Support Center > Search Results > SecureKnowledge Details
Security Management upgrade from R80.20.M1 to R80.20
Solution

Table of Contents

  • Introduction
  • Procedures:
    • Upgrading a Security Management Server from R80.20.M1 to R80.20 with CPUSE
    • Upgrading a Security Management Server from R80.20.M1 to R80.20 with Advanced Upgrade
  • Known Limitations

 

Introduction

Check Point has enhanced its Security Management upgrade process by creating a new mechanism.
The upgrade from R80.20.M1 to R80.20 GA is done using the new management upgrade mechanism, which is expected to serve upgrades between future R8X versions (post R80.20).

The new Security Management Upgrade mechanism provides several benefits:

  • Allows faster general availability of new features by Check Point Security Management. 
  • Allows Check Point to introduce new features that are focused on the Security Management upgrade experience.
  • Basis for Domain Migration Tools for Multi-Domain customers. Tools such as per-domain export and import will be available later.
  • Security Management Servers with online access to checkpoint.com will be able to fetch the latest available upgrade packages automatically, eliminating the need for an administrator to download and import upgrade packages manually.


The new Security Management Upgrade mechanism applies to the following R80.20.M1 products:

  • Security Management Server
  • Log Server
  • SmartEvent
  • Endpoint Security Management Server
  • CloudGuard Controller 


General Notes: 

  • As part of the new mechanism, the instructions for Advanced Upgrade are different than pre-R80.20 upgrades. For more information see the Upgrading a Security Management Server from R80.20.M1 to R80.20 with Advanced Upgrade section.

  • Customers whose upgrade fails with the message "This upgrade path is not yet available publicly. To upgrade now, please contact Check Point support" are either:

    • Multi-Domain Management Server version R80.20.M1 customers. Show / Hide Instructions

      R80.20.M1 Multi-Domain Management Server customers who wish to upgrade to R80.20, should contact Check Point Support with a request to upgrade from R80.20.M1 to R80.20.

      Then:

      1. Check Point Support responds to the ticket and asks the user to collect several inputs from the customer's Management Server.
      2. Check Point verifies offline that the customer's configuration is valid for an upgrade.
      3. Check Point approves the upgrade. If needed, customers may be asked to run additional steps prior to the upgrade.

      Later on, Multi-Domain Management Server upgrade from R80.20.M1 to R80.20 will become available without the need of a support ticket.

      OR

    • Customers running an outdated upgrade package (see the procedures below on how to update to the latest upgrade package)

For more information, see the R80.20 Installation and Upgrade Administration Guide

 

Procedures

Upgrading a Security Management Server from R80.20.M1 to R80.20 with CPUSE

  1. Backup your Security Management Server
    It is recommended that you backup your existing Security Management Server by taking a snapshot using the Gaia Backup and Restore web page.

  2. Make sure that this server has the latest Deployment Agent package.
    For more information, see sk92449 and navigate to "Download the latest build of CPUSE Agent".

  3. Perform the upgrade.
    CPUSE saves a snapshot in case the upgrade fails, exports your configuration to a temporary location on your Security Management Server, creates a new partition, imports the exported configuration, verifies the completeness of the upgrade, and finally, replaces your existing partition with the new partition.

    An upgrade to major version R80.20 should appear at the Status and Actions web page. For more information about in-place upgrades with CPUSE, see R80.20 Installation and upgrade admin guide.

  4. Connect with R80.20 SmartConsole to your upgraded Security Management Server.
    Download R80.20 SmartConsole from sk122485.

    Note: Your Security Management Server may not be ready for connecting with SmartConsole immediately after upgrade. To check its readiness to accept client connections, run this script:  $MDS_FWDIR/scripts/cpm_status.sh

 

Upgrading a Security Management Server from R80.20.M1 to R80.20 with Advanced Upgrade

  1. Backup your Security Management Server
    It is recommended that you backup your existing Security Management Server by taking a snapshot using the Gaia Backup and Restore web page.

  2. Perform the upgrade

    1. Export your configuration from your Security Management Server running R80.20.M1:

      1. Make sure that this server has the latest Deployment Agent package. For more information, see sk92449 and navigate to "Download the latest build of CPUSE Agent".

        Note: If your Security Management Server does not have access to Check Point Download Center, see how to download and install the latest relevant Upgrade Tools package at sk135172.

      2. Verify that your Security Management Server is ready for upgrade by running the following command:

        $MDS_FWDIR/scripts/migrate_server verify -v R80.20

        Notes:
        • This step is recommended, but is not mandatory. The next step, which exports the configuration, starts with running the verification, however Check Point recommends that you prepare for the upgrade by performing the verification as a separate step.
        • Prior to R80, there used to be a command named pre_upgrade_verifier. It has been deprecated since R80. Attempts to run pre_upgrade_verifier on a Security Management Server with version R80 and above will fail

      3. Export the Security Management configuration on your source machine by running the following command:

        $MDS_FWDIR/scripts/migrate_server export -v R80.20 <output export path>

        Note: the name of the command has changed in R80.20 from migrate export to migrate_server export. Attempts to run migrate export" on an R80.20.M1 Security Management Server with the R80.20 tools will fail.

    2. Import your configuration to your Security Management Server running R80.20:

      1. Make sure that this server has the latest Deployment Agent package.
        For more information, see sk92449 and navigate to "Download the latest build of CPUSE Agent".

        To upgrade, make sure that the latest package is installed on your Server. To do so, log in to the Expert mode via SSH and run the following command:

        [Expert@Hostname:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R80.20 BuildNumber 1

        If the output is not 99200004or higher, download and install the latest relevant Upgrade Tools package as described in sk135172.

      2. Import the Security Management configuration on your destination machine by running the following command:

        $MDS_FWDIR/scripts/migrate_server import <exported file from step 2.a.3>

        Note: the name of the command has changed in R80.20 from "migrate import" to "migrate_server import". Attempts to run "migrate import" on an R80.20.M1 Security Management Server with the R80.20 tools will fail.

  3. Connect with R80.20 SmartConsole to your upgraded Security Management Server.

    Download R80.20 SmartConsole from sk122485.

    Note: Your Security Management Server may not be ready for connecting with SmartConsole immediately after upgrade. To check its readiness to accept client connections, run this script: $MDS_FWDIR/scripts/cpm_status.sh

 

 

Known Limitations

Listed below are Known Limitations when upgrading a Security Management Server from R80.20.M1 to R80.20:

  • To upgrade a Secondary Multi-Domain Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Secondary Multi-Domain Server and connect it to their next version Primary Multi-Domain Server.
  • To upgrade a Multi-Domain Log Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Multi-Domain Log Server and connect it to their next version Multi-Domain Server.
  • To upgrade a secondary Security Management Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Secondary Management Server and connect it to their next version Security Management Server.
  • Database Revisions are not kept when upgrading from R80.20.M1 to the next version. 
Applies To:
  • SMCUPG-500 , SMCUPG-502

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment