[FW1] RE: [fw1-wizards] Upgrading
TF,

The first thing you will need to do is upgrade to 4.0 SP6 or better. The upgrade to 4.1 will not work properly from 3.0. I have listed the procedure that I used to upgrade my 3 firewalls to version 4.1 SP2. I hope it helps. This is the way I do my Solaris machines and I am not sure if it will work for any other system. Plus, if this is a Solaris machine, you must be running Solaris 2.6 or better.

Best regards,
MJ

The first thing is to make sure you have a valid license for FW1 and MOTIF. MOTIF is now a separate license issue for FW1 2000.

Then you need to make sure that you are running at least SP6 on the 4.0 version.

Now check the available disk space. You may need to upgrade the disks, like we did.

Now you need to decide whether you are going to upgrade the OS. I upgraded ours to Solaris 7, which is the highest level supported by CheckPoint. Even the new version of the firewall will not run in 64-bit mode, so you cannot use Solaris 8. If you are going to upgrade the OS, do this before anything else. If you do upgrade the OS, make sure you recreate the link for the sendmail.cf file in /etc/mail.

OK, now you are ready to start the upgrade process.

1) Download the latest Service Pack from CheckPoint and put it on a tape.

2) Save the following files to a place that can be reached while you are upgrading: objects.C, *.W files, rulebases.fws and xlate.conf. I did not save the log files because they are not readable by the new version of the Firewall, unless you push them out to a flat text file.

3) Now, if you need to, install SP6 for version 4.0.

4) reboot -- -r

5) Log in and bring up the GUI. Make sure all your rules look right. Make sure that all the networks are functioning properly.

6) Now, save the same files that you did in step #2.

7) Put the FW1 2000 CD in the drive.

8) cd /cdrom/cp2000_strong/solaris2

9) pkgadd -d .

10) Now choose the modules that you are going to install.
****NOTE**** Do not install backwards compatibility unless you manage 4.0 firewalls from the management server!!****

In my case, I chose #7 and #8 for the Firewall and the GUI. I do not reboot at this point, even though it says to.

11) Now change your root login shell environment variable to point to CPfw1 instead of the old 4.0 one.

12) Now run 'cpconfig' and answer the questions as you would a regular install.

***NOTE*** I only modify what I have to at this point, i.e., I add the Firewall and Motif licenses. I do not modify SNMP, but I do make sure I answer #2 on the question that asks about allowing connections during the boot process. I do not allow any because we do not use network booting procedures. Make sure there are no errors reported during the portion when it asks you if you want to convert the files to 4.1.

13) Once you have finished with the question and answer session, reboot -- -r.

14) Bring up the GUI and make sure all your rules look right. Check to make sure that your interfaces on the firewall have the right anti-spoofing settings. They should be the same as before. Check the address translation tables in the GUI. This is where most of my problems occurred. Make sure that you have an external-net and an internal-net defined in the Network Objects window. I found that what used to work for xlate.conf no longer works for the NAT GUI. I had to modify many of the rules so that NAT did not take place while going to or coming from the internal net. Then I had to modify the original rule to only translate when going to external-net. If you see packets being dropped on rule 0, you will know to look at the NAT tables.

14) You need to save the same files again that you saved in step #2.

15) Now you will need to do a 'pkgrm' on the firewall packages. Make sure you remove them in the right order. Take off the new ones first and then the older ones. Make sure you remove the GUI before the FW1 package.
Make sure all the old directories are removed and there are no lingering files.

16) reboot -- -r

17) Now you have a clean system with no firewall installed.

18) Go back to the install procedure for FW1 in step #7.

19) When the firewall install is complete, put the converted files that you saved back into the $FWDIR/conf directory.

20) fwstop

21) fwstart

22) Bring up the GUI and see if you have a policy. If not, try to load one.

Well, that is what I did for all three of my firewalls. Well, I actually had to do a slightly longer version for mine. I still had version 3.0b, so I had to start my procedure with reinstalling 4.0 first.

If you have any questions, let me know. I actually learned most of this from my CCSA instructor. I can't say I like how long it takes, but I do like the fact that there were a lot fewer surprises this way.

Marc Jacquard
SR. Systems Engineer
Fujitsu America, INC.
Hilo Office
email: [email protected]
Telephone:
Pager:

-----Original Message-----
From: Thierry FRACHE [mailto:[email protected]]
Sent: Tuesday, October 03, 2000 1:34 AM
To: <
Subject: [fw1-wizards] Upgrading

Hi,

I have FW-1 3.0b and an upgrade to 4.1 SP2. Can you tell me what I need to upgrade my product without problems?

Thx
TF

***********************************************************************
This footer certifies that this message and any attachments have been checked by anti-virus software. However, this is not a guarantee, and Groupe LDI cannot be held liable should a virus be present.
***********************************************************************
This email came from the FireWall-1 Wizards Mailing List
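Added example, not part of the original post: the procedure above saves objects.C, the *.W files, rulebases.fws and xlate.conf three times (step 2, step 6 and the second step 14) and restores the converted set in step 19, so this POSIX shell sketch keeps one labelled snapshot per stage with a checksum manifest and checks the restored files against it. BACKUP_ROOT, the stage names and both function names are assumptions; only the file names and $FWDIR/conf come from the post.

```shell
#!/bin/sh
# Added example, not from the original post. BACKUP_ROOT, the stage names and
# both function names are assumptions; the file list is the one in step 2.

# snapshot_fw_conf STAGE: copy objects.C, rulebases.fws, xlate.conf and *.W
# from $FWDIR/conf into $BACKUP_ROOT/STAGE and record a cksum MANIFEST there.
snapshot_fw_conf() {
    stage=$1
    src=${FWDIR:?FWDIR is not set}/conf
    dest=${BACKUP_ROOT:-/var/tmp/fw1-upgrade}/$stage
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    missing=0
    for f in objects.C rulebases.fws xlate.conf; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; missing=1; }
    done
    # Refuse a partial snapshot: step 15 removes the firewall directories.
    [ "$missing" -eq 0 ] || return 1
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST"
    for path in "$src"/objects.C "$src"/rulebases.fws "$src"/xlate.conf "$src"/*.W; do
        [ -f "$path" ] || continue      # an unmatched *.W stays a literal pattern
        f=`basename "$path"`
        cp -p "$path" "$dest/$f" || return 1
        ( cd "$dest" && cksum "$f" ) >> "$dest/MANIFEST"
    done
    return 0
}

# verify_fw_conf STAGE [DIR]: recompute checksums in DIR (default $FWDIR/conf)
# against the stage manifest; prints each mismatch and returns 1 if any differ.
verify_fw_conf() {
    manifest=${BACKUP_ROOT:-/var/tmp/fw1-upgrade}/$1/MANIFEST
    dir=${2:-$FWDIR/conf}
    [ -f "$manifest" ] || { echo "no manifest for stage $1" >&2; return 1; }
    rc=0
    while read sum size name; do
        now=`cd "$dir" && cksum "$name" 2>/dev/null` || now=
        [ "$now" = "$sum $size $name" ] || { echo "MISMATCH: $name"; rc=1; }
    done < "$manifest"
    return $rc
}

# Usage (stage names are examples):
#   snapshot_fw_conf step02-original     # step 2
#   snapshot_fw_conf step14-converted    # second step 14
#   verify_fw_conf step14-converted      # after the restore in step 19
```

Keep BACKUP_ROOT outside the firewall's own directories, since those are removed during the clean reinstall.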