206: tricks and traps when upgrading from r65 to r75 yasushi kono (computerlinks frankfurt)

Post on 16-Mar-2016


DESCRIPTION

206: Tricks and Traps When Upgrading from R65 to R75, Yasushi Kono (ComputerLinks Frankfurt). Yasushi Kono (CCSE R71 since Dec. 2010), working at ComputerLinks Germany since March 1999, working with Check Point Firewalls since version 4.1x. PowerPoint PPT presentation.

TRANSCRIPT

206: Tricks and Traps When Upgrading from R65 to R75

Yasushi Kono (ComputerLinks Frankfurt)

Who am I?

• Yasushi Kono (CCSE R71 since Dec. 2010)
• Working at ComputerLinks Germany since March 1999
• Working with Check Point Firewalls since version 4.1x
• Besides Check Point, specialist for RSA SecurID, Juniper Netscreen, Novell NetWare

• Target audience of this presentation: every technical support person in charge of upgrading a production environment to R75.

• Disclaimer: This presentation is based on experiences made in the field. Because production environments in general are unlikely to be similar to each other, the experiences described here are somewhat unique to the particular systems involved.

The customer environment before the upgrade:
• All Gateways based on Check Point R65.x
• SmartCenter on Windows, R65
• Gateways in the HQ based on IPSO 4.2 Build 111

Tasks to be Accomplished:
• Backing up the production environment's config
• Upgrading R65 licenses to Software Blade licenses
• Restoring the SMS onto test equipment
• Testing the SMS base functionality
• Doing the initial installation of the new SMS based on a Smart-1 Appliance
• Restoring the config onto the Smart-1 Appliance

Tasks to be Accomplished (cont.):
• Installing SmartEvent and SmartReporter on another Smart-1 Appliance
• Integrating SmartEvent into the Check Point infrastructure
• Installing the new IP Appliances from scratch
• Importing the IPSO config file into the new IP Appliances
• Upgrading the Branch Office Gateways


Task to be Accomplished:
• Backing up the production environment's config.

On the Management Server:
$FWDIR/bin/upgrade_tools/upgrade_export <Name of File>

On SPLAT Gateways:
[Expert@MyFirewall]# backup

On IPSO Gateways:
Via Voyager > Configuration > System Configuration > Configuration Sets

Task to be Accomplished:
• Upgrading R65 licenses to Software Blade licenses.

• The free license upgrade did not work as assumed:

R65: the SmartDefense license was attached to the Security Management Server.

R75: the IPS license is bound to individual nodes; therefore only one node ended up with IPS!

So, what are the consequences of that?

• Only one node has the IPS license attached.
• In failover scenarios it is not predictable which packet is being inspected by the IPS engine and which one is not.
• Check every cluster member with cplic print before cutover: each member must list the IPS blade, not just the one you happened to look at.

Task to be Accomplished:
• Restoring the SMS onto test equipment.

• Copy the output file created with the upgrade_export command to a local folder on the test machine and run upgrade_import there.
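The upgrade_export / upgrade_import round trip (export on the R65 SMS in the backup task above, copy to a local folder and import here), as an added example that is not part of the presentation or of Check Point's tooling: a POSIX shell wrapper that seals the export with a SHA-256 manifest and makes the import on the test machine conditional on that manifest still matching, so a truncated or altered copy is caught before it touches the new server. The function names, the default export name and the assumption that upgrade_export appends .tgz to the name you give it are mine, not the product's.

```shell
#!/bin/sh
# Added example, not part of the presentation or of Check Point's tooling.
# Wraps the R65 upgrade_export with a SHA-256 manifest and refuses to run
# upgrade_import on the test machine unless the copied file still matches.
# Assumptions: upgrade_export writes <name>.tgz, FWDIR is set by the
# Check Point shell, and sha256sum, shasum or openssl is available.
set -u

# Print only the hex SHA-256 of the file in $1, whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Write "<digest>  <basename>" to <file>.sha256 so it travels with the export.
write_manifest() {
    f=$1
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" > "$f.sha256"
}

# Return 0 only if the digest recomputed on this machine equals the one in
# the manifest; 2 if either file is missing, 1 on mismatch.
verify_manifest() {
    f=$1
    [ -f "$f" ] && [ -f "$f.sha256" ] || return 2
    expected=$(awk '{print $1}' "$f.sha256")
    actual=$(sha256_of "$f")
    [ "$expected" = "$actual" ]
}

# On the R65 Security Management Server: export, then seal the result.
export_sms_config() {
    name=${1:-r65_sms_$(date +%Y%m%d)}
    "${FWDIR:?run this from the Check Point shell}/bin/upgrade_tools/upgrade_export" "$name" || return 1
    write_manifest "$name.tgz"
}

# On the test machine, after copying <name>.tgz and <name>.tgz.sha256 over
# (scp, not FTP): import only a file whose manifest still verifies.
import_verified() {
    f=$1
    if ! verify_manifest "$f"; then
        echo "manifest check failed for $f; not importing" >&2
        return 1
    fi
    "${FWDIR:?run this from the Check Point shell}/bin/upgrade_tools/upgrade_import" "$f"
}

# Usage on the SMS:       export_sms_config r65_sms
# Usage on the test box:  import_verified r65_sms.tgz
```

Keep the .sha256 file on a different path from the export itself (for example, read it back to the engineer over the phone or mail it separately); a manifest that travels in the same FTP session as the archive only protects against accidental truncation, not against someone who can alter both.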

Task to be Accomplished:
• Testing the SMS base functionality.

• Compare the fingerprint: cp_conf finger get

The fingerprint reported by the restored test SMS must match the one the production SmartCenter showed (and that the SmartConsole clients have saved); treat a mismatch as a failed import, not as something to click through.

• Log in via SmartConsole:
  • Is it possible to authenticate?
  • Can you see all objects and rules?
  • Can you install the latest policy onto a Security Gateway?

Task to be Accomplished:
• Doing the initial installation of the new SMS based on a Smart-1 Appliance.

• Smart-1 Appliances come in two flavours: same hardware, but different products:
  • SmartEvent and SmartReporter on one box
  • Security Management Server on another box

Both machines had two different SecurePlatform Pro versions, but not the latest ones...

...so I had to install the boxes from scratch. Why not just do an in-place upgrade? How to do that?

Task to be Accomplished:
• Restoring the config onto the Smart-1 Appliance.

• After the appliance that will function as the Security Management Server has been installed, the next step is to import the configuration via the upgrade_import command.

Task to be Accomplished (cont.):
• Installing SmartEvent and SmartReporter on another Smart-1 Appliance.

• Mentioned previously already (see the Smart-1 Appliance installation above).

Task to be Accomplished (cont.):
• Integrating SmartEvent into the Check Point infrastructure.

• Establish SIC between both Smart-1 Appliances.

• Define the Correlation Unit and Log Server in the SmartEvent GUI.

• Define the Internal Networks (SmartEvent uses them to tell inbound from outbound traffic):

Task to be Accomplished (cont.):
• Installing the new IP Appliances from scratch.

• The new IP Appliances purchased recently came with IPSO 4.2 and Check Point R65.

So, you should upgrade the Boot Manager first. Therefore, obtain the appropriate Boot Manager file, namely nkipflash-6.2.bin.

• This file has to be copied to the local drive. This could be done via FTP (or, preferably, SCP; check the image's checksum against the one published with the download before flashing it).

• Then, the following command must be used:

upgrade_bootmgr wd0 nkipflash-6.2.bin

• The next step is to install IPSO 6.2 from scratch:

nokia[admin]# newimage -i -k

• After the IPSO installation, the next step is to install the Check Point software. You can employ the following command:

nokia[admin]# newpkg

Task to be Accomplished (cont.):
• Importing the IPSO config file into the new IP Appliances.

• Finally, import the configuration file created previously. Copy the appropriate file into the /config/db directory and use the following CLISH command:

clish> load cfgfiles r65backup

Task to be Accomplished (cont.):
• Upgrading the Branch Office Gateways.

• In order to upgrade remote gateways, you can do an in-place upgrade or accomplish this task via SmartUpdate. This should no longer be challenging.

• One great problem arose after an apparently successful migration:

Outlook 2010 clients are disconnected from the MS Exchange 2010 Server!!!!

• To make things worse: this problem turned out to be a global one!

• The administrators were aware of that problem, since they had had the same one with R65.

• They solved it by creating appropriate DCE-RPC service objects...

• ...and created a firewall rule by inserting these new objects into the service column.

• But, for some reason, this rule did not match anymore after upgrading!

• There are some articles in SecureKnowledge describing the same behaviour:

sk42222

sk43344

• As some of you might have imagined, both SecureKnowledge articles did not lead to any solution!

• To be honest, this problem is not yet solved!

• Just deactivating Microsoft-specific IPS features did not work!

The IPS protection mechanism was still active!

• As a workaround, I have configured Network Exceptions in IPS in order to bypass IPS settings within distinct networks.

• This step turned out to be necessary, but not sufficient! The Outlook clients remained disconnected from the MS Exchange Server!

• The reason: due to the numerous reconnect attempts made by the Outlook clients, the Exchange Server could not handle these requests!

• This forced the Exchange Server to dismount the Information Store!

• Unfortunately, Microsoft has forgotten to implement an auto mount feature!

• With this information in mind, you hopefully just have to remount the store (in Exchange 2010: Mount-Database in the Exchange Management Shell)!
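The symptom described above (Outlook clients dropped and reconnecting in bulk after the DCE-RPC rule stopped matching), as an added detection example that is not part of the presentation: a shell/awk filter that counts per-client drops to the Exchange server's TCP/135 endpoint-mapper port, the first port an Outlook MAPI session talks to, and flags sources above a threshold, so the scope of the problem (one client or global) is visible from the firewall log rather than from the help desk. The log lines are constructed and simplified to five whitespace-separated fields (time, action, source, destination, destination port); they are not in Check Point's fw log format, so adapt the field positions to your own export.

```shell
#!/bin/sh
# Added example, not from the presentation.  Constructed, simplified log
# excerpt: "<time> <action> <src> <dst> <dport>".  10.1.1.5 stands in for
# the Exchange server; the 10.1.20.0/24 addresses are Outlook clients.
# Real fw log output has more fields: adjust the $-positions in the awk.
SAMPLE_LOG='
10:00:01 drop 10.1.20.11 10.1.1.5 135
10:00:02 drop 10.1.20.11 10.1.1.5 135
10:00:02 drop 10.1.20.11 10.1.1.5 135
10:00:03 drop 10.1.20.11 10.1.1.5 135
10:00:01 drop 10.1.20.12 10.1.1.5 135
10:00:02 drop 10.1.20.12 10.1.1.5 135
10:00:03 drop 10.1.20.12 10.1.1.5 135
10:00:04 drop 10.1.20.13 10.1.1.5 135
10:00:05 accept 10.1.20.40 10.1.1.5 443
10:00:06 drop 10.1.20.40 10.1.1.5 445
'

# Read log lines on stdin and flag every source dropped on TCP/135 (the
# DCE-RPC endpoint mapper) at least $1 times.  Prints "<src> <drops>",
# highest count first.  Accepts and drops on other ports are ignored.
rpc_drop_storm() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        NF == 5 && $2 == "drop" && $5 == "135" { n[$3]++ }
        END { for (s in n) if (n[s] >= t) print s, n[s] }
    ' | sort -k2,2nr
}

# Number of distinct clients flagged in the sample: one or two points at a
# client problem, dozens means the rule itself stopped matching (the
# "global" case from the talk).
flagged_clients() {
    printf '%s\n' "$SAMPLE_LOG" | rpc_drop_storm "$1" | wc -l | tr -d ' '
}

# Worst offender, handy as the source address for an fw monitor filter.
top_client() {
    printf '%s\n' "$SAMPLE_LOG" | rpc_drop_storm "$1" | head -n 1 | cut -d' ' -f1
}

# Usage on a real export: fw log -n -l | <reformat to 5 fields> | rpc_drop_storm 20
```

Run it against the log window immediately after policy install: a jump from zero to many flagged clients within minutes of the install is the signature of a rule that silently stopped matching, and it shows up in the firewall log long before the Exchange store dismounts.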

• Finally, the migration task could be considered a success.

• No need to escape from the customer's premises
• No need for facial surgery
• No need to acquire a new identity

Any Questions?

• Thanks a lot for your attention!!!
