Re: [FW-1] Can you pls. share your experience on NG Upgrade with me?
Hello again,

On Thu, Nov 29, 2001 at 09:59:50AM +0900, Tan Tit Keat wrote:
>
> Hi, Nico:
>
> I remember you posted an email to the Check Point Mailing List asking about the NG Upgrade.
>
> Have you successfully install/upgrade NG in your system?
>
> Can you pls. share your experience with me?
>
> If you have posted any Summary to the Check Point Mailing List, pls. tell me so, just in case I miss it.

I was going to post something (actually I think I even promised a few people I would do it), but in the end I forgot all about it (been too busy :-( ) So I'll CC this e-mail to the mailing list, perhaps some other people can benefit from it :-).

Anyway, yes we did more or less manage to do the upgrade. The configuration we have now is:

- management station running NG (sol 8, 64-bit),
- 1 firewall/vpn module running 4.1 (sol 2.6, 32-bit) and
- 1 firewall/vpn module running NG (sol 8, 64-bit).

Upgrading the management station from 4.1 to NG did NOT work. (Remark from a Checkpoint support person: "well, NG isn't exactly meant to be an upgrade" then why do they put a label "upgrade" on the box?) We could not load the ruleset afterwards. So we ended up installing a fresh copy of the NG management console and then importing the ruleset and objects from 4.1.

However: the ruleset from 4.1 contained a few "standard" rulesets that were created automatically when starting the 4.1 gui for the first time (or when doing the initial installation, I'm not sure actually where they came from but I didn't create them myself :-). These standard rulesets contain lots of incompatibilities and need to be removed manually before doing the upgrade: edit rulebases.fws (from 4.1) and remove the section for those unused rulesets. Unfortunately I know no easier way to remove a ruleset :-(. Removing the .W file doesn't work since that actually gets generated from the rulebases.fws (weird, very weird).

The same goes for the objects.C file, this contains a few protocols that are not valid anymore. (unfortunately I didn't write down which protocols since I didn't use them, you might have to iterate through the whole process a couple of times :-).

So how do you import the old rulesets + objects into NG?

- start with a clean install of the NG management console
- cpstop
- copy <your 4.1 objects.c> to $FWDIR/conf/prev_ver_objects.c
- copy <your 4.1 rulebase.fws> to $FWDIR/conf/rulebases.fws
- copy <your 4.1 fwauth.NDB> to $FWDIR/conf/fwauth.NDB
- copy <the objects.C from a clean NG install> to $FWDIR/conf/empty_objects.C
- $FWDIR/bin/fw confmerge $FWDIR/conf/prev_ver_objects.c $FWDIR/conf/empty_objects.C > $FWDIR/conf/objects.C
(- rm object_5_0.C
   Note: I wrote this down in my notes but I'm not sure whether I eventually had to do this step or not)
- $FWDIR/bin/fw checkobj
- $FWDIR/bin/fw cpmi_upgrade
- cpstart

When you connect with the GUI you may get a number of errors regarding either some rulesets or some objects. Try removing those and start all over (and make frequent backups of the conf/ directory :-)

If you need some more info let me know (if I don't reply after a few days send me an e-mail again, I get so many e-mails a day that I may look over it :-)

Nico

---------------------------------------------------------
"It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [email protected]
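
An added example, not part of the e-mail above and not Check Point tooling: a small sh wrapper around the listed import steps that snapshots conf/ before each attempt and refuses to start if a source file is missing, so each "remove and start all over" iteration begins from a known state. The file names inside the saved 4.1 directory, the snapshot naming and the script name import41.sh are assumptions; the cpstop, fw and cpstart invocations are the ones listed in the e-mail.

```shell
#!/bin/sh
# Snapshot $FWDIR/conf so a failed import attempt can be rolled back.
# Prints the snapshot path.
backup_conf() {
    : "${FWDIR:?FWDIR is not set}"
    snap="$FWDIR/conf.backup.$(date +%Y%m%d-%H%M%S)"
    [ ! -e "$snap" ] || { echo "snapshot exists: $snap" >&2; return 1; }
    cp -Rp "$FWDIR/conf" "$snap" && echo "$snap"
}

# Put conf/ back exactly as it was when the snapshot was taken.
restore_conf() {
    : "${FWDIR:?FWDIR is not set}"
    [ -d "$1" ] || { echo "no such snapshot: $1" >&2; return 1; }
    rm -rf "$FWDIR/conf" && cp -Rp "$1" "$FWDIR/conf"
}

# Stage the saved 4.1 files under the names the e-mail uses.
# $1 = directory with the saved 4.1 files (file names below are assumed)
# $2 = objects.C from a clean NG install
stage_41_files() {
    : "${FWDIR:?FWDIR is not set}"
    for f in "$1/objects.C" "$1/rulebases.fws" "$1/fwauth.NDB" "$2"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    cp -p "$1/objects.C"     "$FWDIR/conf/prev_ver_objects.c" &&
    cp -p "$1/rulebases.fws" "$FWDIR/conf/rulebases.fws" &&
    cp -p "$1/fwauth.NDB"    "$FWDIR/conf/fwauth.NDB" &&
    cp -p "$2"               "$FWDIR/conf/empty_objects.C"
}

# One import attempt: the e-mail's commands in the e-mail's order.
# The "rm object_5_0.C" step the author was unsure about is left out.
import_attempt() {
    cpstop
    snap=$(backup_conf) || return 1
    echo "rollback with: restore_conf $snap"
    stage_41_files "$1" "$2" || return 1
    "$FWDIR/bin/fw" confmerge "$FWDIR/conf/prev_ver_objects.c" \
        "$FWDIR/conf/empty_objects.C" > "$FWDIR/conf/objects.C"
    "$FWDIR/bin/fw" checkobj
    "$FWDIR/bin/fw" cpmi_upgrade
    cpstart
}

# Usage: sh import41.sh run <dir-with-4.1-files> <clean-NG-objects.C>
if [ "${1:-}" = run ]; then shift; import_attempt "$@"; fi
```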