16 February 2020

INSTALLATION AND
UPGRADE GUIDE
R80.10
Protected
CHAPTE R 1

2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page https://www.checkpoint.com/copyright/ for a list of our trademarks.
Refer to the Third Party copyright notices
https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/ for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Check Point R80.10

For more about this release, see the R80.10 home page
http://supportcontent.checkpoint.com/solutions?id=sk111841.

Latest Version of this Document

Open the latest version of this document in a Web browser
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Inst
allation_and_Upgrade_Guide/html_frameset.htm.
Download the latest version of this document in PDF format
http://downloads.checkpoint.com/dc/download.htm?ID=54829.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:[email protected]?subject=Feedback on Installation and
Upgrade Guide R80.10 .

Searching in Multiple PDFs

To search for text in all the R80.10 PDF documents, download and extract the
complete R80.10 documentation package
http://downloads.checkpoint.com/dc/download.htm?ID=54846.
Use Shift-Control-F in Adobe Reader or Foxit reader.

Revision History
Date Description

16 February 2020 Updated:

• Backing Up and Restoring (on page 17)
• Before Upgrading (on page 87)
• Service Contract Files (on page 95)
• Management Server Migration Tool (on page 91)
• Upgrading an R77.xx Multi-Domain Security Management with Migration
(on page 102)
• Migrating an R77.xx Domain Management Server Database (on page 108)
• Working with Licenses (on page 185)
• Using SmartUpdate (on page 191)
Date Description

03 June 2019 Updated:

• Before Upgrading (on page 87)
• Migrating Each Domain Management Server Gradually (on page 106)
• Upgrading 32/64-bit Cluster Members (on page 130)
Added:
• R80.10 Software Images (on page 14)
• Configuring Gaia for the First Time (on page 25)
18 December 2018 Improved formatting and document layout.
Updated:
• Product Deployment Scenarios (on page 15).
• Backing Up and Restoring (on page 17).
• Enabling IPv6 on Gaia (on page 44).
• Installing Endpoint Security (on page 54).
• Post-Installation Configuration (on page 69).
• Upgrade Utilities (on page 91).
• Using the Pre-Upgrade Verifier (on page 92).
• Enabling IPv6 on Multi-Domain Security Management (on page 120).
• Optimal Service Upgrade Limitations (on page 137).
Added:
• Running the Gaia First Time Configuration Wizard (on page 25).
• Installing Software Packages on Gaia (on page 74).
• Supported Versions for Connectivity Upgrade (on page 148).
• Supported Versions for Optimal Service Upgrade (on page 136).
• Configuring Link State Propagation (on page 173).
• Using Monitor Mode (on page 158).
• Security Before Firewall Activation (on page 176).
Removed:
• Installing and Upgrading with CPUSE (replaced with Installing Software
Packages on Gaia (on page 74)).
• Configuring your Check Point Appliance (see The Gaia Operating System
(on page 19)).
24 July 2018 • Removed: All references to IP Series appliances, because they are not
supported by R80 and above.
• Added: Feedback link in the WEB guide, at the bottom of each page.
Date Description

11 July 2018 • Removed: Section Converting a Security Management Server to

Multi-Domain Server on Smart-1 Appliance, because it is not supported
for R80 and above.
• Improved: vSEC Controller upgrade instructions (on page 94).
31 May 2018 • Removed: Section Removing Earlier Version Multi-Domain Server
Installations, because it does not apply to Multi-Domain Server on Gaia.
• Updated: Licensing Terms for SmartUpdate (on page 194).
31 May 2018 Added:
• Install Database requirement after Upgrading Gaia Security Management Server and
Standalone (on page 99).
• Install Database requirement after Importing the Security Management Server Database.
• License requirement prior to importing database on Multi-Domain Servers (on page 102).
• mdsstop and mdsstart commands needed before synchronizing Standby Domain (on page
116).
• Sync details when doing Upgrade of primary and secondary servers (on page 102).
• Commands to run when upgrading from R80 -> R80.10 - Migrating Global Policies (on
page 107).

12 November 2017 General updates.

08 November 2017 Improved formatting and document layout.

Updated:
• Upgrading a VSX Gateway (on page 124)
• Upgrading Gaia Security Management Server and Standalone (on page 99)
• Upgrading Multi-Domain Security Management (on page 100)
• Upgrading a VSX Cluster (on page 152)

03 September Added information on upgrading from R80 to R80.10 in:

2017 • Added CLI commands (on page 209)
• Upgrading Gaia Security Management Server and Standalone (on page 99)
• Upgrading from R80 (on page 101)
• Upgrading Management with High Availability (on page 122)
• Upgrading SmartEvent Server

14 May 2017 First release of this document.

Contents
Important Information................................................................................................... 3
Terms .......................................................................................................................... 11
Getting Started ............................................................................................................ 13
Welcome ................................................................................................................. 13
R80.10 Documentation ............................................................................................ 13
R80.10 Software Images ......................................................................................... 14
For New Check Point Customers ............................................................................ 14
Disk Space ............................................................................................................... 14
Product Deployment Scenarios ............................................................................... 15
Backing Up and Restoring ........................................................................................... 17
The Gaia Operating System ......................................................................................... 19
Installing the Gaia Operating System ...................................................................... 20
Installing the Gaia Operating System on Appliances............................................... 21
Installing the Gaia Operating System on an Open Server ....................................... 22
Installing a Blink Image to Configure a Check Point Gateway Appliance ................ 23
Changing Disk Partition Sizes During the Installation of Gaia Operating System ... 24
Configuring Gaia for the First Time ......................................................................... 25
Running the First Time Configuration Wizard in Gaia Portal .........................................25
Running the First Time Configuration Wizard in CLI Expert mode .................................33
Configuring the IP Address of the Gaia Management Interface .............................. 41
Changing the Disk Partition Sizes on an Installed Gaia ........................................... 43
Enabling IPv6 on Gaia .............................................................................................. 44
Installing a Management Server on Gaia .................................................................... 45
Installing a Management Server on Linux................................................................... 47
Installing a Multi-Domain Security Management ........................................................ 48
Installing a Multi-Domain Server on Smart-1 Appliances ...................................... 48
Installing a Multi-Domain Server on Open Servers................................................. 51
Installing a Multi-Domain Log Server ..................................................................... 53
Installing Endpoint Security ........................................................................................ 54
Installing a Log Server or SmartEvent Server ............................................................ 56
Installing a Standalone ............................................................................................... 57
Configuring a Standalone Appliance in Standard Mode .......................................... 57
Configuring a Standalone Appliance in Quick Setup Mode ...................................... 60
Installing Security Gateways ....................................................................................... 61
Installing Security Gateways on Appliances............................................................ 61
Installing Security Gateways on Open Servers........................................................ 63
Installing VSX Gateways .............................................................................................. 64
Installing Security Gateways on Appliances............................................................ 64
Installing Security Gateways on Open Servers........................................................ 66
Installing SmartConsole ............................................................................................. 67
Logging in to SmartConsole .................................................................................... 68
Troubleshooting SmartConsole .............................................................................. 68
Post-Installation Configuration ................................................................................... 69
Installing Software Packages on Gaia ......................................................................... 74
High Availability .......................................................................................................... 77
 Configuring Management High Availability ............................................................. 77
Understanding Full High Availability Cluster on Appliances................................... 79
Installing Full High Availability on Gaia Appliances ................................................ 80
Configuring Full High Availability on Appliances .................................................... 83
Removing a Cluster Member .........................................................................................84
Adding a New Appliance to a High Availability Cluster...................................................84
Recommended Logging Options for High Availability ....................................................85
Upgrading Full High Availability on Appliances ...................................................... 86
Upgrading Prerequisites ............................................................................................. 87
Before Upgrading .................................................................................................... 87
Management Server Migration Tool........................................................................ 91
Using the Pre-Upgrade Verifier .............................................................................. 92
Upgrading Successfully .......................................................................................... 93
Upgrading the vSEC Controller ............................................................................... 94
vSEC Controller and Supported Security Gateways .......................................................94
Service Contract Files ............................................................................................. 95
Working with Contract Files ..........................................................................................96
Installing a Contract File on the Security Management Server ......................................96
Installing a Contract File on Security Gateways.............................................................97
Upgrading Security Management Servers .................................................................. 98
Using the Upgrade Verification Service ................................................................... 98
Upgrading Gaia Security Management Server and Standalone .............................. 99
Upgrading a Multi-Domain Server or Multi-Domain Log Server ............................... 100
Upgrading Multi-Domain Security Management with CPUSE ............................... 101
Upgrading an R77.xx Multi-Domain Security Management with Migration........... 102
Exporting the Multi-Domain Server Databases ...........................................................102
Importing the Database to the Primary Multi-Domain Server ..................................... 104
Importing the Database to Secondary Multi-Domain Servers and Multi-Domain Log
Servers ........................................................................................................................105
Migrating Each Domain Management Server Gradually .............................................. 106
Migrating Global Policies .............................................................................................107
Upgrading Global Policy from R77.xx to R80.10 ...........................................................108
Migrating an R77.xx Domain Management Server Database ....................................... 108
Migrating an R80.10 Database to another R80.10 Server ............................................. 114
Upgrading a High Availability Deployment ............................................................ 115
Pre-Upgrade Verification and Tools.............................................................................115
Multi-Domain Server High Availability .........................................................................115
Upgrading Multi-Domain Servers and Domain Management Servers.......................... 116
Updating Objects in the Domain Management Server Databases ................................ 116
Managing Domain Management Servers During the Upgrade Process........................ 117
Restarting Domain Management Servers ............................................................. 118
Changing the Leading Interface on Multi-Domain Server or Multi-Domain Log
Server ................................................................................................................... 119
Saving the Multi-Domain Security Management IPS Configuration ...................... 120
Enabling IPv6 on Multi-Domain Security Management ......................................... 120
Upgrading Management with High Availability ......................................................... 122
Upgrading from R80 to R80.10 .............................................................................. 122
Upgrading from R77.xx to R80.10 ......................................................................... 122
Upgrading Security Gateways ................................................................................... 123
Configuring SmartUpdate for Versions R77.30 and Lower ................................... 123
Upgrading a VSX Gateway ..................................................................................... 124
Upgrading Full High Availability ................................................................................ 126
Upgrading with Minimal Downtime ....................................................................... 126
Upgrading with a Clean Installation ...................................................................... 127
Upgrading ClusterXL Deployments ........................................................................... 128
Planning a Cluster Upgrade .................................................................................. 129
Ready State During Cluster Upgrade/Rollback Operations.......................................... 130
Upgrading 32/64-bit Cluster Members ........................................................................130
Upgrading Third-Party and OPSEC Certified Cluster Products .................................... 130
Upgrading Clusters on Appliances ..............................................................................131
Minimal Effort Upgrade on a ClusterXL Cluster.................................................... 132
Zero Downtime Upgrade on a Cluster ................................................................... 133
Upgrading Clusters with Minimal Connectivity Loss ............................................. 135
ClusterXL Optimal Service Upgrade ..................................................................... 136
Supported Versions for Connectivity Upgrade .............................................................136
Optimal Service Upgrade Limitations ..........................................................................137
Upgrading the Cluster from R75.40VS and above ........................................................140
Upgrade Workflow from VSX R67.10............................................................................142
Troubleshooting the OSU Upgrade ..............................................................................146
Connectivity Upgrade ............................................................................................ 147
Supported Versions for Connectivity Upgrade .............................................................148
Upgrading ClusterXL High Availability Using Connectivity Upgrade ............................ 150
Upgrading a VSX Cluster..............................................................................................152
Connectivity Upgrade Commands ................................................................................153
Special Scenarios for Security Gateways .................................................................. 157
Using Monitor Mode .............................................................................................. 158
Configuring Monitor Mode ...........................................................................................158
Supported Software Blades for Monitor Mode .............................................................159
Unsupported Software Blades for Monitor Mode .........................................................160
Unsupported Deployments for Monitor Mode ..............................................................160
Deploying a Security Gateway or a ClusterXL in Bridge Mode .............................. 161
Supported Software Blades in Bridge Mode ................................................................161
Limitations in Bridge Mode ..........................................................................................163
Configuring a Single Security Gateway in Bridge Mode ...............................................164
Configuring a ClusterXL in Bridge Mode ......................................................................165
Routing and Bridge Interfaces .....................................................................................168
Configuring Link State Propagation (LSP) ............................................................ 173
Security Before Firewall Activation ...................................................................... 176
Boot Security ...............................................................................................................176
The Initial Policy ..........................................................................................................181
Monitoring Security .....................................................................................................182
Unloading Default Filter or Initial Policy......................................................................183
Troubleshooting: Cannot Complete Reboot .................................................................184
Working with Licenses .............................................................................................. 185
Viewing Licenses in SmartConsole ....................................................................... 185
Monitoring Licenses in SmartConsole .................................................................. 187
Configuring Licenses - Gaia Portal ....................................................................... 190
Using SmartUpdate ................................................................................................... 191
Accessing SmartUpdate ........................................................................................ 192
Licenses Stored in the Licenses & Contracts Repository...................................... 193
Licensing Terms for SmartUpdate ........................................................................ 194
Managing Licenses Using SmartUpdate ............................................................... 196
 Adding New Licenses to the Licenses & Contracts Repository .................................... 196
Deleting a License from the Licenses & Contracts Repository .................................... 199
Upgrading a License ....................................................................................................199
Exporting a License to a File........................................................................................199
Checking for Expired Licenses ....................................................................................199
Attaching a License to a Security Gateway ............................................................ 200
Retrieving License Data from a Check Point Security Gateway.................................... 200
Detaching Licenses from a Security Gateway ....................................................... 201
Upgrading with SmartUpdate for R77.30 and Below ............................................. 202
Upgrading a Single Package on a Check Point Remote Gateway ................................. 202
Upgrading All Packages on a Check Point Remote Gateway ........................................ 202
Prerequisites for Remote Upgrades ............................................................................203
Distributions and Upgrades .........................................................................................203
Canceling and Uninstalling ..........................................................................................203
Restarting the Check Point Security Gateway ..............................................................203
Using the Package Repository .....................................................................................204
Generating CPInfo .......................................................................................................206
Check Point Cloud Services....................................................................................... 207
Automatic Downloads ........................................................................................... 207
Sending Data to Check Point ................................................................................. 208
CLI Commands .......................................................................................................... 209
cpconfig ................................................................................................................. 210
cplic ....................................................................................................................... 212
cplic check ...................................................................................................................213
cplic db_add ................................................................................................................214
cplic db_print ..............................................................................................................215
cplic db_rm .................................................................................................................216
cplic del .......................................................................................................................217
cplic del <object name> ...............................................................................................218
cplic get .......................................................................................................................219
cplic put .......................................................................................................................220
cplic put <object name> ...............................................................................................222
cplic print ....................................................................................................................224
cplic upgrade ...............................................................................................................225
cppkg ..................................................................................................................... 227
cppkg add ....................................................................................................................227
cppkg delete ................................................................................................................228
cppkg get .....................................................................................................................228
cppkg getroot ..............................................................................................................228
cppkg print ..................................................................................................................229
cppkg setroot...............................................................................................................229
cprid ...................................................................................................................... 230
cpridrestart .................................................................................................................230
cpridstart.....................................................................................................................230
cpridstop .....................................................................................................................230
cprinstall ............................................................................................................... 231
cprinstall boot .............................................................................................................232
cprinstall cpstart .........................................................................................................233
cprinstall cpstop ..........................................................................................................234
cprinstall get ...............................................................................................................235
cprinstall install ..........................................................................................................236
cprinstall uninstall ......................................................................................................237
 cprinstall verify ...........................................................................................................238
cprinstall snapshot ......................................................................................................239
cprinstall show ............................................................................................................240
cprinstall revert ..........................................................................................................241
cprinstall transfer .......................................................................................................242
control_bootsec .................................................................................................... 243
fwboot bootconf..................................................................................................... 244
comp_init_policy ................................................................................................... 245
cpstop -fwflag default and cpstop -fwflag proc .................................................... 246

Terms
Administrator
A SmartConsole user with permissions to
manage Check Point security products and
the network environment.
ClusterXL
Cluster of Check Point Security Gateways
that work together in a redundant
configuration. The ClusterXL both handles
the traffic and performs State
Synchronization.
These Check Point Security Gateways are
installed on Gaia OS:
• ClusterXL supports up to 5 Cluster
Members.
• VRRP Cluster supports up to 2 Cluster
Members.
• VSX VSLS cluster supports up to 13
Cluster Members.
Note - In ClusterXL Load Sharing mode,
configuring more than 4 Cluster Members
significantly decreases the cluster
performance due to amount of Delta Sync
traffic.
Database Migration
Process of:
1. Installing the latest Security Management
Server or Multi-Domain Server version
from the distribution media on a separate
computer from the existing Security
Management Server or Multi-Domain
Server
2. Exporting the management database
from the existing Security Management
Server or Multi-Domain Server
3. Importing the management database to
the new Security Management Server or
Multi-Domain Server
This upgrade method minimizes upgrade
risks for an existing deployment.
Distributed Deployment
The Check Point Security Gateway and
Security Management Server products are
deployed on different computers.
Domain
A network or a collection of networks related
to an entity, such as a company, business
unit or geographical location.
Domain Log Server
A Log Server for a specified Domain. It stores
and processes logs from Security Gateways
that are managed by the corresponding
Domain Management Server.
Domain Management Server
A virtual Security Management Server that
manages Security Gateways for one Domain,
as part of a Multi-Domain Security
Management environment.
Global Policy
All Policies defined in the Global Domain that
can be assigned to Domains, or to specified
groups of Domains.
ICA
Internal Certificate Authority - A component
on Check Point Management Server that
issues certificates for authentication.
Multi-Domain Log Server
A computer that runs Check Point software
to store and process logs in Multi-Domain
Security Management environment. The
Multi-Domain Log Server consists of Domain
Log Servers that store and process logs from
Security Gateways that are managed by the
corresponding Domain Management Servers.
Multi-Domain Security Management
A centralized management solution for
large-scale, distributed environments with
many different Domain networks.
Multi-Domain Server
A computer that runs Check Point software
to host virtual Security Management Servers
called Domain Management Servers.
Open Server
A physical computer manufactured and
distributed by a company, other than Check
Point.

Package Repository
A SmartUpdate repository on the Security
Management Server that stores uploaded
packages. These packages are then used by
SmartUpdate to perform upgrades of Check
Point Small Office Appliances.

Security Gateway
A computer that runs Check Point software
to inspect traffic and enforces Security
Policies for connected network resources.

Security Management Server

A computer that runs Check Point software
to manage the objects and policies in Check
Point environment.

Security Policy
A collection of rules that control network
traffic and enforce organization guidelines
for data protection and access to resources
with packet inspection.

SmartConsole
A Check Point GUI application used to
manage Security Policies, monitor products
and events, install updates, provision new
devices and appliances, and manage a
multi-domain environment and each domain.
CHAPTE R 2

Getting Started
In This Section:
Welcome ........................................................................................................................13
R80.10 Documentation .................................................................................................13
R80.10 Software Images...............................................................................................14
For New Check Point Customers ................................................................................14
Disk Space .....................................................................................................................14
Product Deployment Scenarios ...................................................................................15

Before you install or upgrade to R80.10:

1. Read the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNot
es/html_frameset.htm.
2. Back up (on page 17) the current system.

Welcome
Thank you for choosing Check Point Software Blades for your security solution. We hope that you
will be satisfied with this solution and our support services. Check Point products provide your
business with the most up to date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional, and
support services through a network of Authorized Training Centers, Certified Support Partners,
and Check Point technical support personnel to ensure that you get the most out of your security
investment.
For additional information on the Internet Security Product Suite and other security solutions, go
to https://www.checkpoint.com https://www.checkpoint.com or call Check Point at 1(800)
429-4391. For additional technical information, visit the Check Point Support Center
https://supportcenter.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all of your current and future
network, application, and management security needs.

R80.10 Documentation
This guide is for administrators responsible for installing R80.10 on appliances and open servers
that run the Gaia Operating System.
To learn what is new in R80.10, see the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.
See the R80.10 Home Page SK http://supportcontent.checkpoint.com/solutions?id=sk111841 for
information about the R80.10 release.

Installation and Upgrade Guide R80.10 | 13

 Getting Started

R80.10 Software Images

You can use the Upgrade/Download Wizard
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowupgradewizard
to download the applicable installation and upgrade images.

For New Check Point Customers

New Check Point customers can access the Check Point User Center
https://usercenter.checkpoint.com to:
• Manage users and accounts
• Activate products
• Get support offers
• Open service requests
• Search the Technical Knowledge Base

Disk Space
When you install or upgrade R80.10, the installation or upgrade wizard makes sure that there is
sufficient space on the hard disk to install the Check Point products.
If there is not sufficient space on the hard disk, an error message is shown. The message states:
• The amount of disk space necessary to install the product.
• The directory where the product is installed.
• The amount of free disk space that is available in the directory.
To learn how to remove old Check Point packages and files, see sk91060
http://supportcontent.checkpoint.com/solutions?id=sk91060.
After there is sufficient disk space, install or upgrade the Check Point product.

Installation and Upgrade Guide R80.10 | 14

 Getting Started

Product Deployment Scenarios

There are different deployment scenarios for Check Point software products.

Distributed Deployment
The Security Management Server (1) and the Security Gateway (3) are installed on different
computers, with a network connection (2).

Standalone Deployment
The Security Management Server (1) and the Security Gateway (3) are installed on the same
computer (2).

Management High Availability

A Primary Security Management Server (1) has a direct or indirect connection (2) to a Secondary
Security Management Server (3).
The databases of the Security Management Servers are synchronized, manually or on a schedule,
to back up one another.
The administrator makes one Security Management Server Active and the others Standby.
If the Active Security Management Server is down, the administrator can promote the Standby
server to be Active.

Installation and Upgrade Guide R80.10 | 15

 Getting Started

Full High Availability

In a Full High Availability Cluster on two Check Point Appliances, each appliance runs both as a
ClusterXL Cluster Member and as a Security Management Server, in High Availability mode.
This deployment lets you reduce the maintenance required for your systems.
In the image below, the appliances are denoted as (1) and (3).
The two appliances are connected with a direct synchronization connection (2) and work in High
Availability mode:
• The Security Management Server on one appliance (for example, 1) runs as Primary, and the
Security Management Server on the other appliance (3) runs as Secondary.
• The ClusterXL on one appliance (for example, 1) runs as Active, and the ClusterXL on the other
appliance (3), runs as Standby.
• The ClusterXL Cluster Members synchronize the information about the traffic over the
synchronization connection (2).

Installation and Upgrade Guide R80.10 | 16

CHAPTE R 3

Backing Up and Restoring

Best Practices:
Step Description
1 Save a snapshot and a backup of your source system as the first step of an upgrade.

2 Save a second snapshot and a backup immediately after the Pre-Upgrade Verifier
successfully completes with no further suggestions.

3 Transfer the snapshot, backup files, and exported database files to external storage
devices. Make sure to transfer the files in the binary mode.

Important notes about backing up and restoring in Management High Availability environment:
• To back up and restore a consistent environment, make sure to collect and restore the
backups and snapshots from all servers in the High Availability environment at the same time.
(This does not apply to Multi-Domain Log Servers.)
• Make sure other administrators do not make changes in SmartConsole until the backup
operation is completed.
For more information:
• About Gaia Backup and Gaia Snapshot, see the R80.10 Gaia Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Gaia_Admin
Guide/html_frameset.htm.
• About the migrate export and migrate import commands, see the R80.10 CLI Reference
Guide
https://sc1.checkpoint.com/documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/html_fr
ameset.htm.
• About the mds_backup and mds_restore commands, see the R80.10 Multi-Domain Security
Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Multi-Domai
nSecurityManagement_AdminGuide/html_frameset.htm.
• About Virtual Machine Snapshots, see the vendor documentation.

For more information, see:

1. sk108902: Best Practices - Backup on Gaia OS
http://supportcontent.checkpoint.com/solutions?id=sk108902.
2. Gaia Administration Guide (see the Documentation section in the Home Page SK for your
current version).
3. sk54100: How to back up your system on SecurePlatform
http://supportcontent.checkpoint.com/solutions?id=sk54100.
4. SecurePlatform Administration Guide (see the Documentation section in the Home Page SK
for your current version).
5. Multi-Domain Security Management Administration Guide (see the Documentation section in
the Home Page SK for your current version) - Chapter Multi-Domain Management Commands
and Utilities - Section Command Line Reference - Sub-Section mds_backup.

Installation and Upgrade Guide R80.10 | 17

 Backing Up and Restoring

6. Command Line Interface Reference Guide (R77 versions

https://sc1.checkpoint.com/documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/html_fr
ameset.htm, R80.20
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_Ref
erenceGuide/html_frameset.htm) - see the migrate command.
7. sk110173: How to migrate the events database from SmartEvent server R7x to SmartEvent
R80 and above server http://supportcontent.checkpoint.com/solutions?id=sk110173.
8. sk100395: How to backup and restore VSX gateway
http://supportcontent.checkpoint.com/solutions?id=sk100395.

To back up a Security Management Server:

Operating System Backup Recommendations
Gaia 1. Take the Gaia snapshot.
2. Collect the backup with the migrate export command.

SecurePlatform 1. Take the SecurePlatform snapshot.

2. Collect the backup with the migrate export command.

Linux Collect the backup with the migrate export command.

Windows Collect the backup with the migrate export command.

To back up a Multi-Domain Server:

Operating System Backup Recommendations
Gaia 1. Take the Gaia snapshot.
2. Collect the full backup with the mds_backup command.

SecurePlatform 1. Take the SecurePlatform snapshot.

2. Collect the full backup with the mds_backup command.

Linux Collect the full backup with the mds_backup command.

To back up a Security Gateway or a Cluster Member:

Operating System Backup Recommendations
Gaia Take the Gaia snapshot.

To back up a VSX environment:

Follow sk100395: How to backup and restore VSX gateway
http://supportcontent.checkpoint.com/solutions?id=sk100395.

Installation and Upgrade Guide R80.10 | 18

CHAPTE R 4

The Gaia Operating System

In This Section:
Installing the Gaia Operating System ..........................................................................20
Installing the Gaia Operating System on Appliances ..................................................21
Installing the Gaia Operating System on an Open Server ..........................................22
Installing a Blink Image to Configure a Check Point Gateway Appliance .................23
Changing Disk Partition Sizes During the Installation of Gaia Operating System ....24
Configuring Gaia for the First Time .............................................................................25
Configuring the IP Address of the Gaia Management Interface ................................41
Changing the Disk Partition Sizes on an Installed Gaia .............................................43
Enabling IPv6 on Gaia ...................................................................................................44

Installation and Upgrade Guide R80.10 | 19

 The Gaia Operating System

Installing the Gaia Operating System

Check Point appliances come with the Gaia operating system already installed. If you have an
Open Server, you have to install Gaia.

Installation and Upgrade Guide R80.10 | 20

 The Gaia Operating System

Installing the Gaia Operating System on Appliances

You can clean install R80.10 on Gaia Check Point appliances. For a list of supported appliances,
see the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.

To reset the appliance to factory defaults:

1. Open a Serial connection to the appliance.
2. Restart the appliance.
3. When prompted, press any key to enter the Boot menu.
4. Within 4 seconds, press any key to access the menu.
5. Select Reset to factory defaults - Security Management Server and press Enter.
6. Type yes and press Enter.
The Security Management Server image is selected for the appliance and the appliance resets.
7. Configure the Management IP Address (on page 41).
8. Run the First Time Configuration Wizard.

To install R80.10 on 2012 and 3000 series appliances that run an earlier version of
Gaia:
1. Download the Gaia Operating System ISO file from the R80.10 Home sk111841
http://supportcontent.checkpoint.com/solutions?id=sk111841.
2. See sk65205 http://supportcontent.checkpoint.com/solutions?id=sk65205 to create a USB
removable device.
3. Connect a computer to the console port on the front of the appliance through the supplied DB9
serial cable.
4. Connect to the appliance through a Serial connection, using these connection settings:
a) Connection type - Select or enter a serial port.
b) Define the serial port settings - 9600 BPS, 8 bits, no parity, 1 stop bit.
c) From the Flow control list, select None.
5. Connect the installation media to the USB port on the appliance.
6. Reboot the appliance. The appliance begins the boot process and status messages show in the
terminal emulation window.
For installation from a removable USB device - In the boot screen, enter serial at the boot
prompt and press Enter.
The R80.10 ISO file is installed on the appliance, and the version and build number show in the
terminal emulation window and on the LCD screen.
7. Reboot the appliance - Press CTRL+C.
The appliance reboots and shows the model number on the LCD screen.

Installation and Upgrade Guide R80.10 | 21

 The Gaia Operating System

Installing the Gaia Operating System on an Open Server

Important - When you start the Gaia installation on an Open Server, select Gaia and press Enter
within 60 seconds. Otherwise the server tries to start from the hard drive. The timer countdown
stops when you press Enter. There is no time limit for the next steps.
1. Start the server using the installation media.
2. When the first screen shows, select Install Gaia on the system and press Enter.
3. Press OK to continue with the installation.
4. Select a keyboard language. English US is the default.
5. Configure the hard disk partitions (on page 24).
6. Enter and confirm the password for the admin account.
7. Select the management interface. The default is eth0.
8. Configure the management IP address, net mask and default gateway.
You can define the DHCP server on this interface.
9. Select OK to format the hard drive and installation of the Gaia operating system.
10. Reboot to complete the installation.

Installation and Upgrade Guide R80.10 | 22

 The Gaia Operating System

Installing a Blink Image to Configure a Check Point

Gateway Appliance
Blink is a Gaia fast deployment procedure. With Blink utility, you can quickly deploy clean Check
Point Security Gateways on appliances that have not yet been configured with the First Time
Configuration Wizard. Blink deploys within 5-7 minutes.
When Blink utility completes the installation, clean Security Gateways, Hotfixes, and updated
Software Blade signatures are installed. Blink utility configures an appliance automatically in
place of the manual execution of the Gaia First Time Configuration Wizard.
You can run the Blink Gaia image from a USB or download it to your appliance.
Note - For an appliance with R80.10 Take 462 or above, if you add the Blink image to a USB and
insert the USB into the appliance before the First Time Configuration Wizard shows, the process
begins automatically.
After the installation is complete, connect with your web browser to the Check Point appliance to
complete the simplified Blink configuration.
In addition, the Blink utility lets you use a special XML file to run an unattended installation with
predefined parameters for an appliance:
• Host name
• Gaia administrator password
• Network options - IP address, Subnet, Default gateway
• SIC key
• Cluster membership
• Upload to Check Point approval
• Download from Check Point approval
For complete information, see sk120193
http://supportcontent.checkpoint.com/solutions?id=sk120193.

Installation and Upgrade Guide R80.10 | 23

 The Gaia Operating System

Changing Disk Partition Sizes During the Installation of

Gaia Operating System
Check the partition sizes on your appliance before you start the Gaia installation. On Check Point
appliances, the size of the disk partitions is predefined. On Smart-1 50/150/3050/3150 and
525/5050/5150 appliances, you can modify the default disk partitions within the first 20 seconds.
Then the non-interactive installation then continues.
When installing Gaia on an open server, these partitions have default sizes:
• System-swap
• System-root
• Logs
• Backup and upgrade
You can change the System-root and the Logs partition sizes. The storage size assigned for
backup and upgrade is updated accordingly.
To change the partition size, see sk95566
http://supportcontent.checkpoint.com/solutions?id=sk95566.

Installation and Upgrade Guide R80.10 | 24

 The Gaia Operating System

Configuring Gaia for the First Time

After you install Gaia for the first time, use the First Time Configuration Wizard to configure the
system and the Check Point products on it.

Running the First Time Configuration Wizard in Gaia Portal

To start the Gaia First Time Configuration Wizard:
Step Instructions
1 Connect a computer to the Gaia computer.
You must connect to the interface you configured during the Gaia installation (for example,
eth0).

2 On your connected computer, configure a static IPv4 address in the same subnet as the
IPv4 address you configured during the Gaia installation.

3 On your connected computer, in a web browser, connect to the IPv4 address you
configured during the Gaia installation:
https://<IPv4_Address_of_Gaia>

4 Enter the default username and password: admin and admin.

5 Click Login.
The Check Point First Time Configuration Wizard opens.

6 Follow the instructions on the First Time Configuration Wizard windows.

See the applicable chapters below for installing specific Check Point products.

Below you can find the description of the First Time Configuration Wizard windows and their fields.

Deployment Options window:

In this window, you select how to deploy Gaia Operating System.

Section Options Description

Setup Continue with R80.10 Use this option to configure the installed Gaia
configuration and Check Point products.

Install Install from Check Point Cloud Use these options to install a Gaia version.
Install from USB device

Recovery Import existing snapshot Use this option to import an existing Gaia
snapshot.

Installation and Upgrade Guide R80.10 | 25

 The Gaia Operating System

If in the Deployment Options window, you selected Install from Check Point Cloud, the First
Time Configuration Wizard asks you to configure the connection to Check Point Cloud. These
options appear (applies only to Check Point appliances that you configured as a Security Gateway):
• Install major version - This option let you choose and install major versions available on
Check Point Cloud. The Gaia CPUSE performs the installation.
• Pull appliance configuration - This option lets you to apply initial deployment configuration
including different OS version on the appliance. You must prepare the initial deployment
configuration with the Zero Touch Cloud Service. For more information, see sk116375
http://supportcontent.checkpoint.com/solutions?id=sk116375.

Management Connection window:

In this window, you select and configure the main Gaia Management Interface. You connect to this
IP address to open the Gaia Portal or CLI session.

Field Description
Interface By default, First Time Configuration Wizard selects the interface you
configured during the Gaia installation (for example, eth0).
Note - After you complete the First Time Configuration Wizard and reboot, you
can select another interface as the main Gaia Management Interface and
configure its IP settings.

Configure IPv4 Select how the Gaia Management Interface gets its IPv4 address:
• Manually - You configure the IPv4 settings in the next fields.
• Off - None.
IPv4 address Enter the desired IPv4 address.

Subnet mask Enter the applicable IPv4 subnet mask.

Default Enter the IPv4 address of the applicable default gateway.

Gateway

Configure IPv6 Select how the Gaia Management Interface gets its IPv6 address:
• Manually - You configure the IPv6 settings in the next fields.
• Off - None.
IPv6 Address Enter the desired IPv6 address.

Mask Length Enter the applicable IPv6 mask length.

Default Enter the IPv6 address of the applicable default gateway.

Gateway

Installation and Upgrade Guide R80.10 | 26

 The Gaia Operating System

Internet Connection window:

Optional: In this window, you configure the interface that connects the Gaia computer to the
Internet.

Field Description
Interface Select the applicable interface on this computer.

Configure IPv4 Select how the applicable interface gets its IPv4 address:
• Manually - You configure the IPv4 settings in the next fields.
• Off - None.
IPv4 address Enter the desired IPv4 address.

Subnet mask Enter the applicable IPv4 subnet mask.

Configure IPv6 Optional. Select how the applicable interface gets its IPv6 address:
• Manually - You configure the IPv6 settings in the next fields.
• Off - None.
IPv6 Address Enter the desired IPv6 address.

Subnet Enter the applicable IPv6 subnet mask.

Device Information window:

In this window, you configure the Host name, the DNS servers and the Proxy server on the Gaia
computer.

Field Description
Host Name Enter the desired distinct host name.

Domain Name Optional: Enter the applicable domain name.

Primary DNS Enter the applicable IPv4 address of the primary DNS server.
Server

Secondary DNS Optional: Enter the applicable IPv4 address of the secondary DNS server.
Server

Tertiary DNS Optional: Enter the applicable IPv4 address of the tertiary DNS server.
Server

Use a Proxy Optional: Select this option to configure the applicable Proxy server.
server

Address Enter the applicable IPv4 address or resolvable hostname of the Proxy server.

Port Enter the port number for the Proxy server.

Installation and Upgrade Guide R80.10 | 27

 The Gaia Operating System

Date and Time Settings window:

In this window, you configure the date and time settings on the Gaia computer.

Field Description
Set the time Select this option to configure the date and time settings manually.
manually

Date Select the correct date.

Time Select the correct time.

Time Zone Select the correct time zone.

Use Network Select this option to configure the date and time settings automatically with
Time Protocol NTP.
(NTP)

Primary NTP Enter the applicable IPv4 address or resolvable hostname of the primary NTP
server server.

Version Select the version of the NTP for the primary NTP server.

Secondary NTP Optional: Enter the applicable IPv4 address or resolvable hostname of the
server secondary NTP server.

Version Select the version of the NTP for the secondary NTP server.

Time Zone Select the correct time zone.

Installation Type window:

In this window, you select which type of Check Point products you wish to install on the Gaia
computer.

Field Description
Security Select this option to install:
Gateway
• A Single Security Gateway.
and/or
Security • A Cluster Member.
Management
• A Security Management Server, including Management High Availability.
• An Endpoint Security Management Server.
• An Endpoint Policy Server.
• CloudGuard Controller.
• A dedicated single Log Server.
• A dedicated single SmartEvent Server.
• A Standalone.

Installation and Upgrade Guide R80.10 | 28

 The Gaia Operating System

Field Description
Multi-Domain Select this option to install:
Server
• A Multi-Domain Security Management Server, including Management High
Availability.
• A dedicated single Multi-Domain Log Server.

Products window:
In this window, you continue to select which type of Check Point products you wish to install on the
Gaia computer.
If in the Installation Type window, you selected Security Gateway and/or Security
Management, these options appear:

Field Description
Security Select this option to install:
Gateway
• A single Security Gateway.
• A Cluster Member.
• A Standalone.
Security Select this option to install:
Management
• A Security Management Server, including Management High Availability.
• An Endpoint Security Management Server.
• An Endpoint Policy Server.
• CloudGuard Controller.
• A dedicated single Log Server.
• A dedicated single SmartEvent Server.
• A Standalone.
Unit is a part This option is available only if you selected Security Gateway.
of a cluster
Select this option to install a cluster of dedicated Security Gateways, or a Full
High Availability Cluster.
Select the cluster type:
• ClusterXL - For a cluster of dedicated Security Gateways, or a Full High
Availability Cluster.
• VRRP Cluster - For a VRRP Cluster on Gaia.

Installation and Upgrade Guide R80.10 | 29

 The Gaia Operating System

Field Description
Define Security Select Primary to install:
Management
• A Security Management Server.
as
• An Endpoint Security Management Server.
• An Endpoint Policy Server.
• CloudGuard Controller.
Select Secondary to install:
• A Secondary Management Server in Management High Availability.
Select Log Server / SmartEvent only to install:
• A dedicated single Log Server.
• A dedicated single SmartEvent Server.
If in the Installation Type window, you selected Multi-Domain Server, these options appear:

Field Description
Primary Select this option to install a Primary Multi-Domain Server in Management
Multi-Domain High Availability.
Server

Secondary Select this option to install a Secondary Multi-Domain Server in Management

Multi-Domain High Availability.
Server

Multi-Domain Select this option to install a dedicated single Multi-Domain Log Server.
Log Server

Note - By default, the option Automatically download Blade Contracts and other important
data is enabled. See sk111080 http://supportcontent.checkpoint.com/solutions?id=sk111080.

Dynamically Assigned IP window:

In this window, you select if this Security Gateway gets its IP address dynamically (DAIP gateway).

Field Description
Yes Select this option, if this Security Gateway gets its IP address dynamically
(DAIP gateway).

No Select this option, if you wish to configure this Security Gateway with a static
IP address.

Installation and Upgrade Guide R80.10 | 30

 The Gaia Operating System

Secure Internal Communication (SIC) window:

In this window, you configure a one-time Activation Key. You must enter this key later in
SmartConsole when you create the corresponding object and initialize SIC.

Field Description
Activation Key Enter the desired one-time activation key (between 4 and 127 characters
long).

Confirm Enter the same one-time activation key again.

Activation Key

Security Management Administrator window:

In this window, you configure the main administrator for this Security Management Server.

Field Description
Use Gaia Select this option, if you wish to use the default Gaia administrator (admin).
administrator:
admin

Define a new Select this option, if you wish to configure an administrator username and
administrator password manually.

Security Management GUI Clients window:

In this window, you configure which computers are allowed to connect with SmartConsole to this
Security Management Server.

Field Description
Any IP Address Select this option to allow all computers to connect.

This machine Select this option to allow only a specific computer to connect.
By default, the First Time Configuration Wizard uses the IPv4 address of your
computer. You can change it to another IP address.

Network Select this option to allow an entire IPv4 subnet of computers to connect.
Enter the applicable subnet IPv4 address and subnet mask.

Range of IPv4 Select this option to allow a specific range of IPv4 addresses to connect.
addresses
Enter the applicable start and end IPv4 addresses.

Leading VIP Interfaces Configuration window:

In this window, you select the main Leading VIP Interface on this Multi-Domain Server.

Field Description
Select leading Select the desired interface.
interface

Installation and Upgrade Guide R80.10 | 31

 The Gaia Operating System

Multi-Domain Server GUI Clients window:

In this window, you configure which computers are allowed to connect with SmartConsole to this
Multi-Domain Server.

Field Description
Any host Select this option to allow all computers to connect.

IP address Select this option to allow only a specific computer to connect.

By default, the First Time Configuration Wizard uses the IPv4 address of your
computer. You can change it to another IP address.

First Time Configuration Wizard Summary window:

In this window, you can see the installation options you selected.
By default, the option Improve product experience by sending data to Check Point is
enabled. See sk111080 http://supportcontent.checkpoint.com/solutions?id=sk111080.

Notes:
• At the end of the First Time Configuration Wizard, the Gaia computer reboots and the
initialization process is performed in the background for several minutes.
• If you installed the Gaia computer as a Security Management Server or Multi-Domain Server,
only read-only access is possible with SmartConsole during this initialization time.
• To verify that the configuration is finished:
a) Connect to the command line on the Gaia computer.
b) Log in to the Expert mode.
c) Check that the bottom section of the /var/log/ftw_install.log file contains one of
these sentences: "installation succeeded" or "FTW: Complete".
Run:
# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW:
Complete"

Example output from a Security Gateway or Cluster Member:

[Expert@GW:0]# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW:
Complete"
Apr 06, 18 19:19:51 FTW: Complete
[Expert@GW:0]#

Example output from a Security Management Server or a Standalone:

[Expert@SA:0]# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW:
Complete"
May 01, 2018 03:48:38 PM installation succeeded.
05/01/18 15:48:39 FTW: Complete
[Expert@SA:0]#

Example output from a Multi-Domain Server:

[Expert@MDS:0]# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW:
Complete"
Apr 08, 2018 07:43:15 PM installation succeeded.
[Expert@MDS:0]#

Installation and Upgrade Guide R80.10 | 32

 The Gaia Operating System

Running the First Time Configuration Wizard in CLI Expert mode

Description
Use this command in Expert mode to test and to run the First Time Configuration Wizard on a Gaia
system for the first time after the system installation.
Notes:
• The config_system utility is not an interactive configuration tool. It helps automate the first
time configuration process.
• The config_system utility is only for the first time configuration, and not for ongoing system
configurations.

Syntax
• To list the command options, run one of these:
Form Command
Short form config_system -h

Long form config_system --help

• To run the First Time Configuration Wizard from a specified configuration file, run one of
these:
Form Command
Short form config_system -f <Path and Filename>

Long form config_system --config-file <Path and Filename>

• To run the First Time Configuration Wizard from a specified configuration string, run one of
these:
Form Command
Short form config_system -s <String>

Long form config_system --config-string <String>

• To create a First Time Configuration Wizard Configuration file template in a specified path, run
one of these:
Form Command
Short form config_system -t <Path>

Long form config_system --create-template <Path>

• To verify that the First Time Configuration file is valid, run:

config_system --dry-run

Installation and Upgrade Guide R80.10 | 33

 The Gaia Operating System

• To list configurable parameters, run one of these:

Form Command
Short form config_system -l

Long form config_system --list-params

To run the First Time Configuration Wizard from a configuration string:

Step Description
1 Run this command in Expert mode:
config_system --config-string <String of Parameters and Values>
A configuration string must consist of parameter=value pairs, separated by the
ampersand (&).
You must enclose the whole string between quotation marks.
For example:
"hostname=myhost&domainname=somedomain.com&timezone='America/Indi
ana/Indianapolis'&ftw_sic_key=aaaa&install_security_gw=true&gatew
ay_daip=false&install_ppak=true&gateway_cluster_member=true&insta
ll_security_managment=false"
For more information on valid parameters and values, see the config_system.

2 Reboot the system.

To run the First Time Configuration Wizard from a configuration file:

Step Description
1 Run this command in Expert mode:
config_system -f <File Name>

2 Reboot the system.

If you do not have a configuration file, you can create a configuration template and fill in the
parameter values as necessary.
Before you run the First Time Configuration Wizard, you can validate the configuration file you
created.

Installation and Upgrade Guide R80.10 | 34

 The Gaia Operating System

To create a configuration file:

Step Description
1 Run this command in Expert mode:
config_system -t <File Name>

2 Open the file you created in a text editor.

3 Edit all parameter values as necessary.

4 Save the updated configuration file.

To validate a configuration file:

Run this command in Expert mode:
config_system --config-file <File Name> --dry-run

Parameters
A configuration file contains the <parameter>=<value> pairs described in the table below.
Note - The config_system parameters can change from Gaia version to Gaia version. Run
config_system --help to see the available parameters.

Parameter Description Valid values

install_security_gw Installs Security Gateway, • true
if set to true.
• false
gateway_daip Configures the Security • true
Gateway as Dynamic IP
• false
(DAIP) Security Gateway, if
set to true. Note - Must be set to
false, if ClusterXL or
Security Management
Server is enabled.

gateway_cluster_member Configures the Security • true

Gateway as member of
• false
ClusterXL, if set to true.

install_security_managment Installs Security • true

Management Server, if set
• false
to true.

Installation and Upgrade Guide R80.10 | 35

 The Gaia Operating System

Parameter Description Valid values

install_mgmt_primary Makes the installed • true
Security Management
• false
Server the Primary one.
Note - Can only be set to
Note - The
install_security_ma true, if the
install_mgmt_second
nagment must be set to
ary is set to false.
true.

install_mgmt_secondary Makes the installed • true

Security Management
• false
Server a Secondary one.
Note - Can only be set to
Note - The
install_security_ma true, if the
install_mgmt_primar
nagment must be set to
y is set to false.
true.

install_mds_primary Makes the installed • true

Security Management
• false
Server the Primary
Multi-Domain Server. Note - Can only be set to
true, if the
Note - The install_mds_seconda
install_security_ma
ry is set to false.
nagment must be set to
true.

install_mds_secondary Makes the installed • true

Security Management
• false
Server a Secondary
Multi-Domain Server. Note - Can only be set to
true, if the
Note - The install_mds_primary
install_security_ma
is set to false.
nagment must be set to
true.

install_mlm Installs Multi-Domain Log • true

Server, if set to true.
• false

install_mds_interface Specifies Multi-Domain Name of the interface

Server management exactly as it appears in the
interface. device configuration.
Examples:
eth0, eth1

Installation and Upgrade Guide R80.10 | 36

 The Gaia Operating System

Parameter Description Valid values

download_info Downloads Check Point • true
Software Blade contracts
• false
and other important
information, if set to true
(Best Practice - Optional,
but highly recommended).
For more information, see
sk94508
http://supportcontent.chec
kpoint.com/solutions?id=s
k94508.

upload_info Uploads data that helps • true

Check Point provide you
• false
with optimal services, if
set to true (Best Practice
- Optional, but highly
recommended).
For more information, see
sk94509
http://supportcontent.chec
kpoint.com/solutions?id=s
k94509.

mgmt_admin_radio Configures Management Set to gaia_admin, if you

Server administrator. wish to use the Gaia
Note - Must be provided, if admin account.
you install a Management Set to new_admin, if you
Server. wish to configure a new
admin account.

mgmt_admin_name Sets management A string of alphanumeric

administrator's username. characters.
Note - Must be provided, if
install_security_ma
nagment is set to true.

mgmt_admin_passwd Sets management A string of alphanumeric

administrator's password. characters.
Note - Must be provided, if
install_security_ma
nagment is set to true.

mgmt_gui_clients_radio Specifies SmartConsole • any

clients that can connect to
• range
the Security Management
Server. • network
• this
Installation and Upgrade Guide R80.10 | 37
 The Gaia Operating System

Parameter Description Valid values

mgmt_gui_clients_first_ip_fiel Specifies the first address Single IPv4 address of a
d of the range, if host.
mgmt_gui_clients_ra
Example:
dio is set to range.
192.168.0.10

mgmt_gui_clients_last_ip_field Specifies the last address Single IPv4 address of a

of the range, if host.
mgmt_gui_clients_ra
Example:
dio is set to range.
192.168.0.20

mgmt_gui_clients_ip_field Specifies the network IPv4 address of a network.

address, if
Example:
mgmt_gui_clients_ra
192.168.0.0
dio is set to network.

mgmt_gui_clients_subnet_field Specifies the netmask, if A number from 1 to 32.

mgmt_gui_clients_ra
dio is set to network.

mgmt_gui_clients_hostname Specifies the netmask, if Single IPv4 address of a

mgmt_gui_clients_ra host.
dio is set to this.
Example:
192.168.0.15

ftw_sic_key Sets a secure Internal A string of alphanumeric

Community key, if characters.
install_security_ma
nagment is set to false.

admin_hash Sets administrator's A string of alphanumeric

password. characters, enclosed
between single quotation
marks.

iface Interface name (optional). Name of the interface

exactly as it appears in the
device configuration.
Examples:
eth0, eth1

ipstat_v4 Turns on static IPv4 • manually

configuration, if set to
• off
manually.

ipaddr_v4 Sets IPv4 address of the Single IPv4 address.

management interface.

Installation and Upgrade Guide R80.10 | 38

 The Gaia Operating System

Parameter Description Valid values

masklen_v4 Sets IPv4 mask length for A number from 0 to 32.
the management
interface.

default_gw_v4 Specifies IPv4 address of Single IPv4 address.

the default gateway.

ipstat_v6 Turns static IPv6 • manually

configuration on, if set to
• off
manually.

ipaddr_v6 Sets IPv6 address of the Single IPv6 address.

management interface.

masklen_v6 Sets IPv6 mask length for A number from 0 to 128.

the management
interface.

default_gw_v6 Specifies IPv6 address of Single IPv6 address.

the default gateway.

hostname Sets the name of the local A string of alphanumeric

host (optional). characters.

domainname Sets the domain name Fully qualified domain

(optional). name.
Example:
somedomain.com

timezone Sets the Area/Region The Area/Region must be

(optional). enclosed between single
quotation marks.
Examples:
'America/New_York'
'Asia/Tokyo'
Note - To see the available
Areas and Regions,
connect to any Gaia
computer, log in to Gaia
Clish, and run (names of
Areas and Regions are
case-sensitive):
set timezone
Area<SPACE><TAB>

ntp_primary Sets the IP address of the IPv4 address.

primary NTP server
(optional).

Installation and Upgrade Guide R80.10 | 39

 The Gaia Operating System

Parameter Description Valid values

ntp_primary_version Sets the NTP version of • 1
the primary NTP server
• 2
(optional).
• 3
• 4
ntp_secondary Sets the IP address of the IPv4 address.
secondary NTP server
(optional).

ntp_secondary_version Sets the NTP version of • 1

the secondary NTP server
• 2
(optional).
• 3
• 4
primary Sets the IP address of the IPv4 address.
primary DNS server
(optional).

secondary Sets the IP address of the IPv4 address.

secondary DNS server
(optional).

tertiary Sets the IP address of the IPv4 address.

tertiary DNS server
(optional).

proxy_address Sets the IP address of the IPv4 address, or

proxy server (optional). Hostname.

proxy_port Sets the port number of A number from 1 to 65535.

the proxy server (optional).

reboot_if_required Reboots the system after • true

the configuration, if set to
• false
true (optional).

Installation and Upgrade Guide R80.10 | 40

 The Gaia Operating System

Configuring the IP Address of the Gaia Management

Interface
The Gaia Management Interface is pre-configured with the IP address 192.168.1.1. You can
change this IP address during or after you run the Gaia First Time Configuration Wizard. If you
must access the Gaia computer over the network, assign the applicable IP address to that
interface before you connect the Gaia computer to the network.
If you change the IP address of the Gaia Management Interface during the First Time
Configuration Wizard, this warning shows:
Your IP address has been changed. In order to maintain the browser connection, the
old IP address will be retained as a secondary IP address.

You can change the IP address of the Gaia Management Interface after you run the Gaia First Time
Configuration Wizard.
• In Gaia Portal:
Step Description
1 In your web browser, connect the Gaia Portal to the current IP address of the Gaia
management interface:
https://<IP Address of Gaia Management Interface>

2 In the left navigation tree, go to Network Management > Network Interfaces.

3 In the Management Interface section, click Set Management Interface.

4 Select the desired interface.

5 Click OK.

6 In the Interfaces section, select the Management Interface and click Edit.

7 Assign the applicable IP address.

8 Click OK.

• In Gaia Clish:
Step Description
1 Connect to the command line on the Gaia computer.
• Over SSH to the current IP address of the Gaia Management Interface
• Over a console
2 Log in to Gaia Clish.

3 Get the name of the current Gaia Management Interface:

show management interface

4 Select another Gaia Management Interface:

set management interface <Interface Name>
Installation and Upgrade Guide R80.10 | 41
 The Gaia Operating System

Step Description
5 Assign another IP address to the Gaia Management Interface:
set interface <Interface Name> ipv4-address <IPv4 address> subnet-mask
<Mask>

6 Save the changes in the Gaia database:

save config

For more information:

See the R80.10 Gaia Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Gaia_AdminGui
de/html_frameset.htm.

Installation and Upgrade Guide R80.10 | 42

 The Gaia Operating System

Changing the Disk Partition Sizes on an Installed Gaia

To see the size of the system-root and log partitions on an installed system:
1. Enter expert mode.
2. Run: df -h
Most of the remaining space on the disk is reserved for backup images and upgrade.

To see the disk space assigned for backup images:

1. Connect to the Gaia Portal.
2. From the menu at the left, select Maintenance > Snapshot Management view.
On an Open Server, the available space in the Snapshot Management page is less than the
space you defined when installing Gaia. The difference is the space reserved for upgrades. The
amount of reserved space equals the size of the system-root partition.
Note - The minimum recommended space in /var/log to support upgrade is 4 GB.
To manage the partition size on your system, see sk95566
http://supportcontent.checkpoint.com/solutions?id=sk95566.

Installation and Upgrade Guide R80.10 | 43

 The Gaia Operating System

Enabling IPv6 on Gaia

IPv6 is automatically enabled if you configure IPv6 addresses in the Gaia First Time Configuration
Wizard.
If you did not do this, manually enable the IPv6 support in Gaia.

In Gaia Portal:
1. With a web browser, connect to Gaia Portal at:
https://<IP address of Gaia Management Interface>
2. From the navigation tree, click System Management > System Configuration.
3. In the IPv6 Support section, select On.
4. Click Apply.
5. When prompted, select Yes to reboot.

In Gaia Clish:
1. Connect to the command line on the Gaia computer.
2. Log in to Gaia Clish.
3. Enable the IPv6 support:
set ipv6-state on
4. Save the changes:
save config
5. Reboot:
reboot

For more information:

See the R80.10 Gaia Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Gaia_AdminGui
de/html_frameset.htm.

Installation and Upgrade Guide R80.10 | 44

CHAPTE R 5

Installing a Management Server on Gaia

If you use a Check Point appliance, Gaia automatically identifies the model when you start the
First Time Configuration Wizard. Only some appliance models support a Security Management
Server. To install and configure Check Point appliances on Gaia, from the Gaia Portal use the First
Time Configuration Wizard (on page 25).

To install a Security Management Server or Multi-Domain Server:

1. Open a browser to the Gaia Portal: https://<management IP address>
2. In the Gaia Portal window, log in with the administrator name and password that you defined
during the Gaia installation.
3. The Portal shows the First Time Configuration Wizard. Click Next.
4. From the Deployment Options window, select Continue with R80.10 configuration.
Click Next.
5. From the Management Connection window, enter an IPv4 address for the management
interface.
If you change the management IP address, the new IP address is assigned to the interface. The
old IP address is added as an alias and is used to maintain connectivity.
Optional:
• Configure an Internet Connection in the next window.
6. From the Device Information window, enter the host name of the server.
Optional:
• Enter the Domain Name, and IPv4 address for the DNS servers.
• Set the IP Address and port for a Proxy Server.
7. Click Next.
8. Configure the Date and Time Settings manually, or enter the hostname and IPv4 address of
the NTP server. Click Next.

To configure a Security Management Server:

1. From the Installation Type window, select Security Gateway and/or Security
Management.
2. Click Next.
3. From the Products page, select Security Management Server.
Note - To configure a Security Gateway, see the installation instructions (on page 61).
4. Make sure Security Management is the only product selected. Click Next.
5. In the Security Management Administrator page, define an administrator who can connect
to the server with SmartConsole clients.
Note - If you did not change the default administrator password, do it now.
6. Click Next.
7. In the Security Management GUI Clients page, define which IP addresses a client can log
into.
8. Click Next.

Installation and Upgrade Guide R80.10 | 45

 Installing a Management Server on Gaia

9. In the First Time Configuration Wizard Summary page, review your choices.
You can select Improve product experience by sending data to Check Point. Check
Point recommends that you select this option. No data is made accessible to third parties.
10. Click Finish.
License activation is automatic on Check Point appliances.
11. To start the configuration, click Yes.
A progress bar tracks the configuration of each task.
12. Click OK.
Security Management Server or Multi-Domain Server is installed on the appliance.

To configure a Multi-Domain Server:

See the Installing a Multi-Domain Security Management (on page 48).

Installation and Upgrade Guide R80.10 | 46

CHAPTE R 6

Installing a Management Server on

Linux
To install a Security Management Server or Multi-Domain Server on Red Hat Enterprise Linux:
1. See sk44925 http://supportcontent.checkpoint.com/solutions?id=sk44925.
2. Follow sk98760 http://supportcontent.checkpoint.com/solutions?id=sk98760.
3. Contact Check Point Support https://www.checkpoint.com/support-services/contact-support/
for specific installation instructions.

Installation and Upgrade Guide R80.10 | 47

CHAPTE R 7

Installing a Multi-Domain Security

Management
In This Section:
Installing a Multi-Domain Server on Smart-1 Appliances .........................................48
Installing a Multi-Domain Server on Open Servers ....................................................51
Installing a Multi-Domain Log Server .........................................................................53

Installing a Multi-Domain Server on Smart-1

Appliances
Install a Multi-Domain Server on supported Smart-1 models. See the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.

To reset a Smart-1 appliance to factory defaults:

The Gaia operating system comes pre-installed on your appliance.
1. Connect with a Serial or console connection to your appliance.
2. Power on the appliance.
3. When prompted, press any key to enter the boot menu.
4. Select Reset to factory defaults - Multi-Domain Server and press Enter.
5. Type yes and press Enter.
The Multi-Domain Server is installed on the appliance and then the appliance resets.

To start the Gaia First Time Configuration Wizard:

1. Connect a standard network cable to the appliance's MGMT interface and to your
management network.
2. In your web browser, connect to the default management IP address:
https://192.168.1.1
3. Log in to the system using the default login name/password: admin and admin.
Note - You can use the Gaia Portal menu to configure the appliance settings. In your web
browser, connect to the https://<appliance_ip_address>:4434
4. Set the username and password for the administrator account.
5. Click Save and Login.
The First Time Configuration Wizard opens.

Installation and Upgrade Guide R80.10 | 48

 Installing a Multi-Domain Security Management

To configure a Multi-Domain Server on Smart-1 appliances:

1. Configure these options in the Gaia Portal on the Image Management page.
In the Deployment Options page, select Continue with Gaia configuration.
Other options are:
Clean install
• Install a version from the Check Point Cloud.
• Install from a USB device.
Recovery
• Automatic version recovery from the Check Point Cloud.
• Import an existing snapshot.
2. Click Next.
3. In the Authentication Details page, change the default administrator password.
Click Next.
4. In the Management Connection page, set an IPv4 and an IPv6 address for the management
interface, or set one IP address (IPv4).
You can change the Management IP address. Gaia automatically creates a secondary interface
to keep connectivity when the management interface is not available. After you complete the
First Time Configuration Wizard, you can remove this interface in the Interface
Management > Network Interfaces page.
5. Optional: In the Connection to User Center page, configure an external interface to connect
to the Check Point User Center. Use this connection to download a license and activate it.
Alternatively, use the trial license. To connect to the User Center, you must also configure
DNS and (if applicable) a Proxy Server, in the Device Information page of the First Time
Configuration Wizard.
6. In the Device Information page, set the Host Name for the appliance.
Optional:
• Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
• To connect to the User Center, set the IP Address and Port for a Proxy Server. Do this if you
want to activate the appliance by downloading a license from the User Center.
Click Next.
7. In the Date and Time Settings page, set the date and time manually, or enter the hostname,
IPv4 address or IPv6 address of the NTP server.
Click Next.
8. In the Products page, select Multi-Domain Server and Primary.
For R77.10 and higher: Automatically download Blade Contracts and other important
data. Check Point highly recommends that you select Automatic Downloads (on page 207).
9. In the Security Management Administrator page, define the name and password of a
Superuser administrator that can connect to the Multi-Domain Server using SmartConsole
clients.
Click Next.
10. In the Multi-Domain Server GUI Clients page, define IP addresses from which
SmartConsole clients can log in to the Multi-Domain Server.
• If you select This machine or Network, define an IPv4 or an IPv6 address.
• You can also select a range of IPv4 addresses.
Click Next.

Installation and Upgrade Guide R80.10 | 49

 Installing a Multi-Domain Security Management

11. In the Appliance Activation page, get a license automatically from the User Center and
activate it, or use the 15 day trial license.
Click Next.
12. In the Summary page, review your choices. Click Finish.
Optional: Improve product experience by Sending Data to Check Point (on page 208).
13. To start the configuration, click Yes > OK.
A progress bar tracks the configuration of each task.
14. Download SmartConsole from the Gaia Portal.
a) In your web browser, connect to the Gaia Portal:
https://<management_ip_address>
b) In the Overview page, click Download Now!

To configure a Secondary Multi-Domain Server on Smart-1 appliances:

Use the same procedure as for the primary Multi-Domain Server with these changes:
• Use a different IP address for the management interface on the secondary appliance.
• Select Secondary Multi-Domain Server.
• Define the Secure Internal Communication (SIC) Activation Key that is used by the
Multi-Domain Server object in SmartConsole and then click Next.
This key is necessary to configure the appliances in SmartConsole.

Installation and Upgrade Guide R80.10 | 50

 Installing a Multi-Domain Security Management

Installing a Multi-Domain Server on Open Servers

To install and configure Check Point products on Gaia, use the First Time Configuration Wizard or
configure the operating system and install the products in the Gaia Portal.
For hardware requirements, see the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.

To install Multi-Domain Server on an Open Server:

1. In your web browser, connect to the Gaia Portal:
https://<Gaia management IP address>
2. In the Gaia Portal window, log in with the administrator name and password that you defined
during Gaia installation.
3. The First Time Configuration Wizard opens.
4. Click Next.
5. Select Continue with R80.10 configuration.
6. Click Next.
7. Set an IPv4 address for the management interface.
If you change the management IP address, the new IP address is assigned to the interface. The
old IP address is added as an alias and is used to maintain connectivity.
Click Next.
8. Enter the Host Name of the server.
Optional:
• Enter the Domain Name, and IPv4 addresses for the DNS servers.
• Set the IP Address and Port for a Proxy Server.
Click Next.
9. Set the date and time manually, or enter the hostname and IPv4 address of the NTP server.
Click Next.
10. Enter the username and password for the Multi-Domain Server administrator account. Click
Next.
11. For Installation Type, select Multi-Domain Server. Click Next.
12. For the type of server, select Primary Multi-Domain Server.
13. Select the Leading VIP Interfaces.
Leading interfaces are physical interfaces that connect to the external network. These
interfaces are for Domain Management Server virtual IP addresses. Each leading VIP interface
can have up to 250 virtual IP addresses (250 Domain Management Servers).
14. Configure the GUI clients that can log into the Multi-Domain Server. Click Next.
15. Set the Name and Password for the Multi-Domain Server administrator account. Click Next.
16. Review the summary and then click Finish.
17. Click Yes when prompted to start the configuration process.
A progress bar tracks the configuration of each task.

Installation and Upgrade Guide R80.10 | 51

 Installing a Multi-Domain Security Management

18. Click OK.

19. If the Help Check Point Improve window opens, click Yes or No. Check Point recommends
that you click Yes. Your data is never shared with third parties.

Installation and Upgrade Guide R80.10 | 52

 Installing a Multi-Domain Security Management

Installing a Multi-Domain Log Server

You can install a dedicated Multi-Domain Log Server on a Check Point Appliance or Open Server.
Start to install the products as for a Multi-Domain Server, but stop at the step where you select
components.

To install a Multi-Domain Log Server:

1. In the First Time Configuration Wizard Products page, select Multi-Domain Log Server.
2. In the Secure Internal Communication (SIC) page, define the Activation Key.

Installation and Upgrade Guide R80.10 | 53

CHAPTE R 8

Installing Endpoint Security

The Network Security Management Server can also be an Endpoint Security Management Server.

Installing Endpoint Security Servers:

Use the installation instructions in this guide to install Security Management Servers (on page 57).
You can enable the Endpoint Security Management Server after the Security Management Server
installation is completed.

To enable an Endpoint Security Management Server:

1. In SmartConsole, open the Security Management Server object.
2. Enable the Endpoint Policy Management blade.
3. In SmartConsole, install policy.

Check Point Cloud Services for Endpoint:

After the Endpoint Security Management Server is enabled on the Security Management Server,
these components communicate with the Check Point cloud services:
• Endpoint Anti-Malware Software Blade – Downloads updates from the Check Point Malware
Update Server. These updates are mandatory for the correct functioning of the Anti-Malware
Software Blade. Preventing these updates causes severe security issues, because the blade
does not operate with the latest malware information database.
• Endpoint Anti-Malware Software Blade – Sends suspected malware to the Check Point
ThreatCloud Server. These updates increase the accuracy of malware detection by Check Point
Endpoint Security clients and Check Point Security Appliances. To turn them off, modify the
Anti-Malware rule in the Organizational Security Policy in SmartEndpoint.
• Endpoint Application Control Software Blade – Downloads information about classified known
applications from the Check Point ThreatCloud Server and sends unknown applications for
analysis. These updates are mandatory for the correct functioning of the Endpoint Application
Control Software Blade. Without these updates, the blade is unable to classify malicious
applications and automatically distinguish between them and non-malicious ones.

To enable an Endpoint Policy Server:

1. Use the instructions in this guide to install a Log Server.
2. Connect from SmartConsole to the Endpoint Security Management Server.
3. Create a new Log Server object.
4. Enable the Endpoint Policy Management and Logging & Status management Software
Blades.
5. Install policy

Installation and Upgrade Guide R80.10 | 54

 Installing Endpoint Security

Services Connection Port on an Endpoint Security Management Server:

When you enable the Endpoint Policy Management blade on a Security Management Server,
the connection to these services automatically changes from the default port 443 to port 4434:

Service URL
Gaia Portal Defaul
https://<Gaia IP Address>
t

New https://<Gaia IP Address>:4434

SmartView Web Defaul

https://<Management Server IP Address>/smartview/
Application t

https://<Management Server IP
New
Address>:4434/smartview/

Management API Web

Services
Defaul https://<Management Server IP
https://sc1.checkpoint.
t Address>/web_api/<command>
com/documents/latest
/APIs/index.html

https://<Management Server IP
New
Address>:4434/web_api/<command>

If you disable the Endpoint Policy Management blade, the services connection port
automatically changes back to the default 443.

Disk Space for Endpoint Security:

We recommend that you have at least 10 GB available for Endpoint Security in the Root disk
partition. Client packages and release files are stored under the Root partition.
The files include:
• 4 GB - Security Management Server installation files.
• 2 GB or more - Client files (each additional version of client packages requires 1GB of disk
space).
• 1 GB - Logs.
• 1 GB - High Availability support (more can be required in large environments).
Note - To make future upgrades easier, we recommend that you use a larger disk size than
necessary in this deployment.

Installation and Upgrade Guide R80.10 | 55

CHAPTE R 9

Installing a Log Server or SmartEvent

Server
You can install a dedicated Log Server or SmartEvent Server on Check Point appliances or Open
Servers.

To install a Log Server or SmartEvent Server:

1. In the Gaia First Time Configuration Wizard, on the Products page, select Products >
Security Management > Define Security Management as: > Log Server/SmartEvent
only.
Note - Do not select Security Gateway.
2. Click Next.
3. After you move forward and get to the Secure Internal Communication (SIC) page, define
the Activation Key. Use this key to configure the object of a dedicated Log Server or
SmartEvent Server in SmartConsole.
The Security Management Server or Log Server with log indexing enabled, creates and uses index
files for fast access to log file content. Index files are located by default in the
$RTDIR/log_indexes/ directory.
To make sure that there is always sufficient disk space on the server, the server that stores the
log index deletes the oldest index entries when the available disk space is less than a specified
minimum. The default minimum value is 5000 MB, or 15% of the available disk space.

To change the minimum available disk space for logs and indexes:
1. In SmartConsole, edit the Security Management Server or Log Server or SmartEvent network
object.
2. From the Gateways & Servers double-click an object. The Check Point Host window opens.
3. Click Logs > Storage.
4. Select When disk space is below <number> Mbytes, start deleting old files.
5. Change the disk space value.
6. Click OK.
Note - In a Multi-Domain Security Management environment, the disk space for logs and
indexes is controlled by the Multi-Domain Server, and applies to all Domain Management
Servers. Configure the disk space in the Multi-Domain Server object.

Installation and Upgrade Guide R80.10 | 56

CHAPTE R 10

Installing a Standalone
In This Section:
Configuring a Standalone Appliance in Standard Mode .............................................57
Configuring a Standalone Appliance in Quick Setup Mode ........................................60

Important - These instructions apply to Open Servers and Check Point appliances except Smart-1
appliances.
See the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm for the supported Check Point appliances and Open Server requirements for a
Standalone deployment.
You can configure a Check Point Standalone deployment using the Check Point First Time
Configuration Wizard.
• Standard (on page 57) - Supported on Check Point appliances, Open Servers, and VMs that
meet the requirements listed in the Release Notes.
• Quick Setup (on page 60) - Installs a Security Gateway and a Security Management Server on a
single appliance in Bridge Mode. Supported on Check Point appliances that support
Standalone configuration.
For more on Gaia Quick Standalone Setup on appliances, see sk102231
http://supportcontent.checkpoint.com/solutions?id=sk102231.

Configuring a Standalone Appliance in Standard Mode

To configure a Standalone system using the First Time Configuration Wizard in the
Standard mode:
Step Action
1 On a computer that is connected to the management network, open a web browser to the
management IP address (on page 41) (default is 192.168.1.1)
The Gaia Portal login page opens.

2 Log in with the default credentials.

• username: admin
• password: admin

3 Click Login.
The First Time Configuration Wizard starts and the Welcome screen shows.
Click Next.

4 In the Setup section of Deployment Options view, select Install a version available
locally on your device.
Click Next.

Installation and Upgrade Guide R80.10 | 57

 Installing a Standalone

Step Action
5 If the Available Releases view shows, select Continue with configuration of Gaia
R80.10.
Click Next.

6 In the Authentication Details view, select Change the default administrator

password.
Enter a strong password.
Click Next.

7 Configure the Management Connection settings.

7a Enter the IPv4 address and Subnet mask of the management interface.
Note - You can leave the IP address and the subnet mask unchanged. It is the factory
default address or the latest address that the administrator configured.

7b Enter the IPv4 address of the Default Gateway.

7c In Configure IPv6, select On from the drop-down menu (by default, it is off), if you have
IPv6 in your environment.

7d Enter the IPv6 address and Subnet mask of the management interface.

7e Optional: Enter the IPv6 address of the Default Gateway.

Click Next.

8 Optional: In the Internet Connection view, configure the interface to connect to the
Internet.
Click Next.

8a In Interface, select an interface on the system.

8b In Configure IPv4, select On from the drop-down menu (by default, it is off). Enter the
IPv4 address and Subnet mask of the interface.

8c If you already assigned an IPv6 address, in Configure IPv6, select On from the
drop-down menu (by default, it is Off). Enter the IPv6 address and Subnet mask of the
interface.

9 In the Device Information view, enter the applicable information:

• Host Name
• Domain Name
• Primary DNS Server
• Secondary DNS Server
• Tertiary DNS Server
• Proxy Settings
Click Next.

Installation and Upgrade Guide R80.10 | 58

 Installing a Standalone

Step Action
10 Configure the Date and Time Settings.
Select Manually or Use Network Time Protocol (NTP).
Click Next.

11 In the Products window, select both these products: Security Gateway and Security
Management Server.

11a If you configure Security Management in High Availability, define this server as
Primary, or Secondary.
If you configure a Dedicated Server, select SmartEvent or Log Server.
Click Next.

11b Optional: If you configure a Full High Availability cluster, select Unit is a part of a
cluster and select the cluster type ClusterXL.
If you have several clusters on the same network, enter the unique Cluster Global ID.
Click Next.

12 In the Security Management Administrator view, either Use Gaia administrator:

admin or define new log in credentials for the Security Management Server administrator
account.
Click Next.

13 In the Security Management GUI Clients view, define which GUI clients can connect to
the Security Management Server.
Click Next.

13a Note - For Check Point appliances only:

• Get a license automatically from the User Center https://usercenter.checkpoint.com and activate it, or use
the trial license.
• If there is a proxy server between the appliance and the Internet, enter its IP address and port.
• Click Yes to start the configuration process.
• A progress bar tracks the configuration of each task.

14 In the Summary view, confirm the system configuration.

Click Finish.

15 After the First Time Configuration Wizard completes and reboots the system, you can
download the SmartConsole from the Gaia Portal.

Installation and Upgrade Guide R80.10 | 59

 Installing a Standalone

Configuring a Standalone Appliance in Quick Setup

Mode
For more on Gaia Quick Standalone Setup on appliances, see sk102231
http://supportcontent.checkpoint.com/solutions?id=sk102231.

Installation and Upgrade Guide R80.10 | 60

CHAPTE R 11

Installing Security Gateways

In This Section:
Installing Security Gateways on Appliances ...............................................................61
Installing Security Gateways on Open Servers ...........................................................63

After you install the Gaia operating system, install the Security Gateways.

Installing Security Gateways on Appliances

For a list of supported appliances, see the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.

To start the First Time Configuration Wizard on Gaia:

1. Connect a standard network cable to the appliance management interface and to your
management network.
• The management interface is marked MGMT.
• This interface is preconfigured with the IP address 192.168.1.1
Note - Make sure that the management interface on the computer is on the same network
subnet as the appliance. For example: IP address 192.168.1.x and Netmask
255.255.255.0
You can change the interface in the Gaia Portal, after you complete the First Time
Configuration Wizard.

To configure Gaia Security Gateway appliances:

To install a Security Gateway:

1. Open a browser to the Gaia Portal: https://<management IP address>
2. In the Gaia Portal window, log in with the administrator name and password that you defined
during the Gaia installation.
3. The Portal shows the First Time Configuration Wizard. Click Next.
4. From the Deployment Options window, select Continue with R80.10 configuration.
Click Next.
5. From the Management Connection window, enter an IPv4 address for the management
interface.
If you change the management IP address, the new IP address is assigned to the interface. The
old IP address is added as an alias and is used to maintain connectivity.
Optional:
• Configure an Internet Connection in the next window.

Installation and Upgrade Guide R80.10 | 61

 Installing Security Gateways

6. From the Device Information window, enter the host name of the server.
Optional:
• Enter the Domain Name, and IPv4 address for the DNS servers.
• Set the IP Address and port for a Proxy Server.
7. Click Next.
8. Configure the Date and Time Settings manually, or enter the hostname and IPv4 address of
the NTP server. Click Next.
9. For the Installation Type, select Security Gateway.
Optional: If you have to configure a cluster:
• Select Unit is a part of a cluster
• Select ClusterXL or VRRP Cluster
Click Next.
10. From the Dynamically Assigned IP window, answer yes or no. Click Next.
11. From the Secure Internal Communication (SIC) window, enter the Activation Key that
you will use later in the Security Gateway object in SmartConsole. Click Next.
12. The First Time Configuration Wizard Summary window shows the selected settings for
the system.
13. Click Finish.

Installation and Upgrade Guide R80.10 | 62

 Installing Security Gateways

Installing Security Gateways on Open Servers

This procedure explains how to install a Security Gateway in a distributed deployment after you
install the Operating System.

To install a Security Gateway on Gaia:

1. In your web browser, connect to the Gaia Portal:
https://<Gaia management IP address>
2. In the Gaia Portal window, log in with the administrator name and password that you defined
during the Gaia installation.
3. The First Time Configuration Wizard opens.
4. Click Next.
5. Select Continue with R80.10 configuration, and click Next.
6. Configure the Management Connection.
Optional: Configure an Internet Connection.
7. Enter the Device information:
• Host Name
• Domain Name
• Primary DNS Server
• Secondary DNS Server
• Tertiary DNS Server
• Proxy Settings
8. Configure the Date and Time Settings.
9. For the Installation Type, select only Security Gateway.
Optional: If you configure a cluster:
• Select Unit is a part of a cluster
• Select ClusterXL or VRRP Cluster
Click Next.
10. Answer yes or no to the Dynamically Assigned IP question.
11. Define the Secure Internal Communication (SIC) Activation Key that you will use later in the
Security Gateway object in SmartConsole.
12. The Summary window shows the selected settings for the system.
13. Click Finish.

Installation and Upgrade Guide R80.10 | 63

CHAPTE R 12

Installing VSX Gateways

In This Section:
Installing Security Gateways on Appliances ...............................................................64
Installing Security Gateways on Open Servers ...........................................................66

A VSX Gateway can be installed on certain Check Point Appliances and Open Servers that meet the
minimum requirements listed in the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.

Installing Security Gateways on Appliances

After you install the Gaia operating system, install the VSX Gateways.
For a list of supported appliances, see the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.

To start the Gaia First Time Configuration Wizard:

1. Connect a standard network cable to the appliance management interface and to your
management network.
• The management interface is marked MGMT.
• This interface is preconfigured with the IP address 192.168.1.1
Note - Make sure that the management interface on the computer is on the same network
subnet as the appliance. For example: IP address 192.168.1.x and Netmask
255.255.255.0
You can change the interface in the Gaia Portal, after you complete the First Time
Configuration Wizard.
2. Open a connection from a browser to the management IP address.
The login page opens.
3. Log in to the system with the default username and password: admin and admin.
4. Click Login.
The First Time Configuration Wizard opens.
5. Follow the instructions on the screen.
Note - Settings that you configure in the First Time Configuration Wizard can be changed later
in the Gaia Portal. In your web browser, connect to the https://<appliance_ip_address>.

To configure Gaia Security Gateway appliances:

1. In your web browser, connect to the Gaia Portal: https://<management IP address>
2. In the Gaia Portal window, log in with the administrator name and password that you defined
during the Gaia installation.
3. The First Time Configuration Wizard opens.
4. Click Next.

Installation and Upgrade Guide R80.10 | 64

 Installing VSX Gateways

5. Select Continue with R80.10 configuration, and click Next.

6. Configure the Management Connection.
Optional: Configure an Internet Connection.
7. Enter the Device information:
• Host Name
• Domain Name
• Primary DNS Server
• Secondary DNS Server
• Tertiary DNS Server
• Proxy Settings
8. Configure the Date and Time Settings manually, or use the Network Time Protocol (NTP).
9. For the Installation Type, select only Security Gateway.
Optional: If you configure a cluster:
• Select Unit is a part of a cluster
• Select only ClusterXL
Click Next.
10. Answer no to the Dynamically Assigned IP question.
11. Define the Secure Internal Communication (SIC) Activation Key that you will use later in the
VSX Gateway object in SmartConsole.
12. The Summary window shows the selected settings for the system.
13. Click Finish.

Installation and Upgrade Guide R80.10 | 65

 Installing VSX Gateways

Installing Security Gateways on Open Servers

This procedure explains how to install a Security Gateway in a distributed deployment after you
install the Operating System.

To install a Security Gateway on Gaia:

1. In your web browser, connect to the Gaia Portal:
https://<Gaia management IP address>
2. In the Gaia Portal window, log in with the administrator name and password that you defined
during the Gaia installation.
3. The First Time Configuration Wizard opens.
4. Click Next.
5. Select Continue with R80.10 configuration, and click Next.
6. Configure the Management Connection.
Optional: Configure an Internet Connection.
7. Enter the Device information:
• Host Name
• Domain Name
• Primary DNS Server
• Secondary DNS Server
• Tertiary DNS Server
• Proxy Settings
8. Configure the Date and Time Settings.
9. For the Installation Type, select only Security Gateway.
Optional: If you configure a cluster:
• Select Unit is a part of a cluster
• Select only ClusterXL
Click Next.
10. Answer no to the Dynamically Assigned IP question.
11. Define the Secure Internal Communication (SIC) Activation Key that you will use later in the
VSX Gateway object in SmartConsole.
12. The Summary window shows the selected settings for the system.
13. Click Finish.

Installation and Upgrade Guide R80.10 | 66

CHAPTE R 13

Installing SmartConsole
In This Section:
Logging in to SmartConsole.........................................................................................68
Troubleshooting SmartConsole ...................................................................................68

SmartConsole is a GUI client you use to manage the Check Point environment.
For SmartConsole requirements, see the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.
You can download the SmartConsole installation package from:
• R80.10 Home Page SK http://supportcontent.checkpoint.com/solutions?id=sk111841
• Check Point Support Center http://supportcenter.checkpoint.com
• Gaia Portal of your Security Management Server or Multi-Domain Server

To download SmartConsole package from the Gaia Portal of your Management

Server:
Step Description
1 In your web browser, connect to:
https://<IP Address of Gaia Management Interface>

2 On the Overview page, click Download Now!

3 Save the SmartConsole installation file.

To install the SmartConsole clients on Windows platforms:

Step Description
1 Transfer the SmartConsole installation file to a Windows-based computer you wish to use
as a SmartConsole Client.

2 Run the SmartConsole installation file with Administrator privileges.

3 Follow the instructions on the screen.

Installation and Upgrade Guide R80.10 | 67

 Installing SmartConsole

Logging in to SmartConsole
Step Description
1 Open the SmartConsole application.

2 Enter the IP address or resolvable hostname of the Security Management Server or

Multi-Domain Server.
The Management Server authenticates the connection when you log in for the first time.
Multiple administrators can be logged in at the same time.

3 Enter your administrator credentials, or select the certificate file.

4 Click Login.

5 If necessary, confirm the connection using the fingerprint generated during the
installation.
You see this only the first time that you log in from a SmartConsole client.

For more information:

See the R80.10 Security Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManage
ment_AdminGuide/html_frameset.htm.

Troubleshooting SmartConsole
Make sure the SmartConsole client can access these ports on the Management Server:
• 18190
• 18264
• 19009
For more information, see:
• sk52421: Ports used by Check Point software
http://supportcontent.checkpoint.com/solutions?id=sk52421
• sk43401: How to completely disable FireWall Implied Rules
http://supportcontent.checkpoint.com/solutions?id=sk43401

Installation and Upgrade Guide R80.10 | 68

CHAPTE R 14

Post-Installation Configuration
After the installation is complete, and you rebooted the Check Point computer:
• Configure the applicable settings in the Check Point Configuration Tool.
• Check the recommended and available software packages in CPUSE (on page 74).

The Check Point Configuration Tool lets you configure these settings:
Check Point computer Commands Available Configuration Options
Security Management cpconfig (1) Licenses and contracts
Server, (2) Administrator
Dedicated Log Server, (3) GUI Clients
Dedicated SmartEvent (4) SNMP Extension
Server (5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point
Products

(9) Exit

Multi-Domain Server, 1. mdsenv (1) Leading VIP Interfaces

Multi-Domain Log 2. mdsconfig (2) Licenses
Server (3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain
Management Servers

(13) Exit

Installation and Upgrade Guide R80.10 | 69

 Post-Installation Configuration

Check Point computer Commands Available Configuration Options

Security Gateway, cpconfig (1) Licenses and contracts
Cluster Member (2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this
gateway
(7) Enable Check Point Per Virtual System
State
(8) Enable Check Point ClusterXL for
Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Explanation about the Configuration Options on a Security Management Server,

dedicated Log Server or SmartEvent Server:
For more information, see the R80.10 Security Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManage
ment_AdminGuide/html_frameset.htm.

Configuration Options Description

(1) Licenses and contracts Add or delete licenses and contracts for this server.

(2) Administrator Configure administrators for this server.

These administrators must have Read/Write
permissions to create the first Security Policy

(3) GUI Clients Configure the computers that are allowed to connect
with the SmartConsole to this server.

(4) SNMP Extension Obsolete. Do not use this option.

(5) Random Pool Configure the random data to be used for various
cryptographic operations on this server.

(6) Certificate Authority Reset SIC on this server.

(7) Certificate's Show the SIC certificate's fingerprint for this server.
Fingerprint
This fingerprint verifies the identity of this server when
you connect to it with SmartConsole for the first time.

Installation and Upgrade Guide R80.10 | 70

 Post-Installation Configuration

Configuration Options Description

(8) Automatic start of Check Select which of the installed Check Point products start
Point Products automatically during boot.
This option is for Check Point Support use.

(9) Exit Exit from the Check Point Configuration Tool.

Explanation about the Configuration Options on a Multi-Domain Server or

Multi-Domain Log Server:
For more information, see the R80.10 Multi-Domain Security Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Multi-DomainSe
curityManagement_AdminGuide/html_frameset.htm.

Configuration Options Description

(1) Leading VIP Interfaces Configure the Leading VIP Interfaces on this server.

(2) Licenses Add or delete licenses for this server.

(3) Random Pool Configure the random data to be used for various
cryptographic operations on this server.

(4) Groups Configure whether to remove group permissions for

access and execution on this server.

(5) Certificate's Show the SIC certificate's fingerprint for this server.
Fingerprint
This fingerprint verifies the identity of this server when
you connect to it with SmartConsole for the first time.

(6) Administrators Configure administrators for this server.

These administrators must have Read/Write
permissions to create the first Security Policy.

(7) GUI clients Configure the computers that are allowed to connect
with the SmartConsole to this server.

(8) Automatic Start of Select whether to start the Multi-Domain Server

Multi-Domain Server product automatically during boot.
This option is for Check Point Support use.

(9) P1Shell Enable or disable P1shell.

(10) Start Multi-Domain Server Configure the mdsstart password.

Password

(11) IPv6 Support for R80.10 Multi-Domain Server does not support IPv6.
Multi-Domain Server
Do not use this option (Known Limitation PMTR-14989).

Installation and Upgrade Guide R80.10 | 71


Configuration Options
(12) IPv6 Support for Existing R80.10 Multi-Domain Server does not support IPv6.
Domain Management Servers
(13) Exit
Explanation about the Configuration Options on a Security Gateway or Cluster
Member:
Configuration Options
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal
Communication
(6) Enable cluster membership Configure this Security Gateway as part of a Check
for this gateway
(6) Disable cluster
membership for this gateway
(7) Enable Check Point Per
Virtual System State
(7) Disable Check Point Per
Virtual System State
Post-Installation Configuration
Description
Do not use this option (Known Limitation PMTR-14989).
Exit from the Check Point Configuration Tool.
Description
Add or delete licenses and contracts for this computer.
Obsolete. Do not use this option.
Configure a PKCS#11 Token for a VPN cryptographic
device.
Configure the random data to be used for various
cryptographic operations on this server.
Reset and configure the one-time activation key
(between 4 and 127 characters long) for Secure Internal
Communication (SIC) with a Management Server.
For more information, see the R80.10 Security
Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAd
minGuides/EN/CP_R80.10_SecurityManagement_Admi
nGuide/html_frameset.htm.
Point cluster.
For more information, see the R80.10 ClusterXL
Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAd
minGuides/EN/CP_R80.10_ClusterXL_AdminGuide/htm
l_frameset.htm.
Configure the VSX Virtual System Load Sharing on this
VSX Gateway.
For more information, see the R80.10 VSX
Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAd
minGuides/EN/CP_R80.10_VSX_AdminGuide/html_fram
eset.htm
Installation and Upgrade Guide R80.10 | 72

Configuration Options
(8) Enable Check Point
ClusterXL for Bridge
Active/Standby
(8) Disable Check Point
ClusterXL for Bridge
Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Select which of the installed Check Point products start
Point Products
(11) Exit
Post-Installation Configuration
Description
Configure this Security Gateway as part of a ClusterXL
in Bridge Mode.
For more information, see the R80.10 ClusterXL
Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAd
minGuides/EN/CP_R80.10_ClusterXL_AdminGuide/htm
l_frameset.htm.
Configure the CoreXL.
For more information, see the R80.10 Performance
Tuning Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAd
minGuides/EN/CP_R80.10_PerformanceTuning_Admin
Guide/html_frameset.htm.
automatically during boot.
This option is for Check Point Support use.
Exit from the Check Point Configuration Tool.
Installation and Upgrade Guide R80.10 | 73
CHAPTE R 15

Installing Software Packages on Gaia

You can install Software Packages in these ways on Gaia R80.10:

Installation Description
Local You use the CPUSE (sk92449
http://supportcontent.checkpoint.com/solutions?id=sk92449) on each Gaia
computer to install the applicable packages.

Central You use the Central Deployment Tool (sk111158

http://supportcontent.checkpoint.com/solutions?id=sk111158) on the
Management Server to deploy the applicable packages to the desired managed
Security Gateways and Clusters.

To install Software Packages locally, on each Gaia computer

Use the CPUSE. See sk92449 http://supportcontent.checkpoint.com/solutions?id=sk92449 for
detailed steps.

Internet connection Installation Action plan

methods
Gaia computer You can 1. Connect to the Gaia Portal or Gaia Clish on your
perform Gaia computer.
is connected
an on-line 2. Verify the applicable CPUSE Software Packages.
to the Internet installation. 3. Download the applicable CPUSE Software
Packages.
4. Install the applicable CPUSE Software Packages.

You can See the instructions for a Gaia computer that is not
perform connected to the Internet.
an offline
installation.

Installation and Upgrade Guide R80.10 | 74

 Installing Software Packages on Gaia

Internet connection Installation Action plan

methods
Gaia computer You can If you plan to install CPUSE packages in Gaia Portal:
perform
is not connected a) Use the computer, from which you connect to
only
Gaia Portal.
to the Internet an offline
installation. b) Download the applicable CPUSE Software
Packages from the Check Point Support Center
http://supportcenter.checkpoint.com:
R80.10 Home Page SK
http://supportcontent.checkpoint.com/soluti
ons?id=sk111841
Upgrade Wizard
https://supportcenter.checkpoint.com/suppo
rtcenter/portal?eventSubmit_doShowupgrad
ewizard
c) Connect to Gaia Portal on your Gaia computer.
d) Import the applicable CPUSE Software
Packages.
e) Verify the applicable CPUSE Software Packages.
f) Install the applicable CPUSE Software
Packages.

Installation and Upgrade Guide R80.10 | 75

 Installing Software Packages on Gaia

Internet connection Installation Action plan

methods
If you plan to install CPUSE packages in Gaia Clish:
a) Use a computer to download the applicable
CPUSE Offline Software Packages from the
Check Point Support Center
http://supportcenter.checkpoint.com:
R80.10 Home Page SK
http://supportcontent.checkpoint.com/soluti
ons?id=sk111841
Upgrade Wizard
https://supportcenter.checkpoint.com/suppo
rtcenter/portal?eventSubmit_doShowupgrad
ewizard
b) Transfer the applicable CPUSE Offline Software
Packages to your Gaia computer to some
directory (for example,
/var/log/path_to_CPUSE_packages/).
Make sure to transfer the packages in the binary
mode.
c) Connect to Gaia Clish on your Gaia computer.
d) Import the applicable CPUSE Software
Packages.
e) Verify the applicable CPUSE Software Packages.
f) Install the applicable CPUSE Software
Packages.

To install Software Packages centrally, from the Management Server on each

managed Security Gateway and Cluster Member
Use the Central Deployment Tool. See sk111158
http://supportcontent.checkpoint.com/solutions?id=sk111158 for detailed steps.

Installation and Upgrade Guide R80.10 | 76

CHAPTE R 16

High Availability
In This Section:
Configuring Management High Availability .................................................................77
Understanding Full High Availability Cluster on Appliances .....................................79
Installing Full High Availability on Gaia Appliances ...................................................80
Configuring Full High Availability on Appliances ........................................................83
Upgrading Full High Availability on Appliances ..........................................................86

Configuring Management High Availability

You can install a Primary and Secondary server on two Smart-1 appliances or two open servers.
The databases are synchronized. If the Primary is Active and goes down, you can set the
Secondary server to be Active.

Prerequisites for Management High Availability

• The Primary and Secondary servers must be R80.10 clean installed from the same ISO. If they
are open servers, they must have the same operating system.
• SmartEvent and SmartReporter are not supported in Management High Availability
environment (see sk25164 http://supportcontent.checkpoint.com/solutions?id=sk25164 ).

High-Level Workflow to install and configure Management High Availability:

1. Configure the primary server with the First Time Configuration Wizard.
2. Configure the secondary server with the First Time Configuration Wizard:
• In the Management Connection page, use a different IP address for the management
interface on the secondary appliance.
• In the Products page, select Secondary.
If prompted to install a Primary Multi-Domain Server, enter no.
• In the Secure Internal Communication (SIC) page, define the Activation Key. Use
this key to configure the secondary server object in SmartConsole.
3. From SmartConsole:
a) Log in to the primary server.
b) Create a Check Point Host object for the secondary server.
c) Initialize SIC with the secondary server.

To set the Secondary server to be Active:

1. Open the SmartConsole and log in to the Secondary server.
2. Click Menu > Management High Availability.
3. In the High Availability Status window > Connected To, click Actions > Set Active.
For more about configuring High Availability for Security Management Servers, see the R80.10
Security Management Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54842.
Installation and Upgrade Guide R80.10 | 77
 High Availability

For about how to configure High Availability for Multi-Domain Security Management, see the
R80.10 Multi-Domain Server Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54841.

Installation and Upgrade Guide R80.10 | 78

 High Availability

Understanding Full High Availability Cluster on

Appliances
In a Full High Availability Cluster on two Check Point Appliances, each appliance runs both as a
ClusterXL Cluster Member and as a Security Management Server, in High Availability mode.
Important - You can deploy and configure a Full High Availability Cluster only on Check Point
Appliances that support Standalone (on page 57) configuration. See the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/h
tml_frameset.htm.
This deployment lets you reduce the maintenance required for your systems.
In the image below, the appliances are denoted as (1) and (3).
The two appliances are connected with a direct synchronization connection (2) and work in High
Availability mode:
• The Security Management Server on one appliance (for example, 1) runs as Primary, and the
Security Management Server on the other appliance (3) runs as Secondary.
• The ClusterXL on one appliance (for example, 1) runs as Active, and the ClusterXL on the other
appliance (3), runs as Standby.
• The ClusterXL Cluster Members synchronize the information about the traffic over the
synchronization connection (2).

For information on ClusterXL functionality, see the R80.10 ClusterXL Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ClusterXL_Admi
nGuide/html_frameset.htm.
For information on Security Management Servers, see the R80.10 Security Management
Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManage
ment_AdminGuide/html_frameset.htm.
Important - SmartEvent Server is not supported in Management High Availability and Full High
Availability Cluster environments (sk25164
http://supportcontent.checkpoint.com/solutions?id=sk25164). For these environments, install
SmartEvent Server and SmartReporter on dedicated machines.

Installation and Upgrade Guide R80.10 | 79

 High Availability

Installing Full High Availability on Gaia Appliances

To configure the primary management:
1. Connect the appliance to your management network through the management interface,
which is marked MGMT.
2. In your web browser, connect to the management IP address:
https://<appliance_ip_address>
The login page opens.
3. Log in to the system with the default username and password: admin and admin
4. Click Login.
The First Time Configuration Wizard opens.
5. Select Continue with configuration of Gaia R80.10.
6. Click Next.
7. Set the username and password for the administrator account. Click Next.
8. Set an IPv4 address for the management interface.
The IP address is automatically taken from the Gaia operating system. If you change the
management IP address, the new IP address is assigned to the interface. The old IP address is
added as an alias and is used to maintain connectivity.
9. Internet Connection - Optionally, define a second interface for the appliance.
10. Set the host name for the appliance.
Optional:
• Set the domain name and IP addresses for the DNS servers.
• Set the IP Address and port for a Proxy Server
11. Click Next.
12. Set the date and time manually, or enter the hostname and IPv4 address of the NTP server.
Click Next.
13. Select Security Gateway and Security Management.
14. Configure these Advanced settings:
• Select Unit is part of a cluster
• Select ClusterXL
• Select Primary
15. Click Next.
16. Set the username and password for the Security Management Server administrator account
and then click Next.
17. Define IP addresses from which SmartConsole clients can log in to the Security Management
Server.
• Any IP Address
• If you select This machine or Network, define an IPv4 address.
• You can also select a range of IPv4 addresses.
18. Click Next.
19. Click Next.
20. Review the summary and, if correct, click Finish.

Installation and Upgrade Guide R80.10 | 80

 High Availability

21. To start the configuration process, click Yes.

A progress bar tracks the configuration of each task.
22. When prompted to reboot, click OK.
Gaia R80.10 is installed on the appliance.
23. Log in to the Gaia Portal with the new management IP address that you entered in the First
Time Configuration Wizard.
24. Double-click the SYNC or eth1 interface and configure the settings. This interface is used to
synchronize with the other appliance. Click Apply.
25. Configure the settings for other interfaces that you are using.
26. Use a cross-over cable to connect the SYNC or eth1 interfaces on the two appliances.
27. If necessary, download SmartConsole from the Gaia Portal.
a) In your web browser, connect to the Gaia Portal: https://<management_ip_address>
b) In the Overview page, click Download Now!

To configure the secondary management:

1. Connect the appliance to your management network through the management interface,
which is marked MGMT.
2. In your web browser, connect to the management IP address:
https://<appliance_ip_address>
The login page opens.
3. Log in to the system with the default username and password: admin and admin
4. Click Login.
The First Time Configuration Wizard opens.
5. Select Continue with configuration of Gaia R80.10.
6. Click Next.
7. In the First Time Configuration Wizard, set the username and password for the administrator
account and then click Next.
8. Set an IPv4 address for the management interface.
The primary and secondary management servers must have different IP addresses.
9. Internet Connection - optionally define a second interface for the appliance.
10. Set the host name for the appliance.
Optional:
• Set the domain name, and IPv4 addresses for the DNS servers.
• Set the IP Address and Port for a Proxy Server
11. Click Next.
12. Set the date and time manually, or enter the hostname and IPv4 address of the NTP server.
13. Click Next.
14. Select Security Gateway and Security Management.
15. Configure these Advanced settings:
• Select Unit is part of a cluster
• Select ClusterXL
• Select Secondary
Click Next.

Installation and Upgrade Guide R80.10 | 81

 High Availability

16. Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway
object in SmartConsole and then click Next.
17. Review the summary and, if correct, click Finish.
18. To start the configuration process, click Yes.
A progress bar tracks the configuration of each task.
19. Click OK.
Gaia R80.10 is installed on the appliance.
20. Log in to the Gaia Portal with the new management IP address that you entered in the First
Time Configuration Wizard.
21. Double-click the SYNC or eth1 interface and configure the settings. This interface is used to
synchronize with the other appliance.
Use a different IP address for the SYNC or eth1 interface on the secondary appliance. Make
sure that the primary and secondary appliances are on the same subnet.
Click Apply.
22. Configure the settings for other interfaces that you are using.
23. Make sure a cross-over cable connects the SYNC or eth1 interfaces on the two appliances.
24. If necessary, download SmartConsole from the Gaia Portal.
a) In your web browser, connect to the Gaia Portal: https://<management_ip_address>
b) In the Overview page, click Download Now!

Installation and Upgrade Guide R80.10 | 82

 High Availability

Configuring Full High Availability on Appliances

After you set up the appliances for Full High Availability, configure this deployment in
SmartConsole. You must configure both cluster members before you open the cluster
configuration wizard in SmartConsole.
The LAN1 interface serves as the SYNC interface between cluster members. If not configured,
SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. If these addresses are
already in use, their values can be manually adjusted. If you manually adjust the default IP SYNC
addresses, verify that both reside on the same subnet.
Note - All interfaces in the cluster must have unique IP addresses. If the same IP address is used
twice, policy installation will fail. This error message will show: A load on gateway failed
The cluster has a unique IP address, visible to the internal network. The unique Virtual IP address
makes the cluster visible to the external network, and populates the network routing tables. Each
member interface also has a unique IP address, for internal communication between the cluster
members. These IP addresses are not in the routing tables.

To configure Full High Availability:

1. Open SmartConsole and connect to the primary appliance and then click Approve to accept
the fingerprint as valid.
The Security Cluster wizard opens. Click Next.
2. Enter the name of the Full High Availability configuration. Click Next.
3. Configure the settings for the secondary appliance:
a) In Secondary Member Name, enter the hostname.
b) In Secondary Member Name IP Address, enter the IP address of the management
interface.
c) Enter and confirm the SIC activation key.
4. Click Next.
5. Configure the IP address of the paired interfaces on the appliances. Select one of these
options:
• Cluster Interface with Virtual IP - Enter a virtual IP address for the interface.
• Cluster Sync Interface - Configure the interface as the synchronization interface for the
appliances.
• Non-Cluster Interface - Use the configured IP address of this interface.
6. Click Next.
7. Do step 5 again for all the interfaces. Click Finish.

Installation and Upgrade Guide R80.10 | 83

 High Availability

Removing a Cluster Member

You can remove one of the two members of a cluster without deleting the cluster object. A cluster
object can have only a primary member, as a placeholder, while you do maintenance on an
appliance. You must remove the cluster member in the Gaia Portal and in the CLI.

To remove a cluster member:

1. Open the Gaia Portal of the member to keep.
2. Open Product Configuration > Cluster.
3. Click Remove Peer.
• If the current member is the primary member, the secondary member is deleted.
• If the current member is the secondary member, the secondary member is promoted to
primary. Then the peer is deleted.
Services running on the appliance are restarted.
4. Open SmartConsole.
5. Delete the peer cluster member from the cluster object.
6. Publish (Ctrl+S).
7. On the appliance command line, run: cp_conf fullha disable
This command changes back the primary cluster member to a Standalone configuration.
8. Reboot.
The former cluster object is now a locally managed gateway and Security Management Server.

Adding a New Appliance to a High Availability Cluster

You can add a Standalone appliance to a cluster, after the High Availability cluster is defined. You
can change which member is primary.

To add an existing appliance to a cluster:

1. Open the Gaia Portal of the appliance.
2. On the Product Configuration, Cluster page, select Make this Appliance the primary
member of a High Availability Cluster.
3. Click Apply.
4. Reboot the appliance.
5. In SmartConsole, open the object of the primary member.
The first-time cluster configuration wizard opens.
6. Complete the wizard to configure the secondary cluster member.

Troubleshooting network objects:

In SmartConsole, the network object of the Standalone appliance is converted to a cluster object.
If the Standalone appliance was in the Install On column of a rule, or in the Gateways list of an
IPSec VPN community, the cluster object is updated automatically. For all other uses, you must
manually change the Standalone object to the cluster object. These changes can affect policies.

Installation and Upgrade Guide R80.10 | 84

 High Availability

To see objects and rules that use the object to change:

1. Right-click the Standalone object and select Where Used.
2. Select a line and click Go To.
3. In the window that opens, replace the Standalone object with the cluster object.
If the Where Used line is a:
• Host, Network, Group - Browse through the pages of the properties window that opens,
until you find the object to change.
• Policy (for example, dlp_policy) - Open the Gateways page of the Software Blade. Remove
the Standalone object. Add the cluster object.
4. In Where Used > Active Policies, see the rules that use the Standalone object.
5. Select each rule and click Go To.
6. Edit those rules to use the cluster object.
Note - The icon in SmartConsole changes to show new status of the appliance as a primary
cluster member. The Name and UID of the object in the database stay the same.

Recommended Logging Options for High Availability

In High Availability, log files are not synchronized between the two cluster members. For this
reason, we recommend that you configure the logs of the cluster.
To forward cluster logs to an external log server:
1. Open the properties of the cluster object.
2. Open Logs > Additional Logging.
3. Click Forward log files to Log Server, and select the Log Server.
4. Select or define a time object for Log forwarding schedule.
Or:
Configure SmartEvent and SmartReporter with standard reports, to use only one of the cluster
members as a source for log file correlation and consolidation.

Installation and Upgrade Guide R80.10 | 85

 High Availability

Upgrading Full High Availability on Appliances

After upgrading a Full High Availability deployment to R80.10, you must re-establish SIC between
the Active and Standby cluster members.

Installation and Upgrade Guide R80.10 | 86

CHAPTE R 17

Upgrading Prerequisites
In This Section:
Before Upgrading .........................................................................................................87
Management Server Migration Tool ............................................................................91
Using the Pre-Upgrade Verifier ...................................................................................92
Upgrading Successfully ................................................................................................93
Upgrading the vSEC Controller ....................................................................................94
Service Contract Files ..................................................................................................95

Note - You can use the Upgrade/Download Wizard

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowupgradewizard
to download the applicable installation and upgrade images.

Before Upgrading
Before you upgrade:
• Make sure that you have the latest version of this document.
• See the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNote
s/html_frameset.htm for:
• Supported upgrade paths
• Minimum hardware and operating system requirements
• Supported Security Gateways
• Licenses and Service Contracts:
• Make sure you have valid licenses installed on all applicable Check Point computers -
source and target.
• Make sure you have a valid Service Contract that includes software upgrades and major
releases registered to your Check Point User Center account. (on page 96)
The contract file is stored on the Management Server and downloaded to Check Point
Security Gateways during the upgrade process.
For more information about Service Contracts, see sk33089
http://supportcontent.checkpoint.com/solutions?id=sk33089.
• Make sure that the target server meets the minimum hardware and operating system
requirements and is configured identically to the source server.
If the target server uses a different leading IP address than the source, change the target IP
address and the external interface.
• If SmartConsole connects to the Management Server (you plan to upgrade) through an R7x
Security Gateway or Cluster, then follow these steps:
a) Connect to the Management Server that manages the R7x Security Gateway or Cluster

Installation and Upgrade Guide R80.10 | 87

 Upgrading Prerequisites

b) Add a new explicit Firewall rule:

Source Destination VPN Service Action Install On

SmartConsole Management Any TCP 19009 Accept R7x Security
Host object Server object Traffic Gateway or
Cluster

c) Install the modified Firewall policy on the R7x Security Gateway or Cluster.
d) If later you upgrade this R7x Security Gateway or Cluster to R80.10 or higher, delete this
explicit rule.
• Upgrade all Management Servers in your deployment, including those in High Availability
configuration:
• Upgrade R80 and higher Secondary Security Management Servers.
• For Secondary Security Management Servers of R77.xx and lower, do a clean installation
and re-establish the SIC trust. Management High Availability synchronization will start
automatically.
• Upgrade Secondary Multi-Domain Security Management servers from R80, and R77.xx and
lower.
• For upgrade of Management Servers in High Availability configuration:
If the Primary management server was upgraded from R80 (with or without the Jumbo Hotfix
Accumulator) to R80.10, you must upgrade the Secondary management server in the same
way.
Important - To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability environment at the
same time.

Installation and Upgrade Guide R80.10 | 88

 Upgrading Prerequisites

• Before you upgrade a Multi-Domain Server, we recommend the steps below to optimize the
upgrade process:
Step Description
1 Delete all unused Threat Prevention Profiles on the Global Domain:
On R80.x Multi-Domain Server:
a) Connect with SmartConsole to the Global Domain.
b) From the left navigation panel, click Security Policies.
c) Open every policy.
d) In the top section, click Threat Prevention.
e) In the bottom section Threat Tools, click Profiles.
f) Delete all unused Threat Prevention Profiles.
g) Publish the session.
h) Close SmartConsole.
On R77.x Multi-Domain Server:
a) Connect with SmartDashboard to the Global Domain.
b) Go to Threat Prevention tab.
c) From the left tree, click Profiles.
d) Delete all unused Threat Prevention Profiles.
e) Save the changes (click File > Save).
f) Close SmartDashboard.

2 Disable the Staging Mode for IPS protections (see sk142432

http://supportcontent.checkpoint.com/solutions?id=sk142432):
a) Connect with SmartConsole to every Domain.
b) From the left navigation panel, click Security Policies.
c) Open every policy.
d) In the top section, click Threat Prevention.
e) In the bottom section Threat Tools, click Profiles.
f) Edit every profile.
g) From the left tree, click IPS > Updates.
h) Clear the box Set activation as staging mode (Detect).
i) Click OK.
j) Publish the session.
k) Close SmartConsole.

• Make sure you have valid licenses installed on all applicable Check Point computers - source
and target.
• Make sure you have a valid Service Contract that includes software upgrades and major
releases registered to your Check Point User Center account (on page 96).

Installation and Upgrade Guide R80.10 | 89

 Upgrading Prerequisites

The contract file is stored on the Management Server and downloaded to Check Point Security
Gateways during the upgrade process.
For more on Service Contracts, see sk33089
http://supportcontent.checkpoint.com/solutions?id=sk33089.
• Before you start an upgrade or migration procedure on your Management Servers, you must
close all GUI clients (SmartConsole applications) connected to your Check Point computers.
• Before you start an upgrade of your Security Gateway and Cluster Members, you must upgrade
the Management Server.
• On Smart-1 appliances with Multi-Domain Server or Multi-Domain Log Server installed, if you
configured an interface other than Mgmt as the Leading interface, the upgrade process or
clean install process (with CPUSE) configures the interface Mgmt to be the Leading interface.
To configure another interface as the Leading interface after the upgrade, see sk107336
http://supportcontent.checkpoint.com/solutions?id=sk107336.

Warning:

If you upgrade from R7x versions and have files in the $FWDIR/lib/ directory and/or the
$FWDIR/conf/ directory that you changed manually, the changes will be lost. Make sure you
save the customized INSPECT files on an external storage and understand how to replicate the
required changes.

Important - If you use the Mobile Access Software Blade and you edited the configurations,
review the edits before you upgrade to R80.10.
1. Open these files on the computer to upgrade and make note of custom changes:
$CVPNDIR/conf/cvpnd.C (Gateway configuration)
$CVPNDIR/conf/httpd.conf (Apache configuration)
$CVPNDIR/conf/includes/* (Apache configuration)
$CVPNDIR/var/ssl/ca-bundle/ (Local certificate authorities)
$CVPNDIR/conf/SmsPhones.lst (DynamicID - SMS OTP - Local Phone List)
/var/ace/sdconf.rec (RSA configuration)
All PHP files
All replaced image files (*.gif, *.jpg)
2. Upgrade to R80.10.
3. Update Mobile Access Endpoint Compliance:
a) In SmartConsole, from the left Navigation Toolbar, click Security Policies.
b) In the Shared Policies section, click Mobile Access > Open Mobile Access Policy in
SmartConsole.
c) In SmartConsole, click Mobile Access tab > expand Endpoint Security On Demand >
click Endpoint Compliance Updates > click Update Databases Now.
d) Close SmartConsole.
4. Manually edit the new versions of the files, to include your changes.
Do not overwrite the R80.10 files with your customized files!

Installation and Upgrade Guide R80.10 | 90

 Upgrading Prerequisites

Management Server Migration Tool

Important - You must always use the Management Server Migration Tool of the version, to
which you upgrade.
Download the applicable package from the R80.10 Home Page
http://supportcontent.checkpoint.com/solutions?id=sk111841.

Before an upgrade, a set of utilities search your installation for known upgrade issues. The output
of the utilities is saved to a log file and an HTML file, with these message types:
• Action items before the upgrade: Errors that you must repair before the upgrade (for
example, an invalid policy name), and warnings of issues for you to decide whether to fix before
upgrade. Some messages recommend that you run utilities to fix an issue. In most cases, you
must fix the issues manually.
• Action items after the upgrade: Errors and warnings, to be handled after the upgrade.
• Information messages: Items to be aware of. For example, an object type is not supported in
the upgraded version but is in your database and is converted during the upgrade.
When you open the Management Server Migration Tool package, you see these files:

Package Description
migrate Exports and imports the management database and applicable
Check Point configuration.

migrate.conf Contains configuration settings for Advanced Upgrade /

Database Migration.

ips_upgrade_tool Runs the IPS database upgrade.

pre_upgrade_verifier Analyzes compatibility of the currently installed configuration

with the version, to which you upgrade.
pre_upgrade_verifier -p $FWDIR -c <Current Version>
-t <Target Version>
Note - This tool is required only when you upgrade from
R77.30 (or lower) version to R80.10.

puv_report_generator Runs in the end of pre_upgrade_verifier and converts the

text report file to HTML.
Note - This tool is required only when you upgrade from
R77.30 (or lower) version to R80.10.

Installation and Upgrade Guide R80.10 | 91

 Upgrading Prerequisites

Using the Pre-Upgrade Verifier

The Pre-Upgrade Verifier runs automatically during the upgrade process. You can also run it
manually.
Run this command and use the applicable syntax based on the instructions on the screen:
[Expert@HostName:0]# ./pre_upgrade_verifier -h

Note - This is required only when you upgrade from R77.30 (or lower) version to R80.10.

Installation and Upgrade Guide R80.10 | 92

 Upgrading Prerequisites

Upgrading Successfully
• When upgrading a Security Management Server, IPS profiles remain in effect on earlier
Gateways and can be managed from the IPS tab. When the gateway is upgraded, install the
policy to get the new IPS profile.
• When upgrading a Security Gateway, remember to change the gateway object in SmartConsole
to the new version.
If you encounter unforeseen obstacles during the upgrade process, consult the Support Center
http://supportcontent.checkpoint.com/solutions?id=sk111841 or contact your Reseller.

Installation and Upgrade Guide R80.10 | 93

 Upgrading Prerequisites

Upgrading the vSEC Controller

Upgrading from R80 to R80.10
To upgrade the vSEC Controller v1 and v2 from R80 to R80.10, see sk111841
http://supportcontent.checkpoint.com/solutions?id=sk111841 for upgrade instructions.

Important Information
1. When you upgrade the vSEC Controller to R80.10 the following files are overwritten with
default values:
• vSEC Controller v1
 $VSECDIR/conf/vsec.conf
• vSEC Controller v2
 $VSECDIR/conf/vsec.conf
 $MDS_FWDIR/conf/tagger_db.C
Before you begin the upgrade, back up any files that you have changed.
2. A Multi-Domain Server that contains imported Data Center objects in the Global Domain is not
supported in the upgrade to R80.10. You must remove objects from the Global Domain before
you install the upgrade.
3. Before you perform the upgrade on the Management server, if you have a Cisco APIC server,
keep only one URL. After the upgrade, add the other URLs.
4. For upgrades from the vSEC Controller v1, manually connect again to each Data Center
Server. For those servers that communicate with HTTPS, in SmartConsole double-click the
Data Center object and trust the certificate again.
Note - During the upgrade, the vSEC Controller does not communicate with the Data Center.
Therefore, Data Center objects are not updated on the Security Management Server or the
Security Gateways.

Upgrading from R77.30 to R80.10

For information on upgrading from R77.30 to R80.10, contact Check Point Support
https://www.checkpoint.com/support-services/contact-support/.

vSEC Controller and Supported Security Gateways

The vSEC Controller works with:
• R77.20 gateways
• R77.30 gateways
• R80.10 gateways
• 60000/40000 Scalable Platforms R76SP.50 (starting with Jumbo Hotfix Accumulator, Take 20)
Important - To use the vSEC Controller with R77.20 and R77.30 gateways (R77.30 gateways with
Jumbo Hotfix Accumulator below Take 309) install the R80.10 vSEC Controller v1 Enforcer Hotfix.
See sk120464 http://supportcontent.checkpoint.com/solutions?id=sk120464.

Installation and Upgrade Guide R80.10 | 94

 Upgrading Prerequisites

Service Contract Files

Before you upgrade your Management Server to R80.10, you must have a valid Support Contract
that includes software upgrades and major releases registered to your Check Point User Center
account. For more on service contracts, see sk33089
http://supportcontent.checkpoint.com/solutions?id=sk33089.
By verifying your status with the User Center, the contract file enables you to remain compliant
with current Check Point licensing standards.
As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain
Server before upgrading the Security Gateways.
When you upgrade a Management Server, the upgrade process checks to see whether a Contract
File is already present.
If a Contract File is not present, later you can download a Contract File manually from the Check
Point User Center and import it.
If a Contract File does not cover the Management Server, a message informs you that the
Management Server is not eligible for upgrade.
Important - The absence of a valid Contract File does not prevent upgrade. You can download a
valid Contract File later.
Note - In most cases, you do not need to worry about your Service Contract File. Your
Management Server is configured to communicate with the User Center automatically, and
download the most current file. This allows the Management Server to enable the purchased
services properly.

Option Description
Download a If you have Internet access and a valid User Center
contract file from https://usercenter.checkpoint.com account, download a Contract File
the User Center directly from your User Center account:

Import a local If the Management Server does not have Internet access:
contract file
a) On a computer with Internet access, log in to your User Center
https://usercenter.checkpoint.com account.
b) In the top menu, click Assets/Info > Download Contract File and
follow the instructions on the screen.
c) Transfer the downloaded contract file to your Management Server.
d) Select Import a local contracts file.
e) Enter the full path to the location where you stored the contract file.

Continue without Select this option, if you intend to get and install a valid Contract File later.
contract Note that at this point your managed Security Gateways are not strictly
information eligible for an upgrade. You may be in violation of your Check Point
Licensing Agreement, as shown in the final message of the upgrade
process.

Installation and Upgrade Guide R80.10 | 95

 Upgrading Prerequisites

Working with Contract Files

As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain
Server before upgrading the Security Gateways. Once the Management Server is upgraded and
contains a Contract File, it transfers this Contract File to the managed Security Gateways when
they are upgraded.

Installing a Contract File on the Security Management Server

When you upgrade a Management Server, the upgrade process checks to see whether a Contract
File is already present on the v. If not, you get the main options for getting a contract. You can
download a Contract File or import it.
If the Contract File does not cover the Management Server, a message informs you that the
Management Server is not eligible for upgrade. The absence of a valid Contract File does not
prevent upgrade. You can download a valid Contract File later in SmartUpdate.
• To download a contracts file from the User Center
If you have Internet access and a valid user account, download a Contract File directly from
your User Center https://usercenter.checkpoint.com account. If you choose to download the
contract information from the User Center, you are prompted to enter your:
• User name
• Password
• Proxy server address (if applicable)
• To import a local contract file
If the Management Server does not have Internet access:
a) On a computer with Internet access, log in to the User Center
https://usercenter.checkpoint.com.
b) In the top menu, click Assets/Info > Download Contract File and follow the instructions on
the screen.
c) Transfer the downloaded file to the Management Server.
d) After selecting Import a local contracts file, enter the full path to the location where you
stored the file.
• To continue without contract information
Select this option if you intend to get and install a valid Contract File at a later date. Note that
at this point your Security Gateways are not strictly eligible for an upgrade; you may be in
violation of your Check Point Licensing Agreement, as shown in the final message of the
upgrade process.

Installation and Upgrade Guide R80.10 | 96

 Upgrading Prerequisites

Installing a Contract File on Security Gateways

After you accept the End User License Agreement (EULA), the upgrade process searches for a
valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to
retrieve the latest contract file from the Security Management Server. If not found, you can
download or import a contract.
If the contract file does not cover the gateway, a message informs you (on Download or Import)
that the gateway is not eligible for upgrade. The absence of a valid contract file does not prevent
upgrade. When the upgrade is complete, contact your local support provider to obtain a valid
contract. Use SmartUpdate to install the contract file.
Use the download or import instructions for installing a contract file on a Security Management
Server.
If you continue without a contract, you install a valid contract file later. But the gateway is not
eligible for upgrade. You may be in violation of your Check Point Licensing Agreement, as shown in
the final message of the upgrade process. Contact your reseller.

Installation and Upgrade Guide R80.10 | 97

CHAPTE R 18

Upgrading Security Management

Servers
In This Section:
Using the Upgrade Verification Service .......................................................................98
Upgrading Gaia Security Management Server and Standalone .................................99

Using the Upgrade Verification Service

The Upgrade Verification Service helps you upgrade successfully to R80.10.
We evaluate your environment and send you an email that shows if you are ready to upgrade, or
what you must do first. For more details, see sk110267
http://supportcontent.checkpoint.com/solutions?id=sk110267.

Installation and Upgrade Guide R80.10 | 98

 Upgrading Security Management Servers

Upgrading Gaia Security Management Server and

Standalone
A Security Management Server upgraded to R80.10 can enforce and manage Gateways from
earlier versions. You do not have to upgrade the Security Management Server and all of the
Gateways at the same time. Gateways that runs versions lower than the version of their
Management Server, cannot support all new features.
Important - Before you upgrade:
• Back up your current configuration (on page 17).
• See the R80.10 Release Notes
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNote
s/html_frameset.htm for the supported appliances, system and memory requirements, and
deployments.
• Use the Pre-Upgrade Verification tool to reduce the risk of incompatibility with your existing
environment. The Pre-Upgrade Verification tool generates a detailed report of the actions to
take before an upgrade (on page 92).
• For upgrades from an R80 Security Management Server to R80.10:
• Upgrades are only supported with CPUSE - In-place upgrade of the Security Management
Server.
To learn how to upgrade with CPUSE, see sk92449
http://supportcontent.checkpoint.com/solutions?id=sk92449.
• Use the Sessions view in SmartConsole to publish or discard all sessions before you start
the upgrade. In SmartConsole, go to the Manage & Settings tab > Sessions > Actions.
• Upgrades from R77.x to R80.10 are supported with:
• CPUSE - In-place upgrade of the Security Management Server.
• Advanced migration - Export of the database from the source R77.x Security Management
Server and import to the target 80.10 Security Management Server.
Note - After the upgrade of the Security Management Server is complete, make sure to run
Install Database.

Installation and Upgrade Guide R80.10 | 99

CHAPTE R 19

Upgrading a Multi-Domain Server or

Multi-Domain Log Server
In This Section:
Upgrading Multi-Domain Security Management with CPUSE .................................101
Upgrading an R77.xx Multi-Domain Security Management with Migration ............102
Upgrading a High Availability Deployment ................................................................115
Restarting Domain Management Servers .................................................................118
Changing the Leading Interface on Multi-Domain Server or Multi-Domain Log Server 119
Saving the Multi-Domain Security Management IPS Configuration ........................120
Enabling IPv6 on Multi-Domain Security Management ............................................120

Installation and Upgrade Guide R80.10 | 100

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Upgrading Multi-Domain Security Management with

CPUSE
Best Practice - To make sure the Security Gateways of the source Multi-Domain Server are not
affected until the upgrade is done, put the target Multi-Domain Server on an isolated network
segment.
Upgrades from R80 to R80.10 are only supported with CPUSE.
Upgrades from R77.x to R80.10 are supported with:
• CPUSE - In-place upgrade on the Multi-Domain Security Management.
• Advanced migration (on page 102) - Export of the database from the source R77.x
Multi-Domain Security Management and import to the target R80.10 Multi-Domain Security
Management.
To learn how to upgrade with CPUSE, see sk92449
http://supportcontent.checkpoint.com/solutions?id=sk92449.
Important - Before you upgrade:
• Back up your current configuration (on page 17).
• For upgrades from R80, use the Sessions view in SmartConsole to publish or discard all
sessions. In SmartConsole, go to the Manage & Settings tab > Sessions > Actions.
• For upgrades from R80, if vSEC Controller is used in your environment, in SmartConsole that
is connected to the Global Domain, remove all global Data Centers and global Data Center
Objects.

Installation and Upgrade Guide R80.10 | 101

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Upgrading an R77.xx Multi-Domain Security

Management with Migration
You can upgrade R77.xx to R80.20 with a migration procedure. Versions higher than R77.30 cannot
be migrated.
A basic migration is when you upgrade the database from a source Security Management Server
to a target Security Management Server of the same version.
In an advanced upgrade, the database from an R77.xx Security Management Server is migrated to
an R80.10 server. When you migrate, you are exporting the upgrade from the source server and
importing it to the target server.
We recommend that you use database export/import to upgrade.
Note - There has to be a valid license on the Multi-Domain Servers before you import the database
(on page 185).
To make sure a valid license is installed, run:
mdsenv && cplic print
If it is not already installed, then install a valid license now.
Important! In R80.10, the order that you import servers is crucial:
• First you must import the Primary Multi-Domain Server.
• Then you can import the Secondary Multi-Domain Servers and Multi-Domain Log Servers. If
there are active Domain Management Servers on the Secondary Multi-Domain Servers, they
must be upgraded before you upgrade the Multi-Domain Log Servers.
If there is no Primary Multi-Domain Server, you must first promote a Secondary Multi-Domain
Server to be the Primary. See R80.10 Multi-Domain Security Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Multi-DomainSe
curityManagement_AdminGuide/html_frameset.htm.

Exporting the Multi-Domain Server Databases

Export current Multi-Domain Server extracts the database and configuration settings from a
Multi-Domain Server and its associated Domain Management Servers. It then stores this data in a
single TGZ file. You can import this TGZ file to a newly installed Multi-Domain Server.
Note - In a High Availability deployment, you must export the primary Multi-Domain Server. If the
target Multi-Domain Server uses a different leading IP address than the source server, you must
change the Multi-Domain Server IP address and the external interface.
You can include the log files in the exported TGZ file. These log files are likely to be very large.
• Export one database at a time. Start with the Primary Multi-Domain Server.
• Make sure the Global Domain Management Server is Active on the Primary Multi-Domain
Server.

Installation and Upgrade Guide R80.10 | 102

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

To create the export file on a source Multi-Domain Server:

1. Stop all Check Point services:
# mdsstop
2. Go to the Multi-Domain Server context:
# mdsenv
# mcd
3. Mount the ISO file:
# mount -o loop /path_to/Check_Point_R80.10_Gaia.iso /mnt/cdrom
4. Go to the installation folder:
# cd /mnt/cdrom/linux/p1_install
5. Run the installation script:
# ./mds_setup
6. Run the Pre-Upgrade Verifier > enter 1 when this menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Upgrade to R80.10
(3) Backup current Multi-Domain Server
(4) Export current Multi-Domain Server
Or 'Q' to quit.
The pre-upgrade verifier analyzes compatibility of the management database and its current
configuration. A detailed report shows the steps to do before and after the upgrade.
Note - The pre-upgrade verification is required when you upgrade to a new version. You do not
need to run the verification when you migrate to the same version (without upgrading).
7. Read the Pre-Upgrade Verifier output and fix all errors according to the instructions.
8. After fixing the errors, open SmartConsole and reassign the Global Policy on all Domains.
9. Stop the services again:
# mdsstop
10. Run the installation script:
# ./mds_setup
11. Export the current Multi-Domain Server configuration > enter 4 when this menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Upgrade to R80.10
(3) Backup current Multi-Domain Server
(4) Export current Multi-Domain Server
Or 'Q' to quit.
12. Answer the interactive questions:
Would you like to proceed with the export now [yes/no] ? yes
Please enter target directory for your Multi-Domain Server export (or 'Q'
to quit): /var/log
Do you plan to import to a version newer than R80.10 [yes/no] ? no
Using migrate_tools from disk.
Do you wish to export the log database [yes/no] ? yes or no
If you enter no to export the logs, the configuration is still exported.

Installation and Upgrade Guide R80.10 | 103

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

13. Make sure this export file is created.:

# ls -l /var/log/exported_mds.DDMMYYY-HHMMSS.tgz
14. Calculate the MD5 for this file:
# md5sum /var/log/exported_mds.DDMMYYY-HHMMSS.tgz

Importing the Database to the Primary Multi-Domain Server

Import the Multi-Domain Server configuration that you exported.
Important - When you transfer the exported database from the source to the target, use binary
mode during the transfer.

To import the Multi-Domain Server configuration:

1. Install R80.10 Multi-Domain Security Management on the target Multi-Domain Server (on page
48).
When you complete the upgrade process for the Primary Multi-Domain Server, the Multi-Site
upgrade is not finished. You can only access objects that are stored on other Multi-Domain
Servers when the upgrade process for the other Multi-Domain Servers is complete.
2. Log in to Expert Mode.
3. Transfer (with FTP, SCP, or similar) the exported configuration file collected from the source
to the new server:
exported_mds.DDMMYYY-HHMMSS.tgz
4. Calculate the MD5 for the transferred file and compare to the MD5 that was calculated on
original server:
# md5sum /<directory>/exported_mds.DDMMYYY-HHMMSS.tgz
5. Make sure a valid license is installed:
# mdsenv
# cplic print
If it is not already installed, then install a valid license now.
6. Import the configuration:
$MDSDIR/scripts/mds_import.sh
<path_exported_database>/exported_mds.DDMMYYY-HHMMSS.tgz
7. Test the target installation.
8. Disconnect the source server from the network.
9. Connect the target server to the network.
10. On the target server, run: mdsstart

Installation and Upgrade Guide R80.10 | 104

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Importing the Database to Secondary Multi-Domain Servers and

Multi-Domain Log Servers
Import the Multi-Domain Server configuration that you exported to a Secondary Multi-Domain
Server or Multi-Domain Log Server. If you have multiple servers, import the database to one
server at a time.
Important - When you transfer the exported database from the source to the target, use binary
mode during the transfer.
Before you begin:
1. In the Primary Multi-Domain Server.
2. Log into Expert Mode.
3. Back it up:
# mds_backup -b –d /var/log
4. Install R80.10 Multi-Domain Security Management on the target Multi-Domain Server.
5. Make sure the Primary Multi-Domain Server is running.
6. Make sure that the Primary Multi-Domain Server has the correct license to work in Multi-Site
environment.
7. Make sure that there is good connectivity between all the Multi-Domain Servers. System
databases, logs, and Global Domains are upgraded only on the Primary Multi-Domain Server.
The connection is necessary to synchronize the other Multi-Domain Servers and Multi-Domain
Log Servers.
8. The IP address of the source and target Secondary Multi-Domain Servers and Multi-Domain
Log Servers must be the same.
9. Make sure a valid license is installed on the Secondary Multi-Domain Server:
# mdsenv
# cplic print
If it is not already installed, then install a valid license now.

To import the Multi-Domain Server configuration:

1. Log in to Expert Mode.
2. Transfer (with FTP, SCP, or similar) the exported configuration file collected from the source
to the new server:
exported_mds.DDMMYYY-HHMMSS.tgz
3. Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and
compare to the MD5 that was calculated on the source Multi-Domain Server:
# md5sum /<directory>/exported_mds.DDMMYYY-HHMMSS.tgz
4. Make sure that there is connectivity to the newly upgraded Primary Multi-Domain Server.
5. Import the configuration:
# $MDSDIR/scripts/mds_import.sh -primaryip <IP_primary_server>
<path_to_exported_database>/exported_mds.DDMMYYYY-HHMMSS.tgz
6. On the Primary Multi-Domain Server, make sure that the Full Sync task completes
successfully.
7. Test the target installation.
8. Disconnect the source server from the network.
9. Connect the target server to the network and run the mdsstart command on it.

Installation and Upgrade Guide R80.10 | 105

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

After you complete the upgrade of all secondary Multi-Domain Servers and the Multi-Domain Log
Servers, you must update the version of the Domain Management Server and the Domain Log
Server objects.

To update the version of the Domain Management Server and Domain Log Server
objects on the Multi-Domain Servers:
1. Connect to the command line on the Primary Multi-Domain Server, and make sure that all the
Domain Management Servers are up. Run:
# mdsstat
2. Make sure to disconnect all SmartConsoles.
3. Go to the main Multi-Domain Server context:
# mdsenv
4. On each Domain Management Server and Domain Log Server that you import, upgrade the
attributes of all managed objects:
# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Domain
Management Server or Domain Log Server>
Note - Because the command prompts you for a 'yes/no' for each Domain and each object in
the Domain, you can explicitly provide the 'yes' answer to all questions with this command:
# yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Domain
Management Server or Domain Log Server>
5. Open SmartConsole and make sure that the version for each of the upgraded objects is
R80.10.

Migrating Each Domain Management Server Gradually

Attention:

This upgrade method is supported only when you upgrade from R7x versions.
We recommend to upgrade the entire Multi-Domain Server at once with one of these methods:
• Upgrading Multi-Domain Security Management with CPUSE (on page 101)
• Upgrading an R77.xx Multi-Domain Security Management with Migration (on page 102)
Because upgrade of the entire Multi-Domain Server at once is the default recommended method,
use the Gradual Migration of Domain Management Servers only in these cases:
• The entire Multi-Domain Server cannot be upgraded at once because of a business impact.
• During the upgrade, you need to rename some or all of the Domain Management Servers.
• In Multi-Domain Server High Availability deployment, you need to change the number of
Domain Management Servers on Multi-Domain Servers.

Installation and Upgrade Guide R80.10 | 106

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

If you use the Gradual Migration method:

• You must migrate the Global Policies before you migrate the databases from other Domains.
• You can migrate the Global Policies only one time from the R7x Multi-Domain Server.
• Until the entire migration procedure is completed, you cannot make changes in the Global
Policies on the source Multi-Domain Servers.
If you need to make changes on the source Multi-Domain Servers, follow these guidelines:
• If you deleted or modified a global object in the source R7x Multi-Domain Server database,
you must make the same changes in the migrated Global Policies on the target R80.10
Multi-Domain Server.
• If you added a global object in the source R7x Multi-Domain Server database, you must
delete that global object before you export the databases from other Domains.

Notes:
In a gradual upgrade, you export each Domain Management Server one at a time from the source
Multi-Domain Server to a target Multi-Domain Server of the latest version.
The gradual upgrade does not keep all data.

Data that is not exported To get this data in the new environment
Multi-Domain Server administrators and Redefine and reassign to Domains after the upgrade.
management consoles

Status of global communities Run these commands:

mdsenv
fwm mds rebuild_global_communities_status
all

Migrating Global Policies

You can migrate the global policy only one time. We recommend that you do not change the global
policy on R77.xx until you move all the Domain Management Servers to the R80.10 Multi-Domain
Server.
If you have to change the global policy after you have migrated it, follow these guidelines:
• If the global object was deleted or edited on the source Multi-Domain Server, you have to make
the same change manually on the R80.10 Multi-Domain Server.
• If you added new objects to the global policy, you have to remove them from the policy before
you export the Domain Management Servers. Otherwise, cma_migrate on the target
Multi-Domain Server fails.
migrate_global_policies upgrades a global policy database from a Multi-Domain Server
and imports it to an R80.10 Multi-Domain Server.
Note - When you execute the migrate_global_policies utility, the Multi-Domain Server is
stopped.
Before you run the migrate_global_policies utility, make sure that you remove all the data
from the global database of the R80.10 Multi-Domain Server.

Installation and Upgrade Guide R80.10 | 107

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Upgrading Global Policy from R77.xx to R80.10

Upgrading the global policy is supported for R77.xx only. You cannot upgrade the global policy
when the source is R80.xx.

To upgrade Global Policies from R77.xx to R80.10:

1. On the R77.xx Multi-Domain Server, extract the Management Server Migration Tool from the
R80.10 ISO (on page 91), if you did not do this already (on page 108).
2. Go to the main Multi-Domain Server context:
# mdsenv
3. Run:
# cd <full path to migrate command>
# ./migrate export <output file>
4. Copy the TGZ file from the R77.xx server to the R80.10 Multi-Domain Server.
5. On the R80.10 Multi-Domain Server, g to the main Multi-Domain Server context:
# mdsenv
6. Make sure a valid license is installed:
mdsenv
cplic print
If it is not already installed, then install a valid license now.
7. Migrate the Global Policies:
# migrate_global_policies <full_path_exported_tgz>
8. Start the Multi-Domain Server:
# mdsstart
9. If there is a Secondary Multi-Domain Server, synchronize the global databases in
SmartConsole.

Migrating an R77.xx Domain Management Server Database

This procedure exports, updates, and imports the database of an R77.xx Domain Management
Server to an R80.10 Domain Management Server.
Important - This procedure is not supported for migration of versions R80 and above.

Before you begin:

• Make sure that there is one Active Domain Management Server in each Domain to be
migrated.
• If you want to import logs with the database, run a log switch before you export.
• Make sure that you migrate the database only on one Domain Management Server. If you
migrate a database to more than one Domain Management Server, the import fails and shows
an error message.
• Initialize the ICA (on page 110).

Installation and Upgrade Guide R80.10 | 108

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

To import from R77.xx Domain Management Server to R80.10:

1. On the Multi-Domain Server with the active global policy, get the Management Server
Migration Tool from the R80.10 CD or ISO (on page 91).
2. Extract the tools.
Extraction makes the upgrade_tools subdirectory.
In this path, extract the Multi-Domain Security Management tools - p1_upgrade_tools.tgz
For example:
Install from CD:
# gtar xvfz /mnt/cdrom/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C
/var/opt/export_tools
Install from DVD:
# gtar xvfz /mnt/cdrom/Linux/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C
/var/opt/export_tools
3. Go to the context of the Domain Management Server. Run:
# mdsenv <IP address or Name of Domain Management Server>
4. Run:
# cd <full path to migrate command>
# ./migrate export [-l] <output file>
 The migrate export command exports one Domain Management Server database to
a TGZ file.
 The output file must be specified with the fully qualified path. Make sure there is
sufficient disk space for the output file.
 The optional –l flag includes closed log files and SmartLog data from the source
Domain Management Server in the output archive.
5. On the R80.10 Multi-Domain Server, run this (long) API command
https://sc1.checkpoint.com/documents/R80/APIs/#introduction to create a new Domain and a
new Domain Management Server (without starting it):
# mgmt_cli --root true add domain name <my_domain_name> servers.ip-address
<my_IP_address> servers.name <my_domain_server_name> servers.multi-domain-server
<R80.10_multi-domain-server_Name> servers.skip-start-domain-server true
Important! - After you create the new Domain with this command, do not change the Domain
IP address until you run the cma_migrate command.
6. Copy the TGZ file from the source Domain Management Server to the R80.10 Multi-Domain
Server. Import the exported database:
# unset TMOUT
# cma_migrate <source management tgz file> <target Domain Management Server $FWDIR
directory>
For example:
# cma_migrate tmp/orig_mgmt.tgz
/opt/CPmds-R80/customers/cma1/CPsuite-R80/fw1

This command updates the database schema before it imports. First, the command runs
pre-upgrade verification. If no errors are found, migration continues. If there are errors, you
must change the source Domain Management Server according to instructions in the error
messages. Then do this procedure again.

Installation and Upgrade Guide R80.10 | 109

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

7. Upgrade the attributes of all managed objects in each target Domain Management Server:
# mdsenv
# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Domain
Management Server>
Note - Because the command prompts you for a 'yes/no' for each Domain and each object in
the Domain, you can explicitly provide the 'yes' answer to all questions with this command:
# yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Domain
Management Server>
8. If the R80.10 server has a different IP address than the R77.xx server, establish trust with the
Security Gateways (on page 110).
9. If the R77.xx server managed VPN gateways, configure the keys (on page 111).
Important - To do a Domain Management Server migration on a Secondary Multi-Domain Server,
you must set the state of its Global Domain to Active.
Procedure:
1. Connect to the command line on the Secondary Multi-Domain Server.
2. Log in to Expert Mode.
3. Run this command before you perform the first migration on the Secondary Multi-Domain
Server:
# mdsenv && $CPDIR/bin/cpprod_util CPPROD_SetValue FW1 LastIpsUpdate 1
`date +%s` 1
4. Connect with SmartConsole to the Secondary Multi-Domain Server.
5. From the left Navigation Toolbar, click Multi Domain > Domains.
6. Right-click the global domain of the Secondary Multi-Domain Server and click Connect to
Domain.
A window shows for the global domain.
7. Click Menu > Management High Availability.
8. In the Management High Availability status window, select Actions > Set Active for the
Connected Domain.

Certificate Authority Data

The cma_migrate process does not change the Certificate Authority or key data. The R80.10
Domain Management Server has SIC with Security Gateways. If the IP address of the R80.10
server is not the same as the IP address of the R77.xx server, you must establish trust between
the new server and the gateways.
Before you begin, see sk17197 http://supportcontent.checkpoint.com/solutions?id=sk17197 to
make sure the environment is prepared.

To initialize a Domain Management Server Internal Certificate Authority:

1. Remove the current Internal Certificate Authority for the specified environment, run:
# mdsstop_customer <IP address or Name of Domain Management Server>
# mdsenv <IP address or Name of Domain Management Server>
# fwm sic_reset
2. Create a new Internal Certificate Authority, run:
# mdsconfig -ca <Name of Domain Management Server> <IP address f Domain
Management Server>
# mdsstart_customer <IP address or Name of Domain Management Server>
Installation and Upgrade Guide R80.10 | 110
 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Resolving Issues with IKE Certificates

With a VPN tunnel that has an externally managed, third-party gateway and a Check Point Security
Gateway, there can be an issue with the IKE certificates after you migrate the management
database.
The Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the
FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the
IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the
original management server. The peer gateway will fail to contact the original server and will not
accept the certificate.
To fix:
• Update the external DNS server to resolve the host name to the IP address of the relevant
Domain Management Server.
• Revoke the IKE certificate for the gateway and create a new one.

Migrating from Standalone to Domain Management Server

Migration from Standalone to R80.10 Domain Management Server is supported only from R77.30
and lower versions. You need to separate the Security Management Server and Security Gateway
on the Standalone. Then you manage the former-Standalone computer as a Security Gateway
from the R80.10 Domain Management Server.
Note - To undo the separation of the Security Management Server and Security Gateway on the
Standalone, back up the Standalone computer before you migrate.

Before migrating:
1. Make sure that the target Domain Management Server IP address can communicate with all
Gateways.
2. Add an object to represent the Domain Management Server (name and IP address) and define
it as a Secondary Security Management Server.
3. Install policy on all managed Gateways.
4. Delete all objects or access rules created in Steps 1 and 2.
5. If the Standalone computer already has Security Gateway installed:
• Clear the Firewall option in the Check Point Products section of the gateway object. You
may have to first remove it from the Install On column of your Rule Base (and then add it
again).
• If the gateway participates in a VPN community, remove it from the community and erase
its certificate. Note these changes, to undo them after the migration.
6. Save and close SmartConsole. Do not install policy.

To migrate the management database to the Domain Management Server:

1. Go to the fully qualified path of the migrate export command.
2. Run:
# ./migrate export [-l] <output file>

Installation and Upgrade Guide R80.10 | 111

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

3. On the R80.10 Multi-Domain Server, run these API commands

https://sc1.checkpoint.com/documents/R80/APIs/#introduction to create a new Domain and a
new Domain Management Server (without starting it):
# mgmt_cli --root true add domain name <my_domain_name> servers.ip-address
<my_IP_address> servers.name <my_domain_server_name>
servers.multi-domain-server <R80.10_multi-domain-server_Name>
servers.skip-start-domain-server true
Important! After you create the new domain with this command, do not change the domain
IP address until you run the cma_migrate command.
4. Migrate the TGZ file from the source Domain Management Server to the R80.10 Multi-Domain
Server.
5. Import the exported database:
# unset TMOUT
# cma_migrate <source management tgz file> <target Domain Management Server $FWDIR
directory>
For example:
# cma_migrate tmp/orig_mgmt.tgz
/opt/CPmds-R80/customers/cma1/CPsuite-R80/fw1
This command updates the database schema before it imports. First, the command runs
pre-upgrade verification. If no errors are found, migration continues. If there are errors, you
must change the source Domain Management Server according to instructions in the error
messages. Then do this procedure again.
6. If the R80.10 server has a different IP address than the R77.xx server, establish trust with the
Security Gateways (on page 110).
7. If the R77.xx server managed VPN gateways, configure the keys (on page 111).
8. In SmartConsole, from the left navigation panel, click Gateways & Servers and locate:
• An object with the Name and IP address of the Domain Management Server primary
management object (migrated).
Previous references to the Standalone management object now refer to this object.
• An object for each Security Gateway managed previously by Security Management Server.
9. Edit the object of the Primary Management Server and remove all interfaces (Network
Management > Topology > select an interface > Remove).
10. Create an object for the Security Gateway on the Standalone machine (from New > Gateway),
and:
• Assign a Name and IP address for the Security Gateway.
• Select the appropriate Check Point version.
• Enable the installed Software Blades.
• If the Security Gateway belonged to a VPN Community, add it back.
• Do not initialize the Secure Internal Communication (SIC).
11. Run Domain Management Server on the Primary management object. In each location,
consider changing to the new Security Gateway object.
12. Install the policy on all other Security Gateways, not the new one.
Note - If you see warning messages about this Security Gateway because it is not yet
configured, ignore them.
13. Uninstall the Standalone deployment.
14. Install a Security Gateway on the previous Standalone machine.
Installation and Upgrade Guide R80.10 | 112
 Upgrading a Multi-Domain Server or Multi-Domain Log Server

15. From the Domain Management Server SmartConsole, edit the Security Gateway object, define
its topology, and establish trust between the Domain Management Server and the Security
Gateway.
16. Install the policy on the Security Gateway.

Installation and Upgrade Guide R80.10 | 113

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Migrating an R80.10 Database to another R80.10 Server

You can migrate the R80.10 Security Management Server database to a different R80.10 server.
The procedure is similar to upgrading from an earlier version to R80.10.
1. Create a backup file of the current system settings from the Gaia Portal.
For Multi-Domain Server, run: mds_backup
2. Do the steps to migrate to another R80.10 Security Management Server or Multi-Domain
Server.

Installation and Upgrade Guide R80.10 | 114

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Upgrading a High Availability Deployment

Multi-Domain Security Management High Availability gives you management redundancy for all
Domains. Multi-Domain Security Management High Availability operates at these levels:
• Multi-Domain Server High Availability - By default, Multi-Domain Servers are automatically
synchronized with each other. One Multi-Domain Server is always defined as the Active
Multi-Domain Server and all other Multi-Domain Servers are Standby Multi-Domain Servers.
You can connect to an Active or Standby Multi-Domain Server to work on Domain management
tasks.
You can only do Global policy and global object management tasks using the active
Multi-Domain Server. In the event that the active Multi-Domain Server is unavailable, you must
change one of the standby Multi-Domain Servers to active.
• Domain Management Server High Availability - Multiple Domain Management Servers give
Active/Standby redundancy for Domain management. One Domain Management Server for
each Domain is Active. The other, fully synchronized Domain Management Servers for that
Domain, are standbys. In the event that the Active Domain Management Server becomes
unavailable, you must change one of the standby Domain Management Servers to active.
You can also use ClusterXL to give High Availability redundancy to your Domain Security Gateways.
You use SmartConsole to configure and manage Security Gateway High Availability for Domain
Management Servers.

Pre-Upgrade Verification and Tools

Run the pre-upgrade verification on all Multi-Domain Servers before upgrading any Multi-Domain
Servers. Select the Pre-Upgrade Verification Only option from mds_setup. Upgrade the
primary Multi-Domain Server only after you have fixed all errors and reviewed all warnings for all
Multi-Domain Servers.

Multi-Domain Server High Availability

Multi-Domain Servers can only communicate and synchronize with other Multi-Domain Servers
running the same version. If your deployment has more than one Multi-Domain Server, make sure
they are upgraded to the same version.

To upgrade multiple Multi-Domain Servers:

1. Upgrade the primary Multi-Domain Server.
2. Upgrade the other Multi-Domain Servers.
During the upgrade process, we recommend that you do not use any of the Multi-Domain Servers
to make changes to the databases. This can cause inconsistent synchronization between
Multi-Domain Servers.
Important - Before you upgrade a Multi-Domain Server in High Availability Mode, all Domain
Management Servers must be Active on the Primary Multi-Domain Server.
Note - You must upgrade your Multi-Domain Log Servers to the same version as the Multi-Domain
Servers.

Installation and Upgrade Guide R80.10 | 115

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Upgrading Multi-Domain Servers and Domain Management

Servers
To upgrade a Multi-Domain Server and a Domain Management Server:
1. Run pre-upgrade verification for all Multi-Domain Servers.
2. If a change to the global database is necessary, synchronize the Multi-Domain Servers
immediately after making these changes. Update the database on one Multi-Domain Server
and start synchronization. The other Multi-Domain Servers will get the database changes
automatically.
3. If global database changes affect a global policy assigned to a Domain, assign the global policy
again to all affected Domains.
4. If the verification command finds Domain Management Server level errors (for example,
Gateways that are no longer supported by the new version):
a) Make the required changes on the Active Domain Management Server.
b) Synchronize the Active Domain Management Server with all Standby Domain Management
Servers.
5. If a Domain has Log Servers:
a) In the Domain SmartConsole, manually install the new database: select Policy > Install
Database.
b) Select all Log Servers.
c) Make sure that the change to the Log Server is successful.
Note - When synchronizing, make sure that you have only one active Multi-Domain Server and one
active Domain Management Server for each Domain.
Change the active Multi-Domain Server and Domain Management Server, and then synchronize
the Standby computers.

Updating Objects in the Domain Management Server Databases

After upgrading the Multi-Domain Servers and Domain Management Servers, you must update the
objects in all Domain Management Server databases. This is necessary because upgrade does not
automatically update the object versions attribute in the databases. If you do not manually update
the objects, the standby Domain Management Servers and Log Servers will show the outdated
versions.
Update the objects with these steps on each Multi-Domain Server.

To update Domain Management Server and Log Server objects:

1. Make sure that all Domain Management Servers are up: mdsstat
If a Domain Management Server is down, resolve the issue, and start the Domain Management
Server: mdsstart_customer <DMSNAME>
2. Go to the top-level CLI: mdsenv
3. Run: $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
Optional: Update one Domain Management Server or Log Server at a time with this
command:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <server_name>

Installation and Upgrade Guide R80.10 | 116

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

4. After running the command and before synchronizing the Standby domains, run:
mdsstop;mdsstart. See sk121718
http://supportcontent.checkpoint.com/solutions?id=sk121718.
5. Synchronize all Standby Domain Management Servers.
6. Install the database in SmartConsole for the applicable Domain Management Server.

Managing Domain Management Servers During the Upgrade

Process
The best practice is to avoid making any changes to Domain Management Server databases during
the upgrade process. If your business model cannot support management down-time during the
upgrade, you can continue to manage Domain Management Servers during the upgrade process.
This creates a risk of inconsistent Domain Management Server database content between
instances on different Multi-Domain Servers. The synchronization process cannot resolve these
inconsistencies.
After successfully upgrading one Multi-Domain Server, you can set its Domain Management
Servers to Active while you upgrade the others. Synchronization between the Domain
Management Servers occurs after all Multi-Domain Servers are upgraded.
If, during the upgrade process, you make changes to the Domain Management Server database
using different Multi-Domain Servers, the contents of the two (or more) databases will be
different. Because you cannot synchronize these databases, some of these changes will be lost.
The Domain Management Server High Availability status appears as Collision.
You must decide which database version to retain and synchronize it to the other Domain
Management Servers. You then must re-enter the lost changes to the synchronized database.

Installation and Upgrade Guide R80.10 | 117

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Restarting Domain Management Servers

After completing the upgrade process, start Domain Management Servers:
mdsstart_customer <DomainServer Name or IP>

Installation and Upgrade Guide R80.10 | 118

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Changing the Leading Interface on Multi-Domain Server

or Multi-Domain Log Server
This procedure lets you change the current Leading Interface on a Multi-Domain Server or
Multi-Domain Log Server.
1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode.
3. Stop the Multi-Domain Server:
# mdsstop
4. Modify the $MDSDIR/conf/LeadingIP file:
a) Back up the file:
# cp -v $MDSDIR/conf/LeadingIP{,_BKP}
b) Edit the file:
# vi $MDSDIR/conf/LeadingIP
c) Change the current IP address to the new IP address.
d) Save the changes and exit the Vi editor.
5. Modify the $MDSDIR/conf/mdsdb/mdss.C file:
a) Back up the file:
# cp -v $MDSDIR/conf/mdsdb/mdss.C{,_BKP}
b) Edit the file:
# vi $MDSDIR/conf/mdsdb/mdss.C
c) Find the Multi-Domain Server object that has the source Multi-Domain Server's IP address.
d) Change the object's IP address to the new IP address.
e) Do not change the Multi-Domain Server's name.
f) Save the changes and exit the Vi editor.
6. Install a new license on the target Multi-Domain Server issued for the new Multi-Domain
Server IP address.
7. For multiple Multi-Domain Server environments, repeat Steps 1 to 5 for each Multi-Domain
Server that has a changed IP address.
If your target machine and the source machine have different interface names (for example, eth0
and eth1), follow the steps listed below to adjust the restored Multi-Domain Server to the new
interface name.

To change the interface:

1. Change the interface name in file $MDSDIR/conf/external.if to the new interface name.
2. For each Domain Management Server, replace the interface name in the
$FWDIR/conf/vip_index.conf file.

Installation and Upgrade Guide R80.10 | 119

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

Saving the Multi-Domain Security Management IPS

Configuration
When upgrading to R80.10, the previous Domain IPS configuration is overridden when you first
assign a Global Policy.
Best Practice - Save each Domain IPS configuration, so that you can restore the settings after the
upgrade:
1. Connect with Multi-Domain Server to R7x Multi-Domain Server.
2. Click Global Policies tab > Global Policies.
3. Click the [+] near the Domain name.
4. Right-click the Domain Management Server > click Configure Domain.
5. Click the Global Policy tab.
6. In the Revision Control section, select Create a database version before assigning
global policy.
7. Click OK.
Notes:
• If you manage IPS globally, you must reassign the global policy before installing the policy on
the managed Security Gateways.
• Customers upgrading to the current version should note that the IPS subscription has
changed. All Domains subscribed to IPS are automatically assigned to an "Exclusive"
subscription. The "Override" and "Merge" subscriptions are no longer supported.
For more on IPS in Multi-Domain Server environment, see the R80.10 Multi-Domain Server
Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=54841.

Enabling IPv6 on Multi-Domain Security Management

If your Multi-Domain Security Management environment uses IPv6 addresses, you first must
enable IPv6 support for the Multi-Domain Servers and for existing Domain Management Servers.
It is not necessary to enable IPv6 support for Domain Management Servers that you create after
IPv6 is enabled on the Multi-Domain Server, because this is handled automatically.
Important - You must assign an IPv4 address for each Multi-Domain Server, Multi-Domain Log
Servers, Domain Management Server and Domain Log Server. The IPv6 address is optional.

Preliminary steps:
1. Enable the IPv6 support in Gaia (on page 44).
2. Assign an IPv6 address and default gateway to the Leading Interface (typically, eth0).
3. Assign an IPv6 address and default gateway to the management interfaces.
4. Write down the Multi-Domain Server IPv6 address, the host names and IPv6 addresses for all
Domain Management Servers.
This is necessary because the system restarts after you enable IPv6 support.

Installation and Upgrade Guide R80.10 | 120

 Upgrading a Multi-Domain Server or Multi-Domain Log Server

To enable IPv6 support for the Multi-Domain Server:

1. Connect to the command line on the Primary Multi-Domain Server over SSH or console.
2. Log in to Gaia Clish or Expert mode.
3. Run: mdsconfig
4. Select IPv6 Support for the Multi-Domain Server.
5. Enter y when prompted to change the IPv6 preferences.
Enter y again to confirm.
6. When prompted for the Leading Interface name, enter the name of the management interface
(typically, eth0).
7. When prompted, enter the management interface IPv6 address.
8. Press y to restart Check Point services.

To enable IPv6 support for existing Domain Management Servers:

1. Connect to the command line on the Primary Multi-Domain Server over SSH or console.
2. Log in to Gaia Clish or Expert mode.
3. Run: mdsconfig
4. Select IPv6 Support for Existing Domain Management Servers.
5. Enter y when asked to change the IPv6 preferences for Domain Management Servers.
6. Enter a to add support to an existing Domain Management Server.
7. Enter y to add support to all Domain Management Servers at once.
Enter y again to confirm.
8. Do one of these:
• Enter m to manually add IPv6 addresses,
• Press r to automatically assign IPv6 address from a specified range.
9. Follow the instructions on the screen to enter the IPv6 addresses or a range of IPv6
addresses.

To manually enable IPv6 support for specified Domain Management Servers:

1. Connect to the command line on the Primary Multi-Domain Server over SSH or console.
2. Log in to Gaia Clish or Expert mode.
3. Run: mdsconfig
4. Select IPv6 Support for Existing Domain Management Servers.
5. At the prompt, enter y to change the IPv6 preferences for Domain Management Servers.
6. Enter a to add support to an existing Domain Management Server.
7. Enter n when asked to enable IPv6 support for all Domain Management Servers at once.
Enter y to confirm.
8. At the prompt, enter the Domain Management Server name.
The available Domain Management Servers show above prompt. You can copy and paste the
name.
9. Enter the IPv6 address.
10. At the prompt, enter one of these:
• Enter y to enable another Domain Management Server.
• Enter n to complete the procedure.

Installation and Upgrade Guide R80.10 | 121

CHAPTE R 20

Upgrading Management with High

Availability
In This Section:
Upgrading from R80 to R80.10 ...................................................................................122
Upgrading from R77.xx to R80.10 ..............................................................................122

Upgrading from R80 to R80.10

1. Upgrade the primary management server to R80.10 using CPUSE
http://supportcontent.checkpoint.com/solutions?id=sk92449.
2. Do a clean R80.10 installation on the secondary management.
Install the secondary Security Management Server the same way you installed the primary. For
the primary, if you:
• Did a clean install of R80
• Added the R80 Jumbo Hotfix Accumulator
• Upgraded to R80.10
Repeat the same procedure for the secondary management server. If you do not install the
secondary management server in the same way you installed the primary, the servers will fail
to synchronize after SIC.
3. Connect the secondary to the primary server.
Note - You can reuse the same network object in SmartConsole.
4. Initiate SIC between the primary and secondary management servers and wait for the two
servers to synchronize.

Upgrading from R77.xx to R80.10

The Pre-Upgrade Verifier prevents the upgrade of a secondary management server in a
Management High Availability deployment. To upgrade such a deployment you need to:
1. Upgrade the primary management server using CPUSE
http://supportcontent.checkpoint.com/solutions?id=sk92449
2. Do a clean R80.10 installation on the secondary management
3. Initiate SIC between the primary and secondary management servers and wait for the two
servers to synchronize

Installation and Upgrade Guide R80.10 | 122

CHAPTE R 21

Upgrading Security Gateways

In This Section:
Configuring SmartUpdate for Versions R77.30 and Lower ......................................123
Upgrading a VSX Gateway ..........................................................................................124

Important - Before you upgrade your Security Gateways, you must upgrade your Security
Management Server (on page 99) or Multi-Domain Server (on page 100). You can also upgrade
your High Availability system (on page 115).
You can upgrade all Security Gateways with CPUSE.
Best Practice - Before you upgrade, back up your configuration (on page 17).

Configuring SmartUpdate for Versions R77.30 and

Lower
Important - Installing software packages using SmartUpdate is not supported for Security
Gateways running on Gaia Operating System.

To configure the Security Management Server for SmartUpdate:

1. Install the latest version of SmartConsole.
2. Define the remote Check Point Gateways in SmartConsole (for a new Security Management
Server installation).
3. Verify that the Administrator SmartUpdate permissions (as defined in the cpconfig
configuration tool) are Read/Write.
4. To enable SmartUpdate connections to the Gateways:
a) Go to the menu > Global Properties > firewall.
b) Go to Track and check the box: Log Implied Rules.
c) Click OK.
Use SmartUpdate to add packages to and delete packages from the Package Repository:
• Directly from the Check Point Download Center website (Packages > Add > From Download
Center)
• When you import a file (Packages > Add > From File).
When you add the package to the Package Repository, the package file is transferred to the
Security Management Server. When the Operation Status window opens, you can verify the
success of the operation. The Package Repository shows the new package object after it
updates.

Installation and Upgrade Guide R80.10 | 123

 Upgrading Security Gateways

Upgrading a VSX Gateway

Important:
• Before you begin, make sure the target VSX or Virtual Devices objects in SmartConsole are
currently not edited or locked by other administrators. The vsx_util command cannot
modify the management database if the database is locked. When the locked VSX and Virtual
Devices objects become available, begin the vsx_util procedure again.
• Before you begin, make sure to back up the entire VSX environment (on page 17) - both the
Management Server and the target VSX Gateways / VSX Cluster Members.

To upgrade a VSX Gateway to R80.10:

1. On the Management Server, log in to Expert mode.
2. On a Multi-Domain Server, go to the context of the Main Domain Management Server that
manages the object of the target VSX Gateway / VSX Cluster:
# mdsenv <IP address or Name of Main Domain Management Server>
3. Run:
# vsx_util upgrade
When prompted, enter this information:
a) IP address or Name of Security Management Server / Main Domain Management Server
b) Administrator name and password for Security Management Server / Main Domain
Management Server
c) Target VSX Gateway / VSX Cluster Member object
d) Version to which you need to upgrade - R80.10
4. Wait for the operation to complete successfully and for this message to show:
Do you wish to reconfigure the gateway/cluster members? (y|n)
5. If you are using CPUSE to upgrade the VSX Gateway / VSX Cluster Member, skip this step.
To use clean install, enter y.
When prompted, enter this information:
a) IP address or Name of Security Management Server / Main Domain Management Server
b) Administrator name and password for Security Management Server / Main Domain
Management Server
c) SIC activation key for the upgraded VSX Gateway / VSX Cluster Member
The operation completes successfully, and this message shows:
Reconfigure module operation completed successfully
d) Install the necessary licenses.
e) Reboot the reconfigured VSX Gateway / VSX Cluster Member.

Installation and Upgrade Guide R80.10 | 124

 Upgrading Security Gateways

6. If you are using CPUSE to upgrade the VSX Gateway / VSX Cluster Member, enter n and follow
these instructions:
a) In Gaia Clish, switch to the main VSX context:
set virtual-system 0
b) Import the upgrade file into the CPUSE repository:
installer import local <file_name>
c) Make sure that the file is in the repository:
show installer packages
d) Start the upgrade. Enter:
installer upgrade <package_number>
e) Press the Tab key to see the upgrade options.
f) From the list, select the file to install.

Installation and Upgrade Guide R80.10 | 125

CHAPTE R 22

Upgrading Full High Availability

In This Section:
Upgrading with Minimal Downtime ...........................................................................126
Upgrading with a Clean Installation ..........................................................................127

To upgrade Full High Availability for cluster members in Standalone configurations, there are
different options:
• Upgrade one machine and synchronize the second machine with minimal downtime.
• Upgrade with a clean installation on one machine and synchronize the second machine with
system downtime.

Upgrading with Minimal Downtime

You can do a Full High Availability upgrade with minimal downtime on the cluster members.

To upgrade Full High Availability with minimal downtime:

1. Check the status of the cluster members. Run: cphaprob state
Make sure the Primary cluster member is Active and the Secondary cluster member is
Standby.
2. Start failover to the Secondary cluster member.
On the Primary cluster member, run: cpstop
The Secondary cluster member becomes the new Active member and processes all the traffic.
3. Log in with SmartConsole to the Security Management Server of the Secondary cluster
member.
4. Click Change to Active.
5. Configure the Security Management Server on the Secondary cluster member to be Active.
Note - We recommend that you export the database using the Management Server Migration
Tool (on page 91).
6. Upgrade the Primary cluster member to the desired Check Point version.
7. Log in with SmartConsole to the Security Management Server of the Primary cluster member.
Make sure you use the SmartConsole of the same Check Point version as the Security
Management Server.
8. Open the cluster object.
9. Change the version of the object to the new version and click OK.
10. Install the Access Policy on the cluster object.
Note - Make sure that the For Gateway Clusters install on all the members option is
cleared. The Primary cluster member now processes all the traffic.
11. Upgrade the Secondary cluster member to the desired Check Point version.
Synchronization for Management High Availability starts automatically.

Installation and Upgrade Guide R80.10 | 126

 Upgrading Full High Availability

Upgrading with a Clean Installation

You can do a Full High Availability upgrade with a clean installation on the secondary cluster
member and synchronize the primary cluster member. This type of upgrade causes downtime to
the cluster members.

To upgrade Full High Availability with a clean installation:

1. Make sure the primary cluster member is active and the secondary is standby: check the
status of the members.
2. Start failover to the second cluster member.
The secondary cluster member processes all the traffic.
3. Log in with SmartConsole to the management server of the secondary cluster member.
4. Click Change to Active.
5. Configure the secondary cluster member to be the active management server.
Note - We recommend that you export the database using the Management Server Migration
Tool (on page 91).
6. Upgrade the primary cluster member to the appropriate version.
7. Log in with SmartConsole to the management server of the primary cluster member.
Make sure version of the SmartConsole is the same as the server.
8. Upgrade the version of the object to the new version.
9. Install the policy on the cluster object.
The primary cluster member processes all the traffic.
Note - Make sure that the For Gateway Clusters install on all the members option is
cleared. Selecting this option causes the installation to fail.
10. Install the secondary member.
11. From SmartConsole, configure the cluster object.
a) Change the secondary details (if necessary).
b) Establish SIC.
Synchronization for Management High Availability starts automatically.

Installation and Upgrade Guide R80.10 | 127

CHAPTE R 23

Upgrading ClusterXL Deployments

In This Section:
Planning a Cluster Upgrade .......................................................................................129
Minimal Effort Upgrade on a ClusterXL Cluster .......................................................132
Zero Downtime Upgrade on a Cluster .......................................................................133
Upgrading Clusters with Minimal Connectivity Loss ................................................135
ClusterXL Optimal Service Upgrade ..........................................................................136
Connectivity Upgrade .................................................................................................147

Installation and Upgrade Guide R80.10 | 128

 Upgrading ClusterXL Deployments

Planning a Cluster Upgrade

Important - Before you upgrade your Cluster members, you must upgrade your Security
Management Server (on page 99) or Multi-Domain Server (on page 100). You can also upgrade
your High Availability system (on page 115).
Before you upgrade a ClusterXL, consider the available upgrade options.

Upgrades that guarantee minimal connectivity loss

• Optimal Service Upgrade (OSU) (on page 136) - Select this option if security is of utmost
concern. During this type of upgrade two cluster members process network traffic.
Connections that are initiated during the upgrade stay up through the upgrade. A minimal
number of connections that were initiated before the upgrade get dropped after the upgrade.
• Connectivity Upgrade (CU) (on page 147) - Select this option, if you need to upgrade a Security
Gateway or a VSX cluster to any version, and guarantee connection failover. Connections that
were initiated before the upgrade are synchronized with the upgraded Security Gateways and
cluster members so that no connections are dropped.
Note - Before you select the Connectivity Upgrade (CU) option, see sk107042 ClusterXL
upgrade methods and paths http://supportcontent.checkpoint.com/solutions?id=sk107042 for
limitations.

Effort and time efficient upgrades with some loss of connectivity

• Simple Upgrade (with downtime) (on page 123) - Select this option if you have a period of time
during which network downtime is allowed. This method is the simplest, because each cluster
member is upgraded as an independent Gateway.
• Zero Downtime - Select this option if you cannot have any network downtime and need to
complete the upgrade quickly, with a minimal number of dropped connections. During this type
of upgrade, there is always at least one active member that handles traffic. Connections are
not synchronized between cluster members running different Check Point software versions.
Note - Connections that were initiated on a cluster member running the old version get
dropped when the cluster member is upgraded to a new version. Network connectivity,
however, remains available during the upgrade, and connections initiated on an upgraded
cluster member are not dropped.
An administrator can customize the Firewall, VPN, CoreXL, and SecureXL configuration on cluster
members by configuring the relevant kernel parameters in special configuration files -
$FWDIR/boot/modules/fwkern.conf, $FWDIR/boot/modules/vpnkern.conf,
$PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf. For examples,
see sk25977 http://supportcontent.checkpoint.com/solutions?id=sk25977. During the upgrade, all
customized configuration files are overwritten with the default configuration files.
If you upgrade the cluster through CLI, you can preserve the customized configuration. To do that,
you must back up the configuration files before the upgrade and restore them manually
immediately after upgrade, before the cluster members are rebooted. See sk42498
http://supportcontent.checkpoint.com/solutions?id=sk42498 for details.
If you upgrade the cluster gateways through Gaia Portal, they are rebooted automatically
immediately after the upgrade, and the customized configuration is lost.

Installation and Upgrade Guide R80.10 | 129

 Upgrading ClusterXL Deployments

Note - If configuration customizations are lost during the upgrade, different issues can occur in
the upgraded cluster. Cluster members can stop detecting each other, cluster members can move
to undesired state, and traffic can be dropped.

Ready State During Cluster Upgrade/Rollback Operations

When cluster members of different versions are on the same network, cluster members of the
new (upgraded) version remain in the state Ready, and cluster members of the previous version
remain in state Active Attention. Cluster members in the state Ready do not process traffic and
do not synchronize with other cluster members.

To prevent cluster members from being in the state "Ready":

Option Instructions
1 1. Connect over the console to the cluster member.
2. Physically disconnect the cluster member from the network (unplug all cables).

2 1. Connect over the console to the cluster member.

2. Log in to Gaia Clish.
3. Shut down all interfaces:
set interface <Interface_Name> state off

For more information, see sk42096: Cluster member is stuck in 'Ready' state
http://supportcontent.checkpoint.com/solutions?id=sk42096.

Upgrading 32/64-bit Cluster Members

Cluster deployments are supported on 32-bit and 64-bit kernel Gaia operating systems. Make sure
that all cluster members are running the same 32-bit or the same 64-bit operating system. If the
kernel versions are different among the cluster members, those that are running the 64-bit
version will stay in the state Ready and will not synchronize with the other cluster members and
will not process traffic sent to the cluster Virtual IP addresses.
Important - If you perform a major upgrade, first complete the upgrade of all cluster members
and only then change the Gaia kernel edition to 64-bit.

Upgrading Third-Party and OPSEC Certified Cluster Products

• When upgrading 3rd party and OPSEC clusters, use the Zero Downtime or the Minimal Effort
procedure.
• When upgrading other third-party clustering products, use the Minimal Effort procedure. If the
third party vendor has an alternative for the Zero Downtime Upgrade, refer to their
documentation for upgrading.

Installation and Upgrade Guide R80.10 | 130

 Upgrading ClusterXL Deployments

Upgrading Clusters on Appliances

Important - Before you upgrade your Cluster members, you must upgrade your Security
Management Server (on page 99) or Multi-Domain Server (on page 100). You can also upgrade
your Management High Availability system.
If the appliance to upgrade was not the primary member of a cluster before, export its database
before you upgrade. If it was the primary member before, you do not have to do this.
To upgrade an appliance and add it to a cluster:
1. If the appliance was not the primary member of a cluster, export the Security Management
Server database.
2. Upgrade the Appliance.
3. If the appliance was not the primary member of a cluster, Import the database.
4. Using the Gaia Portal, on the Cluster page, configure the appliance to be the primary member
of a new cluster.
5. Connect a second appliance to the network.
• If the second appliance is based on an earlier version: get the relevant upgrade package
from the Download Center, save it to a USB stick, and reinstall the appliance as a
secondary cluster member.
• If the second appliance is upgraded: run the first-time wizard and select Secondary
Cluster Member.

Installation and Upgrade Guide R80.10 | 131

 Upgrading ClusterXL Deployments

Minimal Effort Upgrade on a ClusterXL Cluster

If you can afford to have a period of time during which network downtime is allowed, and choose to
perform a Minimal Effort Upgrade, each cluster member is upgraded as an individual gateway. For
additional instructions, refer to Upgrading Security Gateways (on page 123).

Installation and Upgrade Guide R80.10 | 132

 Upgrading ClusterXL Deployments

Zero Downtime Upgrade on a Cluster

Zero Downtime Upgrade is supported on all Check Point clusters and third-party clustering
products.
During a Zero Downtime Upgrade, one cluster member remains Active, while the other cluster
members get upgraded. The Active cluster member is upgraded last.
The procedure below describes a cluster with three members. However, it can be used for
clusters with two or more members.
• In High Availability mode, cluster member M1 is the Active member and is upgraded last.
Cluster members M2 and M3 are Standby.
• In Load Sharing mode, all members are Active. Randomly choose one of the cluster members
to upgrade last. Call it M1.

To upgrade a cluster with the Zero Downtime method:

1. Upgrade the licenses of all cluster members. A convenient time to do this is during the
upgrade of the Security Management Server.
To avoid possible problems with switches around the cluster, we recommend changing the
CCP protocol to Broadcast mode on all cluster members. Run cphaconf set_ccp
broadcast on all cluster members.
Note - cphaconf set_ccp starts working immediately. It does not require a reboot, and it
will survive the reboot. If you want to switch the CCP protocol back to Multicast mode on all
cluster members after the upgrade, then run cphaconf set_ccp multicast on all cluster
members.
2. Attach the upgraded licenses to all cluster members:
a) Connect to the Security Management Server through SmartUpdate. The updated licenses
are displayed as Assigned.
b) Use the Attach assigned licenses option to attach the assigned licenses to the cluster
members.
3. Upgrade M2.
After the upgrade, reboot M2.
4. Upgrade M3.
After the upgrade, reboot M3
5. In SmartConsole:
a) In the Gateway Cluster General Properties window, change the Cluster version to
R80.10.
b) In the Install Policy window, clear these options: For Gateway Clusters, install on all
the members, Install on each selected Module independently > if it fails do not
install at all.
c) Install the security policy on the cluster.
The policy successfully installs on M2 and M3. Policy installation fails on M1 and generates a
warning. You can safely ignore the warning.

Installation and Upgrade Guide R80.10 | 133

 Upgrading ClusterXL Deployments

6. On M1, run: cphaprob state

Verify that the status of cluster M1 is Active or Active Attention.
Active Attention means that the outbound status of the synchronization interface on M1 s
down. This is because M1 stopped communicating with other cluster members.
7. On M1, run: cpstop
This forces a failover to M2 or M3 (in High Availability mode) or to M2 and M3 (in Load Sharing
mode).
Make sure that one member is Active (in High Availability) or that all members are Active (in
Load Sharing).
8. On M2 and M3, run: cphaprob state
9. Upgrade M1.
10. Reboot M1.
11. Optional: To return the cluster control protocol to multicast (instead of broadcast), run
cphaconf set_ccp multicast on all cluster members.

Installation and Upgrade Guide R80.10 | 134

 Upgrading ClusterXL Deployments

Upgrading Clusters with Minimal Connectivity Loss

For minimal loss of connectivity, Check Point provides these cluster upgrade methods:
• ClusterXL Optimal Service Upgrade
• Connectivity Upgrade
To select the correct facility, refer to the table below:

Upgrade Name From version(s) To version(s)

ClusterXL Optimal Service R67.10 (VSX only) R77 and later
Upgrade
R75.40VS R80.10 minor versions
R76
R77

Connectivity Upgrade R75.40VS R77.20 and later

R76 R80.10 minor versions

Installation and Upgrade Guide R80.10 | 135

 Upgrading ClusterXL Deployments

ClusterXL Optimal Service Upgrade

Use the Optimal Service Upgrade feature to upgrade a Security Gateway or VSX cluster from
R75.40VS to R80.10 and future major releases. This feature upgrades the cluster with a minimum
loss of connectivity.
When you upgrade the cluster, two cluster members are used to process the network traffic. New
connections that are opened during the upgrade procedure are maintained after the upgrade is
finished. Connections that were opened on the old version are discarded after the upgrade.
You can also use the Optimal Service Upgrade feature to upgrade a VSX cluster from R67.10 to
R80.10. When you use this feature to upgrade from VSX R67.10, download the R67.10 upgrade
Hotfix and install it on one VSX cluster member. For more about upgrading to R67.10, see the
R67.10 Release Notes http://supportcontent.checkpoint.com/documentation_download?ID=11753.
For more about the Optimal Service Upgrade and to download the R67.10 upgrade Hotfix, go to
sk74300 http://supportcontent.checkpoint.com/solutions?id=sk74300.

Supported Versions for Connectivity Upgrade

Optimal Service Upgrade supports these releases:

Upgrade to version
Upgrade from
R76 R77 R77.10 R77.20 R77.30 R80.10
version
R77.30 x x x x x OSU

R77.20 x x x x OSU OSU

R77.10 x x x OSU OSU OSU

R77 x x OSU OSU OSU OSU

R76 x OSU OSU OSU OSU OSU

R75.40VS OSU OSU OSU OSU OSU OSU

VSX R67.10 OSU OSU OSU OSU OSU x

Notes:
• For supported upgrade paths, see the Release Notes for the version, to which you wish to
upgrade.
• "x" denotes that such upgrade path is not supported.
• "OSU" denotes Optimal Service Upgrade.

Installation and Upgrade Guide R80.10 | 136

 Upgrading ClusterXL Deployments

Optimal Service Upgrade Limitations

• Implement the Optimal Service Upgrade procedure when there is minimal network traffic.
• The Optimal Service Upgrade procedure does not provide redundancy, if a Cluster Member
fails during the upgrade.
• Do not make configuration changes during the upgrade process.
• Optimal Service Upgrade does not support:
• VPN connections
• Dynamic Routing connections
• Complex connections
For example: DHCP, DCE RPC, SUN RPC, Back Web, IIOP, FreeTel, WinFrame, NCP
• Bridge mode (Layer 2) configuration

Upgrade Workflow from R75.40VS and above

Use the Optimal Service Upgrade to upgrade a cluster from R75.40VS and above to R80.10, with a
minimal loss of connectivity.
Two cluster members are used to maintain connectivity, while you upgrade all the other cluster
members.
• OLD cluster member - Cluster member before the upgrade.
• NEW cluster member - Cluster member that has been upgraded.
Step Diagram of Cluster Members Summary

Cluster with four members (OLD).

1 • Leave one cluster member (OLD)

connected to the network and
disconnect all other cluster members
from the network. The connected
1a cluster member continues to process
the current connections.
• For upgrades from R77.30, make sure
1b that the cluster ID (the value of the
cluster_id parameter) is the same
on all cluster members.
• For upgrades from R77.20 or an earlier
version, make sure that the value of the
fwha_mac_magic parameter is the
same on all cluster members.

Installation and Upgrade Guide R80.10 | 137

 Upgrading ClusterXL Deployments

Step Diagram of Cluster Members Summary

2 • Upgrade the cluster members that are
disconnected from the network (NEW).
2a
• For upgrades to R77.30 or a later
version, make sure that the cluster ID
(the value of the cluster_id
2b parameter) is the same on all the
upgraded cluster members. Change it,
if necessary.
• For upgrades to R77.20 or an earlier
version, make sure that the value of the
fwha_mac_magic parameter on all
the upgraded cluster members is the
same. Change it, if necessary.
3 • Connect one upgraded (NEW) cluster
member to the network.
4
• On the active (OLD) cluster member,
turn off fwaccel on all Virtual Systems.
This allows the active (OLD) cluster
member synchronize all delayed
connections with the upgraded (NEW)
cluster member.
5 Note - If there are a lot of connections
on the Virtual Systems, turning off
fwaccel will cause all the connections
to be forwarded to the firewall. In this
case, run the cpstop command to turn
off the firewall.
• On the active (OLD) cluster member,
start the Optimal Service Upgrade
procedure.
6 • On the upgraded cluster member
(NEW) that you connected to the
network, start the Optimal Service
Upgrade procedure. The upgraded
cluster member begins to process new
connections.

7 • Check the number of active connection

on the old cluster member. When this
cluster member almost stops
8 processing connections, stop the
Optimal Service Upgrade procedure on
it.
• Disconnect the old cluster member
from the network.

Installation and Upgrade Guide R80.10 | 138

 Upgrading ClusterXL Deployments

Step Diagram of Cluster Members Summary

9 • Reconnect the other upgraded cluster
members to the network.

10 • Upgrade the old cluster member.

11 • Connect all the cluster members to the
network.
12
• Install the Access Control Policy.

Installation and Upgrade Guide R80.10 | 139

 Upgrading ClusterXL Deployments

Upgrading the Cluster from R75.40VS and above

Two cluster members are used to maintain connectivity, while you upgrade all the other cluster
members.

To use the Optimal Service Upgrade to upgrade the cluster members:

1. Disconnect all cluster members from the network, except for one cluster member.
Make sure that the management interfaces are not connected to the network.
2. On the old cluster member (connected to the network), configure kernel parameters:
• Upgrade to R77.30:
Run: cphaconf cluster_id get
Make sure all cluster members have the same cluster ID. If the cluster ID value is different
on a cluster member, run this command to configure the correct value: cphaconf
cluster_id set <value>
• Upgrade to R77.20 and lower:
Make sure all cluster members use the same value for the fwha_mac_magic parameter.
Run: fw ctl get int fwha_mac_magic
The default value for the fwha_mac_magic parameter is 254. If your configuration uses a
different value, on each member, run: fw ctl set int fwha_mac_magic <value>
For more about the cluster_id and fwha_mac_magic parameters, see the
R80.10ClusterXL Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54804 and sk25977
http://supportcontent.checkpoint.com/solutions?id=sk25977.
3. Install R80.10 on all the cluster members that are not connected to the network.
4. Make sure that all the cluster members use the same kernel parameter values:
• Upgrade to R77.30 and higher: Make sure all cluster members have the same cluster ID.
On each member, run: cphaconf cluster_id get
If a member has a different ID, run: cphaconf cluster_id set <value>
• Upgrade to R77.20 and lower: Make sure all cluster members have the same value for this
parameter: fw ctl get int fwha_mac_magic
If a member has a different value, run: fw ctl set int fwha_mac_magic <value>
5. Prepare the old cluster member for synchronization of old connections with the upgraded
cluster member:
a) On the old cluster member, disable SecureXL - run: fwaccel off -a
b) On the old cluster member, start the Optimal Service Upgrade - run: cphaosu start
6. Reconnect the SYNC interface of one new cluster member to the network.

Installation and Upgrade Guide R80.10 | 140

 Upgrading ClusterXL Deployments

7. Move traffic to the new cluster member that is connected to the network. Do these steps:
a) Make sure the new cluster member is in Ready state. Run: cphaprob state
b) Connect the other new cluster member interfaces to the network.
c) On the new cluster member, run cphaosu start
d) On the old cluster member, run cphaosu stat
The network traffic statistics are shown.
e) When the old cluster member does not have many connections, run cphaosu finish
8. On the new cluster member, run cphaosu finish
9. Disconnect the old cluster member from the network.
10. Reconnect the other new cluster members to the network one at a time. Do these steps on
each cluster member:
a) Run cphastop
b) Connect the new cluster member to the network.
c) Run cphastart
d) In SmartConsole, change the version of the cluster object to R80.10 and install the Policy.
11. Upgrade the old cluster member and reconnect it to the network.
12. If the cluster has two members: In SmartConsole, change the version to R80.10.
13. Install the Access Control Policy.

Installation and Upgrade Guide R80.10 | 141

 Upgrading ClusterXL Deployments

Upgrade Workflow from VSX R67.10

Use the Optimal Service Upgrade to upgrade a VSX cluster from R67.10 to a later version, without
loss of connectivity. When you upgrade the cluster, use two cluster members to process the
network traffic.
• OLD cluster member - The R67.10 VSX Gateway on which you install the Optimal Service
Upgrade Hotfix http://supportcontent.checkpoint.com/solutions?id=sk74300.
• NEW cluster member - VSX Gateway that is upgraded to R80.10 and processes new
connections.
Step Diagram of Cluster Members

VSX cluster with four R67.10 VSX

Gateways (OLD).

1 • Install the Optimal Service Upgrade

Hotfix on the cluster member that will
stay connected to the network during
the upgrade.

2 • Leave the cluster with the Hotfix

connected to the network, and
disconnect all other cluster members
2a from the network.
• For upgrades to R77.30, make sure
2b that the cluster ID (the value of the
cluster_id parameter) is the same
on all cluster members.
• For upgrades to R77.20 or an earlier
version, make sure that the value of
the fwha_mac_magic parameter is
the same on all cluster members.
3 • Upgrade the cluster members that
are disconnected from the network
3a
(NEW).
• For upgrades to R77.30 or a later
version, make sure the cluster ID (the
3b value of the cluster_id parameter)
is the same on all the upgraded
cluster members. Change it, if
necessary.
• For upgrades to R77.20 or an earlier
version, make sure that the value of
the fwha_mac_magic parameter on
all the upgraded cluster members is
the same. Change it, if necessary.
Installation and Upgrade Guide R80.10 | 142
 Upgrading ClusterXL Deployments

Step Diagram of Cluster Members

4 • Connect one upgraded (NEW) cluster
member to the network.
5
• On the active (OLD) cluster member,
turn off fwaccel on all Virtual
Systems. This allows the active (OLD)
cluster member synchronize all
delayed connections with the
upgraded (NEW) cluster member.
Note - If there are a lot of connections
on the Virtual Systems, turning off
6
fwaccel will cause all the
connections to be forwarded to the
firewall. In this case, run the cpstop
command to turn off the firewall.
• On the active (OLD) cluster member,
start the Optimal Service Upgrade
procedure.
7 • On the upgraded cluster member
(NEW) that you connected to the
network, start the Optimal Service
Upgrade procedure. The upgraded
cluster member begins to process
new connections.

8 • Check the number of active

connection on the old cluster
member. When this cluster member
9 almost stops processing connections,
stop the Optimal Service Upgrade
procedure on it.
• Disconnect the old cluster member
from the network.
10 • Reconnect the other upgraded cluster
members to the network.

11 • Upgrade the old cluster member.

12 • Connect all the cluster members to
the network.
13
• Install the policy.

Upgrading the Cluster from VSX R67.10

Two cluster members are used to maintain connectivity, while you upgrade all the other cluster
members.

Installation and Upgrade Guide R80.10 | 143

 Upgrading ClusterXL Deployments

To use the Optimal Service Upgrade to upgrade the VSX cluster members from
R67.10:
1. Install the Optimal Service Upgrade Hotfix on a cluster member. This is the old cluster
member with Hotfix.
For instructions and download links, refer to sk74300
http://supportcontent.checkpoint.com/solutions?id=sk74300.
2. Disconnect all old cluster members from the network, except for one cluster member.
Make sure that the management interfaces are not connected to the network.
3. On the old cluster member, configure kernel parameters:
• Upgrade to R77.30:
Run: cphaconf cluster_id get
If the cluster ID value is not as expected, run: cphaconf cluster_id set <value>
Make sure all cluster members have the same cluster ID. If a member has a different ID,
run this set command to configure the correct value.
• Upgrade to R77.20 and lower:
Make sure all cluster members use the same value for the fwha_mac_magic parameter.
Run: fw ctl get int fwha_mac_magic
The default value for the fwha_mac_magic parameter is 254. If your configuration uses a
different value, on each member, run: fw ctl set int fwha_mac_magic <value>
For more about the cluster_id and fwha_mac_magic parameters, see the
R80.10 ClusterXL Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54804
and sk25977 http://supportcontent.checkpoint.com/solutions?id=sk25977.
4. Install R80.10 on all the cluster members that are not connected to the network.
5. Prepare the old cluster member for synchronization of old connections with the upgraded
cluster member:
a) On the old cluster member, turn off fwaccel - run: fwaccel off -a
b) On the old cluster member, start the Optimal Serve Upgrade - run: cphaosu start
6. Reconnect the SYNC interface of one new cluster member to the network.
7. Move traffic to the new cluster member that is connected to the network. Do these steps:
a) Make sure the new cluster member is in ready state.
b) Connect the other new cluster member interfaces to the network.
c) On the new cluster member, run cphaosu start
d) On the old cluster member, run cphaosu stat
The network traffic statistics are shown.
e) When the old cluster member does not have many connections, run cphaosu finish
8. On the new cluster member, run cphaosu finish
9. Disconnect the old cluster member from the network.
10. Reconnect the other new cluster members to the network one at a time. Do these steps on
each cluster member:
a) Run cphastop
Installation and Upgrade Guide R80.10 | 144
 Upgrading ClusterXL Deployments

b) Connect the new cluster member to the network.

c) Run cphastart
11. Upgrade the old cluster member and reconnect it to the network.

Installation and Upgrade Guide R80.10 | 145

 Upgrading ClusterXL Deployments

Troubleshooting the OSU Upgrade

Use these cphaosu commands if there are problems during the OSU upgrade process:
• If it is necessary to roll the update back, run the cphaosu cancel command on the new
upgraded Cluster Member. The old Cluster Member processes all the traffic.
• After you run the cpshaosu finish command on the old Cluster Member, you can continue
to process the old traffic on the old Cluster Member and the new traffic on the new upgraded
Cluster Member. Run the cphaosu restart command on the old Cluster Member.

Installation and Upgrade Guide R80.10 | 146

 Upgrading ClusterXL Deployments

Connectivity Upgrade
Before you run Connectivity Upgrade:
• Make sure that the cluster has two members, one Active and one Standby
• Read sk107042 ClusterXL upgrade methods and paths
http://supportcontent.checkpoint.com/solutions?id=sk107042
• Read sk101209 R77.20 Known Limitations
http://supportcontent.checkpoint.com/solutions?id=sk101209
• Read sk104860 R77.30 Known Limitations
http://supportcontent.checkpoint.com/solutions?id=sk104860
Check Point Connectivity Upgrade (CU) synchronizes existing connections to maintain connectivity
during cluster upgrades.
Connectivity Upgrade is supported during these upgrades:

Upgrade from Version R77.20 R77.30 R80.10

R75.40VS CU CU CU

R75.46 CU CU CU

R75.47 CU CU CU

R76 CU CU CU

R77 - CU CU

R77.10 - CU CU

R77.20 - CU CU

R77.30 - - CU

Notes -
• Software Blade information does not get synchronized. If a connection needs to be inspected
by a Software Blade, and this Software Blade is configured in SmartConsole to Prefer
Connectivity Over Security, then the connection is accepted without the inspection. Otherwise,
the connection is dropped.
• All member gateways must have the same number of CoreXL Firewall instances.
• All member gateways must run the same 32-bit or 64-bit kernel edition.

Installation and Upgrade Guide R80.10 | 147

 Upgrading ClusterXL Deployments

Supported Versions for Connectivity Upgrade

Check Point Connectivity Upgrade (CU) synchronizes existing connections to maintain connectivity
during cluster upgrades.
Connectivity Upgrade supports these releases:

Upgrade to version

Upgrade from
R77.20 R77.20DR R77.30 R77.30DR R80.10
Version
R77.30DR x x x x CU + DR

R77.30 x x x x CU + DR

R77.20DR x x CU CU + DR CU + DR

R77.20 x x CU CU + DR CU + DR

R77.10 x x CU CU + DR CU + DR

R77 x x CU CU + DR CU + DR

R76 CU CU + DR CU CU + DR CU + DR

R75.47 CU CU + DR CU CU + DR CU + DR

R75.46 CU CU + DR CU CU + DR CU + DR

R75.40VS CU CU + DR CU CU + DR CU + DR

Installation and Upgrade Guide R80.10 | 148

 Upgrading ClusterXL Deployments

Notes:
• For supported upgrade paths, see the Release Notes for the version, to which you wish to
upgrade.
• For upgrade action plans, during which the Dynamic Routing information is synchronized, see
sk107042 http://supportcontent.checkpoint.com/solutions?id=sk107042.
• "R77.20DR" denotes R77.20 with Take 200 (or higher) of R77.20 Jumbo Hotfix Accumulator
(sk101975 http://supportcontent.checkpoint.com/solutions?id=sk101975).
• "R77.30DR" denotes R77.30 with Take 198 (or higher) of R77.30 Jumbo Hotfix Accumulator
(sk106162 http://supportcontent.checkpoint.com/solutions?id=sk106162).
• "x" denotes that such upgrade path is not supported.
• "CU" denotes Connectivity Upgrade, during which the Dynamic Routing information is not
synchronized.
• "CU with DR" denotes Connectivity Upgrade, during which the Dynamic Routing information is
synchronized.
• Notes for VRRP clusters on Gaia:
• Connectivity Upgrade without Dynamic Routing synchronization supports:
 upgrades to R80.10, and above
 upgrades to "R77.30DR"
 upgrades to "R77.20DR"
• Connectivity Upgrade with Dynamic Routing synchronization supports only:
 upgrades from R80.10 to next versions
 upgrades from R77.30 to R80.10, and above

Installation and Upgrade Guide R80.10 | 149

 Upgrading ClusterXL Deployments

Upgrading ClusterXL High Availability Using Connectivity Upgrade

Before you upgrade:
Make sure that the cluster has 2 members, one of which is Active and the other is Standby.

To check the cluster member status:

On each cluster member, run: cphaprob state

To upgrade the cluster:

1. Upgrade the Standby cluster member.
Reboot the Standby cluster member after the upgrade.
2. In SmartConsole:
a) Open the cluster object.
b) In the General Properties window, change the Cluster version to the upgraded version.
c) Click Install Policy.
d) In the Install Policy window, go to Installation Mode > Install on each selected
gateway independently section and make sure to clear the checkbox For Gateway
Clusters install on all the members, if it fails do not install at all.
e) Install the Access Policy on the cluster object.
Note - The policy successfully installs on the upgraded cluster member and fails to install on
the Active cluster member. This is expected. Ignore the warning.
3. On the Active cluster member, run: cphaprob state
Make sure the status is Active or Active Attention. Record the IP address of the Sync interface
and the Member ID of the cluster member.
4. On the upgraded cluster member, run: cphaprob state
Make sure the status is Ready.
5. On the upgraded cluster member, configure dynamic routing.
For BGP, you must configure graceful restart, for BGP routes to remain after failover.
6. On the upgraded cluster member, run: cphacu start [no_dr]
If dynamic routing synchronization is not required, use the no_dr option.
The Connectivity Upgrade runs, and shows this message when it finishes: Connectivity
upgrade status: Ready for Failover
7. On the upgraded cluster member, run: cphacu state
Make sure that the Active cluster member handles the traffic.

Installation and Upgrade Guide R80.10 | 150

 Upgrading ClusterXL Deployments

8. On the Active cluster member, run these commands:

a) cphaprob state
Make sure the local member is in Active or Active Attention state, and the upgraded
member is in Down state.
b) fwaccel off -a
Turns off fwaccel on all Virtual Systems, so that the delayed connections are
synchronized to the upgraded cluster member that is now in Ready state.
c) cpstop
The connections fail over to the upgraded cluster member.
9. On the upgraded cluster member, run: cphaprob state
Make sure that it is now in the Active state.
10. On the upgraded cluster member, run: cphacu stat
Make sure it handles the traffic.
11. Upgrade the former Active cluster member.
Make sure to reboot it, after the upgrade finishes.
12. In SmartConsole, install Access Policy on this cluster object.
After the cluster upgrade is complete, the Cluster Control Protocol (CCP) run in the broadcast
mode. To return it to the multicast mode, on all cluster members, run (this configuration survives
reboot): cphaconf set_ccp multicast

Installation and Upgrade Guide R80.10 | 151

 Upgrading ClusterXL Deployments

Upgrading a VSX Cluster

This Procedure is applicable to both High Availability and Load Sharing modes.
Before you upgrade:
Make sure that the cluster has 2 members, one of which is Active and the other is in Standby.

To check the cluster member status:

On each cluster member, run: cphaprob state

To upgrade the cluster:

1. Upgrade the Standby cluster member with CPUSE or a clean install.
2. On the upgraded cluster member, run: cphaprob state
Make sure the status is Ready.
3. Configure dynamic routing.
For BGP, you must configure graceful restart, for BGP routes to remain after failover.
4. Run: cphacu start [no_dr]
If dynamic routing synchronization is not required, use the no_dr option.
The Connectivity Upgrade runs, and shows this message when it finishes: Connectivity
upgrade status: Ready for Failover
5. On the Active cluster member, run these commands:
a) cphaprob state
Make sure the local member is in Active or Active Attention state, and the upgraded
member is in Down state.
b) fwaccel off -a
Turns off SecureXL on all Virtual Systems so that the delayed connections are synchronized
to the upgraded member that is now in Ready state.
c) cpstop
The connections fail over to the upgraded member.
6. On the upgraded cluster member, run: cphaprob state
Make sure that it is now in Active state.
7. On the new Active cluster member, run: cphacu stat
Make sure that it handles the traffic. See cphacu stat (on page 156).
8. Upgrade the former Active cluster member with a clean install.
Reboot the gateway after the upgrade.

To make sure all cluster members are up and in VSX High Availability mode:
On each cluster member, run: cphaprob state
If the state of a cluster member is HA not started, run: cphastart

Installation and Upgrade Guide R80.10 | 152

 Upgrading ClusterXL Deployments

Connectivity Upgrade Commands

cphacu start
Description Runs Connectivity Upgrade on a cluster member.
Syntax
cphacu start [no_dr]
Notes
If dynamic routing synchronization is not required, use the no_dr option.
Output
cphacu start command outputs this information:
• Dynamic Routing synchronization status
• Performing Full Sync on VSID <VSID number>
• Connectivity Upgrade Status -
• Disabled - Connectivity Upgrade is not running on this cluster member
• Enabled, ready for failover - Connectivity Upgrade completed successfully, and the Active
member can now do the failover
• Not enabled since member is Active - Connectivity Upgrade cannot run, because this
member is Active
• Full sync for connectivity upgrade is still in progress. Wait until full sync finishes
• The peer member is handling the traffic - Shows which cluster member currently handles the
traffic and the version of the Cluster Control Protocol for each member
• Connection table - Shows the summary of the connections table for each Virtual System
Example 1 - VSX High Availability
[Expert@gw2:0]# cphacu start

Starting Connectivity Upgrade...

Dynamic routes synchronization started...

=========================================

Finished Dynamic routes synchronization.

Performing Full Sync

====================
Performing Full Sync on
number of connections);
Performing Full Sync on
number of connections);
Performing Full Sync on
number of connections);
VSID 0. This may take several minutes (depending on the
please wait...
VSID 2. This may take several minutes (depending on the
please wait...
VSID 3. This may take several minutes (depending on the
please wait...

==============================================================================
Full Sync ended (Delta Sync is enabled)
For delayed connections (Templates) to be synchronized it is recommended to turn
off SecureXL
on the old member before doing a failover. Run: 'fwaccel off' on the old member
Please note: turning SecureXL off might slow down existing connections.
Installation and Upgrade Guide R80.10 | 153
 Upgrading ClusterXL Deployments

==============================================================================

Connectivity upgrade status: Enabled, ready for failover

========================================================

The peer member is handling the traffic

=======================================
Version of the local member: 3122
Version of the peer member : 2502

Connections table
=================
VS HOST NAME ID #VALS #PEAK #SLINKS
0 localhost connections 8158 30 103 34
2 localhost connections 8158 0 1 0
3 localhost connections 8158 1 2 2

Example 2 - ClusterXL High Availability

[Expert@HostName]# cphacu start
Starting Connectivity Upgrade...

Dynamic routes synchronization started...

=========================================

Finished Dynamic routes synchronization.

Performing Full Sync

====================
Performing Full Sync. This may take several minutes (depending on the number of
connections); please wait...

==============================================================================
==
Full Sync ended (Delta Sync is enabled)
For delayed connections (Templates) to be synchronized it is recommended to turn
off SecureXL
on the old member before doing a failover. Run: 'fwaccel off' on the old member
Please note: turning SecureXL off might slow down existing connections.
==============================================================================
==

Connectivity upgrade status: Enabled, ready for failover

========================================================

The peer member is handling the traffic

=======================================
Version of the local member: 3121
Version of the peer member : 2910

Connections table
=================
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 34 38
37

Installation and Upgrade Guide R80.10 | 154

 Upgrading ClusterXL Deployments

Example 3 - No Dynamic Routing VSX

[Expert@gw2:0]# cphacu start no_dr

Starting Connectivity Upgrade...

Dynamic routing synchronization is disabled!

Performing Full Sync

====================
Performing Full Sync on VSID 0. This may take several minutes (depending on the
number of connections); please wait...
Performing Full Sync on VSID 2. This may take several minutes (depending on the
number of connections); please wait...
Performing Full Sync on VSID 3. This may take several minutes (depending on the
number of connections); please wait...

==============================================================================
==
Full Sync ended (Delta Sync is enabled)
For delayed connections (Templates) to be synchronized it is recommended to turn
off SecureXL
on the old member before doing a failover. Run: 'fwaccel off' on the old member
Please note: turning SecureXL off might slow down existing connections.
==============================================================================
==

Connectivity upgrade status: Enabled, ready for failover

========================================================

The peer member is handling the traffic

=======================================
Version of the local member: 3122
Version of the peer member : 2502

Connections table
=================
VS HOST NAME ID #VALS #PEAK #SLINKS
0 localhost connections 8158 28 103 30
2 localhost connections 8158 0 1 0
3 localhost connections 8158 1 2 2

Installation and Upgrade Guide R80.10 | 155

 Upgrading ClusterXL Deployments

cphacu stat
Description Shows the status of Connectivity Upgrade.
Syntax
cphacu stat
Example 1 - VSX High Availability
[Expert@HostName]# cphacu stat

Connectivity upgrade status: Disabled

=====================================

The peer member is handling the traffic

=======================================
Version of the local member: 2907
Version of the peer member : 2502

Connection table
================
VS HOST NAME ID #VALS #PEAK #SLINKS
0 localhost connections 8158 16 56 16
1 localhost connections 8158 0 3 0
2 localhost connections 8158 0 0 0
3 localhost connections 8158 0 0 0
4 localhost connections 8158 0 0 0
5 localhost connections 8158 0 0 0
6 localhost connections 8158 0 1

Example 2 - ClusterXL High Availability

[Expert@HostName]# cphacu stat

Connectivity upgrade status: Disabled

=====================================

The peer member is handling the traffic

=======================================
Version of the local member: 2907
Version of the peer member : 2502

Connection table
================
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 16 56

Installation and Upgrade Guide R80.10 | 156

CHAPTE R 24

Special Scenarios for Security

Gateways
In This Section:
Using Monitor Mode ...................................................................................................158
Deploying a Security Gateway or a ClusterXL in Bridge Mode.................................161
Configuring Link State Propagation (LSP) ................................................................173
Security Before Firewall Activation ...........................................................................176

Installation and Upgrade Guide R80.10 | 157

 Special Scenarios for Security Gateways

Using Monitor Mode

Configure Monitor Mode on Security Gateway interfaces, to monitor traffic from a mirror port or
span port on a switch. Use Monitor Mode to analyze network traffic without changing the
production environment. The mirror port on a switch duplicates the network traffic and sends it to
the monitor interface on the gateway to record the activity logs.
You can use mirror ports:
• To monitor the use of applications as a permanent part of your deployment
• To evaluate the capabilities of the Application Control and IPS blades before you buy them
The mirror port does not enforce a policy or run active operations (prevent, drop, reject) on
network traffic. It can be used only to evaluate the monitoring and detecting capabilities of the
Software Blades. All duplicated packets that arrive at the monitor interface of the gateway are
terminated and will not be forwarded. The Security Gateway does not send traffic through the
monitor interface.
For more information, see:
• R80.10 Gaia Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Gaia_Admin
Guide/html_frameset.htm > Chapter Network Management > Section Network Interfaces >
Subsection Physical Interfaces.
• sk101670: Monitor Mode on Gaia OS and SecurePlatform OS
http://supportcontent.checkpoint.com/solutions?id=sk101670.

Configuring Monitor Mode

You can configure a mirror or TAP port to duplicate network traffic that is sent to a Security
Gateway. The gateway inspects the traffic but does not drop packets.
Connect the Security Gateway to a mirror port on the switch that duplicates the ports and VLANs.

Installation and Upgrade Guide R80.10 | 158

 Special Scenarios for Security Gateways

Item Description
1 Switch with mirror port

2 Computers

3 Servers

4 Security Gateway in monitor mode

5 Management for Security Gateway

Note - Make sure that one mirror port on the switch is connected to one interface on the Security
Gateway.

To enable Monitor Mode on the Security Gateway from the Gaia Portal:
1. From the navigation tree, click Network Management > Network Interfaces.
2. Select the interface and click Edit.
3. Click the Ethernet tab and check Monitor Mode.
4. Click OK.

To enable monitor mode on the Security Gateway from the Gaia Clish:
# set interface <interface name> monitor-mode on

Supported Software Blades for Monitor Mode

These Software Blades support Monitor mode for Security Gateway deployment:

Supported Blade Supports Gateways in Supports Virtual System in

Monitor Mode Monitor Mode
Firewall Yes Yes

IPS Yes Yes

URL Filtering Yes Yes

DLP Yes No

Anti-Bot Yes Yes

Application Control Yes Yes

Identity Awareness Yes No

Threat Emulation Yes Yes

Installation and Upgrade Guide R80.10 | 159

 Special Scenarios for Security Gateways

Unsupported Software Blades for Monitor Mode

These features, Software Blades, and deployments are not supported in Monitor mode:
• NAT
• IPsec VPN
• HTTPS Inspection
• Mobile Access
• DLP with FTP
• HTTP/HTTPS proxy
• Anti-Spam and Email Security
• QoS
• Traditional Anti-Virus
• User Authentication
• Client Authentication

Unsupported Deployments for Monitor Mode

These are deployments do not support Monitor Mode:
• Access to Portals
• Multiple TAP interfaces when the same traffic is monitored

Installation and Upgrade Guide R80.10 | 160

 Special Scenarios for Security Gateways

Deploying a Security Gateway or a ClusterXL in Bridge

Mode
If you install a new Security Gateway in a network and cannot change the IP routing scheme, use
bridge mode. A Security Gateway in bridge mode is invisible to Layer-3 traffic. When authorized
traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a
Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the
other interface. Bridging lets the Security Gateway inspect and forward traffic, without the original
IP routing.
Before configuring the bridge, install the Security Gateway.
To manage the gateway in bridge mode:
• The gateway must have a separate, routed IP address
• You must configure the bridged interfaces

To configure a bridge interface in the Gaia Portal:

1. In the Gaia Portal navigation tree, select Network Interfaces.
2. Click Add > Bridge, or select an interface and click Edit.
The Add (or Edit) Bridge window opens.
3. On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
4. Select the interfaces from the Available Interfaces list and then click Add.
5. Click the IPv4 or IPv6 tabs, and then enter the IP addresses and subnet.
Or click Obtain IP Address automatically.
6. Click OK.

To configure a bridge interface with the CLI:

1. Run: add bridging group <Group Name> interface <physical interface name>
2. Run again for each interface in the bridge.
3. Run: save config
4. Add a bridge interface IP address:
• IPv4: set interface <Group Name> ipv4-address <IP> subnet-mask <Mask>
• IPV6: set interface <Group Name> ipv6-address <IP> mask-length <Prefix>
5. Run: save config

Supported Software Blades in Bridge Mode

This table lists Software Blades, features, and their support for the Bridge Mode. This table
applies to single Security Gateway deployment, ClusterXL (with one switch) in Active/Active and
Active/Standby deployment, and ClusterXL with four switches.

Installation and Upgrade Guide R80.10 | 161

 Special Scenarios for Security Gateways

Software Blade Support of a Support of a Support of VSX

Security ClusterXL Virtual
Gateway in Bridge Mode Systems
in Bridge Mode in Bridge Mode
Firewall Yes Yes Yes

IPS Yes Yes Yes

URL Filtering Yes Yes Yes

DLP Yes Yes No

Anti-Bot Yes Yes Yes

Anti-Virus Yes (1) Yes (1) Yes (1)

Application Control Yes Yes Yes

HTTPS Inspection Yes (2) Yes (2) No

Identity Awareness Yes (3) Yes (3) No

Threat Emulation - Yes Yes Yes in

Active/Active
ThreatCloud emulation
Bridge Mode
No in
Active/Standby
Bridge Mode

Threat Emulation - Yes Yes No in all

Bridge Modes
Local emulation

Threat Emulation - Yes Yes Yes in

Active/Active
Remote emulation
Bridge Mode
No in
Active/Standby
Bridge Mode

UserCheck Yes Yes No

QoS Yes (see No (see No (see

sk89581 sk89581 sk79700
http://supportc http://supportc http://supportc
ontent.checkp ontent.checkp ontent.checkp
oint.com/soluti oint.com/soluti oint.com/soluti
ons?id=sk8958 ons?id=sk8958 ons?id=sk7970
1) 1) 0)

HTTP / HTTPS proxy Yes Yes No

Installation and Upgrade Guide R80.10 | 162

 Special Scenarios for Security Gateways

Software Blade Support of a Support of a Support of VSX

Security ClusterXL Virtual
Gateway in Bridge Mode Systems
in Bridge Mode in Bridge Mode
Security Servers - SMTP, HTTP, FTP, POP3 Yes Yes No

Client Authentication Yes Yes No

User Authentication Yes Yes No

Multi-Portal (Mobile Access Portal, Identity Yes No No

Awareness Captive Portal, Data Loss
Prevention Portal, and so on)

IPsec VPN No No No

Mobile Access No No No

Notes:
1. Does not support the Anti-Virus in Traditional Mode.
2. HTTPS Inspection in Layer 2 works as Man-in-the-Middle, based on MAC addresses:
• Client sends a TCP [SYN] packet to the MAC address X.
• Security Gateway creates a TCP [SYN-ACK] packet and sends it to the MAC address X.
• Security Gateway in Bridge Mode does not need IP addresses, because CPAS takes the
routing and the MAC address from the original packet.
Note - To be able to perform certificate validation (CRL/OCSP download), Security Gateway
needs at least one interface to be assigned with an IP address. Probe bypass can have issues
with Bridge Mode. Therefore, we do not recommend Probe bypass in Bridge Mode
configuration.
3. Identity Awareness in Bridge Mode supports only the AD Query authentication.
For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS
http://supportcontent.checkpoint.com/solutions?id=sk101371.

Limitations in Bridge Mode

You can configure only two slave interfaces in a single Bridge interface. You can think of this
Bridge interface as a two-port Layer 2 switch. Each port can be a Physical interface, a VLAN
interface, or a Bond interface.
These features and deployments are not supported in Bridge Mode:
• Assigning an IP address to a Bridge interface in ClusterXL.
• NAT rules (specifically, FireWall kernel in logs shows the traffic as accepted, but Security
Gateway does not actually forward it). For more information, see sk106146
http://supportcontent.checkpoint.com/solutions?id=sk106146.
• Access to Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss
Prevention Portal, and so on) from bridged networks, if the bridge does not have an assigned
IP address.
• Clusters with more than two Cluster Members.

Installation and Upgrade Guide R80.10 | 163

 Special Scenarios for Security Gateways

• Full High Availability Cluster.

• Asymmetric traffic inspection in ClusterXL in Active/Active Bridge Mode. (Asymmetric traffic
inspection is any situation, where the Client-to-Server packet is inspected by one Cluster
Member, while the Server-to-Client packet is inspected by the other Cluster Member. In such
scenarios, several security features do not work.)
For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS
http://supportcontent.checkpoint.com/solutions?id=sk101371.

Configuring a Single Security Gateway in Bridge Mode

Item Description
1 Security Gateway that bridges Layer 2 traffic between the two network segments

2 and 3 Switches that connect the network segments to the Security Gateway in Bridge Mode

4 Network divided into two segments by the Security Gateway in Bridge Mode

To define the bridge topology:

1. Configure a dedicated management interface.
2. Configure the bridge interface. It must be in the bridged subnet. Only the bridge interface has
an IP address. The bridge ports must not have IP addresses.
3. Configure the bridge topology in the properties of the network object:
• If a bridge port connects to the Internet, set the interface to External.
• If the Security Gateway is in rules with Internet objects, set the interface to External.
• If the topology uses Anti-Spoofing for the internal port (interface), set the interface to
Internal and select the network that connects to the port.
• If the topology does not use Anti-Spoofing, disable Anti-Spoofing on the bridge port.
For example:
Bridge Interface - eth0 - External - 192.0.2.0.208/24
Bridge Port to Internet - eth1 - External - 0.0.0.0/0
Bridge Port with Anti-Spoofing - eth2 - Internal to CP_default_Office network - 0.0.0.0/0

Installation and Upgrade Guide R80.10 | 164

 Special Scenarios for Security Gateways

Configuring a ClusterXL in Bridge Mode

You can configure ClusterXL in Bridge Mode in different cluster deployments:

ClusterXL in Bridge Mode Number of Supported Switches

Active / Standby Two only

Active / Active Two, or Four

For instructions, see:

• Configuring ClusterXL in Bridge Mode - Active/Standby with Two Switches (on page 165)
• Configuring ClusterXL in Bridge Mode - Active/Active with Two Switches (on page 166)
• Configuring ClusterXL in Bridge Mode - Active/Active with Four Switches (on page 167)

Configuring ClusterXL in Bridge Mode - Active/Standby with Two Switches

Example for deployment Active/Standby mode with two switches:

Item Description
1 and 2 Switches

Cluster members that bridge Layer 2 traffic

3 and 4 The slaves of the bridge interface (for example, eth1 and eth2)

5 The ClusterXL Sync interfaces (for example, eth3)

This is the preferred mode in topologies that support it.

In Active/Standby mode, ClusterXL decides the cluster state. The standby member drops all
packets. It does not pass any traffic, including STP/RSTP/MSTP. If there is a failover, the switches
are updated by the Security Gateway to forward traffic to the new active member.
If you use this mode, it is best to disable STP/RSTP/MSTP on the adjacent switches.

Installation and Upgrade Guide R80.10 | 165

 Special Scenarios for Security Gateways

To configure Active/Standby mode:

1. Install the cluster members.
2. In SmartDashboard, configure the ClusterXL object in High Availability mode and install policy
on the cluster object.
3. On each cluster member, run: cpconfig
4. Enter 8, to select Enable Check Point ClusterXL for Bridge Active/Standby.
5. Confirm: y
6. Reboot each cluster member.
7. In SmartDashboard, install policy on the cluster object.
8. On each cluster member, examine the cluster state. Run: cphaprob state
The output should be similar to:
Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP Membership
Number Unique Address Firewall State (*)
1 (local> 2.2.2.3 Active
2 2.2.2.2 Standby

Configuring ClusterXL in Bridge Mode - Active/Active with Two Switches

When you define a bridge interface on a Security Gateway cluster, Active/Active mode is activated
by default.
Before you begin, install ClusterXL High Availability on a Gaia appliance or open server.

To configure Active/Active mode, do these steps on each member of the cluster:

1. Install the cluster members.
2. Configure dedicated Management and Sync interfaces.
3. Add a bridge interface, as in a single gateway deployment (on page 164).
Do not configure an IP address on the newly created bridge interface.
4. In SmartDashboard:
a) Create the ClusterXL object.
b) In the Cluster Mode page, select High Availability.
c) In the Topology page, get the cluster topology.
d) Make sure the dedicated Management and Sync interfaces are configured.
e) Make sure the Bridge interface and bridge slave interfaces are not in the topology.
Bridge interface topology cannot be defined. It is External by default.
5. Install policy on the cluster object.
6. On each cluster member, examine the cluster state. Run: cphaprob state
The output should be similar to:
Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP
Membership
Number Unique Address Firewall State (*)
1 (local> 2.2.2.3 Active
2 2.2.2.2 Active

Installation and Upgrade Guide R80.10 | 166

 Special Scenarios for Security Gateways

Configuring a ClusterXL in Bridge Mode - Active/Active with Four Switches

You can configure a bridged cluster between four switches, in Active/Active mode.
In the Bridge Active/Active mode, ClusterXL works in Load Sharing mode.
Note - Active/Standby mode is not supported with four switches.
Example topology:

Item Description
1, 2, 3, 4 Switches

Cluster members that bridge Layer 2 traffic

5 and 6 The slaves of the bridge interface (for example, eth1 and eth2)

7 The ClusterXL Sync interfaces (for example, eth3)

The workflow and detailed instructions are the same as in the Configuring ClusterXL in Bridge
Mode - Active/Active with Two Switches (on page 166).
See also: Link Aggregation with ClusterXL in Layer 2
http://supportcontent.checkpoint.com/documentation_download?ID=23341.

Installation and Upgrade Guide R80.10 | 167

 Special Scenarios for Security Gateways

Routing and Bridge Interfaces

Security Gateways with a Bridge interface can support Layer 3 routing over non-bridged
interfaces. If you configure a Bridge interface with an IP address on a Security Gateway (not on
Cluster Members), the Bridge interface functions as a regular Layer 3 interface. It participates in
IP routing decisions on the Security Gateway and supports Layer 3 routing.
• Cluster deployments do not support this configuration.
• You cannot configure the Bridge interface to be the nexthop gateway for a route.
• A Security Gateway can support multiple Bridge interfaces, but only one Bridge interface can
have an IP address.
• A Security Gateway cannot filter or transmit packets that it inspected before on a Bridge
interface (to avoid double-inspection).

Procedure for Security Gateways R80.10

Configure the Security Gateway to reroute packets on the Bridge interface. Set the value of the
kernel parameter fwx_bridge_reroute_enabled to 1. The Security Gateway makes sure that
the MD5 hash of the packet that leaves the Management Interface and enters the Bridge interface
is the same. Other packets in this connection are handled by the Bridge interface without using
the router.
Notes:
• To make the change permanent (to survive reboot), you configure the value of the required
kernel parameter in the configuration file. This change applies only after a reboot.
• To apply the change on-the-fly (does not survive reboot), you configure the value of the
required kernel parameter with the applicable command.
Procedure:

Step Description
1 Connect to the command line on the Security Gateway.

2 Log in to the Expert mode.

3 Modify the $FWDIR/boot/modules/fwkern.conf file.

3A Back up the current $FWDIR/boot/modules/fwkern.conf file:

# cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
Important - If this file does not exit, create it. Run:
# touch $FWDIR/boot/modules/fwkern.conf

3B Edit the current $FWDIR/boot/modules/fwkern.conf file:

# vi $FWDIR/boot/modules/fwkern.conf

3C Add this line in the file:

fwx_bridge_reroute_enabled=1
Important - This configuration file does not support spaces or comments.

Installation and Upgrade Guide R80.10 | 168

 Special Scenarios for Security Gateways

Step Description
3D Save the changes in the file.

3E exit the Vi editor.

4 Set the value of the required kernel parameter on-the-fly:

# fw ctl set int fwx_bridge_reroute_enabled 1

5 Make sure the Security Gateway loaded the new configuration:

# fw ctl get int fwx_bridge_reroute_enabled

6 Reboot the Security Gateway when possible.

After reboot, make sure the Security Gateway loaded the new configuration:
# fw ctl get int fwx_bridge_reroute_enabled

Procedure for Security Gateways R77.10, R77.20 and R77.30

To resolve this issue, configure the Security Gateway to recognize that the first packet is from the
Management Interface. The Security Gateway makes sure that the MD5 hash of the packet that
leaves the Management Interface and enters the Bridge interface is the same. Other packets in
this connection are handled by the Bridge interface without using the router.

Step Description
1 Connect to the command line on the Security Gateway.

2 Log in to the Expert mode.

3 Modify the $FWDIR/boot/modules/fwkern.conf file.

3A Back up the current $FWDIR/boot/modules/fwkern.conf file:

# cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
Important - If this file does not exit, create it. Run:
# touch $FWDIR/boot/modules/fwkern.conf

3B Edit the current $FWDIR/boot/modules/fwkern.conf file:

# vi $FWDIR/boot/modules/fwkern.conf

3C Add the applicable line in the file.

Important - This configuration file does not support spaces or comments.
For IPv4 traffic:
fwx_bridge_reroute_ipv4=<IPv4 address of the Management interface on the
Security Gateway>
For IPv6 traffic:
fwx_bridge_reroute_ipv6=<IPv6 address of the Management interface on the
Security Gateway>

Installation and Upgrade Guide R80.10 | 169

 Special Scenarios for Security Gateways

Step Description
3D Save the changes in the file.

3E exit the Vi editor.

4 Reboot the Security Gateway.

5 Make sure the Security Gateway loaded the new configuration:

# fw ctl get int fwx_bridge_reroute_ipv4
# fw ctl get int fwx_bridge_reroute_ipv6

Procedure for Security Gateways R77 and Lower

To resolve this issue, you can disable inspection on the Management Interface and disable local
Anti-Spoofing.
Important - This procedure removes inspection from the Management Interface and could
compromise Security Gateway's security. If you are unsure whether your environment is safe to
use this method, contact Check Point Support
https://www.checkpoint.com/support-services/contact-support/.

Step Description
1 Connect to the command line on the Security Gateway.

2 Log in to the Expert mode.

3 Modify the $PPKDIR/boot/modules/simkern.conf file.

3A Back up the current $PPKDIR/boot/modules/simkern.conf file:

# cp -v $PPKDIR/boot/modules/simkern.conf{,_BKP}
Important - If the file does not exist, create it:
# touch $PPKDIR/boot/modules/simkern.conf

3B Edit the current $PPKDIR/boot/modules/simkern.conf file:

# vi $PPKDIR/boot/modules/simkern.conf

3C Add this line:

simlinux_excluded_ifs_list=<Name of Management Interface>
Notes:
• This configuration file does not support spaces or comments.
• This change excludes the Management Interface from SecureXL (see sk33541
http://supportcontent.checkpoint.com/solutions?id=sk33541).
3D Save the changes and exit the Vi editor.

4 Modify the $FWDIR/boot/modules/fwkern.conf file.

Installation and Upgrade Guide R80.10 | 170

 Special Scenarios for Security Gateways

Step Description
4A Back up the current $FWDIR/boot/modules/fwkern.conf file:
# cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
Important - If the file does not exist, create it:
# touch $FWDIR/boot/modules/fwkern.conf

4B Edit the current $FWDIR/boot/modules/fwkern.conf file:

# vi $FWDIR/boot/modules/fwkern.conf

4C Add these three lines:

fwx_bridge_use_routing=0
fw_local_interface_anti_spoofing=0
fwlinux_excluded_ifs_list=<Name of Management Interface>
Notes:
• This configuration file does not support spaces or comments.
• This change disables routing on Bridge interfaces.
• This change disables local Anti-Spoofing.
• This change excludes the Management Interface from Firewall (see sk33541
http://supportcontent.checkpoint.com/solutions?id=sk33541).
4D Save the changes and exit the Vi editor.

5 Reboot the Security Gateway.

Installation and Upgrade Guide R80.10 | 171

 Special Scenarios for Security Gateways

IPv6 Neighbor Discovery

Neighbor discovery works over the ICMPv6 Neighbor Discovery protocol, which is the functional
equivalent of the IPv4 ARP protocol. ICMPv6 Neighbor Discovery Protocol must be explicitly
permitted in the Access Control Rule Base for all bridged networks. This is different from ARP.
ARP traffic is Layer 2 only, therefore it permitted regardless of the Rule Base.
This is an example of an explicit Rule Base that permits ICMPv6 Neighbor Discovery protocol:

Source Destination Services and Applications Action

Network object Network object neighbor-advertisement Accept

that represents that represents neighbor-solicitation

the Bridged the Bridged router-advertisement

router-solicitation
Network Network
redirect6

Installation and Upgrade Guide R80.10 | 172

 Special Scenarios for Security Gateways

Configuring Link State Propagation (LSP)

On a Check Point Appliances that run as a Security Gateway or ClusterXL Cluster Members, you
can bind together in Bridge mode two physical ports on a Check Point Line Card. When the link
state for one bridged slave port goes down, the other bridged slave port also goes down. This lets
a switch detect and react faster to a link failure on the other side of a bridge or another part of the
network.
Link State Propagation is supported on Check Point appliances with these Line Cards:

Line Card SKU Description Driver

CPAC-4-1C 4 Port 10/100/1000 Base-T Ethernet (RJ45) interface card IGB

CPAC-8-1C 8 Port 10/100/1000 Base-T Ethernet (RJ45) interface card IGB

CPAC-4-1F 4 Port 1000 Base-F Fiber (SFP) interface card IGB

CPAC-4-10F 4 Port 10G Base-F Fiber (SFP+) interface card IXGBE

You can configure the Link State Propagation in one of these modes:

LSP Mode Description

Automatic port Security Gateways and Cluster Members automatically assign all
detection bridged Line Card ports to port pairs
and port pair creation

Manual port pair You manually configure the assignment of bridged Line Card ports to
creation port pairs.
Note - You can configure up to four port pairs.

Important:
• In a cluster environment, you must configure all the Cluster Members in the same way.
• Link State Propagation does not support Bond interfaces.

To configure Link State Propagation for automatic port detection:

Step Description
1 Connect to the command line on the Security Gateway or each Cluster Member.

2 Log in to the Expert mode.

3 Back up the current $FWDIR/boot/modules/fwkern.conf file:

# cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
Important - If this file does not exist, create it:
# touch $FWDIR/boot/modules/fwkern.conf

4 Edit the current $FWDIR/boot/modules/fwkern.conf file:

# vi $FWDIR/boot/modules/fwkern.conf

Installation and Upgrade Guide R80.10 | 173

 Special Scenarios for Security Gateways

Step Description
5 Add this line:
fw_link_state_propagation_enabled=1

6 Save the changes in the file and exit the Vi editor.

7 Reboot the Security Gateway or each Cluster Member.

8 Make sure the Security Gateway or Cluster Members loaded the new configuration:
# fw ctl get int fw_link_state_propagation_enabled

To configure Link State Propagation for manual port detection:

Step Description
1 Connect to the command line on the Security Gateway or each Cluster Member.

2 Log in to the Expert mode.

3 Back up the current $FWDIR/boot/modules/fwkern.conf file:

# cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
Important - If this file does not exist, create it:
# touch $FWDIR/boot/modules/fwkern.conf

4 Edit the current $FWDIR/boot/modules/fwkern.conf file:

# vi $FWDIR/boot/modules/fwkern.conf

5 Add these three lines (you can configure up to four pairs):

fw_link_state_propagation_enabled=1
fw_manual_link_state_propagation_enabled=1
fw_lsp_pair1="<interface_name1,interface_name2>"
fw_lsp_pair2="<interface_name3,interface_name4>"
fw_lsp_pair3="<interface_name5,interface_name6>"
fw_lsp_pair4="<interface_name7,interface_name8>"
Example:
fw_lsp_pair1="eth1,eth2"
fw_lsp_pair2="eth3,eth4"

6 Save the changes in the file and exit the Vi editor.

7 Reboot the Security Gateway or each Cluster Member.

Installation and Upgrade Guide R80.10 | 174

 Special Scenarios for Security Gateways

Step Description
8 Make sure the Security Gateway or Cluster Members loaded the new configuration:
# fw ctl get int fw_link_state_propagation_enabled
# fw ctl get int fw_manual_link_state_propagation_enabled
# fw ctl get str fw_lsp_pair1
# fw ctl get str fw_lsp_pair2
# fw ctl get str fw_lsp_pair3
# fw ctl get str fw_lsp_pair4

For more information:

See sk108121: How to configure Link State Propagation (LSP) in a Bridge interface on Gaia OS and
SecurePlatform OS http://supportcontent.checkpoint.com/solutions?id=sk108121.

Installation and Upgrade Guide R80.10 | 175

 Special Scenarios for Security Gateways

Security Before Firewall Activation

Boot Security
The Boot Security protects the Security Gateway and its networks, during the boot:
• Disables the IP Forwarding in Linux OS kernel
• Loads the Default Filter Policy
For additional information, see these commands in the R80.10 Command Line Reference Guide:

Command Description
$FWDIR/bin/control_bootsec {-r | -R} Disables the boot security

$FWDIR/bin/control_bootsec [-g | -G] Enables the boot security

$FWDIR/bin/comp_init_policy [-u | -U] Deletes the local state policy

$FWDIR/bin/comp_init_policy [-g | -G] Creates the local state Initial Policy

Control of IP Forwarding on Boot

Boot Security disables IP forwarding in the Linux OS kernel. There is never a time when IP
Forwarding is active without a security policy. This protects the networks connected to the
Security Gateway.

The Default Filter

The Default Filter Policy protects the Security Gateway from the time it boots up until it installs the
security policy.
Boot Security disables IP Forwarding and loads the Default Filter Policy.
There are three Default Filters templates on the Security Gateway:

Default Filter Mode Default Filter Policy File Description

Boot Filter $FWDIR/lib/defaultfilte This filter:
r.boot
• Drops all incoming packets that have
the same source IP addresses as the IP
addresses assigned to the Security
Gateway interfaces
• Allows all outbound packets from the
Security Gateway
Drop Filter $FWDIR/lib/defaultfilte This filter drops all inbound and outbound
r.drop packets on the Security Gateway.
Best Practice - If the boot process requires
that the Security Gateway communicate
with other hosts, do not use the Drop Filter.

Installation and Upgrade Guide R80.10 | 176

 Special Scenarios for Security Gateways

Default Filter Mode Default Filter Policy File Description

Filter for $FWDIR/lib/defaultfilte This filter for Security Gateways with
Dynamically r.dag Dynamically Assigned IP address:
Assigned Gateways
• Allows all DHCP Requests
(DAG)
• Allows all DHCP Replies
• Uses Boot Filter:
a) Drops all incoming packets that
have the same source IP addresses
as the IP addresses assigned to the
Security Gateway interfaces
b) Allows all outbound packets from
the Security Gateway

Selecting the Default Filter

Important - In a cluster, you must configure all the Cluster Members in the same way.

Step Description
1 Make sure to configure and install a Security Policy on the Security Gateway.

2 Connect to the command line on the Security Gateway.

3 Log in to the Expert mode.

4 Back up the current Default Filter Policy file:

# cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

5 Create a new Default Filter Policy file.

• To create a new Boot Filter, run:
# cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf
• To create a new Drop Filter, run:
# cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf
• To create a new DAG Filter, run:
# cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf

6 Compile the new Default Filter file:

# fw defaultgen
• The new complied Default Filter file for IPv4 traffic is:
$FWDIR/state/default.bin
• The new complied Default Filter file for IPv6 traffic is:
$FWDIR/state/default.bin6

Installation and Upgrade Guide R80.10 | 177

 Special Scenarios for Security Gateways

Step Description
7 Get the path of the Default Filter Policy file:
# $FWDIR/boot/fwboot bootconf get_def
Example:
[Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
/etc/fw.boot/default.bin
[Expert@MyGW:0]#

8 Copy new complied Default Filter file to the path of the Default Filter Policy file.
• For IPv4 traffic, run:
# cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin
• For IPv6 traffic, run:
# cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6

9 Make sure to connect to the Security Gateway over a serial console.

If the new Default Filter Policy fails and blocks all access through the network interfaces,
you can unload that Default Filter Policy and install the working policy.

10 Reboot the Security Gateway.

Defining a Custom Default Filter

Administrators with Check Point INSPECT language knowledge can define customized Default
Filters.
Important - Make sure your customized Default Filter policy does not interfere with the Security
Gateway boot process.

Step Description
1 Make sure to configure and install a Security Policy on the Security Gateway.

2 Connect to the command line on the Security Gateway.

3 Log in to the Expert mode.

4 Back up the current Default Filter Policy file:

# cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

5 Create a new Default Filter Policy file.

• To use the Boot Filter as a template, run:
# cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf
• To use the Drop Filter as a template, run:
# cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf
• To use the DAG Filter as a template, run:
# cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf

Installation and Upgrade Guide R80.10 | 178

 Special Scenarios for Security Gateways

Step Description
6 Edit the new Default Filter Policy file to include the desired INSPECT code.
Important - Your customized Default Filter must not use these functions:
• Logging
• Authentication
• Encryption
• Content Security
7 Compile the new Default Filter file:
# fw defaultgen
• The new complied Default Filter file for IPv4 traffic is:
$FWDIR/state/default.bin
• The new complied Default Filter file for IPv6 traffic is:
$FWDIR/state/default.bin6

8 Get the path of the Default Filter Policy file:

# $FWDIR/boot/fwboot bootconf get_def
Example:
[Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
/etc/fw.boot/default.bin
[Expert@MyGW:0]#

9 Copy new complied Default Filter file to the path of the Default Filter Policy file.
• For IPv4 traffic, run:
# cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin
• For IPv6 traffic, run:
# cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6

10 Make sure to connect to the Security Gateway over a serial console.

If the new Default Filter Policy fails and blocks all access through the network interfaces,
you can unload that Default Filter Policy and install the working policy.

11 Reboot the Security Gateway.

Installation and Upgrade Guide R80.10 | 179

 Special Scenarios for Security Gateways

Using the Default Filter for Maintenance

It is sometimes necessary to stop the Security Gateway for maintenance. It is not always practical
to disconnect the Security Gateway from the network (for example, if the Security Gateway is on a
remote site).
To stop the Security Gateway for maintenance and maintain security, you can run:

Command Description

cpstop -fwflag • Shuts down Check Point processes

–default
• Loads the Default Filter policy (defaultfilter)
cpstop -fwflag -proc • Shuts down Check Point processes
• Keeps the currently loaded kernel policy
• Maintains the Connections table, so that after you run the
cpstart command, you do not experience dropped packets
because they are "out of state"
Note - Only security rules that do not use user space processes
continue to work.

Installation and Upgrade Guide R80.10 | 180

 Special Scenarios for Security Gateways

The Initial Policy

Until the Security Gateway administrator installs the security policy on the gateway for the first
time, security is enforced by an Initial Policy. The Initial Policy operates by adding the predefined
implied rules to the Default Filter. These implied rules forbid most communication, yet allow the
communication needed for the installation of the security policy. The Initial Policy also protects a
Security Gateway during Check Point product upgrades, when a SIC certificate is reset on the
Security Gateway, or in the case of a Check Point product license expiration.
Note - During a Check Point upgrade, a SIC certificate reset, or license expiration, the Initial Policy
overwrites the user-defined policy.
The sequence of actions during boot of the Security Gateway until a security policy is loaded for
the first time:

Step Description
1 The Security Gateway boots up.

2 The Security Gateway disables IP Forwarding and loads the Default Filter.

3 The Security Gateway configures the interfaces.

4 The Security Gateway services start.

5 The fetches the Initial Policy from the local directory.

6 Management Server installs the user-defined security policy.

The Security Gateway enforces the Initial Policy until administrator installs a user-defined policy.
In subsequent boots, the Security Gateway loads the user-defined policy immediately after the
Default Filter.
There are different Initial Policies for Standalone and distributed setups:
• In a Standalone configuration, where the Security Management Server and the Security
Gateway are on the same computer, the Initial Policy allows CPMI management
communication only. This permits SmartConsole clients to connect to the Security
Management Server.
• In a distributed configuration, where the Security Management Server is on one computer and
the Security Gateway is on a different computer, the Initial Policy:
• Allows cpd and fwd daemons to communicate for SIC (to establish trust) and for Policy
installation.
• Does not allow CPMI connections through the Security Gateway. The SmartConsole will not
be able to connect to the Security Management Server, if the SmartConsole must access
the Security Management Server through a Security Gateway with the Initial Policy.

Installation and Upgrade Guide R80.10 | 181

 Special Scenarios for Security Gateways

Monitoring Security
You can see that the Default Filter or the Initial Policy are loaded on a non-production Security
Gateway. Restart the computer before you install policy and run:
$FWDIR/bin/fw stat
If the output shows defaultfilter for the Default Filter status and InitialPolicy for the installed
policy, the computer is running on the default, pre-Firewall security.

Installation and Upgrade Guide R80.10 | 182

 Special Scenarios for Security Gateways

Unloading Default Filter or Initial Policy

To unload a Default Filter or an Initial Policy from the kernel, use the command to unloading a
regular policy. Do this only if you are sure that the security of the Default Filter or Initial Policy is
not required.
To unload the Default Filter locally: fw unloadlocal
To unload an Initial Policy from a remote Security Management Server: fwm unload <gateway>
Where gateway is the name of the gateway object.

Installation and Upgrade Guide R80.10 | 183

 Special Scenarios for Security Gateways

Troubleshooting: Cannot Complete Reboot

In some configurations, the Default Filter prevents the Security Gateway from completing the
reboot after installation.
First, look at the Default Filter. Does the Default Filter allow traffic required by the boot
procedures?
If the boot process cannot finish successfully, remove the Default Filter:

Step Description
1 Connect to the Security Gateway over serial console.

2 Reboot the Security Gateway.

3 During boot, press any key to enter the Boot Menu.

4 Select the Start in maintenance mode.

5 Enter the Expert mode password.

6 Set the Default Filter to not load again:

a) cd /opt/CPsuite-<VERSION>/fw1/
b) ./fwboot bootconf set_def

7 In the $FWDIR/boot/boot.conf file, examine the value of the

DEFAULT_FILTER_PATH:
a) cd /opt/CPsuite-<VERSION>/fw1/
b) grep DEFAULT_FILTER_PATH boot/boot.conf

8 Reboot the Security Gateway.

Installation and Upgrade Guide R80.10 | 184

CHAPTE R 25

Working with Licenses

In This Section:
Viewing Licenses in SmartConsole............................................................................185
Monitoring Licenses in SmartConsole ......................................................................187
Configuring Licenses - Gaia Portal ...........................................................................190

You can manage licenses on your Security Gateways in a few ways.

• In SmartConsole (on page 185) you can activate your licenses.
• In the Gaia Portal (on page 190), you can activate, add, or delete your licenses.
• In Gaia Clish or the Expert Mode (on page 212), you can add or delete your licenses with the
cplic command.
• When Security Gateways are not connected to the Internet, you can add, delete, attach, and
detach your licenses in SmartUpdate (on page 191).
When Security Gateways are connected to the Internet, they are able to get and update their
licenses and contracts without SmartUpdate.

Viewing Licenses in SmartConsole

To view license information:
Step Description
1 In SmartConsole, from the left navigation panel, click Gateways & Servers.

2 From the Columns drop-down list, select Licenses.

You can see these columns:

Column Description
License Status The general state of the Software Blade licenses:
• OK - All the blade licenses are valid.
• Not Activated - Blade licenses are not installed. This is only possible in
the first 15 days after the establishment of the SIC with the Security
Management Server. After the initial 15 days, the absence of licenses
will result in the blade error message.
• Error with <number> blade(s) - The specified number of blade
licenses are not installed or not valid.
• Warning with <number> blade(s) - The specified number of blade
licenses have warnings.
• N/A - No available information.
CK Unique Certificate Key of the license instance.

Installation and Upgrade Guide R80.10 | 185

 Working with Licenses

Column Description
SKU Catalog ID from the Check Point User Center.

Account ID User's account ID.

Support Level Check Point level of support.

Support Date when the Check Point support contract expires.

Expiration

To view license information for each Software Blade:

Step Description
1 Select a Security Gateway or a Security Management Server.

2 In the Summary tab below, click the object's License Status (for example: OK).
The Device & License Information window opens. It shows basic object information
and License Status, license Expiration Date, and important quota information (in the
Additional Info column) for each Software Blade.
Notes:
• Quota information, quota-dependent license statuses, and blade information messages
are only supported for R80.
• The tooltip of the SKU is the product name.
The possible values for the Software Blade License Status are:

Status Description
Active The Software Blade is active and the license is valid.

Available The Software Blade is not active, but the license is valid.

No License The Software Blade is active but the license is not valid.

Expired The Software Blade is active, but the license expired.

About to Expire The Software Blade is active, but the license will expire in thirty days
(default) or less (7 days or less for an evaluation license).

Quota Exceeded The Software Blade is active, and the license is valid, but the quota of
related objects (gateways, files, virtual systems, and so on, depending on the
blade) is exceeded.

Quota Warning The Software Blade is active, and the license is valid, but the number of
objects of this blade is 90% (default) or more of the licensed quota.

N/A The license information is not available.

Installation and Upgrade Guide R80.10 | 186

 Working with Licenses

Monitoring Licenses in SmartConsole

To keep track of license issues, you can use these options:
• License Status view - To see and export license information for Software Blades on each
specific Security Management Server, gateway, or Log Server object.
• License Status report - To see, filter and export license status information for all configured
Security Management Server, gateway, or Log Server objects.
• License Inventory report - To see, filter and export license information for Software Blades
on all configured Security Management Server, gateway, or Log Server objects.
The SmartEvent Software Blade lets you customize the License Status and License Inventory
information from the Logs & Monitor view of SmartConsole.
It is also possible to view license information from the Gateways & Servers view of
SmartConsole without enabling the SmartEvent blade on Security Management Server.

The Gateways & Servers view in SmartConsole lets you see and export the License
Inventory report.
1. To see the License Inventory report from the Gateways & Servers view:
a) In SmartConsole, from the left Navigation Toolbar, click Gateways & Servers.
b) From the top toolbar, click Actions > License Report.
c) Wait for the SmartView to load and show this report.
By default, this report contains:
 Inventory page: Blade Names, Devices Names, License Statuses
 License by Device page: Devices Names, License statuses, CK, SKU, Account ID,
Support Level, Next Expiration Date
2. To export the License Inventory report from the Gateways & Servers view:
a) In the top right corner, click the Options button.
b) Select the applicable export option - Export to Excel, or Export to PDF.

The Logs & Monitor view in SmartConsole lets you see, filter and export the License
Status report.
1. To see the License Status report from the Logs & Monitor view:
a) In SmartConsole, from the left Navigation Toolbar, click Logs & Monitor
b) At the top, open a new tab by clicking New Tab, or [+].
c) In the left section, click Views.
d) In the list of reports, double-click License Status.
e) Wait for the SmartView to load and show this report.
By default, this report contains:
 Names of the configured objects, License status for each object, CK, SKU, Account ID,
Support Level, Next Expiration Date
2. To filter the License Status report in the Logs & Monitor view:
a) In the top right corner, click the Options button > View Filter.
Installation and Upgrade Guide R80.10 | 187
 Working with Licenses

The Edit View Filter window opens.

b) Select a Field to filter results. For example, Device Name, License Status, Account ID.
c) Select the logical operator - Equals, Not Equals, or Contains.
d) Select or enter a filter value.
Note - Click the X icon to delete a filter.
e) Optional: Click the + icon to configure additional filters.
f) Click OK to apply the configured filters.
The report is filtered based on the configured filters.
3. To export the License Status report in the Logs & Monitor view:
a) In the top right corner, click the Options button.
b) Select the applicable export option - Export to Excel, or Export to PDF.

The Logs & Monitor view in SmartConsole lets you see, filter and export the License
Inventory report.
1. To see the License Inventory report from the Logs & Monitor view:
a) In SmartConsole, from the left Navigation Toolbar, click Logs & Monitor
b) At the top, open a new tab by clicking New Tab, or [+].
c) In the left section, click Reports.
d) In the list of reports, double-click License Inventory.
e) Wait for the SmartView to load and show this report.
By default, this report contains:
 Inventory page: Blade Names, Devices Names, License Statuses
 License by Device page: Devices Names, License statuses, CK, SKU, Account ID,
Support Level, Next Expiration Date
2. To filter the License Inventory report in the Logs & Monitor view:
a) In the top right corner, click the Options button > Report Filter.
The Edit Report Filter window opens.
b) Select a Field to filter results. For example, Blade Name, Device Name, License
Overall Status, Account ID.
c) Select the logical operator - Equals, Not Equals, or Contains.
d) Select or enter a filter value.
Note - Click the X icon to delete a filter.
e) Optional: Click the + icon to configure additional filters.
f) Click OK to apply the configured filters.
The report is filtered based on the configured filters.
3. To export the License Inventory report in the Logs & Monitor view:
a) In the top right corner, click the Options button.
b) Select the applicable export option - Export to Excel, or Export to PDF.

Installation and Upgrade Guide R80.10 | 188

 Working with Licenses

Installation and Upgrade Guide R80.10 | 189

 Working with Licenses

Configuring Licenses - Gaia Portal

If you need to get a license, visit the User Center https://usercenter.checkpoint.com.
See the R80.10 Gaia Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54824.

To add a license:
Step Description
1 In the left navigation tree, click Maintenance > Licenses.

2 Click New.
The Add License window opens.

3 Enter the license data manually, or click Paste License to enter the data automatically.
The Paste License button only shows in Internet Explorer. For other web browsers, paste
the license strings into the empty text field.

4 Click OK.

To delete a license:
Step Description
1 In the left navigation tree, click Maintenance > Licenses.

2 Select a license in the table.

3 Click Delete.

Installation and Upgrade Guide R80.10 | 190

CHAPTE R 26

Using SmartUpdate
In This Section:
Accessing SmartUpdate .............................................................................................192
Licenses Stored in the Licenses & Contracts Repository ........................................193
Licensing Terms for SmartUpdate ............................................................................194
Managing Licenses Using SmartUpdate ...................................................................196
Attaching a License to a Security Gateway ...............................................................200
Detaching Licenses from a Security Gateway ...........................................................201
Upgrading with SmartUpdate for R77.30 and Below ................................................202

When Security Gateways are not connected to the Internet, you can add, delete, attach, and detach
your licenses in SmartUpdate.
When Security Gateways are connected to the Internet, they are able to get and update their
licenses and contracts without SmartUpdate.
SmartUpdate automatically distributes applications and updates for Check Point and OPSEC
Certified products and manages product licenses.
SmartUpdate provides a centralized way to guarantee that Internet security throughout the
enterprise network is always up to date.
These features and tools are available in SmartUpdate:
• Maintaining licenses
• Upgrading packages for R77.30 and below (on page 202)
• Adding packages to Package Repository for R77.30 and below (on page 204)
Important -
• The SmartUpdate GUI shows two tabs - Package Management and Licenses & Contracts.
• For versions R80.10 and above, the tools in the Package Management tab are no longer
supported.
• To install packages on Gaia OS, use CPUSE (see sk92449
http://supportcontent.checkpoint.com/solutions?id=sk92449), or Central Deployment Tool
(see sk111158 http://supportcontent.checkpoint.com/solutions?id=sk111158).
For further information, see Installing Packages on R80.10 and above (on page 74).

Installation and Upgrade Guide R80.10 | 191

 Using SmartUpdate

Accessing SmartUpdate
Step Description
1 Open the SmartUpdate in one of these ways:
• In SmartConsole, in the top left corner, click Menu > Manage licenses & packages.
• On the SmartConsole client, run this executable file directly:
• On Windows OS 32-bit:
C:\Program
Files\CheckPoint\SmartConsole\<RXX>\PROGRAM\SmartDistributor.
exe
• On Windows OS 64-bit:
C:\Program Files
(x86)\CheckPoint\SmartConsole\<RXX>\PROGRAM\SmartDistributor.
exe

2 In the top left corner, click Menu > View > Menu Bar.
The menu names appear at the top of the GUI.

Installation and Upgrade Guide R80.10 | 192

 Using SmartUpdate

Licenses Stored in the Licenses & Contracts Repository

When you add a license with SmartUpdate, it is stored in the Licenses & Contracts Repository.
The SmartUpdate provides a global view of all licenses available and all of the assigned licenses.
To activate the license once it is in the Repository, it has to be attached to a Security Gateway and
registered with the Management Server.
There are two license types available:

License type Description

Central The Central license is the preferred method of licensing.
• A Central license is tied to the IP address of the Management Server.
• There is one IP address for all licenses.
• The license remains valid if you change the IP address of the Security
Gateway.
• A license can be moved from one Check Point Security Gateway to another
easily.
• Maximum flexibility.
Local The Local license is an older method of licensing that is still supported.
• A Local license is tied to the IP address of the specific Security Gateway.
• Cannot be transferred to a gateway with a different IP address.

Installation and Upgrade Guide R80.10 | 193

 Using SmartUpdate

Licensing Terms for SmartUpdate

• Add (on page 196)
You can add any license that you receive from the User Center
https://usercenter.checkpoint.com to the License & Contract Repository first.
• You can add the licenses directly from a User Center account (on page 198).
• You can add the licenses from a file (on page 198) that you receive from the User Center.
• You can add the licenses manually (on page 198) by pasting or typing the license details.
When you add the Local license to the License & Contract Repository, it also attaches it to the
Security Gateway with the IP address, for which the license was issued.
• Attach
You can attach a license from the License & Contract Repository to a managed Security
Gateway.
• Detach (on page 201)
When you detach a license from a managed Security Gateway, you have to uninstall the license
from that Security Gateway. If this is a Central license, this operation makes that license in the
License & Contract Repository available to other managed Security Gateways.
• Get
You can add information from your managed Security Gateways about the licenses you
installed locally. This updates the License & Contract Repository with all local licenses across
the installation. The Get operation is a two-way process that places all locally installed
licenses in the License & Contract Repository and removes all locally deleted licenses from
the License & Contract Repository.
• Delete (on page 199)
You can delete a license from the License & Contract Repository.
• Export
You can export a license from the License & Contract Repository to a file.
• License Expiration
Licenses expire on a particular date, or never. If a license expires, the applicable products and
features stop working on the Check Point computer, to which the license is attached.
• State
The license state depends on whether the license is associated with a managed Security
Gateway in the License & Contract Repository, and whether the license is installed on that
Security Gateway. The license state definitions are as follows:
• Attached indicates that the license is associated with a managed Security Gateway in the
License & Contract Repository, and is installed on that Security Gateway.
• Unattached indicates that the license is not associated with managed Security Gateways in
the License & Contract Repository, and is not installed on managed Security Gateways.
• Assigned is a license that is associated with a managed Security Gateway in the License &
Contract Repository, but has not yet been installed on a Security Gateway.
• Upgrade Status
This is a field in the License & Contract Repository that contains an error message from the
User Center when the License Upgrade process fails.

Installation and Upgrade Guide R80.10 | 194

 Using SmartUpdate

• Central License
Attach a Central License to the IP address of your Management Server.
• Local License
A Local License is tied to the IP address of the specific Security Gateway. You can only use a
local license with a Security Gateway or a Security Management Server with the same address.
• Multi-License File
This is a license files that contains more than one license.
The cplic put, and cplic add commands support these files.
• Certificate Key
This is a string of 12 alphanumeric characters. The number is unique to each package.
• Features
This is a character string that identifies the features of a package.
• cplic
A CLI utility to manage local licenses on Check Point computers.

Installation and Upgrade Guide R80.10 | 195

 Using SmartUpdate

Managing Licenses Using SmartUpdate

Licenses are stored in the License Repository. You can open the Repository from SmartUpdate. Go
to the Licenses & Contracts tab. From the menu at the top, click the icon. The License &
Contract Repository window shows.
From the Repository you can do the following:
• View Repository contents.
• Add a new license to the Repository (on page 196).
• Delete a license from the Repository (on page 199).
• Upgrade a license (on page 199).
• Export a license to a file (on page 199).
• Check for an expired license (on page 199).
• Maintain the license.
• Attach a license to a Security Gateway (on page 200).
• Detach a license (on page 201).
• Viewing license properties (on page 200).

Adding New Licenses to the Licenses & Contracts Repository

To install a license, you must first add it to the Licenses & Contracts Repository.
You can add any license that you receive from the User Center https://usercenter.checkpoint.com
to the Licenses & Contracts Repository.
• You can add the licenses directly from a User Center account.
• You can add the licenses from a file that you receive from the User Center.
• You can add the licenses manually by pasting or typing the license details.
Notes:
• Unattached Central licenses appear in the Licenses & Contracts Repository.
• When you add the Local license to the Licenses & Contracts Repository, the Management
Server attaches it to the Security Gateway with the IP address, for which the license was
issued.
• All licenses are assigned a default name in the format SKU@ Time Date, which you can modify
at a later time.

Installation and Upgrade Guide R80.10 | 196

 Using SmartUpdate

To add a license directly from a User Center account:

1. Open the SmartUpdate (on page 192)
2. Click Licenses & Contracts menu > Add License > From User Center.
3. Enter your User Center credentials.
4. Click Assets / Info > Product Center.
5. Perform one of the following:
• Generate a new license, if there are no identical licenses. This adds the license to the
Licenses & Contracts Repository.
• Change the IP address of an existing license with Move IP.
• Change the license from Local to Central.

To add a license from a file:

1. In the applicable User Center account:
a) Generate a license.
b) Click the License Information tab.
c) Click Get Last License.
d) Click Get License File.
e) Save the CPLicenseFile.lic file.
2. Open the SmartUpdate (on page 192).
3. Click Licenses & Contracts menu > Add License > From File.
4. Locate and select the downloaded CPLicenseFile.lic file.
5. Click Open.
6. Follow the instructions in the SmartUpdate.
Note - A License File can contain multiple licenses.

To add a license manually:

1. Generate a license in the User Center.
Notes:
• User Center sends you an e-mail with the license information.
• You can also click the License Information tab to see and copy this information.
2. Open the SmartUpdate (on page 192).
3. Click Licenses & Contracts menu > Add License > Manually.
4. In the Add License window you can:
• Copy the applicable string from the User Center e-mail and click Paste License.
• Paste the applicable information you copied from the User Center.
Note - If you leave the Name field empty, the license is assigned a name in the format SKU@
Time Date.
5. Click OK.

Installation and Upgrade Guide R80.10 | 197

 Using SmartUpdate

Download a License From the User Center

To download a license from the User Center:
1. From SmartUpdate, click the icon at the top of the screen to Add License From User
Center.
2. Enter your credentials.
3. Perform one of the following:
• Generate a new license if there are no identical licenses. This adds the license to the
Licenses & Contracts Repository.
• Change the IP address of an existing license, that is, Move IP.
• Change the license from Local to Central.

Importing License Files

To import license files:
1. Select Licenses & Contract > Add License > From File.
2. Browse to the location of the license file, select it, and click Open.
A license file can contain multiple licenses. Unattached Central licenses appear in the Licenses &
Contracts Repository, and Local licenses are automatically attached to their Check Point
Security Gateway. All licenses are assigned a default name in the format SKU@ time date, which
you can modify at a later time.

Adding License Details Manually

If you receive a license by email, you can add it. The email contains the license installation
instructions.
1. Locate the license:
• In the email, copy the license to the clipboard. Copy the string that starts with cplic
putlic... and ends with the last SKU/Feature. For example: cplic putlic 1.1.1.1
06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX
CK-1234567890
• If you have a hard copy printout, continue to step 2.
2. Select the Network Objects License & Contract tab in SmartUpdate.
3. Select Licenses > Add License > Manually. The Add License window shows.
4. Enter the license details:
• If you copied the license to the clipboard, click Paste License. The fields will be populated
with the license details.
• Alternatively, enter the license details from a hard-copy printout.
5. Click Calculate, and make sure the result matches the validation code received from the User
Center.
6. You may assign a name to the license, if desired. If you leave the Name field empty, the
license is assigned a name in the format SKU@ time date.
7. Click OK to complete the operation.

Installation and Upgrade Guide R80.10 | 198

 Using SmartUpdate

Deleting a License from the Licenses & Contracts Repository

You can delete a license that is no longer attached to, or needed, from a Check Point Security
Gateway.

To delete a license:
1. Right-click anywhere in the Licenses & Contracts Repository and select View
Unattached Licenses.
2. Select the unattached licenses that you want to delete, and click Delete.

Upgrading a License
SmartUpdate can upgrade licenses that are in the Licenses & Contracts Repository.
SmartUpdate attempts to upgrade them with the use of the Upgrade tool.

Exporting a License to a File

You can export a license to a file and import it at a later time to the Licenses & Contracts
Repository. This can be useful for administrative or support purposes.

To export a license to a file:

1. In the Licenses Repository, select one or more licenses, right-click, and from the menu
select Export to File.
2. In the Export Licenses to File window, name the file (or select an existing file).
3. Click Save.
All the licenses that you select are exported. If the file already exists, the new licenses are added
to the file.

Checking for Expired Licenses

After a license has expired, the functionality of the Check Point package will be impaired.
Therefore, it is advisable to be aware of the pending expiration dates of all licenses.
To check for an expired license, select Licenses > Show Expired Licenses.
To check for licenses nearing their dates of expiration:
1. In the License Expiration window, set the Search for licenses expiring within the next
x days property.
2. Click Apply to run the search.
To delete an expired license from the License Expiration window, click Delete.

Installation and Upgrade Guide R80.10 | 199

 Using SmartUpdate

Attaching a License to a Security Gateway

You can select one or more licenses to attach to a gateway. When you attach a license, it is
attached to the remote managed gateway.
New licenses have to be attached when:
• An existing license expires.
• An existing license is upgraded to a newer license.
• A Local license is replaced with a Central license.
• The IP address of the Security Management Server or Check Point Security Gateway changes.
To attach a license:
1. Add the license to the License & Contract Repository.
2. Get the gateway data from the managed gateway.
3. Attach the license to the gateway:
a) From SmartUpdate, select Licenses & Contract.
b) Right-click and select Attach.
c) Select the licenses to attach.

Retrieving License Data from a Check Point Security Gateway

Go to License Properties on the remote gateways to retrieve license data.
From SmartUpdate, double-click a gateway and the License Properties window opens.
To retrieve license data from a single remote gateway, right-click on the gateway and select Get
Licenses.

Installation and Upgrade Guide R80.10 | 200

 Using SmartUpdate

Detaching Licenses from a Security Gateway

If you want to detach a license, delete a single Central license from a remote Check Point Security
Gateway and mark it as unattached in the License & Contract Repository. You can now use this
license by any Check Point Security Gateway.

To detach a license:
• From SmartConsole, select Licenses & Contract. Right-click and select Detach, and select
the licenses to detach.

Installation and Upgrade Guide R80.10 | 201

 Using SmartUpdate

Upgrading with SmartUpdate for R77.30 and Below

You can remotely upgrade all Check Point packages on a single remote gateway, other than the
operating system, in a single operation. The Upgrade all Packages function allows you to
simultaneously distribute or upgrade multiple packages to the latest management version.

Upgrading a Single Package on a Check Point Remote Gateway

Use this procedure to select the specific package that you want to apply to a single package. The
Distribute function allows you to:
• Upgrade the OS
• Upgrade a package to a management version other than the latest
• Apply Hot Fix Accumulators (HFAs)

To update a single package on a remote gateway:

1. In the Package Management window, right-click the Check Point Security Gateway to
upgrade.
2. Select Distribute Package.
3. From the Distribute Package window, select the package to distribute.
Use the Ctrl and Shift key to select multiple packages.
4. Click Distribute.
The installation proceeds only if the upgrade packages selected are available in the Package
Repository.

Upgrading All Packages on a Check Point Remote Gateway

You can remotely upgrade all Check Point packages on a single remote gateway, other than the
operating system, in a single operation. The Upgrade all Packages function allows you to
simultaneously distribute or upgrade multiple packages to the latest management version.
1. Click Packages > Upgrade all Packages.
2. From the Upgrade All Packages window, select the Check Point Security Gateways that you
want to upgrade. Use the Ctrl and Shift keys to select multiple devices.
Note - The Reboot if required option (selected by default) is required, to activate the newly
distributed package.
3. If one or more of the required packages are missing from the Package Repository, the
Download Packages window opens. Download the required package directly to the
Package Repository.
4. Click Upgrade.
The installation proceeds only if the upgrade packages for the selected packages are available
in the Package Repository.

Installation and Upgrade Guide R80.10 | 202

 Using SmartUpdate

Prerequisites for Remote Upgrades

Make sure that SmartUpdate connections are allowed.
1. In SmartConsole, click Menu > Global properties > Track > Log Implied Rules.
2. Make sure that Accept SmartUpdate Connections is selected.
Secure Internal Communication (SIC) must be established between the Security Management
Server and remote Check Point Security Gateways.

Distributions and Upgrades

You can upgrade all packages on one remote gateway, or you can distribute specific packages
one-by-one for all Gateways.

Canceling and Uninstalling

You can stop a Distributed installation or upgrade while in progress.

To stop a Distributed installation or upgrade:

From the SmartUpdate Menu, select Operation > Stop Operation.

To uninstall a package:
From the SmartUpdate Menu, select Packages > Uninstall.
Note - Uninstallation restores the gateway to the last management version distributed.

Restarting the Check Point Security Gateway

After you Distribute an upgrade or uninstall, reboot the gateway.

To restart the gateway:

• Select Reboot if required at the final stage of upgrade or uninstall.
• Select Packages > Reboot Gateway.

Installation and Upgrade Guide R80.10 | 203

 Using SmartUpdate

Using the Package Repository

Retrieving Package Data from Check Point Security Gateways
You can find details about the gateway, such as OS, vendor and management version from the
Package Repository in SmartUpdate.
From SmartUpdate, go to the menu > Packages. Make sure that View Repository is checked.
You can also find the Package Repository by clicking the icon at the top of the screen.
To find Operation Status of the gateway, go to the Package Management tab. Right-click on a
gateway and select Get Gateway Data.

Transferring Files from the Package Repository to Remote Devices

When you are ready to upgrade or distribute packages from the Package Repository, we
recommend that you transfer the package files to the devices to be that you want to upgrade.
When you place the file on the remote device, the overall installation time is less, the Security
Management Server is free to do other operations, and there is less of a chance of a
communications error during the distribute/upgrade process. Once the package file is located on
the remote device, you can activate the distribute/upgrade whenever it is convenient.
Transfer the package file(s) to the directory $SUROOT/tmp on the remote device. If this directory
does not exist, do one of the following:
• For Windows Gateways, place the package file in the directory SYSTEMDRIVE\temp
(SYSTEMDRIVE is usually C:\)
• For UNIX Gateways, place the package file in the directory /opt/.

Verifying the Viability of a Distribution from the Package Repository

Verify that the distribution (installation) or upgrade is viable based upon the Check Point Security
Gateway data retrieved. The verification process checks that:
• The Operating System and currently distributed packages are appropriate for the package
to be distributed.
• There is sufficient disk space.
• The package is not already distributed.
• The package dependencies are fulfilled.
To manually verify a distribution, from the SmartUpdate Menu, select Packages > Pre-Install
Verifier.

Installation and Upgrade Guide R80.10 | 204

 Using SmartUpdate

Adding New Packages to the Package Repository

To distribute (install) or upgrade a package, you must first add it to the Package Repository. You
can add packages from these locations:

Download Center
Select Packages > New Package > Add from Download Center.
1. Accept the Software Subscription Download Agreement.
2. Enter your user credentials.
3. Select the packages to be downloaded. Use the Ctrl and Shift keys to select multiple files.
You can also use the Filter to show just the packages you need.
4. Click Download to add the packages to the Package Repository.

User Center
Use this procedure for adding OPSEC packages and Hotfixes to the Package Repository.
1. Open a browser to the Check Point Support Center http://supportcenter.checkpoint.com.
2. Select the package you want to upgrade.
3. Enter your user credentials.
4. Accept the Software Subscription Download Agreement.
5. Choose the appropriate platform and package, and save the download to the local disk.
6. Select Packages > New Package > Import File.
7. In the Add Package window, navigate to the desired .tgz file and click Open to add the
packages to the Package Repository.

Deleting Packages from the Package Repository

To clear the Package Repository of extraneous or outdated packages, select a package, or
Ctrl-select multiple packages and select Packages > Delete Package. This operation cannot be
undone.

Installation and Upgrade Guide R80.10 | 205

 Using SmartUpdate

Generating CPInfo
CPInfo is a support tool that gathers into one text file a wide range of data concerning the Check
Point packages in your system. When speaking with a Check Point Technical Support Engineer,
you may be asked to run CPInfo and transmit the data to the Support Center. Download the tool
from the Support Center http://supportcontent.checkpoint.com/solutions?id=sk30567.
To launch CPInfo, select Tools > Generate CPInfo.
1. Choose the directory to which you want to save the output file.
2. Choose between two methods to name the file:
• based on the SR number the technician assigns you, or
• a custom name that you define.
3. Optionally, you may choose to add:
• log files to the CPInfo output.
• the registry to the CPInfo output.
For more information about the CPInfo Utility, see sk92739
http://supportcontent.checkpoint.com/solutions?id=sk92739.

Sending CPinfo to Check Point Automatically

SmartUpdate lets you automatically generate and send CPinfo to Check Point Technical support.

To automatically generate and send CPinfo:

1. Open SmartUpdate.
2. Right click a Security Gateway or Security Management Server.
3. Select Upload CPInfo to Check Point.
The Upload CPinfo from... window opens.
4. Enter your User Center authentication credentials (email and password) and SR number.
5. Select Download and install latest CPInfo package.
6. Enter an SR Number if you have one.
7. Click Upload More files if you want to send additional files.
Click Add to enter the full path to the remote file on the remote gateway or Security
Management Server.
8. Click OK.
The Operation Status window opens.
• CPinfo generates the data, encrypts and transfers the data to the User Center.
• After the secure file upload successfully completes, an email notification is sent to the
email address specified in step 3.

Installation and Upgrade Guide R80.10 | 206

CHAPTE R 27

Check Point Cloud Services

In This Section:
Automatic Downloads .................................................................................................207
Sending Data to Check Point......................................................................................208

Automatic Downloads
Check Point products connect to Check Point cloud services to download and upload information.
You can enable or disable Automatic Downloads in the Gaia First Time Configuration Wizard, on
the Products page. We recommend that you enable Automatic Downloads, so that you can use
these features:
• Blade Contracts are annual licenses for Software Blades and product features. If there is no
valid Blade contract, the applicable blades and related features will work, but with some
limitations.
• CPUSE lets you manage upgrades and installations on Gaia OS. See sk92449
http://supportcontent.checkpoint.com/solutions?id=sk92449.
• Data updates and Cloud Services are necessary for the full functionality of these Software
Blades and features:
• Application & URL Filtering • Threat Prevention (Anti-Bot, • HTTPS Inspection
• Application Database Anti-Virus, Anti-Spam, IPS, Threat • Compliance
Emulation)
• URL Filtering database • SmartEndpoint
• AppWiki • ThreatWiki

The Automatic Downloads feature is applicable to the Security Management Servers,

Multi-Domain Servers, Log Servers, and Security Gateways.
If you disabled Automatic Downloads in the Gaia First Time Configuration Wizard, you can enable it
again in SmartConsole Global properties:
1. Click Menu > Global properties > Security Management Access.
2. Select Automatically download Contracts and other important data.
3. Click OK.
4. Close the SmartConsole.
5. Connect with the SmartConsole to your Management Server.
6. Install the Access Control Policy.
To learn more, see sk94508 http://supportcontent.checkpoint.com/solutions?id=sk94508.

Installation and Upgrade Guide R80.10 | 207

 Check Point Cloud Services

Sending Data to Check Point

In the Gaia First Time Configuration Wizard, on the Summary page, you can enable or disable
data uploads to Check Point. This feature is enabled by default. The CPUSE statistics require this
feature.
In R77 and above, this setting activates the Check Point User Center Synchronization Tool. It
updates your User Center https://usercenter.checkpoint.com account with information from your
Security Gateways, mapping your SKUs to your actual deployment.
This setting of a Security Management Server applies to all its managed Security Gateways
(running R77 and above).
You can always change this setting in SmartConsole:

Step Description
1 In the top left corner, click Menu > Global properties > Security Management
Access.

2 Select or clear Improve product experience by sending data to Check Point.

3 Click OK.

4 Close the SmartConsole.

5 Connect with SmartConsole to your Management Server.

6 Install the Access Control Policy.

To learn more, see sk94509 http://supportcontent.checkpoint.com/solutions?id=sk94509.

Note - In some cases, the download process sends a minimal amount of required data about your
Check Point installation to the Check Point User Center.

Installation and Upgrade Guide R80.10 | 208

CHAPTE R 28

CLI Commands
In This Section:
cpconfig .......................................................................................................................210
cplic .............................................................................................................................212
cppkg ...........................................................................................................................227
cprid .............................................................................................................................230
cprinstall .....................................................................................................................231
control_bootsec ..........................................................................................................243
fwboot bootconf ..........................................................................................................244
comp_init_policy .........................................................................................................245
cpstop -fwflag default and cpstop -fwflag proc ........................................................246

All management operations can be executed via the command line. There are three main
commands:
• cppkg to work with the Packages Repository.
• cprinstall to perform remote installations of packages.
• cplic for license management.

Installation and Upgrade Guide R80.10 | 209

 CLI Commands

cpconfig
Description
This command starts the Check Point Configuration Tool. This tool lets you configure specific
settings for the installed Check Point products
The options shown depend on the configuration and installed products:

Menu Option Description

Licenses and contracts Manages Check Point licenses and contracts.

Administrator Configures Check Point system administrators

for the Security Management Server.

GUI Clients Configures the GUI clients that can use

SmartConsoles to connect to the Security
Management Server.

SNMP Extension Do not use this option anymore.

To configure SNMP, see the R80.10 Gaia
Administration Guide
https://sc1.checkpoint.com/documents/R80.10/
WebAdminGuides/EN/CP_R80.10_Gaia_AdminG
uide/html_frameset.htm - Chapter System
Management - Section SNMP.

Random Pool Configures the RSA keys, to be used by Gaia OS.

Certificate Authority Initializes the Internal Certificate Authority (ICA)

and configures the Certificate Authority's (CA)
Fully Qualified Domain Name (FQDN).

Certificate's Fingerprint Shows the ICA's Fingerprint. This fingerprint is

a text string derived from the Security
Management Server or Domain Management
Server ICA certificate. This fingerprint verifies
the identity of the Security Management Server
or Domain Management Server when you
connect to it with a SmartConsole.

Automatic start of Check Point Products Shows and controls which of the installed
Check Point products start automatically during
boot.

Exit Exits from the Check Point Configuration Tool.

Installation and Upgrade Guide R80.10 | 210

 CLI Commands

Syntax
cpconfig

Note - On Multi-Domain Server, run the mdsconfig command.

Example - Menu on a Security Management Server

[Expert@MyMGMT:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Installation and Upgrade Guide R80.10 | 211

 CLI Commands

cplic
The cplic command lets you manage Check Point licenses. The cplic command can be run in
Gaia Clish or in Expert Mode.
Best Practice - Manage licenses in the SmartUpdate GUI.
License Management is divided into three types of commands:
• Local licensing commands are executed on the Check Point computers.
• Remote licensing commands are executed on the Security Management Server, and affect the
managed Security Gateways.
• License Repository commands are executed on the Security Management Server, and affect
the licenses stored in the local license repository.
For more about managing licenses, see the R80.10 Security Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManage
ment_AdminGuide/html_frameset.htm.

Syntax for Local Licensing

cplic
-h
put <options>
del <options>
print <options>
check <options>
contract <options>

Syntax for Remote Licensing

cplic
-h
put <Object Name> ...
del <Object Name> <options>
get {<IP Address> | <Host Name> | -all}
upgrade -l <Input File>

Syntax for License Database Operations

cplic
-h
db_add <options>
db_rm <options>
db_print <options>

Note - For help on commands, add the -h option.

Installation and Upgrade Guide R80.10 | 212

 CLI Commands

cplic check
Description
Confirms that the license includes the feature on the local Security Gateway or Security
Management Server.

Syntax
cplic check [-p <Product>] [-v <Version>] [-c | -count] [-t <Date>] [-r | -routers]
[-S | -SRusers] <Feature>

Parameters
Parameter Description

-p <Product> Product, for which license information is requested.

Example: fw1, netso

-v <Version> Product version, for which license information is requested.

-c | -count Outputs the number of licenses connected to this feature.

-t <Date> Checks license status on future date.

Use the format ddmmyyyy.
A feature can be valid on a given date on one license, but invalid
on another.

-r | -routers Checks how many routers are allowed.

The <Feature> option is not needed.

-S | -SRusers Checks how many SecuRemote users are allowed.

<Feature> Feature, for which license information is requested.

Installation and Upgrade Guide R80.10 | 213

 CLI Commands

cplic db_add
Description
Adds one or more licenses to the license repository on the Security Management Server.
When local licenses are added to the license repository, they are automatically attached to the
intended Check Point Security Gateway. Central licenses have to undergo the attachment process.
This command is a license repository command and can only be executed on the Security
Management Server.

Syntax
cplic db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>]
[<SKU/Features>]

Parameters
Parameter Description

-l <License File> Name of the file that contains the license.

<Host> Security Management Server hostname or IP address.

<Expiration Date> The license expiration date.

<Signature> The license signature string. For example:

aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
The string is case sensitive and the hyphens are optional.

<SKU/Features> The SKU of the license summarizes the features included in the license.
For example, CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command cplic db_add -l
192.0.2.11.lic produces output similar to:
gaia> cplic db_add -l 192.0.2.11.lic
Adding license to database ...
Operation Done

Installation and Upgrade Guide R80.10 | 214

 CLI Commands

cplic db_print
Description
Displays the details of Check Point licenses stored in the license repository on the Security
Management Server.

Syntax
cplic db_print <Object Name | -all> [-n | -noheader] [-x] [-t | -type] [-a |
-attached]

Parameters
Parameter Description

<Object Name> Prints only the licenses attached to <Object Name>.

<Object Name> is the name of the Check Point Security Gateway object
as defined in SmartConsole.

-all Prints all the licenses in the license repository.

-n | -noheader Prints licenses with no header.

-x Prints licenses with their signatures.

-t | -type Prints licenses with their type: Central or Local.

-a | -attached Shows to which object the license is attached.

Useful, if the -all option is specified.

Note - This command is a license repository command and can only run on the Security
Management Server.

Installation and Upgrade Guide R80.10 | 215

 CLI Commands

cplic db_rm
Description
Removes a license from the license repository on the Security Management Server. It can be
executed ONLY after the license was detached using the cplic del command. Once the license
is removed from the repository, it can no longer be used.

Syntax
cplic db_rm <Signature>

Parameters
Parameter Description

<Signature> The signature string within the license.

Example
gaia> cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

Note - This command is a license repository command and can only run on the Security
Management Server.

Installation and Upgrade Guide R80.10 | 216

 CLI Commands

cplic del
Description
Deletes a single Check Point license on a host, including unwanted evaluation, expired, and other
licenses. Used for both local and remote machines

Syntax
cplic del [-F <Output File>] <Signature> <Object Name>

Parameters
Parameter Description

-F <Output File> Sends the output to <output file> instead of the screen.

<Signature> The signature string within the license.

To see the license signature string, run the cplic print -x command.

<Object Name> The name of the Check Point Security Gateway object as defined in
SmartConsole.

Installation and Upgrade Guide R80.10 | 217

 CLI Commands

cplic del <object name>

Description
Detaches a Central license from a Check Point Security Gateway. When this command is executed,
the license repository is automatically updated. The Central license remains in the repository as
an unattached license. This command can only run on a Security Management Server.

Syntax
cplic del <Object Name> [-F <Output File>] [-ip <Dynamic IP Address>] <Signature>

Parameters
Parameter Description

<Object Name> The name of the Check Point Security Gateway object as defined in
SmartConsole.

-F <Output File> Diverts the output to outputfile rather than to the screen.

-ip <Dynamic IP Deletes the license on the Check Point Security Gateway with the
Address> specified IP address. Use this parameter to delete a license on a DAIP
Check Point Security Gateway.
Note - If this parameter is used, then object name must be a DAIP
Security Gateway.

<Signature> The signature string within the license.

Note - This is a Remote Licensing command, which affects remote managed machines. It is
executed on the Security Management Server.

Installation and Upgrade Guide R80.10 | 218

 CLI Commands

cplic get
Description
Retrieves all licenses from Security Gateways into the license repository on the Security
Management Server. This command helps to synchronize the repository with the Check Point
Security Gateways. When the command is run, all local changes are updated.

Syntax
cplic get {<IP Address> | <Host Name> | -all} [-v41]

Parameters
Parameter Description

<IP Address> The IP address of the Check Point Security Gateway, from which licenses are to
be retrieved.

<Host Name> The name of the Check Point Security Gateway object as defined in
SmartConsole, from which licenses are to be retrieved.

-all Retrieves licenses from all Check Point Security Gateways in the managed
network.

-v41 Retrieves version 4.1 licenses from the NF Check Point Security Gateway. Used
to upgrade version 4.1 licenses.

Example
If the Check Point Security Gateway with the object name caruso contains four Local licenses,
and the license repository contains two other Local licenses, the command cplic get caruso
produces output similar to this:
gaia> cplic get caruso
Get retrieved 4 licenses.
Get removed 2 licenses.

Note - This is a Remote Licensing Command, which affects remote machines. It is executed on the
Security Management Server.

Installation and Upgrade Guide R80.10 | 219

 CLI Commands

cplic put
Description
Installs one or more local licenses on a local machine.

Syntax
cplic put [-o|-overwrite] [-c|-check-only] [-s|-select] [-F <Output File>]
[-P|-Pre-boot] [-k|-kernel-only] -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]

Parameters
Parameter Description

-o | -overwrite On a Security Management Server, this erases all existing licenses and
replaces them with the new licenses.
On a Check Point Security Gateway, this erases only the local licenses,
but not central licenses that are installed remotely.

-c | -check-only Verifies the license. Checks if the IP of the license matches the machine
and if the signature is valid.

-s | -select Selects only the local license whose IP address matches the IP address
of the machine.

-F <Output File> Outputs the result of the command to the designated file rather than to
the screen.

-P | -Pre-boot Use this option after you have upgraded and before you reboot the
machine. Use of this option will prevent certain error messages.

-K | -kernel-only Pushes the current valid licenses to the kernel.

For use by Check Point Support only.

-l <License File> Name of the file that contains the license.

<Host> Hostname or IP address of Security Management Server.

<Expiration Date> The license expiration date.

<Signature> The license signature string. For example:

aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(The string is case sensitive and the hyphens are optional).

<SKU/Features> The SKU of the license summarizes the features included in the license.
For example: CPSUITE-EVAL-3DES-vNG

Installation and Upgrade Guide R80.10 | 220

 CLI Commands

Copy and paste the parameters from the license received from the User Center:

Parameter Description
host One of these:
• All platforms - The IP address of the external interface (in dot
notation). The last part cannot be 0 or 255.
• Solaris2 - The response to the hostid command (beginning with
0x).
expiration date The license expiration date. It can be never.

signature The license signature string.

For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(Case sensitive. The hyphens are optional.)

SKU/features A string listing the SKU and the Certificate Key of the license. The SKU
of the license summarizes the features included in the license.
For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example
gaia> cplic put -l License.lic
Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
gaia>

Installation and Upgrade Guide R80.10 | 221

 CLI Commands

cplic put <object name>

Description
Attaches one or more central or local licenses remotely. When this command is executed, the
license repository is also updated.

Syntax
cplic put <Object Name> [-ip Dynamic IP] [-F <Output File>] -l <License File>
[<Host>] [<Expiration Date>] [<Signature>] [<SKU/Feature>]

Parameters
Parameter Description

<Object Name> The name of the Check Point Security Gateway object, as defined in
SmartConsole.

-ip <Dynamic IP> Installs the license on the Check Point Security Gateway with the specified
IP address. This parameter is used for installing a license on a DAIP
Check Point Security Gateway.
Note - If this parameter is used, then the object name must be a DAIP
Check Point Security Gateway.

-F <Output File> Diverts the output to <outputfile> rather than to the screen.

-l <license File> Installs the licenses from <license file>.

<Host> Hostname or IP address of Security Management Server.

<Expiration Date> The license expiration date.

<Signature> The license signature string.

For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
The string is case sensitive and the hyphens are optional.

<SKU/Features> The SKU of the license summarizes the features included in the license.
For example: CPSUITE-EVAL-3DES-vNG

Note - This is a remote licensing command, which affects remote machines. It is executed on the
Security Management Server. More than one license can be attached.

Installation and Upgrade Guide R80.10 | 222

 CLI Commands

Copy and paste the parameters from the license received from the User Center:

Parameter Description
host One of these:
• All platforms - The IP address of the external interface (in dot
notation). The last part cannot be 0 or 255.
• Solaris2 - The response to the hostid command (beginning with
0x).
expiration date The license expiration date. It can be never.

signature The license signature string.

For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(Case sensitive. The hyphens are optional.)

SKU/features A string listing the SKU and the Certificate Key of the license. The SKU
of the license summarizes the features included in the license.
For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Installation and Upgrade Guide R80.10 | 223

 CLI Commands

cplic print
Description
The cplic print command prints details of Check Point licenses on the local machine.

Syntax
cplic print [-n|-noheader][-x][-t|-type][-F <Output File>] [-p|-preatures]

Parameters
Parameter Description

-n|-noheader Prints licenses with no header.

-x Prints licenses with their signature.

-t|-type Prints licenses showing their type: Central or Local.

-F <Output File> Diverts the output to <Output File>.

-p|-preatures Prints licenses resolved to primitive features.

Note - On a Check Point Security Gateway, this command prints all licenses that are installed on
the local machine, both local and central licenses.

Installation and Upgrade Guide R80.10 | 224

 CLI Commands

cplic upgrade
Description
Upgrades licenses in the license repository with licenses in a license file from the user center.

Syntax
cplic upgrade –l <Input File>

Parameters
Parameter Description

–l <Input File> Upgrades the licenses in the license repository and Check Point Security
Gateways to match the licenses in <Input File>.

Example
This example explains the procedure to upgrade the licenses in the license repository. There are
two Software Blade licenses in the file. One does not match any license on a remote Security
Gateway, the other matches a version NGX license on a Security Gateway that has to be upgraded.
• Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the Security
Gateways with the previous product versions.
• Import all licenses into the license repository. This can also be done after upgrading the
products on the remote Security Gateways.
• Run this command:
cplic get -all

Example:
[Expert@MyMGMT]# cplic get -all
Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

• To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:
[Expert@MyMGMT]# cplic db_print -all -a
Retrieving license information from database ...

The following licenses appear in the database:

==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 golda
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab count

• In the User Center https://usercenter.checkpoint.com, view the licenses for the products that
were upgraded from version NGX to a Software Blades license. You can also create new
upgraded licenses.
• Download a file containing the upgraded licenses. Only download licenses for the products that
were upgraded from version NGX to Software Blades.

Installation and Upgrade Guide R80.10 | 225

 CLI Commands

• If you did not import the version NGX licenses into the repository, import the version NGX
licenses now. Use the command cplic get -all
• Run the license upgrade command: cplic upgrade –l <inputfile>
• The licenses in the downloaded license file and in the license repository are compared.
• If the certificate keys and features match, the old licenses in the repository and in the
remote Security Gateways are updated with the new licenses.
• A report of the results of the license upgrade is printed.
Note - This is a remote licensing command, which affects remote Security Gateways. It is
executed on the Security Management Server.
For more about managing licenses, see the R80.10 Security Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManage
ment_AdminGuide/html_frameset.htm.

Installation and Upgrade Guide R80.10 | 226

 CLI Commands

cppkg
Description Manages the product repository. It is always executed on the Security Management
Server.
Important - This command is not supported for gateways running on Gaia OS.

cppkg add
Description Adds a product package to the product repository. You can only add SmartUpdate
packages to the product repository.
Add products to the repository by importing a file downloaded from the Download Center. Add the
package file to the repository directly from a DVD or from a local or network drive.
Syntax:
> cppkg add {<package-full-path>|<CD drive> [product]}

Parameter Description

package-full-pat If the package you want to add to the repository is on a local disk or
h network drive, type the full path to the package.

CD drive If the package you want to add to the repository is on a DVD:

• For Windows machines type the DVD drive letter, for example: d:\
• For UNIX machines, type the DVD root path, for example:
/caruso/image/CPsuite-R80.10
You are asked to specify the product and appropriate operating system
(OS).

Note - cppkg add does not overwrite existing packages. To overwrite existing packages, you
must first delete existing packages.
Example:
[d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-R80.10\
Enter package name:
----------------------
(1) SVNfoundation
(2) firewall
(3) floodgate
(4) rtm

(e) Exit
Enter your choice : 1
Enter package OS :
----------------------
(1) win32
(2) linux
(3) ipso

(e) Exit
Enter your choice : 1
You choose to add 'SVNfoundation' for 'win32' OS. Is this correct? [y/n] : y

Installation and Upgrade Guide R80.10 | 227

 CLI Commands

cppkg delete
Description Deletes a product package from the repository. To delete a product package you
must specify a number of options. To see the format of the options and to view the contents of the
product repository, use the cppkg print command.
Syntax:
> cppkg delete <vendor> <product> <version> <os> [sp]

Parameter Description

vendor Package vendor. For example, checkpoint

product Package name.

version Package version.

os Package Operating System. Options are: win32, solaris, ipso, linux

sp Package minor version.

Note - It is not possible to undo the cppkg del command.

cppkg get
Description Synchronizes the Package Repository database with the content of the actual
package repository under $SUROOT
Syntax:
> cppkg get

cppkg getroot
Description Finds the location of the product repository. The default product repository location
on Windows machines is C:\SUroot. On UNIX machines it is /var/SUroot.
Syntax:
> cppkg getroot
Example:
> cppkg getroot
Current repository root is set to : /var/suroot/

Installation and Upgrade Guide R80.10 | 228

 CLI Commands

cppkg print
Description Lists the contents of the product repository.
Use cppkg print to see the product and OS strings required to install a product package
using the cprinstall command, or to delete a package using the cppkg delete
command.
Syntax:
> cppkg print

cppkg setroot
Description Creates a new repository root directory location and moves existing product
packages into the new repository.
The default product repository location is created when the Security Management Server is
installed. On Windows machines the default location is C:\SUroot and on UNIX machines it is
/var/SUroot. Use this command to change the default location.
When changing repository root directory:
• The content of the old repository is copied into the new repository.
• The $SUROOT environment variable gets the value of the new root path.
• A product package in the new location is overwritten by a package in the old location, if the
packages are the same (they have the same ID strings).
The repository root directory should have at least 200 Mbyte of free disk space.
Syntax:
> cppkg setroot <repository>

Parameter Description

<repository> The full path for the desired location for the
product repository.

Note - It is important to reboot the Security Management Server after using this command. This
sets the new $SUROOT environment variable.
Example:
cppkg setroot /var/new_suroot
Repository root is set to : /var/new_suroot/

Note: When changing repository root directory :

1. Old repository content will be copied into the new repository.
2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name.

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/new_suroot

Notice : To complete the setting of your directory, reboot the machine!

Installation and Upgrade Guide R80.10 | 229

 CLI Commands

cprid
cpridrestart
Description Stops and starts the Check Point Remote Installation Daemon cprid. This is the
daemon that is used for remote upgrade and installation of products. In Windows it is a service.

cpridstart
Description Starts the Check Point Remote Installation Daemon (cprid). This is the service
that allows for the remote upgrade and installation of products. In Windows it is a service.
Syntax:
> cpridstart

cpridstop
Description Stops the Check Point Remote Installation Daemon cprid. This is the service
that allows for the remote upgrade and installation of products. In Windows it is a service.
Syntax:
> cpridstop

Installation and Upgrade Guide R80.10 | 230

 CLI Commands

cprinstall
Description Use cprinstall commands to perform remote installation of product
packages and associated operations.
Important - This command is not supported for gateways running on Gaia OS.
On the Security Management Server, cprinstall commands require licenses for
SmartUpdate.
On the remote Check Point gateways the following are required:
• Trust must be established between the Security Management Server and the Check Point
gateway.
• cpd must run.
• cprid remote installation daemon must run.

Installation and Upgrade Guide R80.10 | 231

 CLI Commands

cprinstall boot
Description Boot the remote computer.
Syntax:
> cprinstall boot <object name>

Parameter Description

<object name> Object name of the Check Point Security Gateway defined in SmartConsole.

Example:
> cprinstall boot harlin

Installation and Upgrade Guide R80.10 | 232

 CLI Commands

cprinstall cpstart
Description Enables cpstart to be run remotely.
All products on the Check Point Security Gateway must be of the same version.
Syntax:
> cprinstall cpstart <object name>

Parameter Description

<Object name> Object name of the Check Point Security Gateway defined in SmartConsole.

Installation and Upgrade Guide R80.10 | 233

 CLI Commands

cprinstall cpstop
Description Enables cpstop to be run remotely.
All products on the Check Point Security Gateway must be the same version.
Syntax:
> cprinstall cpstop {-proc|-nopolicy} <object name>

Parameter Description

-proc Kills Check Point daemons and security servers while it maintains the active
Security Policy running in the kernel. Rules with generic allow/reject/drop
rules, based on services continue to work.

-nopolicy

Object name Object name of the Check Point Security Gateway defined in SmartConsole.

Installation and Upgrade Guide R80.10 | 234

 CLI Commands

cprinstall get
Description Gets details of the products and the operating system installed on the specified
Check Point Security Gateway. It also updates the database.
Syntax:
> cprinstall get <object name>

Parameter Description

<object name> The name of the Check Point Security Gateway object defined in
SmartConsole.

Example:
cprinstall get gw1
Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system Major Version Minor Version
------------------------------------------------------------------------
SecurePlatform R75.20 R75.20

Vendor Product Major Version Minor Version

------------------------------------------------------------------------
Check Point VPN-1 Power/UTM R75.20 R75.20
Check Point SecurePlatform R75.20 R75.20
Check Point SmartPortal R75.20 R75.20

Installation and Upgrade Guide R80.10 | 235

 CLI Commands

cprinstall install
Description Installs Check Point products on remote Check Point Security Gateways.
To install a product package you must specify a number of options. Use the cppkg print
command and copy the required options.
Syntax:
> cprinstall install [-boot] <Object name> <vendor> <product> <version> [sp]

Parameter Description

-boot Boots the remote computer after installing the package.

Note - Only boot after ALL products have the same version. Boot will be
canceled in certain scenarios.

Object name Object name of the Check Point Security Gateway defined in SmartConsole.

vendor Package vendor. For example, checkpoint

product Package name.

version Package version.

sp Package minor version.

Note - Before transferring any files, this command runs the cprinstall verify command
to verify that the operating system is appropriate and that the product is compatible with
previously installed products.

Example:
# cprinstall install -boot fred checkpoint firewall R70

Installing firewall R75.20 on fred...

Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.

Installation and Upgrade Guide R80.10 | 236

 CLI Commands

cprinstall uninstall
Description Uninstalls products on remote Check Point Security Gateways.
To uninstall a product package you must specify a number of options. Use the cppkg print
command and copy the required options.
Syntax:
> cprinstall uninstall [-boot] <Object name> <vendor> <product> <version> [sp]

Parameter Description

-boot Boots the remote computer after installing the package.

Note - Only boot after ALL products have the same version. Boot will be
canceled in certain scenarios. See the Release Notes for details.

Object name Object name of the Check Point Security Gateway defined in SmartConsole.

vendor Package vendor. For example, checkpoint

product Package name.

version Package version.

sp Package minor version.

Note - Before uninstalling any files, this command runs the cprinstall verify command.
It verifies that the operating system is appropriate and that the product is installed.
After uninstalling, retrieve the Check Point Security Gateway data by running cprinstall get

Example
# cprinstall uninstall fred checkpoint firewall R75.20

Uninstalling firewall R75.20 from fred...

Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.

Installation and Upgrade Guide R80.10 | 237

 CLI Commands

cprinstall verify
Description Confirms these operations were successful:
• If a specific product can be installed on the remote Check Point Security Gateway.
• That the operating system and currently installed products are appropriate for the package.
• That there is enough disk space to install the product.
• That there is a CPRID connection.
Syntax:
> cprinstall verify <Object name> <vendor> <product> <version> [sp]

Parameter Description
Object name Object name of the Check Point Security Gateway defined in SmartConsole.

vendor Package vendor. For example, checkpoint

product Package name.

Options are: SVNfoundation, firewall, floodgate

version Package version.

sp Package minor version. This parameter is optional.

Example:
Successful - Verify succeeds
cprinstall verify harlin checkpoint SVNfoundation R75.20

Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Unsuccessful - Verify fails

cprinstall verify harlin checkpoint SVNfoundation R75.20

Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway
Info : SVN Foundation R70 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.

Installation and Upgrade Guide R80.10 | 238

 CLI Commands

cprinstall snapshot
Description Creates a snapshot <filename> on the Check Point Security Gateway.
Syntax:
> cprinstall snapshot <object name> <filename>

Parameter Description

Object name Object name of the Check Point Security Gateway defined in SmartConsole.

filename Name of the snapshot file

Note - Supported on SecurePlatform only.

Installation and Upgrade Guide R80.10 | 239

 CLI Commands

cprinstall show
Description Displays all snapshot (backup) files on the Check Point Security Gateway.
Syntax:
> cprinstall show <object name>

Parameter Description

Object name Object name of the Check Point Security Gateway defined in SmartConsole.

Note - Supported on SecurePlatform only.

Example:
# cprinstall show GW1
SU_backup.tzg

Installation and Upgrade Guide R80.10 | 240

 CLI Commands

cprinstall revert
Description Restores the Check Point Security Gateway from a snapshot.
Syntax:
> cprinstall revert <object name> <filename>

Parameter Description

<object name> Object name of the Check Point Security Gateway defined in SmartConsole.

<filename> Name of the snapshot file.

Note - Supported on SecurePlatform only.

Installation and Upgrade Guide R80.10 | 241

 CLI Commands

cprinstall transfer
Description Transfers a package from the repository to a Check Point Security Gateway without
installing the package.
Syntax:
> cprinstall transfer <object name> <vendor> <product> <version> [sp]

Parameter Description

Object name Object name of the Check Point Security Gateway defined in SmartConsole.

vendor Package vendor. For example, checkpoint

product Package name.

version Package version.

sp Package minor version. This parameter is optional.

Installation and Upgrade Guide R80.10 | 242

 CLI Commands

control_bootsec
Enables or disables Boot Security. The command affects both the Default Filter and the Initial
Policy.
$FWDIR/bin/control_bootsec [-r] [-g]

Options Description
-r Removes boot security

-g Enables boot security

Installation and Upgrade Guide R80.10 | 243

 CLI Commands

fwboot bootconf
Configure boot security options. This command is in $FWDIR/boot.
$FWDIR/bin/fwboot bootconf <command> [value]

Commands Values Description

Get_ipf none Reports if firewall controls IP Forwarding.
• Returns 1 if IP Forwarding control is enabled on boot.
• Returns 0 if IP Forwarding is not controlled on boot.
Set_ipf 0|1 Turns off/on control of IP forwarding for the next boot.
0 - Turns off
1 - Turns on

Get_def none Returns the full path to the Default Filter that will be used on boot.

Set_def <filename> Loads the file as the Default Filter in the next boot. The only safe and
recommended directory is $FWDIR/boot. (The default.bin
filename is a default name.)
Note - Do NOT move these files.

Installation and Upgrade Guide R80.10 | 244

 CLI Commands

comp_init_policy
Use the comp_init_policy command to generate and load, or to remove, the Initial Policy.
This command generates the Initial Policy. It ensures that it will be loaded when the computer is
booted, or any other time that a Policy is fetched, for example, at cpstart, or with the fw fetch
localhost command. After running this command, cpconfig adds an Initial Policy if there is no
previous Policy installed.
$FWDIR/bin/comp_init_policy [-u | -g]

Options Description

-u Removes the Initial Policy, and makes sure that it will not be generated in the future
when cpconfig is run.

-g Generates the Initial Policy and makes sure that it is loaded the next time a policy is
fetched (cpstart, reboot, fw fetchlocalhost). After running this command,
cpconfig adds an Initial Policy when needed.

The comp_init_policy -g command will only work if there is no previous policy. If there is a policy,
make sure that after removing the policy, you delete the folder $FWDIR/state/local/FW1/. The
$FWDIR/state/local/FW1/ folder contains the policy that will be fetched when fw fetch localhost is
run.
The fw fetch localhost command is the command that installs the local policy. cpstart.
comp_init_policy creates the initial policy, but has a safeguard so that the initial policy will not
overwrite a regular user policy (since initial policy is only used for fresh installations or upgrade).
For this reason, you must delete the $FWDIR/state/local/FW1/ directory if there is a previous
policy, otherwise comp_init_policy will detect that the existing user policy and will not overwrite it.
If you do not delete the previous policy, the original policy will be loaded.

Installation and Upgrade Guide R80.10 | 245

 CLI Commands

cpstop -fwflag default and cpstop -fwflag proc

To stop all firewall processes but leave the Default Filter running, run: cpstop -fwflag
-default
To stop all Security Gateway processes but leave the security policy running, run:
cpstop -fwflag -proc
To stop and start all Check Point processes, run: cpstop and cpstart
cpstop -fwflag [-default | -proc]

Options Description

-default Kills firewall processes (such as fwd, fwm, vpnd, snmpd). Logs, kernel traps,
resources, and security server connections stop.
The security policy in the kernel is replaced with the Default Filter.

-proc Kills firewall processes. Logs, kernel traps, resources, and security server
connections stop.
The security policy remains loaded in the kernel. Allow, reject, and drop rules
that do not use resources, only services, continue to work.

Installation and Upgrade Guide R80.10 | 246