
[FW1] RE: [fw1-wizards] Upgrading



TF,

The first thing you will need to do is upgrade to 4.0 SP6 or better.  The
upgrade to 4.1 will not work properly from 3.0. I have listed the procedure
that I used to upgrade my 3 firewalls to version 4.1 SP2.  I hope it helps.
This is the way I do my Solaris machines and I am not sure if it will work
for any other system.  Plus, if this is a Solaris machine, you must be
running Solaris 2.6 or better.

Best regards,

MJ


The first thing is to make sure you have a valid license for FW1 and MOTIF.
MOTIF is now a separate license issue for FW1 2000.  Then you need to make
sure that you are running at least SP6 on the 4.0 version. Now check the
available disk space.  You may need to upgrade the disks, like we did.

Now you need to decide whether you are going to upgrade the OS.  I upgraded
ours to Solaris 7, which is the highest level supported by CheckPoint.  Even
the new version of the firewall will not run in 64 bit mode, so you cannot
use Solaris 8. If you are going to upgrade the OS, do this before anything
else.  If you do upgrade the OS, make sure you recreate the link for the
sendmail.cf file in /etc/mail.

OK, now you are ready to start the upgrade process.

1) Download the latest Service Pack from CheckPoint and put it on a tape.

2) Save the following files to a place that can be reached while you are
   upgrading: objects.C, *.W files, rulebases.fws and xlate.conf.  I did not
   save the log files because they are not readable by the new version of
   the Firewall, unless you push them out to a flat text file.

3) Now, if you need to, install SP6 for version 4.0.

4) reboot -- -r

5) Log in and bring up the GUI.  Make sure all your rules look right.  Make
   sure that all the networks are functioning properly.

6) Now, save the same files that you did in step #2.

7) Put the FW1 2000 CD in the drive.

8) cd /cdrom/cp2000_strong/solaris2

9) pkgadd -d .

10) Now choose the modules that you are going to install.  ****NOTE**** Do
    not install backwards compatibility unless you manage 4.0 firewalls from
    the management server!!**** In my case, I chose #7 and #8 for the
    Firewall and the GUI.  I do not reboot at this point, even though it
    says to.

11) Now change your root login shell environment variable to point to CPfw1
instead of the old 4.0 one.

12) Now run 'cpconfig' and answer the questions as you would a regular
    install.  ***NOTE***  I only modify what I have to at this point, i.e. I
    add the Firewall and Motif licenses, I do not modify SNMP but I do make
    sure I answer #2 on the question that asks about allowing connections
    during the boot process.  I do not allow any because we do not use
    network booting procedures. Make sure there are no errors reported
    during the portion when it asks you if you want to convert the files to
    4.1.

13) Once you have finished with the question and answer session,
reboot -- -r.

14) Bring up the GUI and make sure all your rules look right.  Check to make
    sure that your interfaces on the firewall have the right anti-spoofing
    settings.  They should be the same as before.  Check the address
    translation tables in the GUI.  This is where most of my problems
    occurred.  Make sure that you have an external-net and an internal-net
    defined in the Network Objects window.  I found that what used to work
    for xlate.conf no longer works for the NAT GUI.  I had to modify many of
    the rules so that NAT did not take place while going or coming from the
    internal net.  Then I had to modify the original rule to only translate
    when going to external-net.  If you see packets being dropped on rule 0,
    you will know to look at the NAT tables.

14) You need to save the same files again that you saved in step #2.

15) Now you will need to do a 'pkgrm' on the firewall packages.  Make sure
    you remove them in the right order.  Take off the new ones first and
    then the older ones.  Make sure you remove the GUI before the FW1
    package.  Make sure all the old directories are removed and there are no
    lingering files.

16) reboot -- -r

17) Now you have a clean system with no firewall installed.

18) Go back to the install procedure for FW1 in step #7.

19) When the firewall install is complete, put the converted files that you
    saved back into the $FWDIR/conf directory.

20) fwstop

21) fwstart

22) Bring up the GUI and see if you have a policy.  If not, try to load one.


Well, that is what I did for all three of my firewalls. Well, I actually had
to do mine a little longer version.  I still had version 3.0b, so I had to
start my procedure with reinstalling 4.0 first.

If you have any questions, let me know.  I actually learned most of this
from my CCSA instructor.  I can't say I like how long it takes, but I do
like the fact that there were a lot fewer surprises this way.


Marc Jacquard
SR. Systems Engineer
Fujitsu America, INC.
Hilo Office
email: [email protected]
Telephone:
Pager:

-----Original Message-----
From: Thierry FRACHE [mailto:[email protected]]
Sent: Tuesday, October 03, 2000 1:34 AM
To: <
Subject: [fw1-wizards] Upgrading


Hi,

I have FW-1 3.0b and an upgrade to 4.1 SP2. Can you tell me what I need to
upgrade my product without problems?

Thx

TF

***********************************************************************
This footer certifies that this message and any attachments have been
checked by an anti-virus program.  However, this is not a guarantee, and
Groupe LDI cannot be held liable should a virus be present.
***********************************************************************


---------------------------------------------------------------------
This email came from the FireWall-1 Wizards Mailing List
To unsubscribe, e-mail: [email protected]
For more information, email: [email protected]



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
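
The procedure in the reply above saves the same policy files at three points (step 2, step 6 and the second step 14). The following POSIX sh helper is an added example, not part of the original e-mail: it snapshots those files per stage with a checksum manifest and lists what changed between stages. It assumes the files live in $FWDIR/conf; the backup root and stage labels are names chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the policy files live in
# $FWDIR/conf; the backup root and stage labels are names chosen here.

# snapshot_conf CONF_DIR BACKUP_ROOT STAGE
# Copy objects.C, rulebases.fws, xlate.conf and every *.W file into
# BACKUP_ROOT/STAGE with a cksum manifest. Refuses to run if a file is
# missing or the stage was already saved, so no checkpoint is overwritten.
snapshot_conf() {
    conf=$1
    dest=$2/$3
    if [ -e "$dest" ]; then
        echo "stage already saved: $dest" >&2
        return 1
    fi
    for f in objects.C rulebases.fws xlate.conf; do
        [ -f "$conf/$f" ] || { echo "missing: $conf/$f" >&2; return 1; }
    done
    ls "$conf"/*.W >/dev/null 2>&1 || { echo "no *.W in $conf" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp -p "$conf"/objects.C "$conf"/rulebases.fws "$conf"/xlate.conf \
        "$conf"/*.W "$dest"/ || return 1
    ( cd "$dest" && cksum objects.C rulebases.fws xlate.conf *.W > MANIFEST )
}

# verify_snapshot BACKUP_ROOT STAGE
# Succeeds only if the saved files still match the manifest.
verify_snapshot() {
    ( cd "$1/$2" || exit 1
      cksum objects.C rulebases.fws xlate.conf *.W | cmp -s - MANIFEST )
}

# changed_between BACKUP_ROOT STAGE_A STAGE_B
# Print the files in STAGE_B that are new or differ from STAGE_A.
changed_between() {
    for f in "$1/$3"/*; do
        n=$(basename "$f")
        if [ "$n" = MANIFEST ]; then continue; fi
        cmp -s "$1/$2/$n" "$f" 2>/dev/null || echo "$n"
    done
    return 0
}
```

Run snapshot_conf with a new stage label at each save point, and run verify_snapshot on the stage you are about to restore in step 19. After the 4.1 conversion, changed_between shows which files the converter rewrote.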



 