
Re: [FW-1] remote upgrade question-pls help



Dear all,

Some important and quick questions: I need to upgrade CP4.0 to CP2000 and
change its external IP at the same time (the license is tied to this external
IP).

I have worked out the following procedure and have some questions to ask you.

1) First, I create a rule using the GUI client, change the FW gateway IP
to the new IP, and save it under a new name, e.g. newfw.W, without installing it.

2) Disable /etc/rc2.d/S00fw1bootd and /etc/rc3.d/S95firewall1 so that the fw
won't start after reboot (I still wonder whether this step is necessary).

3) fwstop the firewall.

3) Change the firewall external IP and edit /etc/hosts and hostname.hme0.

4) Install the CP2000 software using InstallU. But I have a question here:
if I have already run fwstop on the fw daemon and then perform the installation,
will it be considered a new installation or an upgrade? I still need the old
configuration to be installed, like newfw.W.

5) Even if we can retain the configuration file, can we still use our GUI client
to choose the new configuration file newfw.W and compile and install it?

What is the difference among:
fw load newfw.W -- 1
fw load newfw.pf gateway1 -- 2
fw fetch gateway1 -- 3

What is the difference between 2 and 3? Gateway1 is specified as the target
in 3. But how do I know what my target name is, and for (1), how does the fw
know which target it should install it on?

Thanks






-----Original Message-----
From: Greg Polanski [mailto:[email protected]]
Sent: Friday, April 05, 2002 10:52 PM
To: [email protected]
Subject: fwstop is probably good idea.

after thinking about the email

I would change   /etc/init.d/fw
so the firewall does not start automatically
and use plaintext telnet to
        fw fetch ....     get the rule with the new address first
        fwstart

greg

-----Original Message-----
From: Greg Polanski [mailto:[email protected]]
Sent: Friday, April 05, 2002 10:49 PM
To: [email protected]
Subject: Re: [FW-1] remote upgrade question-pls help

Here is the path that I would follow.

1.  add rule that permits plaintext telnet from
    the current external address of your firewall and
    from the address of an external ISP that you can
    access.

        set rule for both current IP address and new IP address

    If the rest of the instructions go bad, you can still get in

2.  Change IP first, then upgrade    or
    Upgrade first, then change IP.

3.  If the license is not tied to the external IP,
        (I am doing this from memory)

    edit address in /etc/hosts
    reboot
    change IP in FW rules on management station
    recompile and reload
    rebooted system should accept push

4.  Upgrade
        I have not done it yet

greg

"Sim, CT (Chee Tong)" wrote:
>
> Hi..
>
> I need to remotely upgrade my other branch's Checkpoint firewall (solaris)
> from CP4.0 to CP2000 and at the same time, the external IP of the firewall
> (which CP was installed on) needs to be changed. I need to ask a few
> questions about the upgrading procedure as it involves a change of IP as
> well. (The new license that we get is for the new IP).
>
> 1) At first, should I do the upgrade first or change the IP first? If we
> change the external IP without stopping the FW service, the FW daemon will
> stop, right? If I fwstop the FW service first, will I be disconnected from
> my telnet session? I won't be able to log in to the console as I am not at
> the branch. I think the FW controls access to the solaris box if the FW
> service fails to run. How to disable it?
>
> 2) Even after we changed the external IP of the FW and start to upgrade to
> CP2000, we need to install the old policy again, but the FW external IP in
> the old policy is the old one, right? What do we need to do about it? Just
> change it to the new FW IP in the policy and install it, right?
>
> 3) How much free space do we need for the upgrade to CP2000? I used to
> encounter the following problem when I upgraded my FW from CP4.0 to CP2000;
> it happened when I tried to install the old policy to the new CP2000. How to
> avoid it?
>
> Installing Security Policy foobar on all.all@firewall
> Has only loopback (lo) interface, aborting..
> Failed to load security policy: No such file or directory
> Fetching Security policy from firewall failed
>
> Thanks in advance
> Tong
>
> ==================================================================
> The information contained in this message may be confidential
> and is intended to be exclusively for the addressee. Should you
> receive this message unintentionally, please do not use the contents
> herein and notify the sender immediately by return e-mail.
>
> ==================================================================
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

--
_______________________________________________________________
Greg Polanski                    mailto:[email protected]
ADC Telecommunications, IncMSFAX
PO Box 1cell/pager
Minneapolis, MN  [email protected]
_______________________________________________________________
