Re: [FW1] question on upgrading checkpoint 4.0 to 4.1 (solaris)

[Chris F <freaknetboy@FW1-NOSPAMyahoo.com>]

Hi CT --

See within:

--- "Sim, CT (Chee Tong)"
<CheeTong.Sim@sin.rabobank.com> wrote:
> 
> We would like to upgrading our existing Check Point
> from 4.0 to 4.1 on
> solaris box, I need to ask some questions to double
> check.  Quite a lot
> questions, just answer whatever u can
> 
> 1)What file or directory that we need to backup in
> our existing solaris, is
> that the whole $FWDIR or /opt/CKPfw and
> /var/opt/CKPfw directory??  or what
> else??

First, get your v.4.1 licenses before you do anything!
You MUST HAVE your v4.1 licenses for everything (e.g.
don't forget to have on for SecuRemote, if you use
it!)

Okay -- back to your questions...

Back up everything. You may have forgot that you
edited a certain file in some directory other that
$CONF.
Example: base.def in $FWLIB
Best to be sure you have everything just to be safe :)

> 2)After the upgrading, do we need to install the
> policy again, or we need to
> copy the old configuration to new directory again?

YES! You must reinstall the policy after upgrading!!
FW1 will work properly until you reinstall the policy.


Use the "InstallU" program on the v4.1 CD. It will
upgrade for you. It works. DO NOT use the pkgadd -- as
it doesn't upgrade properly, and InstallU is simple.

There are special things to consider if you want
backward compatibility with 4.0 -- I did NOT -- so I
can't help you here. "InstallU" will ask you if you
want it. If you won't need to manage older firewalls
in any way, say NO!


> 3)I read the documentation that if the cpconfig
> detect a previous version
> was installed, the configuration program will be
> shown like as below.  May I
> know whether we need to configure the individual
> item again like
> Administrator and etc.. or it will maintain the old
> setting?? I remember the
> version 4.0 got 10 options, but 4.1 seems to have 15
> options, for those
> extra, do we need to configure or just leave it if
> nothing change. 
> 
> Welcome to VPN-1/XXXXXXXXXX  configuration program
> ============================
> Configuration option
> 
> 
> (1)Licenses
> (2)Administrator   
> (3)XXXXXXX  etc

It will remember your "old" settings, such as GUI
administrators, etc. I cannot remember anything else.
I don't believe that I had to re-configure anything.

One difference in the newer cpconfig is the detail of
Security Servers -- different in cpconfig than in
fwconfig in the past. Just FYI.

I *never* get my license string in correctly for the
prompt above. Call me silly, but it doesn't take the
entire string, but parts of it. I always seem to give
the wrong parts of the string after I realize it :)

No biggie... I always upgrade then do the fw putlic
<string> -- and it always works for me!

> 4)Do we need to supply the new License key for
> upgrading? If yes, whether
> only Certificate Key is needed to generate the
> license key on the net?? What

Yes -- you need your Cert Key and license it on the
Internet at license.checkpoint.com. You'll also need
to use ALL Cert Keys you have for whatever CheckPoint
products you'll be using/upgrading and license them as
well.

For example, FW1 mod, FW1 mangmnt, and FW1 SecuRemote
-- all need v4.1 licenses.

> else we need to supply? Whether the licenses key
> generated today can be used
> tomorrow?

Once you generate your v4.1 keys -- they will be valid
forever -- basically :)


> 5)I have the following licenses key configuration,
> what is the meaning? Is
> that because we changed internet interface hme0's IP
> before from 213.40 XXX
> to 213.90 XXX before but it was install two times?? 

Yes -- the license doesn't forget :)
CP will list all your licensing activity -- which is
why the older unused licenses still appear. Just
ignore the older stuff :)


> Configuring Licenses...
> =======================
> The following licenses are installed on this host:
> 213.90.127.60    Never      4.x stdmad100
> 213.90.127.60    Never      4.x matif
> 213.40.220.130   Never      4.x matif
> 213.40.220.130   Never      4.x stdmad100
> 213.40.220.130   24Jul1999  4.x controlx pfmx oseu
> vpn connect motif
> embedded ram1 srunlim
> it
> 170.18.79.253     5Jul1999  4.x controlx pfmx oseu
> vpn connect motif
> embedded ram1 srunlim
> it
> 
> 6)What is the difference between CA key and license
> key? if that a must to
> have CA key? 

CA = Certificate Authority. Your Firewall can be a CA
if you're using SecuRemote, etc. It's a key for
encryption.

Your license key is so you can use FW (proves you paid
for the product).

Too many "keys", eh?  :)

> 
> Configuring CA Keys...
> ======================
> fw: no license for 'ca'
> Do you want to create an FWZ Certificate Authority
> key (y/n) [y] ?
> 
> 7)What is default filter for ?

When FW1 boots up, if you want a general filter to be
used.

> 
> Configuring Default Filter...
> =============================
> 
> Do you wish to modify your /etc/rcS.d boot scripts
> to allow a default
> filter to be automatically installed during boot
> (y/n) [y] ?
> 
> 8)what is the groups option in configuration program
> for, is that a must?

I think this is for the group ownership of the files
on your system. It's UNIX groups... a unix thing. You
know -- each file has an owner and a group. So, it's
asking what group permissions/name to store the files
under. The installation program is asking what you
want to use -- incase you created a special group. If
not, you can use the CP default.


That's it, I guess.

I did what you are trying to do. If you have any other
questions, let me know!

HTH -- Chris



__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 
a year!  http://personal.mail.yahoo.com/


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================