Your videos are really helpful for my daily job. Thx.
You're welcome :)
Keep up the good work. Great lectures.
Thank you :)
Thanks for this Content 👍
Thank you, next video it's time to upgrade some gateways :)
Need to test some of the new functions within R81.
@MagnusHolmberg-NetSec Great, will wait for it eagerly 👍
@MagnusHolmberg-NetSec when will you upload those videos? I really need to upgrade gateways in cluster
Thanks Mag !!!
Thank you, :)
In this case I haven't seen R81 live before so it was an interesting upgrade.
Very similar from R80.30 to R80.40 but still :)
Thanks and keep up the good work.
Hello Magnus, thank you for sharing a good informative video. I would like to ask you if you have any dedicated video on ./upgrade export and migrate import? Please share the link with me if you have already made one for it.
Hi, I don't think I have made any advanced upgrade video. I think that's within the CCSE and I haven't really made any videos for it as of yet.
Great video. Which Gaia version introduced MVC?
I believe it was R80.40, but when you are upgrading you can upgrade from lower versions.
Hi,
I want to configure manual nat.
For ex. We have configured one server with port no 80 and want to nat with port no 8081 for public user.
How to create nat rule.
If you check the nat rules you see that you can pick original destination port, and then change it to translate to another port.
So you are able to have like
ANY -> Server IP port: 8081 -> Translate to
keep org source -> Server IP port:80
For questions like this I would really recommend the checkmate community, so you can attach pictures/drawings etc.
Thanks for this Video ...
Hello, Magnus.
In your experience, to do a version upgrade in a SMS, for example from version R80.30 to version R81.
Is it always advisable to use the CPUSE method for the upgrade?
Or is it more advisable to do a FRESH INSTALL to the SMS from 0, to upgrade the version you want to use?
Thanks for your comments.
I have done upgrade with cpuse for my installations.
However, if you are going from something that did not have the 3.1 kernel and the new file system, I would do a fresh install and import everything to get the new file system, as it's quicker to run on and has some advantages when it comes to size.
Hi Magnus, in this lab you took the direct upgrade method, but in practice, which method is mostly preferable in customers' environments? Clean install, migrate export then import method, or directly upgrade via CPUSE?
One more quick question 43:34 you said that, if you do rollback again, you need to do a case to checkpoint. I did not get it, why you need a case to checkpoint for rollback. Can you revert the snapshot to older version by yourself? is it just for guarantee that you need to do a case to checkpoint?
For real production I actually do upgrade as well. I run my mgmt/logs in VMware so I don't change hardware on them, so there is no need for clean install.
Before it was recommended to do clean install etc, but after r80.x I don’t think this recommendation exists anymore.
@MagnusHolmberg-NetSec thank you
@Starmen2000 if you come from a very old version, it's good to make a clean install so you do get the new filesystem :)
I made clean when upgrading to R80.30 3.10 kernel.
awesome Magnus
Thank you :)
Hi Magnus, what are the specs of your PC (or server) to have the 4 virtual machines in your VMWare?. I'd like to start with it, thank you!
Am running my labs on my PC.
AMD 3900X (12 core / 24 threads, 3.8ghz)
64Gb ram
2TB nvme
thanks!
You're welcome :)
Hi Sir Mag, what is the purpose of installing the database on management server? Thanks
It has been to update the objects for the mgmt server, so the version etc is correct. Something I have always done, and it has been standing in documentation before. But I have seen now, at least when upgrading to R81.10 on MDS, that the installation has added the step of installing the database of all CMA by itself, so it should not be needed to do it manually later on, at least on newer upgrades :)
Well explained👍
Thank you! Took longer than expected but pretty seamless at least :)
@MagnusHolmberg-NetSec when can we expect a video on VPN?
Brother, I need your support. I need to work on upgrading active/active CP R77.30 to R80.30.
Customer concern as below
1. Direct upgrade from version R.77 to R.80:30 it’s not supported and need to use the configuration conversion tool to achieve that.
2. As discussed earlier, our DR site CP setup is Active/Active only, so this plan will not fit.
3. Rollback plan will have dependency as same as point no. 1
I would upgrade to a path that is supported, in this case R77.30 towards R80.40 and then go to R81
Magnus, I have two Security Gateways running R80.30, but they are running with kernel 2.6. Could I have a problem upgrading using CPUSE, or do you recommend a clean install in this case?
Should work just fine with CPUSE to upgrade.
The gw will not sync between each other so you will have a short outage of the traffic.
(I always use CPUSE myself for our gw and mgmt stations; for a clean installation you normally want to have physical or console/iLO access.)
The thing to be careful about is that the gw go active/active. So sometimes I try to shut down the switchports going to production traffic to be on the safe side and just keep the sync interfaces up, so it's possible to see how the gw see each other.
But this really depends on how you split up the interfaces available on the gw, if you have this possibility.
On older versions I would recommend a clean install, but nowadays after R80.10 upgrades should work just fine. The CPUSE on the new versions is more or less like a clean install according to R&D.
And going from 2.6 to 3.1 in cpuse upgrade is no issue.
I believe you don’t get the new file system when upgrading, but it’s not important on a gw.
Hi Magnus, I have one query. My checkpoint Management server is behind a checkpoint gateway. There is a 2nd checkpoint firewall that I wanted to integrate with the Management server over a WAN. I am able to reach the remote checkpoint from the management server, but the SIC status goes into the unknown state. I need a solution or suggestion for the same. Thanks in advance.
Do you see the communication from and to the mgmt within the firewall that is facing it? All should be nice and green.
If the firewall in front of it is managed by the same mgmt server it should go on default policy. (Meaning you don't even need to make a rule for it.)
If you are trying to connect a cluster, make sure you are actually connecting to the right interfaces, in this case it should be the external IP addresses and external interface of the firewall.
I would post a thread on the checkmate community, then you can add a topology drawing and some print screens that makes it a lot easier :)
I want to make an upgrade on EveLab. Can I upgrade or restore from a backup without a License?
I would say that you should be able to do that, because it will be like a new installation and then you have a 15 days trial period.
Hello, Magnus.
I currently have some equipment on R80.10 version and I want to bring it to R81.
Is it necessary to upgrade to R80.40 first, to make sure that there are no problems with the BACKUP of policies of my equipment that are in R80.10?
I have understood that to make the correct migration of policies to R81, I must use the "migration tools", is this true?
Check this one out; it will give you the correct files to be used and what steps are needed in upgrades, if any.
supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowupgradewizard
In regards to policy, not sure what you mean by that. Policies are moved over correctly either way.
There is a new file system when going from R80.10 to R81. This you will not get if just using CPUSE and upgrade.
For gateways this is not an issue. For mgmt servers it can be good to get the new file system as it allows for larger discs etc. If so, a clean install with migrate export / import is needed to get that.
Do you need a license to set up such a lab?
@Hunti21 when installing checkpoint you do get trial licenses that work for 14 days. You are also able to generate demo licenses if you have an account.