Thursday, August 25, 2011

Multiple issues with R71 upgrades

Hi all!

I was thinking about writing this post for some time now, hesitating to do this. I am trying to stay positive towards Check Point, but it looks I get enough of it now.

Certainly, my experiences may not be objective, especially considering I am usually dealing with complex environments and high profile customers. But here is something:

During the last year I am facing all kind of issues with R71 upgrades. Most of them are on MGMT side. This affects both simple SmartCenter servers and Multi-Domain systems. These are all kind of troubles:

  • systems cannot be upgraded in place from R65, 
  • HFA 40 cannot be applied
  • migrations fail
  • previously working migration paths become non usable
  • policies cannot be compiled or installed, etc.

It fact, during the year I have not seen a single painless R71 upgrade. It works fairly well with R70 and R75, but not with R71. That is a shame, especially considering most of the customers tend to stay on X-1 release, considering that a good practice.

Please share your R71 experience with  me. Thanks.


8 comments:

  1. Hello, I have upgraded 4 SmartCenters from R65 to R71.20 with no problems at all...
    I fear the upgrade on the Firewalls module! Which I did not do yet.

    ReplyDelete
  2. Glad for you. Enforcement upgrade did not make me any issue. Only MGMT part. There are two different issues:

    R65->R71.10, migration or in place
    R71.10->R71.40, in place

    ReplyDelete
  3. I've done the upgrade from R65 to R71.30 in my test environment. According to the documentation, I had to go from R65 to R71 to R71.30.

    SmartCenter upgrade:
    I didn't want into any real issues as part of the upgrade (though they removed the UDP out of state options from the Global Properties). The big problem I had was when I attempted to test the back out. The documentation talked about just using "Add/Remove" programs to remove all the R71-related components, and after that was done, SmartCenter would not start. Check Point ended up recommending that I run their program to wipe out all Check Point programs and then re-install and restore from upgrade_import. Oh, and it seems to install parts of SmartReporter, which causes SmartView Monitor to report that the EMC had issues when SmartReporter didn't start up. And I couldn't easily disable SmartReporter, as it came back after I did a cpstop/cpstart.

    Firewall module:
    Once again, the upgrade went smoothly (with the only issue that the cluster was messed up until both members were upgraded), but the documentation for the back out was really, really bad. The commands for backing up the configuration were purposely disabled, and the images that the upgrade process created could not be moved off the server, as it was in a special file format. The actual back out itself was pretty painless, as it only involved reverting to an older image.

    I also had to update some of our automation scripts that were hardcoded to point to the R65 directory.

    ReplyDelete
  4. I , ve recently migrated our corporate FW .
    R65 - > R75 , first in lab enviroment , then on the floor.

    Only two real issues worth mentioning , I had to extract policy from R65 with R75 utilities and the licenses took hold on new Gateways , only after second-third attempt.

    ReplyDelete
  5. I upgraded two clusters running ngx r61 and it was a disaster. A lot of work and once I finally got the rule base imported it didnt work gave me errors related to ws_objects. I debugged it for 2 days (no info on the net about it) until I decided to just blow it all away and rebuild new rulebase. I also had lots of issues with checkpoint and the new blade licensing system. Checkpoint are trying hard to push customers away.

    I spend a lot of time replacing checkpoint with fortinet these days and will continue to push customers away from checkpoint. Great product but overly complicated at times

    ReplyDelete
  6. R61 is not supported for several years now. What was the reason to keep it so long?

    Also if you have read the lasted Gartner report, you can see Fortinet is not an alternative. I personally feel sorry for your customers moving to it.

    ReplyDelete
  7. Hi Valeri,
    I should say your knowledge and your blog is very interesting. I hope some days can be like you.
    I am a new in the checkpoint world. : ) and I am happy about it.
    I am a network engineer and have experience with cisco near 7 years.
    At work, I am responsible for routing and switching.
    But for some reasons, my manager assigned a new task and it is “I have to upgrade Checkpoint FW “
    Could you please help me? if it is possible for you give me some advice.

    What is my scenario?
    We have 4 checkpoint UTM
    2 utm-1 3070 (cluster) and 2 Utm-1 1070 (Cluster) .all of them have R70.1
    I have to upgrade them to R75.
    I have studied CCSA and learn many things(Self Study).But there are lack of information and really confused.:(
    What do you suggest me to do this task in best condition?
    Is it need to upgrade to r71.X and then to r75 ?
    Is it need to remove from clustering ?if yes, how can i do that ? what is the best way ?
    is it need to upgrade Smart Centre (installed on 3070)first ?

    I really appreciate your help

    Regards
    Medwin
    medwinha@gmail.com

    ReplyDelete
  8. Hi Medwin, thanks or all the good words. Concerning the advise, it is quite simple.

    First, you MUST to start with MGMT upgrade. For the rest of the questions, please follow the upgrade guide, which is part of Check Point documentation for your target version. It inlcudes the upgrade path. Should be quite straight forward.

    ReplyDelete