Support Center > Search Results > SecureKnowledge Details
Security Management upgrade from/to Management Feature Release
Solution

Table of Contents

  • Introduction
  • Procedures:
    • Upgrading a Security Management Server with CPUSE
    • Upgrading a Security Management Server with Advanced Upgrade
  • Known Limitations

 

Introduction

Check Point has enhanced its Security Management upgrade process by creating a new mechanism.

The supported upgrades paths are:

  • R80.20.M1 to R80.20
  • R80.20 to R80.20.M2
  • R80.20.M1 to R80.20.M2

The upgrade is done using the new management upgrade mechanism, which is expected to serve upgrades between future R8X versions (post R80.20).

The new Security Management Upgrade mechanism provides several benefits:

  • Allows faster general availability of new features by Check Point Security Management. 
  • Allows Check Point to introduce new features that are focused on the Security Management upgrade experience.
  • Basis for Domain Migration Tools for Multi-Domain customers. Tools such as per-domain export and import will be available later.
  • Security Management Servers with online access to checkpoint.com will be able to fetch the latest available upgrade packages automatically, eliminating the need for an administrator to download and import upgrade packages manually.


The new Security Management Upgrade mechanism applies to the following products:

  • Security Management Server (primary only)
  • Multi-Domain Security Management (primary only)
  • Log Server
  • SmartEvent
  • Endpoint Security Management Server
  • CloudGuard Controller 


General Notes: 

  • As part of the new mechanism, the instructions for Advanced Upgrade are different than pre-R80.20 upgrades. For more information see the Upgrading a Security Management Server with Advanced Upgrade section.

  • For more information, see the R80.20 Installation and Upgrade Administration Guide

 

Procedures

Upgrading with CPUSE

  1. Backup your Security Management Server
    It is recommended that you backup your existing Security Management Server by taking a snapshot using the Gaia Backup and Restore web page.

  2. Make sure that this server has the latest Deployment Agent package.
    For more information, see sk92449 and navigate to "Download the latest build of CPUSE Agent".

  3. Perform the upgrade.
    CPUSE saves a snapshot in case the upgrade fails, exports your configuration to a temporary location on your Security Management Server, creates a new partition, imports the exported configuration, verifies the completeness of the upgrade, and finally, replaces your existing partition with the new partition.

    An upgrade to the next major version should appear at the Status and Actions web page. For more information about in-place upgrades with CPUSE, see the R80.20 Installation and Upgrade Administration Guide.

  4. Connect with R80.20 or R80.20.M2 SmartConsole to your upgraded Security Management Server.
    The SmartConsole package can be downloaded from sk122485.

    Note: Your Security Management Server may not be ready for connecting with SmartConsole immediately after upgrade. To check its readiness to accept client connections, run this script:  $MDS_FWDIR/scripts/cpm_status.sh

 

Upgrading with Advanced Upgrade

  1. Backup your Security Management Server
    It is recommended that you backup your existing Security Management Server by taking a snapshot using the Gaia Backup and Restore web page.

  2. Perform the upgrade

    1. Export your configuration from your source Security Management Server:

      1. Make sure that this server has the latest Deployment Agent package. For more information, see sk92449 and navigate to "Download the latest build of CPUSE Agent".

        Note: If your Security Management Server does not have access to Check Point Download Center, see how to download and install the latest relevant Upgrade Tools package at sk135172.

      2. Verify that your Security Management Server is ready for upgrade by running the following command:

        [Expert@MGMT:0]# $MDS_FWDIR/scripts/migrate_server verify -v <version>

        <version>
        can be R80.20 or R80.20.M2

        Notes:
        • This step is recommended, but is not mandatory. The next step, which exports the configuration, starts with running the verification, however Check Point recommends that you prepare for the upgrade by performing the verification as a separate step.
        • Prior to R80, there used to be a command named pre_upgrade_verifier. It has been deprecated since R80. Attempts to run pre_upgrade_verifier on a Security Management Server with version R80 and above will fail

      3. Export the Security Management configuration on your source machine by running the following command:

        [Expert@MGMT:0]# $MDS_FWDIR/scripts/migrate_server export -v <version> <output export path>

        <version>
        can be R80.20 or R80.20.M2

        Syntax options:

        • -v - Specifies the version, to which you plan to upgrade.
        • -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the upgrade tools
        • -l - Exports the Check Point logs without log indexes in the $FWDIR/log/ directory.
          Tis command can export only closed logs (to which the information is not currently written).
        • -x - Exports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
          This command can export only closed logs (to which the information is not currently written).


        Note: the name of the command has changed in R80.20 from migrate export to migrate_server export. Attempts to run migrate export" on an R80.20.M1 or R80.20 Security Management Server with the R80.20 tools will fail.

    2. Import your configuration to your target Security Management Server:

      1. Make sure that this server has the latest Deployment Agent package.
        For more information, see sk92449 and navigate to "Download the latest build of CPUSE Agent".

        To upgrade, make sure that the latest package is installed on your Server.
        To do so, log in to the Expert mode via SSH and run the following command:

        [Expert@MGMT:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-<version> BuildNumber 1

        <version>
        can be R80.20 or R80.20.M2

        If the output is not 99200004or higher, download and install the latest relevant Upgrade Tools package as described in sk135172.

      2. Import the Security Management configuration on your destination machine by running the following command:

        [Expert@MGMT:0]# $MDS_FWDIR/scripts/migrate_server import <exported file from step 2.a.3>

        Syntax options:

        • -v - Specifies the version, to which you plan to upgrade.
        • -skip_upgrade_tools_check - Does not try to connect to Check Point Cloud to check for a more recent version of the upgrade tools.
        • -l - Imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
        • -x - Imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.

        Note: the name of the command has changed in R80.20 from "migrate import" to "migrate_server import". Attempts to run "migrate import" on an R80.20.M2 or R80.20 Security Management Server with the R80.20 tools will fail.

  3. Connect with R80.20/R80.20.M2 SmartConsole to your upgraded Security Management Server.

    Download R80.20 SmartConsole from sk122485.

    Note: Your Security Management Server may not be ready for connecting with SmartConsole immediately after upgrade. To check its readiness to accept client connections, run this script: $MDS_FWDIR/scripts/cpm_status.sh

 

 

Known Limitations

Listed below are Known Limitations when upgrading a Security Management Server via the supported upgrade paths:

  • To upgrade a secondary Multi-Domain Security Management Server from R80.20.M1/R80.20 to the next version, users must perform a clean install of the next version on their secondary Multi-Domain Server and connect it to their next version primary Multi-Domain Server.
  • To upgrade a Multi-Domain Log Server from R80.20.M1/R80.20 to the next version, users must perform a clean install of the next version on their Multi-Domain Log Server and connect it to their next version Multi-Domain Server.
  • To upgrade a secondary Security Management Server from R80.20.M1/R80.20 to the next version, users must perform a clean install of the next version on their secondary Security Management Server and connect it to their next version Security Management Server.
  • Database Revisions are not kept when upgrading from R80.20.M1/R80.20 to the next version. 
Applies To:
  • SMCUPG-500 , SMCUPG-502

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment