28 May 2020

60000/40000 SECURITY
PLATFORMS
R76SP.50

Upgrade Guide
Classification: [Protected]
CHAPTER 1

2020 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page https://www.checkpoint.com/copyright/ for a list of our trademarks.
Refer to the Third Party copyright notices
https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/ for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Check Point R76SP.50


For more about this release, see the R76SP.50 home page
http://supportcontent.checkpoint.com/solutions?id=sk115735.

Latest Version of this Document


Open the latest version of this document in a Web browser
https://sc1.checkpoint.com/documents/R76SP.50/CP_R76SP.50_SecuritySystem_UpgradeGuide/html_frameset.htm.
Download the latest version of this document in PDF format
http://downloads.checkpoint.com/dc/download.htm?ID=54163.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:[email protected]?subject=Feedback on 60000/40000
Security Platforms R76SP.50 Upgrade Guide.
Revision History
Date / Description

28 May 2020
   Updated:
   • Upgrading the N+1 Chassis CMM Firmware (on page 36)
   • Upgrading the N+N Chassis CMM Firmware (on page 42)
27 July 2019
   Updated:
   • Upgrading the N+1 Chassis CMM Firmware (on page 36)
   • Upgrading the N+N Chassis CMM Firmware (on page 42)
27 May 2019
   Improved:
   • Formatting and layout
19 February 2018
   Updated:
   • Multiple Security Groups (on page 26)
   • Upgrading the N+1 Chassis CMM Firmware (on page 36)
18 February 2018
   Improved:
   • Formatting and layout
   Added:
   • Multiple Security Groups (on page 26)
29 April 2018
   General updates.
22 January 2018
   Updated:
   • Upgrading the N+N Chassis CMM Firmware (on page 42)
16 October 2017
   Updated:
   • Upgrading the N+1 Chassis CMM Firmware (on page 36)
   • Upgrading the N+N Chassis CMM Firmware (on page 42)
01 October 2017
   Updated:
   • Upgrading the N+1 Chassis CMM Firmware (on page 36)
12 July 2017
   Added:
   • Upgrading SSM160 to SSM440 (on page 46)
21 June 2017
   Added:
   • Uninstalling a Hotfix on SGMs (on page 34)
23 April 2017
   First release of this document
Contents
Important Information
Introduction
  Syntax Notation
  R76SP.50 Upgrade Overview
Upgrading from Major Releases
  Preliminary Steps
  Upgrading Chassis B
  Failing Over to Chassis B
  Upgrading Chassis A
  Failing Over to Chassis A
  Completing the Upgrade
Upgrading from a Minor Release
  Upgrading a Dual-Chassis System from a Minor Release
    Preliminary Steps
    Upgrading Chassis B
    Failing Over to Chassis B
    Upgrading Chassis A
    Failing Over to Chassis A
    Completing the Upgrade
  Upgrading a Single Chassis System from a Minor Release
    Preliminary Steps
    Upgrading SGMs in Group B
    Failing Over to SGMs in Group B
    Upgrading SGMs in Group A
    Completing the Upgrade
Installing a Jumbo Hotfix Accumulator
  Installation on a Dual-Chassis System
    Preliminary Steps
    Installing the Jumbo Hotfix Accumulator on Chassis B
    Failing Over to Chassis B
    Installing the Jumbo Hotfix Accumulator on Chassis A
    Failing Over to Chassis A
    Completing the Installation
  Installing a Jumbo Hotfix Accumulator on a Single Chassis System
Multiple Security Groups
  Description
  Preliminary Steps
  Upgrading Chassis B
  Failing Over to Chassis B
  Upgrading Chassis A
  Failing Over to Chassis A
  Verification
  Enabling Multiple Security Groups
Installing and Uninstalling a Hotfix on SGMs
  Installing a Hotfix on SGMs
  Uninstalling a Hotfix on SGMs
Upgrading Hardware Components
  Upgrading the CMM Firmware on N+1 Chassis
    Procedure 1 - With Physical Access to the Chassis
    Procedure 2 - No Physical Access to the Chassis
  Upgrading the CMM Firmware on N+N Chassis
    Procedure 1 - With Physical Access to the Chassis
    Procedure 2 - No Physical Access to the Chassis
  Upgrading SSM160 to SSM440
  Upgrading SSM Firmware
CHAPTER 2

Introduction
In This Section:
  Syntax Notation
  R76SP.50 Upgrade Overview

Introducing the Check Point Scalable Platform, the world's fastest Threat Prevention platforms.
The carrier-class next generation Threat Prevention and Firewall solutions provide the security
you need today and into the future.
Already supporting fast networking connectivity such as 40 GbE and 100 GbE, the 64000 and 44000
can be integrated with new and advanced solutions, both on premises or in the cloud.
These scalable platforms enable you to continue to grow your business, so when traffic volume or
security requirements increase, you can easily scale up the system capacity.
Welcome to the future of Cyber Security!

Syntax Notation
This table shows the syntax characters.

Character    Name                  Description
|            Pipe                  OR
{}           Curly brackets        Set of OR or AND operators
[]           Square brackets       Optional parameter
<variable>   Angle brackets        Variable
>            Right angle bracket   Prompt: Run command in Clish or gClish (use in procedures or examples only)
#            Hashtag               Prompt: Run command in the Expert mode (use in procedures or examples only)
none                               Required parameter or option

R76SP.50 Upgrade Overview


This section shows the available upgrade procedure support.

Major Release Upgrade (R75.xx and R76SP to R76SP.50)

• Dual-Chassis - Supported (Zero Downtime)
• Single Chassis - Supported (Downtime during upgrade)

Minor Release Upgrade (R76SP.xx to R76SP.50)

• Dual-Chassis - Supported
• Single Chassis - Supported

60000/40000 Security Platforms Upgrade Guide R76SP.50 | 7


CHAPTER 3

Upgrading from Major Releases


In This Section:
  Preliminary Steps
  Upgrading Chassis B
  Failing Over to Chassis B
  Upgrading Chassis A
  Failing Over to Chassis A
  Completing the Upgrade

Use these procedures to upgrade a Dual-Chassis system from R75.0x, R75.40VS, and R76SP.10 to
R76SP.50. One Chassis is always Active during the upgrade, except for a brief period during a
manual failover.

To upgrade from a major release:


1. Upgrade Chassis B (Standby).
Chassis A (Active) handles traffic.
2. Fail over to Chassis B.
3. Upgrade Chassis A.
4. Fail over to Chassis A after the upgrade is complete.
To upgrade from a major release, use an ISO image on a bootable USB device. Download the ISO
image from the R76SP.50 60000/40000 Security Platforms Home Page
http://supportcontent.checkpoint.com/solutions?id=sk115735.

Preliminary Steps
1. Make sure that your Security Management Servers are version R76 or higher.
   If not, upgrade your Security Management Servers.
   # fwm ver
2. Back up your Scalable Platform.
2a. Create a snapshot of one SGM.
   > set global-mode 0
   > add snapshot pre_upgrade
2b. Make sure that the snapshot was created successfully.
   > show snapshots
2c. Export the snapshot.
   > set snapshot export pre_upgrade path /var/log/
   > show snapshots
   > set global-mode 1
2d. Copy the exported snapshot to external media or a remote server:
   /var/log/pre_upgrade.tgz
2e. Collect configuration settings and system status information into a data file:
   /var/log/asg_report.<host_name>_<date_stamp>_tar.gz
   > asg_info -f
3. Send the output data file to Check Point Support
   https://www.checkpoint.com/support-services/contact-support/.
   The information is used to create a custom configuration procedure for use during the
   upgrade procedure.
4. Detect errors or other system issues.
   Resolve these issues before you start the upgrade process.
   > asg diag verify
5. Download the R76SP.50 ISO image or HFA Upgrade package from the R76SP.50
   60000/40000 Security Platforms Home Page
   http://supportcontent.checkpoint.com/solutions?id=sk115735.
   You need this image during the upgrade procedure.

Upgrading Chassis B
Notes:
• When the command includes -c, enter the Chassis ID only, not the word chassis.
  For example: # asg chassis_admin -c 1 down
• When the command includes -b, enter the word Chassis and its ID of Chassis1 or Chassis2.
  For example: # g_reboot -a -b chassis1

6. Set Chassis B to administratively DOWN state.
   # asg chassis_admin -c <Chassis_B_ID> down
7. Disconnect the cables connected to all ports on Chassis B (Management, Data and
   Synchronization).
7a. Connect to the serial port on SGM1 on Chassis B.
7b. Use a terminal emulation utility to open a console session.
8. Install the R76SP.50 image on the SGM from a removable media.
   Install the image on all the SGMs at the same time, or create a bootable USB media for
   each SGM.
9. When installation is complete on all SGMs, log into SGM1 from your console session.
   User name/password are admin/admin.
10. Start the installation.
   > setup
11. Configure the setup to be similar to Chassis A.
   Apply all the configuration instructions that Check Point Support gave you.
12. Reboot all SGMs.
   # g_reboot -a -b chassis<Chassis_B_ID>
   Important - Wait until all SGMs are up and running before you continue.
13. Make sure the installed version is correct.
   # asg_version -v
14. Upgrade the SSMs on Chassis B.
   # asg_ssm_upgrade ssm all
15. Upgrade CMM firmware (on page 35) on Chassis B.
16. Install a policy on Chassis B.
17. Disconnect the Management port from Chassis A.
   Note - Logs are not saved during these steps.
18. Connect the Management port to Chassis B.
19. In SmartDashboard, change the Security Gateway object to version R76.
20. Establish SIC Trust.
21. Install the policy.

Failing Over to Chassis B


22. Disconnect the cables from all ports (Management, Data, and Synchronization) on
   Chassis A's SSMs.
   The 60000/40000 Security Platform is temporarily disconnected from the network.
23. Connect the data ports to Chassis B.
   Note - Do not reconnect the Synchronization port to Chassis B.
24. Run post-upgrade tests to make sure that traffic flows normally on Chassis B.
   Note - Chassis B is now handling the traffic.

Upgrading Chassis A
25. Connect a console to the serial port on SGM1 on Chassis A.
   Use a terminal emulation utility to open a console session.
26. Install the R76SP.50 image from a removable media on each SGM.
   Install the image on all SGMs at the same time, or create a bootable USB media for
   each SGM.
27. Manually upgrade the SSMs on Chassis A.
27a. Activate the private shell.
   Connect to the SSM over SSH.
   Press Ctrl+C to close the private shell.
   Enter log to close the SSM console session.
   unhide private (password = private)
   show private shell
   mount -rw -o remount /batm/
27b. Copy the firmware upgrade file to both SSMs.
   When prompted, enter this password: thmhetafbzh
   scp -P 2024 /opt/CPsuite-R76/fw1/conf/hw_firmware/2.4.C20.1.T-ATCA404.tar.bz2 root@<SSM_IP>:/batm/current_version/
   Where <SSM_IP>:
   • 198.51.100.32 for SSM1
   • 198.51.100.232 for SSM2
27c. From a console session to an SSM, overwrite the default configuration.
   T-HUB4# file ls os-image
   T-ATCA404# file activate-os-image <Specify File Name>
   T-HUB4# config terminal
   Entering configuration mode terminal
   T-HUB4(config)# system reload manufacturing-defaults
   Are you sure that you want to delete existing configuration and
   reload manufacturing default configuration (yes/no)? yes
27d. Make sure that the firmware upgrade is successful.
   # asg_version -v
27e. Do these steps again on the other SSM.
28. Upgrade CMM firmware (on page 35) on Chassis A.
29. Connect the Sync interface to Chassis B and wait for all SGMs on Chassis A to reboot.
30. Make sure the version is correct.
   # asg_version -v
31. Connect all Management and Data ports on Chassis A.
32. Set Chassis A to administratively UP state.
33. Make sure that the 60000/40000 Security Platform works normally.
   # asg diag verify
34. Upgrade SSM firmware to be aligned to Chassis B firmware.
   # asg_ssm_upgrade

Failing Over to Chassis A


35. Manually fail over from Chassis B to Chassis A.
   Chassis B is now the Standby Chassis.
   # asg chassis_admin -c <Chassis_B_ID> down
36. Set Chassis B to administratively UP state.
   # asg chassis_admin -c <Chassis_B_ID> up

Completing the Upgrade


37. Run post-upgrade tests to make sure traffic flows normally on Chassis A and that the
   system works normally.
   # asg diag verify



CHAPTER 4

Upgrading from a Minor Release


In This Section:
  Upgrading a Dual-Chassis System from a Minor Release
  Upgrading a Single Chassis System from a Minor Release

To upgrade from a minor release, use an HFA Upgrade package. Download it from the R76SP.50
60000/40000 Security Platforms Home Page
http://supportcontent.checkpoint.com/solutions?id=sk115735.

Upgrading a Dual-Chassis System from a Minor Release
Use this procedure to upgrade to R76SP.50 from: R76SP.10, R76SP.20, R76SP.30 and R76SP.40.
Notes:
• The minor upgrade procedure from R76SP should be done as a major upgrade (on page 7).
• Before you upgrade from R76SP.10 or R76SP.20, check that there are no Virtual Systems
  running with the Initial Policy. Run: vsx stat -v
• In this procedure, upgrade one Chassis at a time. The other Chassis continues to handle
  traffic.
  Upgrade Chassis B through an SGM on Chassis A, and then upgrade Chassis A through an SGM
  on Chassis B.
• Bond interfaces that are not connected to any Virtual System should be deleted from the
  topology before the upgrade procedure.
• Important for the VSX System in VSLS mode: The upgrade procedure will change the system
  to the VSX High Availability mode.
  Change the system back to VSX VSLS mode when the upgrade procedure is complete.
• When the command includes -c, enter the Chassis ID only, not the word chassis.
  For example: # asg chassis_admin -c 1 down
• When the command includes -b, enter the word Chassis and its ID of Chassis1 or Chassis2.
  For example: # g_reboot -a -b chassis1

Preliminary Steps
1. Make sure that all SGMs and SSMs are up to date and that the system is configured
   correctly.
   # asg diag verify
2. Copy the HFA Upgrade package to the SMO.
   Check_Point_R76SP_50_upgrade.linux.tgz
3. Create a temporary directory on the SMO in: /home/admin/
   # mkdir -v /home/admin/temp
   If a temporary directory already exists, delete it first with this command:
   # g_all rm -rf /home/admin/temp
4. Extract the HFA Upgrade package to the temporary directory.
   # tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/
Best Practice - Connect over a console to the SMO and run the next steps through the console
connection.
5. Run the pre-installation script.
   # cd /home/admin/temp/
   # ./AsgInstallScript pre_install
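
Steps 2 to 4 above, written as one shell function for a single host. This is an added example, not part of the Check Point guide: the function names, the optional SHA-256 argument and the member-name check are assumptions added here, and on the platform the stale directory is removed on all SGMs with g_all as step 3 states.

```shell
#!/bin/sh
# Added example (not from the Check Point guide).
# Stages an upgrade package the way steps 2-4 describe, with checks
# before anything is extracted. Paths are parameters, so it can be
# tried outside /home/admin.

# Reads archive member names on stdin; succeeds if any name is absolute
# or contains a ".." path component.
has_unsafe_member_names() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# stage_hfa_package <package.tgz> <temp_dir> [expected_sha256]
# Return codes: 0 ok, 2 bad arguments, 3 hash mismatch,
#               4 unreadable or unsafe archive, 5 extraction failed,
#               6 AsgInstallScript not found after extraction.
stage_hfa_package() {
    pkg=$1
    dest=$2
    want=${3:-}

    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 2; }
    case "$dest" in
        ''|/) echo "refusing to use '$dest' as temporary directory" >&2
              return 2 ;;
    esac

    # Optional integrity check against a hash obtained out of band
    # (assumption: sha256sum is available on the host).
    if [ -n "$want" ]; then
        got=$(sha256sum "$pkg" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "SHA-256 mismatch for $pkg" >&2; return 3; }
    fi

    # List the archive first. A truncated or corrupt copy fails here,
    # before the old temporary directory is touched.
    listing=$(tar -tzf "$pkg") || { echo "cannot read archive: $pkg" >&2; return 4; }
    if printf '%s\n' "$listing" | has_unsafe_member_names; then
        echo "archive contains absolute or parent-directory paths" >&2
        return 4
    fi

    # Step 3: remove a stale temporary directory, then create a fresh one.
    rm -rf -- "$dest"
    mkdir -p -- "$dest" || return 5

    # Step 4: extract into the temporary directory.
    tar -xzf "$pkg" -C "$dest" || return 5

    # Step 5 runs ./AsgInstallScript from this directory, so it must exist.
    [ -x "$dest/AsgInstallScript" ] || {
        echo "AsgInstallScript missing or not executable in $dest" >&2
        return 6
    }
    return 0
}
```
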

Upgrading Chassis B
6. Set Chassis B to administratively DOWN state.
   > asg chassis_admin -c <Chassis_B_ID> down
7. Make sure that Chassis B is in administratively DOWN state.
   > asg monitor -all
8. Upgrade Chassis B.
   Note - Make sure to run the script from Chassis A and not Chassis B.
   # cd /home/admin/temp/
   # ./AsgInstallScript -b chassis<Chassis_B_ID>
Confirm that the HFA Upgrade installation procedure completed successfully.
A summary message shows when the upgrade is complete.
9. If the installation was successful:
   a. You are prompted to upgrade the SSM firmware. You can do this now or later.
      If you do not upgrade the firmware now at the prompt, upgrade it later with:
      # asg_ssm_upgrade
   b. Reboot the SGMs when prompted. Wait until all SGMs are UP.
10. Make sure that all SGMs show the correct version.
   # asg_version -v
   Note - SGMs on Chassis A show as failed, or show the previous version. This is normal,
   and you can continue to the next step.

Failing Over to Chassis B


11. Set Chassis B to administratively UP state.
   > asg chassis_admin -c <Chassis_B_ID> up
12. Run the diagnostics.
   # asg policy verify -a [-vs all]
   # asg_route -a [--vs all]
13. Make sure that Chassis B is UP and enforces security.
   > asg stat -v
   Important - You must correct all errors shown by the diagnostics before you
   continue to the next step.
14. Set Chassis A to administratively DOWN state.
   > asg chassis_admin -c <Chassis_A_ID> down
15. Make sure that all SGMs are UP, and that traffic flows normally on Chassis B.
   > asg monitor [-vs all]
   > asg perf [-vs all] -v
   Important - Make sure Chassis B works correctly before you upgrade Chassis A.

Upgrading Chassis A
16. Copy the HFA Upgrade package to the SMO.
   Check_Point_R76SP_50_upgrade.linux.tgz
17. Create a temporary directory on the SMO in: /home/admin/
   # mkdir -v /home/admin/temp
   If a temporary directory already exists, delete it first with this command:
   # g_all rm -rf /home/admin/temp
18. Extract the HFA Upgrade package to the temporary directory.
   # tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/
Best Practice - Connect over a console to the SMO and run the next steps through the console
connection.
19. Make sure that Chassis A is in administratively DOWN state.
   > asg monitor -all
20. Upgrade Chassis A.
   Note - Make sure to run the script from Chassis B and not Chassis A.
   # cd /home/admin/temp/
   # ./AsgInstallScript -b chassis<Chassis_A_ID>
Confirm that the HFA Upgrade installation procedure completed successfully.
A summary message shows when the upgrade is complete.
21. If the installation was successful:
   a. You are prompted to upgrade the SSM firmware. You can do this now or later.
      If you do not upgrade the firmware now at the prompt, upgrade it later with:
      # asg_ssm_upgrade
   b. Reboot the SGMs when prompted. Wait until all SGMs are UP.

Failing Over to Chassis A


22. Set Chassis A to administratively UP state.
   > asg chassis_admin -c <Chassis_A_ID> up
23. Run the diagnostics.
   # asg policy verify -v [-vs all]
   # asg_route
24. Make sure that Chassis A is UP and enforces security.
   > asg stat -v
   Important - You must correct all errors shown by the diagnostics before you
   continue to the next step.

Completing the Upgrade


25. Run the finalize step.
   # ./AsgInstallScript finalize
   Note - This is a mandatory step.
26. Make sure all SGMs and SSMs are up to date, and that the system is configured
   correctly.
   # asg diag verify
27. Delete the upgrade files from all relevant SGMs.
   # g_all rm -r /home/admin/temp/
   # g_rm /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz

Upgrading a Single Chassis System from a Minor Release
To upgrade the Chassis, you must use two SGM groups.
You should not upgrade all the SGMs at the same time.
With this procedure, upgrade half of the SGMs at one time.
The other half continues to handle traffic.
Upgrade Group B SGMs through an SGM of Group A, and then upgrade Group A SGMs through an
SGM of Group B.

Preliminary Steps
1. Make sure that all SGMs and SSMs are up to date, and that the system is configured
   correctly.
   > asg diag verify
2. Divide the SGMs into two groups (A and B).
   SGMs in Group A remain Active and continue to handle traffic while you upgrade SGMs in
   Group B. Then, fail over between SGMs from Group A to Group B, which handles traffic
   while you upgrade SGMs in Group A.
3. Copy the HFA Upgrade package to the SMO:
   Check_Point_R76SP_50_upgrade.linux.tgz
   Important - The SMO must be an SGM of Group A.
4. Create a temporary directory on the SMO in: /home/admin/
   # mkdir -v /home/admin/temp
   If a temporary directory already exists, delete it first with this command:
   # g_all rm -rf /home/admin/temp
5. Extract the HFA Upgrade package to the temporary directory.
   # tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/
Best Practice - Connect over a console to the SMO and run the next steps through the console
connection.
Console connection is not mandatory, if you skip the SSM firmware upgrade step in the upgrade
process.
6. Run the pre-installation procedure.
   # cd /home/admin/temp/
   # ./AsgInstallScript pre_install

Upgrading SGMs in Group B


7. Set SGMs in Group B to administratively DOWN state.
   > asg sgm_admin -b <Group_B_SGM_IDs> down -p
8. Make sure that all SGMs in Group B are DOWN.
   > asg monitor -all
9. Upgrade SGMs in Group B.
   # cd /home/admin/temp/
   # ./AsgInstallScript -b <Group_B_SGM_IDs> -a
Confirm that the HFA Upgrade installation procedure completed successfully.
A summary message shows when the upgrade is complete.
If the installation was successful, you are prompted to run SSM firmware upgrade checks.
Do not do that at this time.
10. When prompted, reboot SGMs in Group B. After reboot, the SGMs on Group B stay in the
   administratively DOWN state.

Failing Over to SGMs in Group B


11. Run the diagnostics.
   > asg policy verify -a [-vs all] -v
   > asg_route -a
12. Set SGMs in Group B to administratively UP state.
   > asg sgm_admin -b <Group_B_SGM_IDs> up -p
13. Make sure that all SGMs in Group B are UP and enforce security.
   > asg stat -v
14. Set SGMs in Group A to administratively DOWN state.
   > asg sgm_admin -b <Group_A_SGM_IDs> down -p
15. Make sure that the SGMs in Group B are UP and enforce security.
   > asg monitor [-vs all]
   > asg perf [-vs all] -v
   Important - Make sure SGMs in Group B work correctly before you upgrade SGMs in
   Group A.

Upgrading SGMs in Group A


16. Copy the HFA Upgrade package to the SMO:
   Check_Point_R76SP_50_upgrade.linux.tgz
   Note - The SMO must be an SGM of Group B.
17. Create a temporary directory on the SMO in: /home/admin/
   # mkdir -v /home/admin/temp
   If a temporary directory already exists, delete it first with this command:
   # g_all rm -rf /home/admin/temp
18. Extract the HFA Upgrade package to the temporary directory.
   # tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/
Best Practice - Connect over a console to the SMO and run the next steps through the console
connection.
A console connection is not mandatory, if you skip the SSM firmware upgrade step in the upgrade
process.
19. Make sure that all SGMs in Group A are DOWN.
   > asg monitor -all
20. Upgrade SGMs in Group A.
   # cd /home/admin/temp/
   # ./AsgInstallScript -b <Group_A_SGM_IDs> -a
Confirm that the HFA Upgrade installation procedure completed successfully.
A summary message shows when the upgrade is complete.
If the installation was successful, you are prompted to run SSM firmware upgrade checks.
Do not do this at this time.
21. When prompted, reboot Group A SGMs. After reboot, the Group A SGMs stay in the Admin
   DOWN state.

Note - You can run the SSM firmware upgrade now. Press Y at the prompt. This will cause some
downtime.

Completing the Upgrade


22. Run the finalize step.
   # ./AsgInstallScript finalize
   Note - This is a mandatory step.
23. Make sure all SGMs and SSMs are up to date, and that the system is configured
   correctly.
   # asg diag verify
24. Delete the upgrade files on all SGMs on both the Active and Standby Chassis.
   # g_all rm -r /home/admin/temp/
   # g_rm /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz



CHAPTER 5

Installing a Jumbo Hotfix Accumulator


In This Section:
  Installation on a Dual-Chassis System
  Installing a Jumbo Hotfix Accumulator on a Single Chassis System

Installation on a Dual-Chassis System


Notes:
• When the command includes -c, enter the Chassis ID only, not the word chassis.
  For example: # asg chassis_admin -c 1 down
• When the command includes -b, enter the word Chassis and its ID of Chassis1 or Chassis2.
  For example: # g_reboot -a -b chassis1

Preliminary Steps
1. Connect a console to the Active Chassis.
   Make sure that all SGMs and SSMs are up to date and that the system is configured
   correctly.
   # asg diag verify
2. Upload the Jumbo Hotfix Accumulator installation file to /home/admin/ directory
   on the Active Chassis.
3. Make a temporary directory.
   # mkdir -v /home/admin/temp
4. Extract the Jumbo Hotfix Accumulator to the temporary directory.
   # tar -xzvf /home/admin/Check_Point_R76SP_50_JHF.linux.tgz -C /home/admin/temp/

Best Practice - Connect a console to the SMO and run the next steps through the console
connection.


Installing the Jumbo Hotfix Accumulator on Chassis B


Step 5. Set Chassis B to administratively DOWN state.
    Command:
    > asg chassis_admin -c <Chassis_B_ID> down
Step 6. Make sure that Chassis B is in administratively DOWN state.
    Command:
    > asg monitor -all
Step 7. Install the Jumbo Hotfix Accumulator on Chassis B.
    Note - Make sure to run the script from Chassis A and not Chassis B.
    Commands:
    # cd /home/admin/temp/
    # ./AsgInstallScript -b chassis<Chassis_B_ID>
    Make sure that the Jumbo Hotfix Accumulator installation procedure completed successfully.
    A summary message shows when the installation is complete.
Step 8. If the installation was successful:
    a. You are prompted to upgrade the SSM firmware. You can do this now or later.
       If you do not upgrade the firmware now at the prompt, upgrade it later with:
       # asg_ssm_upgrade
    b. Reboot the SGMs when prompted. Wait until all SGMs are UP.
Step 9. Make sure that all SGMs show the correct version.
    Note - SGMs on Chassis A show as failed or show the old version. This is normal, and you can go to the next step.
    Command:
    # asg_version -v

Failing Over to Chassis B


Step 10. Set Chassis B to administratively UP state.
    Command:
    > asg chassis_admin -c <Chassis_B_ID> up
Step 11. Run the diagnostics.
    Commands:
    # asg policy verify -v [-vs all]
    # asg_route
Step 12. Make sure that Chassis B is UP and enforces security.
    Important - You must correct all errors shown by the diagnostics before you continue to the next step.
    Command:
    > asg stat -v
Step 13. Set Chassis A to administratively DOWN state.
    Command:
    > asg chassis_admin -c <Chassis_A_ID> down
Step 14. Make sure that all SGMs are UP, and that traffic flows normally on Chassis B.
    Important - Make sure Chassis B works correctly before you upgrade Chassis A.
    Commands:
    > asg monitor [-vs all]
    > asg perf [-vs all] -v


Installing the Jumbo Hotfix Accumulator on Chassis A


Step 15. Upload the Jumbo Hotfix Accumulator installation file to /home/admin/ directory on the Active Chassis.
Step 16. Make a temporary directory.
    Command:
    # mkdir -v /home/admin/temp
Step 17. Extract the Jumbo Hotfix Accumulator to the temporary directory.
    Command:
    # tar -xzvf /home/admin/Check_Point_R76SP_50_JHF.linux.tgz -C /home/admin/temp/
Step 18. Make sure that Chassis A is in administratively DOWN state.
    Command:
    > asg monitor -all
Step 19. Install the Jumbo Hotfix Accumulator on Chassis A.
    Note - Make sure to run the script from Chassis B and not Chassis A.
    Commands:
    # cd /home/admin/temp/
    # ./AsgInstallScript -b chassis<Chassis_A_ID>
    Confirm that the Jumbo Hotfix Accumulator installation procedure completed successfully.
    A summary message shows when the installation is complete.
Step 20. If the installation was successful:
    a. You are prompted to upgrade the SSM firmware. You can do this now or later.
       If you do not upgrade the firmware now at the prompt, upgrade it later with:
       # asg_ssm_upgrade
    b. Reboot the SGMs when prompted. Wait until all SGMs are UP.
Step 21. Make sure that all SGMs show the correct version.
    Note - SGMs on Chassis B show as failed or show the old version. This is normal, and you can go to the next step.
    Command:
    # asg_version -v


Failing Over to Chassis A


Step 22. Set Chassis A to administratively UP state.
    Command:
    > asg chassis_admin -c <Chassis_A_ID> up
Step 23. Run the diagnostics.
    Commands:
    # asg policy verify -v [-vs all]
    # asg_route
Step 24. Make sure that Chassis A is UP and enforces security.
    Important - You must correct all errors shown by the diagnostics before you continue to the next step.
    Command:
    > asg stat -v

Completing the Installation


Step 25. Make sure all SGMs and SSMs are up to date and that the system is configured correctly.
    Command:
    # asg diag verify
Step 26. Delete the installation files from all applicable SGMs.
    Commands:
    # g_all rm -r /home/admin/temp/
    # g_rm /home/admin/Check_Point_R76SP50_JHF.linux.tgz


Installing a Jumbo Hotfix Accumulator on a Single Chassis System

Step 1. Connect a console to the Active Chassis. Make sure that all SGMs and SSMs are up to date and that the system is configured correctly.
    Command:
    # asg diag verify
Step 2. Upload the Jumbo Hotfix Accumulator installation file to /home/admin/ directory on the Chassis.
Step 3. Make a temporary directory.
    Command:
    # mkdir -v /home/admin/temp
Step 4. Extract the installation files to the temporary directory.
    Command:
    # tar -xzvf /home/admin/Check_Point_R76SP50_JHF.linux.tgz -C /home/admin/temp/
Step 5. Go to the temporary directory and run the installation script.
    Note - <Group_SGMs> are all SGMs in Group A or Group B as applicable.
    Commands:
    # cd /home/admin/temp
    # ./AsgInstallScript -b <Group_SGMs>
Best Practice - Connect a console to the SMO and run the next steps through the console connection.
Step 6. Install the Jumbo Hotfix Accumulator.
    Commands:
    # cd /home/admin/temp/
    # ./AsgInstallScript -b <Group_SGMs>
Step 7. Confirm that the Jumbo Hotfix Accumulator installation procedure completed successfully. A summary message shows when the installation is complete.
Step 8. If the installation was successful:
    a. You are prompted to upgrade the SSM firmware. You can do this now or later.
       If you do not upgrade the firmware now at the prompt, upgrade it later with:
       # asg_ssm_upgrade
    b. Reboot the SGMs when prompted. Wait until all SGMs are UP.
Step 9. Make sure that all SGMs show the correct version.
    Command:
    # asg_version -v
Best Practice - Install the Jumbo Hotfix Accumulator before executing the failover.

CHAPTER 6

Multiple Security Groups


In This Section:
Description
Preliminary Steps
Upgrading Chassis B
Failing Over to Chassis B
Upgrading Chassis A
Failing Over to Chassis A
Verification
Enabling Multiple Security Groups

For more information about the Multiple Security Groups, see the R76SP.50 Administration Guide
https://sc1.checkpoint.com/documents/R76SP.50/CP_R76SP.50_Security_System_AdminGuide/html_frameset.htm.
This section provides specific upgrade steps from the existing release to the new release with the
support of Multiple Security Groups.

Description
The Multiple Security Groups feature lets you configure more than one Security Group on the
same Scalable Platform.
• Up to 12 Security Groups are supported.
• All configured Security Groups share the same chassis resources.
• Each configured Security Group runs an independent SMO.
• Each configured Security Group runs as a Security Gateway or VSX Gateway.
• Different Security Groups can run with different types of SGMs.
  Example:
  • SecurityGroup1: SGM260
  • SecurityGroup2: SGM400
• Different Security Groups can have different Chassis High Availability modes.
  Example:
  • SecurityGroup1: Active UP
  • SecurityGroup2: VSLS
• Different Security Groups can share the same Trunk interface with different VLANs.
• Each Security Group uses its own independent license.


To support Multiple Security Groups in R76SP.50, it is mandatory to install these on your Scalable
Platform:
1. R76SP.50 Take 148 and above. See sk115735
http://supportcontent.checkpoint.com/solutions?id=sk115735.
2. R76SP.50 Jumbo Hotfix Accumulator Take 161 and above. See sk117633
http://supportcontent.checkpoint.com/solutions?id=sk117633.
Important - The Multiple Security Groups feature is not supported in R76SP.50 Build 84 and R76SP.50
Jumbo Hotfix Accumulator Takes 16 - 105. It is mandatory to re-image the SGMs with the required
R76SP.50 Take and install the required Jumbo Hotfix Accumulator Take. If you only install the
required Jumbo Hotfix Accumulator on top of R76SP.50 Build 84, the attempt to enable Multiple
Security Groups is blocked.

Preliminary Steps
Important Note for VSX Virtual System Load Sharing mode - The upgrade procedure requires you to
change the configuration from the VSX Virtual System Load Sharing mode to the VSX High
Availability mode. After the upgrade procedure is complete, manually configure the system from
the VSX High Availability mode back to the VSX Virtual System Load Sharing mode.
The upgrade procedure below applies to a Dual Chassis setup.

Step 1. Make sure that your Management Server runs version R76 or higher. If not, upgrade your Management Server.
    Command:
    # fwm ver
Step 2. Back up your 60000/40000 Security Platform.
Step 2a. On each Chassis, create a snapshot of one SGM.
    Note - Run the commands on an arbitrary SGM on Chassis A and on Chassis B.
    Commands:
    > set global-mode 0
    > add snapshot pre_upgrade
Step 2b. On each Chassis, make sure that the snapshot was created successfully.
    Command:
    > show snapshots
Step 2c. On each Chassis, export the snapshot.
    Commands:
    > set snapshot export pre_upgrade path /var/log/
    > show snapshots
    > set global-mode 1
Step 2d. On each Chassis, copy the exported snapshot to an external media or a remote server:
    /var/log/pre_upgrade.tgz
Step 2e. On each Chassis, collect configuration settings and system status information into a data file:
    /var/log/asg_report.<host_name>_<date_stamp>_tar.gz
    Command:
    > asg_info -f
Step 3. On a Chassis in VSX VSLS mode only: Change the VSX mode from the VSLS to the High Availability.
    Command:
    > set chassis high-availability mode 0
Step 4. Download the R76SP.50 ISO image required for Multiple Security Groups from the R76SP.50 60000/40000 Security Platforms Home Page http://supportcontent.checkpoint.com/solutions?id=sk115735.
    You need this image during the upgrade procedure.

Upgrading Chassis B
Step 5. Set Chassis B to administratively DOWN state.
    Command:
    # asg chassis_admin -c <Chassis_B_ID> down
Step 6. On Chassis B, perform a Clean Install of the required R76SP.50 ISO on each SGM.
    Install the image on all the SGMs at the same time, or create a bootable USB media for each SGM.
Step 7. On Chassis B, wait until all members are in UP state and enforcing policy.
    Command:
    > asg monitor
Step 8. On Chassis B, reset the SSMs to factory default.
    Important - Run these commands from a serial connection on Chassis B. This reset interrupts all traffic, including the SSH.
    Commands:
    > asg_chassis_ctrl reload_ssm_default 1
    > asg_chassis_ctrl reload_ssm_default 2
Step 9. On Chassis B, install the required Jumbo Hotfix Accumulator.
Step 9a. Copy the installation *.tgz package to the SMO:
    Check_Point_R76SP_50_upgrade.linux.tgz
Step 9b. Create a temporary directory on the SMO in the /home/admin/ directory.
    Command:
    > mkdir -v /home/admin/temp
    If such temporary directory already exists, first delete it with this command:
    > g_all rm -rf /home/admin/temp
Step 9c. Extract the *.tgz package to the temporary directory.
    Command:
    > tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/
Step 9d. Start the Jumbo Hotfix Accumulator installation script.
    Important - Make sure to run the script from Chassis A and not Chassis B.
    Commands:
    > cd /home/admin/temp/
    > ./AsgInstallScript -b chassis<Chassis_B_ID>
Step 10. Make sure all SGMs show the correct version.
    Note - SGMs on Chassis A show as failed because at this time, SGMs on Chassis A and SGMs on Chassis B have different versions. This is normal. Continue to the next step.
    Command:
    # asg_version -v
Step 11. Set Chassis B to administratively UP state.
    Command:
    # asg chassis_admin -c <Chassis_B_ID> up
Step 12. On Chassis B, run the diagnostics.
    Commands:
    > asg policy verify -a [-vs all]
    > asg_route -a [--vs all]
Step 13. Make sure that Chassis B is UP and enforces security policy.
    Important - You must correct all errors shown by the diagnostics before you continue to the next step.
    Command:
    > asg stat -v

Failing Over to Chassis B


Step 14. Set Chassis A to administratively DOWN state.
    Command:
    > asg chassis_admin -c <Chassis_A_ID> down
Step 15. On Chassis B, make sure that all SGMs are UP, and that traffic flows normally.
    Important - Make sure Chassis B works correctly before you upgrade Chassis A.
    Commands:
    > asg monitor [-vs all]
    > asg perf [-vs all] -v

Upgrading Chassis A
Step 16. Set Chassis A to administratively DOWN state.
    Command:
    # asg chassis_admin -c <Chassis_A_ID> down
Step 17. On Chassis A, perform a Clean Install of the required R76SP.50 ISO on each SGM.
    Install the image on all the SGMs at the same time, or create a bootable USB media for each SGM.
Step 18. On Chassis A, wait until all members are in UP state and enforcing policy.
    Command:
    > asg monitor
Step 19. On Chassis A, reset the SSMs to factory default.
    Important - Run these commands from a serial connection on Chassis A. This reset interrupts all traffic, including the SSH.
    Commands:
    > asg_chassis_ctrl reload_ssm_default 1
    > asg_chassis_ctrl reload_ssm_default 2
Step 20. On Chassis A, install the required Jumbo Hotfix Accumulator.
Step 20a. Copy the installation *.tgz package to the SMO:
    Check_Point_R76SP_50_upgrade.linux.tgz
Step 20b. Create a temporary directory on the SMO in the /home/admin/ directory.
    Command:
    > mkdir -v /home/admin/temp
    If such temporary directory already exists, first delete it with this command:
    > g_all rm -rf /home/admin/temp
Step 20c. Extract the *.tgz package to the temporary directory.
    Command:
    > tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/
Step 20d. Start the Jumbo Hotfix Accumulator installation script.
    Important - Make sure to run the script from Chassis A and not Chassis B.
    Commands:
    > cd /home/admin/temp/
    > ./AsgInstallScript -b chassis<Chassis_A_ID>
Step 21. Make sure all SGMs show the correct version.
    Note - SGMs on Chassis B show as failed, or show a previous version. This is normal. Continue to the next step.
    Command:
    # asg_version -v
Step 22. Set Chassis A to administratively UP state.
    Command:
    # asg chassis_admin -c <Chassis_A_ID> up
Step 23. On Chassis A, run the diagnostics.
    Commands:
    > asg policy verify -a [-vs all]
    > asg_route -a [--vs all]
Step 24. Make sure that Chassis A is UP and enforces security policy.
    Important - You must correct all errors shown by the diagnostics before you continue to the next step.
    Command:
    > asg stat -v


Failing Over to Chassis A


Step 25. Set Chassis B to administratively DOWN state.
    Command:
    > asg chassis_admin -c <Chassis_B_ID> down
Step 26. On Chassis A, make sure that all SGMs are UP, and that traffic flows normally.
    Commands:
    > asg monitor [-vs all]
    > asg perf [-vs all] -v

Verification
Step 26. Make sure all SGMs show the correct version.
    Command:
    > asg_version -v
Step 27. On a Chassis in VSX VSLS mode only: Change the VSX mode from the High Availability to the VSLS.
    Command:
    > set chassis high-availability mode 4
Step 28. Make sure all SGMs and SSMs are up to date, and that the system is configured correctly.
    Command:
    > asg diag verify

Enabling Multiple Security Groups


Follow the instructions in the R76SP.50 Administration Guide
https://sc1.checkpoint.com/documents/R76SP.50/CP_R76SP.50_Security_System_AdminGuide/html_frameset.htm
- Chapter 60000/40000 Security Platforms - Section Multiple Security Groups.

CHAPTER 7

Installing and Uninstalling a Hotfix on SGMs
In This Section:
Installing a Hotfix on SGMs
Uninstalling a Hotfix on SGMs

Installing a Hotfix on SGMs


Description
Use asg_hf_installer to install one Hotfix on SGMs.
Best Practice - We recommend you follow the directions that come with the Hotfix.

Syntax

# asg_hf_installer -b <SGM_IDs> install file <File_Name> [no_confirm]
[no_reboot] [force] [no_sync] [sync_reg] [admin_up] [no_admin_down]
[no_crs]

Parameters

-b <SGM_IDs>
    Works with SGMs and/or Chassis as specified by <SGM_IDs>.
    <SGM_IDs> can be:
    • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
    • One SGM (for example, 1_1)
    • A comma-separated list of SGMs (for example, 1_1,1_4)
    • A range of SGMs (for example, 1_1-1_4)
    • One Chassis (chassis1, or chassis2)
    • The active Chassis (chassis_active)
install
    Specifies to perform the installation of the Hotfix.
file <File_Name>
    Specifies the Hotfix path and file name.
    This must be a .tgz file.
no_confirm
    Installs the Hotfix without asking any questions.
no_reboot
    Installs the Hotfix without reboot.
force
    Installs the Hotfix, even if it was installed already.
no_sync
    Does not synchronize files listed in the /etc/xfer_file_list file during the next reboot.
sync-reg
    Synchronizes Check Point Registry during the next reboot.
    Default: Check Point Registry is not synchronized.
admin-up
    Changes the state to Admin Up when you have finished the Hotfix installation.
    Default: Admin Down state.
no_admin_down
    Does not change the state to the Admin Down position at the beginning of the Hotfix installation.
    Default: Change to Admin Down state.
no_crs
    For internal Check Point use only.
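
A pre-flight check for the -b target formats listed above, as an added example (not Check Point code): it validates the target and refuses one that touches the chassis the operator is logged in to, which is the mistake the "run the script from Chassis A and not Chassis B" notes in this guide warn about. The function names, the MAX_SLOT limit, chassis IDs 1 and 2, and the rule that a range stays inside one chassis are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code. Validates a "-b" target before it is
# passed to AsgInstallScript or asg_hf_installer.
# Assumptions: chassis IDs are 1 and 2, MAX_SLOT is site-specific, a range
# stays inside one chassis, and a target is a keyword, one range, or a list.

MAX_SLOT=${MAX_SLOT:-12}   # assumption: highest SGM slot number in a chassis

# strip_zeros N: drop leading zeros so that "2_01" and "2_1" compare equal.
strip_zeros() {
    sz_n=$1
    while [ "${#sz_n}" -gt 1 ] && [ "${sz_n#0}" != "$sz_n" ]; do
        sz_n=${sz_n#0}
    done
    printf '%s' "$sz_n"
}

# parse_sgm ID: print "<chassis> <slot>" for a valid SGM ID, else return 1.
parse_sgm() {
    case $1 in
        *[!0-9_]*|_*|*_|*_*_*) return 1 ;;   # stray characters or underscores
        *_*) ;;                              # exactly "<digits>_<digits>"
        *) return 1 ;;
    esac
    ps_ch=$(strip_zeros "${1%%_*}")
    ps_slot=$(strip_zeros "${1#*_}")
    case $ps_ch in 1|2) ;; *) return 1 ;; esac
    [ "${#ps_slot}" -le 3 ] || return 1
    [ "$ps_slot" -ge 1 ] && [ "$ps_slot" -le "$MAX_SLOT" ] || return 1
    printf '%s %s' "$ps_ch" "$ps_slot"
}

# expand_spec SPEC: print the normalized target list, or return 1 if invalid.
# Keywords are printed unchanged; an empty SPEC means "all", as in the table.
expand_spec() {
    es_out=
    case $1 in
        ''|all) printf 'all'; return 0 ;;
        chassis1|chassis2|chassis_active) printf '%s' "$1"; return 0 ;;
        *-*)    # one range, for example 1_1-1_4
            es_a=$(parse_sgm "${1%%-*}") || return 1
            es_b=$(parse_sgm "${1#*-}") || return 1
            es_ca=${es_a% *}; es_sa=${es_a#* }
            es_cb=${es_b% *}; es_sb=${es_b#* }
            [ "$es_ca" = "$es_cb" ] && [ "$es_sa" -le "$es_sb" ] || return 1
            es_i=$es_sa
            while [ "$es_i" -le "$es_sb" ]; do
                es_out="$es_out${es_out:+ }${es_ca}_$es_i"
                es_i=$((es_i + 1))
            done ;;
        *)      # one SGM or a comma-separated list, for example 1_1,1_4
            es_rest=$1
            while :; do
                es_p=$(parse_sgm "${es_rest%%,*}") || return 1
                es_out="$es_out${es_out:+ }${es_p% *}_${es_p#* }"
                case $es_rest in *,*) es_rest=${es_rest#*,} ;; *) break ;; esac
            done ;;
    esac
    printf '%s' "$es_out"
}

# chassis_touched SPEC: print "1", "2", "1 2", or "active" (the active
# chassis cannot be resolved without querying the live system).
chassis_touched() {
    ct_list=$(expand_spec "$1") || return 1
    case $ct_list in
        all) printf '1 2'; return 0 ;;
        chassis_active) printf 'active'; return 0 ;;
        chassis1) printf '1'; return 0 ;;
        chassis2) printf '2'; return 0 ;;
    esac
    ct_1=; ct_2=
    for ct_t in $ct_list; do
        case $ct_t in 1_*) ct_1=1 ;; 2_*) ct_2=2 ;; esac
    done
    printf '%s' "$ct_1${ct_1:+${ct_2:+ }}$ct_2"
}

# safe_from LOCAL_CHASSIS SPEC: 0 when SPEC touches only the other chassis,
# 1 when it touches (or may touch) the local one, 2 when SPEC is invalid.
safe_from() {
    sf_c=$(chassis_touched "$2") || return 2
    case $1 in 1) sf_other=2 ;; 2) sf_other=1 ;; *) return 2 ;; esac
    [ "$sf_c" = "$sf_other" ]
}

# Constructed sample targets, checked as if logged in to chassis 1.
for spec in chassis2 2_01,2_03 1_1-1_4 1_4-1_1 chassis_active; do
    if safe_from 1 "$spec"; then verdict=ok; else verdict=refuse; fi
    printf '%-16s -> %s\n' "$spec" "$verdict"
done
```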

Example
# asg_hf_installer -b chassis2 install file /var/log/fw1_wrapper_HOTFIX_R76SP_30_JHF.tgz
Hotfix Installation Wizard
==========================
Extracting fw1_wrapper_HOTFIX_R7... [OK]
Confirmation
============
You are about to perform Hotfix installation on blades: 2_01,2_02,2_03
Installing hotfix requires the following stages:
1. Setting to admin down SGMs: 2_01,2_02,2_03.
2. Rebooting of SGMs: 2_01,2_02,2_03.

Are you sure? (Y - yes, any other key - no) y

Hotfix installation requires auditing


Enter your full name: <name>
Enter reason for Hotfix installation [Maintenance]:
WARNING: Hotfix installation on blades: 2_01,2_02,2_03, User: <name>, Reason: Maintenance

Installing Hotfix
=================
Creating /tmp/hotfix/ on SGMS... [OK]
Copying fw1_wrapper_HOTFIX_R7 to SGMS... [OK]
Setting execution permission to fw1_wrapper_HOTFIX_R76SP_30_JHF... [OK]
Setting SGMs to down... [OK]
Installing hotfix on 2_01,2_02,2_03... [OK]
Reboot of SGMs 2_01,2_02,2_03 is necessary, reboot now?(y/n)
>y

Add registry commands to the registry commands file on requested SGMs [OK]
Deleting temp files... [OK]

Summary
=======

Installation of hotfix completed successfully

Rebooting SGMs: 2_01,2_02,2_03... [OK]


Uninstalling a Hotfix on SGMs


Description
Use the asg_hf_installer command to uninstall one Hotfix on SGMs.
Best Practice - We recommend you follow the directions that come with the Hotfix.

Syntax
# asg_hf_installer -b <SGMS_IDs> uninstall file <Path_and_File_Name> [no_confirm]
[no_reboot] [no_sync] [sync_reg] [admin_up] [no_admin_down]
# asg_hf_installer -b <SGMS_IDs> uninstall name <Hotfix_Name> [no_confirm]
[no_reboot] [no_sync] [sync_reg] [admin_up] [no_admin_down]

Parameters
-b <SGMS_IDs>
    Works with SGMs and/or Chassis as specified by <SGM_IDs>.
    <SGM_IDs> can be:
    • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
    • One SGM (for example, 1_1)
    • A comma-separated list of SGMs (for example, 1_1,1_4)
    • A range of SGMs (for example, 1_1-1_4)
    • One Chassis (chassis1, or chassis2)
    • The active Chassis (chassis_active)
uninstall
    Uninstalls the specified Hotfix.
file <Path_and_File_Name>
    Specifies the Hotfix full path and file name (as saved in Check Point Registry).
name <Hotfix_Name>
    Specifies the legal Hotfix name.
    This Hotfix must be installed on the requested SGMs.
    The Hotfix name is the same as that of the Hotfix name used during the installation, but without the .tgz postfix.
no_confirm
    Uninstalls the Hotfix without asking any questions.
no_reboot
    Uninstalls the Hotfix without reboot.
no_sync
    Does not synchronize files listed in the /etc/xfer_file_list file during the next reboot.
sync-reg
    Synchronizes Check Point Registry during the next reboot.
    Default: Check Point Registry is not synchronized.
admin-up
    Changes the state to Admin Up when you have finished the Hotfix uninstall.
    Default: Admin Down state.
no_admin_down
    Does not change the state to the Admin Down position at the beginning of the Hotfix uninstall.
    Default: Change to Admin Down state.


Syntax examples
# asg_hf_installer -b chassis2 uninstall name fw1_wrapper_HOTFIX_R76SP_30_J50_012
# asg_hf_installer -b chassis2 uninstall file $FWDIR/.../uninstall_fw1_wrapper_HOTFIX_R76SP_30_J50_012

Example output
# asg_hf_installer -b chassis2 uninstall name fw1_wrapper_HOTFIX_R76SP_30_J50_012
Hotfix Removal Wizard
==========================
Getting silent uninstall command on all requested SGMs [OK]
Check uninstall file exists on all requested SGMs [OK]
Confirmation
============
You are about to perform Hotfix installation on blades: 2_01,2_02,2_03
Removing hotfix requires the following stages:
1. Setting to admin down SGMs: 2_01,2_02,2_03.
2. Rebooting of SGMs: 2_01,2_02,2_03.
Are you sure? (Y - yes, any other key - no) y
Hotfix installation requires auditing
Enter your full name: <name>
Enter reason for Hotfix installation [Maintenance]:
WARNING: Hotfix installation on blades: 2_01,2_02,2_03, User: <name>, Reason: Maintenance
Removing Hotfix
=================
Setting SGMs to down... [OK]
Removing hotfix on 2_01,2_02,2_03... [OK]
Reboot of SGMs 2_01,2_02,2_03 is necessary, reboot now?(y/n)
>y
Add registry commands to the registry commands file on requested SGMs[OK]
Deleting temp files... [OK]
Summary
=======
Removal of hotfix completed successfully
Rebooting SGMs: 2_01,2_02,2_03... [OK]

Limitations
• Uninstalling a hotfix without understanding the implications may break the system.
• Uninstall of a Jumbo Hotfix Accumulator is not supported.

CHAPTER 8

Upgrading Hardware Components


In This Section:
Upgrading the CMM Firmware on N+1 Chassis
Upgrading the CMM Firmware on N+N Chassis
Upgrading SSM160 to SSM440
Upgrading SSM Firmware

Upgrading the CMM Firmware on N+1 Chassis


You can upgrade or downgrade a CMM firmware version on an N+1 Chassis.
In a Dual-Chassis configuration, first upgrade the CMMs on the Standby Chassis, then fail over the
Active Chassis and upgrade it. All CMMs in both Chassis must have the same firmware version
after the upgrade or downgrade.
Important - At certain points during this procedure, the Chassis will not have a functional CMM. At
these times, hardware monitoring data is not collected and the Chassis fans rotate at maximum
speed.
Notes:
• When the command includes -c, enter the Chassis ID only, not the word chassis.
  For example: # asg chassis_admin -c 1 down
• When the command includes -b, enter the word Chassis and its ID of Chassis1 or Chassis2.
  For example: # g_reboot -a -b chassis1
• There are two possible procedures to upgrade or downgrade the CMM Firmware.


Procedure 1 - With Physical Access to the Chassis


Use this procedure to upgrade or downgrade the CMM Firmware on an N+1 Chassis, if there is
physical access to the Chassis.

Step 1. Change the Standby Chassis to Admin DOWN state.
    Command:
    # asg chassis_admin -c <Chassis_B_ID> down
Step 2. Connect to an SGM on the Standby Chassis with SSH or a serial console.
Step 3. Download the applicable firmware version. Usually the latest recommended firmware file is located at:
    $FWDIR/conf/hw_firmware/SM_update.tar
Step 4. Copy and extract the file on the SGM to /var/log/.
    Command:
    # tar -xvf $FWDIR/conf/hw_firmware/SM_update.tar -C /var/log/
Step 5. Remove all CMMs from the Standby Chassis.
Step 6. Reinstall one CMM into the Standby Chassis.
Step 7. Copy the firmware files from the SGM to the CMM /tmp/ directory.
    Command:
    # scp /var/log/sentry.shmm500.* [email protected]:/tmp/
    The password is: admin
Step 8. Open a console connection to the serial port on the CMM front panel.
    Use the Default parameters: 9600,8,N,1
Step 9. Verify system health. This confirms that all upgrade files and sentry files successfully copied to the CMM.
    Commands:
    # clia shelf info_force_update
    # ls /tmp
Important - We recommend that you manually enter the commands below. Because of the length of the command, copy/paste can cause unexpected behaviors.
Step 10. Run these commands:
    # cd /tmp
    # setenv rc2 /etc/rc.asis
    # clia terminate
    # rupgrade_tool -s -v --r=sentry.shmm500.rfs --k=sentry.shmm500.kernel --u=sentry.shmm500.u-boot --hook=erase
Step 11. Run the firmware installation script.
    Command:
    # install.sh
Step 12. Follow the instructions on the screen. When prompted, select the applicable Chassis parameters.
    For more information about the PSU type, see sk91980 http://supportcontent.checkpoint.com/solutions?id=sk91980.
    Note - The screens that show can be slightly different.
    Screen prompts:
    Select one of following options.
    1: Press 1 for AC1(Telkoor) or DC.
    2: Press 2 for AC2(Lambda).
    3: Press 3 for DC power records.

    Power records Modification
    1: Press 1 for AC power records.
    2: Press 2 for DC power records.
    3: Press 3 to skip.

    EEprom upgrading
    1: Press 1 for EEProm upgrading.
    2: Press 2 to skip.
Step 13. If the Chassis ID is 2, change the Chassis ID setting.
    Commands:
    # sed -i 's/CHASSID="1"/CHASSID="2"/g' /etc/shmm.cfg
    # reboot
Step 14. Make sure Chassis ID is correct.
    Outputs of these commands must be the same and must show correct Chassis ID.
    If the outputs do not match, stop the procedure and contact Check Point Support immediately.
    Commands:
    # grep SHMM_CHASSID /etc/shmm.cfg
    # clia shelfaddress
Step 15. To upgrade the second CMM:
    • Remove the first upgraded CMM
    • Install the second CMM
    • Repeat Steps 7 - 13
Step 16. Insert both of the CMMs and make sure the Active and Standby CMMs both have the same firmware version.
    Command:
    > asg_version -i
Step 17. Set the Standby Chassis to Admin UP state.
    Command:
    > asg chassis_admin -c <Chassis_ID> up
Step 18. To upgrade the second (Active) Chassis CMMs:
    • Perform Chassis failover to the Standby Chassis
    • Repeat Steps 1 - 17 on the new Standby Chassis


Procedure 2 - No Physical Access to the Chassis


Use this procedure to upgrade or downgrade the CMM Firmware on an N+1 Chassis, if there is no
physical access to the Chassis.
This procedure requires a console connection to both CMMs.

Step 1. Set the Standby Chassis to administratively DOWN state.
    Command:
    # asg chassis_admin -c <Chassis_B_ID> down
Step 2. Open a console connection to the serial port on the Active and Standby CMMs on the Standby chassis.
    Note - Use the Default parameters: 9600,8,N,1
Step 3. Connect to an SGM on the Standby chassis over SSH, or a serial console.
Step 4. Download the applicable firmware version. The latest recommended firmware file is usually located here:
    $FWDIR/conf/hw_firmware/SM_update.tar
Step 5. Copy and extract the file on the SGM to /var/log.
    Command:
    # tar -xvf $FWDIR/conf/hw_firmware/SM_update.tar -C /var/log/
Step 6. Terminate the Standby CMM.
    To identify the Standby CMM:
    # clia shmstatus
    From the Standby CMM console connection:
    # clia terminate
Step 7. Copy the firmware files from the SGM to the active CMM in the /tmp/ directory.
    Command:
    # scp /var/log/sentry.shmm500.* [email protected]:/tmp/
    The password is: admin
Step 8. Run these commands from the console connection to the Active CMM.
    # cd /tmp
    # setenv rc2 /etc/rc.asis
    # clia terminate
    # rupgrade_tool -s -v --r=sentry.shmm500.rfs --k=sentry.shmm500.kernel --u=sentry.shmm500.u-boot --hook=erase
Step 9. Run the firmware installation executable. Press Enter when prompted, to reboot the CMM.
    Command:
    # install.sh
Step 10. Follow the instructions on the screen. When prompted, select the applicable Chassis parameters.
    For more information about the PSU type, see sk91980 http://supportcontent.checkpoint.com/solutions?id=sk91980.
    Note - The screens that show can differ slightly.
    Screen prompts:
    Select one of following options.
    1: Press 1 for AC1(Telkoor) or DC.
    2: Press 2 for AC2(Lambda).
    3: Press 3 for DC power records.

    Power records Modification
    1: Press 1 for AC power records.
    2: Press 2 for DC power records.
    3: Press 3 to skip.

    EEprom upgrading
    1: Press 1 for EEProm upgrading.
    2: Press 2 to skip.
Step 11. If the Chassis ID is 2, change the Chassis ID setting.
    Commands:
    # sed -i 's/CHASSID="1"/CHASSID="2"/g' /etc/shmm.cfg
    # reboot
Step 12. Make sure Chassis ID is correct.
    Outputs of these commands must be the same and must show correct Chassis ID.
    If the outputs do not match, stop the procedure and contact Check Point Support immediately.
    Commands:
    # grep SHMM_CHASSID /etc/shmm.cfg
    # clia shelfaddress
Step 13. Terminate the Active CMM.
    From the Active CMM console connection:
    # clia terminate
    # ifconfig eth0 down
    # ifconfig eth1 down
Step 14. Activate the Standby CMM, after reboot. This CMM will be the Active CMM.
    From the Standby CMM console connection:
    # reboot
Step 15. Install the firmware on the Active CMM.
    Do Steps 7-11.
Step 16. Activate the Standby CMM.
    From the Standby CMM console connection:
    # reboot
Step 17. Make sure that the Active and Standby CMMs both have the same firmware version.
    Command:
    # asg_version -i
Step 18. Set the Standby Chassis to administratively UP state.
    Command:
    # asg chassis_admin -c <Chassis_B_ID> up
Step 19. To upgrade the second (Active) Chassis CMMs:
    • Perform Chassis failover to the Standby Chassis
    • Repeat Steps 1 - 18 on the new Standby Chassis


Upgrading the CMM Firmware on N+N Chassis


You can upgrade or downgrade the CMM firmware version on an N+N Chassis.
In a Dual-Chassis configuration, upgrade the CMMs on the Standby Chassis first. Then fail over
the current Active Chassis and upgrade it. After the upgrade or downgrade, all CMMs in both
Chassis must have the same firmware version.
Important - At some stages during this procedure, the Chassis will not have a functional CMM. At
these times, hardware monitoring data is not collected and the Chassis fans rotate at maximum
speed.
Notes:
- When the command includes -c, enter the Chassis ID only, not the word Chassis.
  For example: # asg chassis_admin -c <1> OR <2> down
- There are two possible procedures to upgrade or downgrade the CMM Firmware.

Procedure 1 - With Physical Access to the Chassis


Use this procedure to upgrade or downgrade the CMM Firmware on an N+N Chassis, if there is
physical access to the Chassis.

Step Operation Command

1  Set the Standby Chassis to Admin DOWN state.
        # asg chassis_admin -c <Chassis_B_ID> down

2  Connect to an SGM on the Standby Chassis over SSH, or a serial console.

3  Download the applicable firmware version.
    Usually the latest recommended firmware file is located here:
    $FWDIR/conf/hw_firmware/SM700CC_update.tar

4  Copy and extract the file on the SGM to /var/log/.
        # tar -xvf $FWDIR/conf/hw_firmware/SM700CC_update.tar -C /var/log/

5  Remove all CMMs from the Standby Chassis.

6  Reinstall one CMM into the Standby Chassis.

7  Copy the firmware files from the SGM to the CMM in the /tmp/ directory.
        # scp /var/log/sentry.shmm700.* [email protected]:/tmp/
        The password is: admin

8  Open a console connection to the serial port on the CMM front panel and run the
    following commands:
    Note - Use the default console parameters: 9600,8,N,1
        # cd /tmp
        # clia terminate
        # setenv custcnf C00013
        # setenv rc2 /etc/rc.0000-14
        # rupgrade --erase-all --base file:///tmp/sentry.shmm700. -k kernel -r rfs -a app

9  Run the firmware installation executable.
    Note - If the screen becomes unreadable during the upgrade procedure, change the
    console screen baud rate.
        # install.sh

10  If the Chassis ID is 2, change the Chassis ID setting.
        # sed -i 's/CHASSID="1"/CHASSID="2"/g' /etc/shmm.cfg
        # reboot

11  Make sure Chassis ID is correct.
    Outputs of these commands must be the same and must show correct Chassis ID.
    If the outputs do not match, stop the procedure and contact Check Point Support
    immediately.
        # grep SHMM_CHASSID /etc/shmm.cfg
        # clia shelfaddress

12  To upgrade the second CMM:
    - Remove the first upgraded CMM
    - Install the second CMM
    - Repeat Steps 7 - 10

13  Insert both of the CMMs and make sure that Active and Standby CMMs both have the
    same firmware version.
        > asg_version -i

14  Set the Standby Chassis to administratively UP state.
        # asg chassis_admin -c <Chassis_B_ID> up

15  To upgrade the second (Active) Chassis CMMs:
    - Perform Chassis failover to the Standby Chassis
    - Repeat Steps 1 - 13 on the new Standby Chassis

Procedure 2 - No Physical Access to the Chassis


Use this procedure to upgrade or downgrade the CMM Firmware on an N+N Chassis, if there is no
physical access to the Chassis.
This procedure requires a console connection to both CMMs.

Step Description Command

1  Set the Standby Chassis to administratively DOWN state.
        # asg chassis_admin -c <Chassis_B_ID> down

2  Open a console connection to the serial port on the Active and Standby CMMs on the
    Standby chassis.
    Note - Use the Default parameters: 9600,8,N,1

3  Connect to an SGM on the Standby chassis over SSH, or a serial console.

4  Download the applicable firmware version.
    The latest recommended firmware file is usually located here:
    $FWDIR/conf/hw_firmware/SM700CC_update.tar

5  Copy and extract the file on the SGM to /var/log.
        # tar -xvf $FWDIR/conf/hw_firmware/SM700CC_update.tar -C /var/log/

6  Terminate the Standby CMM.
        To identify the Standby CMM:
        # clia shmstatus
        From the Standby CMM console connection:
        # clia terminate

7  Copy the firmware files from the SGM to the active CMM in the /tmp/ directory.
        # scp /var/log/sentry.shmm700.* [email protected]:/tmp/
        The password is: admin

8  Run these commands from the console connection to the Active CMM.
        # cd /tmp
        # clia terminate
        # setenv custcnf C00013
        # setenv rc2 /etc/rc.0000-14
        # rupgrade --erase-all --base file:///tmp/sentry.shmm700. -k kernel -r rfs -a app
    Note - After CMM reboot, the following lines are displayed:
        <INFO> Write confirmed: 1 -> 0 [ALLOW]
        <INFO> Write upgrade_state: "in progress" (2) -> "confirmed" (4) [ALLOW]
        <INFO> Write upgrade watchdog: 1 -> 0 [ALLOW]
    Press Enter to get the login prompt.

9  Run the firmware installation executable.
    Press Enter when prompted, to reboot the CMM.
    Note - If the screen becomes unreadable during the upgrade procedure, change the
    console screen baud rate.
        # install.sh

10  If the Chassis ID is 2, change the Chassis ID setting.
        # sed -i 's/CHASSID="1"/CHASSID="2"/g' /etc/shmm.cfg
        # reboot

11  Make sure Chassis ID is correct.
    Outputs of these commands must be the same and must show correct Chassis ID.
    If the outputs do not match, stop the procedure and contact Check Point Support
    immediately.
        # grep SHMM_CHASSID /etc/shmm.cfg
        # clia shelfaddress

12  Terminate the Active CMM.
        From the Active CMM console connection:
        # clia terminate
        # ifconfig eth0 down
        # ifconfig eth1 down

13  Activate the Standby CMM, after reboot.
    This CMM will be the Active CMM.
        From the Standby CMM console connection:
        # reboot

14  Install the firmware on the Active CMM.
    Do Steps 7-10.

15  Activate the Standby CMM.
        From the Standby CMM console connection:
        # reboot

16  Make sure that the Active and Standby CMMs both have the same firmware version.
        # asg_version -i

17  Set the Standby Chassis to administratively UP state.
        # asg chassis_admin -c <Chassis_B_ID> up

18  To upgrade the second (Active) Chassis CMMs:
    - Perform Chassis failover to the Standby Chassis
    - Repeat Steps 1 - 17 on the new Standby Chassis

Upgrading SSM160 to SSM440


Important - Interfaces ethX-Mgmt1 and ethX-Mgmt2 are no longer available.

To upgrade from SSM160 to SSM440:


1. Run the asg diag verify command. This gives you data to compare after the upgrade.
If necessary, add licenses for 100G.
2. Put the Standby Chassis in administratively DOWN state.
3. Shut down all SGMs and SSMs on the Standby Chassis.
4. Replace the SSMs and wait until they are up.
With SmartConsole, wait about 2 minutes and check that the port links are up.
5. Start all SGMs on the Standby Chassis.
6. When the SGMs are up, reboot again (because of the SSM change).
7. Apply QSFP mode on the Standby Chassis to align with the Active Chassis.
If there are speed changes on ports 1 - 7 on SSM440, the SSM reboots again to align with the
Active Chassis configuration.
8. Change QSFP Mode based on the Active Chassis, one SSM at a time. The SSM reboots.
Initiate gClish on the Standby Chassis SGM. Use the set blade-range command in gClish
only.
9. Put the Standby Chassis in administratively UP state.

To verify the upgrade:


1. Run the asg diag verify command and compare with the results from Step 1. The following
tests can fail:
a) When you run asg_port_speed verify from the Active Chassis (with SSM160), all
should pass except for QSFP Mode.
b) When you run asg_port_speed verify from the Standby Chassis (with SSM440) all
should pass except for QSFP Mode and ports 17 - 40. (The Active Chassis should show
N/A).
c) The configuration file test on asg diag will fail due to differences in the
/config/active file (the SSM type, number of ports, port link speed, and SSM QSFP Mode).
d) SSM QoS test on asg diag will fail because of different port IDs between Chassis. After
you upgrade both Chassis, the SSM QoS will work.
e) The MAC setting test on asg diag will fail when you run it from the SSM440 Chassis. The
MAC will fail on the Chassis with SSM160 on ports 17 - 40.
2. Fail over and upgrade the other Chassis.
3. After both Chassis are upgraded, use gClish to increase the matrix size to 16K.
Note - To support 40 Back Plane speed with SGM400, see sk118435
http://supportcontent.checkpoint.com/solutions?id=sk118435.

Upgrading SSM Firmware


Use the asg_ssm_upgrade utility to upgrade the SSM firmware to the most recent version. Do
the upgrade for one SSM at a time.

Syntax
# asg_ssm_upgrade ssm <SSM_ID> [chassis <Chassis_ID>] [file <Firmware File>]

Parameters
Parameter Description
<SSM_ID> SSM ID to be upgraded (1, 2, or all)
<Chassis_ID> Chassis ID (1, 2, or all)

<Firmware File> New firmware file name and fully qualified path

Notes:
- Before you upgrade, confirm that the new firmware file checksum is valid.
- You must copy the new firmware file to all SGMs.
- Console is mandatory if you upgrade the local Chassis SSM.
- The SSM automatically reboots after the upgrade. This can cause traffic interruption.
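
The checksum note above, as an added example (not Check Point's code): a wrapper that prints the asg_ssm_upgrade command line only when the firmware file's digest matches the expected value and the arguments fit the parameter table. It assumes the published checksum is SHA-256 and that sha256sum is installed, neither of which the guide states; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumptions: the published firmware
# checksum is SHA-256 and sha256sum is installed. Function names are made up.

# valid_id VALUE ALLOW_ALL: accept 1 or 2, and "all" only when ALLOW_ALL=yes.
valid_id() {
    case "$1" in
        1|2) return 0 ;;
        all) [ "$2" = yes ] ;;
        *) return 1 ;;
    esac
}

# file_sha256 PATH: print the lowercase hex SHA-256 digest of PATH.
file_sha256() {
    sha256sum -- "$1" | awk '{print $1}'
}

# build_ssm_upgrade SSM_ID CHASSIS_ID FIRMWARE EXPECTED_SHA256
# Prints the asg_ssm_upgrade command line only when every check passes.
# Returns 2 for a bad ID, 3 for a bad path, 4 for a checksum mismatch.
build_ssm_upgrade() {
    ssm=$1 chassis=$2 fw=$3 expected=$4
    # The syntax accepts "all" for the SSM ID, but the guide says to upgrade
    # one SSM at a time, so this wrapper rejects it.
    valid_id "$ssm" no || { echo "bad SSM ID: $ssm" >&2; return 2; }
    valid_id "$chassis" yes || { echo "bad Chassis ID: $chassis" >&2; return 2; }
    case "$fw" in
        /*) ;;
        *) echo "firmware path must be fully qualified: $fw" >&2; return 3 ;;
    esac
    # Require a regular file, not a symlink that could be repointed later.
    if [ ! -f "$fw" ] || [ -L "$fw" ]; then
        echo "not a regular file: $fw" >&2; return 3
    fi
    actual=$(file_sha256 "$fw") || return 3
    want=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$want" ]; then
        echo "checksum mismatch for $fw: got $actual" >&2; return 4
    fi
    printf 'asg_ssm_upgrade ssm %s chassis %s file %s\n' "$ssm" "$chassis" "$fw"
}

# Stand-alone use: script.sh <SSM_ID> <Chassis_ID> <Firmware File> <SHA-256>
if [ "$#" -eq 4 ]; then
    build_ssm_upgrade "$@"
fi
```

Take the expected digest from the vendor's download page or release notes, not from the same location as the firmware file, and rerun the check on each SGM after copying the file there.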
