
RE: [FW1] Firewall upgrading



You should upgrade the OS first.  I have a procedure that works quite well
for stand alone machines.


The first thing is to make sure you have a valid license for FW1 and MOTIF.
MOTIF is now a separate license issue for FW1 2000.  Then you need to make
sure that you are running at least SP6 on the 4.0 version. Now check the
available disk space.  You may need to upgrade the disks, like we did.

Now you need to decide whether you are going to upgrade the OS.  I upgraded
ours to Solaris 7, which is the highest level supported by CheckPoint.  Even
the new version of the firewall will not run in 64 bit mode, so you can not
use Solaris 8. If you are going to upgrade the OS, do this before anything
else.  If you do upgrade the OS, make sure you recreate the link for the
sendmail.cf file in /etc/mail.

OK, now you are ready to start the upgrade process.

1) Download the latest Service Pack from CheckPoint and put it on a tape.

2) Save the following files to a place that can be reached while you are
   upgrading: objects.C, *.W files, rulebases.fws and xlate.conf.  I did not
   save the log files because they are not readable by the new version of
   the Firewall, unless you push them out to a flat text file.

3) Now, if you need to, install SP6 for version 4.0.

4) reboot -- -r

5) Log in and bring up the GUI.  Make sure all your rules look right.  Make
   sure that all the networks are functioning properly.

6) Now, save the same files that you did in step #2.

7) Put the FW1 2000 CD in the drive.

8) cd /cdrom/cp2000_strong/solaris2

9) pkgadd -d .

10) Now choose the modules that you are going to install.  ****NOTE**** Do
    not install backwards compatibility unless you manage 4.0 firewalls from
    the management server!!**** In my case, I chose #7 and #8 for the
    Firewall and the GUI.  I do not reboot at this point, even though it
    says to.

11) Now change your root login shell environment variable to point to CPfw1
instead of the old 4.0 one.

12) Now run 'cpconfig' and answer the questions as you would a regular
    install.  ***NOTE***  I only modify what I have to at this point. i.e. I
    add the Firewall and Motif licenses, I do not modify SNMP but I do make
    sure I answer #2 on the question that asks about allowing connections
    during the boot process.  I do not allow any because we do not use
    network booting procedures. Make sure there are no errors reported
    during the portion when it asks you if you want to convert the files to
    4.1.

13) Once you have finished with the question and answer session,
reboot -- -r.

14) Bring up the GUI and make sure all your rules look right.  Check to make
    sure that your interfaces on the firewall have the right anti-spoofing
    settings.  They should be the same as before.  Check the address
    translation tables in the GUI.  This is where most of my problems
    occurred.  Make sure that you have an external-net and an internal-net
    defined in the Network Objects window.  I found that what used to work
    for xlate.conf no longer works for the NAT GUI.  I had to modify many of
    the rules so that NAT did not take place while going or coming from the
    internal net.  Then I had to modify the original rule to only translate
    when going to external-net.  If you see packets being dropped on rule 0,
    you will know to look at the NAT tables.

14) You need to save the same files again that you saved in step #2.

15) Now you will need to do a 'pkgrm' on the firewall packages.  Make sure
    you remove them in the right order.  Take off the new ones first and
    then the older ones.  Make sure you remove the GUI before the FW1
    package.  Make sure all the old directories are removed and there are no
    lingering files.

16) reboot -- -r

17) Now you have a clean system with no firewall installed.

18) Go back to the install procedure for FW1 in step #7.

19) When the firewall install is complete, put the converted files, that you
saved, back in to the $FWDIR/conf directory.

20) fwstop

21) fwstart

22) Bring up the GUI and see if you have a policy.  If not, try to load one.


Well, that is what I did for all three of my firewalls. Well, I actually had
to do mine a little longer version.  I still had version 3.0b, so I had to
start my procedure with reinstalling 4.0 first.

If you have any questions, let me know.  I actually learned most of this
from my CCSA instructor.  I can't say I like how long it takes, but I do
like the fact that there were a lot less surprises this way.



Marc Jacquard
SR. Systems Engineer
Fujitsu America, INC.
Hilo Office
email: [email protected]
Telephone:
Pager:

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Carlos Infante
Sent: Thursday, October 05, 2000 10:48 PM
To: [email protected]
Subject: [FW1] Firewall upgrading



Dear everybody,
I want to upgrade both the Solaris 2.6 to Solaris 2.7 and the Checkpoint 4.0
to 4.1. Which of the upgrades do I need to do first? I have one management
station and two firewall modules. Will the modules (with 4.0) work properly
with the management station (now running the upgraded 4.1) while I upgrade
the two firewall modules?
Thanks in advance

___________________________________
Carlos Infante Bello
Network Systems Engineer
NPS, Lucent Technologies
Ronda de Valdecarrizo, 6
28760 Tres Cantos (Madrid) Spain
Tel: +34 91 807 8221
Mobile: +34 646 485 207
e-mail: [email protected]
____________________________________



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
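
The procedure above saves the same policy files at three points (steps 2, 6 and 14) and restores them in step 19. As an added example, not part of the original message: a POSIX sh helper that keeps each save as its own checksummed stage, so a copy can be verified before it is restored and compared across the 4.1 conversion. The function names, stage names and backup directory are assumptions.

```shell
#!/bin/sh
# Added example: staged, checksummed copies of the files saved in steps 2, 6
# and 14. Function names, stage names and the backup path are assumptions.

FW_FILES='objects.C rulebases.fws xlate.conf'   # every *.W file is added too

# fw_snapshot CONF_DIR BACKUP_ROOT STAGE
# Copies the policy files to BACKUP_ROOT/STAGE and writes a cksum manifest.
fw_snapshot() {
    conf=$1; dest=$2/$3
    for f in $FW_FILES; do
        # Refuse an incomplete set: restoring it in step 19 would silently
        # drop part of the policy.
        [ -f "$conf/$f" ] || { echo "missing: $conf/$f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    for f in $FW_FILES; do cp -p "$conf/$f" "$dest/" || return 1; done
    for f in "$conf"/*.W; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/" || return 1; fi
    done
    ( cd "$dest" && for f in *; do
          [ "$f" = MANIFEST ] || cksum "$f"
      done > MANIFEST )
}

# fw_verify BACKUP_ROOT STAGE
# Succeeds only if every file in the stage still matches its manifest entry.
fw_verify() {
    ( cd "$1/$2" || exit 1
      for f in *; do [ "$f" = MANIFEST ] || cksum "$f"; done |
          cmp -s - MANIFEST )
}

# fw_changed BACKUP_ROOT STAGE_A STAGE_B
# Prints files that differ between two stages or exist in only one of them,
# e.g. what the cpconfig conversion in step 12 rewrote.
fw_changed() {
    for f in $( { ls "$1/$2"; ls "$1/$3"; } | sort -u ); do
        [ "$f" = MANIFEST ] && continue
        cmp -s "$1/$2/$f" "$1/$3/$f" 2>/dev/null || echo "$f"
    done
}

# Command-line use: script.sh snapshot|verify|changed ARGS...
case ${1:-} in
    snapshot|verify|changed) cmd=fw_$1; shift; "$cmd" "$@" ;;
esac
```

Run `fw_verify` on the stage you intend to restore before copying it back into $FWDIR/conf.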


