{"id":342,"date":"2019-10-25T15:38:00","date_gmt":"2019-10-25T15:38:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=342"},"modified":"2024-11-17T17:29:41","modified_gmt":"2024-11-17T17:29:41","slug":"migrating-checkpoint-r77-30-to-r80-30","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/migrating-checkpoint-r77-30-to-r80-30\/","title":{"rendered":"Migrating Checkpoint R77.30 to R80.30"},"content":{"rendered":"\n

<\/p>\n\n\n

R77.30 is now EoL and no longer supported by Checkpoint, the recommendation is to migrate any existing management servers, or upgrade security gateways on to R80.x<\/p>\n

The recommendation is also to migrate any Windows management servers to GAIA as going forward Checkpoint will not support this type of deployment.<\/p>\n

In this step-by-step guide, we will be migrating a R77.30 Windows management server onto a R80.30 GAIA virtual appliance, we will also upgrade the gateway to R80.20.<\/p>\n

We will not be migrating out the logs, I will cover the import process for logs in a separate post.<\/p>\n

The current topology is setup as below:<\/p>\n

<\/p>\n

The Windows 2008 R2 Server is a virtual machine within Hyper V running as the Checkpoint management server, the gateway is a virtual appliance managed using the Checkpoint management server and the Windows 10 Client is running the Checkpoint \u201cSmart tools\u201d for management access.<\/p>\n

We will initially use migration tools on the Windows 2008 R2 server to perform verification that the migration Is possible. Following the success, we will export out the R77.30 database from the Windows management server. We will build a new VM on R80.30 running GAIA OS, this will be used to import the exported database. New Smart tools will be installed onto the windows client machine ,once the Import process is successful, we will test and push out policies from the new GAIA management server. The final steps will be to upgrade the gateway to R80.20 using the CPUSE.<\/p>\n

Please note that the same IP address and hostname will need to be used for the new GAIA management server, therefore there will be a requirement to isolate each device.<\/p>\n

<\/p>\n

Lets get started!<\/p>\n

Preparation<\/strong><\/p>\n

Step 1.<\/strong>\u00a0Download the migration tools for the windows platform,<\/p>\n

To download the migration tools for Windows, you will need to navigate to the checkpoint R80.30 product page, this is\u00a0sk144293, you will need a valid support contract to download the relevant files.<\/p>\n

https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144293&partition=General&product=All%22<\/a><\/p>\n

on the page scroll down to\u00a0\u201cAdditional Download and Products\u201d, and download R80.30 management Server Migration Tool \u2013\u00a0\u201cAll Windows versions (TGZ)\u201d<\/p>\n

<\/p>\n

Step 2.<\/strong>\u00a0Once the file has downloaded, extract the files.<\/p>\n

<\/p>\n

I preferred to rename the folder to make navigation easier due to the length of the original filename.<\/p>\n

<\/p>\n

Copy this extracted folder in the following directory on the Windows Management Server,<\/p>\n

\u201cC:\\Windows\\FW1\\R77\\fw1\\bin\\upgrade_tools\u201d<\/p>\n

<\/p>\n

Step 3.<\/strong>\u00a0Launch a command prompt as Administrator and change to the directory where the new tools have been placed.<\/p>\n

#cd %FWDIR%\\bin\\upgrade_tools\\upgrade_tools<\/p>\n

<\/p>\n

To ensure we are in the correct directory, issue<\/p>\n

#dir<\/p>\n

<\/p>\n

We should see a list files such as\u00a0\u201cmigrate.exe\u201d \u201cpre_upgrade_verifier\u201d<\/p>\n

Step 4.<\/strong>\u00a0The Pre Upgrade Verifier is the most essential tool, as it will run a scan of the current environment and advise if the upgrade path that we have chosen is possible. It will also highlight any issues that need to be rectified before an upgrade can take place.<\/p>\n

If we run the tool, we can see what the usage requirements are, including syntax<\/p>\n

#pre_upgrade_verifier.exe<\/p>\n

<\/p>\n

Once we have determined our requirements we can run the tool with the correct syntax<\/p>\n

#pre_upgrade_verifier.exe \u2013p %FWDIR% -c R77 \u2013t R80<\/p>\n

Above we have specified the following<\/p>\n

pre_upgrade_verifier.exe<\/strong>\u00a0\u2013 run the tool<\/p>\n

\u2013p %FWDIR%\u00a0<\/strong>\u2013 the current location of R77.30 is in the following path<\/p>\n

-c R77<\/strong>\u00a0\u2013 Current installed version is R77<\/p>\n

\u2013t R80<\/strong>\u00a0\u2013 target version we wish to upgrade to is R80<\/p>\n

<\/p>\n

We can see that the tool has run successfully and an output file is placed in the following location<\/p>\n

\u201cC:\\Windows\\FW1\\R77\\log\u201d.<\/p>\n

<\/p>\n

If we launch the pre_upgrade_verification_report in html we can view it with a web browser<\/p>\n

<\/p>\n

From the report it is clear that this environment can be successfully upgraded to R80.30, there are a few warnings \u2013 these warning refer to legacy default profiles, as we don\u2019t use them this issue will not affect us.<\/p>\n

We can safely move onto migrating out the database.<\/p>\n

Exporting out the database<\/strong><\/p>\n

Step 1.<\/strong>\u00a0To ensure the database is exported out correctly, close down all connections to Smart Dashboard. On the Windows Management Server, stop the checkpoint services, by clicking\u00a0\u201cStart\u201d\u00a0\u2013\u00a0\u201cCheckpoint\u201d\u00a0\u2013\u00a0\u201cStop Security Management Server\u201d<\/p>\n

<\/p>\n

<\/p>\n

Step 2.<\/strong>\u00a0From command prompt, run the migrate tool to see what options are available and the syntax that is required for the export.<\/p>\n

#migrate.exe<\/p>\n

<\/p>\n

From the output we can see the following:<\/p>\n

-l<\/strong>\u00a0\u2013 This option allows the export\/import to be completed with logs but without the log indexes.<\/p>\n

-x<\/strong>\u00a0\u2013 This option allows the export\/import to be completed with logs and the log indexes<\/p>\n

Both of the above options are for exporting\/importing the logs, however option \u2013x should be used if\u00a0\u201cSmart Log\u201d\u00a0is being used, this will ensure the indexes are carried across with the export.<\/p>\n

As we are not using smart log and we are migrating the logs separately, we can simply bypass these options and export out the database only.<\/p>\n

#migrate.exe export R80.30<\/p>\n

Migrate.exe<\/strong>\u00a0\u2013 we are saying, run the import\/export tool<\/p>\n

Export\u00a0<\/strong>\u2013 export out the database<\/p>\n

R80.30<\/strong>\u00a0\u2013 Filename of the exported file<\/p>\n

The location the file will be placed into will be the root folder of where the tool is running from, ensure you have enough disk space to allow this to complete successfully. Alternatively, you can specify a path.<\/p>\n

<\/p>\n

Select\u00a0\u201cy\u201d\u00a0at the prompt<\/p>\n

<\/p>\n

The process will run, this can take a long time depending on how big the database is. Let it run and be patient, the process is not highly interactive.<\/p>\n

<\/p>\n

Once complete it will specify the operation completed successfully and the location of where the exported file has been exported to.<\/p>\n

<\/p>\n

If we navigate to the location of the exported file,<\/p>\n

\u201cC:\\Windows\\FW1\\R77\\fw1\\bin\\upgrade_tools\\upgrade_tools\\R80.30.tgz\u201d<\/p>\n

we can see that a .tgz file is now available. This file size will vary and depends on how large the environment is \u2013 we only have a few objects within this database however if this was a real production database this could be a few gigabytes.<\/p>\n

<\/p>\n

Step 4<\/strong>. To ensure our file is not corrupted during the transfer and import process, we can capture the MD5 hash of the file for comparison later.\u00a0 Using a MD5 hash tool, check the hash key and save the MD5 Hash to a text file.<\/p>\n

<\/p>\n

Step 5.<\/strong>\u00a0As we will be using the same IP address we need to ensure the Windows management server is isolated, therefore store the required files within a specific folder and copy them off the Windows management server, this can be copied to a central location such as a shared folder or a client machine that will be used to access the new GAIA management server on R80.30.<\/p>\n

<\/p>\n

Step 6<\/strong>. Isolate the Windows Management Server,<\/p>\n

i.e if within a virtual environment \u2013 disconnect the virtual NIC<\/p>\n

if within a physical environment \u2013 disconnect the network cable\/shutdown the switch port<\/p>\n

Build the new GAIA Management Server<\/strong><\/p>\n

Step 1.<\/strong>\u00a0Create a new VM, within Hyper V, Click\u00a0\u201cNew\u201d\u00a0and select\u00a0\u201cVirtual Machine\u201d<\/p>\n

<\/p>\n

Give the new machine a name, in this case\u00a0\u201cR80.30-MGMT Server\u201d\u00a0and select a location to store the virtual machine. Click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Note that when using Hyper V either Generation 1 or 2 will can be used, if using VMware Linux Red Hat will need to be selected.<\/p>\n

Full recommended specs can be found here:<\/p>\n

https:\/\/sc1.checkpoint.com\/documents\/R80.30\/WebAdminGuides\/EN\/CP_R80.30_RN\/html_frameset.htm?topic=documents\/R80.30\/WebAdminGuides\/EN\/CP_R80.30_RN\/215443<\/a><\/p>\n

<\/p>\n

Select\u00a0\u201cGeneration 1\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Specify the required memory, minimum recommended memory for the Security Management Server is 6GB, click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Select the correct network or virtual switch and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Create a new virtual hard disk (VHD) or select an existing one, depending on the environment this will vary, the minimal recommended size is 500GB, in this case we are creating a new VHD with 80GB disk space. Specify the location to store this and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Attach the ISO file \u201cCheck_Point_R80.30_T200_Security_Management.iso\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

The ISO can be downloaded directly from Checkpoint.<\/p>\n

https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=84064<\/a><\/p>\n

<\/p>\n

Review the summary and click\u00a0\u201cFinish\u201d<\/p>\n

<\/p>\n

Step 2.<\/strong>\u00a0Right click the VM and\u00a0\u201cConnect\u201d\u00a0to the Virtual Machine<\/p>\n

<\/p>\n

Select\u00a0\u201cFile\u201d\u00a0and click\u00a0\u201cSettings\u201d<\/p>\n

<\/p>\n

Select \u201cProcessor\u201d\u00a0and increase the number of processors to 4, click\u00a0\u201cApply\u201d\u00a0and hit\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Step 3.<\/strong>\u00a0Start the Virtual machine<\/p>\n

<\/p>\n

At the prompt select\u00a0\u201dInstall Gaia on this system\u201d<\/p>\n

<\/p>\n

At the prompt, select\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Select\u00a0\u201cUS\u201d\u00a0and it\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

At the disk partitions page you will need to work out how to allocate this, it will depend on your logging and backup requirements.<\/p>\n

In this case we are using the default settings, select\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Specify the password for the local Admin account and select\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Specify the management IP address and subnet mask, we don\u2019t need a default gateway unless we are managing this device from a different subnet.<\/p>\n

As we will be using this machine to migrate the existing R77.30 environment onto, the IP address must match the current device.<\/p>\n

Click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Select\u00a0\u201cOK\u201d\u00a0to start the installation<\/p>\n

<\/p>\n

<\/p>\n

At the prompt select\u00a0\u201cReboot\u201d<\/p>\n

<\/p>\n

Prepare the new GAIA Management Server<\/strong><\/p>\n

Step 1.<\/strong>\u00a0Open a browser and navigate to the IP address of the GAIA Management Server,\u00a0\u201chttps:\/\/192.168.1.101\u201d<\/p>\n

Click\u00a0\u201cAdvanced\u201d\u00a0and select\u00a0\u201cProceed to 192.168.1.101 (unsafe)\u201d<\/p>\n

<\/p>\n

At the login prompt login using the admin credentials created earlier.<\/p>\n

<\/p>\n

Step 2.<\/strong>\u00a0Upon login the\u00a0\u201cFirst Time Configuration Wizard\u201d\u00a0will automatically run, click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Select\u00a0\u201cContinue with R80.30 Configuration\u201d, click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Review the IP address details and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Specify the host name of the device, and DNS information. As we are performing a migration the host name must match the current R77.30 Windows Management Server<\/p>\n

Click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Ensure the date and time settings are correct and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Select\u00a0\u201cSecurity Management\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Leave the default\u00a0\u201cUse Gaia Administrator\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

You may specify the networks\/hosts that are allowed to connect to the device, or you may leave this for later once the migration is complete. In this case we can leave it as\u00a0\u201cAny IP Address\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Click\u00a0\u201cFinish\u201d\u00a0to begin configuration<\/p>\n

<\/p>\n

Select\u00a0\u201cYes\u201d<\/p>\n

<\/p>\n

Once the configuration is complete, at the prompt click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

The device does not need a reboot and will normally redirect you to the main page.<\/p>\n

<\/p>\n

Step 3.<\/strong>\u00a0In some cases, you may find that the management server fails to load after a first reboot, this normally indicates a bad installation, to verify that the server has installed and configured successfully \u2013 this will be a good time to test this.<\/p>\n

From the CLI issue a reboot, alternatively we can do a CPSTOP\/CPSTART<\/p>\n

#reboot<\/p>\n

#y<\/p>\n

<\/p>\n

Step 4.<\/strong>\u00a0Once the device is back up and running issue the following commands to check the status of the server.<\/p>\n

#$MDS_FWDIR\/scripts\/cpm_status.sh<\/p>\n

#$MDS_FWDIR\/scripts\/server_status.sh<\/p>\n

<\/p>\n

Smart Console Installation<\/strong><\/p>\n

Step 1.<\/strong>\u00a0On the Windows client machine that will be used to run smart console, install the application.<\/p>\n

Download the correct version of the application and double click to run the installation wizard.<\/p>\n

<\/p>\n

At the security prompt select\u00a0\u201cYes\u201d<\/p>\n

<\/p>\n

Smart Console normally requires additional pre-requisites such as C++ select\u00a0\u201cOK\u201d\u00a0at the prompt to continue.<\/p>\n

<\/p>\n

Select the installation directory and click\u00a0\u201cinstall\u201d, the location specified below is the default.<\/p>\n

<\/p>\n

The installation will run and will take some time to complete.<\/p>\n

<\/p>\n

Once the installation is complete, click\u00a0\u201cFinish\u201d\u00a0and launch the application<\/p>\n

<\/p>\n

Step 2.<\/strong>\u00a0Now that we have the GAIA management server ready and the smart console application for R80.30 is installed on our client device, we can login to the new server and verify its all working before we begin importing in the database.<\/p>\n

At the login window, specify username and password that was created earlier on the new management server and specify the IP address of the device, click\u00a0\u201clogin\u201d<\/p>\n

<\/p>\n

During the first initial connection, the certificate fingerprint will be shown to verify you are connecting to the correct device. Before clicking proceed, you can match the fingerprint to ensure it is correct.<\/p>\n

<\/p>\n

Step 3.<\/strong>\u00a0On the console window of the management server, login and type<\/p>\n

#cpconfig<\/p>\n

<\/p>\n

Select option\u00a0\u201c(7) Certificate\u2019s Fingerprint\u201d\u00a0from the presented menu, you may save this fingerprint to a file or simply compare with the smart console warning message.<\/p>\n

Step 4.<\/strong>\u00a0Click\u00a0\u201cProceed\u201d\u00a0on the smart console window and connect to the management server.<\/p>\n

Smart console will now load, as you can see below, there is no configuration and no gateways present.<\/p>\n

<\/p>\n

We have now confirmed, this device is ready and available for our migration of R77.30. close all the windows and sessions<\/p>\n

Importing the Database<\/strong><\/p>\n

Step 1<\/strong>. In order to be able to transfer the database onto the GAIA appliance, we need to use an application such as WINSCP, this requires the user to connect as\u00a0\u201cBash\u201d\u00a0this essentially means connecting to the Linux shell, to do this we can elevate the permissions to take the user straight to bash upon login.<\/p>\n

This can be done either the CLI or GUI,<\/p>\n

CLI \u2013<\/p>\n

Connect to the GAIA Management Server appliance using console\/SSH and<\/p>\n

#set expert-password<\/p>\n

#expert<\/p>\n

#chsh \u2013s \/bin\/bash admin<\/p>\n

<\/p>\n

GUI \u2013<\/p>\n

Login into the GAIA management Server Web GUI, navigate to\u00a0\u201cUsers\u201d\u00a0select the\u00a0\u201cadmin\u201d\u00a0user and hit\u00a0\u201cEdit\u201d\u00a0from the left hand side under\u00a0\u201cShell\u201d\u00a0select\u00a0\u201c\/bin\/bash\u201d<\/p>\n

Click\u00a0\u201cOK\u201d.<\/p>\n

<\/p>\n

Step 2.<\/strong>\u00a0Run WINSCP, specify the IP address of the GAIA Management Server, specify the username, password and click\u00a0\u201cLogin\u201d<\/p>\n

<\/p>\n

Step 3.<\/strong>\u00a0From the left hand window, navigate and locate the exported database, on the right hand window locate the directory to copy the database to, in this case we will use \/home\/admin\/<\/p>\n

Drag the file from the source directory into the destination directory to begin uploading<\/p>\n

<\/p>\n

Verify the file has completed the transfer, it should be visible in the target directory.<\/p>\n

<\/p>\n

Step 4.<\/strong>\u00a0The shell can now be turned back from bash to clish<\/p>\n

#chsh -s \/etc \/etc\/cli.sh admin<\/p>\n

<\/p>\n

Lets now compare the MD5 hash of the transferred file against the exported file hash, this way we can verify the transfer process was successful and the integrity of the file is still intact. The GAIA management server has this tool integrated therefore we can simply run the check using the following:<\/p>\n

#md5 \/home\/admin\/R80.30.tgz<\/p>\n

<\/p>\n

If we now compare the output against our previously exported has, this should match \u2013 if there is any inconsistency between the two, repeat the above steps<\/p>\n

<\/p>\n

Step 5. Once the file integrity has been verified, we can begin the import process of the database. The migration tools already exist as part of the software; therefore, we do not need to download\/install these. If we change our directory as below, we can run the application.<\/p>\n

#cd $FWDIR\/bin\/upgrade_tools\/\u00a0\u2013 change to the directory to run the migration tools<\/p>\n

#unset TMOUT\u00a0\u2013 do not timeout the connection during the import process<\/p>\n

#.\/migrate import \/home\/admin\/R80.30.tgz\u00a0\u2013 import the database, filename is R80.30.tgz<\/p>\n

At the prompt to stop all Checkpoint services, select\u00a0\u201cY\u201d<\/p>\n

<\/p>\n

The database will begin extracting and the importing process will begin. This can take a long time so if there is no activity for long periods its best to keep waiting until confirmation is displayed.<\/p>\n

Once the import process is successful, at the prompt select\u00a0\u201cY\u201d\u00a0to restart the Checkpoint services.<\/p>\n

<\/p>\n

Step 6.<\/strong>\u00a0The services can take some time to come back up therefore it\u2019s a good idea to check the status using the below<\/p>\n

#$MDS_FWDIR\/scripts\/cpm_status.sh<\/p>\n

#$MDS_FWDIR\/scripts\/server_status.sh<\/p>\n

<\/p>\n

Step 7.<\/strong>\u00a0Launch\u00a0\u201cSmart Console\u201d\u00a0from the Windows client machine and connect to the new GAIA management server, note that the fingerprint has now changed, before clicking proceed again its best to verify the certificate fingerprint one more time.<\/p>\n

<\/p>\n

#cpconfig<\/p>\n

Select option\u00a0\u201c(7) Certificate\u2019s Fingerprint\u201d\u00a0from the menu and compare with the smart console warning message.<\/p>\n

At the prompt\u00a0\u201cDo you want to save it to a file?\u201d\u00a0Select\u00a0\u201cn\u201d<\/p>\n

Select option\u00a0\u201c(9) Exit\u201d<\/p>\n

<\/p>\n

Step 8.<\/strong>\u00a0Click\u00a0\u201cProceed\u201d\u00a0at the fingerprint warning message and connect to the GAIA management server<\/p>\n

From the console we can see that our rules have been successfully migrated.<\/p>\n

<\/p>\n

If we navigate the\u00a0\u201cGATEWAYS & SERVERS\u201d\u00a0tab we can see that our gateway is now present, SIC did not require re-establishment the original connection was maintained as part of the migration. You may notice that the GAIA management servers is running R80.30 however the gateway is still running R77.30, this is not a problem and the gateways will continue to work with the management server although this is of a higher software version. However we will look at upgrading the gateway too.<\/p>\n

<\/p>\n

Step 9.<\/strong>\u00a0From the menu, select\u00a0\u201cInstall database\u201d<\/p>\n

<\/p>\n

Select the gateway and click\u00a0\u201cInstall\u201d<\/p>\n

<\/p>\n

You can monitor the task at the bottom left hand pane, this should install successfully<\/p>\n

<\/p>\n

If we click\u00a0\u201cDetails\u201d\u00a0we can see the full window and further details, click\u00a0\u201cClose\u201d<\/p>\n

<\/p>\n

Step 10.\u00a0<\/strong>Lets now install a policy and verify this is successful, click the\u00a0\u201cInstall Policy\u201d<\/p>\n

<\/p>\n

Select\u00a0\u201cAccess Control\u201d\u00a0and\u00a0\u201cThreat Prevention\u201d\u00a0(Although Threat Prevention will only install if it is enabled and the gateway is running R80.x) Click\u00a0\u201cInstall\u201d<\/p>\n

<\/p>\n

From the\u00a0\u201cRecent Tasks\u201d\u00a0pane click\u00a0\u201cDetails\u201d<\/p>\n

<\/p>\n

The access policy installation should be successful, this indicates the GAIA management server is able to communicate with the gateway correctly and that policies can be applied successfully.<\/p>\n

<\/p>\n

Step 11.<\/strong>\u00a0If we take a look on the gateway, we can verify the policy installation was successful<\/p>\n

#fw stat<\/p>\n

<\/p>\n

Now that the policy is installed the new GAIA management server will start capturing the logs for the traffic identified under each access rule. We can see these flowing in<\/p>\n

<\/p>\n

Upgrading the gateway<\/strong><\/p>\n

There are two ways of upgrading the security gateway devices, whether they are single devices or as part of a cluster you may perform one of the following:<\/p>\n

Use CPUSE \u2013 Checkpoint Update Service Engine, this is the live method by contacting Checkpoint services online directly from the gateway and obtaining the correct download files and installing them via an interactive session, this can be carried out via the web GUI or CLI. A valid service contract is required for this functionality.<\/p>\n

Manually upload the correct upgrade software on to the security gateway and run the installation either via the GUI or CLI using an interactive session.<\/p>\n

In this example we will use the CPUSE, we will also jump to R80.20 for the gateway, to ensure we are at least one version behind.<\/p>\n

Step 1.<\/strong>\u00a0Login to the gateway and navigate to\u00a0\u201cUpgrades (CPUSE)\u201d\u00a0\u2013\u00a0\u201cStatus and Actions\u201d<\/p>\n

From the list we can see that CPUSE has made contact with the checkpoint servers and is able to provide a list of recommended upgrades, this includes minor versions and major versions.<\/p>\n

<\/p>\n

Select and highlight the correct version,\u00a0\u201cR80.20 Fresh Install and Upgrade for Security Gateways and Standalone\u201d, right click and select\u00a0\u201cVerifier\u201d\u00a0to ensure upgrade is possible.<\/p>\n

<\/p>\n

Once the tool provides verification that the installation is allowed, select\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Step 2.<\/strong>\u00a0Right click the version again and select\u00a0\u201cDownload\u201d<\/p>\n

<\/p>\n

The download process should begin, this may take some time depending on the bandwidth available, the file is is above 2GB<\/p>\n

<\/p>\n

Once the download has completed successfully, this will be displayed under the status for the file.<\/p>\n

<\/p>\n

Step 3.<\/strong>\u00a0Right click the file once again and select\u00a0\u201cUpgrade\u201d\u00a0to begin upgrading the gateway.<\/p>\n

<\/p>\n

At the warning prompt notification, select \u201cOK\u201d the device will automatically reboot once the installation is complete.<\/p>\n

<\/p>\n

The installation will run, and the progress can be tracked on the same page, if the device times out and logs out, simply log back in and navigate back. This may be required multiple times.<\/p>\n

<\/p>\n

Once the installation is complete, the system will go down for a reboot, from the right hand pane we can see that the package installation is complete.<\/p>\n

<\/p>\n

<\/p>\n

Once the gateway is back up, login to the new version of the gateway<\/p>\n

<\/p>\n

On the main page, we can the device now is running R80.20 and the interfaces has changed to the new version.<\/p>\n

<\/p>\n

Step 4.<\/strong>\u00a0If we navigate to the smart console and take a look at the gateway, its still displayed as R77.30, to update this, we need to right click the gateway and select\u00a0\u201cEdit\u201d<\/p>\n

<\/p>\n

At this point the smart console should detect the new version of the gateway, if it does not we can simply click\u00a0\u201cGet\u201d<\/p>\n

Click\u00a0\u201cOK\u201d\u00a0on both windows and close them<\/p>\n

<\/p>\n

At the gateway information this should now display the correct version, select\u00a0\u201cInstall Policy\u201d\u00a0to install this and verify policy installation is still working after upgrading.<\/p>\n

<\/p>\n

At the window, select\u00a0\u201cPublish & Install\u201d<\/p>\n

<\/p>\n

Click\u00a0\u201cInstall\u201d<\/p>\n

<\/p>\n

The installation should be successful, click\u00a0\u201cClose\u201d<\/p>\n

<\/p>\n

 <\/p>","protected":false},"excerpt":{"rendered":"

R77.30 is now EoL and no longer supported by Checkpoint, the recommendation is to migrate any existing management servers, or upgrade security gateways on to<\/p>\n","protected":false},"author":1,"featured_media":461,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,6],"tags":[39,53,54,51,52],"class_list":["post-342","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-checkpoint-firewall","category-security","tag-checkpoint","tag-checkpoint-migration","tag-gaia","tag-r77-30","tag-r80-30"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=342"}],"version-history":[{"count":2,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/342\/revisions"}],"predecessor-version":[{"id":460,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/342\/revisions\/460"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/461"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}