Introduction

Check Point introduces a new upgrade mechanism for the Security Management server for upgrades between R8X versions (from R80.20 and higher).

The new Security Management Upgrade mechanism provides several benefits:

• Includes updatable code that allows faster release of upgrade-related features and fixes.
• Security Management Servers with online access to checkpoint.com will be able to fetch the latest available upgrade packages automatically, eliminating the need for an administrator to download and import upgrade packages manually.
• New dynamic HTML upgrade report that shows the current status while upgrade is in progress and the final report once upgrade is done.

Upgrade Paths

Below is the matrix of source versions, from which you can upgrade (appear in the left-most column) and target versions, to which you can upgrade (appear in other columns) using the new upgrade mechanism.

	Target Version →
Source Version ↓	R80.20	R80.20.M2	R80.30	R80.40	R81	R81.10	R81.20
R80.20.M1
R80.20
R80.20.M2
R80.30
R80.40
R81
R81.10

Legend:

• - This upgrade path is supported.

• - This upgrade path is not supported (the source version is higher than or equal to the target version).

• - This upgrade path is not handled by the "new upgrade", but by another mechanism.

In some cases, updating the Upgrade Tools manually to the latest is required to perform the upgrade. The cases are:

1. Poor Internet connectivity between the Management Server and Check Point Download Center.
2. The Management Server is not connected to the Internet.
3. The setting to perform an automatic update of the CPUSE Agent is disabled
   (Gaia Portal -> Upgrades (CPUSE) -> Software Updates Policy ->
   the checkbox "Automatically update Deployment Agent (recommended)" is cleared).

To install the latest version of the Check Point Upgrade Tools Package manually:

1. Make sure your Deployment Agent is up-to-date.
   To download latest Deployment Agent, refer to sk92449.

2. Download the applicable Check Point Upgrade Tools Package from the table below:

   Target Version (to which you upgrade)	Download Link
   R81.20	(TGZ)
   R81.10	(TGZ)
   R81	(TGZ)
   R80.40	(TGZ)
   R80.30	(TGZ)
   R80.20.M2	(TGZ)
   R80.20	(TGZ)

   IMPORTANT: Do NOT open the TGZ file and do NOT manually install the RPM file.
   Follow the instructions below to import and install the upgrade tools package with CPUSE only.
   If CPUSE cannot install this package, contact Check Point Support for assistance.

3. Make sure the hash checksum of the downloaded package is the same as appears on its download page in the fields MD5, SHA1, or SHA256.

   Hash	Expert Mode Command on Gaia OS	PowerShell Command on Windows OS
   MD5	md5sum <Name of TGZ File>	Get-FileHash <Path>\<Name of TGZ File> -Algorithm MD5
   SHA1	sha1sum <Name of TGZ File>	Get-FileHash <Path>\<Name of TGZ File> -Algorithm SHA1
   SHA256	sha256sum <Name of TGZ File>	Get-FileHash <Path>\<Name of TGZ File> -Algorithm SHA256

4. Import the Check Point Upgrade Tools Package on the Management Server in one of these ways:

   • In Gaia Portal:

     Refer to sk92449 - section (4-A-c) Show / Hide import instructions for Offline procedure - Gaia Portal

   • In Gaia Clish:

     Refer to sk92449 - section (4-A-d) Show / Hide import instructions for Offline procedure - Gaia Clish

5. Install the Check Point Upgrade Tools Package on the Management Server in one of these ways:

   • In Gaia Portal:

     Refer to sk92449 - section (4-B-a-i) Show / Hide installation instructions in Gaia Portal for Hotfixes

   • In Gaia Clish:

     Refer to sk92449 - section (4-B-a-iii) Show / Hide installation instructions in Gaia Clish for Hotfixes

6. Make sure the package is installed on the Management Server.
   Run in the Expert mode:

   cpprod_util CPPROD_GetValue CPupgrade-tools-<VERSION> BuildNumber 1

   <Version> is the target version, to which you plan to upgrade. One of these:
   R81.20, R81.10, R81, R80.40, R80.30, R80.20.M2, R80.20

   Example:

   [Expert@MyMgmt]# cpprod_util CPPROD_GetValue CPupgrade-tools-R81.20 BuildNumber 1
997000570
[Expert@MyMgmt]#

   The output must show the same build number you see in the name of the downloaded TGZ package.

   Important - Output of the "cpinfo -y all" command does not show the Upgrade Tools Package because it is not an update / hotfix package.

Note for the Advanced Upgrade

If you encountered one of the "Symptoms" of sk164932, use the '-skip_upgrade_tools_check' flag during any migration operation, after you update the Upgrade Tools package to the latest version:

Command	Syntax / Example
Verify	Syntax	$MDS_FWDIR/scripts/migrate_server verify -skip_upgrade_tools_check -v <Target Version> <Target Version> is the target version, to which you upgrade. One of these: R81.20, R81.10, R81, R80.40, R80.30, R80.20.M2, R80.20
	Example	[Expert@MyMgmt:0]# $MDS_FWDIR/scripts/migrate_server verify -skip_upgrade_tools_check -v R81.20
Export	Syntax	$MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check -v <Target Version> <Path and Name of the Export TGZ file>
	Example	[Expert@MyMgmt:0]# $MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check -v R81.20 /var/log/Export_for_Upgrade_from_R8020_to_R8120.tgz
Import	Syntax	$MDS_FWDIR/scripts/migrate_server import -skip_upgrade_tools_check -v <Target Version> <Path and Name of the Exported TGZ file>
	Example	[Expert@HostName:0]# $MDS_FWDIR/scripts/migrate_server import -skip_upgrade_tools_check -v R81.20 /var/log/Export_for_Upgrade_from_R8020_to_R8120.tgz

Notes:

• Refer to sk163814 - Security Management Upgrade troubleshooting (new upgrade process).

• Schedule a maintenance window. The "migrate_server" command may restart all Check Point services on your Management Server.

• On a Multi-Domain Security Management Server, the "migrate_server" command covers all Domains, as opposed to the previous "migrate" script that only collected the local Domain, to which you were currently logged in.