

Applications and categories from sk110778, which were selected in the Application Control & URL Filtering policy may be replaced to new services.

Deprecated applications and categories may not be available for adding new instances after application update.

Applications and categories are replaced by Firewall services with protocol signatures and their default ports After a successful upgrade to R80.10, verify that the objects were converted correctly, or manually convert the user-defined objects
Limited Application widgets support in R80.10

After upgrade:

Application widgets can not be selected in the Application Control & URL Filtering policy - widgets that are used, will be enforced after the upgrade
Creating new Application widgets or adding them to Access Policy rule is not supported since R80.10 Remove the widgets before the upgrade, or after the successful upgrade. Widgets that used, will be enforced after the upgrade.
Legacy DHCP Relay Services - Change in behavior in R80 and higher   Legacy DHCP Relay services were found in the security rule base. Action is required in order for DHCP Relay to function properly post-upgrade 

Two possible options to solve the problem:

  1. Remove legacy DHCP Relay services and add new DHCP Relay services. See sk104114 for instructions. This is the recommended action if managing only R77.20 gateways and above.
  2. Keep legacy DHCP Relay services and make changes to the Gateways and the Security Management Servers. See sk98839 for instructions. Do this if managing any gateways which are older than R77.20 

 

Information

Notifications about actions performed during the upgrade process. No action is required.

Title Symptom (user experience) Cause Solution
Deprecated categories in Application Control

Before upgrade:

All the categories that are deprecated and will be changed during the upgrade process, and the categories that are deprecated and should be deleted before/after the upgrade.

 

After upgrade:

Categories that were listed in the Pre-Upgrade Verification message as those that should be deleted, will be found in the rulebase, but they will have no effect on the Security Gateway after policy installation. These categories should be deleted.
The listed categories were removed from / replaced in the Application Control package

For unsupported categories, refer to sk106783.

  • Before upgrade (optional):

    1. In R7x SmartDashboard, go to the Application & URL Filtering tab
    2. In the left pane, click on Policy
    3. Search for the categories listed in the message
    4. Delete those categories from the rules
    5. Save the changes: go to the File menu - click on the Save
    6. Run the upgrade again
  • After upgrade:

    1. In R80.10 SmartConsole, go to the Application layer
    2. Search for the categories listed as those that should be deleted
    3. Delete those categories from the rulebase
    4. Publish the changes
'Send error page' option is no longer supported 'Send error page' UI configuration was removed from protections Database contains protections with enabled 'Send error page' This is no longer supported and will be disabled

 

R80.10 Multi-Domain Security Management Server

Title Symptom (user experience) Cause Solution
Errors - Products and features Check Point no longer supports
Products and features that are no longer supported in R80.10 and need to be removed to proceed with the upgrade to R80.10
Global IPS Modes Detector The following Domains are subscribed to Global IPS Subscription to Global IPS using Merge or Override modes is no longer supported
  1. Domains, which are subscribed to these legacy Global IPS modes, will now use Exclusive mode (for more information about Exclusive mode, refer to the R80.10 Multi-Domain Security Management Administration Guide).
  2. After the upgrade is completed, make sure to re-assign the Global Policy to all Domain Management Servers that are subscribed to Global IPS and have an assigned Global Policy.
Errors - Configuration issues
These issues require a manual adjustment to enable the upgrade to R80.10
Source Version Upgrade Path Checker Migrate is not supported from version R65 Upgrade from the source version to the target version is not allowed.
The Supported Upgrade Paths are documented in the R80.10 Release Notes.
  1. Upgrade to one of the listed versions that can be upgraded to R80.10
  2. Upgrade to R80.10
Test for Domains without Domain Management Servers Found domains without management servers There are Domains without any Domain Management Servers
  1. Stop the database export
  2. Connect with SmartDomain Manager to the Multi-Domain Server
  3. Remove the Domains listed in the message
Test for Domains with no Hosting Multi-Domain Servers Found Domain Server hosted by non existing Multi Domain servers There are Domains that are not hosted on any Multi Domain Server Follow sk106077
Test for Domains with Out of Date Global Policies Found Domains with out of date Global Policies Global Policy was edited and was not installed Install Global Policy for the mentioned Domains
Test for "Enable for Global Use" Feature There are gateways enabled for Global Use

Either one or more of the following files contains an empty set:

  • $MDSDIR/conf/mdsdb/exported.C
  • $MDSDIR/conf/mdsdb/exported_domains.C
  • $MDSDIR/conf/exported.C
  • $MDSDIR/conf/exported_domains.C

Or there are Security Gateways that enabled for Global Use

  1. Log in to the Multi-Domain Server
  2. In the "General" tab, under 'Domain Contents', sort the contents of the table by the "Global Name" column
  3. For each object that has a global name, right-click and select "Disable Global Use"
Global Policy on Source Database Detector

"cma migrate" command on R80.10 prints a warning during pre-upgrade verification:

Global policy was detected on the source database
The Domain Management Server after migration will have Global rules and/or objects, but there will be no indication that a Global Policy is assigned to it After migration, in order to have a Global Policy assigned on this Domain, use either the Assign Global Policy, or the Stop the migration process and remove the global policy from the source database
Renamed Global Objects Detector Non updated renamed global objects were detected on the source database Some of the Global objects in the Global Policy were renamed and were not assigned to the Domains Stop the migration process and reassign the Global Policy on the source database
Assign Only Used Global Objects Feature Detector If you want to make sure that administrators can use only objects in assigned Global Policies, you must manually separate the global objects and global policies to multiple global Domains Assigning of used global objects is no longer supported Remove the objects that should be segregated from the Global Domain
Multiple Domain Management Servers with the same ICA Keys Detector You are about to import a database which contains a CA key that is identical to another Domain's CA key Duplicate CA key If you choose to continue the import operation, you should re-create the Domain Management Server's CA database by executing the 'sic_reset' as described in sk17197
Firmware References Detector A Domain Management Server/Security Management database that contains references to the SmartUpdate Package Repository can not be migrated The referenced object is not present on the original Security Management Server / Domain Management Server - neither in the SmartDashboard, nor in the SmartUpdate GUI Follow sk106640
VSX Objects Detector Management with VSX objects detected Database contains object of type vs_netobj, or vs_cluster_netobj - importing those objects without their "twin objects" vs_slot_obj at the Main Domain will cause database corruption Follow the instructions in How to VSX Migration for Multi-Domain Management document
Test for Domain Servers Missing from Database Found Corrupted Domain Management Servers There are Domain directories that do not exist in the database Delete the Domain directories from the $FWDIR/ directory
Test for Physically Deleted Domain Management Servers Found corrupted domain management servers The /conf/mdsdb/objects_5_0.C file contains references to Domains that do not exist in the customers.C file Contact Check Point Support for assistance or remove the object from the management database - $FWDIR/conf/objects_5_0.C (use dbedit, GuiDBedit Tool, or Vi editor)
Test for High Availability state of the Global database The High Availability state of the Global database on your Multi-Domain Server is in Standby mode The High Availability state of the Global database on your Multi-Domain Server is in "Standby" mode
  1. Import the Active Multi-Domain Server
  2. Import this server with the "-secondary" flag, or switch it to Active before export
Test for Non Existent Assigned Global Policies Found Domain Management Servers with non-existent global policies A Global Policy assigned to a Domain does not exist Contact Check Point Support for assistance, or remove the relevant policy from the management database on Domain Management Server - $FWDIR/conf/objects_5_0.C (use dbedit, GuiDBedit Tool, or Vi editor) - find "gp_name" attribute with the relevant policy and delete it

 

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment