r75.30 release notes - check point...
TRANSCRIPT
© 2012 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12964
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date Description
16 April 2012 Update to Endpoint Connect compatibility table
02 April 2012 Added release of dual boot, fixed IP appliance support for Disk Based only models
14 March 2012 Added Clean Install instructions
8 March 2012 Updates to Required Disk Space
26 February 2012 Added IPSO 6.2 support for SmartWorkflow
7 February 2012 Update to installation instructions
29 January 2012 Added R75.20 to the list of Gateway versions supported by this release of management
16 January 2012 Added gateway/client compatibility
12 January 2012 Added upgrade instructions for maintaining customizations
9 January 2012 Update to Disk Space requirements, added supported appliances
5 January 2012 First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:[email protected]?subject=Feedback on R75.30 Release Notes).
Contents
Important Information ............................................................................................. 3 Introduction ............................................................................................................. 5
What's New ......................................................................................................... 5 Important Solutions.............................................................................................. 5
Supported Upgrade Path ........................................................................................ 5 Compatibility with Gateways and Endpoint Clients .............................................. 6
Supported Security Products by Platform ............................................................ 7 Supported OS on Open Servers .......................................................................... 7 Supported Appliances ......................................................................................... 8 Security Gateway Software Blades ...................................................................... 9 Security Management Software Blades ..............................................................10 Clients and Consoles by Windows Platform .......................................................11
Required Disk Space ............................................................................................ 12 Console Requirements ......................................................................................... 12 Build Numbers ...................................................................................................... 13 Installing R75.30 ................................................................................................... 14
New Installation ..................................................................................................14 Cleaning IPSO Flash-Based Gateways .........................................................14 Downloading the Clean Install Package .........................................................14 Clean Install on Flash-Based with CLI ...........................................................15 Clean Install on Flash-Based with Manual Download .....................................15 Clean Install on Disk-Based with Network Voyager ........................................15 Installing the Client Applications ....................................................................16
Upgrading ...........................................................................................................17 Before You Upgrade! .....................................................................................17 Downloading the Upgrade Package ...............................................................17 Upgrading with CLI ........................................................................................18 Upgrading with CLI for IPSO Flash-Based .....................................................19 Upgrading with SmartUpdate .........................................................................20 Upgrading with the SecurePlatform Web User Interface ................................20
Troubleshooting IPS-1 Sensor ............................................................................. 21 Uninstalling ........................................................................................................... 22
Introduction
R75.30 Release Notes | 5
Introduction Thank you for updating to Check Point version R75.30. This version resolves issues for R75.20. Please read this document carefully before installing R75.30.
Important - Check Point software versions R75.10 or higher must have a valid Software Blades license. Users with NGX licenses cannot install the software. To migrate NGX licenses to Software Blades licenses, see Software Blade Migration (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html) or contact Account Services.
If you manage GX gateways from a Security Management server, you must regenerate your GX licenses in the User Center to be compliant with Software Blades. This procedure is optional for Multi-Domain Servers and Domain Management Servers.
What's New This release has numerous resolutions to known limitations of earlier releases.
Dual Boot on appliances:
Check Point appliances are preinstalled with two images: R71.40 and R75.30.
To learn how to change images on an appliance, see the relevant R75.30 Image Management Guide.
Important Solutions Check Point R75.30 Home Page - sk66283 (http://supportcontent.checkpoint.com/solutions?id=sk66283)
R75.30 Resolved Issues - sk66286 (http://supportcontent.checkpoint.com/solutions?id=sk66286)
R75.30 Known Limitations - sk66284 (http://supportcontent.checkpoint.com/solutions?id=sk66284)
Supported Upgrade Path R75.20 Security Gateways, Security Management servers, and Multi-Domain Servers can be upgraded to R75.30.
Important - If you installed any hotfix post R75.20, run the Validation utility (http://supportcontent.checkpoint.com/documentation_download?ID=13681).
Supported Upgrade Path
R75.30 Release Notes | 6
Compatibility with Gateways and Endpoint Clients R75.30 Management servers (Security Management server and Multi-Domain Server) can manage Check Point gateways and Endpoint Security clients of these versions.
Release Version
Gateways
Security Gateway NGX R65, R70, R70.1, R70.20, R70.30, R70.40, R71, R71.10, R71.20, R71.30, R75, R75.10, R75.20
DLP-1 R71 and higher
IPS-1 R71
Series 80 R71
VSX VSX NGX R65, VSX NGX R67
Connectra Centrally Managed NGX R66
UTM-1 Edge 7.5.x and above *
GX 4.0
Endpoint Clients
SecureClient up to SecureClient NGX R60 HFA 3 with support for Windows 7 32-bit
Endpoint Connect up to Endpoint Connect R73 HFA1
Endpoint Security up to R73 HFA1
*- UTM-1 Edge and Safe@ devices that use locally configured VPN connections with download configuration settings, may experience VPN connectivity failure with R75.30 Security Gateways. To enable this configuration with R75.30, see sk65369 (http://supportcontent.checkpoint.com/solutions?id=sk65369).
Supported Security Products by Platform
R75.30 Release Notes | 7
Supported Security Products by Platform
These tables show the security products related to this release and on which platforms they are supported.
Supported OS on Open Servers You can install these Check Point components on a platform that supports and is running these operating systems.
OS \ Component Security Management Server
Security Gateway Multi-Domain Security Management
SecurePlatform
MS Windows Server 2003 SP1* or SP2, on 32-bit
MS Windows Server 2008, MS Windows Server 2008 R2 SP1 or SP2
32 or 64
32-bit
MS Windows XP Professional SP3 32-bit
MS Windows 7 Professional, Enterprise, Ultimate, 32 or 64
Red Hat EL 5.0 32-bit
Red Hat EL 5.4 kernel 2.6.18, 32-bit
Crossbeam X-series
Solaris Ultra-SPARC 8, 9, 10 (on Sun M-Series)
* - For Windows 2003 SP1, you must install the hotifx specified in Microsoft KB 906469 (http://support.microsoft.com/kb/906469).
Supported Security Products by Platform
R75.30 Release Notes | 8
Supported Appliances
Platform Security Management Server
Security Gateway Multi-Domain Security Management
2200 Appliance
4000 Appliances
12000 Appliances
21400 Appliance
Smart-1 Appliances 5, 25, 50 50, 150
IP150, IP280, IP290, IP390, IP560, IP690, IP1280, IP2450
(on IPSO Disk-
Based)
(on IPSO Disk-Based or
Flash-Based*)
Power-1 Appliances
UTM-1 Appliances
* - 1G of RAM is enough to run Firewall, IPS and VPN blades only. To activate more blades, 2G of RAM is required on IP290, IP390, and IP560 flash-based appliances.
You cannot upgrade these appliances to R75.30:
Series 80
UTM-1 Edge
IPS-1 Sensor
VSX-1
DLP-1
Supported Security Products by Platform
R75.30 Release Notes | 9
Security Gateway Software Blades
Software Blade Operating System
Check Point Microsoft Crossbeam
Secure Platform
IPSO 6.2 Disk- based
IPSO 6.2 Flash- based
Windows Server 2003
Windows Server 2008
X-series
Firewall
Identity Awareness
IPSec VPN
IPS4
Mobile Access
DLP1
Application Control4
Anti-Virus & Anti-Malware
URL Filtering4
Anti-Spam & Email Security
Web Security
Advanced Networking - QOS
Advanced Networking - Dynamic Routing and Multicast Support
Acceleration & Clustering 2
2
3
Notes about Security Gateway Software Blades
1. DLP supports High-Availability clusters, including Full HA.
DLP supports Load Sharing clusters in the Detect mode.
On UTM-1 130/270, you can use DLP with Firewall and other Security Gateway software blades, or with Firewall and Security Management software blades.
The DLP portal supports these web browsers: Internet Explorer 6, 7, 8, 9; Firefox 3,4; Chrome 8; and Safari 5.
2. Only Clustering is supported on Windows. Acceleration is not supported.
3. Only third-party clustering is supported on Crossbeam.
4. HTTPS Inspection is not supported Windows.
Supported Security Products by Platform
R75.30 Release Notes | 10
Security Management Software Blades
Software Blade Operating System
Check Point Microsoft RedHat Linux
Solaris
Secure Platform
IPSO 6.2 Disk- based
Windows Server 2003
Windows Server 2008
Windows XP, 7
RHEL 5.0, 5.4
Ultra- SPARC
Network Policy Management
Endpoint Policy Management
Logging & Status
Monitoring
SmartProvisioning
Management Portal*
User Directory
SmartWorkflow
SmartEvent **
SmartReporter
* Management Portal is supported on the following Web browsers: Internet Explorer 7, and Firefox 1.5 - 3.0
** SmartEvent is supported on 32-bit only.
Supported Security Products by Platform
R75.30 Release Notes | 11
Clients and Consoles by Windows Platform
Check Point Product
XP Home (SP3) 32-bit
XP Pro (SP3) 32-bit
Server 2003 (SP1-2) 32-bit
Server 2008 (SP1-2) 32-bit
Vista (SP1) 32-bit
Vista (SP1) 64-bit
Windows 7
Ultimate & Enterprise 32-bit
Windows 7 Ultimate & Enterprise 64-bit
SmartConsole 1
2
2
SmartDomain Manager
SecureClient
Endpoint Security VPN
3
3
SSL Network Extender
3
3
DLP User Check
DLP Exchange Agent
4
4
Identity Agent 3
3
Remote Access Clients E75.x
3
3
Notes about Clients and Consoles
1. SmartConsole supports Windows Server 2008 R2.
2. SmartConsole supports Windows 7 Professional (32 and 64 bit).
3. Endpoint Security VPN, SSL Network Extender, and Identity Agent clients support all editions of Windows 7.
4. DLP Exchange Agent supports Exchange Server 2007 and Exchange Server 2010 on both Windows Server 2003 64-bit (SP1-2) and Windows Server 2008 64-bit (SP1-2). A 32-bit version is available for demo or educational purposes.
Required Disk Space
R75.30 Release Notes | 12
Required Disk Space
Note - It is safe to delete the downloaded .tgz file after it is extracted, to have more disk space for installation.
Required Disk Space for Installation on Security Management Server
Operating System Packed and Extracted .tgz File
During Installation* Final Used Disk Space
SecurePlatform/
Linux
/var - 700 MB
root - 160 MB
/opt - 745 MB
/var - 300 MB
root - 4.7 MB
/opt - 351 MB
/var - 100 MB
IPSO Disk-based
/var - 540 MB
/opt - 400 MB
/var - 100 MB
/opt - 150 MB
/var - 100 MB
Windows 630 MB 690 MB 600 MB
Solaris
/var - 300 MB
/opt - 345 MB
/var - 400 MB
/opt - 190 MB
/var - 400 MB
* During installation, the process may use additional disk space that will be released when installation ends.
Required Disk Space for Installation on Security Gateway
Operating System Packed and Extracted .tgz File
During Installation* Final Used Disk Space
SecurePlatform
/var - 1.3 GB
root - 170 MB
/opt - 700 MB
/var - 1 GB
root - 12 MB
/opt - 500 MB
/var - 700 MB
IPSO Disk-based
/var 700 MB
/opt - 345 MB
/var - 500 MB
/opt - 185 MB
/var - 400 MB
IPSO Flash-based /preserve - 295 MB /preserve - 700 MB
/opt - 20 MB
/var - 400 MB
/preserve - 6 MB
/opt - 16 MB
/var - 170 MB
Windows 590 MB 680 MB 520 MB
* During installation, the process may use additional disk space that will be released when installation ends.
Console Requirements This table shows the minimum hardware requirements for console applications: SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, and SmartEvent, SecureClient Packaging Tool, SmartUpdate, and SmartDomain Manager.
Build Numbers
R75.30 Release Notes | 13
Component Windows
CPU Intel Pentium Processor E2140 or 2 GHz equivalent processor
Memory 1024MB
Available Disk Space 900MB
Video Adapter Minimum resolution: 1024 x 768
Build Numbers This table contains the R75.30 software products updated in this release and their build numbers. To confirm that the hotfix is installed, run the version command for each product. If the command returns the build number shown here, or the last three digits of the build number, the hotfix is installed.
Software Blade / Product Upgrade Clean Install Version Command*
Security Gateway 983625066 983625126 fw ver -k
Security Management 983625008 983625008 fwm ver
SmartConsole Applications
983625020 983625022 Help > About Check Point <Application Name>
Multi-Domain Server 983625022 983625022 fwm mds ver
SmartDomain Manager 983625012 983625012 Help > About Check Point SmartDomain Manager
SecurePlatform 983625007 983625023 upgrade - splat_ver
clean install - ver
* When you run the command on a CLI, it shows only the last three digits of the build number.
Installing R75.30
R75.30 Release Notes | 14
Installing R75.30
In This Section
New Installation 14
Upgrading 17
Important - Check Point software versions R75.10 or higher must have a valid Software Blades license. Users with NGX licenses cannot install the software. To migrate NGX licenses to Software Blades licenses, see Software Blade Migration (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html) or contact Account Services.
If you manage GX gateways from a Security Management server, you must regenerate your GX licenses in the User Center to be compliant with Software Blades. This procedure is optional for Multi-Domain Servers and Domain Management Servers.
New Installation R75.30 is released as:
an upgrade to version R75.20
a clean installation for IPSO Flash-based appliances, including 1GB and 2GB Flash appliances (IP29x,IP39x and IP56x)
Cleaning IPSO Flash-Based Gateways
To install on IPSO, clean the Security Gateway of Check Point installations, TGZ files, and unused IPSO images. You use Network Voyager or the command shell. (Use Voyager to delete unused IPSO images.)
To delete Check Point packages using Network Voyager:
1. Click Configuration > System Configuration > Packages > Delete Packages.
2. Select an installation package to delete, and click Apply.
3. Delete TGZ files.
4. Click Apply.
To delete Check Point packages using command shell:
1. Run: newpkg -q
The output is the list of installed packages. Use this output in the next commands.
2. Run: newpkg -u <package name>
3. Run: rm opt/packages/<tgz name>
To delete unused IPSO images using Network Voyager:
1. Click Configuration > System Configuration > Images > Manage Images.
2. Click Delete IPSO Images.
3. Select the IPSO image to delete, and click Apply.
Downloading the Clean Install Package
Download the R75.30 Full ISO package for your platform from the Check Point Support Center.
Installing R75.30
R75.30 Release Notes | 15
Platform Package
Power-1, UTM-1, 2012 Models Check_Point_R75.30_Appliance.iso
Smart-1 Appliances Check_Point_R75.30_Smart-1.iso
IPSO 6.2 Disk-based Check_Point_R75.30_IPSO6.2.tgz
IPSO 6.2 Flash-based Check_Point_R75.30_Fresh.IPSO6_2.tgz
Clean Install on Flash-Based with CLI
To install on IPSO Flash-based Security Gateway with CLI:
1. If there are installed Check Point installations, TGZ files, or unused IPSO images, clean the gateway ("Cleaning IPSO Flash-Based Gateways" on page 14).
2. Make sure there is enough free disk space for installation.
3. Download the R75.30 Fresh Install Package for IPSO 6.2 Flash-based Systems (Check_Point_R75.30_Fresh.IPSO6_2_Flash.tgz ) to /preserve/opt/packages.
4. Run: newpkg
5. Type the number (1 - 3) for the FTP server or local path where the TGZ is.
6. Enter the IP address, credentials, and pathnames when prompted.
7. Type y to download the TGZ. The file is downloaded and installation starts.
8. When prompted for installation type, type 1 to select Install this as a new package.
R75.30 is installed under /opt.
Clean Install on Flash-Based with Manual Download
To install on IPSO Flash-based Security Gateway with manual download:
1. Download the R75.30 Fresh Install Package for IPSO 6.2 Flash-based Systems (Check_Point_R75.30_Fresh.IPSO6_2_Flash.tgz).
2. Install the package:
Network Voyager - See "Installation on IPSO" in the R75.20 Installation and Upgrade Guide.
Command Line add package - Copy the file to an ftp server and run:
add package media ftp addr <ip_address> user <username> password
<password> name Check_Point_R75.30_Fresh.IPSO6_2_Flash.tgz
Clean Install on Disk-Based with Network Voyager
To install on IPSO disk-based appliances with Network Voyager:
1. Download the package: Check_Point_R75.30_IPSO6.2.tgz.
2. Put the downloaded package on an FTP site or on your local disk.
3. Log in to your appliance using Network Voyager.
4. In the Network Voyager tree, select Configuration > System Configuration > Packages > Install Package.
5. Upload the package file using one of these methods:
Upload from an FTP site:
a) In the Voyager Install Package window, select FTP.
b) Enter the name or IP address of the FTP server.
c) Enter the path to the directory on the FTP server where the packages are stored.
d) If necessary, enter the applicable user name and password.
e) Click Apply. The names of the available packages show in the Site Listing window.
Installing R75.30
R75.30 Release Notes | 16
f) Select the package .tgz file in the Site Listing window and click Apply.
g) When the <package name> downloaded to message shows, click it and then click Apply again.
Upload from a local disk:
(i) In the Voyager Install Package window, select Upload.
(ii) Click Browse and navigate to the package .tgz file.
(iii) Click Apply.
(iv) Select the package .tgz file in the Unpack Package window and click Apply.
6. Click the Click here to install/upgrade link to continue with the installation.
7. In the Package Installation and Upgrade pane, select Install and then click Apply.
8. Click the Install Package branch in the Voyager tree to see the installation progress.
9. Go to the Manage Packages page.
The R75.30 and Check Point CPInfo packages are automatically activated during installation (disk-based appliances only).
Enable other packages, with the compatibility packages, as needed for your deployment.
Important - When you install a package using Network Voyager, this message shows:
Voyager environment has been updated with the latest package
info.
The telnet session environment will be updated by:
logging out and logging in again the telnet session.
This message can be misleading. Click Manage Packages to verify that the package is actually installed correctly. Refresh the page periodically until you see that the installation is complete.
10. Log out of Network Voyager and then log in again.
Installing the Client Applications
The client applications for this release are part of the Check Point SmartConsole.
To manually install the SmartConsole:
1. Download R75.30 SmartConsole for Windows: Check_Point_SmartConsole_R75.30.Windows.exe
2. Double-click the file to install the SmartConsole.
To install the Multi-Domain Security Management SmartDomain Manager:
1. Download R75.30 SmartDomain Manager for Windows: Check_Point_R75.30_SmartDomain_Manager.Windows.exe
2. Double-click the file to install the SmartDomain Manager.
Installing R75.30
R75.30 Release Notes | 17
Upgrading
Important - If you installed any hotfix post R75.20, run the Validation utility (http://supportcontent.checkpoint.com/documentation_download?ID=13681).
We recommend that you back up your system before installing this release package. Save a manually created image before you install.
Before You Upgrade!
If you use the Mobile Access Software Blade and you edited the R75.20 configurations, make sure that you review the edits before you upgrade to R75.30.
1. Open these files and make note of your changes.
Data Path
Gateway Configurations $CVPNDIR/conf/cvpnd.C
Apache Configuration Files $CVPNDIR/conf/httpd.conf
$CVPNDIR/conf/includes/*
Local certificate authorities $CVPNDIR/var/ssl/ca-bundle/
DynamicID (SMS OTP) Local Phone List $CVPNDIR/conf/SmsPhones.lst
RSA configuration /var/ace/sdconf.rec
Any PHP files that were edited
Any image file that was replaced (*.gif, *.jpg)
2. Upgrade to R75.30.
3. Update Endpoint Compliance (SmartDashboard > Mobile Access > Endpoint Security On Demand > Update Databases Now).
4. Manually edit the new versions of the files, to include your changes.
Do not overwrite the R75.30 files with your customized files!
Downloading the Upgrade Package
Download the R75.30 upgrade package for your platform from the Check Point Support Center.
Platform R75.30 Upgrade Package Upgrade Procedure
SecurePlatform, Linux on open server
Appliances: Power-1, UTM-1, Smart-1, 21000, 12000 appliances, 40000 appliances
Check_Point_Upgrade_for_R75.30_Splat.tgz SecurePlatform
Web UI
CLI
SmartUpdate
IPSO 6.2 Disk-based
Check_Point_R75.30_Upgrade.IPSO6_2.tgz CLI
SmartUpdate
Installing R75.30
R75.30 Release Notes | 18
Platform R75.30 Upgrade Package Upgrade Procedure
IPSO 6.2 Flash-based (*) Check_Point_R75.30_Upgrade.IPSO6_2_Flash.tgz IPSO Flash-
Based CLI
SmartUpdate
Windows Check_Point_R75.30_Upgrade.Windows.tgz CLI
SmartUpdate
Solaris Check_Point_R75.30_Upgrade.Solaris.tgz CLI
* This upgrade package is only for appliances with 4GB Flash (IP69x, IP128x and IP245x). For appliances with 2GB Flash (IP29x, IP39x and IP56x), you must do a clean install.
Upgrading with CLI
You can use these instructions to install R75.30 using the CLI on open servers and IP series appliances, except for IPSO Flash-based appliances. To install on IPSO flash-based appliances, you must use the CLI instructions for IPSO flash-based appliances.
To install on Check Point appliances with SecurePlatform, use the Web User Interface or SmartUpdate.
To install on IPSO platforms, use the command line. Network Voyager is not supported.
You can safely delete the .tgz file after you extract the package (step 6).
To install R75.30 using the CLI:
1. Log onto the target machine.
2. If you are installing on SecurePlatform:
a) Run idle 120 to make sure that the installation is not interrupted by the automatic logon timeout.
b) Run expert to enter expert mode.
3. Verify that the target computer contains sufficient free disk space.
4. Create a temporary directory in the /var partition on non-Windows platforms, or in the c:\ partition on
Windows platforms.
5. Copy the upgrade package for your platform to the temporary directory using SFTP, SCP, or another secure utility.
6. Go to the temporary directory and extract the .tgz package.
On non-Windows platforms, run: gtar -zxvf <file name>
On Windows platforms, use an archive utility such as WinZip.
Important - Before installing on Multi-Domain Security Management, run mdsenv and then
mdsstop.
If this is not done, the system will experience functionality issues.
We recommend that you back up the system before installation: mds_backup
7. Start installation:
On non-Windows platforms, run: ./UnixInstallScript.
You must run this command from the /var partition.
On Windows platforms, run: Setup.exe
8. Do the instructions on the screen to install the applicable components. Only those components required for a specific target (management or gateway) are installed automatically.
When the installation finishes, each successfully installed component appears in a list followed by the word Succeeded.
9. When prompted, reboot the computer.
10. Open SmartDashboard and log in to the R75.30 Security Management server that controls the upgraded gateways.
11. Open the gateway object properties window for an upgraded gateway and change the version to R75.30.
Installing R75.30
R75.30 Release Notes | 19
12. Repeat the above steps for all management servers, log servers and gateways.
13. Install the security policy on upgraded gateways and servers.
14. Install the database on the Security Management server.
Upgrading with CLI for IPSO Flash-Based
Notes
IPSO Flash-based platforms are supported for use as Security Gateways only.
Installation using Network Voyager is not supported and may result in system instability. You must install this version using the CLI only.
Only use this upgrade procedure for appliances with 4GB Flash (IP69x, IP128x and IP245x). For appliances with 2GB Flash (IP29x, IP39x and IP56x), you must do a clean install.
Before installing on an IPSO Flash-based Appliance:
1. Delete any Check Point packages that are earlier than R75.20, and then delete any previous tgz files. You can do this using Network Voyager or using the command shell:
Using Network Voyager:
a) Choose Configuration > System Configuration > Packages > Delete Packages.
b) Select a previous installation package to delete, and click Apply.
c) Delete the any tgz files.
d) Click Apply.
Using the command shell, run:
newpkg -q
newpkg -u <previous package name>
rm opt/packages/<previous tgz name>
newpkg -q prints a list of the installed packages.
2. If there is an IPSO image on the machine that is not in use, delete it using Network Voyager:
a) Choose Configuration > System Configuration > images > Manage Images.
b) Click Delete IPSO Images.
c) Select the IPSO image to delete, and click Apply.
3. Verify that there is enough free disk space for the installation of the packages. ("Required Disk Space" on page 12)
4. The installation package must be in the /var/tmp directory.
To install and activate this version on an IPSO Flash-based Appliance:
1. Using the command shell, copy the upgrade package for IPSO Flash-based appliances to /var/tmp on
the IP Appliance through ftp.
2. Navigate to the /var/tmp directory.
3. Extract the tgz package by running:
tar -zxvf <file name>
4. Delete the tgz package by running:
rm -rf <file name>
5. Run ./UnixInstallScript
6. Follow the instructions on the screen to install the appropriate components. When prompted, stop all Check Point processes.
Only those components required for a specific target (management or gateway) are installed automatically. When the installation finishes, each successfully installed component appears in a list followed by the word 'Succeeded'.
7. When prompted, reboot the computer by pressing y.
Installing R75.30
R75.30 Release Notes | 20
Upgrading with SmartUpdate
You can use SmartUpdate to remotely install this version on Security Gateways installed on all supported platforms.
To install with SmartUpdate:
1. Install the upgrade package for your platform on the Security Management Server using the Command Line ("Upgrading with CLI" on page 18).
2. Open SmartUpdate and close SmartDashboard.
3. Click Packages > Get Data from All.
When the Operation Status of the known gateways is Done, the installed packages and their
versions are listed.
4. Open the Package Repository: Packages > View Repository.
5. Add the installation package file (*.tgz) for each required gateway platform to the Package Repository
(Packages > Add; or drag-and-drop).
Wait until the Operation Status of adding the package is Done. The packages appear in the Package Repository. This can take a few minutes.
6. Right-click the package and choose Distribute.
7. From the Distribute Package window, select the devices on which you want to install this version.
8. Click Distribute.
The installation package is distributed to and installed on the selected Security Gateways. The Security Gateways are rebooted automatically, except for those that are installed on Windows. You must manually reboot Security Gateways installed on Windows.
Note - On a Windows platform, if the gateway does not accept traffic after installing this version, re-install the policy.
Upgrading with the SecurePlatform Web User Interface
You can install R75.30 on SecurePlatform Security Gateways and Security Management open servers and appliances using the Web User Interface.
Important - Safe Upgrade is not supported from R75.20 to R75.30. Make a manual snapshot of the machine before you upgrade.
To install R75.30 using the Web User Interface:
1. Make sure all GUI applications are closed.
2. Download the upgrade package for your platform.
3. Connect to the SecurePlatform Web User Interface:
Open server: https://<IP>
Appliance: https://<IP>:4434
4. Open the Upgrade page:
Open server: Device > Upgrade
Appliance: Appliance > Upgrade
5. In the Upgrade Steps pane, browse to the downloaded file.
6. Click the Upload package button.
7. Click Start Upgrade.
At the end of the installation, the device automatically reboots.
8. Re-login to the machine.
Important - After upgrading, move the snapshot file from the Desktop to a pathname without spaces. This must be done before attempting to restore the machine.
To uninstall afterwards, revert to the snapshot manually.
Troubleshooting IPS-1 Sensor
R75.30 Release Notes | 21
Troubleshooting IPS-1 Sensor If install policy fails on an IPS-1 Sensor appliance at the Verification step, do these steps:
1. Remove profiles associated with IPS-1 sensor. For example: IPS-1_Recommended and sofa
2. Remove the IPS-1 sensor object.
3. Run: cpstop
4. Delete the FWDIR/conf/CPMIL* file.
5. Run: cpstart
6. Configure the object again.
7. Install policy.
Uninstalling
R75.30 Release Notes | 22
Uninstalling
Notes -
Uninstallation from IPSO flash-based appliances is not supported.
Uninstallation of IPS pattern granularity is not supported. After uninstall of R75.30, the patterns remain converted to protections.
To uninstall R75.30 in Security Management Server deployments:
1. Disable the IPS Event Analysis and/or SmartWorkflow Software Blades. If you already disabled them before upgrading to R75.30, you do not need to disable the Software Blades.
To do this, disable the Software Blades in the Security Management server's object.
2. On each management server and dedicated log server:
All non-Windows platforms:
Run: /opt/CPUninstall/R75.30/UnixUninstallScript
Windows platforms:
(i) Go to: C:\Program files\CheckPoint\CPUninstall\R75.30
(ii) Run: Uninstall.bat
To uninstall R75.30 in Multi-Domain Security Management deployments:
1. Disable the R75.30 from each CMA as follows:
a) Login to the Multi-Domain Security Management MDG.
b) In Versions & Blades Updates, right click and select Deactivate.
2. Run this command on each Multi-Domain Server, Domain Log Server and Multi-Domain Log Server:
/opt/CPUninstall/R75.30/UnixUninstallScript
3. Activate Software Blades that were active before the upgrade to R75.30.
Note - After uninstalling this release from a SecurePlatform machine, the command line login prompt and the Web interface Welcome screen will still display Check Point SecurePlatform R75.30 as the installed version. This is because packages related to the SecurePlatform operating system are not uninstalled during the uninstallation process. Use
the fw ver command to see the current version of your software.
To uninstall with SmartUpdate:
You can use SmartUpdate to remotely uninstall on gateways of all platforms, except IPSO.
1. Make sure SmartDashboard is closed.
2. Open SmartUpdate.
3. From the Packages menu choose Get Data From All.
4. Right-click each package with Minor_Version value of R75.30 and select Uninstall, in this order:
Security Gateway
Mobile Access (for SecurePlatform gateways, if installed)
all other Minor_Version products
Note - All packages must be uninstalled except for the SecurePlatform package that cannot be uninstalled from SecurePlatform gateways.
5. On Windows platforms, reboot manually.