Check Point R80.10 upgrade to R80.30 Distributed Deployment

Captions
Hey guys, how's it going? Hope everybody's having a great day so far. Welcome to another episode on the channel. Today what we'll be doing is we'll be looking at an upgrade of a pair of gateways set up in high availability, being managed by a separate manager, so it's not a standalone gateway deployment configuration.

This is the GNS3 topology. So, you know, in real life this would kind of be going out to your ISP, so I just have a dedicated WAN switch here, and then we have a data plan, data plane, with the management PC that will be running behind that as well as the separate manager, and then it's going through this high availability pair of gateways here that's, of course, you know, filtering the traffic from this switch, and it's also directly connected with a sync cable.

All right, so let's go ahead and jump into it. So this is what we have based on, again, the topology that we just saw on GNS3. So I just named this Colo firewall; it has a virtual IP of 10.0.0.3 with the separate individual IPs of 10.0.0.1 and 10.0.0.2, as well as the separate management running 10.0.0.100, and right now these guys are all on R80.10 latest version, which is jumbo hotfix, it's actually check jumbo hotfix 272.

All right, and so the goal of this series, or this episode, is going to be bumping the management up to R80.30 latest jumbo hotfix as well as the pair of gateways, then just doing basic sanity tests, making sure that there's no inherent issue with this particular configuration going up to the latest jumbo. Just want to make sure that everything is running smoothly, and for those of you unfamiliar with the process, get you guys a little more acclimated to it as well.

All right, so without further ado, the first thing we would want to do is upgrade the management. So you always want to do that before doing the gateway, just in case there's any incompatibility with the management being able to manage the gateways. As far as officially being supported, R80.10 latest jumbo can actually manage all the way up to
R80.40, but, you know, just as far as best practice and things like that, you should always do the management first.

So without further ado, what we'd have to do is actually get a migrate export off the management server. That will basically extract all of your rules, objects, things like that, so that in case there is a failure with the in-place upgrade and we needed to do, let's say, a fresh install or something like that, we can always at least export those, export your management database back in. That being said, we're not gonna actually have to import the database as long as everything in the in-place upgrade goes well. If we were migrating from, let's say, R77.30 to R80, then you would actually have to do a clean install and import the export that you have from the R77.30 gateway, all right, sorry, management.

All right, so let's go ahead and get into it. So first thing I do is I open up PuTTY. We're gonna want to jump into the management, okay, and you're going to want to log into expert mode. All right, once you're here, we're gonna want to go to FWDIR slash bin; we can go FWDIR with the dollar sign in front of it, forward slash bin, forward slash upgrade underscore tools. Okay, you do ls. All right, so we can see here we're in the proper area if you see the migrate file there.

So it's pretty simple: all you have to do is type in migrate space export and then the path to the file including the file name. I'm just gonna save it in the same directory, so we'll just do migrate and export demo.tgz. There we go, so we had to do the period slash migrate space export. Interesting. Depending on the version that you're running, you may or may not have to do that. And it says you're required to close all clients to the security management server or execute cpstop. So what I'll do is I'll actually just go ahead and close the SmartConsole, and I'll close, just for the heck of it. Okay, let me do y. It's gonna go ahead and export the database. So for this demo I don't really have anything, so it
should be fairly quick. All right, operation completed successfully. Location is where we had it, because we actually specified the path, so we can actually go ahead and grab that.

So to do that, let's do WinSCP, and by default it's not going to work; you're gonna have to set, change from clish to bin mode. I can show you guys here. Okay, okay, to bash mode, sorry. You could do that with the command; I'm actually drawing a blank for a quick, so I'll actually show you guys another way of doing it as well, which you can do off of the GUI, but I'll go ahead and drop the terminal command in the comments, not the comments, in the description below, so if you guys want to do that you can do that as well. But at least I'll give you another way if you're the type of user that likes to use more of a GUI. So we'll go ahead and override this lock here, and we can edit the admin from the default shell being clish to bash, /bin/bash. Okay, and now it should work.

All right, so let's go ahead and navigate to the directory that it said. So, well, FWDIR, just so you guys know, is located in opt CPsuite R80, depending on what version you're running; if it's R80.30 or something then it'll say CPsuite-R80.30. Okay, so now we're in essentially fw, well, sorry, fw1; now we're essentially in FWDIR, so then we need to go to bin and upgrade_tools. Okay, so there we are, and we have the demo.tgz, so I'm just going to go ahead and grab that off of the box, put that somewhere safe and sound. Okay, perfect. I can actually go ahead and exit this now, and that's pretty much it as far as backing up the management.

So we can dive right into the in-place upgrade by navigating to the Gaia web portal, going to the Status and Actions section under Upgrades, and you can actually, if you didn't already download the file, you can just download it from here. I've already downloaded the file from supportcenter.checkpoint.com, so I'm just going to import the package. This is the file right here. We'll go ahead and give it a minute or two. All right, so it went ahead
and fully imported. At this point you should see where it says downloaded successfully, and we can actually just, if you want to be safe, just go ahead and right-click and do Verifier. It's gonna verify and make sure things are compatible with your configuration. Shouldn't take too long; give it a minute or two. Depending maybe on how large your rule base or something like that, it might take a little longer.

And so we see here clean install, installation is allowed. Oh, and there we go, actually found a bug. So I actually forgot that there's a separate one for the security management, so let me go ahead and download that. Well, let's go ahead and download that in here. Actually it's gonna do that. All right, so the download was successful. Now we can actually go ahead and run the verifier on this one, now that's the right one. So I've been doing a lot of R80.40 upgrades and they use the same package for management and gateway, so that threw me off a little bit, but no biggie. There we go: installation is allowed for clean install and upgrade is allowed, so we'll go ahead and click on Upgrade and we'll let that ride.

All right, so after it's done installing it's gonna say please wait while the system reboots, and there you go, it should automatically bring you back into the login page. Here it says upgrade is still running, log into the Status and Actions page to see the progress. So if we go back here, go to All, you can see here that it's still doing a little upgrade even after the reboot, so we'll let that finish up.

All right, and when that's done it's gonna go ahead and say Installed, self-test passed, and it's going to start checking for new available packages, and if there's also a new deployment agent it's going to go ahead and install that, and once it's done doing that we can go ahead and either import or download the latest jumbo hotfix and apply that as well. Okay, you can also pop in the event log; you can kind of see if there's anything that's been done. Okay, it doesn't look like it installed the new
deployment agent, so that's okay; we can just go ahead and start importing our jumbo hotfix for security management. Take 191 is the latest jumbo for R80.30 at the time of this video. All right, it successfully imported and you should see it here as well, downloaded successfully, and we'll go ahead and install that.

All right, it's going into the reboot cycle, so I'll give it another minute. All right, and we're back to the login, so I'll go ahead and pop in here, and I don't think with the jumbos it needs to do any cleaning up or anything, so we can go to Show All. Yeah, there's nothing running, so that's it: the management is officially done, it's good to go, running on the latest build. Installed, self-test passed, jumbo hotfix take 191.

Now keep in mind you're gonna have to use SmartConsole R80.30; you can find that download link, I'll put that in the description below as well. And there you have it, we're rocking and rolling on the R80.30 management. I don't have any rules or anything in the policy; I just changed the default one to accept. But there we go, it's up and running. We can see here it's already established as R80.30 version. I'm sure in a minute or two we'll get the green checkmark, but at this point we can go ahead and start rocking and rolling on the gateway cluster.

So first things first, let me check to make sure that I'm running the virtual IP 10.0.0.3 on here. Yes. I should have internet access; let's test. Yep, cool. So what we can do now is start the upgrading of the gateway. So what we want to do is SSH into the primary right now, which is 10.0.0.1, make sure that it's currently the active firewall. All right, so we can do cphaprob space state. We can see here local, this is the one that we're running it on. So the 10.1, this is the link interface, so if we go back it's this interface here. So not to be confused, but I did basically name them the same as far as the .1 and .2, but yeah, local is the one that
we're running it off. So we're running off the 10.0.0.1, which is the primary, and it says it's actually in standby mode and that the 10.0.0.2 gateway is in active, and we can actually just confirm this by opening up another session. We can do cphaprob state: local is active.

Okay, so, you know, typically if your primary is going to be, you know, your active one, we would start with that, so let's actually just simulate that. So what I'll do is I'll just do a cpstop on gateway number 2 and we should see it automatically fail over. So if we, yeah, okay, yeah, perfect. So there we go: so I ran cphaprob state again and this is too active, and just make sure that traffic is still traversing, Netflix, it looks good.

And so what we can actually do now is just start upgrading the standby, also known as the secondary member at this point. So what we can do is pop over to 10.0.0.2. It's in cpstop right now; it's fine, it's not processing any traffic or anything like that, and you can still upgrade it; you don't need to do a cpstart. So we can see here we are running R80.10 jumbo hotfix 272, and we're basically just gonna do the same thing that we did with the management, so we'll go ahead and import the package. We have one specifically for the gateway, which is the one I was trying to do the management before, and really what we can do to accelerate this process is go to the primary and just start importing the package as well. Can't hurt, you know; as long as we don't reboot the machine or anything like that, we'll have it ready to go once the standby is done. So we'll do that as well, and now we just wait.

All right, package is successfully imported, so we can go ahead and, whoops, go over here, let's go ahead and do Upgrade. Again, you want to make sure you're doing the standby first, so we can see here in the top left corner this is gateway 2, just in case; make sure not to get confused with your separate tabs if you're importing. So this one's downloaded successfully, but of course we're
not going to do anything yet. Okay, we're going into the reboot cycle now. All right, it's finished its initial reboot and it's gonna do the same thing as the management, I believe, so let's go ahead and, it didn't actually give us anything. It's installed: R80.30 Fresh Install and Upgrade, installed. It doesn't have to do any cleaning up. Wow, cool.

So at this point what we'll do is we'll apply the jumbo. This is going to download it from here; since I already clicked the Install Update button it automatically went and proceeded to the install. If you just want to download it by itself you can just right-click and then go to Download, but it's gonna go ahead and go forward with the installation, and yeah, let's hang out for a couple minutes and we'll check back in.

All right, the jumbo just finished installation; it's going into its reboot and we'll check in in a minute. All right, reboot's complete. Got this funky-looking screen here; it's got to refresh. There you go. Let's pop in. Okay, everything looks good, and just like the actual upgrade to R80.30 itself, the jumbo doesn't need any cleaning up or anything, so let's go to Show All just in case. Yep, everything looks good: Installed, self-test passed, and we're pretty much ready to rock and roll and upgrade the 10.0.0.1. Let's go ahead and give this another minute just to be safe, and then we'll do the cutover with cpstop, make sure traffic is still traversing, and then we'll proceed to upgrade the primary.

All right, I just took a quick break to let the gateway marinate a little bit. You obviously don't have to give it this much time; you can give it a couple of minutes, but it's up for 20 minutes now, so we can basically do the cutover. Just to be safe, what we actually wanted to do first is open up SmartConsole and push policy to the gateway that had the upgrade, so let's go ahead and do that real quick. All right, so first things first, let's go, we can actually edit the cluster now; we'll put it to R80.30. Okay, so I just have the cleanup that has action
so we'll go ahead and push policy. I'm gonna uncheck this, okay, because since we're on R80.30 it's gonna show the exclamation mark on gateway 1; it's probably, uh, kind of you install the policy, since it's on R80.10. Actually I'm curious, let's see if it will; I think it'll throw an error and not install on the secondary at all. Yeah, okay, cool, at least I was able to show you guys that. So let's go ahead and install policy, uncheck this; we should get a success on the secondary gateway. All right, excellent.

So now what we can do is go ahead and SSH into 10.0.0.1, do a cpstop. Okay, at this point the standby should have picked up traffic already, so let's go ahead and open up Netflix. Perfect, excellent. And just to confirm again we can just run the cphaprob state. Oh well, it's not gonna run on this one; you gotta open up 10.0.0.2, and we can see here the local one that we just ran it on is active. Perfect. We can actually just close this for now and we can start doing the upgrade on 10.0.0.1. Just do the same thing that we did; we've already imported it here at this point, so we'll just do the upgrade.

All right, it went into the reboot cycle and we'll check back in a minute. All right, so we're back up and running, and just like we saw with the initial secondary gateway, it doesn't have any cleaning up to do, so let's go ahead and start checking for updates and we'll download the jumbo. Jumbo hotfix take 191 available for download; it's gonna go straight for the install. All right, we're in the last official reboot cycle and that's it, should be done, so give it a minute, let it fully boot up, and we'll push policy.

All right, the reboot is complete. We can just double check; we log in, make sure everything's okay. There we go: Installed, self-test passed. Perfect. So that's it, we're all up to date. I'm gonna close out of that; we'll open up our SmartConsole, log into our management. There we go, everything is good to go. What we want to do now is actually push policy, and we can actually put this checkmark
back because they're both on R80.30, and there you have it: everything is upgraded to R80.30 latest jumbo hotfix take 191 and we're up and running.

Again, the standby, the secondary, right now is processing the traffic, so if you, you know, really want to get it to where the primary is the active and the secondary is standby, you can simply just run a cprestart command on the 10.0.0.2. That will stop it, so then the gateway 1 will take over as active, and it'll automatically do a cpstart again, so it'll come back up as the standby.

Other than that, that's pretty much it; we're done with the upgrade, we're good to go, and if you guys have any other questions or you want to see anything else, feel free to drop something in the comments below. Thank you and have a good day. Take care.
Info
Channel: Chris Martel
Views: 2,699
Id: if7jRlAstx8
Length: 26min 8sec (1568 seconds)
Published: Mon May 18 2020