Monday, January 10, 2011

Check Point changes upgrade tools, silently, without documenting

You may not be aware of some major changes happening to Check Point management upgrade tools with R7x versions.

On R65 and below it was quite simple. You had two different scripts in $FWDIR/bin/upgrade/tools: upgrade_export and upgrade_import.

The upgrade_export script packs your MGMT database, ICA and registry into a single .tgz file that you can import later on other HW, even on a higher version of Check Point MGMT. The export files are also widely used as an alternative backup in the field. Check Point also mentions it as a backup tool in the SecureKnowledge case sk30571.

I love these tools for their flexibility and ease of use, and you may too. But the strange thing is that the tools are only mentioned in the upgrade guides. The CLI reference guide does not mention them, and neither do the Administration guides.

Although Check Point recommends using the latest upgrade tools from the target version, until R70 it did not matter. You could export your MGMT data from R55 without replacing the native upgrade tools and then import it to R65 almost without any trouble.

"Almost" here means that there are some known issues with MGMT plugins introduced with R65, but people got used to working around them.

But if you try to do the same between R65 and R75, the import will fail. You can only perform an advanced upgrade between these versions if you have used the R75 export tool on R65.



The reason for this is that Check Point silently replaced the utility with a completely new one. In fact, the two utilities are replaced with a single migrate binary. To keep this issue quiet, there are now three binaries, not two: migrate, upgrade_export and upgrade_import. In fact, they are the same: upgrade_export now just mimics the migrate export command, and upgrade_import performs migrate import.

The result file now looks completely different as well. Instead of a simple readable structure, paths like FWDIR or CPDIR are replaced with more generic variables. The famous .configuration file is different too. It is the sole reason the migration files are now incompatible between the versions. Most importantly, this file now lies about the MGMT version. Just two weeks ago I was troubleshooting migration issues and got scared as hell when finding an R75(!) version stamp in a .configuration file made on R71.

For a moment I thought the customer had an EA version of FOX.

So guys, be prepared for some surprises when doing advanced upgrades on the newest versions.

25 comments:

  1. This has been the case for a while now. I did a move from R65 to R70 nearly 12 months ago and we had this :), even the Check Point guy we had with us was caught out :). The best migration tools are for VSX :), if your appliance dies, vsx_util reconfigure pushes 99% of the settings back onto the new hardware and does the SIC magic in the background.

  2. vsx_util is great, but it is a recovery, not migration tool.

  3. Hi
    So, in order to perform the upgrade, what should I do? Use the Upgrade_export tool that was provided with R65, copy the *.tgz file that was created to the R75 machine and then use migrate_import command?

    Thanks!

  4. No. You need to use the target version migration script for both export and import. Read the upgrade guide, it is all there.

  5. Hi,
    We have procured new Smart-1 appliances (SPLAT based) CP version R75 management server. We already have one Windows based CP version R65 management server in the setup.

    I need to replace the Windows based R65 management server with the new Smart-1 R75 management server. There is no change in topology. I just need to migrate the existing configured policies of the Windows based R65 management server to the new Smart-1 management server and do a policy push.

    I need a detailed procedure to do this. Any help is highly appreciated.

    Regards,
    Nick

  6. Hi Nick!

    The task is actually simple. You have to use R75 migration tools on R65 to collect the migration files.

    It is all in the Upgrade guide. You copy R75 migration tools to R65 (including migrate.conf file), run migrate export, get the result file out, copy it to R75 fresh installed MGMT server, run migrate import and live happily ever after :-)

    Good luck,
    V.L.

  7. Hi Valeri

    I've been trying to upgrade from R65 to R75 for some days. I'm following the Upgrade guide and your suggestions. Everything seems fine, but when I verify the policy I get the error: "The Converter failed to convert policy".
    Any idea please?

    Many thanks and regards,
    Luca

  8. Hi Luca!

    What is the upgrade path? Upgrade in place or advanced? What is the HFA level of R65?

    Before you answer, just an idea: try to go to R71 first, then to R75.

  9. Hi

    Advanced upgrade, HFA70

    Many thanks and regards,
    Luca

  10. Try intermediate step with R70 or R71, use migration tools from there.

    Yet another CP migration bug

  11. Hi V.L,

    1. I have downloaded migration tool file “Check_Point_migration_tools_R75_WIN32.tgz” to migrate database from Windows based R65 management server to Smart-1 (SPLAT based) R75 management server. Is this file correct?

    2. I have extracted migration tool file “Check_Point_migration_tools_R75_WIN32.tgz” and found five files in total (migrate.conf, migrate.exe, pre_upgrade_verifier.exe, upgrade_export.exe, upgrade_import.exe).
    Migrate_export and migrate_import files are not present in this. So how can I get migrate_export and migrate_import files?
    Can I run upgrade_export and upgrade_import instead of migrate_export and migrate_import?

    3. If the migration file which I mentioned in point 1 is correct, then into which folder/directory of the Windows based R65 management server do I have to copy this file? I guess there are upgrade_export & upgrade_import files already present in the Windows R65 management server; I just want to check that these files should not be overwritten.

    Many thanks & Regards,
    Nick

  12. answers to Nick:

    > Hi V.L,

    > 1. I have downloaded migration tool file “Check_Point_migration_tools_R75_WIN32.tgz” to migrate database from Windows based R65 management server to Smart-1 (SPLAT based) R75 management server. Is this file correct?

    Yes

    > 2. I have extracted migration tool file “Check_Point_migration_tools_R75_WIN32.tgz” and found five files in total (migrate.conf, migrate.exe, pre_upgrade_verifier.exe, upgrade_export.exe, upgrade_import.exe).
    > Migrate_export and migrate_import files are not present in this. So how can I get migrate_export and migrate_import files?
    > Can I run upgrade_export and upgrade_import instead of migrate_export and migrate_import?

    Yes you can. In fact, upgrade_export is the same as the "migrate.exe export" command.

    > 3. If the migration file which I mentioned in point 1 is correct, then into which folder/directory of the Windows based R65 management server do I have to copy this file? I guess there are upgrade_export & upgrade_import files already present in the Windows R65 management server; I just want to check that these files should not be overwritten.

    Any folder is good, it does not matter.

    > Many thanks & Regards,
    > Nick

  13. Migration from R65 to R70 completed without errors!
    Next days I'll try R70 to R75

    Many thanks and regards
    Luca

  14. Hi V.L,

    Your inputs will be very useful for me. I will try this and let you know.

    One more question I forgot to ask you. Once the exported (.tgz) file is generated from the Windows R65 management server using the upgrade_export command, into which folder should I copy this exported (.tgz) file on the Smart-1 (SPLAT) R75 management server to run upgrade_import?

    Thanks & Regards,
    Nick

  15. Hi V.L,
    I have recently started to study Check Point concepts and I found that there are 3 tools, i.e. export, import and migrate, but I didn't get the concept of migration.
    I would appreciate it if you could describe the concept of migration in Check Point.

    Regards
    Shashank

    Replies
    1. Hi SJ.

      In a few words, the migration utility allows you to move your MGMT around between versions and platforms. The only unsupported route is to a lower SW version; the rest is quite flexible.

      For more details please refer to Installation and Upgrade Guides of the version you are working with.

  16. Hi V.L,
    your blog site is extremely useful for a novice like me.
    I have a query regarding the SMS (SM503) upgrade from R75.45 (Gaia) to R75.47.
    1. Already downloaded the R75.47 migration tool from the Check Point site and unzipped it at /var/tmp on the SMS.
    2. When I run ./pre_upgrade_verifier it shows this:

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.28 16:13:15 =~=~=~=~=~=~=~=~=~=~=~=
    ./pre_upgrade_verifier

    This is Check Point Pre-Upgrade Verifier for version R75.40.

    Usage: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -t TargetVersion [-u | -a][-f FileName] [-w]
    Or: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -i [-f FileName] [-w]
    -p Path of the installed Security Management Server (FWDIR).
    -c Currently installed version.
    -t Target version.
    -i Check originality of Inspect files only.
    -u Perform plug-in related checks.
    -a Skip main train version checks, perform plug-in related checks only.
    -f Output in file.
    -w Web format file.

    where the Currently installed version is one of the following:
    NGX_R65 (aliases: 6.0.1.0)
    R70 (aliases: R70_R70, 6.0.1.6)
    R71 (aliases: R71_R71, 6.0.1.7)
    R75 (aliases: R75_R75, 6.0.2.0)
    R75.20 (aliases: R75.20_R75.20, 6.0.2.1)

    where the Target version is one of the following:
    R70 (aliases: R70_R70, 6.0.1.6)
    R71 (aliases: R71_R71, 6.0.1.7)
    R75 (aliases: R75_R75, 6.0.2.0)
    R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
    R75.40 (aliases: R75.40_R75.40, 6.0.2.5)

    3. Do I have to copy the pre_verifier_tool into the current upgrade_tool?

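Added example (not part of the comment above and not Check Point code): the usage text pasted in that comment already states which release this copy of pre_upgrade_verifier identifies as and which -c and -t values it accepts. The Python sketch below parses that text and checks a planned upgrade against it; `parse_usage` and `check_plan` are hypothetical helper names, and the R75.45 to R75.47 plan is the one described in the comment.

```python
import re

# Usage text from the PuTTY log in the comment above (option lines omitted).
USAGE = """\
This is Check Point Pre-Upgrade Verifier for version R75.40.
where the Currently installed version is one of the following:
NGX_R65 (aliases: 6.0.1.0)
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
where the Target version is one of the following:
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
"""

def parse_usage(text):
    """Return (banner_version, accepted); accepted[kind] maps name or alias -> name."""
    tool, kind, accepted = None, None, {"current": {}, "target": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        banner = re.search(r"Pre-Upgrade Verifier for version (\S+?)\.?$", line)
        entry = re.fullmatch(r"(\S+) \(aliases: ([^)]*)\)", line)
        if banner:
            tool = banner.group(1)
        elif line.startswith("where the Currently installed version"):
            kind = "current"
        elif line.startswith("where the Target version"):
            kind = "target"
        elif kind and entry:
            names = [entry.group(1)] + [a.strip() for a in entry.group(2).split(",")]
            accepted[kind].update({n: entry.group(1) for n in names})
    return tool, accepted

def check_plan(text, current, target):
    """List reasons to stop before running the tool with `-c current -t target`."""
    tool, accepted = parse_usage(text)
    problems = []
    if tool is None:
        problems.append("no version banner found in the output")
    if current not in accepted["current"]:
        problems.append(f"current version {current} is not accepted by this tool")
    if target not in accepted["target"]:
        problems.append(f"target version {target} is not accepted by this tool")
    if tool and accepted["target"].get(target, target) != tool:
        problems.append(f"tool identifies as {tool}, not the planned target {target}")
    return problems
```

For the plan in the comment, `check_plan(USAGE, "R75.45", "R75.47")` returns three findings: neither version is in the accepted lists, and the binary identifies as R75.40 rather than R75.47.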
  17. Hi Valeri Loukine ,

    I need the differences between R65, R75 and R75 GAIA.

    Replies
    1. Hi Shiva, you need to read the release notes of the mentioned products, "what's new" part.

      Also I would kindly ask you not to post your questions in my blog more than once. Thanks a lot.

    2. Thanks Valeri,

      I got it, but I need the technical specification differences between R65 and R70 and R75 GAIA.

    3. The best source of info is the official documentation.

  18. Hi VL,

    I am performing a migration from R75.47 IPSO 6.2 standalone to an R77.10 Gaia distributed environment, with the Gaia management server running on open platform and the gateway on a 4000 series appliance. For the purpose of the migration, the hostname of the new mgmt server is the same as the standalone mgmt server but the IP address is different.

    I was able to migrate export db successfully from R75.47, updated the configuration and configuration2 from the exported tgz files to remove traces of security gateway, tar files and ran migrate import successfully on target mgmt server.

    However, when I try to connect from SmartDashboard, authentication fails. I can log in using the same admin account via ssh and the Gaia web portal but cannot log in via SmartDashboard.

    Not sure if I have missed a step during migration or if there is a better way to achieve this? Your help is much appreciated.

    Replies
    1. Hi,

      There can be multiple reasons why you cannot connect. Check the basics: GUI client definitions, admin account, fwm process running, local policy on the box. If you cannot catch an error, open a support call.
