14 May 2024

INSTALLATION AND
UPGRADE GUIDE

R81
Check Point Copyright Notice
© 2020 - 2024 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party
licenses.
 Important Information

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-
date with the latest functional improvements, stability fixes, security
enhancements and protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.

Check Point R81

For more about this release, see the R81 home page.

Latest Version of this Document in English

Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Installation and Upgrade Guide R81 | 3

 Important Information

Revision History

Date Description

26 Updated:
September
2023
n Renamed the cluster upgrade method "Minimal Effort" to "Minimum
Effort"
n "Minimum Effort Upgrade of a Security Gateway Cluster" on page 453
- Added the missing step to establish SIC with Cluster Members after
Clean Install
n "Minimum Effort Upgrade of a VSX Cluster" on page 460 - Added the
missing step to establish SIC with Cluster Members after Clean Install
n Renamed the cluster upgrade method "Zero Downtime" to "Minimum
Downtime" to show better the nature of this upgrade method
Note - Multi-Version Cluster (MVC) Upgrade is the Zero Downtime
Upgrade.
n "Minimum Downtime Upgrade of a Security Gateway Cluster" on
page 471 - Added the missing steps to establish SIC with Cluster
Members after Clean Install
n "Minimum Downtime Upgrade of a VSX Cluster" on page 484 - Added
the missing steps to establish SIC with Cluster Members after Clean
Instal

25 Updated:
September
2023
n "Installing a CloudGuard Controller" on page 97 - Updated the note
about the Known Limitation VSECPC-1341
n "Multi-Version Cluster Upgrade Procedure - Gateway Mode" on
page 410
n "Minimum Downtime Upgrade of a Security Gateway Cluster" on
page 471 - Updated the notes about changing the CCP mode to
Broadcast
n "Minimum Downtime Upgrade of a VSX Cluster" on page 484 -
Updated the notes about changing the CCP mode to Broadcast

21 February In the upgrade procedures for Management High Availability Servers,

2023 added this note:
Make sure the Security Management Servers can communicate with each
other and SIC works between these servers. For details, see sk179794.

12 October Updated:
2022
n "Multi-Version Cluster Limitations" on page 407

Installation and Upgrade Guide R81 | 4

 Important Information

Date Description

19 June 2022 Updated:

n "Backing Up and Restoring" on page 20
n "Prerequisites for Upgrading and Migrating of Management Servers
and Log Servers" on page 189
n "Configuring ClusterXL in Bridge Mode - Active / Active with Two or
Four Switches" on page 608 - the last step about the kernel
parameter "fwha_monitor_if_link_state"
n Upgrade procedures for Management Servers - if the
SmartProvisioning Software Blade is enabled, then must install
policies on all SmartLSM Security Profiles

Installation and Upgrade Guide R81 | 5

 Important Information

Date Description

23 January Updated:
2022
n "Installing Software Packages on Gaia" on page 185
n "Upgrade Options and Prerequisites" on page 188
n "Prerequisites for Upgrading and Migrating of Management Servers
and Log Servers" on page 189 - removed all references to R80.10
and lower versions
n "Prerequisites for Upgrading and Migrating of Security Gateways and
Clusters" on page 195 - removed all references to R80.10 and lower
versions
n "Upgrade Methods" on page 200
n "Upgrade Tools" on page 207
n "Upgrading one Multi-Domain Server from R80.20 and higher" on
page 249 - added a preliminary step to reassign all Global Policies to
all applicable Domains
n "Upgrading Multi-Domain Servers in High Availability from R80.20
and higher" on page 273 - added a preliminary step to reassign all
Global Policies to all applicable Domains
Removed (because upgrade or migration from versions R80 and R80.10 is
not supported):
n Prerequisites for Upgrading vSEC Controller R80.10 and lower
n Upgrading a Security Management Server or vSEC Controller from
R80.10 and lower
n Upgrading a Dedicated Log Server from R80.10 and lower
n Upgrading a Dedicated SmartEvent Server from R80.10 and lower
n Upgrading one Multi-Domain Server from R80.10 and lower
n Upgrading Multi-Domain Servers in High Availability from R80.10 and
lower
n Upgrading a Multi-Domain Log Server from R80.10 and lower
n Upgrading an Endpoint Security Management Server from R80.10
and lower
n Upgrading a Dedicated Endpoint Policy Server from R80.10 and
lower
n Upgrading a Standalone from R80.10 and lower

Installation and Upgrade Guide R81 | 6

 Important Information

Date Description

16 April 2021 Updated:

n "Installing Full High Availability Cluster" on page 169
n "Upgrade Methods" on page 200 - removed information about a
Gradual Upgrade from R7x versions because it is not supported
n The note "In a Management High Availability environment, the
SmartEvent Software Blade is supported only on the Active
Management Server (for more information, see sk25164)."
Removed (because upgrade or migration from R77.x versions is not
supported):
n Migrating Global Policies from an R7x Multi-Domain Server
n Migrating Database from an R7x Security Management Server to an
R81 Domain Management Server
n Migrating Database from an R7x Domain Management Server to an
R81 Domain Management Server
n Migrating Database from an R7x Standalone to an R81 Domain
Management Server

05 November Updated:
2020
n "Supported Versions in Multi-Version Cluster" on page 405

03 November Updated:
2020
n "Migrating Database from an R81 Domain Management Server to an
R81 Security Management Server" on page 521

Installation and Upgrade Guide R81 | 7

 Important Information

Date Description

02 November Added:
2020
n "Multi-Version Cluster Upgrade Procedure - VSX Mode" on page 426
n "Deploying a Domain Dedicated Log Server" on page 71
Updated:
n "Backing Up and Restoring" on page 20 - added link to sk127653
n "Prerequisites for Upgrading and Migrating of Management Servers
and Log Servers" on page 189
n "Upgrade Tools" on page 207
n "Upgrading a Security Management Server or Log Server from
R80.20 and higher" on page 210 - all procedures
n "Upgrading one Multi-Domain Server from R80.20 and higher" on
page 249 - all procedures
n "Upgrading Multi-Domain Servers in High Availability from R80.20
and higher" on page 273 - all procedures
n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on
page 328 - all procedures
n "Upgrading an Endpoint Security Management Server or Endpoint
Policy Server from R80.20 and higher" on page 350 - all procedures
n "Migrating Database Between R81 Security Management Servers" on
page 510
n "Installing a VSX Gateway" on page 111 - updated notes
n "Installing a VSX Cluster" on page 139 - updated notes
n "Multi-Version Cluster Upgrade Procedure - Gateway Mode" on
page 410

21 October First release of this document

2020

Installation and Upgrade Guide R81 | 8

 Table of Contents

Table of Contents
Getting Started 16
Welcome 16
R81 Documentation 16
R81 Software Images 16
For New Check Point Customers 17
Disk Space 17
Product Deployment Scenarios 17
Backing Up and Restoring 20
The Gaia Operating System 23
Installing the Gaia Operating System on Check Point Appliances 24
Installing the Gaia Operating System on Open Servers 26
Installing a Blink Image to Configure a Check Point Gateway Appliance 28
Changing Disk Partition Sizes During the Installation of Gaia Operating System 29
Running an Unattended USB Installation of Gaia on Check Point Appliances 30
Configuring Gaia for the First Time 31
Running the First Time Configuration Wizard in Gaia Portal 32
Running the First Time Configuration Wizard in CLI Expert mode 44
Configuring the IP Address of the Gaia Management Interface 55
Changing the Disk Partition Sizes on an Installed Gaia 57
Enabling IPv6 on Gaia 58
Installing a Security Management Server 60
Installing One Security Management Server only, or Primary Security Management
Server in Management High Availability 61
Installing a Secondary Security Management Server in Management High Availability 63
Installing a Dedicated Log Server or SmartEvent Server 66
Deploying a Domain Dedicated Log Server 71
Introduction 71
Procedure for an R81 Multi-Domain Environment 71

Installation and Upgrade Guide R81 | 9

 Table of Contents

Procedure for an R77.x Multi-Domain Environment 72

Installing a Multi-Domain Server 76
Installing One Multi-Domain Server Only, or Primary Multi-Domain Server in
Management High Availability 77
Installing a Secondary Multi-Domain Server in Management High Availability 79
Installing a Multi-Domain Log Server 82
Installing an Endpoint Server 84
Installing an Endpoint Security Management Server 85
Installing a Secondary Endpoint Security Management Server in Management High
Availability 87
Installing an Endpoint Policy Server 90
Connection Port to Services on an Endpoint Security Management Server 92
Disk Space on an Endpoint Security Management Server 96
Installing a CloudGuard Controller 97
Installing a Management Server on Linux 99
Installing SmartConsole 100
Downloading SmartConsole 100
Installing SmartConsole 101
Logging in to SmartConsole 102
Troubleshooting SmartConsole 102
Installing a Security Gateway, VSX Gateway 103
Installing a Security Gateway 104
Installing a VSX Gateway 111
Installing a ClusterXL, VSX Cluster, VRRP Cluster 117
Installing a ClusterXL Cluster 118
Installing a VSX Cluster 139
Installing a VRRP Cluster 148
Full High Availability Cluster on Check Point Appliances 167
Understanding Full High Availability Cluster on Appliances 168
Installing Full High Availability Cluster 169
Recommended Logging Options for a Full High Availability Cluster 174

Installation and Upgrade Guide R81 | 10

 Table of Contents

Installing a Standalone 175

Post-Installation Configuration 179
Installing Software Packages on Gaia 185
Upgrade Options and Prerequisites 188
Prerequisites for Upgrading and Migrating of Management Servers and Log Servers 189
Prerequisites for Upgrading and Migrating of Security Gateways and Clusters 195
Prerequisites for Upgrading the Mobile Access Software Blade Configuration 198
Upgrade Methods 200
Contract Verification 205
Upgrade Tools 207
Upgrade of Security Management Servers and Log Servers 209
Upgrading a Security Management Server or Log Server from R80.20 and higher 210
Upgrading a Security Management Server or Log Server from R80.20 and higher
with CPUSE 211
Upgrading a Security Management Server or Log Server from R80.20 and higher
with Advanced Upgrade 217
Upgrading a Security Management Server or Log Server from R80.20 and higher
with Migration 229
Upgrading Security Management Servers in Management High Availability from
R80.20 and higher 241
Upgrade of Multi-Domain Servers and Multi-Domain Log Servers 248
Upgrading one Multi-Domain Server from R80.20 and higher 249
Upgrading one Multi-Domain Server from R80.20 and higher with CPUSE 250
Upgrading one Multi-Domain Server from R80.20 and higher with Advanced
Upgrade 255
Upgrading one Multi-Domain Server from R80.20 and higher with Migration 264
Upgrading Multi-Domain Servers in High Availability from R80.20 and higher 273
Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
CPUSE 274
Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
Advanced Upgrade 281
Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
Migration 304

Installation and Upgrade Guide R81 | 11

 Table of Contents

Managing Domain Management Servers During the Upgrade Process 327

Upgrading a Multi-Domain Log Server from R80.20 and higher 328
Upgrading a Multi-Domain Log Server from R80.20 and higher with CPUSE 329
Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced
upgrade 333
Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration 341
Upgrade of Endpoint Security Management Servers and Endpoint Policy Servers 349
Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher 350
Upgrading an Endpoint Security Management Server or Endpoint Policy Server
from R80.20 and higher with CPUSE 351
Upgrading an Endpoint Security Management Server or Endpoint Policy Server
from R80.20 and higher with Advanced Upgrade 356
Upgrading an Endpoint Security Management Server or Endpoint Policy Server
from R80.20 and higher with Migration 367
Upgrading Endpoint Security Management Servers in Management High
Availability from R80.20 and higher 378
Upgrade of Security Gateways and Clusters 382
Upgrading a Security Gateway or VSX Gateway 383
Upgrading a Security Gateway with CPUSE 384
Upgrading a VSX Gateway with CPUSE 388
Upgrading ClusterXL, VSX Cluster, or VRRP Cluster 396
Planning a Cluster Upgrade 397
Multi-Version Cluster (MVC) Upgrade 403
Multi-Version Cluster Upgrade Prerequisites 403
Supported Versions in Multi-Version Cluster 405
Multi-Version Cluster Limitations 407
General limitations in Multi-Version Cluster configuration 407
Limitations during failover in Multi-Version Cluster 409
Multi-Version Cluster Upgrade Procedure - Gateway Mode 410
Multi-Version Cluster Upgrade Procedure - VSX Mode 426
Troubleshooting the Multi-Version Cluster 451

Installation and Upgrade Guide R81 | 12

 Table of Contents

Minimum Effort Upgrade 452

Minimum Effort Upgrade of a Security Gateway Cluster 453
Minimum Effort Upgrade of a VSX Cluster 460
Minimum Downtime Upgrade 470
Minimum Downtime Upgrade of a Security Gateway Cluster 471
Minimum Downtime Upgrade of a VSX Cluster 484
Upgrading a Full High Availability Cluster 503
Special Scenarios for Management Servers 504
Backing Up and Restoring a Domain 505
Migrating a Domain Management Server between R81 Multi-Domain Servers 508
Migrating Database Between R81 Security Management Servers 510
Migrating Database from an R81 Security Management Server to an R81 Domain
Management Server 515
Migrating Database from an R81 Domain Management Server to an R81 Security
Management Server 521
Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server 526
Changing the IP Address of a Domain Management Server or Domain Log Server 533
IPS in Multi-Domain Server Environment 538
Special Scenarios for Security Gateways 539
Deploying a Security Gateway in Monitor Mode 540
Introduction to Monitor Mode 540
Example Topology for Monitor Mode 541
Supported Software Blades in Monitor Mode 541
Limitations in Monitor Mode 543
Configuring a Single Security Gateway in Monitor Mode 544
Configuring a Single VSX Gateway in Monitor Mode 557
Configuring Specific Software Blades for Monitor Mode 569
Configuring the Threat Prevention Software Blades for Monitor Mode 570
Configuring the Application Control and URL Filtering Software Blades for Monitor
Mode 572
Configuring the Data Loss Prevention Software Blade for Monitor Mode 573

Installation and Upgrade Guide R81 | 13

 Table of Contents

Configuring the Security Gateway in Monitor Mode Behind a Proxy Server 575
Deploying a Security Gateway or a ClusterXL in Bridge Mode 576
Introduction to Bridge Mode 576
Supported Software Blades in Bridge Mode 576
Limitations in Bridge Mode 579
Configuring a Single Security Gateway in Bridge Mode 580
Configuring a ClusterXL in Bridge Mode 590
Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches 591
Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches 608

Accept, or Drop Ethernet Frames with Specific Protocols 635

Routing and Bridge Interfaces 636
Managing a Security Gateway through the Bridge Interface 637
IPv6 Neighbor Discovery 640
Managing Ethernet Protocols 640
Configuring Link State Propagation (LSP) 643
Security Before Firewall Activation 647
Boot Security 648
The Initial Policy 654
Troubleshooting: Cannot Complete Reboot 656
Working with Licenses 657
Viewing Licenses in SmartConsole 658
Viewing license information for VSX: 659
Monitoring Licenses in SmartConsole 660
Managing Licenses in SmartConsole 665
Managing Licenses in the Gaia Portal 669
Migrating a License to a New IP Address 670
Using Legacy SmartUpdate 673
Accessing SmartUpdate 674
Licenses Stored in the Licenses & Contracts Repository 675
Licensing Terms for SmartUpdate 676

Installation and Upgrade Guide R81 | 14

 Table of Contents

Viewing the Licenses & Contracts Repository 678

Adding New Licenses to the Licenses & Contracts Repository 679
Deleting a License from the Licenses & Contracts Repository 682
Attaching a License to a Security Gateway 683
Detaching a License from a Security Gateway 684
Getting Licenses from Security Gateways 685
Exporting a License to a File 686
Checking for Expired Licenses 688
Check Point Cloud Services 689
Automatic Downloads 689
Sending Data to Check Point 691
Glossary 692

Installation and Upgrade Guide R81 | 15

 Getting Started

Getting Started
Important - Before you install or upgrade to R81:
1. Read the R81 Release Notes.
2. Back up the current system. See "Backing Up and Restoring" on page 20.

Welcome
Thank you for choosing Check Point Software Blades for your security solution. We hope that
you will be satisfied with this solution and our support services. Check Point products provide
your business with the most up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional,
and support services through a network of Authorized Training Centers, Certified Support
Partners, and Check Point technical support personnel to ensure that you get the most out of
your security investment.
For additional information on the Internet Security Product Suite and other security solutions,
go to https://www.checkpoint.com or call Check Point at 1(800) 429-4391.
For additional technical information, visit the Check Point Support Center.
Welcome to the Check Point family. We look forward to meeting all of your current and future
network, application, and management security needs.

R81 Documentation
This guide is for administrators responsible for installing R81 on appliances and open servers
that run the Gaia Operating System.
To learn what is new in R81, see the R81 Release Notes.
See the R81 Home Page SK for information about the R81 release.

R81 Software Images

You can use the Upgrade/Download Wizard to download the applicable installation and
upgrade images.

Installation and Upgrade Guide R81 | 16

 Getting Started

For New Check Point Customers

New Check Point customers can access the Check Point User Center to:
n Manage users and accounts
n Activate products
n Get support offers
n Open service requests
n Search the Technical Knowledge Base

Disk Space
When you install or upgrade R81, the installation or upgrade wizard makes sure that there is
sufficient space on the hard disk to install the Check Point products.
If there is not sufficient space on the hard disk, an error message is shown. The message
states:
n The amount of disk space necessary to install the product.
n The directory where the product is installed.
n The amount of free disk space that is available in the directory.
After there is sufficient disk space, install or upgrade the Check Point product.

Product Deployment Scenarios

There are different deployment scenarios for Check Point software products.
Distributed Deployment

The Security Management Server (1) and the Security Gateway (3) are installed on
different computers, with a network connection (2).

Installation and Upgrade Guide R81 | 17

 Getting Started

Standalone Deployment

The Security Management Server (1) and the Security Gateway (3) are installed on the
same computer (2).

Management High Availability

A Primary Security Management Server (1) has a direct or indirect connection (2) to a
Secondary Security Management Server (3).

The databases of the Security Management Servers are synchronized, manually or on a

schedule, to back up one another.
The administrator makes one Security Management Server Active and the others Standby.
If the Active Security Management Server is down, the administrator can promote the
Standby server to be Active.

Installation and Upgrade Guide R81 | 18

 Getting Started

Full High Availability

In a Full High Availability Cluster on two Check Point Appliances, each appliance runs both
as a ClusterXL Cluster Member and as a Security Management Server, in High Availability
mode.

Important - You can deploy and configure a Full High Availability Cluster only on
Check Point Appliances that support Standalone configuration. See the R81
Release Notes and "Installing a Standalone" on page 175.

This deployment reduces the maintenance required for your systems.

In the image below, the appliances are denoted as (1) and (3).
The two appliances are connected with a direct synchronization connection (2) and work in
High Availability mode:
n The Security Management Server on one appliance (for example, 1) runs as Primary,
and the Security Management Server on the other appliance (3) runs as Secondary.
n The ClusterXL on one appliance (for example, 1) runs as Active, and the ClusterXL on
the other appliance (3), runs as Standby.
n The ClusterXL Cluster Members synchronize the information about the traffic over the
synchronization connection (2).

Installation and Upgrade Guide R81 | 19

 Backing Up and Restoring

Backing Up and Restoring

Best Practices:

Step Instructions

1 Before the upgrade:

n Save a snapshot of your source system.
This backs up the entire configuration.
n Save a backup of your source system.
This file lets you extract the most important configuration easily.
n Collect the CPinfo file from your source system (see sk92739).
This file lets you see the most important configuration easily with the
DiagnosticsView tool (see sk125092).

2 Immediately after the Pre-Upgrade Verifier (PUV) finishes successfully and does
not show you further suggestions:
n Save a second snapshot of your source system.
n Save a second backup of your source system.
n Collect a second CPinfo file from your source system.

3 Transfer the CPinfo file, snapshot, backup files, and exported database files to
external storage devices. Make sure to transfer the files in the binary mode.

Backing up and restoring in Management High Availability environment:

n To back up and restore a consistent Management High Availability environment, make
sure to collect and restore the backups and snapshots from all Security Management
Servers or Multi-Domain Security Management Servers at the same time. (This does not
apply to Multi-Domain Log Servers.)
n Make sure other administrators do not make changes in SmartConsole until the backup
operation is completed.

Installation and Upgrade Guide R81 | 20

 Backing Up and Restoring

To back up a Security Management Server:

Operating
Backup Recommendations
System

Gaia 1. Take the Gaia snapshot.

2. Collect the management database with the "migrate_server
export" / "migrate export" command.
3. Collect the Log Exporter configuration (see sk127653).

SecurePlatform 1. Take the SecurePlatform snapshot.

2. Collect the management database with the "migrate_server
export" / "migrate export" command.

Linux 1. Collect the management database with the "migrate_server

export" / "migrate export" command.
2. Collect the Log Exporter configuration (see sk127653).

Windows Collect the management database with the "migrate export"

command.

To back up a Multi-Domain Server:

Operating System Backup Recommendations

Gaia 1. Take the Gaia snapshot.

2. Collect the full backup with the mds_backup
command.
3. Collect the Log Exporter configuration (see
sk127653).

SecurePlatform 1. Take the SecurePlatform snapshot.

2. Collect the full backup with the mds_backup
command.

Linux 1. Collect the full backup with the mds_backup

command.
2. Collect the Log Exporter configuration (see
sk127653).

To back up a Security Gateway or a Cluster Member:

Operating System Backup Recommendations

Gaia Take the Gaia snapshot.

Installation and Upgrade Guide R81 | 21

 Backing Up and Restoring

Operating System Backup Recommendations

SecurePlatform Take the SecurePlatform snapshot.

To back up a VSX environment:

Follow sk100395: How to backup and restore VSX Gateway.

To back up a Virtual Machine environment:

See the vendor documentation for your virtual platform.

For more information, see:

1. sk108902: Best Practices - Backup on Gaia OS

2. Gaia Administration Guide (see the Documentation section in the Home Page SK for
your current version)
3. sk54100: How to back up your system on SecurePlatform
4. SecurePlatform Administration Guide (see the Documentation section in the Home Page
SK for your current version)
5. Multi-Domain Security ManagementAdministration Guide (see the Documentation
section in the Home Page SK for your current version) - Chapter Command Line
Reference - Section mds_backup
6. Command Line Interface Reference Guide - the migrate command.
7. sk110173: How to migrate the events database from SmartEvent server R7x to
SmartEvent Server R80 and above.

8. sk100395: How to backup and restore VSX Gateway.

9. sk127653: How to back up and restore Log Exporter configuration.

Installation and Upgrade Guide R81 | 22

 The Gaia Operating System

The Gaia Operating System

This section provides instructions to install the Gaia Operating System and perform its initial
configuration:
n "Installing the Gaia Operating System on Check Point Appliances" on page 24
n "Installing the Gaia Operating System on Open Servers" on page 26
n "Installing a Blink Image to Configure a Check Point Gateway Appliance" on page 28
n "Changing Disk Partition Sizes During the Installation of Gaia Operating System" on
page 29
n "Running an Unattended USB Installation of Gaia on Check Point Appliances" on
page 30
n "Configuring Gaia for the First Time" on page 31
n "Configuring the IP Address of the Gaia Management Interface" on page 55
n "Changing the Disk Partition Sizes on an Installed Gaia" on page 57
n "Enabling IPv6 on Gaia" on page 58

Installation and Upgrade Guide R81 | 23

 Installing the Gaia Operating System on Check Point Appliances

Installing the Gaia Operating System on Check

Point Appliances
Note - These instructions do not apply to the Check Point appliance models that run
Gaia Embedded operating system.

For a list of supported appliances, see the R81 Release Notes.

To install a clean Gaia Operating System on a Check Point appliance, these options are
available:
Reset a Check Point appliance to factory defaults
Important - This operation reverts the appliance to the last Gaia version that was
installed using the Clean Install method.

Step Instructions

1 Connect to the appliance using the serial console.

2 Restart the appliance.

3 During boot, when prompted, press any key within 4 seconds to enter the Boot
menu:
Loading the system
Press any key to see the boot menu [Booting in 5
seconds]

4 Select Reset to factory defaults and press Enter.

5 Type yes and press Enter.

6 Run the Gaia First Time Configuration Wizard.

See "Configuring Gaia for the First Time" on page 31.

Installation and Upgrade Guide R81 | 24

 Installing the Gaia Operating System on Check Point Appliances

Clean install with a Bootable USB device

Step Instructions

1 Download the Gaia Operating System Clean Install ISO file from the R81
Home Page SK.

2 See sk65205 to create a bootable USB device.

Important - Always use the latest available build of the ISOmorphic Tool. If
you use an outdated build, the installation can fail.

3 Run the Gaia First Time Configuration Wizard. See "Configuring Gaia for the
First Time" on page 31.

Clean install with the CPUSE

This option is available if Gaia is already installed.

See "Installing Software Packages on Gaia" on page 185 and follow the applicable action
plan for the local installation.

Installation and Upgrade Guide R81 | 25

 Installing the Gaia Operating System on Open Servers

Installing the Gaia Operating System on Open

Servers
To install a clean Gaia Operating System on an Open Server, these options are available:
Clean Install with a DVD-ROM

Step Instructions

1 Download the Gaia Operating System Clean Install ISO file from the R81
Home Page SK.

2 Burn the ISO image onto a DVD disc.

3 Connect the DVD-ROM to your Open Server.

4 Reboot your Open Server.

5 Enter the BIOS and configure the DVD-ROM to be the first boot option.

6 Reboot your Open Server.

7 Your Open Server should boot from the DVD-ROM.

8 Gaia installation menu should appear.

9 Follow the instructions on the screen.

10 After Gaia installs and before the reboot, disconnect the DVD-ROM from your
Open Server.

11 Reboot your Open Server.

12 Enter the BIOS and configure the Hard Disk to be the first boot option.

13 Reboot your Open Server.

14 Your Open Server should boot the Gaia operating system.

15 Run the Gaia First Time Configuration Wizard.

See "Configuring Gaia for the First Time" on page 31.

Installation and Upgrade Guide R81 | 26

 Installing the Gaia Operating System on Open Servers

Clean Install with a bootable USB device

To prepare a Bootable USB device, see sk65205.

Step Instructions

1 Download the Gaia Operating System ISO file from R81 Home Page SK.

2 See sk65205 to create a bootable USB device.

Important - Always use the latest available build of the ISOmorphic
Tool. If you use an outdated build, the installation can fail.

3 Run the Gaia First Time Configuration Wizard.

See "Configuring Gaia for the First Time" on page 31.

Clean Install with the CPUSE

This option is available if Gaia is already installed.

See "Installing Software Packages on Gaia" on page 185 and follow the applicable action
plan for the local installation.

Installation and Upgrade Guide R81 | 27

 Installing a Blink Image to Configure a Check Point Gateway Appliance

Installing a Blink Image to Configure a Check

Point Gateway Appliance
Blink is a Gaia fast deployment procedure. With Blink utility, you can quickly deploy clean
Check Point Security Gateways on appliances that have not yet been configured with the First
Time Configuration Wizard. Blink deploys within 5-7 minutes.
When Blink utility completes the installation, clean Security Gateways, Hotfixes, and updated
Software Blade signatures are installed. Blink utility configures an appliance automatically in
place of the manual execution of the Gaia First Time Configuration Wizard.
You can run the Blink Gaia image from a USB or download it to your appliance.

Note - If you add the Blink image to a USB and insert the USB into the appliance
before the First Time Configuration Wizard shows, the process begins automatically.

After the installation is complete, connect with your web browser to the Check Point appliance
to complete the simplified Blink configuration.
In addition, the Blink utility lets you use a special XML file to run an unattended installation with
predefined parameters for an appliance:
n Host name
n Gaia administrator password
n Network options - IP address, Subnet, Default Gateway
n Secure Internal Communication (SIC) key
n Cluster membership
n Upload to Check Point approval
n Download from Check Point approval
For complete information, see sk120193.

Installation and Upgrade Guide R81 | 28

 Changing Disk Partition Sizes During the Installation of Gaia Operating System

Changing Disk Partition Sizes During the

Installation of Gaia Operating System
On Check Point appliances, the size of the disk partitions is predefined.
On these appliances, you can modify the default disk partitions within the first 20 seconds. If
you miss this window, the non-interactive installation then continues:
n Smart-1 525, Smart-1 5050, and Smart-1 5150
n Smart-1 50, Smart-1 150, Smart-1 3050, and Smart-1 3150
When installing Gaia on an Open Server, these partitions have default sizes:
n System-swap
n System-root
n Logs
n Backup and upgrade
You can change the sizes of the system-root and the logs partitions. The storage size
assigned for backup and upgrade partitions is updated accordingly.
To change the partition size, see sk95566.

Installation and Upgrade Guide R81 | 29

 Running an Unattended USB Installation of Gaia on Check Point Appliances

Running an Unattended USB Installation of

Gaia on Check Point Appliances
You can install a Gaia Operating System on Check Point appliances using an ISO on a
removable USB drive (see sk65205).

Important - Always use the latest available build of the ISOmorphic Tool. If you use
an outdated build, the installation can fail.

On Check Point appliances, the ISOmorphic tool lets an administrator run an unattended
installation.
In an unattended installation, an experienced Check Point system administrator:

Step Instructions

1 Prepares the USB with these pre-configured settings for a specified network
interface:
n IP address
n Network mask
n Default Gateway

2 Sends the USB drive to an administrator, who inserts the drive into the appliance
and reboots it.
The tool installs the Check Point Gaia OS and configures the appliance with the
predefined settings.
The LCD indicates a successful installation and interfaces blink in round-robin
fashion.

3 The first administrator then:

n Connects to the Gaia Portal and runs the First Time Configuration Wizard,
or
n Opens a command line to the appliance for further operating system level
configuration

Note - The ISOmorphic tool does not support unattended installation on Open Servers.

Installation and Upgrade Guide R81 | 30

 Configuring Gaia for the First Time

Configuring Gaia for the First Time

After you install Gaia for the first time, use the First Time Configuration Wizard to configure the
system and the Check Point products on it.
You can run the First Time Configuration Wizard in:
n Gaia Portal
n CLI Expert mode

Installation and Upgrade Guide R81 | 31

 Running the First Time Configuration Wizard in Gaia Portal

Running the First Time Configuration Wizard in Gaia Portal

To start the Gaia First Time Configuration Wizard:

Step Instructions

1 Connect a computer to the Gaia computer.

You must connect to the interface you configured during the Gaia installation (for
example, eth0).

2 On your connected computer, configure a static IPv4 address in the same subnet
as the IPv4 address you configured during the Gaia installation.

3 On your connected computer, in a web browser, connect to the IPv4 address you
configured during the Gaia installation:
https://<IP address of Gaia Management Interface>

4 Enter the default username and password: admin and admin.

5 Click Login.
The Check Point First Time Configuration Wizard opens.

6 Follow the instructions on the First Time Configuration Wizard windows.

See the applicable chapters below for installing specific Check Point products.

Below you can find the description of the First Time Configuration Wizard windows and their
fields.

Installation and Upgrade Guide R81 | 32

 Running the First Time Configuration Wizard in Gaia Portal

Deployment Options window

In this window, you select how to deploy Gaia Operating System.

Section Options Description

Setup Continue with R81 Use this option to configure the installed Gaia
configuration and Check Point products.

Install Install from Check Use these options to install a Gaia version.
Point Cloud
Install from USB
device

Recovery Import existing Use this option to import an existing Gaia

snapshot snapshot.

If in the Deployment Options window, you selected Install from Check Point Cloud, the
First Time Configuration Wizard asks you to configure the connection to Check Point Cloud.
These options appear (applies only to Check Point appliances that you configured as a
Security Gateway):
n Install major version - This option let you choose and install major versions available
on Check Point Cloud. The Gaia CPUSE performs the installation.
n Pull appliance configuration - This option applies the initial deployment configuration
that includes different OS version on the appliance. You must prepare the initial
deployment configuration with the Zero Touch Cloud Service. For more information,
see sk116375.

Installation and Upgrade Guide R81 | 33

 Running the First Time Configuration Wizard in Gaia Portal

Management Connection window

In this window, you select and configure the main Gaia Management Interface. You connect
to this IP address to open the Gaia Portal or CLI session.

Field Description

Interface By default, First Time Configuration Wizard selects the interface you
configured during the Gaia installation (for example, eth0).
Note - After you complete the First Time Configuration Wizard and
reboot, you can select another interface as the main Gaia
Management Interface and configure its IP settings.

Configure Select how the Gaia Management Interface gets its IPv4 address:
IPv4
n Manually - You configure the IPv4 settings in the next fields.
n Off - None.

IPv4 Enter the applicable IPv4 address.

address

Subnet Enter the applicable IPv4 subnet mask.

mask

Default Enter the IPv4 address of the applicable default gateway.

Gateway

Configure Select how the Gaia Management Interface gets its IPv6 address:
IPv6
n Manually - You configure the IPv6 settings in the next fields.
n Off - None.

IPv6 Enter the applicable IPv6 address.

Address

Mask Enter the applicable IPv6 mask length.

Length

Default Enter the IPv6 address of the applicable default gateway.

Gateway

Installation and Upgrade Guide R81 | 34

 Running the First Time Configuration Wizard in Gaia Portal

Internet Connection window

Optional: In this window, you configure the interface that connects the Gaia computer to the
Internet.

Interface Select the applicable interface on this computer.

Configure IPv4 Select how the applicable interface gets its IPv4 address:
n Manually - You configure the IPv4 settings in the next fields.
n Off - None.

IPv4 address Enter the applicable IPv4 address.

Subnet mask Enter the applicable IPv4 subnet mask.

Configure IPv6 Optional. Select how the applicable interface gets its IPv6 address:
n Manually - You configure the IPv6 settings in the next fields.
n Off - None.

IPv6 Address Enter the applicable IPv6 address.

Subnet Enter the applicable IPv6 subnet mask.

Installation and Upgrade Guide R81 | 35

 Running the First Time Configuration Wizard in Gaia Portal

Device Information window

In this window, you configure the Host name, the DNS servers and the Proxy server on the
Gaia computer.

Field Description

Host Name Enter the applicable distinct host name.

Domain Name Optional: Enter the applicable domain name.

Primary DNS Enter the applicable IPv4 address of the primary DNS server.
Server

Secondary DNS Optional: Enter the applicable IPv4 address of the secondary
Server DNS server.

Tertiary DNS Optional: Enter the applicable IPv4 address of the tertiary DNS
Server server.

Use a Proxy server Optional: Select this option to configure the applicable Proxy
server.

Address Enter the applicable IPv4 address or resolvable hostname of the

Proxy server.

Port Enter the port number for the Proxy server.

Installation and Upgrade Guide R81 | 36

 Running the First Time Configuration Wizard in Gaia Portal

Date and Time Settings window

In this window, you configure the date and time settings on the Gaia computer.

Field Description

Set the time manually Select this option to configure the date and time settings
manually.

Date Select the correct date.

Time Select the correct time.

Time Zone Select the correct time zone.

Use Network Time Select this option to configure the date and time settings
Protocol (NTP) automatically with NTP.

Primary NTP server Enter the applicable IPv4 address or resolvable hostname of
the primary NTP server.

Version Select the version of the NTP for the primary NTP server.

Secondary NTP Optional: Enter the applicable IPv4 address or resolvable

server hostname of the secondary NTP server.

Version Select the version of the NTP for the secondary NTP server.

Time Zone Select the correct time zone.

Installation and Upgrade Guide R81 | 37

 Running the First Time Configuration Wizard in Gaia Portal

Installation Type window

In this window, you select which type of Check Point products you wish to install on the Gaia
computer.

Field Description

Security Gateway and/or Select this option to install:

Security Management
n A Single Security Gateway.
n A Cluster Member.
n A Security Management Server, including
Management High Availability.
n An Endpoint Security Management Server.
n An Endpoint Policy Server.
n CloudGuard Controller.
n A dedicated single Log Server.
n A dedicated single SmartEvent Server.
n A Standalone.

Multi-Domain Server Select this option to install:

n A Multi-Domain Server, including
Management High Availability.
n A dedicated single Multi-Domain Log Server.

Products window

In this window, you continue to select which type of Check Point products you wish to install
on the Gaia computer.
n If in the Installation Type window, you selected Security Gateway and/or Security
Management, these options appear:

Field Description

Security Gateway Select this option to install:

l A single Security Gateway.

l A Cluster Member.

l A Standalone.

Installation and Upgrade Guide R81 | 38

 Running the First Time Configuration Wizard in Gaia Portal

Field Description

Security Select this option to install:

Management l A Security Management Server, including

Management High Availability.

l An Endpoint Security Management Server.

l An Endpoint Policy Server.

l CloudGuard Controller.

l A dedicated single Log Server.

l A dedicated single SmartEvent Server.

l A Standalone.

Unit is a part of a This option is available only if you selected Security

cluster Gateway.
Select this option to install a cluster of dedicated Security
Gateways, or a Full High Availability Cluster.
Select the cluster type:
l ClusterXL - For a cluster of dedicated Security

Gateways, or a Full High Availability Cluster.

l VRRP Cluster - For a VRRP Cluster on Gaia.

Define Security Select Primary to install:

Management as l A Security Management Server.

l An Endpoint Security Management Server.

l An Endpoint Policy Server.

l CloudGuard Controller.

Select Secondary to install:

l A Secondary Management Server in Management

High Availability.
Select Log Server / SmartEvent only to install:
l A dedicated single Log Server.

l A dedicated single SmartEvent Server.

n If in the Installation Type window, you selected Multi-Domain Server, these options
appear:

Field Description

Primary Multi- Select this option to install a Primary Multi-Domain Server in

Domain Server Management High Availability.

Secondary Multi- Select this option to install a Secondary Multi-Domain

Domain Server Server in Management High Availability.

Installation and Upgrade Guide R81 | 39

 Running the First Time Configuration Wizard in Gaia Portal

Field Description

Multi-Domain Log Select this option to install a dedicated single Multi-Domain

Server Log Server.

Note - By default, the option Automatically download Blade Contracts, new

software, and other important data is enabled. See sk111080.

Dynamically Assigned IP window

In this window, you select if this Security Gateway gets its IP address dynamically (DAIP
gateway).

Field Description

Yes Select this option, if this Security Gateway gets its IP address dynamically
(DAIP gateway).

No Select this option, if you wish to configure this Security Gateway with a static
IP address.

Secure Internal Communication (SIC) window

In this window, you configure a one-time Activation Key. You must enter this key later in
SmartConsole when you create the corresponding object and initialize SIC.

Field Description

Activation Key Enter one-time activation key (between 4 and 127 characters
long).

Confirm Activation Enter the same one-time activation key again.

Key

Security Management Administrator window

In this window, you configure the main administrator for this Security Management Server.

Use Gaia Select this option, if you wish to use the default Gaia
administrator: admin administrator (admin).

Define a new Select this option, if you wish to configure an administrator

administrator username and password manually.

Installation and Upgrade Guide R81 | 40

 Running the First Time Configuration Wizard in Gaia Portal

Security Management GUI Clients window

In this window, you configure which computers are allowed to connect with SmartConsole to
this Security Management Server.

Field Description

Any IP Address Select this option to allow all computers to connect.

This machine Select this option to allow only a specific computer to connect.
By default, the First Time Configuration Wizard uses the IPv4
address of your computer.
You can change it to another IP address.

Network Select this option to allow an entire IPv4 subnet of computers to

connect.
Enter the applicable subnet IPv4 address and subnet mask.

Range of IPv4 Select this option to allow a specific range of IPv4 addresses to
addresses connect.
Enter the applicable start and end IPv4 addresses.

Leading VIP Interfaces Configuration window

In this window, you select the main Leading VIP Interface on this Multi-Domain Server.

Field Description

Select leading interface Select the applicable interface.

Multi-Domain Server GUI Clients window

In this window, you configure which computers are allowed to connect with SmartConsole to
this Multi-Domain Server.

Field Description

Any host Select this option to allow all computers to connect.

IP Select this option to allow only a specific computer to connect.

address By default, the First Time Configuration Wizard uses the IPv4 address of
your computer.
You can change it to another IP address.

Installation and Upgrade Guide R81 | 41

 Running the First Time Configuration Wizard in Gaia Portal

First Time Configuration Wizard Summary window

In this window, you can see the installation options you selected.
The Improve product experience section:
n By default, the option Send data to Check Point is enabled. For information about this
option, see sk111080.
n By default, the option Send crash data to Check Point that might contain personal
data is disabled.
If you enable this option, Gaia operating system uploads the detected core dump files
to Check Point Cloud.
R&D can analyze the crashes and issue fixes for them.

Notes:

n At the end of the First Time Configuration Wizard, the Gaia computer reboots and the
initialization process is performed in the background for several minutes.
n If you installed the Gaia computer as a Security Management Server or Multi-Domain
Server, only read-only access is possible with SmartConsole during this initialization
time.
n To make sure the configuration is finished:
1. Connect to the command line on the Gaia computer.

2. Log in to the Expert mode.

3. Check that the bottom section of the /var/log/ftw_install.log file
contains one of these sentences:
l installation succeeded
l FTW: Complete

Run:

cat /var/log/ftw_install.log | egrep --color

"installation succeeded|FTW: Complete"

Installation and Upgrade Guide R81 | 42

 Running the First Time Configuration Wizard in Gaia Portal

Example outputs:
l From a Security Gateway or Cluster Member:

[Expert@GW:0]# cat /var/log/ftw_install.log | egrep

--color "installation succeeded|FTW: Complete"
Dec 06, 19 19:19:51 FTW: Complete
[Expert@GW:0]#

l From a Security Management Server or a Standalone:

[Expert@SA:0]# cat /var/log/ftw_install.log | egrep

--color "installation succeeded|FTW: Complete"
Dec 06, 2019 03:48:38 PM installation succeeded.
06/12/19 15:48:39 FTW: Complete
[Expert@SA:0]#

l From a Multi-Domain Server:

[Expert@MDS:0]# cat /var/log/ftw_install.log |

egrep --color "installation succeeded|FTW:
Complete"
Dec 06, 2019 07:43:15 PM installation succeeded.
[Expert@MDS:0]#

Installation and Upgrade Guide R81 | 43

 Running the First Time Configuration Wizard in CLI Expert mode

Running the First Time Configuration Wizard in CLI Expert

mode

Description
Use this command in the Expert mode to test and to run the First Time Configuration Wizard
on a Gaia system for the first time after the system installation.

Notes:
n The config_system utility is not an interactive configuration tool. It helps
automate the first time configuration process.
n The config_system utility is only for the first time configuration, and not for
ongoing system configurations.

Syntax
n To list the command options, run one of these:

Form Command

Short form config_system -h

Long form config_system --help

n To run the First Time Configuration Wizard from a specified configuration file, run one of
these:

Form Command

Short form config_system -f <Path and Filename>

Long form config_system --config-file <Path and Filename>

n To run the First Time Configuration Wizard from a specified configuration string, run one
of these:

Form Command

Short form config_system -s <String>

Long form config_system --config-string <String>

n To create a First Time Configuration Wizard Configuration file template in a specified

path, run one of these:

Installation and Upgrade Guide R81 | 44

 Running the First Time Configuration Wizard in CLI Expert mode

Form Command

Short form config_system -t <Path>

Long form config_system --create-template <Path>

n To verify that the First Time Configuration file is valid, run:

config_system --dry-run

n To list configurable parameters, run one of these:

Form Command

Short form config_system -l

Long form config_system --list-params

To run the First Time Configuration Wizard from a configuration string:

Ste
Instructions
p

1 Run this command in Expert mode:

config_system --config-string <String of Parameters and
Values>
A configuration string must consist of parameter=value pairs, separated by the
ampersand (&).
You must enclose the whole string between quotation marks.
For example:
"hostname=myhost&domainname=somedomain.com&timezone='Americ
a/Indiana/Indianapolis'&ftw_sic_key=aaaa&install_security_
gw=true&gateway_daip=false&install_ppak=true&gateway_
cluster_member=true&install_security_managment=false"
For more information on valid parameters and values, run the "config_system -
h" command.

2 Reboot the system.

Installation and Upgrade Guide R81 | 45

 Running the First Time Configuration Wizard in CLI Expert mode

To run the First Time Configuration Wizard from a configuration file:

Step Instructions

1 Run this command in Expert mode:

config_system -f <File
Name>

2 Reboot the system.

If you do not have a configuration file, you can create a configuration template and fill in the
parameter values as necessary.

Before you run the First Time Configuration Wizard, you can validate the configuration file you
created.

To create a configuration file:

Step Instructions

1 Run this command in Expert mode:

config_system -t <File
Name>

2 Open the file you created in a text editor.

3 Edit all parameter values as necessary.

4 Save the updated configuration file.

To validate a configuration file:

Run this command in Expert mode:

config_system --config-file <File Name> --dry-run

Parameters
A configuration file contains the <parameter>=<value> pairs described in the table below.

Note - The config_system parameters can change from Gaia version to Gaia
version. Run the "config_system --help" command to see the available
parameters.

Installation and Upgrade Guide R81 | 46

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters

Supports
Parameter Scalable Description Valid values
Platforms?

admin_hash Configures the administrator's A string of

password. alphanumeric
characters, enclosed
between single
quotation marks.

default_gw_ Specifies IPv4 address of the Single IPv4 address.

v4 default gateway.

default_gw_ Specifies IPv6 address of the Single IPv6 address.

v6 default gateway.

domainname Configures the domain name Fully qualified

(optional). domain name.
Example:
somedomain.com

download_ Downloads Check Point n true

info Software Blade contracts and n false
other important information, if its
value is set to "true".
For more information, see
sk94508.
Best Practice - We highly
recommended you enable
this optional parameter.

ftw_sic_key Configures the Secure Internal A string of

Communication key, if the value alphanumeric
of the "install_security_ characters (between
managment" parameter is set to 4 and 127 characters
"false". long).

gateway_ Configures the Security n true

cluster_ Gateway as member of n false
member ClusterXL, if its value is set to
"true".

Installation and Upgrade Guide R81 | 47

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters (continued)

Supports
Parameter Scalable Description Valid values
Platforms?

gateway_ Configures the Security n true

daip Gateway as Dynamic IP (DAIP) n false
Security Gateway, if its value is
set to "true". Note - Must be
set to "false", if
ClusterXL or
Security
Management
Server is
enabled.

hostname Configures the name of the local A string of

host (optional). alphanumeric
characters.

iface Interface name (optional). Name of the interface

exactly as it appears
in the device
configuration.
Examples:
eth0, eth1

install_ Specifies Multi-Domain Server Name of the interface

mds_ management interface. exactly as it appears
interface in the device
configuration.
Examples: eth0,
eth1

install_ Makes the installed Security n true

mds_primary Management Server the Primary n false
Multi-Domain Server.
Note - The value of the Note - Can only
"install_security_ be set to "true",
managment" parameter if the value of the
must be set to "true". "install_
mds_
secondary"
parameter is set
to "false".

Installation and Upgrade Guide R81 | 48

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters (continued)

Supports
Parameter Scalable Description Valid values
Platforms?

install_ Makes the installed Security n true

mds_ Management Server a n false
secondary Secondary Multi-Domain Server.
Note - The value of the Note - Can only
"install_security_ be set to "true",
managment" parameter if the value of the
must be set to "true". "install_
mds_primary"
parameter is set
to "false".

install_ Makes the installed Security n true

mgmt_ Management Server the Primary n false
primary one.
Notes:.
n Can only be set to
"true", if the value of
the "install_
mgmt_secondary"
parameter is set to
"false".
n To install a dedicated
Log Server, the value
of this parameter must
be set to "false".

install_ Makes the installed Security n true

mgmt_ Management Server a n false
secondary Secondary one.
Notes:
n Can only be set to
"true", if the value of
the "install_mgmt_
primary" parameter
is set to "false".
n To install a dedicated
Log Server, the value
of this parameter must
be set to "false".

Installation and Upgrade Guide R81 | 49

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters (continued)

Supports
Parameter Scalable Description Valid values
Platforms?

install_mlm Installs Multi-Domain Log n true

Server, if its value is set to n false
"true".

install_ Installs Security Gateway, if its n true

security_gw value is set to "true". n false

install_ Installs a Security Management n true

security_ Server or a dedicated Log n false
managment Server, if its value is set to
"true".

install_ Installs VSX Gateway, if its value n true

security_ is set to "true". n false
vsx

ipaddr_v4 Configures the IPv4 address of Single IPv4 address.

the management interface.

ipaddr_v6 Configures the IPv6 address of Single IPv6 address.

the management interface.

ipstat_v4 Turns on static IPv4 n manually

configuration, if its value is set to n off
"manually".

ipstat_v6 Turns static IPv6 configuration n manually

on, if its value is set to n off
"manually".

masklen_v4 Configures the IPv4 mask length A number from 0 to

for the management interface. 32.

masklen_v6 Configures the IPv6 mask length A number from 0 to

for the management interface. 128.

mgmt_admin_ Configures the management A string of

name administrator's username. alphanumeric
Note - You must specify this characters.
parameter, if the value of
the "install_security_
managment" parameter is
set to "true".

Installation and Upgrade Guide R81 | 50

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters (continued)

Supports
Parameter Scalable Description Valid values
Platforms?

mgmt_admin_ Configures the management A string of

passwd administrator's password. alphanumeric
Note - You must specify this characters.
parameter, if the value of
the "install_security_
managment" parameter is
set to "true".

mgmt_admin_ Configures Management Server n Set the value to

radio administrator. "gaia_admin",
Note - You must specify this if you wish to
parameter, if you install a use the Gaia
Management Server. "admin"
account.
n Set the value to
"new_admin",
if you wish to
configure a new
administrator
account.

mgmt_gui_ Specifies the first address of the Single IPv4 address

clients_ range, if the value of the "mgmt_ of a host.
first_ip_ gui_clients_radio" Example:
field parameter is set to "range". 192.168.0.10

mgmt_gui_ Specifies the netmask, if value of Single IPv4 address

clients_ the "mgmt_gui_clients_ of a host.
hostname radio" parameter is set to Example:
"this". 192.168.0.15

mgmt_gui_ Specifies the network address, if IPv4 address of a

clients_ip_ the value of the "mgmt_gui_ network.
field clients_radio" parameter is Example:
set to "network". 192.168.0.0

mgmt_gui_ Specifies the last address of the Single IPv4 address

clients_ range, if the value of the "mgmt_ of a host.
last_ip_ gui_clients_radio" Example:
field parameter is set to "range". 192.168.0.20

Installation and Upgrade Guide R81 | 51

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters (continued)

Supports
Parameter Scalable Description Valid values
Platforms?

mgmt_gui_ Specifies SmartConsole clients n any

clients_ that can connect to the Security n range
radio Management Server. n network
n this

mgmt_gui_ Specifies the netmask, if the A number from 1 to

clients_ value of the "mgmt_gui_ 32.
subnet_ clients_radio" parameter is
field set to "network".

ntp_primary Configures the IP address of the IPv4 address.

primary NTP server (optional).

ntp_ Configures the NTP version of n 1

primary_ the primary NTP server n 2
version (optional). n 3
n 4

ntp_ Configures the IP address of the IPv4 address.

secondary secondary NTP server
(optional).

ntp_ Configures the NTP version of n 1

secondary_ the secondary NTP server n 2
version (optional). n 3
n 4

primary Configures the IP address of the IPv4 address.

primary DNS server (optional).

proxy_ Configures the IP address of the IPv4 address, or

address proxy server (optional). Hostname.

proxy_port Configures the port number of A number from 1 to

the proxy server (optional). 65535.

reboot_if_ Reboots the system after the n true

required configuration, if its value is set to n false
"true" (optional).

Installation and Upgrade Guide R81 | 52

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters (continued)

Supports
Parameter Scalable Description Valid values
Platforms?

secondary Configures the IP address of the IPv4 address.

secondary DNS server
(optional).

sg_cluster_ For Check Point Support use

id only.

tertiary Configures the IP address of the IPv4 address.

tertiary DNS server (optional).

timezone Configures the Area/Region The Area/Region

(optional). must be enclosed
between single
quotation marks.
Examples:
'America/New_
York'
'Asia/Tokyo'
Note - To see
the available
Areas and
Regions,
connect to any
Gaia computer,
log in to Gaia
Clish, and run
this command
(names of Areas
and Regions are
case-sensitive):
set timezone
Area
<
SPACE><TAB>

Installation and Upgrade Guide R81 | 53

 Running the First Time Configuration Wizard in CLI Expert mode

Table: The 'config_system' parameters (continued)

Supports
Parameter Scalable Description Valid values
Platforms?

upload_ Uploads core dump files that n true

crash_data help Check Point resolve n false (default)
stability issues, if its value is set
to "true".
For more information, see the
R81 Gaia Administration Guide.
Warning - The core dump
files may contain personal
data.

upload_info Uploads data that helps Check n true

Point provide you with optimal n false
services, if its value is set to
"true".
For more information, see
sk94509.
Best Practice - We highly
recommended you enable
this optional parameter.

Installation and Upgrade Guide R81 | 54

 Configuring the IP Address of the Gaia Management Interface

Configuring the IP Address of the Gaia

Management Interface
The Gaia Management Interface is pre-configured with the IP address 192.168.1.1.
You can change this IP address during or after you run the Gaia First Time Configuration
Wizard.
If you must access the Gaia computer over the network, assign the applicable IP address to
that interface before you connect the Gaia computer to the network.
If you change the IP address of the Gaia Management Interface during the First Time
Configuration Wizard, this warning shows:

Your IP address has been changed. In order to maintain the browser

connection, the old IP address will be retained as a secondary IP
address.

You can change the IP address of the Gaia Management Interface after you run the Gaia First
Time Configuration Wizard.
Changing the IP address in Gaia Portal

Step Instructions

1 In your web browser, connect the Gaia Portal to the current IP address of the
Gaia management interface:
https://<IP Address of Gaia Management Interface>

2 In the left navigation tree, go to Network Management > Network Interfaces.

3 In the Management Interface section, click Set Management Interface.

4 Select the applicable interface.

5 Click OK.

6 In the Interfaces section, select the Management Interface and click Edit.

7 Assign the applicable IP address.

8 Click OK.

Installation and Upgrade Guide R81 | 55

 Configuring the IP Address of the Gaia Management Interface

Changing the IP address in Gaia Clish

Step Instructions

1 Connect to the command line on the Gaia computer.

n Over SSH to the current IP address of the Gaia Management
Interface
n Over a console

2 Log in to Gaia Clish.

3 Get the name of the current Gaia Management Interface:

show management interface

4 Select another Gaia Management Interface:

set management interface <Interface Name>

5 Assign another IP address to the Gaia Management Interface:

set interface <Interface Name> ipv4-address
<IPv4 address> subnet-mask <Mask>

6 Save the changes in the Gaia database:

save config

For more information:

See the R81 Gaia Administration Guide.

Installation and Upgrade Guide R81 | 56

 Changing the Disk Partition Sizes on an Installed Gaia

Changing the Disk Partition Sizes on an

Installed Gaia
See the R81 Release Notes for disk space requirements.

To see the size of the system-root and log partitions on an installed system:

Step Instructions

1 Connect to the command line on your Gaia computer.

2 Log in to the Expert mode.

3 Run:
df -h

Note - Most of the remaining space on the disk is reserved for backup images and
upgrades.

To see the disk space assigned for backup images:

Step Instructions

1 With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia Management Interface>

2 In the left navigation tree, click Maintenance > Snapshot Management.

Note - On an Open Server, the available space in the Snapshot
Management page is less than the space you defined during the
Gaia installation. The difference is the space reserved for
upgrades. The amount of reserved space equals the size of the
system-root partition.

To manage the partition size on your system, see sk95566.

Installation and Upgrade Guide R81 | 57

 Enabling IPv6 on Gaia

Enabling IPv6 on Gaia

IPv6 is automatically enabled, if you configure IPv6 addresses in the Gaia First Time
Configuration Wizard.
If you did not configure IPv6 addresses, you can manually enable the IPv6 support in Gaia
later.
Enabling IPv6 in Gaia Portal

Step Instructions

1 With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia Management Interface>

2 From the navigation tree, click System Management > System Configuration.

3 In the IPv6 Support section, select On.

4 Click Apply.

5 When prompted, select Yes to reboot.

Important - IPv6 support is not available until you reboot.

Enabling IPv6 in Gaia Clish

Step Instructions

1 Connect to the command line on Gaia.

2 Log in to Gaia Clish.

3 Enable the IPv6 support:

set ipv6-state on

4 Save the changes:

save config

5 Reboot:
reboot
Important - IPv6 support is not
available until you reboot.

Installation and Upgrade Guide R81 | 58

 Enabling IPv6 on Gaia

For more information:

See the R81 Gaia Administration Guide > Chapter System Management > Section System
Configuration.

Installation and Upgrade Guide R81 | 59

 Installing a Security Management Server

Installing a Security Management

Server
This section provides instructions to install a Security Management Server:
n "Installing One Security Management Server only, or Primary Security Management
Server in Management High Availability" on page 61
n "Installing a Secondary Security Management Server in Management High Availability"
on page 63

Installation and Upgrade Guide R81 | 60

 Installing One Security Management Server only, or Primary Security Management Server in

Installing One Security Management Server

only, or Primary Security Management Server in
Management High Availability
Procedure:
1: Install the Security Management Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances" on
page 24
n "Installing the Gaia Operating System on Open Servers" on page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these settings:
n In the Installation Type window, select Security Gateway and/or
Security Management.
n In the Products window:
1. In the Products section, select Security Management only.
2. In the Clustering section, in the Define Security Management as
field, select Primary.
n In the Security Management GUI Clients window, configure the
applicable allowed computers:
l Any IP Address - Allows all computers to connect.

l This machine - Allows only the single specified computer to

connect.
l Network - Allows all computers on the specified network to

connect.
l Range of IPv4 addresses - Allows all computers in the specified

range to connect.

4 Install a valid license.

See "Working with Licenses" on page 657.

Installation and Upgrade Guide R81 | 61

 Installing One Security Management Server only, or Primary Security Management Server in

2: Perform initial configuration in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the Security Management Server object.

4 On the General Properties page, click the Management tab.

5 Enable the applicable Software Blades.

Note - In a Management High Availability environment, the
SmartEvent Software Blade is supported only on the Active
Management Server (for more information, see sk25164).

6 Click OK.

Disk space for logs and indexes:

The Security Management Server with Log Indexing enabled, creates and uses index files for
fast access to log file content. Index files are located by default at $RTDIR/log_indexes/.
To make sure that there is always sufficient disk space on the Security Management Server,
the server that stores the log index deletes the oldest index entries, when the available disk
space is less than a specified minimum. The default minimum value is 5000 MB, or 15% of the
available disk space.
Configuring the applicable minimum disk space

Step Instructions

1 In the SmartConsole, edit the object of the Security Management Server.

2 From the left navigation tree, click Logs > Storage.

3 Select When disk space is below <number> Mbytes, start deleting old files.

4 Enter the applicable disk space value.

5 Click OK.

For more information:

See the R81 Security Management Administration Guide.

Installation and Upgrade Guide R81 | 62

 Installing a Secondary Security Management Server in Management High Availability

Installing a Secondary Security Management

Server in Management High Availability
Procedure:
1. Install the Secondary Security Management Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26
Important - You must use the same Gaia installation version as you
used for the Primary Security Management Server.

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Management only.

b. In the Clustering section, in the Define Security
Management as field, select Secondary.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Perform initial configuration in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Primary Security Management Server.

2 From the left navigation panel, click Gateways & Servers.

Installation and Upgrade Guide R81 | 63

Installing a Secondary Security Management Server in Management High Availability

Step Instructions

3 Create a new Check Point Host object that represents the Secondary
Security Management Server in one of these ways:
n From the top toolbar, click the New ( > More > Check Point Host.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways & Servers > New Check Point Host.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Check Point Host.

4 Click the General Properties page.

5 In the Name field, enter the applicable name.

6 In the IPv4 Address and IPv6 Address fields, enter the applicable IP
addresses.

7 In the Platform section:

n In the Hardware field, select the applicable option
n In the Version field, select R81
n In the OS field, select Gaia

8 On the General Properties page, click the Management tab.

9 Select Network Policy Management.

Make sure the Secondary Server is selected and grayed out.
Note - In a Management High Availability environment, the
SmartEvent Software Blade is supported only on the Active
Management Server (for more information, see sk25164).

10 Establish the Secure Internal Communication (SIC) between the Primary

Security Management Server and the Secondary Security Management
Server:
a. In the Secure Internal Communication field, click Communication.
b. Enter the same Activation Key you entered during the First Time
Configuration Wizard of the Secondary Security Management
Server.
c. Click Initialize. The Trust state field must show Established.
d. Click Close.

11 Click OK.

12 In the SmartConsole top left corner, click Menu > Install database.

13 Select all objects.

Installation and Upgrade Guide R81 | 64

 Installing a Secondary Security Management Server in Management High Availability

Step Instructions

14 Click Install.

15 Click OK.

16 In the SmartConsole top left corner, click Menu > Management High
Availability.

17 Make sure the Security Management Servers are able to synchronize.

Disk space for logs and indexes:

The Security Management Server with Log Indexing enabled, creates and uses index files for
fast access to log file content. Index files are located by default at $RTDIR/log_indexes/.
To make sure that there is always sufficient disk space on the Security Management Server,
the server that stores the log index deletes the oldest index entries, when the available disk
space is less than a specified minimum. The default minimum value is 5000 MB, or 15% of the
available disk space.
Configuring the applicable minimum disk space

Step Instructions

1 In the SmartConsole, edit the object of the Security Management Server.

2 From the left navigation tree, click Logs > Storage.

3 Select When disk space is below <number> Mbytes, start deleting old files.

4 Enter the applicable disk space value.

5 Click OK.

For more information:

See the R81 Security Management Administration Guide.

Installation and Upgrade Guide R81 | 65

 Installing a Dedicated Log Server or SmartEvent Server

Installing a Dedicated Log Server

or SmartEvent Server

Installation and Upgrade Guide R81 | 66

 Installing a Dedicated Log Server or SmartEvent Server

Procedure:
1. Install the Log Server or SmartEvent Server
Note - You can install a dedicated SmartEvent Server and a dedicated
SmartEvent Correlation Unit.

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Management only.

b. In the Clustering section, in the Define Security
Management as field, select Log Server / SmartEvent only.
n In the Security Management Administrator window, select one of

these options:
l Use Gaia administrator

l Define a new administrator and configure it

n In the Security Management GUI Clients window, configure the

applicable allowed computers:

l Any IP Address - Allows all computers to connect.

l This machine - Allows only the single specified computer to

connect.
l Network - Allows all computers on the specified network to

connect.
l Range of IPv4 addresses - Allows all computers in the

specified range to connect.

n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Perform initial configuration in SmartConsole

Installation and Upgrade Guide R81 | 67

 Installing a Dedicated Log Server or SmartEvent Server

Step Instructions

1 Connect with SmartConsole to the Security Management Server that

works with this Log Server or SmartEvent Server.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Check Point Host object that represents the dedicated Log
Server or SmartEvent Server in one of these ways:
n From the top toolbar, click the New ( ) > More > Check Point

Host.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways & Servers > New Check Point Host.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Check Point Host.

4 Click the General Properties page.

5 In the Name field, enter the applicable name.

6 In the IPv4 Address and IPv6 Address fields, enter the applicable IP
addresses.

7 In the Platform section:

n In the Hardware field, select the applicable option
n In the Version field, select R81
n In the OS field, select Gaia

8 On the Management tab, select the applicable Software Blades:

n For the Log Server, select:
l Logging & Status

l Identity Logging, if you work with Identity Awareness Software

Blade
n For the SmartEvent Server, select:
l SmartEvent Server

l SmartEvent Correlation Unit

Note - You can install a dedicated SmartEvent Server and a

dedicated SmartEvent Correlation Unit.

Installation and Upgrade Guide R81 | 68

 Installing a Dedicated Log Server or SmartEvent Server

Step Instructions

9 Establish the Secure Internal Communication (SIC) between the

Management Server and this dedicated Log Server or SmartEvent
Server:
a. In the Secure Internal Communication field, click Communication.
b. Enter the same Activation Key you entered during the First Time
Configuration Wizard of the dedicated Log Server or SmartEvent
Server.
c. Click Initialize. The Trust state field must show Established.
d. Click Close.

10 In the left tree, configure the applicable settings.

11 Click OK.

12 In the SmartConsole top left corner, click Menu > Install database.

13 Select all objects.

14 Click Install.

15 Click OK.

Installation and Upgrade Guide R81 | 69

 Installing a Dedicated Log Server or SmartEvent Server

Disk space for logs and indexes:

The Log Server or SmartEvent Server with Log Indexing enabled, creates and uses index files
for fast access to log file content. Index files are located by default at $RTDIR/log_
indexes/.
To make sure that there is always sufficient disk space on the Log Server or SmartEvent
Server, the server that stores the log index deletes the oldest index entries when the available
disk space is less than a specified minimum. The default minimum value is 5000 MB, or 15%
of the available disk space.
Configuring the applicable minimum disk space

Step Instructions

1 In the SmartConsole, edit the object of the Security Management Server.

2 From the left navigation tree, click Logs > Storage.

3 Select When disk space is below <number> Mbytes, start deleting old files.

4 Enter the applicable disk space value.

5 Click OK.

Note - In a Multi-Domain Security Management environment, the Multi-Domain

Server controls the disk space for logs and indexes. The configured disk space
applies to all Domain Management Servers. Configure the applicable disk space in
the Multi-Domain Server object.

For more information, see:

n The R81 Security Management Administration Guide
n The R81 Logging and Monitoring Administration Guide
n "Deploying a Domain Dedicated Log Server" on page 71

Installation and Upgrade Guide R81 | 70

 Deploying a Domain Dedicated Log Server

Deploying a Domain Dedicated Log Server

Introduction
In a Multi-Domain Security Management environment, the Security Gateways send logs to the
Domain Management Server and dedicated Domain Log Servers.
The Multi-Domain Server unifies logs, and they can be stored on the Multi-Domain Server or
on a dedicated Multi-Domain Log Server.
Starting in R81, Multi-Domain Server supports a dedicated Log Server (installed on a separate
computer) for a Domain.
You can configure a Domain Dedicated Log Server to receive logs only from a specified
Domain, and no other Domains can access these logs.
This allows you to locate the dedicated Log Server in a separate network from the Multi-
Domain Security Management environment to comply with special regulatory requirements.
Logs reported to the Domain Dedicated Log Server can be viewed from any SmartConsole
that has permissions for this Domain.
The Domain Dedicated Log Server communicates directly only with the associated Domain
Server. No other Domain can access its log data.

Note - Connecting with SmartConsole to the Domain Dedicated Log Server to see Security
Policies is not supported.

Procedure for an R81 Multi-Domain Environment

1. Install an R81 Multi-Domain Server.

See "Installing a Multi-Domain Server" on page 76.

2. Install a regular dedicated R81 Log Server.
See "Installing a Dedicated Log Server or SmartEvent Server" on page 66.
3. Connect with SmartConsole to the specific Domain.
See the R81 Multi-Domain Security Management Administration Guide.
4. Add a regular Log Server object for the dedicated R81 Log Server you installed in Step 2.
Requirement post upgrade to R81:
For any environment, which uses SmartEvent Server or a Domain Dedicated Log Server, this
is a required step to complete post upgrade to R81 from any source version:
After you upgrade the SmartEvent Server or Domain Dedicated Log Server, run this command
in the Expert mode on each Multi-Domain Security Management Server:

Installation and Upgrade Guide R81 | 71

 Deploying a Domain Dedicated Log Server

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd

Procedure for an R77.x Multi-Domain Environment

Upgrade with CPUSE

1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).

This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain
Dedicated Log Servers, and SmartEvent Servers.
a. Follow the instructions in the R80.40 Installation and Upgrade Guide.
Important - Stop after the CPUSE Verifier shows the upgrade / installation is
allowed.
n For Multi-Domain Servers:
See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log
Servers" > select the applicable section to upgrade "from R80.10 and
lower" > select the applicable section to upgrade "with CPUSE".
n For Log Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated Log Server from R80.10 and
lower" > select the applicable section to upgrade "with CPUSE".
n For SmartEvent Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated SmartEvent Server from
R80.10 and lower" > select the applicable section to upgrade "with
CPUSE".
b. Fix all the errors, except the one specified for Log Servers on a Domain
Management Server:

Log Servers on the Domain Management Server level are

not yet supported in R80.x

Installation and Upgrade Guide R81 | 72

 Deploying a Domain Dedicated Log Server

c. On each Multi-Domain Security Management Server, modify the Pre-Upgrade

Verifier to treat the upgrade errors as warnings:
i. Connect to the command line on the Multi-Domain Server.
ii. Log in to the Expert mode.
iii. Enter these commands as they appear below (after each command, press
the Enter key):

cp -v $CPDIR/tmp/.CPprofile.sh{,_BKP}
cat >> $CPDIR/tmp/.CPprofile.sh << EOF
> export PUV_ERRORS_AS_WARNINGS=1
> EOF

d. Restart the CPUSE daemon:

DAClient stop ; DAClient start

e. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade
all the servers "with CPUSE".
2. Upgrade all Multi-Domain Servers to R81.
See "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" on page 248 >
select the applicable section to upgrade "from R80.20 and higher" > select the
applicable section to upgrade "with CPUSE".

3. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/configureCrlDp.sh

4. Reboot each Multi-Domain Security Management Server:

reboot

5. Upgrade all Log Servers and SmartEvent Servers to R81.

See "Upgrade of Security Management Servers and Log Servers" on page 209 >
section "Upgrading a Security Management Servers or Log Server from R80.20 and
higher" > section "Upgrading a Security Management Server or Log Server from
R80.20 and higher with Advanced Upgrade".

Note - To install an R81 Log Server or an R81 SmartEvent Server, see

"Installing a Dedicated Log Server or SmartEvent Server" on page 66.

Installation and Upgrade Guide R81 | 73

 Deploying a Domain Dedicated Log Server

6. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd

7. Reboot all the Domain Dedicated Log Servers and the SmartEvent Servers:

reboot

Advanced Upgrade

1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).

This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain
Dedicated Log Servers, and SmartEvent Servers.
a. Run the Pre-Upgrade Verifier, as detailed in the R80.40 Installation and
Upgrade Guide.
n For Multi-Domain Servers:
See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log
Servers" > select the applicable section to upgrade "from R80.10 and
lower" > select the applicable section to upgrade "with Advanced
Upgrade".
n For Log Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated Log Server from R80.10 and
lower" > select the applicable section to upgrade "with Advanced
Upgrade".
n For SmartEvent Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated SmartEvent Server from
R80.10 and lower" > select the applicable section to upgrade "with
Advanced Upgrade".
b. Fix all the errors, except the one specified for Log Servers on a Domain
Management Server:

Log Servers on Domain Management Server level are not

yet supported in R80.x

c. In your active shell window, run this command in the Expert mode:

export PUV_ERRORS_AS_WARNINGS=1

Installation and Upgrade Guide R81 | 74

 Deploying a Domain Dedicated Log Server

d. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade
all the servers "with Advanced Upgrade".
2. Upgrade all Multi-Domain Servers to R81.
See "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" on page 248 >
select the applicable section to upgrade "from R80.20 and higher" > select the
applicable section to upgrade "with Advanced Upgrade".
3. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/configureCrlDp.sh

4. Reboot each Multi-Domain Security Management Server:

reboot

5. Upgrade all Log Servers and SmartEvent Servers to R81.

See "Upgrade of Security Management Servers and Log Servers" on page 209 >
section "Upgrading a Security Management Servers or Log Server from R80.20 and
higher" > section "Upgrading a Security Management Server or Log Server from
R80.20 and higher with Advanced Upgrade".

Note - To install an R81 Log Server or an R81 SmartEvent Server, see

"Installing a Dedicated Log Server or SmartEvent Server" on page 66.

6. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all –sd

7. Reboot all the Domain Dedicated Log Servers and SmartEvent Servers:

reboot

Installation and Upgrade Guide R81 | 75

 Installing a Multi-Domain Server

Installing a Multi-Domain Server

This section provides instructions to install a Multi-Domain Server:
n "Installing One Multi-Domain Server Only, or Primary Multi-Domain Server in
Management High Availability" on page 77
n "Installing a Secondary Multi-Domain Server in Management High Availability" on
page 79

Installation and Upgrade Guide R81 | 76

 Installing One Multi-Domain Server Only, or Primary Multi-Domain Server in Management

Installing One Multi-Domain Server Only, or

Primary Multi-Domain Server in Management
High Availability
Procedure:
1. Install the Multi-Domain Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Multi-Domain Server.
n In the Installation Type window, select Primary Multi-Domain

Server.
n In the Leading VIP Interfaces Configuration window, select the

applicable interface.
n In the Multi-Domain Server GUI Clients window, select one of

these options:
l Any host to allow all computers to connect

l IP address and enter the IPv4 address of the applicable

allowed computer
n In the Security Management Administrator window, select one of

these options:
l Use Gaia administrator

l Define a new administrator and configure it

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Perform initial configuration in SmartConsole

Installation and Upgrade Guide R81 | 77

 Installing One Multi-Domain Server Only, or Primary Multi-Domain Server in Management

Step Instructions

1 Connect with SmartConsole to the Multi-Domain Server.

2 Configure the applicable settings.

For more information:

See the R81 Multi-Domain Security Management Administration Guide.

Installation and Upgrade Guide R81 | 78

 Installing a Secondary Multi-Domain Server in Management High Availability

Installing a Secondary Multi-Domain Server in

Management High Availability
Procedure:
1. Install the Secondary Multi-Domain Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26
Important - You must use the same Gaia installation version as you
used for the Primary Multi-Domain Server.

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Multi-Domain Server.
n In the Installation Type window, select Secondary Multi-Domain

Server.
n In the Leading VIP Interfaces Configuration window, select the

applicable interface.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Perform initial configuration in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Primary Multi-Domain Server - the

MDS context.

2 From the left navigation panel, click Multi Domain > Domains.

3 From the top toolbar, click New > Multi-Domain Server.

Installation and Upgrade Guide R81 | 79

 Installing a Secondary Multi-Domain Server in Management High Availability

Step Instructions

4 Enter the applicable object name.

5 Click the General page.

6 In the Basic Details section:

a. Enter the applicable IPv4 address.
b. Click Connect.

7 Enter the same Activation Key you entered during the setup of First Time
Configuration Wizard of the Secondary Multi-Domain Server.

8 Click OK.

7 In the Platform section:

n In the OS field, select Gaia
n In the Version field, select R81
n In the Hardware field, select the applicable option

8 Click the Multi-Domain page.

9 Configure the applicable settings.

10 Click the Log Settings > General page.

11 Configure the applicable settings.

12 Click the Log Settings > Advanced Settings page.

13 Configure the applicable settings.

14 Click OK.
Notes:
n The new Multi-Domain Server automatically synchronizes with all

existing Multi-Domain Servers and Multi-Domain Log Servers. The

synchronization operation can take some time to complete, during
which a notification indicator shows in the task information area.
n It is not supported to move the Secondary Multi-Domain Server from

one Management High Availability environment to another

Management High Availability environment. If you disconnect the
existing Secondary Multi-Domain Server from one Management High
Availability environment and connect it to another, you must install it
again from scratch as a Secondary Multi-Domain Server (Known
Limitation PMTR-14327).

Installation and Upgrade Guide R81 | 80

 Installing a Secondary Multi-Domain Server in Management High Availability

For more information:

See the R81 Multi-Domain Security Management Administration Guide.

Installation and Upgrade Guide R81 | 81

 Installing a Multi-Domain Log Server

Installing a Multi-Domain Log

Server
Procedure:
1. Install the Multi-Domain Log Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Multi-Domain Server.
n In the Installation Type window, select Multi-Domain Log Server.
n In the Leading VIP Interfaces Configuration window, select the

applicable interface.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Perform initial configuration in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Primary Multi-Domain Server - the

MDS context.

2 From the left navigation panel, click Multi Domain > Domains.

3 From the top toolbar, click New > Multi-Domain Log Server.

4 Enter the applicable object name.

5 Click the General page.

Installation and Upgrade Guide R81 | 82

 Installing a Multi-Domain Log Server

Step Instructions

6 In the Basic Details section:

a. Enter the applicable IPv4 address.
b. Click Connect.

7 Enter the same Activation Key you entered during the First Time
Configuration Wizard of the Multi-Domain Log Server.

8 Click OK.

9 In the Platform section:

n In the OS field, select Gaia
n In the Version field, select R81
n In the Hardware field, select the applicable option

10 Click the Multi-Domain page.

11 Configure the applicable settings.

12 Click the Log Settings > General page.

13 Configure the applicable settings.

14 Click the Log Settings > Advanced Settings page.

15 Configure the applicable settings.

16 Click OK.

For more information, see:

n The R81 Multi-Domain Security Management Administration Guide
n "Deploying a Domain Dedicated Log Server" on page 71

Installation and Upgrade Guide R81 | 83

 Installing an Endpoint Server

Installing an Endpoint Server

This section describes the installation and basic configuration of Endpoint Security
Management Server and Endpoint Policy Server:
n "Installing an Endpoint Security Management Server" on page 85
n "Installing an Endpoint Policy Server" on page 90
n "Connection Port to Services on an Endpoint Security Management Server" on page 92
n "Disk Space on an Endpoint Security Management Server" on page 96

Installation and Upgrade Guide R81 | 84

 Installing an Endpoint Security Management Server

Installing an Endpoint Security Management

Server
Procedure:
1. Install the Endpoint Security Management Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Management only.

b. In the Clustering section, in the Define Security
Management as field, select Primary.
n In the Security Management GUI Clients window, configure the

applicable allowed computers:

l Any IP Address - Allows all computers to connect.

l This machine - Allows only the single specified computer to

connect.
l Network - Allows all computers on the specified network to

connect.
l Range of IPv4 addresses - Allows all computers in the

specified range to connect.

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Perform initial configuration in SmartConsole

Installation and Upgrade Guide R81 | 85

 Installing an Endpoint Security Management Server

Step Instructions

1 Connect with SmartConsole to the Security Management Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the Security Management Server object.

4 On the General Properties page, click the Management tab.

5 Select the Endpoint Policy Management blade.

6 Click OK.

7 In the SmartConsole top left corner, click Menu > Install database.

8 Select all objects.

9 Click Install.

10 Click OK.

For more information:

See the R81 Harmony Endpoint Security Server Administration Guide.

Installation and Upgrade Guide R81 | 86

 Installing a Secondary Endpoint Security Management Server in Management High

Installing a Secondary Endpoint Security

Management Server in Management High
Availability
Procedure:
1. Install the Secondary Endpoint Security Management Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26
Important - You must use the same Gaia installation version as you
used for the Primary Endpoint Security Management Server.

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Management only.

b. In the Clustering section, in the Define Security
Management as field, select Secondary.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Perform initial configuration in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Primary Endpoint Security

Management Server.

Installation and Upgrade Guide R81 | 87

 Installing a Secondary Endpoint Security Management Server in Management High

Step Instructions

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Check Point Host object that represents the Secondary
Endpoint Security Management Server in one of these ways:
n From the top toolbar, click the New ( > More > Check Point Host.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways & Servers > New Check Point Host.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Check Point Host.

4 Click the General Properties page.

5 In the Name field, enter the applicable name.

6 In the IPv4 Address and IPv6 Address fields, enter the applicable IP
addresses.

7 In the Platform section:

n In the Hardware field, select the applicable option
n In the Version field, select R81
n In the OS field, select Gaia

8 On the General Properties page, click the Management tab.

9 Select the Network Policy Management and Endpoint Policy

Management blades.
Note - In a Management High Availability environment, the
SmartEvent Software Blade is supported only on the Active
Management Server (for more information, see sk25164).

10 Establish the Secure Internal Communication (SIC) between the Primary

Endpoint Security Management Server and the Secondary Endpoint
Security Management Server:
a. In the Secure Internal Communication field, click Communication.
b. Enter the same Activation Key you entered during the First Time
Configuration Wizard of the Secondary Endpoint Security
Management Server.
c. Click Initialize. The Trust state field must show Established.
d. Click Close.

11 Click OK.

12 In the SmartConsole top left corner, click Menu > Install database.

Installation and Upgrade Guide R81 | 88

 Installing a Secondary Endpoint Security Management Server in Management High

Step Instructions

13 Select all objects.

14 Click Install.

15 Click OK.

16 In the SmartConsole top left corner, click Menu > Management High
Availability.

17 Make sure the Endpoint Security Management Servers are able to

synchronize.

For more information:

See the R81 Harmony Endpoint Security Server Administration Guide.

Installation and Upgrade Guide R81 | 89

 Installing an Endpoint Policy Server

Installing an Endpoint Policy Server

Procedure:
1. Install the dedicated Endpoint Security Management Server

Follow the instructions in "Installing an Endpoint Security Management Server" on

page 85.

2. Install the dedicated Endpoint Policy Server

Follow the installation step instructions in "Installing a Dedicated Log Server or

SmartEvent Server" on page 66.

3. Perform initial configuration in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Endpoint Security Management

Server.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Check Point Host object that represents the Endpoint
Policy Server in one of these ways:
n From the top toolbar, click the New ( ) > More > Check Point

Host.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways & Servers > New Check Point Host.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Check Point Host.

4 Click the General Properties page.

5 In the Name field, enter the applicable name.

6 In the IPv4 Address and IPv6 Address fields, enter the applicable IP
addresses.

7 In the Platform section:

n In the Hardware field, select the applicable option
n In the Version field, select R81
n In the OS field, select Gaia

Installation and Upgrade Guide R81 | 90

 Installing an Endpoint Policy Server

Step Instructions

8 On the Management tab, select both the Endpoint Policy Management

and Logging & Status Software Blades.

9 Establish the Secure Internal Communication (SIC) between the

Endpoint Security Management Server and the Endpoint Policy Server:
a. In the Secure Internal Communication field, click Communication.
b. Enter the same Activation Key you entered during the First Time
Configuration Wizard of this dedicated Log Server.
c. Click Initialize. The Trust state field must show Established.
d. Click Close.

10 Click OK.

11 In the SmartConsole top left corner, click Menu > Install database.

12 Select all objects.

13 Click Install.

14 Click OK.

For more information:

See the R81 Harmony Endpoint Security Server Administration Guide.

Installation and Upgrade Guide R81 | 91

 Connection Port to Services on an Endpoint Security Management Server

Connection Port to Services on an Endpoint

Security Management Server

Installation and Upgrade Guide R81 | 92

 Connection Port to Services on an Endpoint Security Management Server

Important:

SSL connection ports on Security Management Servers R81 and higher

n A Security Management Server listens to SSL traffic for all services on the TCP port
443 in these cases:
l If you performed a clean installation of a Security Management Server R81 and
enabled the Endpoint Policy Management Software Blade.
l If you upgraded a Security Management Server with disabled Endpoint Policy
Management Software Blade to R81 and enabled this Software Blade after the
upgrade.
In these cases, when Endpoint Security SSL traffic arrives at the TCP port 443, the
Security Management Server automatically redirects it (internally) to the TCP port
4434.

Service URL and Port

Gaia Portal https://<IP Address of Gaia

Management Interface>

SmartView Web Application https://<IP Address of Management

Server>/smartview/

Management API Web https://<IP Address of Management

Services Server>/web_api/<command>
(see Check Point
Management API Reference)

n If you upgraded a Security Management Server with enabled Endpoint Policy

Management Software Blade to R81, then the SSL port configuration remains as it
was in the previous version, from which you upgraded:

Installation and Upgrade Guide R81 | 93

 Connection Port to Services on an Endpoint Security Management Server

l A Security Management Server listens to Endpoint Security SSL traffic on the

TCP port 443
l A Security Management Server listens to SSL traffic for all other services on the
TCP port 4434:

Service URL and Port

Gaia Portal https://<IP Address of Gaia

Management Interface>:4434

SmartView Web https://<IP Address of Management

Application Server>:4434/smartview/

Management API Web https://<IP Address of Management

Services Server>:4434/web_api/<command>
(see Check Point
Management API
Reference)

In R81 and higher, an administrator can manually configure different TCP ports for the
Gaia Portal (and other services) and Endpoint Security - 443 or 4434. For the
applicable procedures, see the R81 Harmony Endpoint Security Server
Administration Guide > Chapter Endpoint Security Architecture > Section Connection
Port to Services on an Endpoint Security Management Server.

SSL connection ports on Security Management Servers R80.40 and lower

n When you enable the Endpoint Policy Management Software Blade on a Security
Management Server, the SSL connection port to these services automatically
changes from the default TCP port 443 to the TCP port 4434:

Installation and Upgrade Guide R81 | 94

 Connection Port to Services on an Endpoint Security Management Server

l Gaia Portal

Configuration URL and Port

Default https://<IP Address of Gaia Management

Interface>

New https://<IP Address of Gaia Management

Interface>:4434

l SmartView Web Application

Configuration URL and Port

Default https://<IP Address of Management

Server>/smartview/

New https://<IP Address of Management

Server>:4434/smartview/

l Management API Web Services (see Check Point Management API

Reference)

Configuration URL and Port

Default https://<IP Address of Management

Server>/web_api/<command>

New https://<IP Address of Management

Server>:4434/web_api/<command>

n When you disable the Endpoint Policy Management Software Blade on a Security
Management Server, the SSL connection port automatically changes back to the
default TCP port 443.

Installation and Upgrade Guide R81 | 95

 Disk Space on an Endpoint Security Management Server

Disk Space on an Endpoint Security

Management Server
We recommend that you have at least 10 GB available for Endpoint Security in the root
partition.
Client packages and main release files are stored in the root partition:

Required
Instructions
Space

4 GB Main Security Management Server installation files.

2 GB or more Client files (each additional version of client packages requires 1 GB of

disk space).

1 GB Logs.

1 GB High Availability support (more can be required in large environments).

Note - To make future upgrades easier, we recommend that you use a larger disk
size than necessary in this deployment.

Installation and Upgrade Guide R81 | 96

 Installing a CloudGuard Controller

Installing a CloudGuard Controller

Note - It is not supported to perform an in-place upgrade of a Management Server
that runs in CloudGuard for Amazon Web Services (AWS), Microsoft Azure, Google
Cloud Platform (GCP), or any other cloud providers (Known Limitation VSECPC-
1341).

Procedure:
1. Install the CloudGuard Controller

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Management only.

b. In the Clustering section, in the Define Security
Management as field, select Primary.
n In the Security Management GUI Clients window, configure the

applicable allowed computers:

l Any IP Address - Allows all computers to connect.

l This machine - Allows only the single specified computer to

connect.
l Network - Allows all computers on the specified network to

connect.
l Range of IPv4 addresses - Allows all computers in the

specified range to connect.

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Enable the CloudGuard Controller

Installation and Upgrade Guide R81 | 97

 Installing a CloudGuard Controller

Step Instructions

1 Connect to the command line on the Security Management Server.

2 Log in to the Gaia Clish, or Expert mode.

3 Run:
cloudguard on

3. Enable the Identity Awareness Software Blade

Enable the Identity Awareness Software Blade on the applicable Security Gateways.

For more information, see the:

n R81 CloudGuard Controller Administration Guide
n R81 Identity Awareness Administration Guide

Installation and Upgrade Guide R81 | 98

 Installing a Management Server on Linux

Installing a Management Server on

Linux
To install a Security Management Server or Multi-Domain Server on Red Hat Enterprise Linux:
1. See sk44925.
2. Follow sk98760.
3. Contact Check Point Support for specific installation instructions.

Installation and Upgrade Guide R81 | 99

 Installing SmartConsole

Installing SmartConsole
SmartConsole is a GUI client you use to manage the Check Point environment.
For SmartConsole requirements, see the R81 Release Notes.

Downloading SmartConsole
You can download the SmartConsole installation package in several ways:
Downloading the SmartConsole package from the Home Page SK

Step Instructions

1 Open the R81 Home Page SK.

2 Go to the Downloads section.

3 Click the SmartConsole link.

4 Save the SmartConsole installation file.

Downloading the SmartConsole package from the Support Center

Step Instructions

1 Connect to the Check Point Support Center.

2 Search for:
"R81 SmartConsole"

3 Click the Downloads tab.

4 Click the applicable link to open the download page.

5 Click the Download button.

6 Save the SmartConsole installation file.

Installation and Upgrade Guide R81 | 100

 Installing SmartConsole

Downloading the SmartConsole package from the Gaia Portal

You can download the SmartConsole package from the Gaia Portal of your Security
Management Server or Multi-Domain Server.

Step Instructions

1 With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia
Management Interface>

2 On the Overview page, click Download Now!

3 Save the SmartConsole installation file.

Installing SmartConsole
To install the SmartConsole client on Windows platforms:

Step Instructions

1 Transfer the SmartConsole installation file to a Windows-based computer you

wish to use as a SmartConsole Client.

2 Run the SmartConsole installation file with Administrator privileges.

3 Follow the instructions on the screen.

Installation and Upgrade Guide R81 | 101

 Installing SmartConsole

Logging in to SmartConsole
Step Instructions

1 Open the SmartConsole application.

2 Enter the IP address or resolvable hostname of the Security Management Server,

Multi-Domain Server, or Domain Management Server.
The Management Server authenticates the connection when you log in for the
first time.
Multiple administrators can log in at the same time.

3 Enter your administrator credentials, or select the certificate file.

4 Click Login.

5 If necessary, confirm the connection using the fingerprint generated during the
installation.
You see this only the first time that you log in from a SmartConsole client.

For more information:

See the R81 Security Management Administration Guide.

Troubleshooting SmartConsole
Make sure the SmartConsole client can access these ports on the Management Server:
n 18190
n 18264
n 19009
For more information, see:
n sk52421: Ports used by Check Point software
n sk43401: How to completely disable FireWall Implied Rules

Installation and Upgrade Guide R81 | 102

 Installing a Security Gateway, VSX Gateway

Installing a Security Gateway, VSX

Gateway
This section provides instructions to install a Security Gateway and a VSX Gateway:
n "Installing a Security Gateway" on page 104
n "Installing a VSX Gateway" on page 111

Installation and Upgrade Guide R81 | 103

 Installing a Security Gateway

Installing a Security Gateway

Notes:
n This procedure applies to both Check Point Appliances and Open Servers.
n This procedure does not apply to Check Point Small Office Appliance models
lower than 3000.

Procedure:
1. Install the Security Gateway

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, clear Unit is a part of a cluster,
type.
n In the Dynamically Assigned IP window, select the applicable

option.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Configure the Security Gateway object in SmartConsole

Installation and Upgrade Guide R81 | 104

 Installing a Security Gateway

n Configuring in Wizard Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server

or Domain Management Server that should manage this Security
Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Security Gateway object in one of these ways:

l From the top toolbar, click the New ( ) > Gateway.
l In the top left corner, click Objects menu > More object

types > Network Object > Gateways and Servers > New
Gateway.
l In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Gateway.

4 In the Check Point Security Gateway Creation window, click

Wizard Mode.

5 On the General Properties page:

a. In the Gateway name field, enter the applicable name for
this Security Gateway object.
b. In the Gateway platform field, select the correct hardware
type.
c. In the Gateway IP address section, select the applicable
option:
l If you selected Static IP address, configure the same

IPv4 and IPv6 addresses that you configured on the

Management Connection page of the Security
Gateway's First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.
l If this Security Gateway receives its IP addresses

from a DHCP server, click Cancel and follow the

procedure Step 2 of 3: Configure the Security
Gateway object in SmartConsole - Classic Mode
below.
d. Click Next.

Installation and Upgrade Guide R81 | 105

 Installing a Security Gateway

Step Instructions

6 On the Trusted Communication page:

a. Select the applicable option:
l If you selected Initiate trusted communication now,

enter the same Activation Key you entered during the

Security Gateway's First Time Configuration Wizard.
l If you selected Skip and initiate trusted

communication later, make sure to follow Step 7.

b. Click Next.

7 On the End page:

a. Examine the Configuration Summary.
b. Select Edit Gateway properties for further configuration.
c. Click Finish.
Check Point Gateway properties window opens on the General
Properties page.

8 If during the Wizard Mode, you selected Skip and initiate trusted
communication later:
a. The Secure Internal Communication field shows
Uninitialized.
b. Click Communication.
c. In the Platform field:
l Select Open server / Appliance for all Check Point

appliance models 3000 and higher.

l Select Open server / Appliance for an Open Server.

l Select Small Office Appliance only for Check Point

Small Office Appliance models lower than 3000.

d. Enter the same Activation Key you entered during the
Security Gateway's First Time Configuration Wizard.
e. Click Initialize.
Make sure the Certificate state field shows Established.
f. Click OK.

9 On the General Properties page:

l On the Network Security tab, enable the applicable

Software Blades.
l On the Threat Prevention tab, enable the applicable

Software Blades.

10 Click OK.

Installation and Upgrade Guide R81 | 106

 Installing a Security Gateway

Step Instructions

11 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 107

 Installing a Security Gateway

n Configuring in Classic Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server

or Domain Management Server that should manage this Security
Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Security Gateway object in one of these ways:

l From the top toolbar, click the New ( ) > Gateway.
l In the top left corner, click Objects menu > More object

types > Network Object > Gateways and Servers > New
Gateway.
l In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Gateway.

4 In the Check Point Security Gateway Creation window, click

Classic Mode.
Check Point Gateway properties window opens on the General
Properties page.

5 In the Name field, enter the applicable name for this Security
Gateway object.

6 In the IPv4 address and IPv6 address fields, configure the same
IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Security Gateway's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
If this Security Gateway receives its IP addresses from a DHCP
server, select Dynamic Address.

Installation and Upgrade Guide R81 | 108

 Installing a Security Gateway

Step Instructions

7 Establish the Secure Internal Communication (SIC) between the

Management Server and this Security Gateway:
a. Near the Secure Internal Communication field, click
Communication.
b. In the Platform field:
l Select Open server / Appliance for all Check Point

models 3000 and higher.

l Select Open server / Appliance for an Open Server.

c. Enter the same Activation Key you entered during the

Security Gateway's First Time Configuration Wizard.
d. Click Initialize.
e. Click OK.

If the Certificate state field does not show Established,

perform these steps:
a. Connect to the command line on the Security Gateway.
b. Make sure there is a physical connectivity between the
Security Gateway and the Management Server (for
example, pings can pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the
Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the
cpconfig menu.
h. In SmartConsole, click Initialize.

8 In the Platform section, select the correct options:

a. In the Hardware field:
l If you install the Security Gateway on a Check Point

Appliance, select the correct appliances series.

l If you install the Security Gateway on an Open

Server, select Open server.

b. In the Version field, select R81.
c. In the OS field, select Gaia.

Installation and Upgrade Guide R81 | 109

 Installing a Security Gateway

Step Instructions

9 Enable the applicable Software Blades:

l On the Network Security tab.

l On the Threat Prevention tab.

10 Click OK.

11 Publish the SmartConsole session.

3. Configure the applicable Security Policy for the Security Gateway in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that manages this Security Gateway.

2 From the left navigation panel, click Security Policies..

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press CTRL T).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy
and configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

4 Create the applicable Access Control rules.

5 Install the Access Control Policy on the Security Gateway object.

6 Create the applicable Threat Prevention rules.

7 Install the Threat Prevention Policy on the Security Gateway object.

For more information, see the:

n R81 Security Management Administration Guide
n R81 Threat Prevention Administration Guide
n Applicable Administration Guides on the R81 Home Page.

Installation and Upgrade Guide R81 | 110

 Installing a VSX Gateway

Installing a VSX Gateway

Notes:
n This procedure applies to both Check Point Appliances and Open Servers.
n This procedure does not apply to Check Point Small Office Appliance models
lower than 3000.

Procedure:
1. Install the VSX Gateway

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, clear Unit is a part of a cluster,
type.
n In the Dynamically Assigned IP window, select the applicable

option.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Configure the VSX Gateway object in SmartConsole

Installation and Upgrade Guide R81 | 111

 Installing a VSX Gateway

n The steps below are only for a Clean Install of a new VSX Gateway. To
configure a VSX Gateway that failed, see the R81 VSX Administration
Guide > Chapter Command Line Reference > Section vsx_util >
Section vsx_util reconfigure.
n The steps below are for the Dedicated Management Interfaces (DMI)
configuration. For the non-DMI configuration, see the R81 VSX
Administration Guide.

Step Instructions

1 Connect with SmartConsole to the Security Management Server or Main

Domain Management Server that should manage this VSX Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new VSX Gateway object in one of these ways:

n From the top toolbar, click the New ( ) > VSX > Gateway.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > VSX > New Gateway.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > VSX > Gateway.
The VSX Gateway Wizard opens.

4 On the VSX Gateway General Properties (Specify the object's basic

settings) page:
a. In the Enter the VSX Gateway Name field, enter the applicable
name for this VSX Gateway object.
b. In the Enter the VSX Gateway IPv4 field, enter the same IPv4
address that you configured on the Management Connection page
of the VSX Gateway's First Time Configuration Wizard.
c. In the Enter the VSX Gateway IPv6 field, enter the same IPv6
address that you configured on the Management Connection page
of the VSX Gateway's First Time Configuration Wizard.
d. In the Select the VSX Gateway Version field, select R81.
e. Click Next.

5 On the VSX Gateway General Properties (Secure Internal

Communication) page:
a. In the Activation Key field, enter the same Activation Key you
entered during the VSX Gateway's First Time Configuration Wizard.
b. In the Confirm Activation Key field, enter the same Activation Key
again.
c. Click Initialize.
d. Click Next.

Installation and Upgrade Guide R81 | 112

 Installing a VSX Gateway

Step Instructions

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the VSX Gateway.
b. Make sure there is a physical connectivity between the VSX
Gateway and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation Key.
f. In SmartConsole, on the VSX Gateway General Properties page,
click Reset.
g. Enter the same Activation Key you entered in the cpconfig menu.
h. In SmartConsole, click Initialize.

6 On the VSX Gateway Interfaces (Physical Interfaces Usage) page:

a. Examine the list of the interfaces - it must show all the physical
interfaces on the VSX Gateway.
b. If you plan to connect more than one Virtual System directly to the
same physical interface, you must select VLAN Trunk for that
physical interface.
c. Click Next.

7 On the Virtual Network Device Configuration (Specify the object's

basic settings) page:
a. You can select Create a Virtual Network Device and configure the
first applicable Virtual Network Device at this time (we recommend
to do this later) - Virtual Switch or Virtual Router.
b. Click Next.

8 On the VSX Gateway Management (Specify the management access

rules) page:
a. Examine the default access rules.
b. Select the applicable default access rules.
c. Configure the applicable source objects, if needed.
d. Click Next.
Important - These access rules apply only to the VSX Gateway
(context of VS0), which is not intended to pass any "production"
traffic.

Installation and Upgrade Guide R81 | 113

 Installing a VSX Gateway

Step Instructions

9 On the VSX Gateway Creation Finalization page:

a. Click Finish and wait for the operation to finish.
b. Click View Report for more information.
c. Click Close.

10 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

11 Open the VSX Gateway object.

12 On the General Properties page, click the Network Security tab.

13 Enable the applicable Software Blades for the VSX Gateway object itself
(context of VS0).
Refer to:
n sk79700: VSX supported features on R75.40VS and above
n sk106496: Software Blades updates on VSX R75.40VS and above

- FAQ
n Applicable Administration Guides on the R81 Home Page.

14 Click OK to push the updated VSX Configuration.

Click View Report for more information.

15 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

16 Install the default policy on the VSX Gateway object:

a. Click Install Policy.
b. In the Policy field, select the default policy for this VSX Gateway
object.
This policy is called:
<Name of VSX Gateway object>_VSX
c. Click Install.

Installation and Upgrade Guide R81 | 114

 Installing a VSX Gateway

Step Instructions

17 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

18 Configure the applicable Threat Prevention Policy for this VSX Gateway.

19 Install the applicable Threat Prevention Policy on the VSX Gateway

object:
a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy for
this VSX Gateway object.
c. Click Install.

20 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

3. Configure the Virtual Devices and their Security Policies in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server, or each

Target Domain Management Server that should manage each Virtual
Device.

2 Configure the applicable Virtual Devices on this VSX Gateway.

3 Configure the applicable Access Control Policies for these Virtual

Devices.

4 Install the configured Access Control Policies on these Virtual Devices.

5 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

Installation and Upgrade Guide R81 | 115

 Installing a VSX Gateway

Step Instructions

6 Configure the applicable Threat Prevention Policies for these Virtual

Devices.

7 Install the configured Threat Prevention Policies on these Virtual

Devices.

8 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

For more information, see the:

n R81 Security Management Administration Guide
n R81 VSX Administration Guide
n R81 Threat Prevention Administration Guide
n Applicable Administration Guides on the R81 Home Page.

Installation and Upgrade Guide R81 | 116

 Installing a ClusterXL, VSX Cluster, VRRP Cluster

Installing a ClusterXL, VSX

Cluster, VRRP Cluster
This section provides instructions to install a cluster:
n "Installing a ClusterXL Cluster" on page 118
n "Installing a VSX Cluster" on page 139
n "Installing a VRRP Cluster" on page 148
n "Full High Availability Cluster on Check Point Appliances" on page 167

Installation and Upgrade Guide R81 | 117

 Installing a ClusterXL Cluster

Installing a ClusterXL Cluster

Notes:
n This procedure applies to both Check Point Appliances and Open Servers.
n This procedure does not apply to Check Point Small Office Appliance models
lower than 3000.
n You must install and configure at least two Cluster Members.

Procedure:
1. Install the Cluster Members

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, select these two options:
l Unit is a part of a cluster

l ClusterXL

n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Configure the ClusterXL object in SmartConsole

You can configure the ClusterXL object in either Wizard Mode, or Classic Mode.

Installation and Upgrade Guide R81 | 118

 Installing a ClusterXL Cluster

n Configuring the ClusterXL object in Wizard Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server

or Domain Management Server that should manage this
ClusterXL.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Cluster object in one of these ways:

l From the top toolbar, click the New ( ) > Cluster >
Cluster.
l In the top left corner, click Objects menu > More object

types > Network Object > Gateways and Servers >

Cluster > New Cluster.
l In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster >

Cluster.

4 In the Check Point Security Gateway Cluster Creation window,

click Wizard Mode.

5 On the Cluster General Properties page:

a. In the Cluster Name field, enter the applicable name for
this ClusterXL object.
b. Configure the main Virtual IP address(es) for this ClusterXL
object.
l In the Cluster IPv4 Address section, enter the main

Virtual IPv4 address for this ClusterXL object.

l In the Cluster IPv6 Address section, enter the main

Virtual IPv6 address for this ClusterXL object.

Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
c. In the Choose the Cluster's Solution field, select Check
Point ClusterXL and select the cluster mode - either High
Availability, or Load Sharing.
d. Click Next.

Installation and Upgrade Guide R81 | 119

 Installing a ClusterXL Cluster

Step Instructions

6 On the Cluster members' properties page, add the objects for

the Cluster Members.
a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
d. In the Activation Key and Confirm Activation Key fields,
enter the same Activation Key you entered during the
Cluster Member's First Time Configuration Wizard.
e. Click Initialize.
f. Click OK.
g. Repeat Steps a-f to add the second Cluster Member, and
so on.

Installation and Upgrade Guide R81 | 120

 Installing a ClusterXL Cluster

Step Instructions

If the Trust State field does not show Trust established, perform
these steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the
Cluster Member and the Management Server (for example,
pings can pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the
Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the
cpconfig menu.
h. In SmartConsole, click Initialize.

7 On the Cluster Topology page, configure the roles of the cluster

interfaces:
a. Examine the IPv4 Network Address at the top of the page.
b. Select the applicable role:
l For cluster traffic interfaces, select Representing a

cluster interface and configure the Cluster Virtual

IPv4 address and its Net Mask.
Note - You can configure the Cluster Virtual IP
address to be on a different network than the
physical IP addresses of the Cluster Members. In
this case, you must configure the required static
routes on the Cluster Members.
l For cluster synchronization interfaces, select Cluster

Synchronization and select Primary only. Check

Point cluster supports only one synchronization
network.
l For interfaces that do not pass the traffic between the

connected networks, select Private use of each

member (don't monitor members interfaces).
c. Click Next

Installation and Upgrade Guide R81 | 121

 Installing a ClusterXL Cluster

Step Instructions

8 On the Cluster Definition Wizard Complete page:

a. Examine the Configuration Summary.
b. Select Edit Cluster's Properties.
c. Click Finish
The Gateway Cluster Properties window opens.

9 On the General Properties page > Machine section:

a. In the Name field, make sure you see the configured
applicable name for this ClusterXL object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.

10 On the General Properties page > Platform section, select the

correct options:
a. In the Hardware field:
If you install the Cluster Members on Check Point
Appliances, select the correct appliances series.
If you install the Cluster Members on Open Servers, select
Open server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

11 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL
Software Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.

Installation and Upgrade Guide R81 | 122

 Installing a ClusterXL Cluster

Step Instructions

12 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
d. Click Communication.
e. In the One-time password and Confirm one-time
password fields, enter the same Activation Key you entered
during the Cluster Member's First Time Configuration
Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member, and
so on.

Installation and Upgrade Guide R81 | 123

 Installing a ClusterXL Cluster

Step Instructions

If the Trust State field does not show Trust established, perform
these steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the
Cluster Member and the Management Server (for example,
pings can pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the
Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the
cpconfig menu.
h. In SmartConsole, click Initialize.

13 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section,
select the applicable mode:
l High Availability and ClusterXL

l Load Sharing and Multicast or Unicast

l Active-Active

b. In the Tracking section, select the applicable option.

c. In the Advanced Settings section:

Installation and Upgrade Guide R81 | 124

 Installing a ClusterXL Cluster

Step Instructions

l If you selected the High Availability mode, then:

i. Optional: Select Use State Synchronization.
This configures the Cluster Members to
synchronize the information about the
connections they inspect.
Best Practice - Enable this setting to
prevent connection drops after a cluster
failover.
ii. Optional: Select Start synchronizing [ ]
seconds after connection initiation and enter
the applicable value.
This option is available only for clusters R80.20
and higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster
Members to start the synchronization of all
connections a number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
o This setting in the cluster object

applies to all connections that pass

through the cluster.
You can override this global cluster
synchronization delay in the properties
of applicable services.
o The greater this value, the fewer short-

lived connections the Cluster Members

have to synchronize.
o The connections that the Cluster

Members did not synchronize, do not

survive a cluster failover.
Best Practice - Enable and configure this
setting to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate
the same virtual MAC address with the Virtual IP
address on the applicable interfaces (each
Virtual IP address has its unique Virtual MAC
address).
For more information, see sk50840.
iv. Select the Cluster Member recovery method -
which Cluster Member to select as Active during
a fallback (return to normal operation after a
cluster failover):
o Maintain Installation
current and Upgrade
active Guide R81
Cluster | 125
Member
i. The Cluster Member that is currently
in the Active state, remains in this
 Installing a ClusterXL Cluster

Step Instructions

l If you selected the Load Sharing > Multicast mode,

then:
i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10
and lower.
For more information, click the (?) button in the
top right corner.
ii. Optional: Select Start synchronizing [ ]
seconds after connection initiation and enter
the applicable value.
This option is available only for clusters R80.20
and higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster
Members to start the synchronization of all
connections a number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
o This setting in the cluster object

applies to all connections that pass

through the cluster.
You can override this global cluster
synchronization delay in the properties
of applicable services.
o The greater this value, the fewer short-

lived connections the Cluster Members

have to synchronize.
o The connections that the Cluster

Members did not synchronize, do not

survive a cluster failover.
Best Practice - Enable and configure this
setting to increase the cluster performance.
iii. Select the connection sharing method between
the Cluster Members:
o IPs, Ports, SPIs

Configures each Cluster Member to inspect

all connections with the same Source and
Destination IP address, the same Source
and Destination ports, and the same IPsec
SPI numbers.
This is the least "sticky" sharing
configuration that provides the best sharing
distribution between Cluster Members.
This method decreases the probability that
Installation
a certain and Upgrade
connection passesGuide R81 the
through | 126
same Cluster Member in both inbound and
outbound directions
 Installing a ClusterXL Cluster

Step Instructions

l If you selected the Load Sharing > Unicast mode,

then:
i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10
and lower.
For more information, click the (?) button in the
top right corner.
ii. Optional: Select Start synchronizing [ ]
seconds after connection initiation and enter
the applicable value.
This option is available only for clusters R80.20
and higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster
Members to start the synchronization of all
connections a number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
o This setting in the cluster object

applies to all connections that pass

through the cluster.
You can override this global cluster
synchronization delay in the properties
of applicable services.
o The greater this value, the fewer short-

lived connections the Cluster Members

have to synchronize.
o The connections that the Cluster

Members did not synchronize, do not

survive a cluster failover.
Best Practice - Enable and configure this
setting to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate
the same virtual MAC address with the Virtual IP
address on the applicable interfaces (each
Virtual IP address has its unique Virtual MAC
address).
For more information, see sk50840.
iv. Select the connection sharing method between
the Cluster Members:
o IPs, Ports, SPIs

Configures each Cluster Member to inspect

all connections with the same Source and
Installation
Destination and Upgrade
IP address, theGuide
sameR81 | 127
Source
and Destination ports, and the same IPsec
SPI numbers.
 Installing a ClusterXL Cluster

Step Instructions

14 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name
of Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select
the applicable type:
l For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its

Net Mask are correct.
l For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
o We do not recommend the configuration

Cluster+Sync.
o Check Point cluster supports only these

settings:
o One Sync interface.
o One Cluster+Sync interface.
o One Sync interface and one

Cluster+Sync interface.
o For Check Point Appliances or Open

Servers:
The Synchronization Network is supported
only on the lowest VLAN tag of a VLAN
interface.
l For interfaces that do not pass the traffic between the

connected networks, select Private.

Installation and Upgrade Guide R81 | 128

 Installing a ClusterXL Cluster

Step Instructions

d. In the Member IPs section, make sure the IPv4 address

and its Net Mask are correct on each Cluster Member.
Notes:
l For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
l For cluster traffic interfaces, you can configure

the Cluster Virtual IP address to be on a different

network than the physical IP addresses of the
Cluster Members. In this case, you must
configure the required static routes on the Cluster
Members.See the R81 ClusterXL Administration
Guide.
e. In the Topology section:
l Make sure the settings are correct in the Leads To

and Security Zone fields.

l Make sure to enable the Anti-Spoofing.

15 Click OK.

16 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 129

 Installing a ClusterXL Cluster

n Configuring the ClusterXL object in Classic Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server

or Domain Management Server that should manage this
ClusterXL.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Cluster object in one of these ways:

l From the top toolbar, click the New ( ) > Cluster >
Cluster.
l In the top left corner, click Objects menu > More object

types > Network Object > Gateways and Servers >

Cluster > New Cluster.
l In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster >

Cluster.

4 In the Check Point Security Gateway Creation window, click

Classic Mode.
The Gateway Cluster Properties window opens.

5 On the General Properties page > Machine section:

a. In the Name field, make sure you see the configured
applicable name for this ClusterXL object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.

6 On the General Properties page > Platform section, select the

correct options:
a. In the Hardware field:
If you install the Cluster Members on Check Point
Appliances, select the correct appliances series.
If you install the Cluster Members on Open Servers, select
Open server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

Installation and Upgrade Guide R81 | 130

 Installing a ClusterXL Cluster

Step Instructions

7 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL
Software Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.

8 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
d. Click Communication.
e. In the One-time password and Confirm one-time
password fields, enter the same Activation Key you entered
during the Cluster Member's First Time Configuration
Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member, and
so on.

Installation and Upgrade Guide R81 | 131

 Installing a ClusterXL Cluster

Step Instructions

If the Trust State field does not show Trust established, perform
these steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the
Cluster Member and the Management Server (for example,
pings can pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the
Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the
cpconfig menu.
h. In SmartConsole, click Initialize.

9 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section,
select the applicable mode:
l High Availability and ClusterXL

l Load Sharing and Multicast or Unicast

l Active-Active

b. In the Tracking section, select the applicable option.

c. In the Advanced Settings section:

Installation and Upgrade Guide R81 | 132

 Installing a ClusterXL Cluster

Step Instructions

l If you selected the High Availability mode, then:

i. Optional: Select Use State Synchronization.
This configures the Cluster Members to
synchronize the information about the
connections they inspect.
Best Practice - Enable this setting to
prevent connection drops after a cluster
failover.
ii. Optional: Select Start synchronizing [ ]
seconds after connection initiation and enter
the applicable value.
This option is available only for clusters R80.20
and higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster
Members to start the synchronization of all
connections a number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
o This setting in the cluster object

applies to all connections that pass

through the cluster.
You can override this global cluster
synchronization delay in the properties
of applicable services.
o The greater this value, the fewer short-

lived connections the Cluster Members

have to synchronize.
o The connections that the Cluster

Members did not synchronize, do not

survive a cluster failover.
Best Practice - Enable and configure this
setting to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate
the same virtual MAC address with the Virtual IP
address on the applicable interfaces (each
Virtual IP address has its unique Virtual MAC
address).
For more information, see sk50840.
iv. Select the Cluster Member recovery method -
which Cluster Member to select as Active during
a fallback (return to normal operation after a
cluster failover):
o Maintain Installation
current and Upgrade
active Guide R81
Cluster | 133
Member
i. The Cluster Member that is currently
in the Active state, remains in this
 Installing a ClusterXL Cluster

Step Instructions

l If you selected the Load Sharing > Multicast mode,

then:
i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10
and lower.
For more information, click the (?) button in the
top right corner.
ii. Optional: Select Start synchronizing [ ]
seconds after connection initiation and enter
the applicable value.
This option is available only for clusters R80.20
and higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster
Members to start the synchronization of all
connections a number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
o This setting in the cluster object

applies to all connections that pass

through the cluster.
You can override this global cluster
synchronization delay in the properties
of applicable services.
o The greater this value, the fewer short-

lived connections the Cluster Members

have to synchronize.
o The connections that the Cluster

Members did not synchronize, do not

survive a cluster failover.
Best Practice - Enable and configure this
setting to increase the cluster performance.
iii. Select the connection sharing method between
the Cluster Members:
o IPs, Ports, SPIs

Configures each Cluster Member to inspect

all connections with the same Source and
Destination IP address, the same Source
and Destination ports, and the same IPsec
SPI numbers.
This is the least "sticky" sharing
configuration that provides the best sharing
distribution between Cluster Members.
This method decreases the probability that
Installation
a certain and Upgrade
connection passesGuide R81 the
through | 134
same Cluster Member in both inbound and
outbound directions
 Installing a ClusterXL Cluster

Step Instructions

l If you selected the Load Sharing > Unicast mode,

then:
i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10
and lower.
For more information, click the (?) button in the
top right corner.
ii. Optional: Select Start synchronizing [ ]
seconds after connection initiation and enter
the applicable value.
This option is available only for clusters R80.20
and higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster
Members to start the synchronization of all
connections a number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
o This setting in the cluster object

applies to all connections that pass

through the cluster.
You can override this global cluster
synchronization delay in the properties
of applicable services.
o The greater this value, the fewer short-

lived connections the Cluster Members

have to synchronize.
o The connections that the Cluster

Members did not synchronize, do not

survive a cluster failover.
Best Practice - Enable and configure this
setting to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate
the same virtual MAC address with the Virtual IP
address on the applicable interfaces (each
Virtual IP address has its unique Virtual MAC
address).
For more information, see sk50840.
iv. Select the connection sharing method between
the Cluster Members:
o IPs, Ports, SPIs

Configures each Cluster Member to inspect

all connections with the same Source and
Installation
Destination and Upgrade
IP address, theGuide
sameR81 | 135
Source
and Destination ports, and the same IPsec
SPI numbers.
 Installing a ClusterXL Cluster

Step Instructions

10 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name
of Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select
the applicable type:
l For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its

Net Mask are correct.
l For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
o We do not recommend the configuration

Cluster+Sync.
o Check Point cluster supports only these

settings:
o One Sync interface.
o One Cluster+Sync interface.
o One Sync interface and one

Cluster+Sync interface.
o For Check Point Appliances or Open

Servers:
The Synchronization Network is supported
only on the lowest VLAN tag of a VLAN
interface.
l For interfaces that do not pass the traffic between the

connected networks, select Private.

Installation and Upgrade Guide R81 | 136

 Installing a ClusterXL Cluster

Step Instructions

d. In the Member IPs section, make sure the IPv4 address

and its Net Mask are correct on each Cluster Member.
Notes:
l For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
l For cluster traffic interfaces, you can configure

the Cluster Virtual IP address to be on a different

network than the physical IP addresses of the
Cluster Members. In this case, you must
configure the required static routes on the Cluster
Members.See the R81 ClusterXL Administration
Guide.
e. In the Topology section:
l Make sure the settings are correct in the Leads To

and Security Zone fields.

l Make sure to enable the Anti-Spoofing.

11 Click OK.

12 Publish the SmartConsole session.

3. Configure the applicable Access Control policy for the ClusterXL in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that manages this ClusterXL Cluster.

2 From the left navigation panel, click Security Policies.

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press CTRL T).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy
and configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

4 Configure and install the applicable Access Control Policy on the

ClusterXL object.

Installation and Upgrade Guide R81 | 137

 Installing a ClusterXL Cluster

Step Instructions

5 Configure and install the applicable Threat Prevention Policy on the

ClusterXL object.

4. Examine the cluster configuration

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state

3 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

show cluster members interfaces

all
n In the Expert mode, run:
cphaprob -a if

For more information, see the:

n R81 Security Management Administration Guide.
n R81 ClusterXL Administration Guide.
n Applicable Administration Guides on the R81 Home Page.

Installation and Upgrade Guide R81 | 138

 Installing a VSX Cluster

Installing a VSX Cluster

Notes:
n This procedure applies to both Check Point Appliances and Open Servers.
n This procedure does not apply to Check Point Small Office Appliance models
lower than 3000.
n You must install and configure at least two VSX Cluster Members.

Procedure:
1. Install the VSX Cluster Members

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, select these two options:
l Unit is a part of a cluster

l ClusterXL

n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

2. Configure the VSX Cluster object in SmartConsole

Installation and Upgrade Guide R81 | 139

 Installing a VSX Cluster

Notes:
n The steps below are only for a Clean Install of a new VSX Cluster. To

configure a VSX Cluster Member that failed, see the R81 VSX
Administration Guide > Chapter Command Line Reference > Section
vsx_util > Section vsx_util reconfigure.
n The steps below are for the Dedicated Management Interfaces (DMI)

configuration. For the non-DMI configuration, see the R81 VSX

Administration Guide.

Step Instructions

1 Connect with SmartConsole to the Security Management Server or Main

Domain Management Server that should manage this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new VSX Cluster object in one of these ways:

n From the top toolbar, click the New ( ) > VSX > Cluster.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > VSX > New Cluster.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > VSX > Cluster.

4 On the VSX Cluster General Properties (Specify the object's basic

settings) page:
a. In the Enter the VSX Cluster Name field, enter the applicable
name for this VSX Cluster object.
b. In the Enter the VSX Cluster IPv4 field, enter the Cluster Virtual
IPv4 address that is configured on the Dedicated Management
Interfaces (DMI).
c. In the Enter the VSX Cluster IPv6 field, enter the Cluster Virtual
IPv6 address that is configured on the Dedicated Management
Interfaces (DMI).
d. In the Select the VSX Cluster Version field, select R81.
e. In the Select the VSX Cluster Platform field, select the applicable
VSX Cluster mode:
n ClusterXL (for High Availability)
n ClusterXL Virtual System Load Sharing

f. Click Next.

Installation and Upgrade Guide R81 | 140

 Installing a VSX Cluster

Step Instructions

5 On the VSX Cluster Members (Define the members of this VSX

Cluster) page, add the objects for the VSX Cluster Members:
a. Click Add.
b. In the Cluster Member Name field, enter the applicable name for
this Cluster Member object.
c. In the Cluster Member IPv4 Address field, enter the IPv4 address
of the Dedicated Management Interface (DMI).
d. In the Enter the VSX Gateway IPv6 field, enter the applicable IPv6
address.
e. In the Activation Key and Confirm Activation Key fields, enter the
same Activation Key you entered during the Cluster Member's First
Time Configuration Wizard.
f. Click Initialize.
g. Click OK.
h. Repeat Steps a-f to add the second VSX Cluster Member, and so
on.

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the VSX Cluster Member.
b. Make sure there is a physical connectivity between the VSX Cluster
Member and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig menu.
h. In SmartConsole, click Initialize.

6 On the VSX Cluster Interfaces (Physical Interfaces Usage) page:

a. Examine the list of the interfaces - it must show all the physical
interfaces on the VSX Gateway.
b. If you plan to connect more than one Virtual System directly to the
same physical interface, you must select VLAN Trunk for that
physical interface.
c. Click Next.

Installation and Upgrade Guide R81 | 141

 Installing a VSX Cluster

Step Instructions

7 On the VSX Cluster members (Synchronization Network) page:

a. Select the interface that will be used for state synchronization.
b. Configure the IPv4 addresses for the Sync interfaces on each
Cluster Member.
c. Click Next.

8 On the Virtual Network Device Configuration (Specify the object's

basic settings) page:
a. You can select Create a Virtual Network Device and configure the
first applicable Virtual Network Device at this time (we recommend
to do this later) - Virtual Switch or Virtual Router.
b. Click Next.

9 On the VSX Gateway Management (Specify the management access

rules) page:
a. Examine the default access rules.
b. Select the applicable default access rules.
c. Configure the applicable source objects, if needed.
d. Click Next.
Important - These access rules apply only to the VSX Gateway
(context of VS0), which is not intended to pass any "production"
traffic.

10 On the VSX Gateway Creation Finalization page:

a. Click Finish and wait for the operation to finish.
b. Click View Report for more information.
c. Click Close.

11 Examine the VSX Cluster configuration:

a. Connect to the command line on each VSX Cluster Member.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

12 In SmartConsole, open the VSX Cluster object.

Installation and Upgrade Guide R81 | 142

 Installing a VSX Cluster

Step Instructions

13 On the General Properties page > the Network Security tab:

a. Make sure the ClusterXL Software Blade is selected.
b. Enable the additional applicable Software Blades for the VSX
Cluster object itself (context of VS0).
Refer to:
n sk79700: VSX supported features on R75.40VS and above
n sk106496: Software Blades updates on VSX R75.40VS and above

- FAQ
n Applicable Administration Guides on the R81 Home Page.

14 Click OK to push the updated VSX Configuration.

Click View Report for more information.

15 Install the default policy on the VSX Cluster object:

a. Click Install Policy.
b. In the Policy field, select the default policy for this VSX Cluster
object.
This policy is called:
<Name of VSX Cluster object>_VSX
c. Click Install.

Installation and Upgrade Guide R81 | 143

 Installing a VSX Cluster

Step Instructions

16 Examine the VSX configuration and cluster state:

a. Connect to the command line on each VSX Cluster Member.
b. Examine the VSX configuration:
In the Expert mode, run:
vsx stat -v
Important:
n Make sure all the configured Virtual Devices are loaded.
n Make sure all Virtual Systems and Virtual Routers have

SIC Trust and policy.

c. Examine the cluster state in one of these ways:
n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state
Important:
n All VSX Cluster Members must show the same

information about the states of all VSX Cluster Members.

n One VSX Cluster Member must be in the Active state,

and all other VSX Cluster Members must be in Standby

state.
n All Virtual Systems must show the same information

about the states of all Virtual Systems.

d. Examine the cluster interfaces in one of these ways:
n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

3. Configure the Virtual Devices and their Security Policies in SmartConsole

Installation and Upgrade Guide R81 | 144

 Installing a VSX Cluster

Step Instructions

1 Connect with SmartConsole to the Security Management Server, or each

Target Domain Management Server that should manage each Virtual
Device.

2 Configure the applicable Virtual Devices on this VSX Cluster.

3 Configure the applicable Access Control and Threat Prevention Policies

for these Virtual Devices.

4 Install the configured Security Policies on these Virtual Devices.

Installation and Upgrade Guide R81 | 145

 Installing a VSX Cluster

Step Instructions

5 Examine the VSX configuration and cluster state:

a. Connect to the command line on each VSX Cluster Member.
b. Examine the VSX configuration:
In the Expert mode, run:
vsx stat -v
Important:
n Make sure all the configured Virtual Devices are loaded.
n Make sure all Virtual Systems and Virtual Routers have

SIC Trust and policy.

c. Examine the cluster state in one of these ways:
n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state
Important:
n All VSX Cluster Members must show the same

information about the states of all VSX Cluster Members.

n One VSX Cluster Member must be in the Active state,

and all other VSX Cluster Members must be in Standby

state.
n All Virtual Systems must show the same information

about the states of all Virtual Systems.

d. Examine the cluster interfaces in one of these ways:
n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

Installation and Upgrade Guide R81 | 146

 Installing a VSX Cluster

For more information, see the:

n R81 Security Management Administration Guide.
n R81 VSX Administration Guide.
n R81 ClusterXL Administration Guide.
n Applicable Administration Guides on the R81 Home Page.

Installation and Upgrade Guide R81 | 147

 Installing a VRRP Cluster

Installing a VRRP Cluster

Notes:
n This procedure applies to both Check Point Appliances and Open Servers.
n This procedure does not apply to Check Point Small Office Appliance models
lower than 3000.
n VRRP Cluster on Gaia supports only two Cluster Members (see sk105170).

Installation and Upgrade Guide R81 | 148

 Installing a VRRP Cluster

Procedure:

Installation and Upgrade Guide R81 | 149

 Installing a VRRP Cluster

1. Install the VRRP Cluster Members

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, select these two options:
l Unit is a part of a cluster

l VRRP Cluster

n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

5 On Gaia, VRRP can be used with ClusterXL enabled or with ClusterXL

disabled.
See the R81 Gaia Administration Guide - Chapter High Availability for
more information.
If it is necessary to configure VRRP with ClusterXL enabled, then:
a. When prompted to reboot, click Cancel.
b. Connect to the command line.
c. Run:
cpconfig
d. Select Enable cluster membership for this gateway to enable
State synchronization.
Enter y when prompted.
e. Exist from the cpconfig menu.

6 Reboot.

2. Perform the initial VRRP configuration in Gaia on the VRRP Cluster Members

Configure the VRRP in Gaia on both Cluster Members.

Installation and Upgrade Guide R81 | 150

 Installing a VRRP Cluster

Follow the instructions in the R81 Gaia Administration Guide - Chapter High
Availability.
In addition, refer to:
n sk105170: Configuration requirements / considerations and limitations for VRRP
cluster on Gaia OS
n sk92061: How to configure VRRP on Gaia

3. Configure the VRRP Cluster object in SmartConsole

Installation and Upgrade Guide R81 | 151

 Installing a VRRP Cluster

n Configuring in Wizard Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server

or Domain Management Server that should manage this VRRP
Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Cluster object in one of these ways:

l From the top toolbar, click the New ( ) > Cluster >
Cluster.
l In the top left corner, click Objects menu > More object

types > Network Object > Gateways and Servers >

Cluster > New Cluster.
l In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster >

Cluster.

4 In the Check Point Security Gateway Cluster Creation window,

click Wizard Mode.

5 On the Cluster General Properties page:

a. In the Cluster Name field, enter the applicable name for
this VRRP Cluster object.
b. Configure the main Virtual IP address(es) for this VRRP
Cluster object.
l In the Cluster IPv4 Address section, enter the main

Virtual IPv4 address for this VRRP Cluster object.

l In the Cluster IPv6 Address section, enter the main

Virtual IPv6 address for this VRRP Cluster object.

Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
c. In the Choose the Cluster's Solution field, select Gaia
VRRP.
d. Click Next.

Installation and Upgrade Guide R81 | 152

 Installing a VRRP Cluster

Step Instructions

6 On the Cluster members' properties page, add the objects for

the Cluster Members.
a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this VRRP
Cluster Member object.
c. Configure the main physical IP address(es) for this object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
d. In the Activation Key and Confirm Activation Key fields,
enter the same Activation Key you entered during the
Cluster Member's First Time Configuration Wizard.
e. Click Initialize.
f. Click OK.
g. Repeat Steps a-f to add the second VRRP Cluster Member.

Installation and Upgrade Guide R81 | 153

 Installing a VRRP Cluster

Step Instructions

If the Trust State field does not show Trust established, perform
these steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the
Cluster Member and the Management Server (for example,
pings can pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the
Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the
cpconfig menu.
h. In SmartConsole, click Initialize.

7 On the Cluster Topology page, configure the roles of the cluster

interfaces:
a. Examine the IPv4 Network Address at the top of the page.
b. Select the applicable role:
l For cluster traffic interfaces, select Representing a

cluster interface and configure the Cluster Virtual

IPv4 address and its Net Mask.
Note - You can configure the Cluster Virtual IP
address to be on a different network than the
physical IP addresses of the Cluster Members. In
this case, you must configure the required static
routes on the Cluster Members.
l For cluster synchronization interfaces, select Cluster

Synchronization and select Primary only. Check

Point cluster supports only one synchronization
network.
l For interfaces that do not pass the traffic between the

connected networks, select Private use of each

member (don't monitor members interfaces).
c. Click Next

Installation and Upgrade Guide R81 | 154

 Installing a VRRP Cluster

Step Instructions

8 On the Cluster Definition Wizard Complete page:

a. Examine the Configuration Summary.
b. Select Edit Cluster's Properties.
c. Click Finish
The Gateway Cluster Properties window opens.

9 On the General Properties page > Machine section:

a. In the Name field, enter the applicable name for this VRRP
Cluster object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.

10 On the General Properties page > Platform section, select the

correct options:
a. In the Hardware field:
If you install the Cluster Members on Check Point
Appliances, select the correct appliances series.
If you install the Cluster Members on Open Servers, select
Open server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

11 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL
Software Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.

Installation and Upgrade Guide R81 | 155

 Installing a VRRP Cluster

Step Instructions

12 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this VRRP
Cluster Member object.
c. Configure the main physical IP address(es) for this VRRP
Cluster Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
d. Click Communication.
e. In the One-time password and Confirm one-time
password fields, enter the same Activation Key you entered
during the Cluster Member's First Time Configuration
Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member.

Installation and Upgrade Guide R81 | 156

 Installing a VRRP Cluster

Step Instructions

If the Trust State field does not show Trust established, perform
these steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the
Cluster Member and the Management Server (for example,
pings can pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the
Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the
cpconfig menu.
h. In SmartConsole, click Initialize.

13 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section,
select High Availability and VRRP.
b. In the Tracking section, select the applicable option.
c. In the Advanced Settings section:
l Optional: Select Use State Synchronization

l Optional: Select Hide Cluster Members outgoing

traffic behind the Cluster IP Address

l Optional: Select Forward Cluster incoming traffic to

Cluster Members IP Addresses

For more information, click the (?) button in the top right
corner.
Best Practice - We recommend to select all these
optional settings.

Installation and Upgrade Guide R81 | 157

 Installing a VRRP Cluster

Step Instructions

14 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name
of Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select
the applicable type:
l For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its

Net Mask are correct.
l For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
o We do not recommend the configuration

Cluster+Sync.
o Check Point cluster supports only these

settings:
o One Sync interface.
o One Cluster+Sync interface.
o One Sync interface and one

Cluster+Sync interface.
o For Check Point Appliances or Open

Servers:
The Synchronization Network is supported
only on the lowest VLAN tag of a VLAN
interface.
l For interfaces that do not pass the traffic between the

connected networks, select Private.

Installation and Upgrade Guide R81 | 158

 Installing a VRRP Cluster

Step Instructions

d. In the Member IPs section, make sure the IPv4 address

and its Net Mask are correct on each Cluster Member.
Notes:
l For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
l For cluster traffic interfaces, you can configure

the Cluster Virtual IP address to be on a different

network than the physical IP addresses of the
Cluster Members. In this case, you must
configure the required static routes on the Cluster
Members.See the R81 ClusterXL Administration
Guide.
e. In the Topology section:
l Make sure the settings are correct in the Leads To

and Security Zone fields.

l Make sure to enable the Anti-Spoofing.

15 Click OK.

16 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 159

 Installing a VRRP Cluster

n Configuring in Classic Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server

or Domain Management Server that should manage this VRRP
Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Cluster object in one of these ways:

l From the top toolbar, click the New ( ) > Cluster >
Cluster.
l In the top left corner, click Objects menu > More object

types > Network Object > Gateways and Servers >

Cluster > New Cluster.
l In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster >

Cluster.

4 In the Check Point Security Gateway Cluster Creation window,

click Classic Mode.
The Gateway Cluster Properties window opens.

5 On the General Properties page > Machine section:

a. In the Name field, enter the applicable name for this VRRP
Cluster object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.

6 On the General Properties page > Platform section, select the

correct options:
a. In the Hardware field:
If you install the Cluster Members on Check Point
Appliances, select the correct appliances series.
If you install the Cluster Members on Open Servers, select
Open server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

Installation and Upgrade Guide R81 | 160

 Installing a VRRP Cluster

Step Instructions

7 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL
Software Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.

8 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this VRRP
Cluster Member object.
c. Configure the main physical IP address(es) for this VRRP
Cluster Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-
Domain Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address
to be on a different network than the physical IP
addresses of the Cluster Members. In this case, you
must configure the required static routes on the Cluster
Members.
d. Click Communication.
e. In the One-time password and Confirm one-time
password fields, enter the same Activation Key you entered
during the Cluster Member's First Time Configuration
Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member.

Installation and Upgrade Guide R81 | 161

 Installing a VRRP Cluster

Step Instructions

If the Trust State field does not show Trust established, perform
these steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the
Cluster Member and the Management Server (for example,
pings can pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the
Activation Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the
cpconfig menu.
h. In SmartConsole, click Initialize.

9 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section,
select High Availability and VRRP.
b. In the Tracking section, select the applicable option.
c. In the Advanced Settings section:
l Optional: Select Use State Synchronization

l Optional: Select Hide Cluster Members outgoing

traffic behind the Cluster IP Address

l Optional: Select Forward Cluster incoming traffic to

Cluster Members IP Addresses

For more information, click the (?) button in the top right
corner.
Best Practice - We recommend to select all these
optional settings.

Installation and Upgrade Guide R81 | 162

 Installing a VRRP Cluster

Step Instructions

10 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name
of Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select
the applicable type:
l For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its

Net Mask are correct.
l For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
o We do not recommend the configuration

Cluster+Sync.
o Check Point cluster supports only these

settings:
o One Sync interface.
o One Cluster+Sync interface.
o One Sync interface and one

Cluster+Sync interface.
o For Check Point Appliances or Open

Servers:
The Synchronization Network is supported
only on the lowest VLAN tag of a VLAN
interface.
l For interfaces that do not pass the traffic between the

connected networks, select Private.

Installation and Upgrade Guide R81 | 163

 Installing a VRRP Cluster

Step Instructions

d. In the Member IPs section, make sure the IPv4 address

and its Net Mask are correct on each Cluster Member.
Notes:
l For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
l For cluster traffic interfaces, you can configure

the Cluster Virtual IP address to be on a different

network than the physical IP addresses of the
Cluster Members. In this case, you must
configure the required static routes on the Cluster
Members.See the R81 ClusterXL Administration
Guide.
e. In the Topology section:
l Make sure the settings are correct in the Leads To

and Security Zone fields.

l Make sure to enable the Anti-Spoofing.

11 Click OK.

12 Publish the SmartConsole session.

4. Configure the Security Policy for the VRRP Cluster in SmartConsole

Ste
Instructions
p

1 Connect with SmartConsole to the Security Management Server or Domain

Management Server that manages this VRRP Cluster.

2 From the left navigation panel, click Security Policies.

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press CTRL T).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy and
configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

Installation and Upgrade Guide R81 | 164

 Installing a VRRP Cluster

Ste
Instructions
p

4 Create the required Access Control rules.

You must define an explicit Access Control rule to allow the VRRP Cluster
Members to send and receive the VRRP and IGMP traffic:
Services
Inst
N Nam Sour Destinat VP & Acti Trac
all
o e ce ion N Applicati on k
On
ons

1 VRRP VRRP Node Host Any vrrp Accept None VRRP

and Cluster object with IP igmp Cluster
IGMP object address object
224.0.0.18

If the VRRP Cluster Members use dynamic routing protocols (such as OSPF
or RIP), create new rules for each multicast destination IP address.
Alternatively, you can create a Network object to represent all multicast
network IP destinations:
n Name: MCAST.NET (this is an example name)
n IP Address: 224.0.0.0
n Net mask: 240.0.0.0

You can use one rule for all multicast protocols you agree to accept, as
shown in this example:
Services
Inst
N Nam Sour Destinat VP & Acti Trac
all
o e ce ion N Applicati on k
On
ons

1 All VRRP VRRP Cluster Any vrrp Accept None VRRP

multica Cluster object igmp Cluster
st object MCAST.NET ospf object
protoco rip
ls

5 Configure additional applicable Access Control rules.

6 Install the Access Control Policy on the VRRP Cluster object.

7 Configure and install the applicable Threat Prevention Policy on the VRRP
Cluster object.

5. Examine the cluster configuration

Installation and Upgrade Guide R81 | 165

 Installing a VRRP Cluster

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state

3 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

show cluster members interfaces

all
n In the Expert mode, run:
cphaprob -a if

4 Examine the VRRP configuration in one of these ways:

n In Gaia Clish, run:

show vrrp
n In the Expert mode, run:
clish -c "show vrrp"

For more information, see the:

n R81 Security Management Administration Guide.
n R81 ClusterXL Administration Guide.
n R81 Gaia Administration Guide.
n Applicable Administration Guides on the R81 Home Page.
n sk105170: Configuration requirements / considerations and limitations for VRRP cluster
on Gaia OS
n sk92061: How to configure VRRP on Gaia

Installation and Upgrade Guide R81 | 166

 Full High Availability Cluster on Check Point Appliances

Full High Availability Cluster on Check Point

Appliances
This section provides instructions to install a Full High Availability Cluster.

Installation and Upgrade Guide R81 | 167

 Understanding Full High Availability Cluster on Appliances

Understanding Full High Availability Cluster on Appliances

In a Full High Availability Cluster on two Check Point Appliances, each appliance runs both as
a ClusterXL Cluster Member and as a Security Management Server, in High Availability mode.

Important - You can deploy and configure a Full High Availability Cluster only on
Check Point Appliances that support Standalone configuration. See the R81 Release
Notes and "Installing a Standalone" on page 175.

This deployment reduces the maintenance required for your systems.

In the image below, the appliances are denoted as (1) and (3).
The two appliances are connected with a direct synchronization connection (2) and work in
High Availability mode:
n The Security Management Server on one appliance (for example, 1) runs as Primary,
and the Security Management Server on the other appliance (3) runs as Secondary.
n The ClusterXL on one appliance (for example, 1) runs as Active, and the ClusterXL on
the other appliance (3), runs as Standby.
n The ClusterXL Cluster Members synchronize the information about the traffic over the
synchronization connection (2).

For information on ClusterXL functionality, see the R81 ClusterXL Administration Guide.
For information on Security Management Servers, see the R81 Security Management
Administration Guide.

Important - SmartEvent Server is not supported in Management High Availability and

Full High Availability Cluster environments (sk25164). For these environments, install
a Dedicated SmartEvent Server (see "Installing a Dedicated Log Server or
SmartEvent Server" on page 66).

Installation and Upgrade Guide R81 | 168

 Installing Full High Availability Cluster

Installing Full High Availability Cluster

Procedure:
1. Install the first Cluster Member of the Full High Availability Cluster that runs the Primary
Security Management Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select both Security Gateway and

Security Management.
b. In the Clustering section:
l Select Unit is a part of a cluster, type and select

ClusterXL.
l In the Define Security Management as field, select

Primary.
n In the Security Management Administrator window, select one of

these options:
l Use Gaia administrator

l Define a new administrator and configure it

n In the Security Management GUI Clients window, configure the

applicable allowed computers:

l Any IP Address - Allows all computers to connect

l This machine - Allows only the single specified computer to

connect
l Network - Allows all computers on the specified network to

connect
l Range of IPv4 addresses - Allows all computers in the

specified range to connect

Installation and Upgrade Guide R81 | 169

 Installing Full High Availability Cluster

Step Instructions

4 Install a valid license.

See "Working with Licenses" on page 657.

5 With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia Management Interface>

6 In the left navigation tree, click Network Management > Network

Interfaces.
Configure all required interfaces with applicable unique IP addresses.

2. Install the second Cluster Member of the Full High Availability Cluster that runs the
Secondary Security Management Server

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select both Security Gateway and

Security Management.
b. In the Clustering section:
l Select Unit is a part of a cluster, type and select

ClusterXL.
l In the Define Security Management as field, select

Secondary.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

4 Install a valid license.

See "Working with Licenses" on page 657.

Installation and Upgrade Guide R81 | 170

 Installing Full High Availability Cluster

Step Instructions

5 With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia Management Interface>

6 In the left navigation tree, click Network Management > Network

Interfaces.
Configure all required interfaces with applicable unique IP addresses.

3. Connect the synchronization interfaces on both appliances

Step Instructions

1 Connect a cable between the synchronization interfaces on both

appliances.
See the R81 ClusterXL Administration Guide - Chapter ClusterXL
Requirements and Compatibility - Section Supported Topologies for
Synchronization Network.

2 With a web browser, connect to Gaia Portal on both appliances at:

https://<IP address of Gaia Management Interface>

3 In the left navigation tree, click Network Management > Network

Interfaces.

4 In the top right corner, click the Configuration button.

5 Make sure the Link Status on the synchronization interfaces is Up.

6 In the top right corner, click the Monitoring button.

7 Click Refresh every several seconds.

These counters must increase:
n Rbytes
n Rpackets
n Tbytes
n Tpackets

4. Install the R81 SmartConsole

Follow "Installing SmartConsole" on page 100.

5. Configure the Full High Availability Cluster object in SmartConsole

Installation and Upgrade Guide R81 | 171

 Installing Full High Availability Cluster

Step Instructions

1 Connect with SmartConsole to the Cluster Member that runs the Primary
Security Management Server.

2 In the Security Cluster wizard, click Next.

3 Enter the name of the Full High Availability Cluster object.

4 Click Next.

5 Configure the settings for the Full High Availability Cluster Member that
runs the Secondary Security Management Server:
a. In the Secondary Member Name field, enter the hostname that you
entered during the First Time Configuration Wizard.
b. In the Secondary Member Name IP Address field, enter the IP
address of the Gaia Management Interface that you entered during
the First Time Configuration Wizard.
c. Enter and confirm the SIC Activation Key that you entered during
the First Time Configuration Wizard.

6 Click Next.

7 Configure the IP address of the paired interfaces on the appliances.

Select one of these options:
n Cluster Interface with Virtual IP - Enter a Cluster Virtual IP

address for the interface.

n Cluster Sync Interface - Configure the interface as the

synchronization interface for the appliances.

n Non-Cluster Interface - Use the configured IP address of this

interface.

8 Click Next.

9 Repeat Step 7 for all the interfaces.

10 Click Finish.

11 Publish the SmartConsole session.

12 Install the Access Control Policy on this cluster object.

Only after policy installation, can the Primary server synchronize with the
Secondary server.

13 Install the Threat Prevention Policy on this cluster object.

Installation and Upgrade Guide R81 | 172

 Installing Full High Availability Cluster

Note - You can also control the Full High Availability Cluster Members in Gaia Portal
> High Availability > Cluster page.

For more information, see the:

n R81 Gaia Administration Guide
n R81 ClusterXL Administration Guide

Installation and Upgrade Guide R81 | 173

 Recommended Logging Options for a Full High Availability Cluster

Recommended Logging Options for a Full High Availability

Cluster
In a cluster, log files are not synchronized between the two Cluster Members.

Best Practice - We recommend that you install a dedicated Log Server and configure
the Cluster Members to forward their logs to that dedicated Log Server.

Step Instructions

1 Install a dedicated Log Server.

Follow "Installing a Dedicated Log Server or SmartEvent Server" on page 66.

2 Connect with SmartConsole to the Full High Availability Cluster Member that runs
the Primary Security Management Server.

3 From the left navigation panel, click Gateways & Servers.

4 Open the cluster object.

5 From the left navigation tree, click Logs > Additional Logging Configuration.

6 Select Forward log files to Log Server and select the object of the dedicated Log
Server.

7 In the Log forwarding schedule field, select or define a Scheduled Event object.

8 Click OK.

9 Publish the SmartConsole session.

10 Install the Access Control Policy on this cluster object.

Installation and Upgrade Guide R81 | 174

 Installing a Standalone

Installing a Standalone
In a Standalone deployment, a Check Point computer runs both the Security Gateway and
Security Management Server products.

Important:
n These instructions apply only to Check Point Appliances that support a
Standalone deployment.
n These instructions apply to all Open Servers.
n These instructions apply to Virtual Machines.

See the R81 Release Notes for the requirements for a Standalone deployment.

These methods are available to configure a Standalone deployment:

Configuring a Standalone in Standard Mode

This method is supported on Check Point appliances (that support a Standalone

deployment), Open Servers, and Virtual Machines that meet the requirements listed in the
R81 Release Notes.

Installation and Upgrade Guide R81 | 175

 Installing a Standalone

1. Install the Standalone

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point

Appliances" on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway

and/or Security Management.

n In the Products window:

a. In the Products section, select both Security Gateway and

Security Management.
b. In the Clustering section:
l Clear Unit is a part of a cluster, type.

l In the Define Security Management as field, select

Primary.
n In the Security Management Administrator window, select one

of these options:
l Use Gaia administrator

l Define a new administrator and configure it

n In the Security Management GUI Clients window, configure the

applicable allowed computers:

l Any IP Address - Allows all computers to connect

l This machine - Allows only the single specified computer

to connect
l Network - Allows all computers on the specified network to

connect
l Range of IPv4 addresses - Allows all computers in the

specified range to connect

2. Configure the Standalone object in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Standalone.

2 From the left navigation panel, click Gateways & Servers.

Installation and Upgrade Guide R81 | 176

 Installing a Standalone

Step Instructions

3 Open the Standalone object.

Check Point Gateway properties window opens on the General
Properties page.

4 In the Platform section, select the correct options:

a. In the Hardware field:
n If you install the Security Gateway on a Check Point

Appliance, select the correct appliances series.

n If you install the Security Gateway on an Open Server,

select Open server.

b. Make sure the Version field shows R81.
c. In the OS field, select Gaia.

5 Enable the applicable Software Blades:

n On the Network Security tab.
n On the Threat Prevention tab.

6 On the Management tab, enable the applicable Software Blades.

7 Click OK.

8 Publish the SmartConsole session.

3. Configure the applicable Access Control policy for the Standalone in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Standalone.

2 From the left navigation panel, click Security Policies.

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press CTRL T).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy
and configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

4 Create the applicable Access Control rules.

5 Install the Access Control Policy on the Standalone object.

Installation and Upgrade Guide R81 | 177

 Installing a Standalone

Configuring a Standalone in Quick Setup Mode

This method is supported only on Check Point appliances that support a Standalone
deployment.
This method installs a Standalone on a Check Point appliance in Bridge Mode.
For more information on Gaia Quick Standalone Setup on Check Point appliances, see
sk102231.

For more information, see the:

n R81 Security Management Administration Guide.
n Applicable Administration Guides on the R81 Home Page.

Installation and Upgrade Guide R81 | 178

 Post-Installation Configuration

Post-Installation Configuration
After the installation is complete, and you rebooted the Check Point computer:
n Configure the applicable settings in the Check Point Configuration Tool.
n Check the recommended and available software packages in CPUSE (see "Installing
Software Packages on Gaia" on page 185).

The Check Point Configuration Tool lets you configure these settings:

Check Point
Commands Available Configuration Options
computer

Security cpconfig (1) Licenses and contracts

Management (2) Administrator
Server, (3) GUI Clients
Dedicated Log (4) SNMP Extension
Server, (5) Random Pool
Dedicated (6) Certificate Authority
SmartEvent Server (7) Certificate's Fingerprint
(8) Automatic start of Check Point
Products

(9) Exit

Multi-Domain 1. mdsenv (1) Leading VIP Interfaces

Server, 2. mdsconfig (2) Licenses
Multi-Domain Log (3) Random Pool
Server (4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain
Server
(9) P1Shell
(10) Start Multi-Domain Server
Password
(11) IPv6 Support for Multi-Domain
Server
(12) IPv6 Support for Existing Domain
Management Servers

(13) Exit

Installation and Upgrade Guide R81 | 179

 Post-Installation Configuration

Check Point
Commands Available Configuration Options
computer

Security Gateway, cpconfig (1) Licenses and contracts

Cluster Member (2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for
this gateway
(7) Enable Check Point Per Virtual
System State
(8) Enable Check Point ClusterXL for
Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point
Products

(11) Exit

Explanation about the Configuration Options on a Security Management Server, dedicated Log
Server or SmartEvent Server

For more information, see the R81 Security Management Administration Guide.

Note - The options shown depend on the configuration and installed products.

Menu Option Description

Licenses and Manages Check Point licenses and contracts on this server.
contracts

Administrator Configures Check Point system administrators for this server.

GUI Clients Configures the GUI clients that can use SmartConsole to connect
to this server.

SNMP Extension Obsolete. Do not use this option anymore.

To configure SNMP, see the R81 Gaia Administration Guide -
Chapter System Management - Section SNMP.

Random Pool Configures the RSA keys, to be used by Gaia Operating System.

Certificate Initializes the Internal Certificate Authority (ICA) and configures

Authority the Certificate Authority's (CA) Fully Qualified Domain Name
(FQDN).

Installation and Upgrade Guide R81 | 180

 Post-Installation Configuration

Menu Option Description

Certificate's Shows the ICA's Fingerprint.

Fingerprint This fingerprint is a text string derived from the server's ICA
certificate.
This fingerprint verifies the identity of the server when you connect
to it with SmartConsole.

Automatic start of Shows and controls which of the installed Check Point products
Check Point start automatically during boot.
Products

Exit Exits from the Check Point Configuration Tool.

Explanation about the Configuration Options on a Multi-Domain Server or Multi-Domain Log

Server

For more information, see the R81 Multi-Domain Security Management Administration
Guide.

Installation and Upgrade Guide R81 | 181

 Post-Installation Configuration

Menu Option Description

Leading VIP Interfaces The Leading VIP Interfaces are real interfaces connected
to an external network.
These interfaces are used when you configure virtual IP
addresses for Domain Management Servers.

Licenses Manages Check Point licenses and contracts on this

server.

Random Pool Configures the RSA keys, to be used by Gaia Operating

System.

Groups Usually, the Multi-Domain Server is given group

permission for access and execution.
You may now name such a group or instruct the
installation procedure to give no group permissions to the
server.
In the latter case, only the Super-User is able to access
and execute commands on the server.

Certificate's Fingerprint Shows the ICA's Fingerprint.

This fingerprint is a text string derived from the server's
ICA certificate.
This fingerprint verifies the identity of the server when
you connect to it with SmartConsole.

Administrators Configures Check Point system administrators for this

server.

GUI Clients Configures the GUI clients that can use SmartConsole to
connect to this server.

Automatic Start of Multi- Shows and controls if Multi-Domain Server starts

Domain Server automatically during boot.

P1Shell Obsolete. Do not use this option anymore.

Important - This option and the p1shell command
are not supported (Known Limitation PMTR-45085).

Start Multi-Domain Server Configures a password to control the start of the Multi-
Password Domain Server.

Installation and Upgrade Guide R81 | 182

 Post-Installation Configuration

Menu Option Description

IPv6 Support for Multi-
Domain Server
Enables or disables the IPv6 Support on the Multi-
Domain Server.
Important - R81 Multi-Domain Server does not
support IPv6 address configuration (Known
Limitation PMTR-14989).

IPv6 Support for Existing
Domain Management
Servers
Enables or disables the IPv6 Support on the Domain
Management Servers.
Important - R81 Multi-Domain Server does not
support IPv6 address configuration (Known
Limitation PMTR-14989).

Exit Exits from the Multi-Domain Server Configuration

Program.

Explanation about the Configuration Options on a Security Gateway or Cluster Member

Note - The options shown depend on the configuration and installed products.

Menu Option Description

Licenses and contracts Manages Check Point licenses and contracts on this
Security Gateway or Cluster Member.

SNMP Extension Obsolete. Do not use this option anymore.

To configure SNMP, see the R81 Gaia Administration
Guide - Chapter System Management - Section SNMP.

PKCS#11 Token Register a cryptographic token, for use by Gaia

Operating System.
See details of the token, and test its functionality.

Random Pool Configures the RSA keys, to be used by Gaia Operating

System.

Secure Internal Manages SIC on the Security Gateway or Cluster

Communication Member.
This change requires a restart of Check Point services
on the Security Gateway or Cluster Member.
For more information, see:
n The R81 Security Management Administration
Guide.
n sk65764: How to reset SIC.

Installation and Upgrade Guide R81 | 183

 Post-Installation Configuration

Menu Option Description

Enable cluster membership Enables the cluster membership on the Security

for this gateway Gateway.
This change requires a reboot of the Security Gateway.
For more information, see the R81 ClusterXL
Administration Guide.

Disable cluster membership Disables the cluster membership on the Security

for this gateway Gateway.
This change requires a reboot of the Security Gateway.
For more information, see the R81 ClusterXL
Administration Guide.

Enable Check Point Per Enables Virtual System Load Sharing on the VSX
Virtual System State Cluster Member.
For more information, see the R81 VSX Administration
Guide.

Disable Check Point Per Disables Virtual System Load Sharing on the VSX
Virtual System State Cluster Member.
For more information, see the R81 VSX Administration
Guide.

Enable Check Point Enables Check Point ClusterXL for Bridge mode.
ClusterXL for Bridge This change requires a reboot of the Cluster Member.
Active/Standby For more information, see the R81 ClusterXL
Administration Guide.

Disable Check Point Disables Check Point ClusterXL for Bridge mode.
ClusterXL for Bridge This change requires a reboot of the Cluster Member.
Active/Standby For more information, see the R81 ClusterXL
Administration Guide.

Check Point CoreXL Manages CoreXL on the Security Gateway or Cluster

Member.
After all changes in CoreXL configuration, you must
reboot the Security Gateway or Cluster Member.
For more information, see the R81 Performance Tuning
Administration Guide.

Automatic start of Check Shows and controls which of the installed Check Point
Point Products products start automatically during boot.

Exit Exits from the Check Point Configuration Tool.

Installation and Upgrade Guide R81 | 184

 Installing Software Packages on Gaia

Installing Software Packages on

Gaia
You can install Software Packages in these ways on Gaia R81:
Installing Software Packages centrally

These options are available on an R81 Management Server:

n Use the Central Deployment in SmartConsole to deploy the applicable packages to
the managed Security Gateways and Clusters.
You can deploy a software package from:
l The Check Point Cloud.
l The Package Repository on the Management Server (first, you must upload the
applicable package to the Package Repository).
For more information, see the R81 Security Management Administration Guide >
Chapter Managing Gateways > Section Central Deployment of Hotfixes and Version
Upgrades.

> Best Practice - Use this method.

n Use the Central Deployment Tool on the Management Server to deploy the applicable
packages to the managed Security Gateways and Clusters.
For more information, see sk111158.

Installing Software Packages locally

You use the CPUSE on each Gaia computer to install the applicable packages.
For more information, see sk92449.

Installation and Upgrade Guide R81 | 185

 Installing Software Packages on Gaia

n If a Gaia computer is connected to the Internet

Installation
Action Plan
Method

Online 1. Connect to the Gaia Portal or Gaia Clish on your Gaia

computer.
2. Verify the applicable CPUSE Software Packages.
3. Download the applicable CPUSE Software Packages.
4. Install the applicable CPUSE Software Packages.

Offline See the instructions for a Gaia computer that is not connected to
the Internet.

n If a Gaia computer is not connected to the Internet

Installation
Action Plan
Method

Offline only Installation in Gaia Portal

1. Use the computer, from which you connect to Gaia Portal.
2. Download the applicable CPUSE Software Packages from:
l R81 Home Page

l Upgrade Wizard

3. Connect to Gaia Portal on your Gaia computer.

4. Import the applicable CPUSE Software Packages.
5. Verify the applicable CPUSE Software Packages.
6. Install the applicable CPUSE Software Packages.

Installation in Gaia Clish

1. Use the computer, from which you connect to Gaia Portal.
2. Download the applicable CPUSE Software Packages from:
l R81 Home Page

l Upgrade Wizard

3. Transfer the applicable CPUSE Offline Software Packages

to your Gaia computer
to some directory (for example, /var/log/path_to_
CPUSE_packages/).
4. Connect to Gaia Clish on your Gaia computer.
5. Import the applicable CPUSE Software Packages.
6. Verify the applicable CPUSE Software Packages.
7. Install the applicable CPUSE Software Packages.

Installation and Upgrade Guide R81 | 186

 Installing Software Packages on Gaia

Important:
When you perform an upgrade to R81 with CPUSE from R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions, you can see the upgrade report in Gaia
Portal:
1. From the left navigation tree, click Upgrades (CPUSE) > Status and Actions.
2. In the Major Versions section, select the R81 Upgrade package.
3. In the right pane Package Details, click the link To see a detailed upgrade
report.
4. A pop up opens and shows the upgrade progress in real time.
The report supports only these configurations:
n Security Management Servers
n Endpoint Security Management Servers
n CloudGuard Controllers
n Multi-Domain Servers
n Log Servers
n Endpoint Policy Servers
n Multi-Domain Log Servers
n Standalone Servers

Installation and Upgrade Guide R81 | 187

 Upgrade Options and Prerequisites

Upgrade Options and

Prerequisites
This section contains the supported upgrade options and the upgrade prerequisites.

Note - Use these to download the applicable installation and upgrade images:
n The Upgrade/Download Wizard.
n The Central Deployment in SmartConsole.
For more information, see the R81 Security Management Administration Guide
> Chapter Managing Gateways > Section Central Deployment of Hotfixes and
Version Upgrades.

Installation and Upgrade Guide R81 | 188

 Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

Prerequisites for Upgrading and Migrating of

Management Servers and Log Servers
Prerequisites:
n Make sure you use the latest version of this document (see the "Important Information"
on page 3 page for links).
n See the R81 Release Notes for:
l Supported upgrade paths
l Minimum hardware and operating system requirements
l Supported Security Gateways
n Make sure to read all applicable known limitations in the R81 Known Limitations SK.
n When you use the Advanced Upgrade or the Migration and Upgrade method, before
you import the management database on the R81 Servers, we strongly recommend to
install the latest General Availability Take of the R81 Jumbo Hotfix Accumulator from
R81 Jumbo Hotfix Accumulator.
This makes sure the R81 Servers have the latest improvements for reported import
issues.
This recommendation does not apply to the CPUSE Upgrade method, because these
improvements are already integrated in R81 CPUSE Upgrade Package.
n Licenses and Service Contracts:
l Make sure you have valid licenses installed on all applicable Check Point
computers - source and target.
l Make sure you have a valid Service Contract that includes software upgrades and
major releases registered to your Check Point User Center account (see "Contract
Verification" on page 205).
The contract file is stored on the Management Server and downloaded to Check
Point Security Gateways during the upgrade process.
For more information about Service Contracts, see sk33089.
n If SmartConsole connects to the Management Server (which you plan to upgrade)
through an R7x Security Gateway or Cluster, then follow the steps below.

Installation and Upgrade Guide R81 | 189

 Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

Procedure

1. Connect to the Management Server that manages the R7x Security Gateway or
Cluster
2. Add a new explicit Firewall rule:

Install
Source Destination VPN Service Action
On

SmartConsol Managemen Any TCP Accept R7x

e Host object t Server Traffic 19009 Security
object Gateway
or
Cluster

3. Install the modified Firewall Policy on the R7x Security Gateway or Cluster.
4. If you upgrade this R7x Security Gateway or Cluster to R80.10 or higher, delete
this explicit rule.

n On your Security Management Servers, Multi-Domain Servers, Domain Management

Servers, Multi-Domain Log Servers, Domain Log Servers, Log Servers, and SmartEvent
Servers:
Make a copy of all custom configurations in the applicable directories and files.
l Collect the Log Exporter configuration - see sk127653.
l Pay special attention to these scripts:
o $CPDIR/tmp/.CPprofile.sh
o $CPDIR/tmp/.CPprofile.csh

The upgrade process replaces all existing files with default files. You must not copy the
customized configuration files from the current version to the upgraded version, because
these files can be unique for each version. You must make all the custom configurations
again after the upgrade.

Installation and Upgrade Guide R81 | 190

 Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

List of the applicable directories

l $FWDIR/lib/
l $FWDIR/conf/
l $CVPNDIR/conf/
l /opt/CP*/lib/
l /opt/CP*/conf/
l $MDSDIR/conf/
l $MDSDIR/customers/<Name_of_Domain>/CP*/lib/
l $MDSDIR/customers/<Name_of_Domain>/CP*/conf/

n For your Management Servers in High Availability configuration, plan the upgrade.
Action Plan for Security Management Servers in High Availability
Important - To back up and restore a consistent Security Management
environment, make sure to collect and restore the backups and snapshots
from all servers in the High Availability environment at the same time.

Upgrade to
Action Plan
R81

From 1. Upgrade the Primary Security Management Server.

R80.20, 2. Make sure the Security Management Servers can
R80.20.M2, communicate with each other and SIC works between these
and higher servers. For details, see sk179794.
versions 3. Upgrade the Secondary Security Management Servers.

From 1. Upgrade the Primary Security Management Server.

R80.20.M1 2. Perform a clean install of the Secondary Security
version Management Servers.
3. Connect the Secondary Security Management Servers to the
Primary Security Management Server.

Action Plan for Multi-Domain Servers in High Availability

Important - To back up and restore a consistent Multi-Domain Security
Management environment, make sure to collect and restore the backups and
snapshots from all servers in the High Availability environment at the same
time.

Installation and Upgrade Guide R81 | 191

 Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

Upgrade to
Action Plan
R81

From 1. Make sure to run Pre-Upgrade Verifier on all source

R80.20, servers and to fix all detected issues before you start the
R80.20.M2, upgrade.
and higher 2. Make sure the Global Domain is Active on the Primary Multi-
versions Domain Server.
3. Upgrade the Primary Multi-Domain Server.
4. Make sure the Multi-Domain Security Management Servers
can communicate with each other and SIC works between
these servers. For details, see sk179794.
5. Upgrade the Secondary Multi-Domain Servers.

From 1. Make sure to run Pre-Upgrade Verifier on all source

R80.20.M1 servers and to fix all detected issues before you start the
version upgrade.
2. Make sure the Global Domain is Active on the Primary Multi-
Domain Server.
3. Upgrade the Primary Multi-Domain Server.
4. Perform a clean install of the Secondary Multi-Domain
Servers.
5. Connect the Secondary Multi-Domain Servers to the Primary
Multi-Domain Server.

n If your Security Management Server or Multi-Domain Server manages dedicated Log

Servers or dedicated SmartEvent Servers, you must upgrade these dedicated servers to
the same version as the Management Server.

Important - You must upgrade your Management Servers before you can
upgrade these dedicated servers.

Note - SmartEvent Server can run the same version or higher than the Log Server.

n If your Multi-Domain Server manages Multi-Domain Log Servers, you must upgrade the
Multi-Domain Log Servers to the same version as the Multi-Domain Server.

Important - You must upgrade your Multi-Domain Servers before you can
upgrade the Multi-Domain Log Servers.
n Before you upgrade a Multi-Domain Server, we recommend the steps below to optimize
the upgrade process.

Installation and Upgrade Guide R81 | 192

 Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

Procedure

Step Instructions

1 Delete all unused Threat Prevention Profiles on the Global Domain:

a. Connect with SmartConsole to the Global Domain.
b. From the left navigation panel, click Security Policies.
c. Open each policy.
d. In the top section, click Threat Prevention.
e. In the bottom section Custom Policy Tools, click Profiles.
f. Delete all unused Threat Prevention Profiles.
g. Publish the SmartConsole session.
h. Close SmartConsole.

2 Disable the Staging Mode for IPS protections (see sk142432):

a. Connect with SmartConsole to each Domain.
b. From the left navigation panel, click Security Policies.
c. Open each policy.
d. In the top section, click Threat Prevention.
e. In the bottom section Custom Policy Tools, click Profiles.
f. Edit each profile.
g. From the left tree, click IPS > Updates.
h. Clear the box Set activation as staging mode (Detect).
i. Click OK.
j. Publish the SmartConsole session.
k. Close SmartConsole.

n Before you start an upgrade or migration procedure on your Management Servers, you
must close all GUI clients (SmartConsole applications) connected to your Check Point
computers.
n Before you start an upgrade of your Security Gateway and Cluster Members, you must
upgrade the Management Server.
n On Smart-1 appliances with Multi-Domain Server or Multi-Domain Log Server installed, if
you configured an interface other than Mgmt as the Leading interface, the upgrade
process or clean install process (with CPUSE) configures the interface Mgmt to be the
Leading interface. To configure a different interface as the Leading interface after the
upgrade, see sk107336.
n If an external storage device is connected to a Management Server or Log Server, you
must follow sk66003.

Installation and Upgrade Guide R81 | 193

 Prerequisites for Upgrading and Migrating of Management Servers and Log Servers

Action Plan

1. Unmount and disconnect the external storage device.

2. Upgrade the server to R81.
3. Stop the SOLR process.
4. Connect and mount the external storage device to the server.
5. On the external storage device, configure the required settings to keep log
indexes.
6. Start the SOLR process.

Required Disk Space:

n The size of the /var/log/ partition on the target Management Server or Log Server
must be at minimum 25% of the size of the "/var/log/" partition on the source
Management Server or Log Server.
n For Advanced Upgrade or Migration procedure, the hard disk on the Management Server
or Log Server must be at minimum 5 times the size of the exported database.

IPv4 or IPv6 Addresses:

If the source Security Management Server uses only IPv4 or only IPv6, the target Security
Management Server must use the same IP address configuration. It is possible to change this
configuration after the upgrade or migration.

Installation and Upgrade Guide R81 | 194

 Prerequisites for Upgrading and Migrating of Security Gateways and Clusters

Prerequisites for Upgrading and Migrating of

Security Gateways and Clusters
Prerequisites:
n Make sure you use the latest version of this document (see the "Important Information"
on page 3 page for links).
n See the R81 Release Notes for:
l Supported upgrade paths
l Minimum hardware and operating system requirements
l Supported Security Gateways
n Make sure to read all applicable known limitations in the R81 Known Limitations SK.
n Before starting an upgrade of your Security Gateway and Cluster Members, you must
upgrade the Management Server.
n On your Security Gateways and Cluster Members:
Make a copy of all custom configurations in the applicable directories and files.
The upgrade process replaces all existing files with default files. You must not copy the
customized configuration files from the current version to the upgraded version, because
these files can be unique for each version. You must make all the custom configurations
again after the upgrade.
List of the most important directories
Note - On VSX Gateway and VSX Cluster Member, some of these directories
exist in the context of each Virtual Device.
l $FWDIR/boot/modules/
l $FWDIR/conf/
l $FWDIR/lib/
l $FWDIR/database/
l $CVPNDIR/conf/
l $PPKDIR/boot/modules/
l /var/ace/

Installation and Upgrade Guide R81 | 195

 Prerequisites for Upgrading and Migrating of Security Gateways and Clusters

List of the most important files

Note - Some of these files do not exist by default. Some files are configured
on each VSX Gateway and VSX Cluster Member, and some files are
configured for each Virtual System.
l $FWDIR/boot/modules/fwkern.conf
l $FWDIR/boot/modules/vpnkern.conf
l $FWDIR/conf/fwaffinity.conf
l $FWDIR/conf/fwauthd.conf
l $FWDIR/conf/local.arp
l $FWDIR/conf/discntd.if
l $FWDIR/conf/cpha_bond_ls_config.conf
l $FWDIR/conf/resctrl
l $FWDIR/conf/vsaffinity_exception.conf
l $FWDIR/database/qos_policy.C
l $PPKDIR/conf/simkern.conf:
l $PPKDIR/conf/sim_aff.conf:
l $CPDIR/tmp/.CPprofile.sh
l $CPDIR/tmp/.CPprofile.csh
l /var/ace/sdconf.rec
l /var/ace/sdopts.rec
l /var/ace/sdstatus.12
l /var/ace/securid

List of the most important files

Note - Some of these files do not exist by default. Some files are configured
on each VSX Gateway and VSX Cluster Member, and some files are
configured for each Virtual System.
l $FWDIR/boot/modules/fwkern.conf
l $FWDIR/boot/modules/vpnkern.conf
l $FWDIR/conf/fwaffinity.conf
l $FWDIR/conf/fwauthd.conf
l $FWDIR/conf/local.arp

Installation and Upgrade Guide R81 | 196

 Prerequisites for Upgrading and Migrating of Security Gateways and Clusters

l $FWDIR/conf/discntd.if
l $FWDIR/conf/cpha_bond_ls_config.conf
l $FWDIR/conf/resctrl
l $FWDIR/conf/vsaffinity_exception.conf
l $FWDIR/database/qos_policy.C
l simkern.conf
o In R80.20 and higher: $PPKDIR/conf/simkern.conf
o In R80.10 and lower: $PPKDIR/boot/modules/simkern.conf
l sim_aff.conf
o In R80.20 and higher: $PPKDIR/conf/sim_aff.conf
o In R80.10 and lower: $PPKDIR/boot/modules/sim_aff.conf
l /var/ace/sdconf.rec
l /var/ace/sdopts.rec
l /var/ace/sdstatus.12
l /var/ace/securid

n Licenses and Service Contracts:

l Make sure you have valid licenses installed on all applicable Check Point
computers - source and target.
l Make sure you have a valid Service Contract that includes software upgrades and
major releases registered to your Check Point User Center account (see "Contract
Verification" on page 205).
The contract file is stored on the Management Server and downloaded to Check
Point Security Gateways during the upgrade process.
For more information about Service Contracts, see sk33089.

Installation and Upgrade Guide R81 | 197

 Prerequisites for Upgrading the Mobile Access Software Blade Configuration

Prerequisites for Upgrading the Mobile Access

Software Blade Configuration
Important - If you use the Mobile Access Software Blade and you have customized
configuration, review the customized settings before you upgrade to R81. Do not
copy the existing files, because the default files change between the versions. After
the upgrade, make the applicable changes to the new files.

Prerequisites:
n Make sure you use the latest version of this document (see the "Important Information"
on page 3 page for links).
n See the R81 Release Notes for:
l Supported upgrade paths
l Minimum hardware and operating system requirements
l Supported Security Gateways
n Make sure to read all applicable known limitations in the R81 Known Limitations SK.
n Before starting an upgrade of your Security Gateway and Cluster Members, you must
upgrade the Management Server.
n Licenses and Service Contracts:
l Make sure you have valid licenses installed on all applicable Check Point
computers - source and target.
l Make sure you have a valid Service Contract that includes software upgrades and
major releases registered to your Check Point User Center account (see "Contract
Verification" on page 205).
The contract file is stored on the Management Server and downloaded to Check
Point Security Gateways during the upgrade process.
For more information about Service Contracts, see sk33089.

Procedure:

Step Instructions

1 Open these files on the Management Server and write down all custom changes
in the applicable files:

Installation and Upgrade Guide R81 | 198

 Prerequisites for Upgrading the Mobile Access Software Blade Configuration

Step Instructions

n Mobile Access configuration:

$CVPNDIR/conf/cvpnd.C

n Apache configuration:
$CVPNDIR/conf/httpd.conf
$CVPNDIR/conf/includes/*

n Local certificates:
$CVPNDIR/var/ssl/ca-bundle/*

n DynamicID - SMS OTP - Local Phone List:

$CVPNDIR/conf/SmsPhones.lst

n RSA configuration:
/var/ace/sdconf.rec

n Mobile Access Gaia Portal configuration (run these commands in the Expert
mode to see the applicable files):
find $CVPNDIR/ -name *.php -type f -exec ls {} \;
find $CVPNDIR/ -name *.gif -type f -exec ls {} \;
find $CVPNDIR/ -name *.jpg -type f -exec ls {} \;

2 Upgrade the Management Server to R81 using one of the supported methods
(see "Upgrade Methods" on page 200).

3 Update the Mobile Access Endpoint Compliance:

1. In SmartConsole, from the left navigation panel, click Security Policies.
2. In the Shared Policies section, click Mobile Access > Open Mobile Access
Policy in SmartDashboard.
3. In SmartDashboard, click Mobile Access tab > open Endpoint Security on
Demand > click Endpoint Compliance Updates > click Update Databases
Now.
4. Close SmartDashboard.

4 Manually edit the default files on the upgraded the Management Server to include
your custom changes.

Installation and Upgrade Guide R81 | 199

 Upgrade Methods

Upgrade Methods
You can use this method to upgrade your Security Gateways and Cluster Members:

Central
Central
Gateway Deployment CPUSE
Deployment
Tool

Security See "Upgrade See "Upgrade See "Upgrade with

Gateways, of Security of Security CPUSE" on
VSX Gateways and Gateways and page 202
Gateways, Cluster Cluster
Cluster Members with Members with
Members Central Central
Deployment" on Deployment
the next page Tool" on
Best page 202
> Practice -
Use this
method.

You can use these methods to upgrade your Management Servers and Log Servers:

Advanced Migration and

Server CPUSE
Upgrade Upgrade

Security See "Upgrade See "Advanced See "Migration

Management with CPUSE" on Upgrade of and Upgrade of
Server, page 202 Management Management
Endpoint Servers and Servers and
Security Log Servers" Log Servers"
Management on page 203 on page 204
Server,
CloudGuard
Controller,
vSEC
Controller

Multi-Domain See "Upgrade See "Advanced See "Migration

Server with CPUSE" on Upgrade of and Upgrade of
page 202 Management Management
Servers and Servers and
Log Servers" Log Servers"
on page 203 on page 204

Installation and Upgrade Guide R81 | 200

 Upgrade Methods

Advanced Migration and

Server CPUSE
Upgrade Upgrade

Multi-Domain See "Upgrade See "Advanced See "Migration

Log Server with CPUSE" on Upgrade of and Upgrade of
the next page Management Management
Servers and Servers and
Log Servers" Log Servers"
on page 203 on page 204

Dedicated Log See "Upgrade See "Advanced See "Migration

Server, with CPUSE" on Upgrade of and Upgrade of
Endpoint Policy the next page Management Management
Server Servers and Servers and
Log Servers" Log Servers"
on page 203 on page 204

Dedicated See "Upgrade See "Advanced See "Migration

SmartEvent with CPUSE" on Upgrade of and Upgrade of
Server the next page Management Management
Servers and Servers and
Log Servers" Log Servers"
on page 203 on page 204
Important:
n Upgrade with CPUSE is supported only on Check Point computers that
currently run Gaia Operating System.
n Before you upgrade your Security Gateways and Cluster Members, you must
upgrade your Management Servers that manage them.
n You must upgrade your dedicated Log Servers and SmartEvent Servers to the
same version as the Management Servers that manage them.
You must upgrade your Management Servers before you can upgrade these
dedicated servers.
n You must upgrade your Multi-Domain Log Servers to the same version as the
Multi-Domain Servers that manage them.
n During the upgrade process in a Management High Availability environment, we
recommend that you do not use any of the Security Management Servers or
Multi-Domain Servers to make changes in the management databases.
This can cause inconsistent synchronization between these servers.

Upgrade of Security Gateways and Cluster Members with Central Deployment

With Central Deployment in SmartConsole, you can install software packages to upgrade or
to perform a clean install on Security Gateways and Cluster Members.
You can Deploy a Hotfix or Upgrade Package from:

Installation and Upgrade Guide R81 | 201

 Upgrade Methods

n The Check Point Cloud.

n The Package Repository on the Management Server (first, you must upload the
applicable package to the Package Repository).
For more information, see the R81 Security Management Administration Guide > Chapter
Managing Gateways > Section Central Deployment of Hotfixes and Version Upgrades.

> Best Practice - Use this method.

Upgrade of Security Gateways and Cluster Members with Central Deployment Tool

With Central Deployment Tool on the Management Server, you can install software
packages to upgrade or to perform a clean install on Security Gateways and Cluster
Members.
For more information, see sk111158.

Upgrade with CPUSE

With CPUSE, you can install software packages to upgrade or to perform a clean install on
Check Point computers that run on the Gaia Operating System.
For more about CPUSE, see sk92449.
For detailed CPUSE upgrade instructions, see:
n "Upgrading a Security Management Server or Log Server from R80.20 and higher
with CPUSE" on page 211
n "Upgrading one Multi-Domain Server from R80.20 and higher" on page 249
n "Upgrading Multi-Domain Servers in High Availability from R80.20 and higher" on
page 273
n "Upgrading a Multi-Domain Log Server from R80.20 and higher with CPUSE" on
page 329
n "Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher with CPUSE" on page 351

Note - When you perform an upgrade to R81 with CPUSE from R80.20.M1,
R80.20, R80.20.M2, R80.30, or higher versions, you can see the upgrade report in
Gaia Portal. See "Installing Software Packages on Gaia" on page 185.

Installation and Upgrade Guide R81 | 202

 Upgrade Methods

Advanced Upgrade of Management Servers and Log Servers

In an advanced upgrade scenario, perform these steps on the same Check Point
computer:

Step Instructions

1 Take a full backup and snapshot of the current Check Point computer.

2 Export the entire management database with the R81 Management Server
Migration Tool.

3 Get the R81 Check Point computer:

n If the current Check Point computer runs on Gaia, you can upgrade it to
R81.
n If the current Check Point computer runs an operating system other than
Gaia, you must perform a clean install of the R81.

4 Import the entire management database.

For detailed Advanced Upgrade instructions, see:

n "Upgrading a Security Management Server or Log Server from R80.20 and higher
with Advanced Upgrade" on page 217
n "Upgrading one Multi-Domain Server from R80.20 and higher with Advanced
Upgrade" on page 255
n "Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
Advanced Upgrade" on page 281
n "Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced
upgrade" on page 333
n "Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher with Advanced Upgrade" on page 356

Note - When you perform an upgrade to R81 from R80.20.M1, R80.20,

R80.20.M2, R80.30, or higher versions, you can see the upgrade report on the
server. The upgrade process generates this report after each specific stage of an
upgrade:
$MDS_FWDIR/log/upgrade_report-<yyyy.MM.dd_HH.mm.ss>.html

Installation and Upgrade Guide R81 | 203

 Upgrade Methods

Migration and Upgrade of Management Servers and Log Servers

In a migration and upgrade scenario, perform these steps on the source Check Point
computer and the different target Check Point computer:

Step Instructions

1 Export the entire management database from the source Check Point
computer with the R81 Management Server Migration Tool.

2 Install another target R81 Check Point computer.

3 Import the entire management database on the new target R81 Check Point
computer.

For detailed migration and upgrade instructions, see:

n "Upgrading a Security Management Server or Log Server from R80.20 and higher
with Migration" on page 229
n "Upgrading one Multi-Domain Server from R80.20 and higher with Migration" on
page 264
n "Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
Migration" on page 304
n "Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration" on
page 341
n "Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher with Migration" on page 367

Note - When you perform an upgrade to R81 from R80.20.M1, R80.20,

R80.20.M2, R80.30, or higher versions, you can see the upgrade report on the
target server. The upgrade process generates this report after each specific stage
of an upgrade:
$MDS_FWDIR/log/upgrade_report-<yyyy.MM.dd_HH.mm.ss>.html

Installation and Upgrade Guide R81 | 204

 Contract Verification

Contract Verification
Before you upgrade your Management Server to R81, you must have a valid Support Contract
that includes software upgrades and major releases registered to your Check Point User
Center account.
By verifying your status with the User Center, the contract file enables you to remain compliant
with current Check Point licensing standards.
As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain
Server before upgrading the Security Gateways.
When you upgrade a Management Server, the upgrade process checks to see whether a
Contract File is already present.

If a Contract File is not present, later you can download a Contract File manually from the
Check Point User Center and import it.
If a Contract File does not cover the Management Server, a message informs you that the
Management Server is not eligible for upgrade.

Important - The absence of a valid Contract File does not prevent upgrade.

Note - In most cases, you do not need to worry about your Service Contract File. Your
Management Server is configured to communicate with the User Center
automatically, and download the most current file. This allows the Management
Server to enable the purchased services properly.

You can download a valid Contract File later.

Option Instructions

Download a contract If you have Internet access and a valid Check Point User Center
file from the User account, download a Contract File directly from your User Center
Center account:

Import a local If the Management Server does not have Internet access:
contract file
1. On a computer with Internet access, log in to your Check
Point User Center account.
2. In the top menu, click Assets/Info > Download Contract File
and follow the instructions on the screen.
3. Transfer the downloaded contract file to your Management
Server.
4. Select Import a local contracts file.
5. Enter the full path to the location where you stored the
contract file.

Installation and Upgrade Guide R81 | 205

 Contract Verification

Option Instructions

Continue without Select this option, if you intend to get and install a valid Contract
contract information File later.
Note that at this point your managed Security Gateways are not
strictly eligible for an upgrade.
You may be in violation of your Check Point Licensing Agreement,
as shown in the final message of the upgrade process.

Installation and Upgrade Guide R81 | 206

 Upgrade Tools

Upgrade Tools
Important - You must always use the latest version of the R81 Upgrade Tools from
sk135172 to:
n Upgrade from R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions
n Migrate a Domain Management Server between Multi-Domain Servers
n Migrate a Domain Management Server from a Multi-Domain Server to a
Security Management Server
n Migrate a Security Management Server to a Domain on a Multi-Domain Server
n Back up and restore a Domain on a Multi-Domain Server
Notes:
n If the Management Server / Log Server is connected to the Internet and you
enabled the "Allow Download" consent flag (see sk111080), then the server
downloads and installs the latest version of the Upgrade Tools automatically.
To enable the "Allow Download" consent flag:
l In the Gaia First Time Configuration Wizard, you selected the option

Automatically download Blade Contracts, new software, and other

important data.
l In SmartConsole, you selected the option Automatically download

Contracts and other important data in Menu > Global properties >
Security Management.
n If the Management Server / Log Server is not connected to the Internet, then
you must install the latest version of the Upgrade Tools manually.

These Upgrade Tools:

n Make sure it is possible to upgrade the current management database without issues.
n Generate an upgrade report with the list of detected issues that can fail the upgrade.

Installation and Upgrade Guide R81 | 207

 Upgrade Tools

The upgrade report shows these messages:

Message
Instructions
Category

Action items Errors you must repair before the upgrade.

before the Warnings of issues for you to decide whether to fix before upgrade.
upgrade An example of an error you must fix before the upgrade is an invalid
policy name.

Action items Errors and warnings that you must fix after the upgrade.
after the upgrade

Information Items to be aware of.

messages For example, an object type is not supported in the higher version, but is
in your database and it is converted during the upgrade.

The most important files in the Management Server Migration Tool and Upgrade Tools
packages:

Package Instructions

migrate_ Exports and imports the management database and applicable Check
server Point configuration.
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands > Section migrate_server.

migrate.conf Contains configuration settings for Advanced Upgrade / Database

Migration.

Installation and Upgrade Guide R81 | 208

 Upgrade of Security Management Servers and Log Servers

Upgrade of Security Management

Servers and Log Servers
This section provides instructions to upgrade Security Management Servers and Log Servers.
See "Upgrading a Security Management Server or Log Server from R80.20 and higher" on
page 210.

Installation and Upgrade Guide R81 | 209

 Upgrading a Security Management Server or Log Server from R80.20 and higher

Upgrading a Security Management Server or

Log Server from R80.20 and higher
This section provides instructions to upgrade Security Management Servers and dedicated
Log Servers from R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions:
n "Upgrading a Security Management Server or Log Server from R80.20 and higher with
CPUSE" on page 211
n "Upgrading a Security Management Server or Log Server from R80.20 and higher with
Advanced Upgrade" on page 217
n "Upgrading a Security Management Server or Log Server from R80.20 and higher with
Migration" on page 229
n "Upgrading Security Management Servers in Management High Availability from R80.20
and higher" on page 241
For additional information related to these upgrade procedures, see sk163814.

Installation and Upgrade Guide R81 | 210

Upgrading a Security Management Server or Log Server from R80.20 and higher with CPUSE

Upgrading a Security Management Server or Log Server

from R80.20 and higher with CPUSE
In a CPUSE upgrade scenario, you perform the upgrade procedure on the same Check Point
server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n These instructions equally apply to:
l Security Management Server

l CloudGuard Controller

l Dedicated Log Server

l Dedicated SmartEvent Server

n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Management Server or Log Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Security Management Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Installation and Upgrade Guide R81 | 211

Upgrading a Security Management Server or Log Server from R80.20 and higher with CPUSE

Procedure:
1. Get the required Upgrade Tools on the server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. Upgrade the Security Management Server with CPUSE

Installation and Upgrade Guide R81 | 212

Upgrading a Security Management Server or Log Server from R80.20 and higher with CPUSE

See "Installing Software Packages on Gaia" on page 185 and follow the applicable
action plan.

3. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

4. Upgrade the dedicated Log Servers and dedicated SmartEvent Servers

This step is part of the upgrade procedure of a Management Server. If you upgrade a
dedicated Log Servers or SmartEvent Servers, then skip this step.

Important - If your Security Management Server manages dedicated Log

Servers or SmartEvent Servers, you must upgrade these dedicated servers
to the same version as the Security Management Server.

Follow the applicable procedure in "Upgrading a Security Management Server or Log

Server from R80.20 and higher" on page 210.

5. Update the object version of the dedicated Log Servers and SmartEvent Servers
Important - If your Security Management Server manages dedicated Log
Servers or SmartEvent Servers, you must update the version of the
corresponding objects in SmartConsole.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server that

manages the dedicated Log Server or SmartEvent Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the object of the dedicated Log Server or SmartEvent Server.

4 From the left tree, click General Properties.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

6. Install the management database

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server.

2 In the top left corner, click Menu > Install database.

3 Select all objects.

Installation and Upgrade Guide R81 | 213

Upgrading a Security Management Server or Log Server from R80.20 and higher with CPUSE

Step Instructions

4 Click Install.

5 Click OK.

7. Install the Event Policy

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Security Management Server.

Step Instructions

1 Connect with the SmartConsole to the R81 Security Management Server.

2 In the SmartConsole, from the left navigation panel, click Logs & Monitor.

3 At the top, click + to open a new tab.

4 In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.

5 In the top left corner, click Menu > Actions > Install Event Policy.

6 Confirm.

7 Wait for these messages to appear:

SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded

8 Click Close.

9 Close the Legacy SmartEvent client.

Installation and Upgrade Guide R81 | 214

Upgrading a Security Management Server or Log Server from R80.20 and higher with CPUSE

8. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

9. In SmartConsole, install policy on all SmartLSM Security Profiles

Important - This step applies only if you enabled the SmartProvisioning
Software Blade on this Management Server.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

10. Test the functionality

Installation and Upgrade Guide R81 | 215

Upgrading a Security Management Server or Log Server from R80.20 and higher with CPUSE

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server.

2 Make sure the management database and configuration were upgraded

correctly.

Installation and Upgrade Guide R81 | 216

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Upgrading a Security Management Server or Log Server

from R80.20 and higher with Advanced Upgrade
In an advanced upgrade scenario, you perform the upgrade procedure on the same Check
Point server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n These instructions equally apply to:
l Security Management Server

l CloudGuard Controller

l Dedicated Log Server

l Dedicated SmartEvent Server

n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Management Server or Log Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Security Management Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Installation and Upgrade Guide R81 | 217

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Security Management Server, run the Pre-Upgrade Verifier and export the
entire management database

Installation and Upgrade Guide R81 | 218

Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

1 Connect to the command line on the source Security Management

Server.

2 Log in to the Expert mode.

3 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts

4 Run the Pre-Upgrade Verifier.

n If this Security Management Server is connected to the Internet,

run:
./migrate_server verify -v R81
n If this Security Management Server is not connected to the Internet,
run:
./migrate_server verify -v R81 -skip_upgrade_
tools_check
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6 Export the management database:

n If this Security Management Server is connected to the Internet,

run:
./migrate_server export -v R81 [-l | -x]
/<Full Path>/<Name of Exported File>
n If this Security Management Server is not connected to the Internet,
run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 219

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

7 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

8 Transfer the exported databases from the source Security Management

Server to an external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install a new R81 Security Management Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install in one of these ways (do not perform initial
configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing One Security Management Server only, or

Primary Security Management Server in Management High

Availability" on page 61.
Important - These options are available:
n The IP addresses of the source and target Security Management

Servers can be the same.

If in the future it is necessary to have a different IP address on the R81
Security Management Server, you can change it.
For applicable procedures, see sk40993 and sk65451.
Note that you have to issue licenses for the new IP address.
n The IP addresses of the source and target Security Management

Servers can be different.

you must create a special JSON configuration file mdss.json that
contains each server that migrates to a new IP address.
Note that you have to issue licenses for the new IP address.
You must install the new licenses only after you import the databases.

4. Get the required Upgrade Tools on the R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Installation and Upgrade Guide R81 | 220

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the target R81 Security Management Server, import the databases

Required JSON configuration file

If you installed the target R81 Security Management Server with a different IP
address than the source Security Management Server, you must create a special
JSON configuration file before you import the management database from the
source Security Management Server. Note that you have to issue licenses for the
new IP address.

Installation and Upgrade Guide R81 | 221

Upgrading a Security Management Server or Log Server from R80.20 and higher with

Important:
n If none of the servers in the same Security Management environment

changed their original IP addresses, then you do not need to create

the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Security Management environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Security Management

Server.

2 Log in to the Expert mode.

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating a single Security Management Server to a new IP
address:
[{"name":"<Name of Security Management Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of R81 Security Management Server>"}]

Installation and Upgrade Guide R81 | 222

Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

Example
There are 2 servers in the R80.30 Security Management environment
- the Security Management Server and the Log Server. The Security
Management Server migrates to a new IP address. The Log Server
remains with the original IP address.
a. The current IPv4 address of the source R80.30 Security
Management Server is:
192.168.10.21
b. The name of the source R80.30 Security Management Server
object in SmartConsole is:
MySecMgmtServer
c. The new IPv4 address of the target R81 Security Management
Server is:
172.30.40.51
d. The required syntax for the JSON configuration file you must use
on the Security Management Server and on the Log Server:
[{"name":"MySecMgmtServer","newIpAddress4":"172
.30.40.51"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Step Instructions

1 Connect to the command line on the R81 Security Management

Server.

2 Log in to the Expert mode.

3 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

4 Transfer the exported databases from an external storage to the R81

Security Management Server, to some directory.

Note - Make sure to transfer the files in the binary mode.

Installation and Upgrade Guide R81 | 223

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

5 Make sure the transferred files are not corrupted.

Calculate the MD5 for the transferred files and compare them to the
MD5 that you calculated on the original Security Management Server:
md5sum /<Full Path>/<Name of Database File>.tgz

6 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts/

7 Import the management database:

n If this Security Management Serveris connected to the Internet,

run:
./migrate_server import -v R81 [-l | -x]
/<Full Path>/<Name of Exported File>.tgz
n If this Security Management Server is not connected to the
Internet, run:
./migrate_server import -v R81 -skip_
upgrade_tools_check [-l | -x] /<Full
Path>/<Name of Exported File>.tgz
Important - The "migrate_server import" command
automatically restarts Check Point services (runs the "cpstop"
and "cpstart" commands).
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

7. Install the new licenses

Important - This step applies only if the target R81 Security Management
Server has a different IP address than the source Security Management
Server.

Step Instructions

1 Issue licenses for the new IP address in your Check Point User Center
account.

Installation and Upgrade Guide R81 | 224

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

2 Install the new licenses on the R81 Security Management Server.

You can do this either in the CLI with the "cplic put" command, or in
the Gaia Portal.

3 Wait for a couple of minutes for the Security Management Server to

detect the new licenses.
Alternatively, restart Check Point services:
cpstop
cpstart

8. Upgrade the dedicated Log Servers and dedicated SmartEvent Servers

This step is part of the upgrade procedure of a Management Server. If you upgrade a
dedicated Log Servers or SmartEvent Servers, then skip this step.

Important - If your Security Management Server manages dedicated Log

Servers or SmartEvent Servers, you must upgrade these dedicated servers
to the same version as the Security Management Server.

Follow the applicable procedure in "Upgrading a Security Management Server or Log

Server from R80.20 and higher" on page 210.

9. Update the object version of the dedicated Log Servers and SmartEvent Servers
Important - If your Security Management Server manages dedicated Log
Servers or SmartEvent Servers, you must update the version of the
corresponding objects in SmartConsole.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server that

manages the dedicated Log Server or SmartEvent Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the object of the dedicated Log Server or SmartEvent Server.

4 From the left tree, click General Properties.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

10. Install the management database

Installation and Upgrade Guide R81 | 225

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server.

2 In the top left corner, click Menu > Install database.

3 Select all objects.

4 Click Install.

5 Click OK.

11. Install the Event Policy

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Security Management Server.

Step Instructions

1 Connect with the SmartConsole to the R81 Security Management Server.

2 In the SmartConsole, from the left navigation panel, click Logs & Monitor.

3 At the top, click + to open a new tab.

4 In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.

5 In the top left corner, click Menu > Actions > Install Event Policy.

6 Confirm.

7 Wait for these messages to appear:

SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded

8 Click Close.

9 Close the Legacy SmartEvent client.

Installation and Upgrade Guide R81 | 226

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

12. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

13. In SmartConsole, install policy on all SmartLSM Security Profiles

Important - This step applies only if you enabled the SmartProvisioning
Software Blade on this Management Server.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

Installation and Upgrade Guide R81 | 227

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

14. Test the functionality on the R81 Security Management Server

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server.

2 Make sure the management database and configuration were upgraded

correctly.

Installation and Upgrade Guide R81 | 228

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Upgrading a Security Management Server or Log Server

from R80.20 and higher with Migration
In a migration and upgrade scenario, you perform the procedure on the source Check Point
server and the different target Check Point server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n These instructions equally apply to:
l Security Management Server

l Dedicated Log Server

l Dedicated SmartEvent Server

n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Management Server or Log Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Security Management Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Installation and Upgrade Guide R81 | 229

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Security Management Server, run the Pre-Upgrade Verifier and export the
entire management database

Installation and Upgrade Guide R81 | 230

Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

1 Connect to the command line on the source Security Management

Server.

2 Log in to the Expert mode.

3 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts

4 Run the Pre-Upgrade Verifier.

n If this Security Management Server is connected to the Internet,

run:
./migrate_server verify -v R81
n If this Security Management Server is not connected to the Internet,
run:
./migrate_server verify -v R81 -skip_upgrade_
tools_check
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6 Export the management database:

n If this Security Management Server is connected to the Internet,

run:
./migrate_server export -v R81 [-l | -x]
/<Full Path>/<Name of Exported File>
n If this Security Management Server is not connected to the Internet,
run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 231

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

7 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

8 Transfer the exported databases from the source Security Management

Server to an external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install a new R81 Security Management Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install in one of these ways (do not perform initial
configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing One Security Management Server only, or

Primary Security Management Server in Management High

Availability" on page 61.
Important - These options are available:
n The IP addresses of the source and target Security Management

Servers can be the same.

If in the future it is necessary to have a different IP address on the R81
Security Management Server, you can change it.
For applicable procedures, see sk40993 and sk65451.
Note that you have to issue licenses for the new IP address.
n The IP addresses of the source and target Security Management

Servers can be different.

you must create a special JSON configuration file mdss.json that
contains each server that migrates to a new IP address.
Note that you have to issue licenses for the new IP address.
You must install the new licenses only after you import the databases.

4. Get the required Upgrade Tools on the target R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Installation and Upgrade Guide R81 | 232

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the target R81 Security Management Server, import the databases

Required JSON configuration file

If you installed the target R81 Security Management Server with a different IP
address than the source Security Management Server, you must create a special
JSON configuration file before you import the management database from the
source Security Management Server. Note that you have to issue licenses for the
new IP address.

Installation and Upgrade Guide R81 | 233

Upgrading a Security Management Server or Log Server from R80.20 and higher with

Important:
n If none of the servers in the same Security Management environment

changed their original IP addresses, then you do not need to create

the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Security Management environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Security Management

Server.

2 Log in to the Expert mode.

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating a single Security Management Server to a new IP
address:
[{"name":"<Name of Security Management Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of R81 Security Management Server>"}]

Installation and Upgrade Guide R81 | 234

Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

Example
There are 2 servers in the R80.30 Security Management environment
- the Security Management Server and the Log Server. The Security
Management Server migrates to a new IP address. The Log Server
remains with the original IP address.
a. The current IPv4 address of the source R80.30 Security
Management Server is:
192.168.10.21
b. The name of the source R80.30 Security Management Server
object in SmartConsole is:
MySecMgmtServer
c. The new IPv4 address of the target R81 Security Management
Server is:
172.30.40.51
d. The required syntax for the JSON configuration file you must use
on the Security Management Server and on the Log Server:
[{"name":"MySecMgmtServer","newIpAddress4":"172
.30.40.51"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Step Instructions

1 Connect to the command line on the R81 Security Management

Server.

2 Log in to the Expert mode.

3 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

4 Transfer the exported databases from an external storage to the R81

Security Management Server, to some directory.

Note - Make sure to transfer the files in the binary mode.

Installation and Upgrade Guide R81 | 235

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

5 Make sure the transferred files are not corrupted.

Calculate the MD5 for the transferred files and compare them to the
MD5 that you calculated on the original Security Management Server:
md5sum /<Full Path>/<Name of Database File>.tgz

6 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts/

7 Import the management database:

n If this Security Management Serveris connected to the Internet,

run:
./migrate_server import -v R81 [-l | -x]
/<Full Path>/<Name of Exported File>.tgz
n If this Security Management Server is not connected to the
Internet, run:
./migrate_server import -v R81 -skip_
upgrade_tools_check [-l | -x] /<Full
Path>/<Name of Exported File>.tgz
Important - The "migrate_server import" command
automatically restarts Check Point services (runs the "cpstop"
and "cpstart" commands).
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

7. Install the new licenses

Important - This step applies only if the target R81 Security Management
Server has a different IP address than the source Security Management
Server.

Step Instructions

1 Issue licenses for the new IP address in your Check Point User Center
account.

Installation and Upgrade Guide R81 | 236

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

2 Install the new licenses on the R81 Security Management Server.

You can do this either in the CLI with the "cplic put" command, or in
the Gaia Portal.

3 Wait for a couple of minutes for the Security Management Server to

detect the new licenses.
Alternatively, restart Check Point services:
cpstop
cpstart

8. Upgrade the dedicated Log Servers and dedicated SmartEvent Servers

This step is part of the upgrade procedure of a Management Server. If you upgrade a
dedicated Log Servers or SmartEvent Servers, then skip this step.

Important - If your Security Management Server manages dedicated Log

Servers or SmartEvent Servers, you must upgrade these dedicated servers
to the same version as the Security Management Server.

Follow the applicable procedure in "Upgrading a Security Management Server or Log

Server from R80.20 and higher" on page 210.

9. Update the object version of the dedicated Log Servers and SmartEvent Servers
Important - If your Security Management Server manages dedicated Log
Servers or SmartEvent Servers, you must update the version of the
corresponding objects in SmartConsole.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server that

manages the dedicated Log Server or SmartEvent Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the object of the dedicated Log Server or SmartEvent Server.

4 From the left tree, click General Properties.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

10. Install the management database

Installation and Upgrade Guide R81 | 237

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server.

2 In the top left corner, click Menu > Install database.

3 Select all objects.

4 Click Install.

5 Click OK.

11. Install the Event Policy

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Security Management Server.

Step Instructions

1 Connect with the SmartConsole to the R81 Security Management Server.

2 In the SmartConsole, from the left navigation panel, click Logs & Monitor.

3 At the top, click + to open a new tab.

4 In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.

5 In the top left corner, click Menu > Actions > Install Event Policy.

6 Confirm.

7 Wait for these messages to appear:

SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded

8 Click Close.

9 Close the Legacy SmartEvent client.

Installation and Upgrade Guide R81 | 238

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

12. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

13. In SmartConsole, install policy on all SmartLSM Security Profiles

Important - This step applies only if you enabled the SmartProvisioning
Software Blade on this Management Server.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

Installation and Upgrade Guide R81 | 239

 Upgrading a Security Management Server or Log Server from R80.20 and higher with

14. Test the functionality on the R81 Security Management Server

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server.

2 Make sure the management database and configuration were upgraded

correctly.

15. Disconnect the old Security Management Server from the network

Disconnect the cables from the old Security Management Server.

16. Connect the new Security Management Server to the network

Connect the cables to the new Security Management Server.

Installation and Upgrade Guide R81 | 240

 Upgrading Security Management Servers in Management High Availability from R80.20 and

Upgrading Security Management Servers in Management

High Availability from R80.20 and higher
Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n These instructions equally apply to:
l Security Management Servers

l CloudGuard Controllers

n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Security Management Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Security Management Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Important - Before you can install Hotfixes on servers that work in Management High
Availability, you must upgrade all these servers.

Installation and Upgrade Guide R81 | 241

 Upgrading Security Management Servers in Management High Availability from R80.20 and

Procedure:

Step Instructions

1 Upgrade the Primary Security Management Server with one of the supported
methods.
n CPUSE
See "Upgrading a Security Management Server or Log Server from R80.20
and higher with CPUSE" on page 211
n Advanced Upgrade
See "Upgrading a Security Management Server or Log Server from R80.20
and higher with Advanced Upgrade" on page 217
n Migration
See "Upgrading a Security Management Server or Log Server from R80.20
and higher with Migration" on page 229

2 Upgrade the Secondary Security Management Server with one of the supported
methods.
Important:
n Make sure the Security Management Servers can communicate with
each other and SIC works between these servers. For details, see
sk179794.
n If you upgraded the Primary Security Management Server and
changed its IPv4 address before you upgrade the Secondary Security
Management Server, then you must put the required JSON file on the
Secondary Security Management Server. See the corresponding
section below.
n CPUSE
See "Upgrading a Security Management Server or Log Server from R80.20
and higher with CPUSE" on page 211
n Advanced Upgrade
See "Upgrading a Security Management Server or Log Server from R80.20
and higher with Advanced Upgrade" on page 217
n Migration
See "Upgrading a Security Management Server or Log Server from R80.20
and higher with Migration" on page 229

3 Get the R81 SmartConsole.

See "Installing SmartConsole" on page 100.

4 Connect with SmartConsole to the R81 Primary Security Management Server.

Installation and Upgrade Guide R81 | 242

 Upgrading Security Management Servers in Management High Availability from R80.20 and

Step Instructions

5 Update the object version of the Secondary Security Management Server:

a. From the left navigation panel, click Gateways & Servers.
b. Open the Secondary Security Management Server object.
c. From the left tree, click General Properties.
d. In the Platform section > in the Version field, select R81.
e. Click OK.

6 Make sure Secure Internal Communication (SIC) works correctly with the
Secondary Security Management Server:
a. From the left navigation panel, click Gateways & Servers.
b. Open the Secondary Security Management Server object.
c. On the General Properties page, click Communication.
d. Click Test SIC Status.
The SIC Status must show Communicating.
e. Click Close.
f. Click OK.

7 Upgrade the dedicated Log Servers and SmartEvent Servers.

Follow the applicable procedure in "Upgrading a Security Management Server or
Log Server from R80.20 and higher" on page 210.
Important - If you changed the IPv4 address of one of more Security
Management Servers during their upgrade, then you must put the required
JSON file on the dedicated Log Servers and SmartEvent Servers. See the
corresponding section below.

8 Install the management database:

a. In the top left corner, click Menu > Install database.

b. Select all objects.
c. Click Install.
d. Click OK.

Installation and Upgrade Guide R81 | 243

 Upgrading Security Management Servers in Management High Availability from R80.20 and

Step Instructions

9 Install the Event Policy.

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Security Management Server.

a. In the SmartConsole, from the left navigation panel, click Logs & Monitor.
b. At the top, click + to open a new tab.
c. In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.
d. In the top left corner, click Menu > Actions > Install Event Policy.
e. Confirm.
f. Wait for these messages to appear:
SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded
g. Click Close.
h. Close the Legacy SmartEvent client.

10 Reconfigure the Log Exporter:

a. Connect to the command line on the server.
b. Log in to the Expert mode.
c. Restore the Log Exporter configuration as described in sk127653.
d. Reconfigure the Log Exporter:
cp_log_export reconf
e. Restart the Log Exporter:
cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide
> Chapter Log Exporter

11 Synchronize the Security Management Servers:

a. In the top left corner, click Menu > Management High Availability.
b. In the Peers section, click Actions > Sync Peer.
c. The status must show Successfully synced for all peers.

Required JSON configuration file

If you installed the target R81 Security Management Server with a different IP address than
the source Security Management Server, you must create a special JSON configuration
file before you import the management database from the source Security Management
Server. Note that you have to issue licenses for the new IP address.

Installation and Upgrade Guide R81 | 244

Upgrading Security Management Servers in Management High Availability from R80.20 and

Important:
n If none of the servers in the same Security Management environment
changed their original IP addresses, then you do not need to create the
special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the other
servers (including all Log Servers and SmartEvent Servers) must get this
configuration file for the import process.
You must use the same JSON configuration file on all servers (including
Log Servers and SmartEvent Servers) in the same Security Management
environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Security Management Server.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 245

Upgrading Security Management Servers in Management High Availability from R80.20 and

Step Instructions

3 Create the /var/log/mdss.json file that contains each server that migrates
to a new IP address.
Format for migrating only the Primary Security Management Server to a new IP
address

[{"name":"<Name of Primary Security Management Server

Object in SmartConsole>","newIpAddress4":"<New IPv4
Address of Primary R81 Security Management Server"}]

Format for migrating both the Primary and the Secondary Security Management
Server to new IP addresses

[{"name":"<Name of Primary Security Management Server

Object in SmartConsole>","newIpAddress4":"<New IPv4
Address of Primary R81 Security Management Server"},
{"name":"<Name of Secondary Security Management Server
Object in SmartConsole>","newIpAddress4":"<New IPv4
Address of Secondary R81 Security Management Server"}]

Format for migrating both the Primary and the Secondary Security Management
Servers, and the Log Server to new IP addresses

[{"name":"<Name of Primary Security Management Server

Object in SmartConsole>","newIpAddress4":"<New IPv4
Address of Primary R81 Security Management Server"},
{"name":"<Name of Secondary Security Management Server
Object in SmartConsole>","newIpAddress4":"<New IPv4
Address of Secondary R81 Security Management Server"},
{"name":"<Name of Security Management Server Object in
SmartConsole>","newIpAddress4":"<New IPv4 Address of
R81 Security Management Server"}]

Installation and Upgrade Guide R81 | 246

Upgrading Security Management Servers in Management High Availability from R80.20 and

Step Instructions

Example
There are 3 servers in the R80.30 Security Management environment - the
Primary Security Management Server, the Secondary Security Management
Server, and the Log Server. Both the Primary and the Secondary Security
Management Servers migrate to new IP addresses. The Log Server remains
with the original IP address.
a. The current IPv4 address of the source Primary R80.30 Security
Management Server is:
192.168.10.21
b. The current IPv4 address of the source Secondary R80.30 Security
Management Server is:
192.168.10.22
c. The name of the source Primary R80.30 Security Management Server
object in SmartConsole is:
MyPrimarySecMgmtServer
d. The name of the source Secondary R80.30 Security Management
Server object in SmartConsole is:
MySecondarySecMgmtServer
e. The new IPv4 address of the target Primary R81 Security Management
Server is:
172.30.40.51
f. The new IPv4 address of the target Secondary R81 Security
Management Server is:
172.30.40.52
g. The required syntax for the JSON configuration file you must use on both
the Primary and the Secondary Security Management Servers, and on
the Log Server:
[{"name":"MyPrimarySecMgmtServer","newIpAddress4":"17
2.30.40.51"},
{"name":"MySecondarySecMgmtServer","newIpAddress4":"1
72.30.40.52"}]
Important - All servers in this environment must get this same
information.

Installation and Upgrade Guide R81 | 247

 Upgrade of Multi-Domain Servers and Multi-Domain Log Servers

Upgrade of Multi-Domain Servers

and Multi-Domain Log Servers
This section provides instructions to upgrade Multi-Domain Servers and Multi-Domain Log
Servers:
n "Upgrading one Multi-Domain Server from R80.20 and higher" on page 249
n "Upgrading Multi-Domain Servers in High Availability from R80.20 and higher" on
page 273
n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on page 328

Installation and Upgrade Guide R81 | 248

 Upgrading one Multi-Domain Server from R80.20 and higher

Upgrading one Multi-Domain Server from

R80.20 and higher
This section provides instructions to upgrade Multi-Domain Servers from R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions:
n "Upgrading one Multi-Domain Server from R80.20 and higher with CPUSE" on page 250
n "Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade"
on page 255
n "Upgrading one Multi-Domain Server from R80.20 and higher with Migration" on
page 264
For additional information related to these upgrade procedures, see sk163814.

Installation and Upgrade Guide R81 | 249

 Upgrading one Multi-Domain Server from R80.20 and higher with CPUSE

Upgrading one Multi-Domain Server from R80.20 and

higher with CPUSE
In a CPUSE upgrade scenario, you perform the upgrade procedure on the same Multi-Domain
Server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Installation and Upgrade Guide R81 | 250

 Upgrading one Multi-Domain Server from R80.20 and higher with CPUSE

Important - Before you upgrade a Multi-Domain Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 If there are Global Policies configured on the Global Domain:

a. Connect with SmartConsole to the Global Domain on your source
Multi-Domain Server.
b. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you
complete the upgrade to the next available version. This is necessary to
avoid any potential issues caused by different policy revisions on the
Global Domain and on other Domains.

5 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Server.

6 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

7 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

8 In Management High Availability, before you start the upgrade on other

servers:
a. Make sure the Primary Multi-Domain Server is upgraded and runs.
b. Make sure the Multi-Domain Security Management Servers can
communicate with each other and SIC works between these servers.
For details, see sk179794.

Installation and Upgrade Guide R81 | 251

 Upgrading one Multi-Domain Server from R80.20 and higher with CPUSE

Procedure:
1. Get the required Upgrade Tools on the server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. Upgrade the Multi-Domain Server with CPUSE

Installation and Upgrade Guide R81 | 252

 Upgrading one Multi-Domain Server from R80.20 and higher with CPUSE

See "Installing Software Packages on Gaia" on page 185 and follow the applicable
action plan.

3. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

4. Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated
SmartEvent Servers
Important - If your Multi-Domain Server manages Multi-Domain Log Servers,
dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade
these dedicated servers to the same version as the Multi-Domain Server.

Select the applicable upgrade option:

n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on page 328
n "Upgrading a Security Management Server or Log Server from R80.20 and
higher" on page 210

5. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

Installation and Upgrade Guide R81 | 253

 Upgrading one Multi-Domain Server from R80.20 and higher with CPUSE

6. In SmartConsole of each applicable Domain Management Server, install policy on all

SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that
manages SmartLSM Security Profiles.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

7. Test the functionality on the R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server.

2 Make sure the management database and configuration were upgraded

correctly.

Installation and Upgrade Guide R81 | 254

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Upgrading one Multi-Domain Server from R80.20 and

higher with Advanced Upgrade
In an advanced upgrade scenario, you perform the upgrade procedure on the same Multi-
Domain Server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Installation and Upgrade Guide R81 | 255

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Important - Before you upgrade a Multi-Domain Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 If there are Global Policies configured on the Global Domain:

a. Connect with SmartConsole to the Global Domain on your source
Multi-Domain Server.
b. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you
complete the upgrade to the next available version. This is necessary to
avoid any potential issues caused by different policy revisions on the
Global Domain and on other Domains.

5 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Server.

6 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

7 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

8 In Management High Availability, before you start the upgrade on other

servers:
a. Make sure the Primary Multi-Domain Server is upgraded and runs.
b. Make sure the Multi-Domain Security Management Servers can
communicate with each other and SIC works between these servers.
For details, see sk179794.

Installation and Upgrade Guide R81 | 256

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Multi-Domain Server, run the Pre-Upgrade Verifier and export the entire
management database

Installation and Upgrade Guide R81 | 257

Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Step Instructions

1 Connect to the command line on the current Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

7 Export the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

8 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

Installation and Upgrade Guide R81 | 258

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Step Instructions

9 Transfer the exported databases from the source Multi-Domain Server to

an external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install a new R81 Multi-Domain Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install in one of these ways (do not perform initial
configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing One Multi-Domain Server Only, or Primary Multi-

Domain Server in Management High Availability" on page 77.

Important - If it is necessary to have a different IP address on the new R81

server, you have to issue licenses for the new IP address.

4. Get the required Upgrade Tools on the R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

Installation and Upgrade Guide R81 | 259

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Step Instructions

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the R81 Multi-Domain Server, import the databases

Step Instructions

1 Connect to the command line on the R81 Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

Installation and Upgrade Guide R81 | 260

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Step Instructions

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that
you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/<Name of Exported File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

8 Import the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>.tgz
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server import -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>.tgz
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

9 Make sure that all the required daemons (FWM, FWD, CPD, and CPCA)
are in the state "up" and show their PID (the "pnd" state is also
acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in
the state "down", then wait for 5-10 minutes, restart that Domain
Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain
Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

7. Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated
SmartEvent Servers

Installation and Upgrade Guide R81 | 261

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

Important - If your Multi-Domain Server manages Multi-Domain Log Servers,

dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade
these dedicated servers to the same version as the Multi-Domain Server.

Select the applicable upgrade option:

n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on page 328
n "Upgrading a Security Management Server or Log Server from R80.20 and
higher" on page 210

8. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

Installation and Upgrade Guide R81 | 262

 Upgrading one Multi-Domain Server from R80.20 and higher with Advanced Upgrade

9. In SmartConsole of each applicable Domain Management Server, install policy on all

SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that
manages SmartLSM Security Profiles.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

10. Test the functionality on the R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server.

2 Make sure the management database and configuration were upgraded

correctly.

Installation and Upgrade Guide R81 | 263

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Upgrading one Multi-Domain Server from R80.20 and

higher with Migration
In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain
Server and the different target Multi-Domain Server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Installation and Upgrade Guide R81 | 264

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Important - Before you upgrade a Multi-Domain Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 If there are Global Policies configured on the Global Domain:

a. Connect with SmartConsole to the Global Domain on your source
Multi-Domain Server.
b. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you
complete the upgrade to the next available version. This is necessary to
avoid any potential issues caused by different policy revisions on the
Global Domain and on other Domains.

5 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Server.

6 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

7 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

8 In Management High Availability, before you start the upgrade on other

servers:
a. Make sure the Primary Multi-Domain Server is upgraded and runs.
b. Make sure the Multi-Domain Security Management Servers can
communicate with each other and SIC works between these servers.
For details, see sk179794.

Installation and Upgrade Guide R81 | 265

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Multi-Domain Server, run the Pre-Upgrade Verifier and export the entire
management database

Installation and Upgrade Guide R81 | 266

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Step Instructions

1 Connect to the command line on the current Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

7 Export the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

8 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

Installation and Upgrade Guide R81 | 267

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Step Instructions

9 Transfer the exported databases from the source Multi-Domain Server to

an external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install a new R81 Multi-Domain Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install in one of these ways (do not perform initial
configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing One Multi-Domain Server Only, or Primary Multi-

Domain Server in Management High Availability" on page 77.

Important - If it is necessary to have a different IP address on the new R81

server, you have to issue licenses for the new IP address.

4. Get the required Upgrade Tools on the R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

Installation and Upgrade Guide R81 | 268

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Step Instructions

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the R81 Multi-Domain Server, import the databases

Step Instructions

1 Connect to the command line on the R81 Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

Installation and Upgrade Guide R81 | 269

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Step Instructions

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that
you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/<Name of Exported File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

8 Import the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>.tgz
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server import -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>.tgz
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

9 Make sure that all the required daemons (FWM, FWD, CPD, and CPCA)
are in the state "up" and show their PID (the "pnd" state is also
acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in
the state "down", then wait for 5-10 minutes, restart that Domain
Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain
Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

7. Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated
SmartEvent Servers

Installation and Upgrade Guide R81 | 270

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

Important - If your Multi-Domain Server manages Multi-Domain Log Servers,

dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade
these dedicated servers to the same version as the Multi-Domain Server.

Select the applicable upgrade option:

n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on page 328
n "Upgrading a Security Management Server or Log Server from R80.20 and
higher" on page 210

8. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

Installation and Upgrade Guide R81 | 271

 Upgrading one Multi-Domain Server from R80.20 and higher with Migration

9. In SmartConsole of each applicable Domain Management Server, install policy on all

SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that
manages SmartLSM Security Profiles.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

10. Test the functionality on the R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server.

2 Make sure the management database and configuration were upgraded

correctly.

11. Disconnect the old Multi-Domain Server from the network

Disconnect the network cables the old Multi-Domain Server.

12. Connect the new Multi-Domain Server to the network

Connect the network cables to the new Multi-Domain Server.

Installation and Upgrade Guide R81 | 272

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher

Upgrading Multi-Domain Servers in High

Availability from R80.20 and higher
This section provides instructions to upgrade Multi-Domain Servers in High Availability from
R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions:
n "Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
CPUSE" on page 274
n "Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
Advanced Upgrade" on page 281
n "Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with
Migration" on page 304
n "Managing Domain Management Servers During the Upgrade Process" on page 327
For additional information related to these upgrade procedures, see sk163814.
For configuration information, see the R81 Multi-Domain Security Management Administration
Guide.

Important - Before you can install Hotfixes on servers that work in Management High
Availability, you must upgrade all these servers.

Installation and Upgrade Guide R81 | 273

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

Upgrading Multi-Domain Servers in High Availability from

R80.20 and higher with CPUSE
In a CPUSE upgrade scenario, you perform the upgrade procedure on the same Multi-Domain
Servers.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Installation and Upgrade Guide R81 | 274

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

Important - Before you upgrade Multi-Domain Servers:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 If there are Global Policies configured on the Global Domain:

a. Connect with SmartConsole to the Global Domain on your source
Multi-Domain Server.
b. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you
complete the upgrade to the next available version. This is necessary to
avoid any potential issues caused by different policy revisions on the
Global Domain and on other Domains.

5 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Server.

6 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

7 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

8 In Management High Availability, before you start the upgrade on other

servers:
a. Make sure the Primary Multi-Domain Server is upgraded and runs.
b. Make sure the Multi-Domain Security Management Servers can
communicate with each other and SIC works between these servers.
For details, see sk179794.

Important - Before you can install Hotfixes on servers that work in Management High
Availability, you must upgrade all these servers.

Installation and Upgrade Guide R81 | 275

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

Procedure:
1. If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain
Server to be the Primary

For instructions, see the R81 Multi-Domain Security Management Administration

Guide - Chapter Working with High Availability - Section Failure Recovery -
Subsection Promoting the Secondary Multi-Domain Server to Primary.

2. Make sure the Global Domain is Active on the Primary Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the Primary Multi-Domain Server.

2 From the left navigation panel, click Multi Domain > Domains.
The table shows Domains and Multi-Domain Servers:
n Every column shows a Multi-Domain Server.
n Active Domain Management Servers (for a Domain) are marked

with a solid black "barrel" icon.

n Standby Domain Management Servers (for a Domain) are marked

with an empty "barrel" icon.

3 In the leftmost column Domains, examine the bottom row Global for the
Primary Multi-Domain Server.
If the Global Domain is in the Standby state on the Primary Multi-Domain
Server (marked with an empty "barrel" icon), then make it Active:
a. Right-click on the Primary Multi-Domain Server and click Connect
to Domain Server.
The High Availability Status window opens.
b. In the section Connected To, click Actions > Set Active.
c. Click Yes to confirm.
d. Wait for the full synchronization to complete.
e. Close SmartConsole.

3. Get the required Upgrade Tools on the Primary Multi-Domain Server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

Installation and Upgrade Guide R81 | 276

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

Step Instructions

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

4. Upgrade the Primary Multi-Domain Server with CPUSE

See "Installing Software Packages on Gaia" on page 185 and follow the applicable
action plan.

5. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

6. Get the required Upgrade Tools on the Secondary Multi-Domain Server

Note - This step is needed only to be able to export the entire management
database (for backup purposes) with the latest Upgrade Tools.

Installation and Upgrade Guide R81 | 277

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

Important - See "Upgrade Tools" on page 207 to understand if your server

can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

7. Upgrade the Secondary Multi-Domain Server with CPUSE

See "Installing Software Packages on Gaia" on page 185 and follow the applicable
action plan.

8. Update the object version of the Secondary Multi-Domain Server

Installation and Upgrade Guide R81 | 278

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

Step Instructions

1 Connect with SmartConsole to the R81 Primary Multi-Domain Server.

2 From the left navigation panel, click Multi-Domain > Domains.

3 From the top toolbar, open the Secondary Multi-Domain Server object.

4 From the left tree, click General.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

9. Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated
SmartEvent Servers
Important - If your Multi-Domain Server manages Multi-Domain Log Servers,
dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade
these dedicated servers to the same version as the Multi-Domain Server.

Select the applicable upgrade option:

n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on page 328
n "Upgrading a Security Management Server or Log Server from R80.20 and
higher" on page 210

10. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

Installation and Upgrade Guide R81 | 279

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

11. In SmartConsole of each applicable Domain Management Server, install policy on all
SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that
manages SmartLSM Security Profiles.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

12. Test the functionality on the Primary R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the Primary R81 Multi-Domain Server.

2 Make sure the management database and configuration were upgraded

correctly.

3 Test the Management High Availability functionality.

Installation and Upgrade Guide R81 | 280

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Upgrading Multi-Domain Servers in High Availability from

R80.20 and higher with Advanced Upgrade
In an advanced upgrade scenario, you perform the upgrade procedure on the same Multi-
Domain Servers.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Installation and Upgrade Guide R81 | 281

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Important - Before you upgrade Multi-Domain Servers:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 If there are Global Policies configured on the Global Domain:

a. Connect with SmartConsole to the Global Domain on your source
Multi-Domain Server.
b. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you
complete the upgrade to the next available version. This is necessary to
avoid any potential issues caused by different policy revisions on the
Global Domain and on other Domains.

5 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Server.

6 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

7 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

8 In Management High Availability, before you start the upgrade on other

servers:
a. Make sure the Primary Multi-Domain Server is upgraded and runs.
b. Make sure the Multi-Domain Security Management Servers can
communicate with each other and SIC works between these servers.
For details, see sk179794.

Important - Before you can install Hotfixes on servers that work in Management High
Availability, you must upgrade all these servers.

Installation and Upgrade Guide R81 | 282

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Procedure:
1. If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain
Server to be the Primary

For instructions, see the R81 Multi-Domain Security Management Administration

Guide - Chapter Working with High Availability - Section Failure Recovery -
Subsection Promoting the Secondary Multi-Domain Server to Primary.

2. Make sure the Global Domain is Active on the Primary Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the Primary Multi-Domain Server.

2 From the left navigation panel, click Multi Domain > Domains.
The table shows Domains and Multi-Domain Servers:
n Every column shows a Multi-Domain Server.
n Active Domain Management Servers (for a Domain) are marked

with a solid black "barrel" icon.

n Standby Domain Management Servers (for a Domain) are marked

with an empty "barrel" icon.

3 In the leftmost column Domains, examine the bottom row Global for the
Primary Multi-Domain Server.
If the Global Domain is in the Standby state on the Primary Multi-Domain
Server (marked with an empty "barrel" icon), then make it Active:
a. Right-click on the Primary Multi-Domain Server and click Connect
to Domain Server.
The High Availability Status window opens.
b. In the section Connected To, click Actions > Set Active.
c. Click Yes to confirm.
d. Wait for the full synchronization to complete.
e. Close SmartConsole.

3. Get the required Upgrade Tools on the Primary and on the Secondary Multi-Domain

Installation and Upgrade Guide R81 | 283

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Servers
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

4. On the Primary Multi-Domain Server, run the Pre-Upgrade Verifier

Step Instructions

1 Connect to the command line on the current Multi-Domain Server.

Installation and Upgrade Guide R81 | 284

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

5. On the Secondary Multi-Domain Server, run the Pre-Upgrade Verifier

Step Instructions

1 Connect to the command line on the current Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 285

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6. On the Primary Multi-Domain Server, export the entire management database

Step Instructions

1 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

2 Export the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/Primary_<Name of Exported File>
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/Primary_
<Name of Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

3 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/Primary_<Name of Database
File>.tgz

4 Transfer the exported databases from the source Multi-Domain Server to

an external storage:
/<Full Path>/Primary_<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

7. On the Secondary Multi-Domain Server, export the entire management database

Installation and Upgrade Guide R81 | 286

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

1 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

2 Export the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/Secondary_<Name of Exported File>
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/Secondary_
<Name of Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

3 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/Secondary_<Name of Database
File>.tgz

4 Transfer the exported databases from the source Multi-Domain Server to

an external storage:
/<Full Path>/Secondary_<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

8. Install the Primary R81 Multi-Domain Server

Step Instructions

1 See the R81 Release Notes for requirements.

Installation and Upgrade Guide R81 | 287

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

2 n If you upgrade from R80.20, R80.20.M2, and higher versions, you

can follow one of these procedures:
l "Installing Software Packages on Gaia" on page 185.

Select the R81 package and perform Upgrade. See sk92449

for detailed steps.
l "Installing One Multi-Domain Server Only, or Primary Multi-

Domain Server in Management High Availability" on page 77.

Do not perform initial configuration in SmartConsole.
n If you upgrade from R80.20.M1 version, you must follow this
procedure:
l "Installing a Secondary Multi-Domain Server in Management

High Availability" on page 79.

Do not perform initial configuration in SmartConsole.
Important - The IP addresses of the source and target server can be
different. If it is necessary to have a different IP address on the target R81
server, you must create a special JSON configuration file before you
import the management database from the source server.
Note that you have to issue licenses for the new IP address.
You must use the same JSON configuration file on all servers in the same
Multi-Domain Security Management environment.

9. Get the required Upgrade Tools on the Primary server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

Installation and Upgrade Guide R81 | 288

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

10. On the Primary R81 Multi-Domain Server, import the databases

Required JSON configuration file

If you installed the target R81 Multi-Domain Server with a different IP address than
the source Multi-Domain Server, you must create a special JSON configuration
file before you import the management database from the source Multi-Domain
Server. Note that you have to issue licenses for the new IP address.

Important:
n If none of the servers in the same Multi-Domain Security

Management environment changed their original IP addresses, then

you do not need to create the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Multi-Domain Security Management environment.

Installation and Upgrade Guide R81 | 289

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Multi-Domain Server.

2 Log in to the Expert mode.

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating only the Primary Multi-Domain Server to a new IP
address

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers, and the Multi-Domain Log Server to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"},
{"name":"<Name of Multi-Domain Log Server Object
in SmartConsole>","newIpAddress4":"<New IPv4
Address of R81 Multi-Domain Log Server"}]

Installation and Upgrade Guide R81 | 290

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

Example
There are 3 servers in the R80.30 Multi-Domain Security Management
environment - the Primary Multi-Domain Server, the Secondary Multi-
Domain Server, and the Multi-Domain Log Server. Both the Primary
and the Secondary Multi-Domain Servers migrate to new IP
addresses. The Multi-Domain Log Server remains with the original IP
address.
a. The current IPv4 address of the source Primary R80.30 Multi-
Domain Server is:
192.168.10.21
b. The current IPv4 address of the source Secondary R80.30 Multi-
Domain Server is:
192.168.10.22
c. The name of the source Primary R80.30 Multi-Domain Server
object in SmartConsole is:
MyPrimaryMDS
d. The name of the source Secondary R80.30 Multi-Domain Server
object in SmartConsole is:
MySecondaryMDS
e. The new IPv4 address of the target Primary R81 Multi-Domain
Server is:
172.30.40.51
f. The new IPv4 address of the target Secondary R81 Multi-
Domain Server is:
172.30.40.52
g. The required syntax for the JSON configuration file you must use
on both the Primary and the Secondary Multi-Domain Servers,
and on the Multi-Domain Log Server:
[{"name":"MyPrimaryMDS","newIpAddress4":"172.3
0.40.51"},
{"name":"MySecondaryMDS","newIpAddress4":"172.
30.40.52"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Installation and Upgrade Guide R81 | 291

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

1 Connect to the command line the Primary R81 Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5
that you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/Primary_<Name of Exported
File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

Installation and Upgrade Guide R81 | 292

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

8 Import the management database:

n If this Multi-Domain Server is connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/Primary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
/var/log/mdss.json /<Full Path>/Primary_
<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
n If this Multi-Domain Server is not connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 -skip_

upgrade_tools_check [-l | -x] /<Full
Path>/Primary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
-skip_upgrade_tools_check
/var/log/mdss.json /<Full Path>/Primary_
<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 293

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

9 Make sure that all the required daemons (FWM, FWD, CPD, and
CPCA) are in the state "up" and show their PID (the "pnd" state is also
acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are
in the state "down", then wait for 5-10 minutes, restart that Domain
Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain
Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

11. Install the Secondary R81 Multi-Domain Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 n If you upgrade from R80.20, R80.20.M2, and higher versions, you

can follow one of these procedures:
l "Installing Software Packages on Gaia" on page 185.

Select the R81 package and perform Upgrade. See sk92449

for detailed steps.
l "Installing a Secondary Multi-Domain Server in Management

High Availability" on page 79.

Do not perform initial configuration in SmartConsole.
n If you upgrade from R80.20.M1 version, you must follow this
procedure:
l "Installing a Secondary Multi-Domain Server in Management

High Availability" on page 79.

Do not perform initial configuration in SmartConsole.
Important - The IP addresses of the source and target server can be
different. If it is necessary to have a different IP address on the target R81
server, you must create a special JSON configuration file before you
import the management database from the source server.
Note that you have to issue licenses for the new IP address.
You must use the same JSON configuration file on all servers in the same
Multi-Domain Security Management environment.

12. Get the required Upgrade Tools on the Secondary R81 Multi-Domain Server

Installation and Upgrade Guide R81 | 294

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Note - This step is needed only to be able to export the entire management
database (for backup purposes) with the latest Upgrade Tools.
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

13. On the Secondary R81 Multi-Domain Server, import the databases

Required JSON configuration file

Installation and Upgrade Guide R81 | 295

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

If you installed the target R81 Multi-Domain Server with a different IP address than
the source Multi-Domain Server, you must create a special JSON configuration
file before you import the management database from the source Multi-Domain
Server. Note that you have to issue licenses for the new IP address.

Important:
n If none of the servers in the same Multi-Domain Security

Management environment changed their original IP addresses, then

you do not need to create the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Multi-Domain Security Management environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Multi-Domain Server.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 296

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating only the Primary Multi-Domain Server to a new IP
address

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers, and the Multi-Domain Log Server to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"},
{"name":"<Name of Multi-Domain Log Server Object
in SmartConsole>","newIpAddress4":"<New IPv4
Address of R81 Multi-Domain Log Server"}]

Installation and Upgrade Guide R81 | 297

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

Example
There are 3 servers in the R80.30 Multi-Domain Security Management
environment - the Primary Multi-Domain Server, the Secondary Multi-
Domain Server, and the Multi-Domain Log Server. Both the Primary
and the Secondary Multi-Domain Servers migrate to new IP
addresses. The Multi-Domain Log Server remains with the original IP
address.
a. The current IPv4 address of the source Primary R80.30 Multi-
Domain Server is:
192.168.10.21
b. The current IPv4 address of the source Secondary R80.30 Multi-
Domain Server is:
192.168.10.22
c. The name of the source Primary R80.30 Multi-Domain Server
object in SmartConsole is:
MyPrimaryMDS
d. The name of the source Secondary R80.30 Multi-Domain Server
object in SmartConsole is:
MySecondaryMDS
e. The new IPv4 address of the target Primary R81 Multi-Domain
Server is:
172.30.40.51
f. The new IPv4 address of the target Secondary R81 Multi-
Domain Server is:
172.30.40.52
g. The required syntax for the JSON configuration file you must use
on both the Primary and the Secondary Multi-Domain Servers,
and on the Multi-Domain Log Server:
[{"name":"MyPrimaryMDS","newIpAddress4":"172.3
0.40.51"},
{"name":"MySecondaryMDS","newIpAddress4":"172.
30.40.52"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Installation and Upgrade Guide R81 | 298

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

1 Connect to the command line the Secondary R81 Multi-Domain

Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5
that you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/Secondary_<Name of Exported
File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

Installation and Upgrade Guide R81 | 299

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

8 Import the management database:

n If this Multi-Domain Server is connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/Secondary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
/var/log/mdss.json /<Full
Path>/Secondary_<Name of Exported
File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
n If this Multi-Domain Server is not connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 -skip_

upgrade_tools_check [-l | -x] /<Full
Path>/Secondary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
-skip_upgrade_tools_check
/var/log/mdss.json /<Full
Path>/Secondary_<Name of Exported
File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 300

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

Step Instructions

9 Make sure that all the required daemons (FWM, FWD, CPD, and
CPCA) are in the state "up" and show their PID (the "pnd" state is also
acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are
in the state "down", then wait for 5-10 minutes, restart that Domain
Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain
Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

14. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

15. Update the object version of the Secondary Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Primary Multi-Domain Server.

2 From the left navigation panel, click Multi-Domain > Domains.

3 From the top toolbar, open the Secondary Multi-Domain Server object.

4 From the left tree, click General.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

16. Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated
SmartEvent Servers
Important - If your Multi-Domain Server manages Multi-Domain Log Servers,
dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade
these dedicated servers to the same version as the Multi-Domain Server.

Select the applicable upgrade option:

Installation and Upgrade Guide R81 | 301

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on page 328
n "Upgrading a Security Management Server or Log Server from R80.20 and
higher" on page 210

17. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

Installation and Upgrade Guide R81 | 302

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced

18. In SmartConsole of each applicable Domain Management Server, install policy on all
SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that
manages SmartLSM Security Profiles.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

19. Test the functionality on the Primary R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the Primary R81 Multi-Domain Server.

2 Make sure the management database and configuration were upgraded

correctly.

3 Test the Management High Availability functionality.

Installation and Upgrade Guide R81 | 303

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Upgrading Multi-Domain Servers in High Availability from

R80.20 and higher with Migration
In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain
Servers and the different target Multi-Domain Servers.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Installation and Upgrade Guide R81 | 304

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Important - Before you upgrade Multi-Domain Servers:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 If there are Global Policies configured on the Global Domain:

a. Connect with SmartConsole to the Global Domain on your source
Multi-Domain Server.
b. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you
complete the upgrade to the next available version. This is necessary to
avoid any potential issues caused by different policy revisions on the
Global Domain and on other Domains.

5 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Server.

6 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

7 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

8 In Management High Availability, before you start the upgrade on other

servers:
a. Make sure the Primary Multi-Domain Server is upgraded and runs.
b. Make sure the Multi-Domain Security Management Servers can
communicate with each other and SIC works between these servers.
For details, see sk179794.

Important - Before you can install Hotfixes on servers that work in Management High
Availability, you must upgrade all these servers.

Installation and Upgrade Guide R81 | 305

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Procedure:
1. If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain
Server to be the Primary

For instructions, see the R81 Multi-Domain Security Management Administration

Guide - Chapter Working with High Availability - Section Failure Recovery -
Subsection Promoting the Secondary Multi-Domain Server to Primary.

2. Make sure the Global Domain is Active on the Primary Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the Primary Multi-Domain Server.

2 From the left navigation panel, click Multi Domain > Domains.
The table shows Domains and Multi-Domain Servers:
n Every column shows a Multi-Domain Server.
n Active Domain Management Servers (for a Domain) are marked

with a solid black "barrel" icon.

n Standby Domain Management Servers (for a Domain) are marked

with an empty "barrel" icon.

3 In the leftmost column Domains, examine the bottom row Global for the
Primary Multi-Domain Server.
If the Global Domain is in the Standby state on the Primary Multi-Domain
Server (marked with an empty "barrel" icon), then make it Active:
a. Right-click on the Primary Multi-Domain Server and click Connect
to Domain Server.
The High Availability Status window opens.
b. In the section Connected To, click Actions > Set Active.
c. Click Yes to confirm.
d. Wait for the full synchronization to complete.
e. Close SmartConsole.

3. Get the required Upgrade Tools on the Primary and on the Secondary Multi-Domain

Installation and Upgrade Guide R81 | 306

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Servers
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

4. On the Primary Multi-Domain Server, run the Pre-Upgrade Verifier

Step Instructions

1 Connect to the command line on the current Multi-Domain Server.

Installation and Upgrade Guide R81 | 307

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

5. On the Secondary Multi-Domain Server, run the Pre-Upgrade Verifier

Step Instructions

1 Connect to the command line on the current Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 308

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6. On the Primary Multi-Domain Server, export the entire management database

Step Instructions

1 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

2 Export the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/Primary_<Name of Exported File>
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/Primary_
<Name of Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

3 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/Primary_<Name of Database
File>.tgz

4 Transfer the exported databases from the source Multi-Domain Server to

an external storage:
/<Full Path>/Primary_<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

7. On the Secondary Multi-Domain Server, export the entire management database

Installation and Upgrade Guide R81 | 309

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

1 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

2 Export the management database:

n If this Multi-Domain Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/Secondary_<Name of Exported File>
n If this Multi-Domain Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/Secondary_
<Name of Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

3 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/Secondary_<Name of Database
File>.tgz

4 Transfer the exported databases from the source Multi-Domain Server to

an external storage:
/<Full Path>/Secondary_<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

8. Install another Primary R81 Multi-Domain Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install on another server in one of these ways:

Important - Do not perform initial configuration in SmartConsole.
n Follow "Installing Software Packages on Gaia" on page 185.

Select the R81 package and perform Clean Install. See sk92449
for detailed steps.
n Follow "Installing One Multi-Domain Server Only, or Primary Multi-

Domain Server in Management High Availability" on page 77.

Installation and Upgrade Guide R81 | 310

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Important - The IP addresses of the source and target server can be

different. If it is necessary to have a different IP address on the target R81
server, you must create a special JSON configuration file before you
import the management database from the source server.
Note that you have to issue licenses for the new IP address.
You must use the same JSON configuration file on all servers (including
Log Servers and SmartEvent Servers) in the same Multi-Domain Security
Management environment.

9. Get the required Upgrade Tools on the Primary server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Installation and Upgrade Guide R81 | 311

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

10. On the Primary R81 Multi-Domain Server, import the databases

Required JSON configuration file

If you installed the target R81 Multi-Domain Server with a different IP address than
the source Multi-Domain Server, you must create a special JSON configuration
file before you import the management database from the source Multi-Domain
Server. Note that you have to issue licenses for the new IP address.

Important:
n If none of the servers in the same Multi-Domain Security

Management environment changed their original IP addresses, then

you do not need to create the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Multi-Domain Security Management environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Multi-Domain Server.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 312

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating only the Primary Multi-Domain Server to a new IP
address

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers, and the Multi-Domain Log Server to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"},
{"name":"<Name of Multi-Domain Log Server Object
in SmartConsole>","newIpAddress4":"<New IPv4
Address of R81 Multi-Domain Log Server"}]

Installation and Upgrade Guide R81 | 313

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

Example
There are 3 servers in the R80.30 Multi-Domain Security Management
environment - the Primary Multi-Domain Server, the Secondary Multi-
Domain Server, and the Multi-Domain Log Server. Both the Primary
and the Secondary Multi-Domain Servers migrate to new IP
addresses. The Multi-Domain Log Server remains with the original IP
address.
a. The current IPv4 address of the source Primary R80.30 Multi-
Domain Server is:
192.168.10.21
b. The current IPv4 address of the source Secondary R80.30 Multi-
Domain Server is:
192.168.10.22
c. The name of the source Primary R80.30 Multi-Domain Server
object in SmartConsole is:
MyPrimaryMDS
d. The name of the source Secondary R80.30 Multi-Domain Server
object in SmartConsole is:
MySecondaryMDS
e. The new IPv4 address of the target Primary R81 Multi-Domain
Server is:
172.30.40.51
f. The new IPv4 address of the target Secondary R81 Multi-
Domain Server is:
172.30.40.52
g. The required syntax for the JSON configuration file you must use
on both the Primary and the Secondary Multi-Domain Servers,
and on the Multi-Domain Log Server:
[{"name":"MyPrimaryMDS","newIpAddress4":"172.3
0.40.51"},
{"name":"MySecondaryMDS","newIpAddress4":"172.
30.40.52"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Installation and Upgrade Guide R81 | 314

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

1 Connect to the command line the Primary R81 Multi-Domain Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5
that you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/Primary_<Name of Exported
File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

Installation and Upgrade Guide R81 | 315

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

8 Import the management database:

n If this Multi-Domain Server is connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/Primary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
/var/log/mdss.json /<Full Path>/Primary_
<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
n If this Multi-Domain Server is not connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 -skip_

upgrade_tools_check [-l | -x] /<Full
Path>/Primary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
-skip_upgrade_tools_check
/var/log/mdss.json /<Full Path>/Primary_
<Name of Exported File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 316

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

9 Make sure that all the required daemons (FWM, FWD, CPD, and
CPCA) are in the state "up" and show their PID (the "pnd" state is also
acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are
in the state "down", then wait for 5-10 minutes, restart that Domain
Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain
Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

11. Install another Secondary R81 Multi-Domain Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install on another server in one of these ways:

Important - Do not perform initial configuration in SmartConsole.
n Follow "Installing Software Packages on Gaia" on page 185.

Select the R81 package and perform Clean Install. See sk92449
for detailed steps.
n Follow "Installing a Secondary Multi-Domain Server in

Management High Availability" on page 79.

Important - The IP addresses of the source and target server can be
different. If it is necessary to have a different IP address on the target R81
server, you must create a special JSON configuration file before you
import the management database from the source server.
Note that you have to issue licenses for the new IP address.
You must use the same JSON configuration file on all servers in the same
Multi-Domain Security Management environment.

12. Get the required Upgrade Tools on the Secondary R81 Multi-Domain Server
Note - This step is needed only to be able to export the entire management
database (for backup purposes) with the latest Upgrade Tools.
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Installation and Upgrade Guide R81 | 317

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

13. On the Secondary R81 Multi-Domain Server, import the databases

Required JSON configuration file

If you installed the target R81 Multi-Domain Server with a different IP address than
the source Multi-Domain Server, you must create a special JSON configuration
file before you import the management database from the source Multi-Domain
Server. Note that you have to issue licenses for the new IP address.

Installation and Upgrade Guide R81 | 318

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Important:
n If none of the servers in the same Multi-Domain Security

Management environment changed their original IP addresses, then

you do not need to create the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Multi-Domain Security Management environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Multi-Domain Server.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 319

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating only the Primary Multi-Domain Server to a new IP
address

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"}]

Format for migrating both the Primary and the Secondary Multi-Domain
Servers, and the Multi-Domain Log Server to new IP addresses

[{"name":"<Name of Primary Multi-Domain Server

Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Primary R81 Multi-Domain
Server>"},
{"name":"<Name of Secondary Multi-Domain Server
Object in SmartConsole>","newIpAddress4":"<New
IPv4 Address of Secondary R81 Multi-Domain
Server>"},
{"name":"<Name of Multi-Domain Log Server Object
in SmartConsole>","newIpAddress4":"<New IPv4
Address of R81 Multi-Domain Log Server"}]

Installation and Upgrade Guide R81 | 320

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

Example
There are 3 servers in the R80.30 Multi-Domain Security Management
environment - the Primary Multi-Domain Server, the Secondary Multi-
Domain Server, and the Multi-Domain Log Server. Both the Primary
and the Secondary Multi-Domain Servers migrate to new IP
addresses. The Multi-Domain Log Server remains with the original IP
address.
a. The current IPv4 address of the source Primary R80.30 Multi-
Domain Server is:
192.168.10.21
b. The current IPv4 address of the source Secondary R80.30 Multi-
Domain Server is:
192.168.10.22
c. The name of the source Primary R80.30 Multi-Domain Server
object in SmartConsole is:
MyPrimaryMDS
d. The name of the source Secondary R80.30 Multi-Domain Server
object in SmartConsole is:
MySecondaryMDS
e. The new IPv4 address of the target Primary R81 Multi-Domain
Server is:
172.30.40.51
f. The new IPv4 address of the target Secondary R81 Multi-
Domain Server is:
172.30.40.52
g. The required syntax for the JSON configuration file you must use
on both the Primary and the Secondary Multi-Domain Servers,
and on the Multi-Domain Log Server:
[{"name":"MyPrimaryMDS","newIpAddress4":"172.3
0.40.51"},
{"name":"MySecondaryMDS","newIpAddress4":"172.
30.40.52"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Installation and Upgrade Guide R81 | 321

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

1 Connect to the command line the Secondary R81 Multi-Domain

Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5
that you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/Secondary_<Name of Exported
File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

Installation and Upgrade Guide R81 | 322

Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

8 Import the management database:

n If this Multi-Domain Server is connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/Secondary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
/var/log/mdss.json /<Full
Path>/Secondary_<Name of Exported
File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
n If this Multi-Domain Server is not connected to the Internet:
l And none of the servers changed their IP addresses, run:

./migrate_server import -v R81 -skip_

upgrade_tools_check [-l | -x] /<Full
Path>/Secondary_<Name of Exported
File>.tgz
l And at least one of the servers changed its IP address, run:
./migrate_server import -v R81 [-l | -x]
-skip_upgrade_tools_check
/var/log/mdss.json /<Full
Path>/Secondary_<Name of Exported
File>.tgz
Note - Before the release of updated Upgrade Tools in July
2021 (build 995000519 and lower), the syntax was "-
change_ips_file /var/log/mdss.json".
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

Installation and Upgrade Guide R81 | 323

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

Step Instructions

9 Make sure that all the required daemons (FWM, FWD, CPD, and
CPCA) are in the state "up" and show their PID (the "pnd" state is also
acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are
in the state "down", then wait for 5-10 minutes, restart that Domain
Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain
Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

14. Update the object version of the Secondary Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Primary Multi-Domain Server.

2 From the left navigation panel, click Multi-Domain > Domains.

3 From the top toolbar, open the Secondary Multi-Domain Server object.

4 From the left tree, click General.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

15. Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated
SmartEvent Servers
Important - If your Multi-Domain Server manages Multi-Domain Log Servers,
dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade
these dedicated servers to the same version as the Multi-Domain Server.

Select the applicable upgrade option:

n "Upgrading a Multi-Domain Log Server from R80.20 and higher" on page 328
n "Upgrading a Security Management Server or Log Server from R80.20 and
higher" on page 210

Installation and Upgrade Guide R81 | 324

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

16. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

17. In SmartConsole of each applicable Domain Management Server, install policy on all
SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that
manages SmartLSM Security Profiles.

Step Instructions

1 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Access Control Policy must install successfully.

2 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention
Policy.
c. Select the applicable SmartLSM Security Profile objects.
d. Click Install.
e. The Threat Prevention Policy must install successfully.

For more information, see the R81 SmartProvisioning Administration Guide.

Installation and Upgrade Guide R81 | 325

 Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Migration

18. Test the functionality on the Primary R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the Primary R81 Multi-Domain Server.

2 Make sure the management database and configuration were upgraded

correctly.

3 Test the Management High Availability functionality.

Installation and Upgrade Guide R81 | 326

 Managing Domain Management Servers During the Upgrade Process

Managing Domain Management Servers During the

Upgrade Process
Best Practice - To not make any changes to Domain Management Server databases
during the upgrade process.

If your business model cannot support management downtime during the upgrade, you can
continue to manage Domain Management Servers during the upgrade process.
If you make changes to Domain Management Server databases during the upgrade process,
this can create a risk of inconsistent Domain Management Server database content between
instances on different Multi-Domain Servers. The synchronization process cannot resolve
these database inconsistencies.

After you successfully upgrade one Multi-Domain Server, you can set its Domain Management
Servers to the Active state, while you upgrade the others. Synchronization between the
Domain Management Servers occurs after all Multi-Domain Servers are upgraded.
If, during the upgrade process, you make changes to the Domain Management Server
database on different Multi-Domain Servers, the contents of these databases will be different.
Because you cannot synchronize these databases, some of these changes will be lost. The
Domain Management Server High Availability status appears as Collision.
You must decide which database version to retain and synchronize it to the other Domain
Management Servers. Then you must re-enter the lost changes to the synchronized database
- configure the same objects and settings again.

Installation and Upgrade Guide R81 | 327

 Upgrading a Multi-Domain Log Server from R80.20 and higher

Upgrading a Multi-Domain Log Server from

R80.20 and higher
This section provides instructions to upgrade a Multi-Domain Log Server from R80.20.M1,
R80.20, R80.20.M2, R80.30, or higher versions:
n "Upgrading a Multi-Domain Log Server from R80.20 and higher with CPUSE" on
page 329
n "Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade"
on page 333
n "Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration" on
page 341
For additional information related to these upgrade procedures, see sk163814.
For configuration information, see the R81 Multi-Domain Security Management Administration
Guide.

Installation and Upgrade Guide R81 | 328

 Upgrading a Multi-Domain Log Server from R80.20 and higher with CPUSE

Upgrading a Multi-Domain Log Server from R80.20 and

higher with CPUSE
In a CPUSE upgrade scenario, you perform the upgrade procedure on the same Multi-Domain
Log Server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Multi-Domain Log Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 You must upgrade your Multi-Domain Servers.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Log Server.

5 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

Installation and Upgrade Guide R81 | 329

 Upgrading a Multi-Domain Log Server from R80.20 and higher with CPUSE

Procedure:
1. Get the required Upgrade Tools on the server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. Upgrade the Multi-Domain Log Server with CPUSE

Installation and Upgrade Guide R81 | 330

 Upgrading a Multi-Domain Log Server from R80.20 and higher with CPUSE

See "Installing Software Packages on Gaia" on page 185 and follow the applicable
action plan.

3. Update the version of the Multi-Domain Log Server object

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server that

manages the Multi-Domain Log Server.

2 From the left navigation panel, click Multi-Domain > Domains.

3 From the top toolbar, open the Multi-Domain Log Server object.

4 From the left tree, click General.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

4. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

Installation and Upgrade Guide R81 | 331

 Upgrading a Multi-Domain Log Server from R80.20 and higher with CPUSE

5. Test the functionality on the R81 Multi-Domain Log Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Log Server.

2 Make sure the management database and configuration were upgraded

correctly.

6. Test the functionality on the R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server that

manages the Multi-Domain Log Server.

2 Make sure the logging works as expected.

Installation and Upgrade Guide R81 | 332

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

Upgrading a Multi-Domain Log Server from R80.20 and

higher with Advanced upgrade
In an advanced upgrade scenario, you perform the upgrade procedure on the same Multi-
Domain Log Server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Multi-Domain Log Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 You must upgrade your Multi-Domain Servers.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Log Server.

5 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

Installation and Upgrade Guide R81 | 333

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Multi-Domain Log Server, run the Pre-Upgrade Verifier and export the
entire management database

Installation and Upgrade Guide R81 | 334

Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

Step Instructions

1 Connect to the command line on the current Multi-Domain Log Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Log Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Log Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

7 Export the management database:

n If this Multi-Domain Log Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>
n If this Multi-Domain Log Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

8 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

Installation and Upgrade Guide R81 | 335

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

Step Instructions

9 Transfer the exported databases from the source Multi-Domain Log

Server to an external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install a new R81 Multi-Domain Log Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install in one of these ways (do not perform initial
configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing a Multi-Domain Log Server" on page 82.

4. Get the required Upgrade Tools on the R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

Installation and Upgrade Guide R81 | 336

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

Step Instructions

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the R81 Multi-Domain Log Server, import the databases

Step Instructions

1 Connect to the command line on the R81 Multi-Domain Log Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Log Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

Installation and Upgrade Guide R81 | 337

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

Step Instructions

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that
you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/<Name of Exported File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

8 Import the management database:

n If this Multi-Domain Log Server is connected to the Internet, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>.tgz
n If this Multi-Domain Log Server is not connected to the Internet, run:
./migrate_server import -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>.tgz
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

9 Make sure that all the required daemons have the correct state:
mdsstat
n The state of the FWM, FWD, and CPD daemons must be "up" on all
levels.
These daemons must show their PID, or "pnd".
n The state of the CPCA daemon must be "N/R" on the MDS level.
n The state of the CPCA daemon must be "down" on the Domain Log

Server level.
If the state of one of the required daemons (FWM, FWD, or CPD) on a
Domain Log Server is "down", then wait for 5-10 minutes, restart that
Domain Log Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Log
Server>
mdsstart_customer <IP Address or Name of Domain
Log Server>
mdsstat

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

Installation and Upgrade Guide R81 | 338

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

7. Update the version of the Multi-Domain Log Server object

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server that

manages the Multi-Domain Log Server.

2 From the left navigation panel, click Multi-Domain > Domains.

3 From the top toolbar, open the Multi-Domain Log Server object.

4 From the left tree, click General.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

8. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

9. Test the functionality on the R81 Multi-Domain Log Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Log Server.

2 Make sure the management database and configuration were upgraded

correctly.

Installation and Upgrade Guide R81 | 339

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Advanced upgrade

10. Test the functionality on the R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server that

manages the Multi-Domain Log Server.

2 Make sure the logging works as expected.

Installation and Upgrade Guide R81 | 340

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

Upgrading a Multi-Domain Log Server from R80.20 and

higher with Migration
In a migration and upgrade scenario, you perform the procedure on the source Multi-Domain
Server and the different target Multi-Domain Server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Multi-Domain Log Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 You must upgrade your Multi-Domain Servers.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Multi-Domain Log Server.

5 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

Installation and Upgrade Guide R81 | 341

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Multi-Domain Log Server, run the Pre-Upgrade Verifier and export the
entire management database

Installation and Upgrade Guide R81 | 342

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

Step Instructions

1 Connect to the command line on the current Multi-Domain Log Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Run the Pre-Upgrade Verifier.

n If this Multi-Domain Log Server is connected to the Internet, run:

$MDS_FWDIR/scripts/migrate_server verify -v
R81
n If this Multi-Domain Log Server is not connected to the Internet, run:
$MDS_FWDIR/scripts/migrate_server verify -v
R81 -skip_upgrade_tools_check
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

5 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

6 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts

7 Export the management database:

n If this Multi-Domain Log Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>
n If this Multi-Domain Log Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

8 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

Installation and Upgrade Guide R81 | 343

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

Step Instructions

9 Transfer the exported databases from the source Multi-Domain Log

Server to an external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install another R81 Multi-Domain Log Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install on another server in one of these ways (do not
perform initial configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing a Multi-Domain Log Server" on page 82.

Important - The IP addresses of the source and target R81 servers must be
the same. If it is necessary to have a different IP address on the R81 server,
you can change it only after the upgrade procedure. Note that you have to
issue licenses for the new IP address. See "Changing the IP Address of a
Multi-Domain Server or Multi-Domain Log Server" on page 526.

4. Get the required Upgrade Tools on the R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

Installation and Upgrade Guide R81 | 344

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

Step Instructions

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the R81 Multi-Domain Log Server, import the databases

Step Instructions

1 Connect to the command line on the R81 Multi-Domain Log Server.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

5 Transfer the exported database from an external storage to the R81

Multi-Domain Log Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

Installation and Upgrade Guide R81 | 345

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

Step Instructions

6 Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that
you calculated on the original Multi-Domain Server:
md5sum /<Full Path>/<Name of Exported File>.tgz

7 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

8 Import the management database:

n If this Multi-Domain Log Server is connected to the Internet, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>.tgz
n If this Multi-Domain Log Server is not connected to the Internet, run:
./migrate_server import -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>.tgz
For details, see the R81 CLI Reference Guide - Chapter Multi-Domain
Security Management Commands - Section migrate_server.

9 Make sure that all the required daemons have the correct state:
mdsstat
n The state of the FWM, FWD, and CPD daemons must be "up" on all
levels.
These daemons must show their PID, or "pnd".
n The state of the CPCA daemon must be "N/R" on the MDS level.
n The state of the CPCA daemon must be "down" on the Domain Log

Server level.
If the state of one of the required daemons (FWM, FWD, or CPD) on a
Domain Log Server is "down", then wait for 5-10 minutes, restart that
Domain Log Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Log
Server>
mdsstart_customer <IP Address or Name of Domain
Log Server>
mdsstat

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

Installation and Upgrade Guide R81 | 346

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

7. Update the version of the Multi-Domain Log Server object

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server that

manages the Multi-Domain Log Server.

2 From the left navigation panel, click Multi-Domain > Domains.

3 From the top toolbar, open the Multi-Domain Log Server object.

4 From the left tree, click General.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

8. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

9. Test the functionality on the R81 Multi-Domain Log Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Log Server.

2 Make sure the management database and configuration were upgraded

correctly.

Installation and Upgrade Guide R81 | 347

 Upgrading a Multi-Domain Log Server from R80.20 and higher with Migration

10. Test the functionality on the R81 Multi-Domain Server

Step Instructions

1 Connect with SmartConsole to the R81 Multi-Domain Server that

manages the Multi-Domain Log Server.

2 Make sure the logging works as expected.

11. Disconnect the old Multi-Domain Log Server from the network

Disconnect the network cables the old Multi-Domain Log Server.

12. Connect the new Multi-Domain Log Server to the network

Connect the network cables to the new Multi-Domain Log Server.

Installation and Upgrade Guide R81 | 348

 Upgrade of Endpoint Security Management Servers and Endpoint Policy Servers

Upgrade of Endpoint Security

Management Servers and
Endpoint Policy Servers
This section provides instructions to upgrade Endpoint Security Management Servers and
Endpoint Policy Servers.
See "Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher" on page 350.

Installation and Upgrade Guide R81 | 349

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Upgrading an Endpoint Security Management

Server or Endpoint Policy Server from R80.20
and higher
This section provides instructions to upgrade Security Management Servers and dedicated
Log Servers from R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions:
n "Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher with CPUSE" on page 351
n "Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher with Advanced Upgrade" on page 356
n "Upgrading an Endpoint Security Management Server or Endpoint Policy Server from
R80.20 and higher with Migration" on page 367
n "Upgrading Endpoint Security Management Servers in Management High Availability
from R80.20 and higher" on page 378
For additional information related to these upgrade procedures, see sk163814.

Installation and Upgrade Guide R81 | 350

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Upgrading an Endpoint Security Management Server or

Endpoint Policy Server from R80.20 and higher with CPUSE
In a CPUSE upgrade scenario, you perform the upgrade procedure on the same Check Point
server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n These instructions equally apply to:
l Endpoint Security Management Server

l Endpoint Policy Server

n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade an Endpoint Security Management Server or Endpoint

Policy Server:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Endpoint Security Management Server or Endpoint Policy Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Endpoint Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Installation and Upgrade Guide R81 | 351

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Procedure:
1. Get the required Upgrade Tools on the server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. Upgrade the Endpoint Security Management Server or Endpoint Policy Server with
CPUSE

Installation and Upgrade Guide R81 | 352

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

See "Installing Software Packages on Gaia" on page 185 and follow the applicable
action plan.

3. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

4. Upgrade the dedicated Endpoint Policy Servers

This step is part of the upgrade procedure of an Endpoint Security Management

Server. If you upgrade a dedicated Endpoint Policy Server, then skip this step.

Important - If your Endpoint Security Management Server manages

dedicated Endpoint Policy Servers, you must upgrade these dedicated
servers to the same version as the Endpoint Security Management Server.

Follow the applicable procedure in "Upgrading an Endpoint Security Management

Server or Endpoint Policy Server from R80.20 and higher" on page 350.

5. Update the object version of the dedicated Endpoint Policy Servers

Important - If your Endpoint Security Management Server manages
dedicated Endpoint Policy Servers, you must update the version of the
corresponding objects in SmartConsole.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server that

manages the Endpoint Policy Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the object of the Endpoint Policy Server.

4 From the left tree, click General Properties.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

6. Install the management database

Step Instructions

1 Connect with SmartConsole to the R81 Endpoint Security Management

Server.

2 In the top left corner, click Menu > Install database.

Installation and Upgrade Guide R81 | 353

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

3 Select all objects.

4 Click Install.

5 Click OK.

7. Install the Event Policy

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Endpoint Server.

Step Instructions

1 Connect with the SmartConsole to the R81 Endpoint Server.

2 In the SmartConsole, from the left navigation panel, click Logs & Monitor.

3 At the top, click + to open a new tab.

4 In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.

5 In the top left corner, click Menu > Actions > Install Event Policy.

6 Confirm.

7 Wait for these messages to appear:

SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded

8 Click Close.

9 Close the Legacy SmartEvent client.

Installation and Upgrade Guide R81 | 354

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

8. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

9. Test the functionality on the R81 Endpoint Server

Step Instructions

1 Connect with SmartConsole to the R81 Endpoint Security Management

Server.
Make sure the management database and configuration were upgraded
correctly.

2 Connect with SmartConsole to the R81 Endpoint Policy Server.

Make sure the everything works correctly.

Installation and Upgrade Guide R81 | 355

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Upgrading an Endpoint Security Management Server or

Endpoint Policy Server from R80.20 and higher with
Advanced Upgrade
In an advanced upgrade scenario, you perform the upgrade procedure on the same Check
Point server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n These instructions equally apply to:
l Endpoint Security Management Server

l Endpoint Policy Server

n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade an Endpoint Security Management Server or Endpoint

Policy Server:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Endpoint Security Management Server or Endpoint Policy Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Endpoint Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Installation and Upgrade Guide R81 | 356

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Endpoint Security Management Server or Endpoint Policy Server, run the
Pre-Upgrade Verifier and export the entire management database

Installation and Upgrade Guide R81 | 357

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

1 Connect to the command line on the source Endpoint Server.

2 Log in to the Expert mode.

5 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts

3 Run the Pre-Upgrade Verifier.

n If this Endpoint Server is connected to the Internet, run:

./migrate_server verify -v R81

n If this Endpoint Server is not connected to the Internet, run:
./migrate_server verify -v R81 -skip_upgrade_
tools_check
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

4 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

4 Export the management database:

n If this Endpoint Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>
n If this Endpoint Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
Notes:
n You can also export the MSI packages with the "--include-

uepm-msi-files" option.
n For details, see the R81 CLI Reference Guide - Chapter

Security Management Server Commands - Section migrate_

server.

7 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

Installation and Upgrade Guide R81 | 358

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

8 Transfer the exported databases from the source Endpoint Server to an

external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install a new R81 Endpoint Security Management Server or Endpoint Policy Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install in one of these ways (do not perform initial
configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing an Endpoint Security Management Server" on

page 85.
n Follow "Installing an Endpoint Policy Server" on page 90.

Important - These options are available:

n The IP addresses of the source and target servers can be the same.

If in the future it is necessary to have a different IP address on the R81

server, you can change it.
For applicable procedures, see sk40993 and sk65451.
Note that you have to issue licenses for the new IP address.
n The IP addresses of the source and target servers can be different.

you must create a special JSON configuration file mdss.json that

contains each server that migrates to a new IP address.
Note that you have to issue licenses for the new IP address.
You must install the new licenses only after you import the databases.

4. Get the required Upgrade Tools on the R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Installation and Upgrade Guide R81 | 359

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the target R81 Endpoint Security Management Server or Endpoint Policy Server,
import the databases

Required JSON configuration file

If you installed the target R81 Endpoint Server with a different IP address than the
source Endpoint Server, you must create a special JSON configuration file
before you import the management database from the source Endpoint Server.
Note that you have to issue licenses for the new IP address.

Installation and Upgrade Guide R81 | 360

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Important:
n If none of the servers in the same Endpoint Security environment

changed their original IP addresses, then you do not need to create

the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Endpoint Security environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Endpoint Server.

2 Log in to the Expert mode.

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating a single Endpoint Server to a new IP address:
[{"name":"<Name of Endpoint Server Object in
SmartConsole>","newIpAddress4":"<New IPv4 Address
of R81 Endpoint Server>"}]

Installation and Upgrade Guide R81 | 361

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

Example
There are 2 servers in the R80.30 Endpoint Security environment - the
Endpoint Security Management Server and the Log Server. The
Endpoint Security Management Server migrates to a new IP address.
The Log Server remains with the original IP address.
a. The current IPv4 address of the source R80.30 Endpoint Security
Management Server is:
192.168.10.21
b. The name of the source R80.30 Endpoint Security Management
Server object in SmartConsole is:
MyEndpointMgmtServer
c. The new IPv4 address of the target R81 Endpoint Security
Management Server is:
172.30.40.51
d. The required syntax for the JSON configuration file you must use
on the Endpoint Security Management Server and on the Log
Server:
[{"name":"MyEndpointMgmtServer","newIpAddress4"
:"172.30.40.51"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Step Instructions

1 Connect to the command line on the R81 Endpoint Server.

2 Log in to the Expert mode.

3 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

4 Transfer the exported databases from an external storage to the R81

Endpoint Server, to some directory.

Note - Make sure to transfer the files in the binary mode.

Installation and Upgrade Guide R81 | 362

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

5 Make sure the transferred files are not corrupted.

Calculate the MD5 for the transferred files and compare them to the
MD5 that you calculated on the original Endpoint Server:
md5sum /<Full Path>/<Name of Database File>.tgz

6 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts/

7 Import the management database:

n If this Endpoint Server is connected to the Internet, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>.tgz
n If this Endpoint Server is not connected to the Internet, run:
./migrate_server import -v R81 -skip_
upgrade_tools_check [-l | -x] /<Full
Path>/<Name of Exported File>.tgz
Notes:
n The "migrate_server import" command automatically

restarts Check Point services (runs the "cpstop" and

"cpstart" commands).
n You can also import the MSI packages with the "--

include-uepm-msi-files" option.
n For details, see the R81 CLI Reference Guide - Chapter

Security Management Server Commands - Section migrate_

server.

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

7. Install the new licenses

Important - This step applies only if the target R81 Endpoint Server has a
different IP address than the source Endpoint Server.

Step Instructions

1 Issue licenses for the new IP address in your Check Point User Center
account.

Installation and Upgrade Guide R81 | 363

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

2 Install the new licenses on the R81 Endpoint Server.

You can do this either in the CLI with the "cplic put" command, or in
the Gaia Portal.

3 Wait for a couple of minutes for the Endpoint Server to detect the new
licenses.
Alternatively, restart Check Point services:
cpstop
cpstart

8. Upgrade the dedicated Endpoint Policy Servers

This step is part of the upgrade procedure of an Endpoint Security Management

Server. If you upgrade a dedicated Endpoint Policy Server, then skip this step.

Important - If your Endpoint Security Management Server manages

dedicated Endpoint Policy Servers, you must upgrade these dedicated
servers to the same version as the Endpoint Security Management Server.

Follow the applicable procedure in "Upgrading an Endpoint Security Management

Server or Endpoint Policy Server from R80.20 and higher" on page 350.

9. Update the object version of the dedicated Endpoint Policy Servers

Important - If your Endpoint Security Management Server manages
dedicated Endpoint Policy Servers, you must update the version of the
corresponding objects in SmartConsole.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server that

manages the Endpoint Policy Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the object of the Endpoint Policy Server.

4 From the left tree, click General Properties.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

10. Install the management database

Installation and Upgrade Guide R81 | 364

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

1 Connect with SmartConsole to the R81 Endpoint Security Management

Server.

2 In the top left corner, click Menu > Install database.

3 Select all objects.

4 Click Install.

5 Click OK.

11. Install the Event Policy

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Endpoint Server.

Step Instructions

1 Connect with the SmartConsole to the R81 Endpoint Server.

2 In the SmartConsole, from the left navigation panel, click Logs & Monitor.

3 At the top, click + to open a new tab.

4 In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.

5 In the top left corner, click Menu > Actions > Install Event Policy.

6 Confirm.

7 Wait for these messages to appear:

SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded

8 Click Close.

9 Close the Legacy SmartEvent client.

Installation and Upgrade Guide R81 | 365

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

12. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

13. Test the functionality on the R81 Endpoint Server

Step Instructions

1 Connect with SmartConsole to the R81 Endpoint Security Management

Server.
Make sure the management database and configuration were upgraded
correctly.

2 Connect with SmartConsole to the R81 Endpoint Policy Server.

Make sure the everything works correctly.

Installation and Upgrade Guide R81 | 366

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Upgrading an Endpoint Security Management Server or

Endpoint Policy Server from R80.20 and higher with
Migration
In a migration and upgrade scenario, you perform the procedure on the source Check Point
server and the different target Check Point server.

Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n These instructions equally apply to:
l Endpoint Security Management Server

l Endpoint Policy Server

n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade an Endpoint Security Management Server or Endpoint

Policy Server:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Endpoint Security Management Server or Endpoint Policy Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Endpoint Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Installation and Upgrade Guide R81 | 367

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Procedure:
1. Get the required Upgrade Tools on the source server
Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

2. On the current Endpoint Security Management Server or Endpoint Policy Server, run the
Pre-Upgrade Verifier and export the entire management database

Installation and Upgrade Guide R81 | 368

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

1 Connect to the command line on the source Endpoint Server.

2 Log in to the Expert mode.

5 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts

3 Run the Pre-Upgrade Verifier.

n If this Endpoint Server is connected to the Internet, run:

./migrate_server verify -v R81

n If this Endpoint Server is not connected to the Internet, run:
./migrate_server verify -v R81 -skip_upgrade_
tools_check
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

4 Read the Pre-Upgrade Verifier output.

If it is necessary to fix errors:
a. Follow the instructions in the report.
b. Run the Pre-Upgrade Verifier again.

4 Export the management database:

n If this Endpoint Server is connected to the Internet, run:

./migrate_server export -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>
n If this Endpoint Server is not connected to the Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>
Notes:
n You can also export the MSI packages with the "--include-

uepm-msi-files" option.
n For details, see the R81 CLI Reference Guide - Chapter

Security Management Server Commands - Section migrate_

server.

7 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

Installation and Upgrade Guide R81 | 369

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

8 Transfer the exported databases from the source Endpoint Server to an

external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

3. Install a new R81 Endpoint Security Management Server or Endpoint Policy Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform the clean install in one of these ways (do not perform initial
configuration in SmartConsole):
n Follow "Installing Software Packages on Gaia" on page 185 - select

the R81 package and perform Clean Install. See sk92449 for
detailed steps.
n Follow "Installing an Endpoint Security Management Server" on

page 85.
n Follow "Installing an Endpoint Policy Server" on page 90.

Important - These options are available:

n The IP addresses of the source and target servers can be the same.

If in the future it is necessary to have a different IP address on the R81

server, you can change it.
For applicable procedures, see sk40993 and sk65451.
Note that you have to issue licenses for the new IP address.
n The IP addresses of the source and target servers can be different.

you must create a special JSON configuration file mdss.json that

contains each server that migrates to a new IP address.
Note that you have to issue licenses for the new IP address.
You must install the new licenses only after you import the databases.

4. Get the required Upgrade Tools on the target R81 server

Important - See "Upgrade Tools" on page 207 to understand if your server
can download and install the latest version of the Upgrade Tools
automatically.

Installation and Upgrade Guide R81 | 370

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

1 Download the R81 Upgrade Tools from the sk135172.

(See "Upgrade Tools" on page 207.)
Note - This is a CPUSE Offline package.

2 Install the R81 Upgrade Tools with CPUSE.

See "Installing Software Packages on Gaia" on page 185 and follow the
applicable action plan for the Local - Offline installation.

3 Make sure the package is installed.

Run this command in the Expert mode:
cpprod_util CPPROD_GetValue CPupgrade-tools-R81
BuildNumber 1
The output must show the same build number you see in the name of the
downloaded TGZ package.
Example
Name of the downloaded package: ngm_upgrade_wrapper_
993000222_1.tgz
[Expert@HostName:0]# cpprod_util CPPROD_GetValue
CPupgrade-tools-R81 BuildNumber 1
993000222
[Expert@HostName:0]#

Note - The command "migrate_server" from these Upgrade Tools always

tries to connect to Check Point Cloud over the Internet.
This is to make sure you always have the latest version of these Upgrade
Tools installed.
If the connection to Check Point Cloud fails, this message appears:
Timeout. Failed to retrieve Upgrade Tools package. To
download the package manually, refer to sk135172.

5. On the target R81 Endpoint Security Management Server or Endpoint Policy Server,
import the databases

Required JSON configuration file

If you installed the target R81 Endpoint Server with a different IP address than the
source Endpoint Server, you must create a special JSON configuration file
before you import the management database from the source Endpoint Server.
Note that you have to issue licenses for the new IP address.

Installation and Upgrade Guide R81 | 371

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Important:
n If none of the servers in the same Endpoint Security environment

changed their original IP addresses, then you do not need to create

the special JSON configuration file.
n Even if only one of the servers migrates to a new IP address, all the

other servers (including all Log Servers and SmartEvent Servers)

must get this configuration file for the import process.
You must use the same JSON configuration file on all servers
(including Log Servers and SmartEvent Servers) in the same
Endpoint Security environment.

To create the required JSON configuration file:

Step Instructions

1 Connect to the command line on the target R81 Endpoint Server.

2 Log in to the Expert mode.

3 Create the /var/log/mdss.json file that contains each server that

migrates to a new IP address.
Format for migrating a single Endpoint Server to a new IP address:
[{"name":"<Name of Endpoint Server Object in
SmartConsole>","newIpAddress4":"<New IPv4 Address
of R81 Endpoint Server>"}]

Installation and Upgrade Guide R81 | 372

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

Example
There are 2 servers in the R80.30 Endpoint Security environment - the
Endpoint Security Management Server and the Log Server. The
Endpoint Security Management Server migrates to a new IP address.
The Log Server remains with the original IP address.
a. The current IPv4 address of the source R80.30 Endpoint Security
Management Server is:
192.168.10.21
b. The name of the source R80.30 Endpoint Security Management
Server object in SmartConsole is:
MyEndpointMgmtServer
c. The new IPv4 address of the target R81 Endpoint Security
Management Server is:
172.30.40.51
d. The required syntax for the JSON configuration file you must use
on the Endpoint Security Management Server and on the Log
Server:
[{"name":"MyEndpointMgmtServer","newIpAddress4"
:"172.30.40.51"}]
Important - All servers in this environment must get this
same information.

Importing the databases

Important - Make sure you followed the instructions in the above section
"Required JSON configuration file".

Step Instructions

1 Connect to the command line on the R81 Endpoint Server.

2 Log in to the Expert mode.

3 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

4 Transfer the exported databases from an external storage to the R81

Endpoint Server, to some directory.

Note - Make sure to transfer the files in the binary mode.

Installation and Upgrade Guide R81 | 373

Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

5 Make sure the transferred files are not corrupted.

Calculate the MD5 for the transferred files and compare them to the
MD5 that you calculated on the original Endpoint Server:
md5sum /<Full Path>/<Name of Database File>.tgz

6 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts/

7 Import the management database:

n If this Endpoint Server is connected to the Internet, run:

./migrate_server import -v R81 [-l | -x]

/<Full Path>/<Name of Exported File>.tgz
n If this Endpoint Server is not connected to the Internet, run:
./migrate_server import -v R81 -skip_
upgrade_tools_check [-l | -x] /<Full
Path>/<Name of Exported File>.tgz
Notes:
n The "migrate_server import" command automatically

restarts Check Point services (runs the "cpstop" and

"cpstart" commands).
n You can also import the MSI packages with the "--

include-uepm-msi-files" option.
n For details, see the R81 CLI Reference Guide - Chapter

Security Management Server Commands - Section migrate_

server.

6. Install the R81 SmartConsole

See "Installing SmartConsole" on page 100.

7. Install the new licenses

Important - This step applies only if the target R81 Endpoint Server has a
different IP address than the source Endpoint Server.

Step Instructions

1 Issue licenses for the new IP address in your Check Point User Center
account.

Installation and Upgrade Guide R81 | 374

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

2 Install the new licenses on the R81 Endpoint Server.

You can do this either in the CLI with the "cplic put" command, or in
the Gaia Portal.

3 Wait for a couple of minutes for the Endpoint Server to detect the new
licenses.
Alternatively, restart Check Point services:
cpstop
cpstart

8. Upgrade the dedicated Endpoint Policy Servers

This step is part of the upgrade procedure of an Endpoint Security Management

Server. If you upgrade a dedicated Endpoint Policy Server, then skip this step.

Important - If your Endpoint Security Management Server manages

dedicated Endpoint Policy Servers, you must upgrade these dedicated
servers to the same version as the Endpoint Security Management Server.

Follow the applicable procedure in "Upgrading an Endpoint Security Management

Server or Endpoint Policy Server from R80.20 and higher" on page 350.

9. Update the object version of the dedicated Endpoint Policy Servers

Important - If your Endpoint Security Management Server manages
dedicated Endpoint Policy Servers, you must update the version of the
corresponding objects in SmartConsole.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server that

manages the Endpoint Policy Server.

2 From the left navigation panel, click Gateways & Servers.

3 Open the object of the Endpoint Policy Server.

4 From the left tree, click General Properties.

5 In the Platform section > in the Version field, select R81.

6 Click OK.

10. Install the management database

Installation and Upgrade Guide R81 | 375

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

Step Instructions

1 Connect with SmartConsole to the R81 Endpoint Security Management

Server.

2 In the top left corner, click Menu > Install database.

3 Select all objects.

4 Click Install.

5 Click OK.

11. Install the Event Policy

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Endpoint Server.

Step Instructions

1 Connect with the SmartConsole to the R81 Endpoint Server.

2 In the SmartConsole, from the left navigation panel, click Logs & Monitor.

3 At the top, click + to open a new tab.

4 In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.

5 In the top left corner, click Menu > Actions > Install Event Policy.

6 Confirm.

7 Wait for these messages to appear:

SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded

8 Click Close.

9 Close the Legacy SmartEvent client.

Installation and Upgrade Guide R81 | 376

 Upgrading an Endpoint Security Management Server or Endpoint Policy Server from R80.20

12. Reconfigure the Log Exporter

Step Instructions

1 Connect to the command line on the server.

2 Log in to the Expert mode.

3 Restore the Log Exporter configuration as described in sk127653.

4 Reconfigure the Log Exporter:

cp_log_export reconf

5 Restart the Log Exporter:

cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide >
Chapter Log Exporter.

13. Test the functionality on the R81 Endpoint Server

Step Instructions

1 Connect with SmartConsole to the R81 Endpoint Security Management

Server.
Make sure the management database and configuration were upgraded
correctly.

2 Connect with SmartConsole to the R81 Endpoint Policy Server.

Make sure the everything works correctly.

14. Disconnect the old Endpoint Server from the network

Disconnect the cables from the old Endpoint Server.

15. Connect the new Endpoint Server to the network

Connect the cables to the new Endpoint Server.

Installation and Upgrade Guide R81 | 377

 Upgrading Endpoint Security Management Servers in Management High Availability from

Upgrading Endpoint Security Management Servers in

Management High Availability from R80.20 and higher
Notes:
n This procedure is supported only for servers that run R80.20.M1, R80.20,
R80.20.M2, R80.30, or higher versions.
n For additional information related to this upgrade, see sk163814.

Important - Before you upgrade an Endpoint Security Management Server:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4 You must close all GUI clients (SmartConsole applications) connected to the
source Endpoint Security Management Server or Endpoint Policy Server.

5 Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required
Upgrade Tools package.

6 Run the Pre-Upgrade Verifier on all source servers and fix all detected issues
before you start the upgrade.

7 In Management High Availability, make sure the Primary Endpoint Security

Management Server is upgraded and runs, before you start the upgrade on
other servers.

Important - Before you can install Hotfixes on servers that work in Management High
Availability, you must upgrade all these servers.

Installation and Upgrade Guide R81 | 378

 Upgrading Endpoint Security Management Servers in Management High Availability from

Procedure:

Step Instructions

1 Upgrade the Primary Endpoint Security Management Server with one of the
supported methods.
n CPUSE
See "Upgrading an Endpoint Security Management Server or Endpoint
Policy Server from R80.20 and higher with CPUSE" on page 351
n Advanced Upgrade
See "Upgrading an Endpoint Security Management Server or Endpoint
Policy Server from R80.20 and higher with Advanced Upgrade" on
page 356
n Migration
See "Upgrading an Endpoint Security Management Server or Endpoint
Policy Server from R80.20 and higher with Migration" on page 367

2 Upgrade the Secondary Endpoint Security Management Server with one of the
supported methods.
Important - Make sure the Endpoint Security Management Servers can
communicate with each other and SIC works between these servers. For
details, see sk179794.
n CPUSE
See "Upgrading an Endpoint Security Management Server or Endpoint
Policy Server from R80.20 and higher with CPUSE" on page 351
n Advanced Upgrade
See "Upgrading an Endpoint Security Management Server or Endpoint
Policy Server from R80.20 and higher with Advanced Upgrade" on
page 356
n Migration
See "Upgrading an Endpoint Security Management Server or Endpoint
Policy Server from R80.20 and higher with Migration" on page 367

3 Get the R81 SmartConsole.

See "Installing SmartConsole" on page 100.

4 Connect with SmartConsole to the R81 Primary Endpoint Security Management

Server.

Installation and Upgrade Guide R81 | 379

 Upgrading Endpoint Security Management Servers in Management High Availability from

Step Instructions

5 Update the object version of the Secondary Endpoint Security Management

Server:
a. From the left navigation panel, click Gateways & Servers.
b. Open the Secondary Endpoint Security Management Server object.
c. From the left tree, click General Properties.
d. In the Platform section > in the Version field, select R81.
e. Click OK.

6 Make sure Secure Internal Communication (SIC) works correctly with the
Secondary Security Management Server:
a. From the left navigation panel, click Gateways & Servers.
b. Open the Secondary Security Management Server object.
c. On the General Properties page, click Communication.
d. Click Test SIC Status.
The SIC Status must show Communicating.
e. Click Close.
f. Click OK.

7 Install the management database:

a. In the top left corner, click Menu > Install database.
b. Select all objects.
c. Click Install.
d. Click OK.

8 Install the Event Policy.

Important - This step applies only if the SmartEvent Correlation Unit
Software Blade is enabled on the R81 Endpoint Security Management
Server.

a. In the SmartConsole, from the left navigation panel, click Logs & Monitor.
b. At the top, click + to open a new tab.
c. In the bottom left corner, in the External Apps section, click SmartEvent
Settings & Policy.
The Legacy SmartEvent client opens.
d. In the top left corner, click Menu > Actions > Install Event Policy.
e. Confirm.
f. Wait for these messages to appear:
SmartEvent Policy Installer installation complete
SmartEvent Policy Installer installation succeeded
g. Click Close.
h. Close the Legacy SmartEvent client.

Installation and Upgrade Guide R81 | 380

 Upgrading Endpoint Security Management Servers in Management High Availability from

Step Instructions

9 Reconfigure the Log Exporter:

a. Connect to the command line on the server.
b. Log in to the Expert mode.
c. Restore the Log Exporter configuration as described in sk127653.
d. Reconfigure the Log Exporter:
cp_log_export reconf
e. Restart the Log Exporter:
cp_log_export restart

For more information, see the R81 Logging and Monitoring Administration Guide
> Chapter Log Exporter

10 Synchronize the Endpoint Security Management Servers:

a. In the top left corner, click Menu > Management High Availability.
b. In the Peers section, click Actions > Sync Peer.
c. The status must show Successfully synced for all peers.

Installation and Upgrade Guide R81 | 381

 Upgrade of Security Gateways and Clusters

Upgrade of Security Gateways and

Clusters
This section provides instructions to upgrade Security Gateways and Clusters:
n "Upgrading a Security Gateway or VSX Gateway" on page 383
n "Upgrading ClusterXL, VSX Cluster, or VRRP Cluster" on page 396
n "Full High Availability Cluster on Check Point Appliances" on page 167

Installation and Upgrade Guide R81 | 382

 Upgrading a Security Gateway or VSX Gateway

Upgrading a Security Gateway or VSX Gateway

This section provides instructions to upgrade a Security Gateway or VSX Gateway:
n "Upgrading a Security Gateway with CPUSE" on page 384
n "Upgrading a VSX Gateway with CPUSE" on page 388

Installation and Upgrade Guide R81 | 383

 Upgrading a Security Gateway with CPUSE

Upgrading a Security Gateway with CPUSE

Notes:
n In a CPUSE upgrade scenario, you perform the upgrade procedure on the same
Security Gateway.
n This upgrade method is supported only for Security Gateways that already run
Gaia Operating System.

Important - Before you upgrade a Security Gateway:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 Upgrade the licenses on the Security Gateway, if needed.

See "Working with Licenses" on page 657.

4 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.
The upgrade process replaces all existing files with default files.
If you have custom configurations on the Security Gateway, they are lost
during the upgrade.
As a result, different issues can occur in the upgraded Security Gateway.

Installation and Upgrade Guide R81 | 384

 Upgrading a Security Gateway with CPUSE

Procedure:
1. On the Security Gateway, upgrade to R81 with CPUSE, or perform a Clean Install of R81
Important - You must reboot the Security Gateway after the upgrade or clean
install.

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.

Clean Install of Follow "Installing a Security Gateway" on page 104 - only the
R81 from scratch step "Install the Security Gateway".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Security Gateway (prior to the upgrade).

2. In SmartConsole, establish SIC with the Security Gateway

Important - This step is required only if you performed a Clean Install of R81
on this Security Gateway.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Security Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Open the Security Gateway object.

4 From the left tree, click General Properties.

5 Click the Communication button.

Installation and Upgrade Guide R81 | 385

 Upgrading a Security Gateway with CPUSE

Step Instructions

6 Click Reset.

7 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Security
Gateway.

8 In the Confirm one-time password field, enter the same Activation Key
again.

9 Click Initialize.

10 The Trust state field must show Trust established.

11 Click Close to close the Communication window.

12 Click OK to close the Security Gateway Properties window.

13 Publish the SmartConsole session.

3. In SmartConsole, change the version of the Security Gateway object

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this Security Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Open the Security Gateway object.

4 From the left tree, click the General Properties page.

5 In the Platform section > Version field, select R81.

6 Click OK.

4. In SmartConsole, install the Policy

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this Security Gateway.

2 From the left navigation panel, click Gateways & Servers.

Installation and Upgrade Guide R81 | 386

 Upgrading a Security Gateway with CPUSE

Step Instructions

3 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control Policy.
c. Click Install.
d. The Access Control Policy must install successfully.

4 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy.
c. Click Install.
d. The Threat Prevention Policy must install successfully.

5. Test the functionality

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this Security Gateway.

2 From the left navigation panel, click Logs & Monitor > Logs.

3 Examine the logs from this Security Gateway to make sure it inspects the
traffic as expected.

Installation and Upgrade Guide R81 | 387

 Upgrading a VSX Gateway with CPUSE

Upgrading a VSX Gateway with CPUSE

Notes:
n In a CPUSE upgrade scenario, you perform the upgrade procedure on the same
VSX Gateway.
n This upgrade method is supported only for VSX Gateways that already run Gaia
Operating System.

Important - Before you upgrade a VSX Gateway:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).
Important - Back up both the Management Server and the VSX
Gateway. Follow sk100395.

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 Upgrade the licenses on the VSX Gateway, if needed.

See "Working with Licenses" on page 657.

4 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.
The upgrade process replaces all existing files with default files.
If you have custom configurations on the VSX Gateway, they are lost during
the upgrade.
As a result, different issues can occur in the upgraded VSX Gateway.

These upgrade scenarios are available:

n Upgrading the VSX Gateway with CPUSE to R81
n Clean Install of the R81 VSX Gateway

Installation and Upgrade Guide R81 | 388

 Upgrading a VSX Gateway with CPUSE

Upgrading the VSX Gateway with CPUSE to R81

1. On the Management Server, upgrade the configuration of the VSX Gateway object to
R81

Step Instructions

1 Connect to the command line on the Security Management Server or

Multi-Domain Server that manages this VSX Gateway.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, go to the context of the Main Domain

Management Server that manages this VSX Gateway object:
mdsenv <IP Address or Name of Main Domain
Management Server>

4 Upgrade the configuration of the VSX Gateway object to R81:

vsx_util upgrade
This command is interactive.

Enter these details to log in to the management database:

n IP address of the Security Management Server or Main Domain

Management Server that manages this VSX Gateway

n Management Server administrator's username
n Management Server administrator's password

Select your VSX Gateway.

Select R81.

For auditing purposes, save the vsx_util log file:

n On a Security Management Server:

/opt/CPsuite-R81/fw1/log/vsx_util_YYYYMMDD_
HH_MM.log
n On a Multi-Domain Server:
/opt/CPmds-R81/customers/<Name_of_
Domain>/CPsuite-R81/fw1/log/vsx_util_
YYYYMMDD_HH_MM.log

5 Connect with SmartConsole to the R81 Security Management Server

or Main Domain Management Server that manages this VSX
Gateway.

Installation and Upgrade Guide R81 | 389

 Upgrading a VSX Gateway with CPUSE

Step Instructions

6 From the left navigation panel, click Gateways & Servers.

7 Open the VSX Gateway object.

8 From the left tree, click the General Properties page.

9 Make sure in the Platform section, the Version field shows R81.

10 Click Cancel (do not click OK).

Note - If you click OK, the Management Server pushes the VSX
configuration to the VSX Gateway. Because the VSX Gateway is
not upgraded yet, this operation would fail.

2. Upgrade the VSX Gateway with CPUSE

See "Installing Software Packages on Gaia" on page 185 and follow the applicable
action plan.

3. In SmartConsole, install the policy

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server

or Main Domain Management Server that manages this VSX
Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Install the default policy on the VSX Gateway object:

a. Click Install Policy.
b. In the Policy field, select the default policy for this VSX Gateway
object.
This policy is called:
<Name of VSX Gateway object>_VSX
c. Click Install.

4 Install the Threat Prevention Policy on the VSX Gateway object:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy
for this VSX Gateway object.
c. Click Install.

Installation and Upgrade Guide R81 | 390

 Upgrading a VSX Gateway with CPUSE

4. Test the functionality

Step Instructions

1 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

2 Connect with SmartConsole to the R81 Security Management Server

or each Target Domain Management Server that manages the Virtual
Systems on this VSX Gateway.

3 From the left navigation panel, click Logs & Monitor > Logs.

4 Examine the logs from the Virtual Systems on this VSX Gateway to
make sure they inspect the traffic as expected.

Installation and Upgrade Guide R81 | 391

 Upgrading a VSX Gateway with CPUSE

Clean Install of the R81 VSX Gateway

1. On the Management Server, upgrade the configuration of the VSX Gateway object to
R81

Step Instructions

1 Connect to the command line on the Security Management Server or

Multi-Domain Server that manages this VSX Gateway.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, go to the context of the Main Domain

Management Server that manages this VSX Gateway object:
mdsenv <IP Address or Name of Main Domain
Management Server>

4 Upgrade the configuration of the VSX Gateway object to R81:

vsx_util upgrade
This command is interactive.

Enter these details to log in to the management database:

n IP address of the Security Management Server or Main Domain

Management Server that manages this VSX Gateway

n Management Server administrator's username
n Management Server administrator's password

Select your VSX Gateway.

Select R81.

For auditing purposes, save the vsx_util log file:

n On a Security Management Server:

/opt/CPsuite-R81/fw1/log/vsx_util_YYYYMMDD_
HH_MM.log
n On a Multi-Domain Server:
/opt/CPmds-R81/customers/<Name_of_
Domain>/CPsuite-R81/fw1/log/vsx_util_
YYYYMMDD_HH_MM.log

5 Connect with SmartConsole to the R81 Security Management Server

or Main Domain Management Server that manages this VSX
Gateway.

Installation and Upgrade Guide R81 | 392

 Upgrading a VSX Gateway with CPUSE

Step Instructions

6 From the left navigation panel, click Gateways & Servers.

7 Open the VSX Gateway object.

8 From the left tree, click the General Properties page.

9 Make sure in the Platform section, the Version field shows R81.

10 Click Cancel (do not click OK).

Note - If you click OK, the Management Server pushes the VSX
configuration to the VSX Gateway. Because the VSX Gateway is
not upgraded yet, this operation would fail.

2. On the VSX Gateway, perform a Clean Install of R81

Important - You must reboot the VSX Gateway after the upgrade or clean
install.

Installation
Instructions
Method

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.

Clean Install of Follow "Installing a VSX Gateway" on page 111 - only the
R81 from scratch step "Install the VSX Gateway".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Gateway (prior to the upgrade).

3. Reconfigure the VSX Gateway

Step Instructions

1 Configure the required settings on the VSX Gateway.

For more information, see the R81 CLI Reference Guide - Chapter
VSX Commands > Section vsx_util > Section vsx_util reconfigure.

Installation and Upgrade Guide R81 | 393

 Upgrading a VSX Gateway with CPUSE

Step Instructions

2 Connect to the command line on the R81 Security Management

Server or Multi-Domain Server that manages this VSX Gateway.

3 Log in to the Expert mode.

4 On Multi-Domain Server, go to the context of the Main Domain

Management Server that manages this VSX Gateway:
mdsenv <IP Address or Name of Main Domain
Management Server>

5 Restore the VSX configuration:

vsx_util reconfigure
Follow the instructions on the screen.
Important - Enter the same Activation Key you entered during the
First Time Configuration Wizard of the VSX Gateway.

6 Configure the required settings on the VSX Gateway:

n OS configuration (for example, DNS, NTP, DHCP, Dynamic

Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration files.
n Applicable Check Point configuration files.

4. Test the functionality

Step Instructions

1 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

2 Connect with SmartConsole to the R81 Security Management Server

or each Target Domain Management Server that manages the Virtual
Systems on this VSX Gateway.

3 From the left navigation panel, click Logs & Monitor > Logs.

4 Examine the logs from the Virtual Systems on this VSX Gateway to
make sure they inspect the traffic as expected.

Installation and Upgrade Guide R81 | 394

 Upgrading a VSX Gateway with CPUSE

For more information, see the:

n R81 VSX Administration Guide.
n R81 CLI Reference Guide.

Installation and Upgrade Guide R81 | 395

 Upgrading ClusterXL, VSX Cluster, or VRRP Cluster

Upgrading ClusterXL, VSX Cluster, or VRRP

Cluster
This section provides instructions to upgrade a cluster:
n "Planning a Cluster Upgrade" on page 397
n "Multi-Version Cluster (MVC) Upgrade" on page 403
n "Minimum Effort Upgrade" on page 452
n "Minimum Downtime Upgrade" on page 470
These instructions equally apply to these clusters:
n ClusterXL
n VSX Cluster
n VRRP Cluster
These instructions equally apply to these software packages:
n Upgrade
n Clean Install
n Hotfixes (does not require the change of the version in the cluster object)

Installation and Upgrade Guide R81 | 396

 Planning a Cluster Upgrade

Planning a Cluster Upgrade

Important - Before you upgrade Cluster Members:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 Upgrade the licenses on the Cluster Members, if needed.

See "Working with Licenses" on page 657.

5 If you upgrade a VSX Cluster, then on the Management Server you must
upgrade the configuration of the VSX Cluster object to R81.

6 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.
The upgrade process replaces all existing files with default files.
If you have custom configurations on the Cluster Members, they are lost
during the upgrade.
As a result, different issues can occur in the upgraded cluster.
Cluster Members can stop detecting each other, Cluster Members can move
to undesired state, and traffic can be dropped.

7 Make sure the configuration and the values of the required kernel parameters
are the same on all Cluster Members.
Log in to the Expert mode on each Cluster Member and run the applicable
commands (see below).

Note - For more information, see sk25977.

Installation and Upgrade Guide R81 | 397

 Planning a Cluster Upgrade

Applicable commands and required kernel parameters

Version Mode Applicable Command and Parameters

R80.10 and Cluster cphaprob mmagic

higher Members
Examine the value in the "MAC magic" field.
Examine the value in the "MAC forward magic" field.

VSX Cluster fw ctl get int fwha_add_vsid_to_ccp_mac

Members grep fwha_add_vsid_to_ccp_mac
$FWDIR/boot/modules/fwkern.conf
Examine the value of the kernel parameter "fwha_add_
vsid_to_ccp_mac".

R77.30 Cluster cphaconf cluster_id get

Members
Examine the value of the "cluster_id".

VSX Cluster fw ctl get int fwha_add_vsid_to_ccp_mac

Members grep fwha_add_vsid_to_ccp_mac
$FWDIR/boot/modules/fwkern.conf
Examine the value of the kernel parameter "fwha_add_
vsid_to_ccp_mac".

R75.40 - Cluster fw ctl get int fwha_mac_magic

R77.20 Members, fw ctl get int fwha_mac_forward_magic
VSX Cluster
Members Examine the value of the kernel parameter "fwha_mac_
magic".
Examine the value of the kernel parameter "fwha_mac_
forward_magic".

Installation and Upgrade Guide R81 | 398

 Planning a Cluster Upgrade

Available upgrade methods:

Because the upgrade process on Cluster Members stops all Check Point services, it disrupts
the cluster's ability to inspect and synchronize the connections that pass through the cluster.
The table below describes the available upgrade methods.

Maintenance
Upgrade
Instructions Window Limitations
Method
(downtime)

"Multi- Select this method, if connectivity This upgrade This upgrade

Version is of utmost concern. method does method supports
Cluster Connection failover is guaranteed not require a only specific
(MVC) - no connections are dropped. downtime upgrade paths.
Upgrade" on Connections that were initiated window. Many types of
page 403 before the upgrade are Duration of this connections do not
synchronized with the upgraded upgrade is survive after
Security Gateways and cluster short. failover to upgraded
members, so that no connections Cluster Member.
are dropped. See:
You can select this method, if you n "Supported
upgrade a ClusterXL or a VSX
Versions in
Cluster.
Multi-Version
You can select this method, if you
Cluster" on
upgrade a 3rd party cluster (VRRP
page 405
on Gaia).
n "Multi-Version
Cluster
Limitations"
on page 407.

Installation and Upgrade Guide R81 | 399

 Planning a Cluster Upgrade

Maintenance
Upgrade
Instructions Window Limitations
Method
(downtime)

"Minimum Select this method, if you have a This upgrade None

Effort period of time, during which method
Upgrade" on network downtime is allowed. requires a
page 452 This method is the simplest, substantial
(Simple because it lets you upgrade each downtime
Upgrade) Cluster Member as an window.
independent Security Gateway. Duration of this
All connections that were upgrade is as
initiated before the upgrade, are long as it takes
dropped during the upgrade. to upgrade all
You can select this method, if you Cluster
upgrade a ClusterXL or a VSX Members.
Cluster.
You can select this method, if you
upgrade a 3rd party cluster (VRRP
on Gaia).

Installation and Upgrade Guide R81 | 400

 Planning a Cluster Upgrade

Maintenance
Upgrade
Instructions Window Limitations
Method
(downtime)

"Minimum Select this method, if you cannot This upgrade This upgrade
Downtime have any network downtime and method method does not
Upgrade" on need to complete the upgrade requires a support Dynamic
page 470 quickly, with a minimum number of relatively short Routing
dropped connections. downtime connections.
During this type of upgrade, there window to drop
is always at least one Active old
Cluster Member in cluster that connections.
handles traffic. Duration of this
All connections that were upgrade is
initiated through a Cluster relatively short.
Member that runs the old
version, are dropped when you
upgrade that Cluster Member to
a new version, because Cluster
Members that run different Check
Point software versions, cannot
synchronize connections.
Network connectivity, however,
remains available during the
upgrade, and connections initiated
through an upgraded cluster
member are not dropped.
You can select this method, if you
upgrade a ClusterXL or a VSX
Cluster.
You can select this method, if you
upgrade a 3rd party cluster (VRRP
on Gaia).

Installation and Upgrade Guide R81 | 401

 Planning a Cluster Upgrade

Cluster state "Ready" during a cluster upgrade

Note - This applies only when the Multi-Version Cluster (MVC) Mechanism is
disabled (see "Multi-Version Cluster (MVC) Upgrade" on page 403).

When Cluster Members of different versions are on the same network, Cluster Members of the
new (upgraded) version remain in the state Ready, and Cluster Members of the previous
version remain in state Active Attention.
Cluster Members in the state Ready do not process traffic and do not synchronize with other
Cluster Members.
To prevent Cluster Members from being in the state "Ready":

Option Instructions

1 Perform these steps:

a. Connect over the console to the Cluster Member.
b. Physically disconnect the Cluster Member from the network (disconnect
all cables).

2 Perform these steps:

a. Connect over the console to the Cluster Member.
b. Log in to Gaia Clish..
c. Shut down all interfaces:
set interface <Name of Interface> state off

For more information, see sk42096.

Installation and Upgrade Guide R81 | 402

 Multi-Version Cluster (MVC) Upgrade

Multi-Version Cluster (MVC) Upgrade

The Multi-Version Cluster (MVC) mechanism synchronizes connections between Cluster
Members that run different versions.
You can upgrade to a newer version without a loss in connectivity (Zero Downtime Upgrade)
and test the new version on some of the Cluster Members before you decide to upgrade the
rest of the Cluster Members.

Important - The Multi-Version Cluster Upgrade replaced the Connectivity Upgrade.

Multi-Version Cluster Upgrade Prerequisites

Important - Before you upgrade a cluster, follow the steps below.

Step Instructions

1 On each Cluster Member, run:

cphaprob state

a. All Cluster Members must be operational:

n In the High Availability mode:

One Cluster Member must be in the Active state

All other Cluster Members must be in the Standby state
n In the Load Sharing mode:

All Cluster Members must be in the Active state

b. All Cluster Members must agree upon the states of all Cluster Members.

2 Back up your current configuration (see "Backing Up and Restoring" on page 20).
Important - If you upgrade a VSX Cluster, then back up both the
Management Server and the VSX Cluster Members. Follow sk100395: How
to backup and restore VSX Gateway.

3 See "Upgrade Options and Prerequisites" on page 188.

4 See "Supported Versions in Multi-Version Cluster" on page 405 to know if you

must install a Jumbo Hotfix Accumulator.

5 See "Planning a Cluster Upgrade" on page 397.

Installation and Upgrade Guide R81 | 403

 Multi-Version Cluster (MVC) Upgrade

Step Instructions

6 You must upgrade the Management Server and Log Servers.

n See "Upgrade of Security Management Servers and Log Servers" on
page 209.
n See "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" on
page 248.

7 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.

Installation and Upgrade Guide R81 | 404

 Multi-Version Cluster (MVC) Upgrade

Supported Versions in Multi-Version Cluster

The Multi-Version Cluster (MVC) in an R81 Cluster Member supports synchronization with
peer Cluster Members that run one of these versions:
n R80.10 (or higher)*
n R77.30
In a Multi-Version Cluster, the Cluster Members can run only these versions:
n R81 and R80.10 (or higher)*
n R81 and R77.30
*For supported upgrade paths, see the R81 Release Notes.

These scenarios are supported in Multi-Version Cluster:

n There are only two Cluster Members in the Multi-Version Cluster

The supported combination is:

Member 1 Member 2

R81 Version X

"Version X" is allowed to be only one of these: R77.30, R80.10, R80.20, and so on.
For supported upgrade paths, see the R81 Release Notes.

n There are three, four, or five Cluster Members in the Multi-Version Cluster
Important - In this scenario, Jumbo Hotfix Accumulator is required:
l On Cluster Members R80.20, you must install R80.20 Jumbo Hotfix

Accumulator Take 75 or higher (see Jumbo Hotfix Accumulator for

R80.20).
l On Cluster Members R80.10, you must install R80.10 Jumbo Hotfix

Accumulator Take 215 or higher (see Jumbo Hotfix Accumulator for

R80.10).

The table shows the allowed combinations of Cluster Member versions:

Member 1 Member 2 Member 3 Member 4 Member 5

R81 Version X Version X Version X Version X

R81 R81 Version X Version X Version X

R81 R81 R81 Version X Version X

Installation and Upgrade Guide R81 | 405

 Multi-Version Cluster (MVC) Upgrade

Member 1 Member 2 Member 3 Member 4 Member 5

R81 R81 R81 R81 Version X

"Version X" is allowed to be only one of these: R77.30, R80.10, R80.20, and so on.
For supported upgrade paths, see the R81 Release Notes.

Installation and Upgrade Guide R81 | 406

 Multi-Version Cluster (MVC) Upgrade

Multi-Version Cluster Limitations

Specific limitations apply to Multi-Version Cluster.

General limitations in Multi-Version Cluster configuration

n While the cluster contains Cluster Members that run different software versions (Multi-
Version Cluster), it is not supported to change specific settings of the cluster object in
SmartConsole.
l You cannot change the cluster mode.
For example, from High Availability to Load Sharing.
l In the High Availability mode, you cannot change the recovery mode.

For example, from Maintain current active Cluster Member to Switch to higher
priority Cluster Member.
l You cannot change the cluster topology.
Do not add, remove, or edit settings of cluster interfaces (IP addresses, Network
Objectives, and so on).
In a VSX Cluster object, do not add, remove, or edit static routes.

Note - You can change these settings either before or after you upgrade all the
Cluster Members.
n While the cluster contains Cluster Members that run different software versions (Multi-
Version Cluster), you must install the policy two times.

Installation and Upgrade Guide R81 | 407

 Multi-Version Cluster (MVC) Upgrade

n Multi-Version Cluster (MVC) does not support Cluster Members with Dynamically
Assigned IP Addresses (DAIP).
Procedure
Important - In a VSX Cluster, it is possible to install policy only on the
upgradedVSX Cluster Members that run R81. After you change the version of
the VSX Cluster object to R81, the Management Server does not let you
change it to the previous version.

1. Make the required changes in the Access Control or Threat Prevention policy.
2. In SmartConsole, change the version of the cluster object to R81:
On the General Properties page > in the Platform section > in the Version field,
select R81 > click OK.

3. Install policy on the upgradedCluster Members that run R81:

a. In the Policy field, select the applicable policy.
b. In the Install Mode section, select these two options:
l Select Install on each selected gateway independently.
l Clear For gateway clusters, if installation on a cluster member
fails, do not install on that cluster.
c. Click Install.
The Policy installation:
l Succeeds on the upgradedR81Cluster Members.
l Fails on the oldCluster Members with a warning. Ignore this
warning.

4. In SmartConsole, change the version of the cluster object to the previous

version:
On the General Properties page > in the Platform section > in the Version field,
select the previous version > click OK.

Installation and Upgrade Guide R81 | 408

 Multi-Version Cluster (MVC) Upgrade

5. Install policy on the oldCluster Members that run the previous version:
a. In the Policy field, select the applicable policy.
b. In the Install Mode section, select these two options:
l Select Install on each selected gateway independently.
l Clear For gateway clusters, if installation on a cluster member
fails, do not install on that cluster.
c. Click Install.
The Policy installation:
l Succeeds on the oldCluster Members.
l Fails on the upgradedR81Cluster Members with a warning. Ignore
this warning.

Limitations during failover in Multi-Version Cluster

These connections do not survive failover between Cluster Members with different versions:
n VPN:
l During a cluster failover from an R81 Cluster Member to an R77.30 Cluster
Member, all VPN connections on an R81 Cluster Member that are inspected on
CoreXL Firewall instances #1 and higher, are lost.
l Mobile Access VPN connections.
l Remote Access VPN connections.
l VPN Traditional Mode connections.
n Static NAT connections are cut off during a cluster failover from an R81 Cluster Member
to an R80.10 or R77.30 Cluster Member, if VMAC mode is enabled in this cluster.
n Identity Awareness connections.
n Data Loss Prevention (DLP) connections.
n IPv6 connections.
n Threat Emulation connections.
n PSL connections that are open during fail-over and then fail-back.
In addition, see the R81 ClusterXL Administration Guide > Chapter High Availability and Load
Sharing Modes in ClusterXL > Section Cluster Failover.

Installation and Upgrade Guide R81 | 409

 Multi-Version Cluster (MVC) Upgrade

Multi-Version Cluster Upgrade Procedure - Gateway Mode

Note - The procedure below is for ClusterXL and VRRP Cluster. For VSX Cluster, see
"Multi-Version Cluster Upgrade Procedure - VSX Mode" on page 426.
Important - Before you upgrade a Cluster:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 See "Planning a Cluster Upgrade" on page 397.

5 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.

Note - MVC supports Cluster Members with different Gaia kernel editions (R81 64-bit
and R77.30 / R80.10 32-bit).

Installation and Upgrade Guide R81 | 410

 Multi-Version Cluster (MVC) Upgrade

The procedure described below is based on an example cluster with three Cluster Members
M1, M2 and M3.
However, you can use it for clusters that consist of two or more.

Action plan:
1. In SmartConsole, change the cluster object version to R81.
2. On the Cluster Member M3:
a. Upgrade to R81
Note - If you perform a Clean Install of R81, then you must establish SIC in
SmartConsole with this Cluster Member and install Access Control Policy on it

b. Enable the MVC

3. In SmartConsole, install the Access Control Policy on the Cluster Member M3.
4. On the next Cluster Member M2:
a. Upgrade to R81
Note - If you perform a Clean Install of R81, then you must establish SIC in
SmartConsole with this Cluster Member and install Access Control Policy on it
b. Enable the MVC
5. In SmartConsole, install the Access Control Policy on the Cluster Member M3 and M2.
6. On the remaining Cluster Member M1:
n Upgrade to R81
Note - If you perform a Clean Install of R81, then you must establish SIC in
SmartConsole with this Cluster Member
7. In SmartConsole, install the Access Control Policy and the Threat Prevention Policy on
the Cluster object.

Installation and Upgrade Guide R81 | 411

 Multi-Version Cluster (MVC) Upgrade

Procedure:
1. In SmartConsole, change the version of the cluster object

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the Cluster object.

4 From the left tree, click the General Properties page.

5 In the Platform section > Version field, select R81.

6 Click OK to close the Gateway Cluster Properties window.

2. On the Cluster Member M3, upgrade to R81 with CPUSE, or perform a Clean Install of R81
Important - You must reboot the Cluster Member after the upgrade or clean
install.

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Installation and Upgrade Guide R81 | 412

 Multi-Version Cluster (MVC) Upgrade

Installation
Instructions
Method

Clean Install of
R81 from scratch Installing a Cluster Member
Follow "Installing a ClusterXL Cluster" on page 118 - only the
step "Install the Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Installing a VRRP Cluster Member

Follow "Installing a VRRP Cluster" on page 148 - only the
step "Install the VRRP Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
VRRP Cluster Member (prior to the upgrade).

Installation and Upgrade Guide R81 | 413

 Multi-Version Cluster (MVC) Upgrade

3. In SmartConsole, establish SIC with the Cluster Member M3

Important - This step is required only if you performed a Clean Install of R81
on this Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 414

 Multi-Version Cluster (MVC) Upgrade

4. In SmartConsole, install the Access Control Policy on the R81 Cluster Member M3
Important - This step is required only if you performed a Clean Install of R81
on the Cluster Member M3.

Step Instructions

1 Click Install Policy.

2 In the Install Policy window:

a. In the Policy field, select the applicable Access Control Policy.
b. In the Install Mode section, select these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

3 The Access Control Policy installation:

n Succeeds on the upgraded Cluster Member M3.
n Fails on the old Cluster Members M1 and M2 with a warning.

Ignore this warning.

5. On the R81 Cluster Member M3, enable the MVC mechanism

Step Instructions

1 Connect to the command line on the Cluster Member.

2 Enable the MVC Mechanism:

n In Gaia Clish:

set cluster member mvc on

n In the Expert mode:
cphaconf mvc on

3 Examine the state of the MVC Mechanism:

n In Gaia Clish:

show cluster members mvc

n In the Expert mode:
cphaprob mvc

Installation and Upgrade Guide R81 | 415

 Multi-Version Cluster (MVC) Upgrade

6. In SmartConsole, install the Access Control Policy on the R81 Cluster Member M3

Step Instructions

1 Click Install Policy.

2 In the Install Policy window:

a. In the Policy field, select the applicable Access Control Policy.
b. In the Install Mode section, select these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

3 The Access Control Policy installation:

n Succeeds on the upgraded Cluster Member M3.
n Fails on the old Cluster Members M1 and M2 with a warning.

Ignore this warning.

7. On each Cluster Member, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n In the High Availability mode, one of the

upgraded Cluster Members (M2 or M3)

changes its cluster state to Active.
The other upgraded Cluster Member (M2 or
M3) changes its cluster state to Standby.
n In the Load Sharing modes, all Cluster

Members must be in the Active state.

Installation and Upgrade Guide R81 | 416

 Multi-Version Cluster (MVC) Upgrade

8. On the Cluster Member M2, upgrade to R81 with CPUSE, or perform a Clean Install of R81
Important - You must reboot the Cluster Member after the upgrade or clean
install.

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Clean Install of
R81 from scratch Installing a Cluster Member
Follow "Installing a ClusterXL Cluster" on page 118 - only the
step "Install the Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Installing a VRRP Cluster Member

Follow "Installing a VRRP Cluster" on page 148 - only the
step "Install the VRRP Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
VRRP Cluster Member (prior to the upgrade).

Installation and Upgrade Guide R81 | 417

 Multi-Version Cluster (MVC) Upgrade

9. In SmartConsole, establish SIC with the Cluster Member M2

Important - This step is required only if you performed a Clean Install of R81
on this Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 418

 Multi-Version Cluster (MVC) Upgrade

10. In SmartConsole, install the Access Control Policy on the R81 Cluster Member M3 and M2
Important - This step is required only if you performed a Clean Install of R81
on the Cluster Member M2.

Step Instructions

1 Click Install Policy.

2 In the Install Policy window:

a. In the Policy field, select the applicable Access Control Policy.
b. In the Install Mode section, select these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

3 The Access Control Policy installation:

n Succeeds on the upgraded Cluster Members M3 and M2.
n Fails on the old Cluster Member M1 with a warning. Ignore this

warning.

11. On the R81 Cluster Member M2, enable the MVC mechanism

Step Instructions

1 Connect to the command line on the Cluster Member.

2 Enable the MVC Mechanism:

n In Gaia Clish:

set cluster member mvc on

n In the Expert mode:
cphaconf mvc on

3 Examine the state of the MVC Mechanism:

n In Gaia Clish:

show cluster members mvc

n In the Expert mode:
cphaprob mvc

Installation and Upgrade Guide R81 | 419

 Multi-Version Cluster (MVC) Upgrade

12. In SmartConsole, install the Access Control Policy on the R81 Cluster Members M3 and
M2

Step Instructions

1 Click Install Policy.

2 In the Install Policy window:

a. In the Policy field, select the applicable Access Control Policy.
b. In the Install Mode section, select these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

3 The Access Control Policy installation:

n Succeeds on the upgraded Cluster Members M3 and M2.
n Fails on the old Cluster Member M1 with a warning. Ignore this

warning.

13. On each Cluster Member, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n In the High Availability mode, one of the

upgraded Cluster Members (M2 or M3)

changes its cluster state to Active.
The other upgraded Cluster Member (M2 or
M3) changes its cluster state to Standby.
n In the Load Sharing modes, all Cluster

Members must be in the Active state.

Installation and Upgrade Guide R81 | 420

 Multi-Version Cluster (MVC) Upgrade

14. On the old Cluster Member M1, upgrade to R81 with CPUSE, or perform a Clean Install of
R81
Important - You must reboot the Cluster Member after the upgrade or clean
install.

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Clean Install of
R81 from scratch Installing a Cluster Member
Follow "Installing a ClusterXL Cluster" on page 118 - only the
step "Install the Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Installing a VRRP Cluster Member

Follow "Installing a VRRP Cluster" on page 148 - only the
step "Install the VRRP Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
VRRP Cluster Member (prior to the upgrade).

Installation and Upgrade Guide R81 | 421

 Multi-Version Cluster (MVC) Upgrade

15. In SmartConsole, establish SIC with the Cluster Member M1

Important - This step is required only if you performed a Clean Install of R81
on this Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 422

 Multi-Version Cluster (MVC) Upgrade

16. In SmartConsole, install the Access Control Policy and Threat Prevention Policy on the
Cluster object

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control Policy.
c. In the Install Mode section, select these two options:
n Install on each selected gateway independently
n For gateway clusters, if installation on a cluster member

fails, do not install on that cluster

d. Click Install.
e. The Access Control Policy must install successfully on all the
Cluster Members.

4 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy.
c. Click Install.
d. The Threat Prevention Policy must install successfully on all the
Cluster Members.

Installation and Upgrade Guide R81 | 423

 Multi-Version Cluster (MVC) Upgrade

17. On each Cluster Member, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n All Cluster Members must show the same

information about the states of all Cluster

Members.
n In the High Availability mode, one Cluster

Member must be in the Active state, and all

other Cluster Members must be in Standby
state.
n In the Load Sharing modes, all Cluster

Members must be in the Active state.

18. On each Cluster Member, disable the MVC mechanism

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Disable the MVC Mechanism:

n In Gaia Clish:

set cluster member mvc off

n In the Expert mode:
cphaconf mvc off

3 Examine the state of the MVC Mechanism:

n In Gaia Clish:

show cluster members mvc

n In the Expert mode:
cphaprob mvc

Installation and Upgrade Guide R81 | 424

 Multi-Version Cluster (MVC) Upgrade

19. Test the functionality

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Logs & Monitor > Logs.

3 Examine the logs from this Cluster to make sure it inspects the traffic as
expected.

For more information, see the:

n R81 ClusterXL Administration Guide.
n R81 VSX Administration Guide.

Installation and Upgrade Guide R81 | 425

 Multi-Version Cluster (MVC) Upgrade

Multi-Version Cluster Upgrade Procedure - VSX Mode

Note - The procedure below is for VSX Cluster. For ClusterXL and VRRP Cluster, see
"Multi-Version Cluster Upgrade Procedure - Gateway Mode" on page 410.
Important - Before you upgrade a VSX Cluster:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 See "Planning a Cluster Upgrade" on page 397.

5 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.

Note - MVC supports VSX Cluster Members with different Gaia kernel editions (R81
64-bit and R77.30 / R80.10 32-bit).

Installation and Upgrade Guide R81 | 426

 Multi-Version Cluster (MVC) Upgrade

The procedure described below is based on an example cluster with three VSX Cluster
Members M1, M2 and M3.
However, you can use it for clusters that consist of two or more.

Action plan:
1. On the Management Server, upgrade the VSX Cluster object to R81.
2. On the VSX Cluster Member M3:
a. Upgrade to R81
Note - If you perform a Clean Install of R81, then push the VSX configuration from
the Management Server to this VSX Cluster Member

b. Enable the MVC

3. In SmartConsole, install the Access Control Policy on the R81 VSX Cluster Member M3
4. On the next VSX Cluster Member M2:
a. Upgrade to R81
Note - If you perform a Clean Install of R81, then push the VSX configuration from
the Management Server to this VSX Cluster Member
b. Enable the MVC
5. In SmartConsole, install the Access Control Policy on the R81 VSX Cluster Members M3
and M2.

6. On the remaining VSX Cluster Member M1:

n Upgrade to R81

Note - If you perform a Clean Install of R81, then push the VSX configuration from
the Management Server to this VSX Cluster Member
7. In SmartConsole, install the Access Control Policy and the Threat Prevention Policy on
the VSX Cluster object.
8. In SmartConsole, install the Access Control Policy and the Threat Prevention Policy on
each Virtual System object.

Installation and Upgrade Guide R81 | 427

 Multi-Version Cluster (MVC) Upgrade

Procedure:
1. On the Management Server, upgrade the VSX Cluster object to R81

Follow the R81 VSX Administration Guide > Chapter Command Line Reference >
Section vsx_util > Section vsx_util upgrade.

2. On the VSX Cluster Member M3, upgrade to R81 with CPUSE, or perform a Clean Install
of R81
Important - You must reboot the VSX Cluster Member after the upgrade or
clean install.

Installation
Instructions
Method

Upgrade to See "Installing Software Packages on Gaia" on page 185.

R81 with Follow the applicable action plan for the local or central
CPUSE installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Installation and Upgrade Guide R81 | 428

 Multi-Version Cluster (MVC) Upgrade

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 with a. See "Installing Software Packages on Gaia" on page 185.
CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 429

 Multi-Version Cluster (MVC) Upgrade

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 from a. Follow "Installing a VSX Cluster" on page 139 - only the step
scratch "Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 430

 Multi-Version Cluster (MVC) Upgrade

3. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

Important:
n The upgraded VSX Cluster Member M3 shows its cluster state as Ready.
n Other VSX Cluster Members M2 and M1 show the cluster state of the

upgraded VSX Cluster Member M3 as Lost, or do not detect it.

n All Virtual Systems must show the same information about the states of all

Virtual Systems.

Installation and Upgrade Guide R81 | 431

 Multi-Version Cluster (MVC) Upgrade

4. On the R81 VSX Cluster Member M3, enable the MVC mechanism

Step Instructions

1 Connect to the command line on the VSX Cluster Member.

2 Go to the context of Virtual System 0:

n In Gaia Clish:

set virtual-system 0
n In the Expert mode:
vsenv 0

3 Enable the MVC Mechanism:

n In Gaia Clish:

set cluster member mvc on

n In the Expert mode:
cphaconf mvc on

4 Examine the state of the MVC Mechanism:

n In Gaia Clish:

show cluster members mvc

n In the Expert mode:
cphaprob mvc

Installation and Upgrade Guide R81 | 432

 Multi-Version Cluster (MVC) Upgrade

5. In SmartConsole, install the Access Control Policy on the R81 VSX Cluster Member M3

Step Instructions

1 Click Install Policy.

2 In the Install Policy window:

a. In the Policy field, select the applicable Access Control Policy.
b. In the Install Mode section, select these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

3 The Access Control Policy installation:

n Succeeds on the upgraded VSX Cluster Member M3.
n Fails on the old VSX Cluster Members M1 and M2 with a warning.

Ignore this warning.

Installation and Upgrade Guide R81 | 433

 Multi-Version Cluster (MVC) Upgrade

6. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

Installation and Upgrade Guide R81 | 434

 Multi-Version Cluster (MVC) Upgrade

Important:
n In High Availability mode:
l The upgraded VSX Cluster Member M3 changes its cluster state to

Active.
l Other VSX Cluster Members change their state to Standby.

n In the Virtual System Load Sharing mode:

l The upgraded VSX Cluster Member M3 changes its cluster state to

Active.
l Other VSX Cluster Members change their state to Standby and

Backup.
n All Virtual Systems must show the same information about the states of all

Virtual Systems.

Installation and Upgrade Guide R81 | 435

 Multi-Version Cluster (MVC) Upgrade

7. On the VSX Cluster Member M2, upgrade to R81 with CPUSE, or perform a Clean Install
of R81
Important - You must reboot the VSX Cluster Member after the upgrade or
clean install.

Installation
Instructions
Method

Upgrade to See "Installing Software Packages on Gaia" on page 185.

R81 with Follow the applicable action plan for the local or central
CPUSE installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install Follow these steps:

of R81 with a. See "Installing Software Packages on Gaia" on page 185.
CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 436

 Multi-Version Cluster (MVC) Upgrade

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 from a. Follow "Installing a VSX Cluster" on page 139 - only the step
scratch "Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 437

 Multi-Version Cluster (MVC) Upgrade

8. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

Installation and Upgrade Guide R81 | 438

 Multi-Version Cluster (MVC) Upgrade

Important:
n In the High Availability mode:
l One of the upgraded VSX Cluster Members has the cluster state

Active.
l Other VSX Cluster Members have the cluster state Standby.

n In the Virtual System Load Sharing mode:

l One of the upgraded VSX Cluster Members has the cluster state

Active.
l Other VSX Cluster Members have the cluster states Standby and

Backup.
n All Virtual Systems must show the same information about the states of all

Virtual Systems.
9. On the R81 VSX Cluster Member M2, enable the MVC mechanism

Step Instructions

1 Connect to the command line on the VSX Cluster Member.

2 Go to the context of Virtual System 0:

n In Gaia Clish:

set virtual-system 0
n In the Expert mode:
vsenv 0

3 Enable the MVC Mechanism:

n In Gaia Clish:

set cluster member mvc on

n In the Expert mode:
cphaconf mvc on

4 Examine the state of the MVC Mechanism:

n In Gaia Clish:

show cluster members mvc

n In the Expert mode:
cphaprob mvc

Installation and Upgrade Guide R81 | 439

 Multi-Version Cluster (MVC) Upgrade

10. In SmartConsole, install the Access Control Policy on the R81 VSX Cluster Members M3
and M2

Step Instructions

1 Click Install Policy.

2 In the Install Policy window:

a. In the Policy field, select the applicable Access Control Policy.
b. In the Install Mode section, select these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

3 The Access Control Policy installation:

n Succeeds on the upgraded VSX Cluster Members M3 and M2.
n Fails on the old VSX Cluster Member M1 with a warning. Ignore

this warning.

Installation and Upgrade Guide R81 | 440

 Multi-Version Cluster (MVC) Upgrade

11. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

Installation and Upgrade Guide R81 | 441

 Multi-Version Cluster (MVC) Upgrade

Important:
n In the High Availability mode:
l One of the upgraded VSX Cluster Members has the cluster state

Active.
l Other VSX Cluster Members have the cluster state Standby.

n In the Virtual System Load Sharing mode:

l One of the upgraded VSX Cluster Members has the cluster state

Active.
l Other VSX Cluster Members have the cluster states Standby and

Backup.
n All Virtual Systems must show the same information about the states of all

Virtual Systems.

Installation and Upgrade Guide R81 | 442

 Multi-Version Cluster (MVC) Upgrade

12. On the VSX Cluster Member M1, upgrade to R81 with CPUSE, or perform a Clean Install
of R81
Important - You must reboot the VSX Cluster Member after the upgrade or
clean install.

Installation
Instructions
Method

Upgrade to See "Installing Software Packages on Gaia" on page 185.

R81 with Follow the applicable action plan for the local or central
CPUSE installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install Follow these steps:

of R81 with a. See "Installing Software Packages on Gaia" on page 185.
CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 443

 Multi-Version Cluster (MVC) Upgrade

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 from a. Follow "Installing a VSX Cluster" on page 139 - only the step
scratch "Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 444

 Multi-Version Cluster (MVC) Upgrade

13. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

Important:
n In the High Availability mode:
l One of the VSX Cluster Members has the cluster state Active.

l Other VSX Cluster Members have the cluster state Standby.

n In the Virtual System Load Sharing mode:

l One of the VSX Cluster Members has the cluster state Active.

l Other VSX Cluster Members have the cluster states Standby and

Backup.
n All Virtual Systems must show the same information about the states of all

Virtual Systems.

Installation and Upgrade Guide R81 | 445

 Multi-Version Cluster (MVC) Upgrade

14. In SmartConsole, install the Access Control Policy and Threat Prevention Policy on the
Cluster object

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control Policy.
c. In the Install Mode section, select these two options:
n Install on each selected gateway independently
n For gateway clusters, if installation on a cluster member

fails, do not install on that cluster

d. Click Install.
e. The Access Control Policy must install successfully on all the
Cluster Members.

4 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy.
c. Click Install.
d. The Threat Prevention Policy must install successfully on all the
Cluster Members.

Installation and Upgrade Guide R81 | 446

 Multi-Version Cluster (MVC) Upgrade

15. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state
Important:
n All VSX Cluster Members must show the same

information about the states of all VSX Cluster

Members.
n In the High Availability mode, one VSX Cluster

Member must be in the Active state, and all other

VSX Cluster Members must be in Standby state.
n In the Virtual System Load Sharing mode, all VSX

Cluster Members must be in the Active state.

n All Virtual Systems must show the same

information about the states of all Virtual

Systems.

Installation and Upgrade Guide R81 | 447

 Multi-Version Cluster (MVC) Upgrade

Step Instructions

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

Important:
n In the High Availability mode:
l One of the VSX Cluster Members has the cluster state Active.

l Other VSX Cluster Members have the cluster state Standby.

n In the Virtual System Load Sharing mode:

l One of the VSX Cluster Members has the cluster state Active.

l Other VSX Cluster Members have the cluster states Standby and

Backup.
n All Virtual Systems must show the same information about the states of all

Virtual Systems.

Installation and Upgrade Guide R81 | 448

 Multi-Version Cluster (MVC) Upgrade

16. On each VSX Cluster Member, disable the MVC mechanism

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Go to the context of Virtual System 0:

n In Gaia Clish:

set virtual-system 0
n In the Expert mode:
vsenv 0

3 Disable the MVC Mechanism:

n In Gaia Clish:

set cluster member mvc off

n In the Expert mode:
cphaconf mvc off

4 Examine the state of the MVC Mechanism:

n In Gaia Clish:

show cluster members mvc

n In the Expert mode:
cphaprob mvc

17. In SmartConsole, install the Access Control Policy and the Threat Prevention Policy on
each Virtual System object

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

each Target Domain Management Server that manages the Virtual
System on this VSX Cluster.

2 Install the Access Control Policy on the Virtual System object.

3 Install the Threat Prevention Policy on the Virtual System object.

Installation and Upgrade Guide R81 | 449

 Multi-Version Cluster (MVC) Upgrade

18. Test the functionality

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

each Target Domain Management Server that manages the Virtual
Systems on this VSX Cluster.

2 From the left navigation panel, click Logs & Monitor > Logs.

3 Examine the logs from the Virtual Systems on this VSX Cluster to make
sure they inspect the traffic as expected.

For more information, see the:

n R81 ClusterXL Administration Guide.
n R81 VSX Administration Guide.

Installation and Upgrade Guide R81 | 450

 Multi-Version Cluster (MVC) Upgrade

Troubleshooting the Multi-Version Cluster

Making sure the Cluster Members synchronize their connections

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the Delta Synchronization statistics in one of these ways:

n In Gaia Clish, run:
show cluster statistics sync
n In the Expert mode, run:
cphaprob syncstat

For more information, see the R81 ClusterXL Administration Guide > Chapter
Monitoring and Troubleshooting Clusters - Section ClusterXL Monitoring
Commands > Section Viewing Delta Synchronization.

3 Examine the number of concurrent connections in the Connections kernel

table (ID 8158).
In the Expert mode, run:
fw tab -t connections -s
Important - These numbers must be as close as possible on all Cluster
Members.
For more information, see the R81 CLI Reference Guide.

Collecting the cluster kernel debug

In case more detailed information is required, collect the kernel debug.

In the debug module "cluster", enable the debug flags "ccp" and "cu".
For complete debug procedure, see the R81 Quantum Security Gateway Guide > Chapter
Kernel Debug on Security Gateway.

Installation and Upgrade Guide R81 | 451

 Minimum Effort Upgrade

Minimum Effort Upgrade

This section provides instructions for Minimum Effort Upgrade (Simple Upgrade):
n "Minimum Effort Upgrade of a Security Gateway Cluster" on page 453
n "Minimum Effort Upgrade of a VSX Cluster" on page 460

Important - You can use this upgrade method for all supported versions as described
in the R81 Release Notes.

Installation and Upgrade Guide R81 | 452

 Minimum Effort Upgrade of a Security Gateway Cluster

Minimum Effort Upgrade of a Security Gateway Cluster

Important - Before you upgrade a Cluster:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 See "Planning a Cluster Upgrade" on page 397.

5 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.

Installation and Upgrade Guide R81 | 453

 Minimum Effort Upgrade of a Security Gateway Cluster

Procedure:

Installation and Upgrade Guide R81 | 454

 Minimum Effort Upgrade of a Security Gateway Cluster

1. On each Cluster Member, Upgrade to R81 with CPUSE, or perform a Clean Install of R81
Important - You must reboot the Cluster Member after the upgrade or clean
install.

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Installation and Upgrade Guide R81 | 455

 Minimum Effort Upgrade of a Security Gateway Cluster

Installation
Instructions
Method

Clean Install of Installing a Cluster Member

R81 from scratch Follow "Installing a ClusterXL Cluster" on page 118 - only
the step "Install the Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous Cluster Member (prior to the upgrade).

Installing a VRRP Cluster Member

Follow "Installing a VRRP Cluster" on page 148 - only the
step "Install the VRRP Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VRRP Cluster Member (prior to the upgrade).

Installing a VSX Cluster Member

Follow "Installing a VSX Cluster" on page 139 - only the step
"Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).

2. In SmartConsole, change the version of the cluster object

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the Cluster object.

4 From the left tree, click the General Properties page.

5 In the Platform section > Version field, select R81.

6 Click OK to close the Gateway Cluster Properties window.

Installation and Upgrade Guide R81 | 456

 Minimum Effort Upgrade of a Security Gateway Cluster

3. In SmartConsole, establish SIC with the each Cluster Member

Important - This step is required only if you performed a Clean Install of R81
on this Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

4. In SmartConsole, install the Access Control Policy and Threat Prevention Policy on the
Cluster object

Installation and Upgrade Guide R81 | 457

 Minimum Effort Upgrade of a Security Gateway Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control Policy.
c. In the Install Mode section, select these two options:
n Install on each selected gateway independently
n For gateway clusters, if installation on a cluster member

fails, do not install on that cluster

d. Click Install.
e. The Access Control Policy must install successfully on all the
Cluster Members.

4 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy.
c. Click Install.
d. The Threat Prevention Policy must install successfully on all the
Cluster Members.

5. On each Cluster Member, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member.

Installation and Upgrade Guide R81 | 458

 Minimum Effort Upgrade of a Security Gateway Cluster

Step Instructions

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n All Cluster Members must show the same

information about the states of all Cluster

Members.
n In the High Availability mode, one Cluster

Member must be in the Active state, and all

other Cluster Members must be in Standby
state.
n In the Load Sharing modes, all Cluster

Members must be in the Active state.

6. Test the functionality

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Logs & Monitor > Logs.

3 Examine the logs from this Cluster to make sure it inspects the traffic as
expected.

For more information:

See the R81 ClusterXL Administration Guide.

Installation and Upgrade Guide R81 | 459

 Minimum Effort Upgrade of a VSX Cluster

Minimum Effort Upgrade of a VSX Cluster

Important - Before you upgrade a VSX Cluster:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).
Important - Back up both the Management Server and the VSX Cluster
Members. Follow sk100395.

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 See "Planning a Cluster Upgrade" on page 397.

5 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.

Installation and Upgrade Guide R81 | 460

 Minimum Effort Upgrade of a VSX Cluster

Procedure:

Installation and Upgrade Guide R81 | 461

 Minimum Effort Upgrade of a VSX Cluster

1. On the Management Server, upgrade the configuration of the VSX Cluster object to R81

Step Instructions

1 Connect to the command line on the Security Management Server or

Multi-Domain Server that manages this VSX Cluster.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, go to the context of the Main Domain

Management Server that manages this VSX Cluster object:
mdsenv <IP Address or Name of Main Domain
Management Server>

4 Upgrade the configuration of the VSX Cluster object to R81:

vsx_util upgrade
This command is interactive.

Enter these details to log in to the management database:

n IP address of the Security Management Server or Main Domain

Management Server that manages this VSX Cluster

n Management Server administrator's username
n Management Server administrator's password

Select your VSX Cluster.

Select R81.

For auditing purposes, save the vsx_util log file:

n On a Security Management Server:

/opt/CPsuite-R81/fw1/log/vsx_util_YYYYMMDD_HH_
MM.log
n On a Multi-Domain Server:
/opt/CPmds-R81/customers/<Name_of_
Domain>/CPsuite-R81/fw1/log/vsx_util_YYYYMMDD_
HH_MM.log

5 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

6 From the left navigation panel, click Gateways & Servers.

7 Open the VSX Cluster object.

Installation and Upgrade Guide R81 | 462

 Minimum Effort Upgrade of a VSX Cluster

Step Instructions

8 From the left tree, click the General Properties page.

9 Make sure in the Platform section, the Version field shows R81.

10 Click Cancel (do not click OK).

Note - If you click OK, the Management Server pushes the VSX
configuration to the VSX Cluster. Because the VSX Cluster is not
upgraded yet, this operation would fail.

2. On each VSX Cluster Member, Upgrade to R81 with CPUSE, or perform a Clean Install of
R81
Important - You must reboot the VSX Cluster Member after the upgrade or
clean install.

Installation
Instructions
Method

Upgrade to See "Installing Software Packages on Gaia" on page 185.

R81 with Follow the applicable action plan for the local or central
CPUSE installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Installation and Upgrade Guide R81 | 463

 Minimum Effort Upgrade of a VSX Cluster

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 with a. See "Installing Software Packages on Gaia" on page 185.
CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 464

 Minimum Effort Upgrade of a VSX Cluster

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 from a. Follow "Installing a VSX Cluster" on page 139 - only the step
scratch "Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 465

 Minimum Effort Upgrade of a VSX Cluster

3. In SmartConsole, establish SIC with each VSX Cluster Member

Important - This step is required only if you performed a Clean Install of R81
on this VSX Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this VSX Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

4. In SmartConsole, install the policy

Installation and Upgrade Guide R81 | 466

 Minimum Effort Upgrade of a VSX Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Install the default policy on the VSX Cluster object:

a. Click Install Policy.
b. In the Policy field, select the default policy for this VSX Cluster
object.
This policy is called:
<Name of VSX Cluster object>_VSX
c. In the Install Mode section, select these two options:
n Install on each selected gateway independently
n For gateway clusters, if installation on a cluster member

fails, do not install on that cluster

d. Click Install.
e. The default policy install successfully on all the VSX Cluster
Members.

4 Install the Threat Prevention Policy on the VSX Cluster object:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy for
this VSX Cluster object.
c. Click Install.
d. The Threat Prevention Policy must install successfully on all the
VSX Cluster Members.

5. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 467

 Minimum Effort Upgrade of a VSX Cluster

Step Instructions

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state
Important:
n All VSX Cluster Members must show the same

information about the states of all VSX Cluster

Members.
n In the High Availability mode, one VSX Cluster

Member must be in the Active state, and all other

VSX Cluster Members must be in Standby state.
n In the Virtual System Load Sharing mode, all VSX

Cluster Members must be in the Active state.

n All Virtual Systems must show the same

information about the states of all Virtual

Systems.

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

6. Test the functionality

Installation and Upgrade Guide R81 | 468

 Minimum Effort Upgrade of a VSX Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

each Target Domain Management Server that manages the Virtual
Systems on this VSX Cluster.

2 From the left navigation panel, click Logs & Monitor > Logs.

3 Examine the logs from the Virtual Systems on this VSX Cluster to make
sure they inspect the traffic as expected.

For more information, see the:

n R81 VSX Administration Guide.
n R81 ClusterXL Administration Guide.

Installation and Upgrade Guide R81 | 469

 Minimum Downtime Upgrade

Minimum Downtime Upgrade

This section provides instructions for Minimum Downtime (formerly, Zero Downtime) Upgrade:
n "Minimum Downtime Upgrade of a Security Gateway Cluster" on page 471
n "Minimum Downtime Upgrade of a VSX Cluster" on page 484

Important - You can use this upgrade method for all supported versions as described
in the R81 Release Notes.

Installation and Upgrade Guide R81 | 470

 Minimum Downtime Upgrade of a Security Gateway Cluster

Minimum Downtime Upgrade of a Security Gateway Cluster

Important - Before you upgrade a Cluster:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 See "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 See "Planning a Cluster Upgrade" on page 397.

5 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.

The procedure below is based on an example cluster with three Cluster Members M1, M2, and
M3.
However, you can use it for clusters that consist of two or more Cluster Members.

Installation and Upgrade Guide R81 | 471

 Minimum Downtime Upgrade of a Security Gateway Cluster

Procedure:
1. On each Cluster Member, change the CCP mode to Broadcast
Important - This step applies only to R80.30 and lower with the Linux kernel
2.6 (run the "uname -r" command).
Best Practice - To avoid possible problems with switches around the cluster
during the upgrade, we recommend to change the Cluster Control Protocol
(CCP) mode to Broadcast.
Note - In R80.40 and above, the Cluster Control Protocol (CCP) runs only in
the Unicast mode. Therefore, after the upgrade, it is not necessary to change
the CCP mode.

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Log in to the Expert mode.

3 Change the CCP mode to Broadcast:

cphaconf set_ccp broadcast
Notes:
n This change does not require a reboot.
n This change applies immediately and

survives reboot.

4 Make sure the CCP mode is set to Broadcast:

cphaprob -a if

2. On the Cluster Member M3, upgrade to R81 with CPUSE, or perform a Clean Install of R81
Important - You must reboot the Cluster Member after the upgrade or clean
install.

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Installation and Upgrade Guide R81 | 472

 Minimum Downtime Upgrade of a Security Gateway Cluster

Installation
Instructions
Method

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Clean Install of Installing a Cluster Member

R81 from scratch Follow "Installing a ClusterXL Cluster" on page 118 - only
the step "Install the Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous Cluster Member (prior to the upgrade).

Installing a VRRP Cluster Member

Follow "Installing a VRRP Cluster" on page 148 - only the
step "Install the VRRP Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VRRP Cluster Member (prior to the upgrade).

Installing a VSX Cluster Member

Follow "Installing a VSX Cluster" on page 139 - only the step
"Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).

3. On the Cluster Member M2, upgrade to R81 with CPUSE, or perform a Clean Install of R81
Important - You must reboot the Cluster Member after the upgrade or clean
install.

Installation and Upgrade Guide R81 | 473

 Minimum Downtime Upgrade of a Security Gateway Cluster

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Clean Install of Installing a Cluster Member

R81 from scratch Follow "Installing a ClusterXL Cluster" on page 118 - only the
step "Install the Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Installing a VRRP Cluster Member

Follow "Installing a VRRP Cluster" on page 148 - only the
step "Install the VRRP Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
VRRP Cluster Member (prior to the upgrade).

Installing a VSX Cluster Member

Follow "Installing a VSX Cluster" on page 139 - only the step
"Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
VSX Cluster Member (prior to the upgrade).

4. In SmartConsole, change the version of the cluster object

Installation and Upgrade Guide R81 | 474

 Minimum Downtime Upgrade of a Security Gateway Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the Cluster object.

4 From the left tree, click the General Properties page.

5 In the Platform section > Version field, select R81.

6 Click OK to close the Gateway Cluster Properties window.

Installation and Upgrade Guide R81 | 475

 Minimum Downtime Upgrade of a Security Gateway Cluster

5. In SmartConsole, establish SIC with the Cluster Member M3

Important - This step is required only if you performed a Clean Install of R81
on this Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 476

 Minimum Downtime Upgrade of a Security Gateway Cluster

6. In SmartConsole, establish SIC with the Cluster Member M2

Important - This step is required only if you performed a Clean Install of R81
on this Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

7. In SmartConsole, install the Access Control Policy

Step Instructions

1 Click Install Policy.

Installation and Upgrade Guide R81 | 477

 Minimum Downtime Upgrade of a Security Gateway Cluster

Step Instructions

2 In the Install Policy window:

a. In the Policy field, select the applicable Access Control Policy.
b. In the Install Mode section, configure these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

3 The Access Control Policy installation:

n Succeeds on the upgraded Cluster Members M2 and M3.
n Fails on the old Cluster Member M1 with a warning. Ignore this

warning.

8. On each Cluster Member, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish (R80.20 and higher), run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n The cluster states of the upgraded Cluster

Members M2 and M3 are Ready.

n The cluster state of the old Cluster Member

M1 is:
l In R80.20 and higher - Active(!).

l In R80.10 and lower - Active Attention.

9. On the old Cluster Member M1, stop all Check Point services

Step Instructions

1 Connect to the command line on the Cluster Member M1.

Installation and Upgrade Guide R81 | 478

 Minimum Downtime Upgrade of a Security Gateway Cluster

Step Instructions

2 Stop all Check Point services:

cpstop
Notes:
n This forces a controlled cluster failover from

the old Cluster Member M1 to one of the

upgraded Cluster Members.
n At this moment, all connections that were

initiated through the old Cluster Member M1

are dropped (because Cluster Members with
different software versions cannot
synchronize).

10. On each Cluster Member, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n In the High Availability mode, one of the

upgraded Cluster Members (M2 or M3)

changes its cluster state to Active.
The other upgraded Cluster Member (M2 or
M3) changes its cluster state to Standby.
n In the Load Sharing modes, all Cluster

Members must be in the Active state.

11. On the old Cluster Member M1, upgrade to R81 with CPUSE, or perform a Clean Install of
R81
Important - You must reboot the Cluster Member after the upgrade or clean
install.

Installation and Upgrade Guide R81 | 479

 Minimum Downtime Upgrade of a Security Gateway Cluster

Installation
Instructions
Method

Upgrade to R81 See "Installing Software Packages on Gaia" on page 185.

with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install of See "Installing Software Packages on Gaia" on page 185.

R81 with CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Clean Install of Installing a Cluster Member

R81 from scratch Follow "Installing a ClusterXL Cluster" on page 118 - only the
step "Install the Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
Cluster Member (prior to the upgrade).

Installing a VRRP Cluster Member

Follow "Installing a VRRP Cluster" on page 148 - only the
step "Install the VRRP Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
VRRP Cluster Member (prior to the upgrade).

Installing a VSX Cluster Member

Follow "Installing a VSX Cluster" on page 139 - only the step
"Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration Wizard,
for the Management Connection IP address, you must
use the same IP address as was used by the previous
VSX Cluster Member (prior to the upgrade).

12. In SmartConsole, establish SIC with the Cluster Member M1

Installation and Upgrade Guide R81 | 480

 Minimum Downtime Upgrade of a Security Gateway Cluster

Important - This step is required only if you performed a Clean Install of R81
on this Cluster Member M1.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of the Cluster Member M1.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

13. In SmartConsole, install the Access Control Policy and Threat Prevention Policy on the
Cluster object

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Gateways & Servers.

Installation and Upgrade Guide R81 | 481

 Minimum Downtime Upgrade of a Security Gateway Cluster

Step Instructions

3 Install the Access Control Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Access Control Policy.
c. In the Install Mode section, select these two options:
n Install on each selected gateway independently
n For gateway clusters, if installation on a cluster member

fails, do not install on that cluster

d. Click Install.
e. The Access Control Policy must install successfully on all the
Cluster Members.

4 Install the Threat Prevention Policy:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy.
c. Click Install.
d. The Threat Prevention Policy must install successfully on all the
Cluster Members.

14. On each Cluster Member, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n All Cluster Members must show the same

information about the states of all Cluster

Members.
n In the High Availability mode, one Cluster

Member must be in the Active state, and all

other Cluster Members must be in Standby
state.
n In the Load Sharing modes, all Cluster

Members must be in the Active state.

15. Test the functionality

Installation and Upgrade Guide R81 | 482

 Minimum Downtime Upgrade of a Security Gateway Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Domain Management Server that manages this cluster.

2 From the left navigation panel, click Logs & Monitor > Logs.

3 Examine the logs from this Cluster to make sure it inspects the traffic as
expected.

For more information:

See the R81 ClusterXL Administration Guide.

Installation and Upgrade Guide R81 | 483

 Minimum Downtime Upgrade of a VSX Cluster

Minimum Downtime Upgrade of a VSX Cluster

Important - Before you upgrade a VSX Cluster:
Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).
Important - Back up both the Management Server and the VSX Cluster
Members. Follow sk100395.

2 See the "Upgrade Options and Prerequisites" on page 188.

3 Upgrade the Management Server and Log Servers.

4 See "Planning a Cluster Upgrade" on page 397.

5 Schedule a full maintenance window to make sure you can make all the
custom configurations again after the upgrade.

The procedure below describes an example VSX Cluster with three VSX Cluster Members M1,
M2, and M3.
However, you can use it for clusters that consist of two or more Cluster Members.

Installation and Upgrade Guide R81 | 484

 Minimum Downtime Upgrade of a VSX Cluster

Procedure:

Installation and Upgrade Guide R81 | 485

 Minimum Downtime Upgrade of a VSX Cluster

1. On the Management Server, upgrade the configuration of the VSX Cluster object to R81

Step Instructions

1 Connect to the command line on the Security Management Server or

Multi-Domain Server that manages this VSX Cluster.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, go to the context of the Main Domain

Management Server that manages this VSX Cluster object:
mdsenv <IP Address or Name of Main Domain
Management Server>

4 Upgrade the configuration of the VSX Cluster object to R81:

vsx_util upgrade
This command is interactive.

Enter these details to log in to the management database:

n IP address of the Security Management Server or Main Domain

Management Server that manages this VSX Cluster

n Management Server administrator's username
n Management Server administrator's password

Select your VSX Cluster.

Select R81.

For auditing purposes, save the vsx_util log file:

n On a Security Management Server:

/opt/CPsuite-R81/fw1/log/vsx_util_YYYYMMDD_HH_
MM.log
n On a Multi-Domain Server:
/opt/CPmds-R81/customers/<Name_of_
Domain>/CPsuite-R81/fw1/log/vsx_util_YYYYMMDD_
HH_MM.log

5 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

6 From the left navigation panel, click Gateways & Servers.

7 Open the VSX Cluster object.

Installation and Upgrade Guide R81 | 486

 Minimum Downtime Upgrade of a VSX Cluster

Step Instructions

8 From the left tree, click the General Properties page.

9 Make sure in the Platform section, the Version field shows R81.

10 Click Cancel (do not click OK).

Note - If you click OK, the Management Server pushes the VSX
configuration to the VSX Cluster. Because the VSX Cluster is not
upgraded yet, this operation would fail.

2. On each VSX Cluster Member, change the CCP mode to Broadcast

Important - This step does not apply to R80.30 with Linux kernel 3.10 (run
the "uname -r" command).
Best Practice - To avoid possible problems with switches around the cluster
during the upgrade, we recommend to change the Cluster Control Protocol
(CCP) mode to Broadcast.

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Change the CCP mode to Broadcast:

cphaconf set_ccp broadcast
Notes:
n This change does not require a reboot.
n This change applies immediately and survives

reboot.

4 Make sure the CCP mode is set to Broadcast:

cphaprob -a if

3. On the VSX Cluster Member M3, upgrade to R81 with CPUSE, or perform a Clean Install
of R81
Important - You must reboot the VSX Cluster Member after the upgrade or
clean install.

Installation and Upgrade Guide R81 | 487

 Minimum Downtime Upgrade of a VSX Cluster

Installation
Instructions
Method

Upgrade to See "Installing Software Packages on Gaia" on page 185.

R81 with Follow the applicable action plan for the local or central
CPUSE installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Clean Install Follow these steps:

of R81 with a. See "Installing Software Packages on Gaia" on page 185.
CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 488

 Minimum Downtime Upgrade of a VSX Cluster

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 from a. Follow "Installing a VSX Cluster" on page 139 - only the step
scratch "Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

4. On the VSX Cluster Member M2, upgrade to R81 with CPUSE, or perform a Clean Install
of R81
Important - You must reboot the VSX Cluster Member after the upgrade or
clean install.

Installation
Instructions
Method

Upgrade to See "Installing Software Packages on Gaia" on page 185.

R81 with Follow the applicable action plan for the local or central
CPUSE installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Installation and Upgrade Guide R81 | 489

 Minimum Downtime Upgrade of a VSX Cluster

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 with a. See "Installing Software Packages on Gaia" on page 185.
CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 490

 Minimum Downtime Upgrade of a VSX Cluster

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 from a. Follow "Installing a VSX Cluster" on page 139 - only the step
scratch "Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 491

 Minimum Downtime Upgrade of a VSX Cluster

5. In SmartConsole, establish SIC with the VSX Cluster Member M3

Important - This step is required only if you performed a Clean Install of R81
on this VSX Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this VSX Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 492

 Minimum Downtime Upgrade of a VSX Cluster

6. In SmartConsole, establish SIC with the VSX Cluster Member M2

Important - This step is required only if you performed a Clean Install of R81
on this VSX Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this VSX Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

7. In SmartConsole, install the Access Control Policy

Installation and Upgrade Guide R81 | 493

 Minimum Downtime Upgrade of a VSX Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Click Install Policy.

4 In the Install Policy window:

a. In the Policy field, select the default policy for this VSX Cluster
object.
This policy is called:
<Name of VSX Cluster object>_VSX
b. In the Install Mode section, configure these two options:
n Select Install on each selected gateway independently.
n Clear For gateway clusters, if installation on a cluster

member fails, do not install on that cluster.

c. Click Install.

5 The policy installation:

n Succeeds on the upgraded VSX Cluster Members M2 and M3.
n Fails on the old VSX Cluster Member M1 with a warning. Ignore

this warning.

8. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

Installation and Upgrade Guide R81 | 494

 Minimum Downtime Upgrade of a VSX Cluster

Step Instructions

4 Examine the cluster state in one of these ways:

n In Gaia Clish (R80.20 and higher), run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state
Important:
n The cluster states of the upgraded VSX Cluster

Members M2 and M3 are Ready.

n The cluster state of the old VSX Cluster Member

M1 is:
l In R80.20 and higher - Active(!).

l In R80.10 and lower - Active Attention.

9. On the old VSX Cluster Member M1, stop all Check Point services

Step Instructions

1 Connect to the command line on the VSX Cluster Member M1.

2 Stop all Check Point services:

cpstop
Notes:
n This forces a controlled cluster failover from the old

VSX Cluster Member M1 to one of the upgraded

VSX Cluster Members.
n At this moment, all connections that were initiated

through the old VSX Cluster Member M1 are

dropped (because VSX Cluster Members with
different software versions cannot synchronize).

10. On the upgraded VSX Cluster Members M2 and M3, examine the cluster state

Step Instructions

1 Connect to the command line on each Cluster Member M2 and M3.

Installation and Upgrade Guide R81 | 495

 Minimum Downtime Upgrade of a VSX Cluster

Step Instructions

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Important:
n One of the VSX Cluster Members (M2 or M3) changes

its cluster state to Active.

n The other VSX Cluster Member (M2 or M3) changes its

cluster state to Standby.

11. On the old VSX Cluster Member M1, upgrade to R81 with CPUSE, or perform a Clean
Install of R81
Important - You must reboot the VSX Cluster Member after the upgrade or
clean install.

Installation
Instructions
Method

Upgrade to See "Installing Software Packages on Gaia" on page 185.

R81 with Follow the applicable action plan for the local or central
CPUSE installation.
In local installation, select the R81 package and perform
Upgrade. See sk92449 for detailed steps.

Installation and Upgrade Guide R81 | 496

 Minimum Downtime Upgrade of a VSX Cluster

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 with a. See "Installing Software Packages on Gaia" on page 185.
CPUSE Follow the applicable action plan for the local or central
installation.
In local installation, select the R81 package and perform
Clean Install. See sk92449 for detailed steps.
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 497

 Minimum Downtime Upgrade of a VSX Cluster

Installation
Instructions
Method

Clean Install Follow these steps:

of R81 from a. Follow "Installing a VSX Cluster" on page 139 - only the step
scratch "Install the VSX Cluster Members".
Important - In the Gaia First Time Configuration
Wizard, for the Management Connection IP address,
you must use the same IP address as was used by the
previous VSX Cluster Member (prior to the upgrade).
b. Run the "vsx_util reconfigure" command on the
Management Server to push the VSX configuration to this
VSX Cluster Member.
See the R81 VSX Administration Guide > Chapter
Command Line Reference > Section vsx_util > Section vsx_
util reconfigure.
Important - You must enter the same Activation Key
you entered during the Gaia First Time Configuration
Wizard of this VSX Cluster Member.
c. Configure the required settings on this VSX Cluster
Member:
n OS configuration (for example, DNS, NTP, DHCP,

Dynamic Routing, DHCP Relay, and so on).

n Settings manually defined in various configuration

files.
n Applicable Check Point configuration files.

Installation and Upgrade Guide R81 | 498

 Minimum Downtime Upgrade of a VSX Cluster

12. In SmartConsole, establish SIC with the VSX Cluster Member M1

Important - This step is required only if you performed a Clean Install of R81
on this VSX Cluster Member.

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Open the cluster object.

4 From the left tree, click Cluster Members.

5 Select the object of this VSX Cluster Member.

6 Click Edit.

7 On the General tab, click the Communication button.

8 Click Reset.

9 In the One-time password field, enter the same Activation Key you
entered during the First Time Configuration Wizard of the Cluster
Member.

10 In the Confirm one-time password field, enter the same Activation Key
again.

11 Click Initialize.

12 The Trust state field must show Trust established.

13 Click Close to close the Communication window.

14 Click OK to close the Cluster Member Properties window.

15 Click OK to close the Gateway Cluster Properties window.

16 Publish the SmartConsole session.

13. In SmartConsole, install the policy

Installation and Upgrade Guide R81 | 499

 Minimum Downtime Upgrade of a VSX Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

Main Domain Management Server that manages this VSX Cluster.

2 From the left navigation panel, click Gateways & Servers.

3 Install the default policy on the VSX Cluster object:

a. Click Install Policy.
b. In the Policy field, select the default policy for this VSX Cluster
object.
This policy is called:
<Name of VSX Cluster object>_VSX
c. In the Install Mode section, select these two options:
n Install on each selected gateway independently
n For gateway clusters, if installation on a cluster member

fails, do not install on that cluster

d. Click Install.
e. The default policy install successfully on all the VSX Cluster
Members.

4 Install the Threat Prevention Policy on the VSX Cluster object:

a. Click Install Policy.
b. In the Policy field, select the applicable Threat Prevention Policy for
this VSX Cluster object.
c. Click Install.
d. The Threat Prevention Policy must install successfully on all the
VSX Cluster Members.

14. On each VSX Cluster Member, examine the VSX configuration and cluster state

Step Instructions

1 Connect to the command line on each VSX Cluster Member.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 500

 Minimum Downtime Upgrade of a VSX Cluster

Step Instructions

3 Examine the VSX configuration:

vsx stat -v
Important:
n Make sure all the configured Virtual Devices are

loaded.
n Make sure all Virtual Systems and Virtual Routers

have SIC Trust and policy.

4 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster state
n In the Expert mode, run:
vsenv 0
cphaprob state
Important:
n All VSX Cluster Members must show the same

information about the states of all VSX Cluster

Members.
n In the High Availability mode, one VSX Cluster

Member must be in the Active state, and all other

VSX Cluster Members must be in Standby state.
n In the Virtual System Load Sharing mode, all VSX

Cluster Members must be in the Active state.

n All Virtual Systems must show the same

information about the states of all Virtual

Systems.

5 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

set virtual-system 0
show cluster members interfaces all
n In the Expert mode, run:
vsenv 0
cphaprob -a if

15. Test the functionality

Installation and Upgrade Guide R81 | 501

 Minimum Downtime Upgrade of a VSX Cluster

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server or

each Target Domain Management Server that manages the Virtual
Systems on this VSX Cluster.

2 From the left navigation panel, click Logs & Monitor > Logs.

3 Examine the logs from the Virtual Systems on this VSX Cluster to make
sure they inspect the traffic as expected.

For more information, see the:

n R81 VSX Administration Guide.
n R81 CLI Reference Guide.

Installation and Upgrade Guide R81 | 502

 Upgrading a Full High Availability Cluster

Upgrading a Full High Availability Cluster

For more information, see "Full High Availability Cluster on Check Point Appliances" on
page 167.
To upgrade, follow the procedure Upgrading Security Management Servers in Management
High Availability from R80.10 and lower.

Important - After you upgrade a Full High Availability Cluster to R81, you must
establish the Secure Internal Communication (SIC) again between the Full High
Availability Cluster Member that runs the Primary Security Management Server and
the Full High Availability Cluster Member that runs the Secondary Security
Management Server.

Installation and Upgrade Guide R81 | 503

 Special Scenarios for Management Servers

Special Scenarios for Management

Servers
This section describes various migration and configuration scenarios for Management
Servers, such as migrating the database, backing up and restoring, and others.

Installation and Upgrade Guide R81 | 504

 Backing Up and Restoring a Domain

Backing Up and Restoring a Domain

You can back up a Domain and later restore it on the same Multi-Domain Server.

Important:
n You can restore a Domain only on the same Multi-Domain Server, on which you
backed it up.
n You can restore a Domain, to which a Global Policy is assigned, only if during
the Domain backup you did not purge the assigned Global Domain Revision.

Backing Up a Domain

Run this API:

backup-domain

For API documentation, see the Check Point Management API Reference - search for
backup-domain.

Restoring a Domain

1. Make sure it is possible to restore the Domain

Before you can restore a Domain, you must delete the current Domain.
Before you delete the current Domain, make sure it is possible to restore it.

Run this API with the "verify-only" flag:

restore-domain

For API documentation, see the Check Point Management API Reference - search
for restore-domain.

2. Delete the current Domain

Before you can restore a Domain, you must delete the current Domain.
You can perform this step in one of these ways:
n In SmartConsole connected to the MDS context
n With the API delete domain (see the Check Point Management API
Reference)

3. Restore the Active Domain Management Server

Run this API:

Installation and Upgrade Guide R81 | 505

 Backing Up and Restoring a Domain

restore-domain

For API documentation, see the Check Point Management API Reference - search
for restore-domain.

4. Restore the Standby Domain Management Servers and Domain Log Servers

When you restore the Standby Domain Management Servers and Domain Log
Servers, they must have the same IP addresses that were used when you collected
the Domain backup.
For API documentation, see the Check Point Management API Reference - search
for set domain
For each Standby Domain Management Server, run this API:

set-domain name <Name or UID of Domain> servers.add.ip-

address <IP Address of Domain Management Server>
servers.add.name <Name of Domain Management Server>
servers.add.multi-domain-server <Name of Multi-Domain
Server> servers.add.backup-file-path <Full Path to Domain
Backup File>.tgz --format json

For each Domain Log Server, run this API:

set-domain name <Name or UID of Domain> servers.add.ip-

address <IP Address of Domain Log Server> servers.add.name
<Name of Domain Log Server> servers.add.multi-domain-
server <Name of Multi-Domain Server> servers.add.backup-
file-path <Full Path to Domain Backup File>.tgz --format
json servers.add.type "log server"

5. Configure and assign the Administrators and GUI clients

You must again configure the Multi-Domain Server Administrators and GUI clients
and assign them to the Domains.
a. Configure the Multi-Domain Server Administrators and GUI clients:
i. Run the mdsconfig command
ii. Configure the Administrators
iii. Configure the GUI clients

Installation and Upgrade Guide R81 | 506

 Backing Up and Restoring a Domain

b. Assign the Administrators and GUI clients to the Domains:

See the R81 Multi-Domain Security Management Administration Guide -
Chapter Managing Domains - Section Creating a New Domain and Section
Assigning Trusted Clients to Domains.

6. Install policy on all managed Security Gateways and Clusters

a. Connect with SmartConsole to the restored Active Domain.

b. Install the applicable policies on all managed Security Gateways and
Clusters.

Installation and Upgrade Guide R81 | 507

 Migrating a Domain Management Server between R81 Multi-Domain Servers

Migrating a Domain Management Server

between R81 Multi-Domain Servers
This procedure lets you export the entire management database from a Domain Management
Server on one R81 Multi-Domain Server and import it on another R81 Multi-Domain Server.
For the list of known limitations, see sk156072.

Procedure:
1. On the source Multi-Domain Server, export the Domain Management Server

a. Run this API:

migrate-export-domain

For API documentation, see the Check Point Management API Reference -
search for migrate-export-domain.
b. Calculate the MD5 of the export file:

md5sum <Full Path to Export File>

2. Transfer the export file to the target Multi-Domain Server

a. Transfer the export file from the source Multi-Domain Server to the target Multi-
Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

b. Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you
calculated on the source Multi-Domain Server:

md5sum <Full Path to Export File>

3. On the target Multi-Domain Server, import the Domain Management Server

a. Run this API:

migrate-import-domain

For API documentation, see the Check Point Management API Reference -
search for migrate-import-domain.

Installation and Upgrade Guide R81 | 508

 Migrating a Domain Management Server between R81 Multi-Domain Servers

b. Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in
the state "up" and show their PID (the "pnd" state is also acceptable):

mdsstat

If some of the required daemons on a Domain Management Server are in the

state "down", then wait for 5-10 minutes, restart that Domain Management
Server and check again. Run these three commands:

mdsstop_customer <IP Address or Name of Domain

Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

4. Configure and assign the Administrators and GUI clients

You must again configure the Multi-Domain Server Administrators and GUI clients and
assign them to the Domains.
a. Configure the Multi-Domain Server Administrators and GUI clients:
i. Run the mdsconfig command
ii. Configure the Administrators
iii. Configure the GUI clients
iv. Exit the mdsconfig menu

b. Assign the Administrators and GUI clients to the Domains:

See the R81 Multi-Domain Security Management Administration Guide -
Chapter Managing Domains - Section Creating a New Domain and Section
Assigning Trusted Clients to Domains.

5. Install policy on all managed Security Gateways and Clusters

a. Connect with SmartConsole to the Active Domain (to which this Domain
Management Server belongs).
b. Install the applicable policies on all managed Security Gateways and Clusters.

Installation and Upgrade Guide R81 | 509

 Migrating Database Between R81 Security Management Servers

Migrating Database Between R81 Security

Management Servers
This procedure lets you export the entire management database from one R81 Security
Management Server and import it on another R81 Security Management Server.

Important - Before you migrate the database:

Step Instructions

1 Back up your current configuration (see "Backing Up and Restoring" on

page 20).

2 Examine the SmartConsole sessions:

1. Connect with the SmartConsole to the Security Management Server.
2. From the left navigation panel, click Manage & Settings > Sessions >
View Sessions.
3. You must publish or discard all sessions, for which the Changes
column shows a number greater than zero.
Right-click on such session and select Publish or Discard.

3 You must close all GUI clients (SmartConsole applications) connected to the
source Security Management Server.

Installation and Upgrade Guide R81 | 510

 Migrating Database Between R81 Security Management Servers

Procedure:

Installation and Upgrade Guide R81 | 511

 Migrating Database Between R81 Security Management Servers

1. On the source R81 Security Management Server, export the entire management database

Step Instructions

1 Connect to the command line on the current R81 Security Management

Server.

2 Log in to the Expert mode.

3 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts/

4 Export the management database:

If the "Endpoint Policy Management" blade is disabled on this Security
Management Server
n And this Security Management Server is connected to the Internet,
run:
./migrate_server export -v R81 [-l | -x]
/<Full Path>/<Name of Exported File>
n And this Security Management Server is not connected to the
Internet, run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>

If the "Endpoint Policy Management" blade is enabled on this Security

Management Server
n This Security Management Server is connected to the Internet, run:
./migrate_server export -v R81 [-l | -x] [--
include-uepm-msi-files] /<Full Path>/<Name of
Exported File>
n This Security Management Server is not connected to the Internet,
run:
./migrate_server export -v R81 -skip_upgrade_
tools_check [-l | -x] [--include-uepm-msi-
files] /<Full Path>/<Name of Exported File>

For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

5 Calculate the MD5 for the exported database files:

md5sum /<Full Path>/<Name of Database File>.tgz

Installation and Upgrade Guide R81 | 512

 Migrating Database Between R81 Security Management Servers

Step Instructions

6 Transfer the exported databases from the source Security Management

Server to an external storage:
/<Full Path>/<Name of Database File>.tgz

Note - Make sure to transfer the file in the binary mode.

2. Install a new R81 Security Management Server

Step Instructions

1 See the R81 Release Notes for requirements.

2 Perform a clean install of the R81 Security Management Server on

another computer.
See "Installing a Security Management Server" on page 60.

3. On the R81 Security Management Server, import the databases

Step Instructions

1 Connect to the command line on the R81 Security Management Server.

2 Log in to the Expert mode.

3 Make sure a valid license is installed:

cplic print
If it is not already installed, then install a valid license now.

4 Transfer the exported database from an external storage to the R81

Security Management Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

5 Make sure the transferred files are not corrupted.

Calculate the MD5 for the transferred files and compare them to the MD5
that you calculated on the source Security Management Server:
md5sum /<Full Path>/<Name of Database File>.tgz

6 Go to the $FWDIR/scripts/ directory:

cd $FWDIR/scripts/

Installation and Upgrade Guide R81 | 513

 Migrating Database Between R81 Security Management Servers

Step Instructions

7 Import the management database:

n If this Security Management Server is connected to the Internet,

run:
./migrate_server import -v R81 [-l | -x]
/<Full Path>/<Name of Exported File>.tgz
n If this Security Management Server is not connected to the Internet,
run:
./migrate_server import -v R81 -skip_upgrade_
tools_check [-l | -x] /<Full Path>/<Name of
Exported File>.tgz
Important - The "migrate_server import" command
automatically restarts Check Point services (runs the "cpstop" and
"cpstart" commands).
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

4. Test the functionality on the R81 Security Management Server

Step Instructions

1 Connect with SmartConsole to the R81 Security Management Server.

2 Make sure the management database and configuration were upgraded

correctly.

5. Disconnect the old Security Management Server from the network

Disconnect cables from the old Security Management Server.

6. Connect the new Security Management Server to the network

Connect cables to the new Security Management Server.

Installation and Upgrade Guide R81 | 514

 Migrating Database from an R81 Security Management Server to an R81 Domain

Migrating Database from an R81 Security

Management Server to an R81 Domain
Management Server
This procedure lets you export the entire management database from an R81 Security
Management Server and import it on an R81 Multi-Domain Server into a Domain Management
Server.
For the list of known limitations, see sk156072.

Prerequisites on the source Security Management Server:

n Make sure to publish all changes you wish to migrate.
n Make sure all required processes are up and running:

cpwd_admin list

The "STAT" column must show "E" (executing) for all processes.
n Close the active Security log ($FWDIR/log/fw.log) and Audit log
($FWDIR/log/fw.adtlog) files:

fw logswitch
fw logswitch -audit

n If the target Domain Management Server must have a different IP address than the
source Security Management Server, then you must prepare the source database before
the export.
Instructions in SmartConsole

1. Create a new Host object with the new IP address of the target Domain
Management Server.

Installation and Upgrade Guide R81 | 515

 Migrating Database from an R81 Security Management Server to an R81 Domain

2. In each Security Policy, add a new Access Control rule to allow specific traffic
from the Host object with new IP address to all managed Security Gateways and
Clusters.

Services
Sour Destinat VP & Actio Trac Insta
No Name
ce ion N Applicati n k ll On
ons

1 Traffic Host Applicable Any FW1 Accept None Policy

from new object objects of FW1_CPRID Target
Domain with new managed CPD s
Managem IP addre Security
ent Server ss Gateways and
to Clusters
managed
Gateways

Notes:
l You must use the pre-defined Check Point services.

l If the source Security Management Server manages VSX

Gateways or VSX Clusters, you must also add this Access

Control rule to their default VSX policies.
These default policies are called:
<Name of VSX Gateway or VSX Cluster Object>_VSX

3. Install all updated Access Control Policies.

Prerequisites on the target Multi-Domain Server:

n The free disk space must be at least 5 times the size of the database file you export from
the source Security Management Server.
n Back up the current Multi-Domain Server. See "Backing Up and Restoring" on page 20.
n Do not create a new Domain Management Server on the target Multi-Domain Server.
This procedure creates it automatically.
n Make sure you install the required license.

Installation and Upgrade Guide R81 | 516

 Migrating Database from an R81 Security Management Server to an R81 Domain

Procedure:
1. On the source R81 Security Management Server, export the database

a. Run this API:

migrate-export-domain

For API documentation, see the Check Point Management API Reference -
search for migrate-export-domain.
Example:

mgmt_cli -d "System Data" migrate-export-domain file-

path "/var/log/SecMgmtServer_Export.tgz" include-logs
"false"

Important - The option -d "System Data" is mandatory.

b. Calculate the MD5 of the export file:

md5sum <Full Path to Export File>.tgz

2. Transfer the export file to the target R81 Multi-Domain Server

a. Transfer the export file from the source Security Management Server to the
target Multi-Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

b. Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you
calculated on the source Security Management Server:

md5sum <Full Path to Export File>.tgz

3. On the target Multi-Domain Server, import the Security Management Server database into
a Domain Management Server

Installation and Upgrade Guide R81 | 517

 Migrating Database from an R81 Security Management Server to an R81 Domain

a. Make sure you have the sufficient license.

b. Run this API:

migrate-import-domain

For API documentation, see the Check Point Management API Reference -
search for migrate-import-domain.
Make sure the name of the Domain you create does not conflict with the name of
an existing Domain.
Example:

mgmt_cli -d "System Data" migrate-import-domain domain-

name "MyDomain3" domain-server-name "MyDomainServer3"
domain-ip-address "192.168.20.30" file-path
"/var/log/SecMgmtServer_Export.tgz" include-logs "false"

Important - The option -d "System Data" is mandatory.

c. Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in
the state "up" and show their PID (the "pnd" state is also acceptable):

mdsstat

If some of the required daemons on a Domain Management Server are in the

state "down", then wait for 5-10 minutes, restart that Domain Management
Server and check again. Run these three commands:

mdsstop_customer <IP Address or Name of Domain

Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

4. Configure and assign the Administrators and GUI clients

You must again configure the Multi-Domain Server Administrators and GUI clients and
assign them to the new Domain.

Installation and Upgrade Guide R81 | 518

 Migrating Database from an R81 Security Management Server to an R81 Domain

a. Configure the Multi-Domain Server Administrators and GUI clients:

i. Run the mdsconfig command.
ii. Configure the Administrators.
iii. Configure the GUI clients.
iv. Exit the mdsconfig menu.
b. Assign the Administrators and GUI clients to the new Domain.
See the R81 Multi-Domain Security Management Administration Guide -
Chapter Managing Domains - Section Creating a New Domain and Section
Assigning Trusted Clients to Domains.

5. Stop the source R81 Security Management Server

a. Connect to the command line on the source Security Management Server.

b. Stop the source Security Management Server you migrated:

cpstop

6. Test the functionality on the R81 Domain Management Server

a. Connect with SmartConsole to the Domain Management Server.

b. Make sure the management database and configuration were imported
correctly.

7. Install policy on all managed Security Gateways and Clusters

In SmartConsole, install the applicable policies on all managed Security Gateways

and Clusters.

8. Disconnect the source R81 Security Management Server

Disconnect the source Security Management Server from the network.

9. Delete the special Access Control rule you added before migration
Important - This step applies only if the target Domain Management Server
has a different IP address than the source Security Management Server.

a. Connect with SmartConsole to the target Domain Management Server.

b. In each Security Policy, delete the Access Control rule with the new Host object
you added on the source Security Management Server before migration.

Installation and Upgrade Guide R81 | 519

 Migrating Database from an R81 Security Management Server to an R81 Domain

c. Delete the Host object you added on the source Security Management Server
before migration.
d. Install the applicable policies on all managed Security Gateways and Clusters.

Installation and Upgrade Guide R81 | 520

 Migrating Database from an R81 Domain Management Server to an R81 Security

Migrating Database from an R81 Domain

Management Server to an R81 Security
Management Server
This procedure lets you export the entire management database from a Domain Management
Server on an R81 Multi-Domain Server and import it on an R81 Security Management Server.
For the list of known limitations, see sk156072.

Prerequisites on the source Domain Management Server:

n Back up the current Multi-Domain Server. See "Backing Up and Restoring" on page 20.
n Make sure to publish all changes you wish to migrate.
n Close the active Security log ($FWDIR/log/fw.log) and Audit log
($FWDIR/log/fw.adtlog) files:

mdsenv <Name or IP Address of Domain Management Server>

fw logswitch
fw logswitch -audit

n If the target Security Management Server must have a different IP address than the
source Domain Management Server, then you must prepare the source database before
the export.
Instructions in SmartConsole

1. Create a new Host object with the new IP address of the target Security
Management Server.

Installation and Upgrade Guide R81 | 521

 Migrating Database from an R81 Domain Management Server to an R81 Security

2. In each Security Policy, add a new Access Control rule to allow specific traffic
from the Host object with new IP address to all managed Security Gateways and
Clusters.

Services
Sour Destinat VP & Actio Trac Insta
No Name
ce ion N Applicati n k ll On
ons

1 Traffic Host Applicable Any FW1 Accept None Policy

from new object objects of FW1_CPRID Target
Security with new managed CPD s
Managem IP addre Security
ent Server ss Gateways and
to Clusters
managed
Gateways

Notes:
l You must use the pre-defined Check Point services.

l If the source Domain Management Server manages VSX

Gateways or VSX Clusters, you must also add this Access

Control rule to their default VSX policies.
These default policies are called:
<Name of VSX Gateway or VSX Cluster Object>_VSX

3. Install all updated Access Control Policies.

Prerequisites on the target Security Management Server:

n Perform a clean install of an R81 Security Management Server.
See "Installing One Security Management Server only, or Primary Security Management
Server in Management High Availability" on page 61.
n Make sure you install the required license.

Installation and Upgrade Guide R81 | 522

 Migrating Database from an R81 Domain Management Server to an R81 Security

Procedure:
1. On the source R81 Multi-Domain Server, export the Domain Management Server

a. Run this API:

migrate-export-domain

For API documentation, see the Check Point Management API Reference -
search for migrate-export-domain.
Example:

mgmt_cli -d "System Data" migrate-export-domain domain

"MyDomain3" file-path "/var/log/MyDomain3_Export.tgz"
include-logs "false"

Important - The option -d "System Data" is mandatory.

b. Calculate the MD5 of the export file:

md5sum /<Full Path to Export File>.tgz

2. Transfer the export file to the target R81 Security Management Server

a. Transfer the export file from the source Multi-Domain Server to the target
Security Management Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

b. Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you
calculated on the source Multi-Domain Server:

md5sum /<Full Path>/<Name of Exported File>.tgz

3. On the target R81 Security Management Server, import the Domain Management Server
database

Step Instructions

1 Connect to the command line the target Security Management Server.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 523

 Migrating Database from an R81 Domain Management Server to an R81 Security

Step Instructions

3 Go to the $MDS_FWDIR/scripts/ directory:

cd $MDS_FWDIR/scripts/

4 Import the management database:

n If this Security Management Server is connected to the Internet:

./migrate_server migrate_import_domain -v R81

[-l | -x] /<Full Path>/<Name of Exported
File>.tgz
n If this Security Management Server is not connected to the Internet:
./migrate_server migrate_import_domain -v R81
-skip_upgrade_tools_check [-l | -x] /<Full
Path>/<Name of Exported File>.tgz
For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section migrate_server.

5 Make sure that all the required daemons (FWM, FWD, CPD, and CPM)
are in the state "E" and show their PID:
cpwd_admin list
If some of the required daemons on the Security Management Server are
in the state "T", then wait for 5-10 minutes, restart the Security
Management Server and check again. Run these two commands:
cpstop
cpstart

4. Configure and assign the Administrators and GUI clients

You must again configure the Security Management Server Administrators and GUI
clients.
a. Run the cpconfig command.
b. Configure the Administrators.
c. Configure the GUI clients.
d. Exit the cpconfig menu.

5. Stop the source R81 Domain Management Server

Installation and Upgrade Guide R81 | 524

 Migrating Database from an R81 Domain Management Server to an R81 Security

a. Connect to the command line on the source Multi-Domain Server.

b. Stop the source Domain Management Server you migrated:

mdsstop_customer <IP address or Name of Domain

Management Server>

6. Test the functionality on the target R81 Security Management Server

a. Connect with SmartConsole to the target Security Management Server.

b. Make sure the management database and configuration were imported
correctly.

7. Install policy on all managed Security Gateways and Clusters

In SmartConsole, install the applicable policies on all managed Security Gateways

and Clusters.

8. Delete the source R81 Domain Management Server

Make sure you backed up the Multi-Domain Server. See "Backing Up and Restoring"
on page 20.
a. Connect with SmartConsole to the source Multi-Domain Server to the MDS
context.
b. From the left navigation panel, click Multi Domain > Domains.

c. Right-click the Domain Management Server object you migrated and select
Delete.

9. Delete the special Access Control rule you added before migration
Important - This step applies only if the target Security Management Server
has a different IP address than the source Domain Management Server.

a. Connect with SmartConsole to the target Security Management Server.

b. In each Security Policy, delete the Access Control rule with the new Host object
you added on the source Domain Management Server before migration.
c. Delete the Host object you added on the source Domain Management Server
before migration.
d. Install the applicable policies on all managed Security Gateways and Clusters.

Installation and Upgrade Guide R81 | 525

 Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server

Changing the IP Address of a Multi-Domain

Server or Multi-Domain Log Server
This procedure lets you change the current IP Address of a Multi-Domain Server or Multi-
Domain Log Server.

Note - In environments with multiple Multi-Domain Servers or Multi-Domain Log

Servers, perform the procedure for each applicable Multi-Domain Server or Multi-
Domain Log Server.

Procedure:
1. Back up the current R81 Multi-Domain Server or Multi-Domain Log Server

See "Backing Up and Restoring" on page 20.

2. Change the IP address on the applicable interface

Note - This step applies only if it is necessary to use the same physical
interface, but with a different IP address.

See the R81 Gaia Administration Guide > Chapter Network Management > Section
Network Interfaces > Section Physical Interfaces.

3. Install the new license for the new IP address

Step Instructions

1 Connect to your Check Point User Center account.

2 Issue a new license for the new IP address of your Multi-Domain Server
or Multi-Domain Log Server.

3 Get the new license and Support Contract.

4 Install the new license and Support Contract in the MDS context on your
Multi-Domain Server or Multi-Domain Log Server.
See "Working with Licenses" on page 657.

4. Connect to the command line on the Multi-Domain Server or Multi-Domain Log Server

Step Instructions

1 Connect over SSH, or serial console.

Installation and Upgrade Guide R81 | 526

 Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server

Step Instructions

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Go to the MDS context:

mdsenv

5. Stop all processes in the MDS context

Step Instructions

1 Stop all processes in the MDS context:

mdsstop -m
Important - While these process are stopped, SmartConsole cannot
connect.

2 Make sure all processes stopped in the MDS context:

mdsstat -m
All the daemons (FWM, FWD, CPD, and CPCA) must be in the state
"down".

6. Change the IP address in the MDS database

Important - This step applies only if the MDS object already exists in the
database.
For example, this step does not apply to a new Secondary Multi-Domain
Server or Multi-Domain Log Server in a clean installation.

Step Instructions

1 Change the IP address:

$MDSDIR/bin/mdscmd change-mds-ip <Current IP
Address> <New IP Address> ipv4 -x
Example:
$MDSDIR/bin/mdscmd change-mds-ip 192.168.20.30
172.30.40.50 ipv4 -x

Installation and Upgrade Guide R81 | 527

 Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server

Step Instructions

2 Make sure the IP address is updated in the dleobjectderef_data

database:
a. Save the applicable data from this database to a file:
psql_client -c "select fwset from
dleobjectderef_data where cpmitable='mdss' and
not deleted and dlesession=0" -o
/tmp/dleobject.txt cpm postgres
b. Examine the IP address:
cat /tmp/dleobject.txt | egrep -w
'name|ipaddr'
Example output:
:name (My_MDS_Server)
:ipaddr (172.30.40.50)

3 Make sure the IP address is updated in the cpnetworkobject_data

database:
a. Save the applicable data from this database to a file:
psql_client -c "select name, ipaddress4 from
cpnetworkobject_data where not deleted and
dlesession=0" -o /tmp/cpnetworkobject.txt cpm
postgres
b. Examine the IP address:
cat /tmp/cpnetworkobject.txt
Example output:
name | ipaddress4
---------------+--------------
My_MDS_Server | 172.30.40.50

7. Modify the $MDSDIR/conf/external.if file

Important:
n This step applies if you change the Leading Interface to another

physical interface.
n This step applies if you migrated the entire management database from

a source Multi-Domain Server or Multi-Domain Log Server to a target

Multi-Domain Server or Multi-Domain Log Server, and the target server
uses a different external interface (for example, eth0 on the source
server and eth1 on the target server).

Installation and Upgrade Guide R81 | 528

 Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server

Step Instructions

1 Back up the current $MDSDIR/conf/external.if file:

cp -v $MDSDIR/conf/external.if{,_BKP}

2 Edit the current $MDSDIR/conf/external.if file:

vi $MDSDIR/conf/external.if

3 Change the current interface name to the name of the applicable main
interface.
This is the interface, on which you configured the main IPv4 address of
your Multi-Domain Server or Multi-Domain Log Server.

4 Save the changes and exit the Vi editor.

5 Go to the context of each existing Domain Management Server:

mdsenv <IP Address or Name of Domain Management
Server>

6 Back up the current $FWDIR/conf/vip_index.conf file:

cp -v $FWDIR/conf/vip_index.conf{,_BKP}

7 Edit the current $FWDIR/conf/vip_index.conf file:

vi $FWDIR/conf/vip_index.conf

8 Change the current interface name to the name of the applicable main
interface.
This is the interface, on which you configured the main IPv4 address of
your Multi-Domain Server or Multi-Domain Log Server.

9 Save the changes and exit the Vi editor.

8. Modify the $MDSDIR/conf/LeadingIP file

Step Instructions

1 Back up the current $MDSDIR/conf/LeadingIP file:

cp -v $MDSDIR/conf/LeadingIP{,_BKP}

2 Edit the current file:

vi $MDSDIR/conf/LeadingIP

Installation and Upgrade Guide R81 | 529

 Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server

Step Instructions

3 Change the current IP address to the new IP address.

4 Save the changes in the file and exit the editor.

9. Modify the $MDSDIR/conf/mdsdb/mdss.C file

Step Instructions

1 Back up the current $MDSDIR/conf/mdsdb/mdss.C file:

cp -v $MDSDIR/conf/mdsdb/mdss.C{,_BKP}

2 Edit the current $MDSDIR/conf/mdsdb/mdss.C file:

vi $MDSDIR/conf/mdsdb/mdss.C

3 Find the object of your Multi-Domain Server or Multi-Domain Log Server

that has the current IP address.

4 Change the object's IP address to the new IP address.

5 Do not change the object's name.

6 Save the changes in the file and exit the editor.

10. Modify the $SMARTLOGDIR/smartlog_settings.txt file

Step Instructions

1 Back up the current $SMARTLOGDIR/smartlog_settings.txt file:

cp -v $SMARTLOGDIR/smartlog_settings.txt{,_BKP}

2 Edit the current file:

vi $SMARTLOGDIR/smartlog_settings.txt

3 Change the current IP address to the new IP address in these

parameters:
n Parameter :server_port ()
n Section :connections > Section :domain > Section

:management > Parameter :name ()

n Section :connections > Section :domain > Section :log_

servers > Parameter :name ()

Installation and Upgrade Guide R81 | 530

 Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server

Step Instructions

4 Save the changes in the file and exit the editor.

11. Modify the $INDEXERDIR/log_indexer_custom_settings.conf file

Step Instructions

1 Back up the current $INDEXERDIR/log_indexer_custom_

settings.conf file:
cp -v $INDEXERDIR/log_indexer_custom_settings.conf
{,_BKP}

2 Edit the current file:

vi $INDEXERDIR/log_indexer_custom_settings.conf

3 Change the current IP address to the new IP address in these

parameters:
n Parameter :server_port ()
n Section :connections > Section :domain > Section

:management > Parameter :name ()

n Section :connections > Section :domain > Section :log_

servers > Parameter :name ()

4 Save the changes in the file and exit the editor.

12. Start all processes in the MDS context

Step Instructions

1 Start all processes in the MDS context:

mdsstart -m

2 Make sure all processes started in the MDS context:

mdsstat -m
All the daemons (FWM, FWD, CPD, and CPCA) must be in the state "up"
and show their PID.

13. Change the IP addresses of all existing Domain Management Servers and Domain Log
Servers

Installation and Upgrade Guide R81 | 531

 Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server

Follow "Changing the IP Address of a Domain Management Server or Domain Log

Server" on page 533.

Important Notes

n If you just installed the Secondary Multi-Domain Server or Multi-Domain Log Server,
and it is necessary to change the server's IP address, you only need to change the
$MDSDIR/conf/LeadingIP file.
n After you change the IP address of the Multi-Domain Server or Multi-Domain Log
Server, you have to synchronize the local log database again on these servers (see
sk116335):

Important - Perform this synchronization only after you change the IP

addresses of all existing Domain Management Servers and Domain Log
Servers.
l Multi-Domain Server
l Secondary Multi-Domain Server (if it is installed in the environment)
l Multi-Domain Log Server
l Secondary Multi-Domain Log Server (if it is installed in the environment)
l Global SmartEvent Server (if it is installed in the environment)

Installation and Upgrade Guide R81 | 532

 Changing the IP Address of a Domain Management Server or Domain Log Server

Changing the IP Address of a Domain

Management Server or Domain Log Server
This procedure lets you change the current IP Address of:
n A Domain Management Server on a Multi-Domain Server
n A Domain Log Server on a Multi-Domain Log Server

Important:
n See "Changing the IP Address of a Multi-Domain Server or Multi-Domain Log
Server" on page 526.
n On Multi-Domain Servers in a Management High Availability environment, you
must perform the procedure below in this order:
1. Change the IP address on the Active Domain Management Server on the
Primary Multi-Domain Server
2. On the Primary Multi-Domain Server, change the state of the Active
Domain Management Server to Standby
3. On the Secondary Multi-Domain Server, change the state of the
applicable Domain Management Server to Active
4. Change the IP address on the Active Domain Management Server on the
Secondary Multi-Domain Server
n On Multi-Domain Log Servers in a Management High Availability environment,
you must perform the procedure below in this order:
1. Change the IP address on the Active Domain Log Server on the Primary
Multi-Domain Log Server
2. On the Primary Multi-Domain Log Server, change the state of the Active
Domain Log Server to Standby
3. On the Secondary Multi-Domain Log Server, change the state of the
applicable Domain Log Server to Active
4. Change the IP address on the Active Domain Log Server on the
Secondary Multi-Domain Log Server

Procedure:
1. Back up the current R81 Multi-Domain Server or Multi-Domain Log Server

See "Backing Up and Restoring" on page 20.

2. Close all SmartConsole applications

You must close all GUI clients (SmartConsole applications) connected to the Multi-
Domain Server or Multi-Domain Log Server.

Installation and Upgrade Guide R81 | 533

 Changing the IP Address of a Domain Management Server or Domain Log Server

3. Connect to the command line on the Multi-Domain Server or Multi-Domain Log Server

Step Instructions

1 Connect over SSH, or serial console.

2 Log in with the superuser credentials.

3 Log in to the Expert mode.

4 Go to the MDS context:

mdsenv

4. Stop the applicable Domain Management Server or Domain Log Server

Step Instructions

1 Stop the services:

mdsstop_customer <Name or IP of Domain Management
Server or Domain Log Server>

2 Make sure the services stopped in the applicable context:

mdsstat
All the daemons (FWM, FWD, CPD, and CPCA) must be in the state
"down".

5. Change the IP address in the MDS database

Step Instructions

1 Change the IP address:

$MDS_TEMPLATE/scripts/change_cma_ip.sh -n <Name of
Domain Management Server or Domain Log Server
object> -i <New IP Address>
Example:
$MDS_TEMPLATE/scripts/change_cma_ip.sh -n My_
Domain_Server -i 172.30.40.55

Installation and Upgrade Guide R81 | 534

 Changing the IP Address of a Domain Management Server or Domain Log Server

Step Instructions

You can change the IP addresses of several Domain Management

Servers or Domain Log Servers in one command:
a. Make sure the services stopped in all applicable contexts.
b. Create a plain text file that contains pairs of server names and their
new IPv4 addresses (separated with comma).
Example of a file:
MyDomainManagementServer_1, 172.30.40.51
MyDomainManagementServer_2, 172.30.40.52
MyDomainManagementServer_3, 172.30.40.53
c. Run this command:
$MDS_TEMPLATE/scripts/change_cma_ip.sh -f
/<Path To>/<File>

6. Modify the $SMARTLOGDIR/smartlog_settings.txt file

Step Instructions

1 Go to the context of the Domain Management Server or Domain Log

Server:
mdsenv <Name or IP of Domain Management Server or
Domain Log Server>

2 Back up the current $SMARTLOGDIR/smartlog_settings.txt file:

cp -v $SMARTLOGDIR/smartlog_settings.txt{,_BKP}

3 Edit the current file:

vi $SMARTLOGDIR/smartlog_settings.txt

4 Change the current IP address to the new IP address in these

parameters:
n Parameter :server_port ()
n Section :connections > Section :domain > Section

:management > Parameter :name ()

n Section :connections > Section :domain > Section :log_

servers > Parameter :name ()

5 Save the changes in the file and exit the editor.

7. Modify the $INDEXERDIR/log_indexer_custom_settings.conf file

Installation and Upgrade Guide R81 | 535

 Changing the IP Address of a Domain Management Server or Domain Log Server

Step Instructions

1 Go to the context of the Domain Management Server or Domain Log

Server:
mdsenv <Name or IP of Domain Management Server or
Domain Log Server>

2 Back up the current $INDEXERDIR/log_indexer_custom_

settings.conf file:
cp -v $INDEXERDIR/log_indexer_custom_settings.conf
{,_BKP}

3 Edit the current file:

vi $INDEXERDIR/log_indexer_custom_settings.conf

4 Change the current IP address to the new IP address in these

parameters:
n Parameter :server_port ()
n Section :connections > Section :domain > Section

:management > Parameter :name ()

n Section :connections > Section :domain > Section :log_

servers > Parameter :name ()

5 Save the changes in the file and exit the editor.

8. Start the applicable Domain Management Server or Domain Log Server

Step Instructions

1 Start the services:

mdsstart_customer <Name or IP of Domain Management
Server or Domain Log Server>

Installation and Upgrade Guide R81 | 536

 Changing the IP Address of a Domain Management Server or Domain Log Server

Step Instructions

2 Make sure that all the required daemons (FWM, FWD, CPD, and CPCA)
are in the state "up" and show their PID (the "pnd" state is also
acceptable):
mdsstat
If some of the required daemons on a Domain Management Server
(Domain Log Server) are in the state "down", then wait for 5-10 minutes,
restart that Domain Management Server (Domain Log Server), and check
again. Run these three commands:
mdsstop_customer <IP Address or Name or IP of
Domain Management Server or Domain Log Server>
mdsstart_customer <IP Address or Name or IP of
Domain Management Server or Domain Log Server>
mdsstat

Important Note

If SmartLog does not work for a Domain Management Server with the modified IP address:
1. Connect with SmartConsole to that Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Domain Management Server object.

4. Make any change in the Domain Management Server object (for example, in the
Comment field).
5. Click OK.

6. Publish the SmartConsole session.

Installation and Upgrade Guide R81 | 537

 IPS in Multi-Domain Server Environment

IPS in Multi-Domain Server Environment

When you upgrade a Multi-Domain Server from to R7x to R81, the previous Domain IPS
configuration is overridden when you first assign a Global Policy.

Notes:
n If you manage IPS globally, you must reassign the Global Policies before
installing the policy on the managed Security Gateways.
n Starting in R80, the IPS subscription has changed. All Domains subscribed to
IPS, are automatically assigned to an "Exclusive" subscription. "Override" and
"Merge" subscriptions are no longer supported.
n For more on IPS in Multi-Domain Server environment, see the R81 Multi-
Domain Security Management Administration Guide.

Installation and Upgrade Guide R81 | 538

 Special Scenarios for Security Gateways

Special Scenarios for Security

Gateways
This section describes special scenarios for Security Gateways:
n "Deploying a Security Gateway in Monitor Mode" on page 540
n "Deploying a Security Gateway or a ClusterXL in Bridge Mode" on page 576
n "Security Before Firewall Activation" on page 647

Installation and Upgrade Guide R81 | 539

 Deploying a Security Gateway in Monitor Mode

Deploying a Security Gateway in Monitor Mode

Introduction to Monitor Mode
You can configure Monitor Mode on a single Check Point Security Gateway's interface.
The Check Point Security Gateway listens to traffic from a Mirror Port or Span Port on a
connected switch.
Use the Monitor Mode to analyze network traffic without changing the production environment.
The mirror port on a switch duplicates the network traffic and sends it to the Security Gateway
with an interface configured in Monitor Mode to record the activity logs.

You can use the Monitor Mode:

n To monitor the use of applications as a permanent part of your deployment
n To evaluate the capabilities of the Software Blades:
l The Security Gateway neither enforces any security policy, nor performs any active
operations (prevent / drop / reject) on the interface in the Monitor Mode.
l The Security Gateway terminates and does not forward all packets that arrive at
the interface in the Monitor Mode.
l The Security Gateway does not send any traffic through the interface in the Monitor
Mode.
Benefits of the Monitor Mode include:
n There is no risk to your production environment.
n It requires minimal set-up configuration.
n It does not require TAP equipment, which is expensive.

Installation and Upgrade Guide R81 | 540

 Deploying a Security Gateway in Monitor Mode

Example Topology for Monitor Mode

Item Description

1 Switch with a mirror or SPAN port that duplicates all incoming and outgoing
packets.
The Security Gateway connects to a mirror or SPAN port on the switch.

2 Servers.

3 Clients.

4 Security Gateway with an interface in Monitor Mode.

5 Security Management Server that manages the Security Gateway.

Supported Software Blades in Monitor Mode

This table lists Software Blades and their support for the Monitor Mode in a single Security
Gateway deployment.

Important - Check Point Cluster does not support the Monitor Mode.

Software Blade Support for the Monitor Mode

Firewall Fully supports the Monitor Mode.

Installation and Upgrade Guide R81 | 541

 Deploying a Security Gateway in Monitor Mode

Software Blade Support for the Monitor Mode

IPS These protections and features do not work:

n The SYN Attack protection (SYNDefender).
n The Initial Sequence Number (ISN) Spoofing protection.
n The Send error page action in Web Intelligence protections.
n Client and Server notifications about connection termination.

Application Does not support UserCheck.

Control

URL Filtering Does not support UserCheck.

Data Loss Does not support these:

Prevention
n UserCheck.
n The "Prevent" and "Ask User" actions - these are automatically
demoted to the "Inform User" action.
n FTP inspection.

Identity Does not support these:

Awareness
n Captive Portal.
n Identity Agent.

Threat Emulation Does not support these:

n The Emulation Connection Prevent Handling Modes
"Background" and "Hold". See sk106119.
n FTP inspection.

Content Does not support the FTP inspection.

Awareness

Anti-Bot Fully supports the Monitor Mode.

Anti-Virus Does not support the FTP inspection.

IPsec VPN Does not support the Monitor Mode.

Mobile Access Does not support the Monitor Mode.

Anti-Spam & Does not support the Monitor Mode.

Email Security

QoS Does not support the Monitor Mode.

Installation and Upgrade Guide R81 | 542

 Deploying a Security Gateway in Monitor Mode

Limitations in Monitor Mode

These features and deployments are not supported in Monitor Mode:
n Passing production traffic through a Security Gateway, on which you configured Monitor
Mode interface(s).
n If you configure more than one Monitor Mode interface on a Security Gateway, you must
make sure the Security Gateway does not receive the same traffic on the different
Monitor Mode interfaces.
n HTTPS Inspection
n NAT rules.
n HTTP / HTTPS proxy.
n Anti-Virus in Traditional Mode.
n User Authentication.
n Client Authentication.
n Check Point Active Streaming (CPAS).
n Cluster deployment.
n CloudGuard Gateways.
n CoreXL Dynamic Dispatcher (sk105261).
n Setting the value of the kernel parameters "psl_tap_enable" and "fw_tap_enable"
to 1 (one) on-the-fly with the "fw ctl set int" command (Issue ID 02386641).
For more information, see sk101670: Monitor Mode on Gaia OS and SecurePlatform OS.

Installation and Upgrade Guide R81 | 543

 Configuring a Single Security Gateway in Monitor Mode

Configuring a Single Security Gateway in Monitor Mode

Important:
n For Cloud-based services (for example, Social Network widgets and URL
Filtering), you must connect the Security Gateway in Monitor Mode to the
Internet.
n You must install valid license and contracts file on the Security Gateway in
Monitor Mode.

Note - This procedure applies to both Check Point Appliances and Open Servers.

Procedure:
1. Install the Security Gateway

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Management Connection window, select the interface,

through which you connect to Gaia operating system.

n In the Internet Connection window, do not configure IP addresses.
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, clear Unit is a part of a cluster,
type.
n In the Dynamically Assigned IP window, select No.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

2. Configure the Monitor Mode on the applicable interface

Installation and Upgrade Guide R81 | 544

 Configuring a Single Security Gateway in Monitor Mode

You can configure the Monitor Mode on an interface either in Gaia Portal, or Gaia
Clish.
Configuring the Monitor Mode in Gaia Portal

Step Instructions

1 With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia Management Interface>

2 In the left navigation tree, click Network Management > Network

Interfaces.

3 Select the applicable physical interface from the list and click Edit.

4 Select the Enable option to set the interface status to UP.

5 In the Comment field, enter the applicable comment text (up to 100
characters).

6 On the IPv4 tab, select Use the following IPv4 address, but do not
enter an IPv4 address.

7 On the IPv6 tab, select Use the following IPv6 address, but do not
enter an IPv6 address.
Important - This setting is available only after you enable the IPv6
Support in Gaia and reboot.

8 On the Ethernet tab:

n Select Auto Negotiation, or select a link speed and duplex

setting from the list.

n In the Hardware Address field, enter the Hardware MAC

address (if not automatically received from the NIC).

Caution - Do not manually change the MAC address unless
you are sure that it is incorrect or has changed. An incorrect
MAC address can lead to a communication failure.
n In the MTU field, enter the applicable Maximum Transmission

Unit (MTU) value (minimal value is 68, maximal value is 16000,

and default value is 1500).
n Select Monitor Mode.

9 Click OK.

Installation and Upgrade Guide R81 | 545

 Configuring a Single Security Gateway in Monitor Mode

Configuring the Monitor Mode in Gaia Clish

Step Instructions

1 Connect to the command line on the Security Gateway.

2 Log in to Gaia Clish.

3 Examine the configuration and state of the applicable physical

interface:
show interface <Name of Physical Interface>

4 If the applicable physical interface has an IP address assigned to it,

remove that IP address.
n To remove an IPv4 address:

delete interface <Name of Physical

Interface> ipv4-address
n To remove an IPv6 address:
delete interface <Name of Physical
Interface> ipv6-address

5 Enable the Monitor Mode on the physical interface:

set interface <Name of Physical Interface>
monitor-mode on

6 Configure other applicable settings on the interface in the Monitor

Mode:
set interface <Name of Physical Interface> ...

7 Examine the configuration and state of the Monitor Mode interface:

show interface <Name of Physical Interface>

8 Save the configuration:

save config

3. Configure the Security Gateway object in SmartConsole

You can configure the Security Gateway object in SmartConsole either in Wizard
Mode, or in Classic Mode.

Installation and Upgrade Guide R81 | 546

 Configuring a Single Security Gateway in Monitor Mode

Configuring the Security Gateway object in Wizard Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this Security
Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Security Gateway object in one of these ways:

n From the top toolbar, click the New ( ) > Gateway.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > New Gateway.

n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Gateway.

4 In the Check Point Security Gateway Creation window, click Wizard

Mode.

5 On the General Properties page:

a. In the Gateway name field, enter the applicable name for this
Security Gateway object.
b. In the Gateway platform field, select the correct hardware type.
c. In the Gateway IP address section, select Static IP address and
configure the same IPv4 and IPv6 addresses that you configured
on the Management Connection page of the Security Gateway's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
d. Click Next.

6 On the Trusted Communication page:

a. Select the applicable option:
n If you selected Initiate trusted communication now, enter

the same Activation Key you entered during the Security

Gateway's First Time Configuration Wizard.
n If you selected Skip and initiate trusted communication

later, make sure to follow Step 7.

b. Click Next.

Installation and Upgrade Guide R81 | 547

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

7 On the End page:

a. Examine the Configuration Summary.
b. Select Edit Gateway properties for further configuration.
c. Click Finish.
Check Point Gateway properties window opens on the General
Properties page.

8 If during the Wizard Mode, you selected Skip and initiate trusted
communication later:
a. The Secure Internal Communication field shows Uninitialized.
b. Click Communication.
c. In the Platform field:
n Select Open server / Appliance for all Check Point models

3000 and higher.

n Select Open server / Appliance for an Open Server.

d. Enter the same Activation Key you entered during the Security
Gateway's First Time Configuration Wizard.
e. Click Initialize.
Make sure the Certificate state field shows Established.
f. Click OK.

9 On the Network Security tab, make sure to enable only the Firewall
Software Blade.

10 On the Network Management page:

a. Click Get Interfaces > Get Interfaces With Topology.
b. Confirm the interfaces information.

Installation and Upgrade Guide R81 | 548

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

11 Select the interface in the Monitor Mode and click Edit.

Configure these settings:
a. Click the General page.
b. In the General section, enter a random IPv4 address.
Important - This random IPv4 address must not conflict with
existing IPv4 addresses on your network.
c. In the Topology section:
Click Modify.
In the Leads To section, select Not defined (Internal).
In the Security Zone section, select According to topology:
Internal Zone.
Click OK to close the Topology Settings window.
d. Click OK to close the Interface window.

12 Click OK.

13 Publish the SmartConsole session.

14 This Security Gateway object is now ready to receive the Security

Policy.

Configuring the Security Gateway in Classic Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this Security
Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Security Gateway object in one of these ways:

n From the top toolbar, click the New ( ) > Gateway.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > New Gateway.

n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Gateway.

4 In the Check Point Security Gateway Creation window, click Classic

Mode.
Check Point Gateway properties window opens on the General
Properties page.

Installation and Upgrade Guide R81 | 549

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

5 In the Name field, enter the applicable name for this Security Gateway
object.

6 In the IPv4 address and IPv6 address fields, configure the same IPv4
and IPv6 addresses that you configured on the Management
Connection page of the Security Gateway's First Time Configuration
Wizard.
Make sure the Security Management Server or Multi-Domain Server
can connect to these IP addresses.

7 Establish the Secure Internal Communication (SIC) between the

Management Server and this Security Gateway:
a. Near the Secure Internal Communication field, click
Communication.
b. In the Platform field:
n Select Open server / Appliance for all Check Point models

3000 and higher.

n Select Open server / Appliance for an Open Server.

c. Enter the same Activation Key you entered during the Security
Gateway's First Time Configuration Wizard.
d. Click Initialize.
e. Click OK.

If the Certificate state field does not show Established, perform

these steps:
a. Connect to the command line on the Security Gateway.
b. Make sure there is a physical connectivity between the Security
Gateway and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

Installation and Upgrade Guide R81 | 550

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

8 In the Platform section, select the correct options:

a. In the Hardware field:
n If you install the Security Gateway on a Check Point

Appliance, select the correct appliances series.

n If you install the Security Gateway on an Open Server,

select Open server.

b. In the Version field, select R81.
c. In the OS field, select Gaia.

9 On the Network Security tab, make sure to enable only the Firewall
Software Blade.

Important - Do not select anything on the Management tab.

10 On the Network Management page:

a. Click Get Interfaces > Get Interfaces With Topology.
b. Confirm the interfaces information.

11 Select the interface in the Monitor Mode and click Edit.

Configure these settings:
a. Click the General page.
b. In the General section, enter a random IPv4 address.
Important - This random IPv4 address must not conflict with
existing IPv4 addresses on your network.
c. In the Topology section:
Click Modify.
In the Leads To section, select Not defined (Internal).
In the Security Zone section, select According to topology:
Internal Zone.
Click OK to close the Topology Settings window.
d. Click OK to close the Interface window.

12 Click OK.

13 Publish the SmartConsole session.

14 This Security Gateway object is now ready to receive the Security

Policy.

4. Configure the Security Gateway to process packets that arrive in the wrong order

Installation and Upgrade Guide R81 | 551

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

1 Connect to the command line on the Security Gateway.

2 Log in to the Expert mode.

3 Modify the $FWDIR/boot/modules/fwkern.conf file:

a. Back up the current $FWDIR/boot/modules/fwkern.conf
file:
cp -v $FWDIR/boot/modules/fwkern.conf{,_
BKP}
If this file does not exist, create it:
touch $FWDIR/boot/modules/fwkern.conf
b. Edit the current $FWDIR/boot/modules/fwkern.conf file:
vi $FWDIR/boot/modules/fwkern.conf
Important - This configuration file does not support spaces
or comments.
c. Add this line to enable the Passive Streaming Layer (PSL) Tap
Mode:
psl_tap_enable=1
d. Add this line to enable the Firewall Tap Mode:
fw_tap_enable=1
e. Save the changes in the file and exit the Vi editor.

4 Modify the $PPKDIR/conf/simkern.conf file:

a. Back up the current $PPKDIR/conf/simkern.conf file:
cp -v $PPKDIR/conf/simkern.conf{,_BKP}
If this file does not exist, create it:
touch $PPKDIR/conf/simkern.conf
b. Edit the current $PPKDIR/conf/simkern.conf file:
vi $PPKDIR/conf/simkern.conf
Important - This configuration file does not support spaces
or comments.
c. Add this line to enable the Firewall Tap Mode:
fw_tap_enable=1
d. Save the changes in the file and exit the Vi editor.

Installation and Upgrade Guide R81 | 552

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

5 Reboot the Security Gateway.

6 Make sure the Security Gateway loaded the new configuration:

a. Examine the status of the PSL Tap Mode:
fw ctl get int psl_tap_enable
Output must show:
psl_tap_enable = 1
b. Examine the status of the Firewall Tap Mode:
fw ctl get int fw_tap_enable
Output must show:
fw_tap_enable = 1

Notes:
n This configuration helps the Security Gateway process packets that

arrive in the wrong or abnormal order (for example, TCP [SYN-ACK]

arrives before TCP [SYN]).
n This configuration helps the Security Gateway work better for the first

10-30 minutes when it processes connections, in which the TCP [SYN]

packets did not arrive.
n This configuration is also required when you use a TAP device or Mirror

/ Span ports with separated TX/RX queues.

n This configuration will make the Mirror Port on Security Gateway work

better for the first 10-30 minutes when processing connections, in which
the TCP-SYN packet did not arrive.
n It is not possible to set the value of the kernel parameters "psl_tap_

enable" and "fw_tap_enable" on-the-fly with the "fw ctl set

int <parameter>" command (Known Limitation 02386641).

5. Configure the required Global Properties for the Security Gateway in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Target Domain Management Server that manages this Security
Gateway.

2 In the top left corner, click Menu > Global properties.

Installation and Upgrade Guide R81 | 553

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

3 From the left tree, click the Stateful Inspection pane and configure:
a. In the Default Session Timeouts section:
i. Change the value of the TCP session timeout from the
default 3600 to 60 seconds.
ii. Change the value of the TCP end timeout from the default 20
to 5 seconds.
b. In the Out of state packets section, you must clear all the boxes.
Otherwise, the Security Gateway drops the traffic as out of state
(because the traffic does not pass through the Security Gateway, it
does not record the state information for the traffic).

4 From the left tree, click the Advanced page > click the Configure button,
and configure:
a. Click FireWall-1 > Stateful Inspection.
b. Clear reject_x11_in_any.
c. Click OK to close the Advanced Configuration window.

5 Click OK to close the Global Properties window.

6 Publish the SmartConsole session.

6. Configure the required Access Control Policy for the Security Gateway in SmartConsole

Ste
Instructions
p

1 Connect with SmartConsole to the Security Management Server or Domain

Management Server that manages this Security Gateway.

2 From the left navigation panel, click Security Policies.

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press the CTRL T keys).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy and
configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

Installation and Upgrade Guide R81 | 554

 Configuring a Single Security Gateway in Monitor Mode

Ste
Instructions
p

4 Create the Access Control rule that accepts all traffic:

Services
Inst
N Nam Sour Destinat VP & Acti Trac
all
o e ce ion N Applicati on k
On
ons

1 Accept *Any *Any Any *Any Accept Log Object

All of
Securit
y
Gatewa
y
in
Monitor
Mode

5
Best Practice

We recommend these Aggressive Aging settings for the most common TCP
connections:
a. In the SmartConsole, click Objects menu > Object Explorer.
b. Open Services and select TCP.
c. Search for the most common TCP connections in this network.
d. Double-click the applicable TCP service.
e. From the left tree, click Advanced.
f. At the top, select Override default settings.
On Domain Management Server, select Override global domain
settings.
g. Select Match for 'Any'.
h. In the Aggressive aging section:
Select Enable aggressive aging.
Select Specific and enter 60.
i. Click OK.
j. Close the Object Explorer.

6 Publish the SmartConsole session.

7 Install the Access Control Policy on the Security Gateway object.

7. Make sure the Security Gateway enabled the Monitor Mode for Software Blades

Step Instructions

1 Connect to the command line on the Security Gateway.

Installation and Upgrade Guide R81 | 555

 Configuring a Single Security Gateway in Monitor Mode

Step Instructions

2 Log in to the Expert mode.

3 Install the default policy on the VSX Gateway object:

Make sure the parameter fw_span_port_mode is part of the installed
policy:
grep -A 3 -r fw_span_port_mode
$FWDIR/state/local/*
The returned output must show:
:val (true)

8. Connect the Security Gateway to the switch

On the Security Gateway, connect the interface in the Monitor Mode to the mirror or
SPAN port on the switch.

For more information, see the:

n R81 Gaia Administration Guide.
n R81 Security Management Administration Guide.

Installation and Upgrade Guide R81 | 556

 Configuring a Single VSX Gateway in Monitor Mode

Configuring a Single VSX Gateway in Monitor Mode

Important:
n For Cloud-based services (for example, Social Network widgets and URL
Filtering), you must connect the VSX Gateway in Monitor Mode to the Internet
(also, see sk79700 and sk106496).
n You must install valid license and contracts file on the VSX Gateway in Monitor
Mode.

Note - This procedure applies to both Check Point Appliances and Open Servers.

Procedure:
1. Install the VSX Gateway

Important - Make sure the VSX Gateway has enough physical interfaces.

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Management Connection window, select the interface,

through which you connect to Gaia operating system.

n In the Internet Connection window, do not configure IP addresses.
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, clear Unit is a part of a cluster,
type.
n In the Dynamically Assigned IP window, select No.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

2. Configure the Monitor Mode on the applicable interface

Installation and Upgrade Guide R81 | 557

 Configuring a Single VSX Gateway in Monitor Mode

You can configure the Monitor Mode on an interface either in Gaia Portal, or Gaia
Clish.
Configuring the Monitor Mode in Gaia Portal

Step Instructions

1 With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia Management Interface>

2 In the left navigation tree, click Network Management > Network

Interfaces.

3 Select the applicable physical interface from the list and click Edit.

4 Select the Enable option to set the interface status to UP.

5 In the Comment field, enter the applicable comment text (up to 100
characters).

6 On the IPv4 tab, select Use the following IPv4 address, but do not
enter an IPv4 address.

7 On the IPv6 tab, select Use the following IPv6 address, but do not
enter an IPv6 address.
Important - This setting is available only after you enable the IPv6
Support in Gaia and reboot.

8 On the Ethernet tab:

n Select Auto Negotiation, or select a link speed and duplex

setting from the list.

n In the Hardware Address field, enter the Hardware MAC

address (if not automatically received from the NIC).

Caution - Do not manually change the MAC address unless
you are sure that it is incorrect or has changed. An incorrect
MAC address can lead to a communication failure.
n In the MTU field, enter the applicable Maximum Transmission

Unit (MTU) value (minimal value is 68, maximal value is 16000,

and default value is 1500).
n Select Monitor Mode.

9 Click OK.

Installation and Upgrade Guide R81 | 558

 Configuring a Single VSX Gateway in Monitor Mode

Configuring the Monitor Mode in Gaia Clish

Step Instructions

1 Connect to the command line on the Security Gateway.

2 Log in to Gaia Clish.

3 Examine the configuration and state of the applicable physical

interface:
show interface <Name of Physical Interface>

4 If the applicable physical interface has an IP address assigned to it,

remove that IP address.
n To remove an IPv4 address:

delete interface <Name of Physical

Interface> ipv4-address
n To remove an IPv6 address:
delete interface <Name of Physical
Interface> ipv6-address

5 Enable the Monitor Mode on the physical interface:

set interface <Name of Physical Interface>
monitor-mode on

6 Configure other applicable settings on the interface in the Monitor

Mode:
set interface <Name of Physical Interface> ...

7 Examine the configuration and state of the Monitor Mode interface:

show interface <Name of Physical Interface>

8 Save the configuration:

save config

3. Configure the VSX Gateway to process packets that arrive in the wrong order

Step Instructions

1 Connect to the command line on the VSX Gateway.

Installation and Upgrade Guide R81 | 559

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

2 Log in to the Expert mode.

3 Modify the $FWDIR/boot/modules/fwkern.conf file:

a. Back up the current $FWDIR/boot/modules/fwkern.conf
file:
cp -v $FWDIR/boot/modules/fwkern.conf{,_
BKP}
If this file does not exist, create it:
touch $FWDIR/boot/modules/fwkern.conf
b. Edit the current $FWDIR/boot/modules/fwkern.conf file:
vi $FWDIR/boot/modules/fwkern.conf
Important - This configuration file does not support spaces
or comments.
c. Add this line to enable the Passive Streaming Layer (PSL) Tap
Mode:
psl_tap_enable=1
d. Add this line to enable the Firewall Tap Mode:
fw_tap_enable=1
e. Save the changes in the file and exit the Vi editor.

4 Modify the $PPKDIR/conf/simkern.conf file:

a. Back up the current $PPKDIR/conf/simkern.conf file:
cp -v $PPKDIR/conf/simkern.conf{,_BKP}
If this file does not exist, create it:
touch $PPKDIR/conf/simkern.conf
b. Edit the current $PPKDIR/conf/simkern.conf file:
vi $PPKDIR/conf/simkern.conf
Important - This configuration file does not support spaces
or comments.
c. Add this line to enable the Firewall Tap Mode:
fw_tap_enable=1
d. Save the changes in the file and exit the Vi editor.

5 Reboot the VSX Gateway.

Installation and Upgrade Guide R81 | 560

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

6 Make sure the VSX Gateway loaded the new configuration:

a. Examine the status of the PSL Tap Mode:
fw ctl get int psl_tap_enable
Output must show:
psl_tap_enable = 1
b. Examine the status of the Firewall Tap Mode:
fw ctl get int fw_tap_enable
Output must show:
fw_tap_enable = 1

Notes:
n This configuration helps the VSX Gateway process packets that arrive

in the wrong or abnormal order (for example, TCP [SYN-ACK] arrives

before TCP [SYN]).
n This configuration helps the VSX Gateway work better for the first 10-30

minutes when it processes connections, in which the TCP [SYN]

packets did not arrive.
n This configuration is also required when you use a TAP device or Mirror

/ Span ports with separated TX/RX queues.

n This configuration will make the Mirror Port on VSX Gateway work

better for the first 10-30 minutes when processing connections, in which
the TCP-SYN packet did not arrive.
n It is not possible to set the value of the kernel parameters "psl_tap_

enable" and "fw_tap_enable" on-the-fly with the "fw ctl set

int <parameter>" command (Known Limitation 02386641).

4. Configure the VSX Gateway object in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or Main

Domain Management Server that should manage this VSX Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new VSX Gateway object in one of these ways:

n From the top toolbar, click the New ( ) > VSX > Gateway.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > VSX > New Gateway.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > VSX > Gateway.
The VSX Gateway Wizard opens.

Installation and Upgrade Guide R81 | 561

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

4 On the VSX Gateway General Properties (Specify the object's basic

settings) page:
a. In the Enter the VSX Gateway Name field, enter the applicable
name for this VSX Gateway object.
b. In the Enter the VSX Gateway IPv4 field, enter the same IPv4
address that you configured on the Management Connection page
of the VSX Gateway's First Time Configuration Wizard.
c. In the Enter the VSX Gateway IPv6 field, enter the same IPv6
address that you configured on the Management Connection page
of the VSX Gateway's First Time Configuration Wizard.
d. In the Select the VSX Gateway Version field, select R81.
e. Click Next.

5 On the VSX Gateway General Properties (Secure Internal

Communication) page:
a. In the Activation Key field, enter the same Activation Key you
entered during the VSX Gateway's First Time Configuration Wizard.
b. In the Confirm Activation Key field, enter the same Activation Key
again.
c. Click Initialize.
d. Click Next.

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the VSX Gateway.
b. Make sure there is a physical connectivity between the VSX
Gateway and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation Key.
f. In SmartConsole, on the VSX Gateway General Properties page,
click Reset.
g. Enter the same Activation Key you entered in the cpconfig menu.
h. In SmartConsole, click Initialize.

Installation and Upgrade Guide R81 | 562

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

6 On the VSX Gateway Interfaces (Physical Interfaces Usage) page:

a. Examine the list of the interfaces - it must show all the physical
interfaces on the VSX Gateway.
b. If you plan to connect more than one Virtual System directly to the
same physical interface, you must select VLAN Trunk for that
physical interface.
c. Click Next.

7 On the Virtual Network Device Configuration (Specify the object's

basic settings) page:
a. You can select Create a Virtual Network Device and configure the
first applicable Virtual Network Device at this time (we recommend
to do this later) - Virtual Switch or Virtual Router.
b. Click Next.

8 On the VSX Gateway Management (Specify the management access

rules) page:
a. Examine the default access rules.
b. Select the applicable default access rules.
c. Configure the applicable source objects, if needed.
d. Click Next.
Important - These access rules apply only to the VSX Gateway
(context of VS0), which is not intended to pass any "production"
traffic.

9 On the VSX Gateway Creation Finalization page:

a. Click Finish and wait for the operation to finish.
b. Click View Report for more information.
c. Click Close.

10 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

Installation and Upgrade Guide R81 | 563

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

11 Install the default policy on the VSX Gateway object:

a. Click Install Policy.
b. In the Policy field, select the default policy for this VSX Gateway
object.
This policy is called:
<Name of VSX Gateway object>_VSX
c. Click Install.

12 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

5. Configure the Virtual System object (and other Virtual Devices) in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server, or each

Target Domain Management Server that should manage each Virtual
Device.

2 Configure the applicable Virtual System (and other Virtual Devices) on

this VSX Gateway.
When you configure this Virtual System, for the Monitor Mode interface,
add a regular interface. In the IPv4 Configuration section, enter a
random IPv4 address.
Important - This random IPv4 address must not conflict with existing
IPv4 addresses on your network.

3 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

Installation and Upgrade Guide R81 | 564

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

4 Disable the Anti-Spoofing on the interface that is configured in the

Monitor Mode:
a. In the SmartConsole, open the Virtual System object.
b. Click the Topology page.
c. Select the Monitor Mode interface and click Edit.
The Interface Properties window opens.
d. Click the General tab.
e. In the Security Zone field, select None.
f. Click the Topology tab.
g. In the Topology section, make sure the settings are Internal (leads
to the local network) and Not Defined.
h. In the Anti-Spoofing section, clear Perform Anti-Spoofing based
on interface topology.
i. Click OK to close the Interface Properties window.
j. Click OK to close the Virtual System Properties window.
k. The Management Server pushes the VSX Configuration.

6. Configure the required Global Properties for the Virtual System in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Target Domain Management Server that manages this Virtual System.

2 In the top left corner, click Menu > Global properties.

3 From the left tree, click the Stateful Inspection pane and configure:
a. In the Default Session Timeouts section:
i. Change the value of the TCP session timeout from the
default 3600 to 60 seconds.
ii. Change the value of the TCP end timeout from the default 20
to 5 seconds.
b. In the Out of state packets section, you must clear all the boxes.
Otherwise, the Virtual System drops the traffic as out of state
(because the traffic does not pass through the Virtual System, it
does not record the state information for the traffic).

4 From the left tree, click the Advanced page > click the Configure button,
and configure:
a. Click FireWall-1 > Stateful Inspection.
b. Clear reject_x11_in_any.
c. Click OK to close the Advanced Configuration window.

Installation and Upgrade Guide R81 | 565

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

5 Click OK to close the Global Properties window.

6 Publish the SmartConsole session.

7. Configure the required Access Control policy for the Virtual System in SmartConsole

Ste
Instructions
p

1 Connect with SmartConsole to the Security Management Server or Target

Domain Management Server that manages this Virtual System.

2 From the left navigation panel, click Security Policies.

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press the CTRL T keys).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy and
configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

4 Create the Access Control rule that accepts all traffic:

Services
Inst
N Nam Sour Destinat VP & Acti Trac
all
o e ce ion N Applicati on k
On
ons

1 Accept *Any *Any Any *Any Accept Log Object

All of
Virtual
System

Installation and Upgrade Guide R81 | 566

 Configuring a Single VSX Gateway in Monitor Mode

Ste
Instructions
p

5
Best Practice

We recommend these Aggressive Aging settings for the most common TCP
connections:
a. In the SmartConsole, click Objects menu > Object Explorer.
b. Open Services and select TCP.
c. Search for the most common TCP connections in this network.
d. Double-click the applicable TCP service.
e. From the left tree, click Advanced.
f. At the top, select Override default settings.
On Domain Management Server, select Override global domain
settings.
g. Select Match for 'Any'.
h. In the Aggressive aging section:
n Select Enable aggressive aging.
n Select Specific and enter 60.

i. Click OK.
j. Close the Object Explorer.

6 Publish the SmartConsole session.

7 Install the Access Control Policy on the Virtual System object.

a. Click Install Policy.
b. In the Policy field, select the applicable policy for this Virtual System
object.
c. Click Install.

8 Examine the VSX configuration:

a. Connect to the command line on the VSX Gateway.
b. Log in to the Expert mode.
c. Run:
vsx stat -v

8. Make sure the VSX Gateway enabled the Monitor Mode for Software Blades

Step Instructions

1 Connect to the command line on the VSX Gateway.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 567

 Configuring a Single VSX Gateway in Monitor Mode

Step Instructions

3 Install the default policy on the VSX Gateway object:

Make sure the parameter fw_span_port_mode is part of the installed
policy:
grep -A 3 -r fw_span_port_mode
$FWDIR/state/local/*
The returned output must show:
:val (true)

9. Connect the VSX Gateway to the switch

On the VSX Gateway, connect the interface in the Monitor Mode to the mirror or SPAN
port on the switch.

For more information, see the:

n R81 Gaia Administration Guide.
n R81 VSX Administration Guide.
n R81 Security Management Administration Guide.

Installation and Upgrade Guide R81 | 568

 Configuring Specific Software Blades for Monitor Mode

Configuring Specific Software Blades for Monitor Mode

This section shows how to configure specific Software Blades for Monitor Mode.

Note - For VSX, see:

n sk79700: VSX supported features on R75.40VS and above
n sk106496: Software Blades updates on VSX R75.40VS and above
- FAQ

Installation and Upgrade Guide R81 | 569

 Configuring the Threat Prevention Software Blades for Monitor Mode

Configuring the Threat Prevention Software Blades for Monitor Mode

Configure the settings below, if you enabled one of the Threat Prevention Software Blades
(IPS, Anti-Bot, Anti-Virus, Threat Emulation or Threat Extraction) on the Security Gateway in
Monitor Mode:

Step Instructions

1 Connect with SmartConsole to the Security Management Server or Domain

Management Server that manages this Security Gateway.

2 From the left navigation panel, click Security Policies > Threat Prevention.

3 Create the Threat Prevention rule that accepts all traffic:

Protected
Protection/Site/File/Blade Action Track
Scope

*Any -- N/A Applicable Log

Threat Packet
Prevention Capture
Profile
Notes:
n We recommend the Optimized profile.
n The Track setting Packet Capture is optional.

4 Right-click the selected Threat Prevention profile and click Edit.

5 From the left tree, click the General Policy page and configure:
a. In the Blades Activation section, select the applicable Software Blades.
b. In the Activation Mode section:
n In the High Confidence field, select Detect.
n In the Medium Confidence field, select Detect.
n In the Low Confidence field, select Detect.

6 From the left tree, click the Anti-Virus page and configure:
a. In the Protected Scope section, select Inspect incoming and outgoing
files.
b. In the File Types section:
n Select Process all file types.
n Optional: Select Enable deep inspection scanning (impacts

performance).
c. Optional: In the Archives section, select Enable Archive scanning
(impacts performance).

Installation and Upgrade Guide R81 | 570

 Configuring the Threat Prevention Software Blades for Monitor Mode

Step Instructions

7 From the left tree, click the Threat Emulation page > click General and configure:
n In the Protected Scope section, select Inspect incoming files from the
following interfaces and from the menu, select All.

8 Configure other applicable settings for the Software Blades.

9 Click OK.

10 Install the Threat Prevention Policy on the Security Gateway object.

For more information:

See the R81 Threat Prevention Administration Guide.

Installation and Upgrade Guide R81 | 571

 Configuring the Application Control and URL Filtering Software Blades for Monitor Mode

Configuring the Application Control and URL Filtering Software Blades

for Monitor Mode
Configure the settings below, if you enabled Application Control or URL Filtering Software
Blade on the Security Gateway in Monitor Mode:

Step Instructions

1 Connect with SmartConsole to the Security Management Server or Domain

Management Server that manages this Security Gateway.

2 From the left navigation panel, click Manage & Settings > Blades.

3 In the Application Control & URL Filtering section, click Advanced Settings.
The Application Control & URL Filtering Settings window opens.

4 On the General page:

n In the Fail mode section, select Allow all requests (fail-open).
n In the URL Filtering section, select Categorize HTTPS websites.

5 On the Check Point online web service page:

n In the Website categorization mode section, select Background.
n Select Categorize social networking widgets.

6 Click OK to close the Application Control & URL Filtering Settings window.

7 Install the Access Control Policy on the Security Gateway object.

For more information, see the:

n R81 Security Management Administration Guide.
n R81 Quantum Security Gateway Guide.

Installation and Upgrade Guide R81 | 572

 Configuring the Data Loss Prevention Software Blade for Monitor Mode

Configuring the Data Loss Prevention Software Blade for Monitor Mode
Configure the settings below, if you enabled the Data Loss Prevention Software Blade on the
Security Gateway in Monitor Mode:

Step Instructions

1 Connect with SmartConsole to the Security Management Server or Domain

Management Server that manages this Security Gateway.

2 From the left navigation panel, click Manage & Settings > Blades.

3 In the Data Loss Prevention section, click Configure in SmartDashboard.

The SmartDashboard window opens.

4 In SmartDashboard:
a. Click the My Organization page.
b. In the Email Addresses or Domains section, configure with full list of
company's domains.
There is no need to include subdomains (for example, mydomain.com,
mydomain.uk).
c. In the Networks section, select Anything behind the internal interfaces of
my DLP gateways.
d. In the Users section, select All users.

5 Click the Policy page.

Configure the applicable rules:
n In the Data column, right-click the pre-defined data types and select Edit.
l On the General Properties page, in the Flag field, select Improve

Accuracy.
l In the Customer Names data type, we recommend to add the

company's real customer names.

n In the Action column, you must select Detect.
n In the Severity column, select Critical or High in all applicable rules.
n You may choose to disable or delete rules that are not applicable to the
company or reduce the Severity of these rules.

Note - Before you can configure the DLP rules, you must configure the
applicable objects in SmartConsole.

Installation and Upgrade Guide R81 | 573

 Configuring the Data Loss Prevention Software Blade for Monitor Mode

Step Instructions

6 Click the Additional Settings > Protocols page.

Configure these settings:
n In the Email section, select SMTP (Outgoing Emails).
n In the Web section, select HTTP. Do not configure the HTTPS.
n In the File Transfer section, do not select FTP.

7 Click Launch Menu > File > Update (or press the CTRL S keys).

8 Close the SmartDashboard.

9 Install the Access Control Policy on the Security Gateway object.

10 Make sure the Security Gateway enabled the SMTP Mirror Port Mode:
a. Connect to the command line on the Security Gateway.
b. Log in to the Expert mode.
c. Run this command:
dlp_smtp_mirror_port status
d. Make sure the value of the kernel parameter dlp_force_smtp_kernel_
inspection is set to 1 (one).
Run these two commands:
fw ctl get int dlp_force_smtp_kernel_inspection
grep dlp_force_smtp_kernel_inspection
$FWDIR/boot/modules/fwkern.conf

For more information:

See the R81 Data Loss Prevention Administration Guide.

Installation and Upgrade Guide R81 | 574

 Configuring the Security Gateway in Monitor Mode Behind a Proxy Server

Configuring the Security Gateway in Monitor Mode Behind a

Proxy Server
If you connect a Proxy Server between the Security Gateway in Monitor Mode and the switch,
then configure these settings to see Source IP addresses and Source Users in the Security
Gateway logs:

Step Instructions

1 On the Proxy Server, configure the "X Forward-For header".

See the applicable documentation for your Proxy Server.

2 On the Security Gateway in Monitor Mode, enable the stripping of the X-Forward-
For (XFF) field.
Follow the sk100223: How to enable stripping of X-Forward-For (XFF) field.

Installation and Upgrade Guide R81 | 575

 Deploying a Security Gateway or a ClusterXL in Bridge Mode

Deploying a Security Gateway or a ClusterXL in

Bridge Mode
Introduction to Bridge Mode
If you cannot divide the existing network into several networks with different IP addresses, you
can install a Check Point Security Gateway (or a ClusterXL) in the Bridge Mode.
A Security Gateway (or ClusterXL) in Bridge Mode is invisible to Layer 3 traffic.
When traffic arrives at one of the bridge subordinate interfaces, the Security Gateway (or
Cluster Members) inspects it and passes it to the second bridge subordinate interface.

Supported Software Blades in Bridge Mode

This table lists Software Blades, features, and their support for the Bridge Mode.
This table applies to single Security Gateway deployment, ClusterXL (with one switch) in
Active/Active and Active/Standby deployment, and ClusterXL with four switches.

Support of
a Support of a
Support of VSX
Security ClusterXL
Software Blade Virtual Systems
Gateway in Bridge
in Bridge Mode
in Bridge Mode
Mode

Firewall

IPS

URL Filtering

DLP

Anti-Bot

Anti-Virus (1) (1) (1)

Application Control

HTTPS Inspection (2) (2)

Identity Awareness (3) (3)

Installation and Upgrade Guide R81 | 576

 Deploying a Security Gateway or a ClusterXL in Bridge Mode

Support of
a Support of a
Support of VSX
Security ClusterXL
Software Blade Virtual Systems
Gateway in Bridge
in Bridge Mode
in Bridge Mode
Mode

Threat Emulation - ThreatCloud Yes in

emulation Active/Active
Bridge Mode
No in
Active/Standby
Bridge Mode

Threat Emulation - Local emulation No in all Bridge

Modes

Threat Emulation - Remote emulation Yes in

Active/Active
Bridge Mode
No in
Active/Standby
Bridge Mode

Threat Extraction Yes in

Active/Active
Bridge Mode
No in
Active/Standby
Bridge Mode

UserCheck

QoS
(see (see (see sk79700)
sk89581) sk89581)

HTTP / HTTPS proxy

Security Servers - SMTP, HTTP, FTP,

POP3

Client Authentication

User Authentication

Installation and Upgrade Guide R81 | 577

 Deploying a Security Gateway or a ClusterXL in Bridge Mode

Support of
a Support of a
Support of VSX
Security ClusterXL
Software Blade Virtual Systems
Gateway in Bridge
in Bridge Mode
in Bridge Mode
Mode

Multi-Portal (Mobile Access Portal,

Identity Awareness Captive Portal, Data
Loss Prevention Portal, and so on)

IPsec VPN

Mobile Access

Notes:
1. Does not support the Anti-Virus in Traditional Mode.
2. HTTPS Inspection in Layer 2 works as Man-in-the-Middle, based on MAC
addresses:
n Client sends a TCP [SYN] packet to the MAC address X.
n Security Gateway creates a TCP [SYN-ACK] packet and sends it to the

MAC address X.
n Security Gateway in Bridge Mode does not need IP addresses, because

CPAS takes the routing and the MAC address from the original packet.
Note - To be able to perform certificate validation (CRL/OCSP download),
Security Gateway needs at least one interface to be assigned with an IP
address. Probe bypass can have issues with Bridge Mode. Therefore, we do not
recommend Probe bypass in Bridge Mode configuration.
3. Identity Awareness in Bridge Mode supports only the AD Query authentication.

Installation and Upgrade Guide R81 | 578

 Deploying a Security Gateway or a ClusterXL in Bridge Mode

Limitations in Bridge Mode

You can configure only two subordinate interfaces in a single Bridge interface. You can think
of this Bridge interface as a two-port Layer 2 switch. Each port can be a Physical interface, a
VLAN interface, or a Bond interface.
These features and deployments are not supported in Bridge Mode:
n Assigning an IP address to a Bridge interface in ClusterXL.
n NAT rules (specifically, Firewall kernel in logs shows the traffic as accepted, but Security
Gateway does not actually forward it). For more information, see sk106146.
n Access to Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data
Loss Prevention Portal, and so on) from bridged networks, if the bridge does not have an
assigned IP address.
n Clusters with more than two Cluster Members..
n Full High Availability Cluster.
n Asymmetric traffic inspection in ClusterXL in Active/Active Bridge Mode.
(Asymmetric traffic inspection is any situation, where the Client-to-Server packet is
inspected by one Cluster Member, while the Server-to-Client packet is inspected by the
other Cluster Member. In such scenarios, several security features do not work.)
For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.

Installation and Upgrade Guide R81 | 579

 Configuring a Single Security Gateway in Bridge Mode

Configuring a Single Security Gateway in Bridge Mode

Note - This procedure applies to both Check Point Appliances and Open Servers.

Example Topology for a single Security Gateway

Item Description

1 Network, which an administrator needs to divide into two Layer 2 segments.

The Security Gateway in Bridge Mode connects between these segments.

2 First network segment.

3 Switch that connects the first network segment to one bridged subordinate
interface (4) on the Security Gateway in Bridge Mode.

4 One bridged subordinate interface (for example, eth1) on the Security

Gateway in Bridge Mode.

5 Security Gateway in Bridge Mode.

6 Another bridged subordinate interface (for example, eth2) on the Security

Gateway in Bridge Mode.

7 Dedicated Gaia Management Interface (for example, eth0) on the Security

Gateway.

8 Switch that connects the second network segment to the other bridged
subordinate interface (6) on the Security Gateway in Bridge Mode.

9 Second network segment.

Installation and Upgrade Guide R81 | 580

 Configuring a Single Security Gateway in Bridge Mode

Procedure:
1. Install the Security Gateway

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Management Connection window, select the interface,

through which you connect to Gaia operating system.

n In the Internet Connection window, do not configure IP addresses.
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, clear Unit is a part of a cluster,
type.
n In the Dynamically Assigned IP window, select No.
n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

2. Configure the Bridge interface on the Security Gateway

You configure the Bridge interface in either Gaia Portal, or Gaia Clish.
Configuring the Bridge interface in Gaia Portal

Step Instructions

1 In the left navigation tree, click Network Management > Network

Interfaces.

2 Make sure that the subordinate interfaces, which you wish to add to the
Bridge interface, do not have IP addresses assigned.

Installation and Upgrade Guide R81 | 581

 Configuring a Single Security Gateway in Bridge Mode

Step Instructions

3 Click Add > Bridge.

To configure an existing Bridge interface, select the Bridge interface
and click Edit.

4 On the Bridge tab, enter or select a Bridge Group ID (unique integer

between 1 and 1024).

5 Select the interfaces from the Available Interfaces list and then click
Add.
Notes:
n Make sure that the subordinate interfaces do not have any

IP addresses or aliases configured.

n Do not select the interface that you configured as Gaia

Management Interface.
n A Bridge interface in Gaia can contain only two subordinate

interfaces.

6 On the IPv4 tab, enter the IPv4 address and subnet mask.
You can optionally select the Obtain IPv4 Address automatically
option.

7 On the IPv6 tab (optional), enter the IPv6 address and mask length.
You can optionally select the Obtain IPv6 Address automatically
option.

Important - First, you must enable the IPv6 Support and reboot.

8 Click OK.

Note - The name of a Bridge interface in Gaia is "br<Bridge Group

ID>". For example, the name of a bridge interface with a Bridge Group ID
of 5 is "br5".

Configuring the Bridge interface in Gaia Clish

Step Instructions

1 Connect to the command line on the Security Gateway.

2 Log in to Gaia Clish.

Installation and Upgrade Guide R81 | 582

 Configuring a Single Security Gateway in Bridge Mode

Step Instructions

3 Make sure that the subordinate interfaces, which you wish to add to the
Bridge interface, do not have IP addresses assigned:
show interface <Name of Interface> ipv4-address
show interface <Name of Interface> ipv6-address

4 Add a new bridging group:

add bridging group <Bridge Group ID 0 - 1024>

5 Add subordinate interfaces to the new bridging group:

add bridging group <Bridge Group ID> interface
<Name of First Subordinate Interface>
add bridging group <Bridge Group ID> interface
<Name of Second Subordinate Interface>
Notes:
n Do not select the interface that you configured as Gaia

Management Interface.
n A Bridge interface in Gaia can contain only two subordinate

interfaces.

6 Assign an IP address to the bridging group.

n To assign an IPv4 address, run:

set interface <Name of Bridge Interface>

ipv4-address <IPv4 Address> {subnet-mask
<Mask> | mask-length <Mask Length>}
You can optionally configure the bridging group to obtain an IPv4
Address automatically.
n To assign an IPv6 address, run:
set interface <Name of Bridge Interface>
ipv6-address <IPv6 Address> mask-length
<Mask Length>
You can optionally configure the bridging group to obtain an IPv6
Address automatically.
Important - First, you must enable the IPv6 Support and
reboot.

7 Save the configuration:

save config

Installation and Upgrade Guide R81 | 583

 Configuring a Single Security Gateway in Bridge Mode

Note - The name of a Bridge interface in Gaia is "br<Bridge Group

ID>". For example, the name of a bridge interface with a Bridge Group ID
of 5 is "br5".

3. Configure the Security Gateway object in SmartConsole

You can configure the ClusterXL object in either Wizard Mode, or Classic Mode.
Configuring the Security Gateway object in Wizard Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this Security
Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Security Gateway object in one of these ways:

n From the top toolbar, click the New ( ) > Gateway.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > New Gateway.

n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Gateway.

4 In the Check Point Security Gateway Creation window, click Wizard

Mode.

5 On the General Properties page:

a. In the Gateway name field, enter the applicable name for this
Security Gateway object.
b. In the Gateway platform field, select the correct hardware type.
c. In the Gateway IP address section, select Static IP address and
configure the same IPv4 and IPv6 addresses that you configured
on the Management Connection page of the Security Gateway's
First Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
d. Click Next.

Installation and Upgrade Guide R81 | 584

 Configuring a Single Security Gateway in Bridge Mode

Step Instructions

6 On the Trusted Communication page:

a. Select the applicable option:
n If you selected Initiate trusted communication now, enter

the same Activation Key you entered during the Security

Gateway's First Time Configuration Wizard.
n If you selected Skip and initiate trusted communication

later, make sure to follow Step 7.

b. Click Next.

7 On the End page:

a. Examine the Configuration Summary.
b. Select Edit Gateway properties for further configuration.
c. Click Finish.
Check Point Gateway properties window opens on the General
Properties page.

8 If during the Wizard Mode, you selected Skip and initiate trusted
communication later:
a. The Secure Internal Communication field shows Uninitialized.
b. Click Communication.
c. In the Platform field:
n Select Open server / Appliance for all Check Point models

3000 and higher.

n Select Open server / Appliance for an Open Server.

d. Enter the same Activation Key you entered during the Security
Gateway's First Time Configuration Wizard.
e. Click Initialize.
Make sure the Certificate state field shows Established.
f. Click OK.

9 On the General Properties page:

n On the Network Security tab, enable the applicable Software

Blades.
n On the Threat Prevention tab, enable the applicable Software

Blades.
Important - See the Supported Software Blades in Bridge Mode
and Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

Installation and Upgrade Guide R81 | 585

 Configuring a Single Security Gateway in Bridge Mode

Step Instructions

10 On the Network Management page, configure the Topology of the

Bridge interface.
Notes:
n If a Bridge interface connects to the Internet, then set the

Topology to External.
n If you use this Bridge Security Gateway object in Access

Control Policy rules with Internet objects, then set the

Topology to External.

11 Click OK.

12 Publish the SmartConsole session.

13 This Security Gateway object is now ready to receive the Security

Policy.

Configuring the Security Gateway object in Classic Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this Security
Gateway.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Security Gateway object in one of these ways:

n From the top toolbar, click the New ( ) > Gateway.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > New Gateway.

n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Gateway.

4 In the Check Point Security Gateway Creation window, click Classic

Mode.
Check Point Gateway properties window opens on the General
Properties page.

5 In the Name field, enter the applicable name for this Security Gateway
object.

Installation and Upgrade Guide R81 | 586

 Configuring a Single Security Gateway in Bridge Mode

Step Instructions

6 In the IPv4 address and IPv6 address fields, configure the same IPv4
and IPv6 addresses that you configured on the Management
Connection page of the Security Gateway's First Time Configuration
Wizard.
Make sure the Security Management Server or Multi-Domain Server
can connect to these IP addresses.

7 Establish the Secure Internal Communication (SIC) between the

Management Server and this Security Gateway:
a. Near the Secure Internal Communication field, click
Communication.
b. In the Platform field:
n Select Open server / Appliance for all Check Point models

3000 and higher.

n Select Open server / Appliance for an Open Server.

c. Enter the same Activation Key you entered during the Security
Gateway's First Time Configuration Wizard.
d. Click Initialize.
e. Click OK.

If the Certificate state field does not show Established, perform

these steps:
a. Connect to the command line on the Security Gateway.
b. Make sure there is a physical connectivity between the Security
Gateway and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

Installation and Upgrade Guide R81 | 587

 Configuring a Single Security Gateway in Bridge Mode

Step Instructions

8 In the Platform section, select the correct options:

a. In the Hardware field:
n If you install the Security Gateway on a Check Point

Appliance, select the correct appliances series.

n If you install the Security Gateway on an Open Server,

select Open server.

b. In the Version field, select R81.
c. In the OS field, select Gaia.

9 Enable the applicable Software Blades:

n On the Network Security tab.
n On the Threat Prevention tab.

Important - See the Supported Software Blades in Bridge Mode

and Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

10 On the Network Management page, configure the Topology of the

Bridge interface.
Notes:
n If a Bridge interface connects to the Internet, then set the

Topology to External.
n If you use this Bridge Security Gateway object in Access

Control Policy rules with Internet objects, then set the

Topology to External.

11 Click OK.

12 Publish the SmartConsole session.

13 This Security Gateway object is now ready to receive the Security

Policy.

4. Configure the applicable Security Policies for the Security Gateway in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that manages this Security Gateway.

2 From the left navigation panel, click Security Policies.

Installation and Upgrade Guide R81 | 588

 Configuring a Single Security Gateway in Bridge Mode

Step Instructions

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press CTRL T).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy
and configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

4 Create the applicable rules in the Access Control and Threat Prevention
policies.
Important - See the Supported Software Blades in Bridge Mode and
Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

5 Install the Access Control Policy on the Security Gateway object.

5 Install the Threat Prevention Policy on the Security Gateway object.

For more information, see the:

n R81 Gaia Administration Guide.
n R81 Security Management Administration Guide.
n Applicable Administration Guides on the R81 Home Page.

Installation and Upgrade Guide R81 | 589

 Configuring a ClusterXL in Bridge Mode

Configuring a ClusterXL in Bridge Mode

You can configure ClusterXL in Bridge Mode in different cluster deployments:

Bridge Mode Number of Supported Switches

Active/Standby Bridge Mode Two only

Active/Active Bridge Mode Two, or Four

For instructions, see:

n "Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches" on
page 591
n "Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches" on
page 608

Installation and Upgrade Guide R81 | 590

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Configuring ClusterXL in Bridge Mode - Active / Standby with Two

Switches
Notes:
n This procedure applies to both Check Point Appliances and Open Servers.
n ClusterXL deployed in Active/Standby Bridge Mode, supports only two
switches.

The Active/Standby Bridge Mode is the preferred mode in topologies that support it.
In the Active/Standby Bridge Mode, Cluster Members work in High Availability mode.
For more information, see the R81 ClusterXL Administration Guide.
Example Topology with Two Switches

Item Instructions

1 Network, which an administrator needs to divide into two Layer 2 segments.

The ClusterXL in Bridge Mode connects between these segments.

2 First network segment.

3 Switch that connects the first network segment to one bridged subordinate
interface (4) on the ClusterXL in Bridge Mode.

4 One bridged subordinate interface (for example, eth1) on the Cluster

Members in Bridge Mode.

Installation and Upgrade Guide R81 | 591

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Item Instructions

5 Dedicated Gaia Management Interface (for example, eth0) on the Cluster

Members.

6 First Cluster Member in Bridge Mode (for example, in the Active cluster
state).

7 Network that connects dedicated synchronization interfaces (for example,

eth3) on the ClusterXL in Bridge Mode.

8 Second Cluster Member in Bridge Mode (for example, in the Standby cluster
state).

9 Another bridged subordinate interface (for example, eth2) on the Cluster

Members in Bridge Mode.

10 Switch that connects the second network segment to the other bridged
subordinate interface (9) on the ClusterXL in Bridge Mode.

11 Second network segment.

Procedure:

Best Practice - If you configure Bridge Mode Active / Standby, then disable STP,
> RSTP, and MSTP on the adjacent switches. See the applicable documentation for
your switches.

Installation and Upgrade Guide R81 | 592

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

1. Install the two Cluster Members

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, select these two options:
l Unit is a part of a cluster

l ClusterXL

n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

2. Configure the ClusterXL object in High Availability mode in SmartConsole

You can configure the ClusterXL object in either Wizard Mode, or Classic Mode.
Configuring the ClusterXL object in Wizard Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this ClusterXL.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Cluster object in one of these ways:

n From the top toolbar, click the New ( ) > Cluster > Cluster.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > Cluster > New
Cluster.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster > Cluster.

Installation and Upgrade Guide R81 | 593

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

4 In the Check Point Security Gateway Cluster Creation window, click

Wizard Mode.

5 On the Cluster General Properties page:

a. In the Cluster Name field, enter the applicable name for this
ClusterXL object.
b. Configure the main Virtual IP address(es) for this ClusterXL
object.
In the Cluster IPv4 Address section, enter the main Virtual IPv4
address for this ClusterXL object.
In the Cluster IPv6 Address section, enter the main Virtual IPv6
address for this ClusterXL object.
c. In the Choose the Cluster's Solution field, select Check Point
ClusterXL and High Availability.
d. Click Next.

6 On the Cluster members' properties page, add the objects for the
Cluster Members.
a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address to be
on a different network than the physical IP addresses of the
Cluster Members. In this case, you must configure the
required static routes on the Cluster Members.
d. In the Activation Key and Confirm Activation Key fields, enter
the same Activation Key you entered during the Cluster
Member's First Time Configuration Wizard.
e. Click Initialize.
f. Click OK.
g. Repeat Steps a-f to add the second Cluster Member, and so on.

Installation and Upgrade Guide R81 | 594

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the Cluster
Member and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

7 On the Cluster Topology page, configure the roles of the cluster

interfaces:
a. Examine the IPv4 Network Address at the top of the page.
b. Select the applicable role:
n For cluster traffic interfaces, select Representing a cluster

interface and configure the Cluster Virtual IPv4 address

and its Net Mask.
Note - You can configure the Cluster Virtual IP
address to be on a different network than the physical
IP addresses of the Cluster Members. In this case, you
must configure the required static routes on the
Cluster Members.
n For cluster synchronization interfaces, select Cluster

Synchronization and select Primary only. Check Point

cluster supports only one synchronization network.
n For interfaces that do not pass the traffic between the

connected networks, select Private use of each member

(don't monitor members interfaces).
c. Click Next

Installation and Upgrade Guide R81 | 595

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

8 On the Cluster Definition Wizard Complete page:

a. Examine the Configuration Summary.
b. Select Edit Cluster's Properties.
c. Click Finish
The Gateway Cluster Properties window opens.

9 On the General Properties page > Machine section:

a. In the Name field, make sure you see the configured applicable
name for this ClusterXL object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.

10 On the General Properties page > Platform section, select the correct
options:
a. In the Hardware field:
If you install the Cluster Members on Check Point Appliances,
select the correct appliances series.
If you install the Cluster Members on Open Servers, select Open
server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

11 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL Software
Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.
Important - See the Supported Software Blades in Bridge Mode
and Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

Installation and Upgrade Guide R81 | 596

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

12 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address to be
on a different network than the physical IP addresses of the
Cluster Members. In this case, you must configure the
required static routes on the Cluster Members.
d. Click Communication.
e. In the One-time password and Confirm one-time password
fields, enter the same Activation Key you entered during the
Cluster Member's First Time Configuration Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member, and so on.

Installation and Upgrade Guide R81 | 597

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the Cluster
Member and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

13 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section, select
High Availability and ClusterXL.
b. In the Tracking section, select the applicable option.
c. In the Advanced Settings section:
i. Optional: Select Use State Synchronization.

> Best Practice - We recommend to select this option.

For more information, click the (?) button in the top right
corner.
ii. Optional: Select Use Virtual MAC.
For more information, see sk50840.
iii. Select the Cluster Member recovery method.
For more information, click the (?) button in the top right
corner.

Installation and Upgrade Guide R81 | 598

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

14 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name of
Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select the
applicable type:
n For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its Net
Mask are correct.
n For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
l We do not recommend the configuration

Cluster+Sync.
l Check Point cluster supports only these settings:

o One Sync interface.

o One Cluster+Sync interface.
o One Sync interface and one Cluster+Sync

interface.
l For Check Point Appliances or Open Servers:

The Synchronization Network is supported only

on the lowest VLAN tag of a VLAN interface.
n For interfaces that do not pass the traffic between the

connected networks, select Private.

d. In the Member IPs section, make sure the IPv4 address and its
Net Mask are correct on each Cluster Member.
Notes:
n For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
n For cluster traffic interfaces, you can configure the

Cluster Virtual IP address to be on a different network

than the physical IP addresses of the Cluster
Members. In this case, you must configure the
required static routes on the Cluster Members.See the
R81 ClusterXL Administration Guide.

Installation and Upgrade Guide R81 | 599

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

e. In the Topology section:

n Make sure the settings are correct in the Leads To and

Security Zone fields.

n Make sure to enable the Anti-Spoofing.

Important:
n Make sure the Bridge interface and Bridge subordinate

interfaces are not in the Topology.

n You cannot define the Topology of the Bridge interface. It is

External by default.

15 Click OK.

16 Publish the SmartConsole session.

Configuring the ClusterXL object in Classic Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this ClusterXL.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Cluster object in one of these ways:

n From the top toolbar, click the New ( ) > Cluster > Cluster.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > Cluster > New
Cluster.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster > Cluster.

4 In the Check Point Security Gateway Creation window, click Classic

Mode.
The Gateway Cluster Properties window opens.

Installation and Upgrade Guide R81 | 600

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

5 On the General Properties page > Machine section:

a. In the Name field, make sure you see the configured applicable
name for this ClusterXL object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.

6 On the General Properties page > Platform section, select the correct
options:
a. In the Hardware field:
If you install the Cluster Members on Check Point Appliances,
select the correct appliances series.
If you install the Cluster Members on Open Servers, select Open
server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

7 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL Software
Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.
Important - See the Supported Software Blades in Bridge Mode
and Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

Installation and Upgrade Guide R81 | 601

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

8 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address to be
on a different network than the physical IP addresses of the
Cluster Members. In this case, you must configure the
required static routes on the Cluster Members.
d. Click Communication.
e. In the One-time password and Confirm one-time password
fields, enter the same Activation Key you entered during the
Cluster Member's First Time Configuration Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member, and so on.

Installation and Upgrade Guide R81 | 602

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the Cluster
Member and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

9 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section, select
High Availability and ClusterXL.
b. In the Tracking section, select the applicable option.
c. In the Advanced Settings section:
i. Optional: Select Use State Synchronization.

> Best Practice - We recommend to select this option.

For more information, click the (?) button in the top right
corner.
ii. Optional: Select Use Virtual MAC.
For more information, see sk50840.
iii. Select the Cluster Member recovery method.
For more information, click the (?) button in the top right
corner.

Installation and Upgrade Guide R81 | 603

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

10 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name of
Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select the
applicable type:
n For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its Net
Mask are correct.
n For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
l We do not recommend the configuration

Cluster+Sync.
l Check Point cluster supports only these settings:

o One Sync interface.

o One Cluster+Sync interface.
o One Sync interface and one Cluster+Sync

interface.
l For Check Point Appliances or Open Servers:

The Synchronization Network is supported only

on the lowest VLAN tag of a VLAN interface.
n For interfaces that do not pass the traffic between the

connected networks, select Private.

d. In the Member IPs section, make sure the IPv4 address and its
Net Mask are correct on each Cluster Member.
Notes:
n For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
n For cluster traffic interfaces, you can configure the

Cluster Virtual IP address to be on a different network

than the physical IP addresses of the Cluster
Members. In this case, you must configure the
required static routes on the Cluster Members.See the
R81 ClusterXL Administration Guide.

Installation and Upgrade Guide R81 | 604

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

e. In the Topology section:

n Make sure the settings are correct in the Leads To and

Security Zone fields.

n Make sure to enable the Anti-Spoofing.

Important:
n Make sure the Bridge interface and Bridge subordinate

interfaces are not in the Topology.

n You cannot define the Topology of the Bridge interface. It is

External by default.

11 Click OK.

12 Publish the SmartConsole session.

3. Configure the applicable Security Policies for the ClusterXL in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that manages this ClusterXL Cluster.

2 From the left navigation panel, click Security Policies.

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press CTRL T).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy
and configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

4 Create the applicable rules in the Access Control and Threat Prevention
policies.
Important - See the Supported Software Blades in Bridge Mode and
Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

5 Install the Access Control Policy on the ClusterXL object.

6 Install the Threat Prevention Policy on the ClusterXL object.

4. Examine the cluster configuration

Installation and Upgrade Guide R81 | 605

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Example output:
Member1> show cluster state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 11.22.33.245 100% ACTIVE Member1

2 11.22.33.246 0% STANDBY Member2

3 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

show cluster members interfaces all

n In the Expert mode, run:
cphaprob -a if

5. Enable the Active/Standby Bridge Mode on both Cluster Members

Item Instructions

1 Connect to the command line on each Cluster Member.

2 Run:
cpconfig

3 Select Enable Check Point ClusterXL for Bridge Active/Standby.

4 Enter y to confirm.

5 Reboot each Cluster Member.

6 Connect with SmartConsole to the Security Management Server or

Domain Management Server that manages this ClusterXL.

7 Install the Access Control Policy on this cluster object.

Installation and Upgrade Guide R81 | 606

 Configuring ClusterXL in Bridge Mode - Active / Standby with Two Switches

6. Examine the cluster configuration

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Example output:
Member1> show cluster state

Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP
Membership

ID Unique Address Assigned Load State Name

1 (local) 11.22.33.245 100% ACTIVE Member1

2 11.22.33.246 0% STANDBY Member2

3 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

show cluster members interfaces all

n In the Expert mode, run:
cphaprob -a if

Installation and Upgrade Guide R81 | 607

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four

Switches
When you define a Bridge interface on a Cluster Member, the Active/Active Bridge Mode is
enabled by default.

Notes:
n This procedure applies to both Check Point Appliances and Open Servers.
n This procedure describes ClusterXL in Active/Active Bridge Mode deployed with
two or four switches.

Example Topology with Two Switches

Item Instructions

1 Network, which an administrator needs to divide into two Layer 2 segments.

The ClusterXL in Bridge Mode connects between these segments.

2 First network segment.

3 Switch that connects the first network segment to one bridged subordinate
interface (4) on the ClusterXL in Bridge Mode.

4 One bridged subordinate interface (for example, eth1) on the Cluster

Members in Bridge Mode.

5 Dedicated Gaia Management Interface (for example, eth0) on the Cluster

Members.

Installation and Upgrade Guide R81 | 608

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Item Instructions

6 First Cluster Member in Bridge Mode (in the Active cluster state).

7 Network that connects dedicated synchronization interfaces (for example,

eth3) on the ClusterXL in Bridge Mode.

8 Second Cluster Member in Bridge Mode (in the Active cluster state).

9 Another bridged subordinate interface (for example, eth2) on the Cluster

Members in Bridge Mode.

10 Switch that connects the second network segment to the other bridged
subordinate interface (9) on the ClusterXL in Bridge Mode.

11 Second network segment.

Example Topology with Four Switches

Installation and Upgrade Guide R81 | 609

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Item Instructions

1 Network, which an administrator needs to divide into two Layer 2 segments.

The ClusterXL in Bridge Mode connects between these segments.

2 First network segment.

3 Switch that connects the first network segment to one bridged subordinate
interface (6) on the ClusterXL in Bridge Mode.

4 Switch that connects between one switch (that directly connects to the first
network segment) and one bridged subordinate interface (6) on the ClusterXL
in Bridge Mode.

5 Dedicated Gaia Management Interface (for example, eth0) on the Cluster

Members.

6 One bridged subordinate interface (for example, eth1) on the Cluster

Members in Bridge Mode.

7 First Cluster Member in Bridge Mode (in the Active cluster state).

8 Network that connects dedicated synchronization interfaces (for example,

eth3) on the ClusterXL in Bridge Mode.

9 Second Cluster Member in Bridge Mode (in the Active cluster state).

10 Another bridged subordinate interface (for example, eth2) on the Cluster

Members in Bridge Mode.

11 Switch that connects the second network segment to the other bridged
subordinate interface (10) on the ClusterXL in Bridge Mode.

12 Switch that connects between one switch (that directly connects to the second
network segment) and the other bridged subordinate interface (10) on the
ClusterXL in Bridge Mode.

13 Second network segment.

Installation and Upgrade Guide R81 | 610

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Procedure:
1. Install the two Cluster Members

Step Instructions

1 Install the Gaia Operating System:

n "Installing the Gaia Operating System on Check Point Appliances"

on page 24
n "Installing the Gaia Operating System on Open Servers" on

page 26

2 Follow "Configuring Gaia for the First Time" on page 31.

3 During the First Time Configuration Wizard, you must configure these
settings:
n In the Installation Type window, select Security Gateway and/or

Security Management.
n In the Products window:

a. In the Products section, select Security Gateway only.

b. In the Clustering section, select these two options:
l Unit is a part of a cluster

l ClusterXL

n In the Secure Internal Communication window, enter the

applicable Activation Key (between 4 and 127 characters long).

2. Configure the Bridge interface on both Cluster Members

You configure the Bridge interface in either Gaia Portal, or Gaia Clish.
Configuring the Bridge interface in Gaia Portal

Step Instructions

1 In the left navigation tree, click Network Management > Network

Interfaces.

2 Make sure that the subordinate interfaces, which you wish to add to the
Bridge interface, do not have IP addresses assigned.

3 Click Add > Bridge.

To configure an existing Bridge interface, select the Bridge interface
and click Edit.

Installation and Upgrade Guide R81 | 611

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

4 On the Bridge tab, enter or select a Bridge Group ID (unique integer

between 1 and 1024).

5 Select the interfaces from the Available Interfaces list and then click
Add.
Notes:
n Make sure that the subordinate interfaces do not have any

IP addresses or aliases configured.

n Do not select the interface that you configured as Gaia

Management Interface.
n A Bridge interface in Gaia can contain only two subordinate

interfaces.

6 On the IPv4 tab, enter the IPv4 address and subnet mask.
You can optionally select the Obtain IPv4 Address automatically
option.

7 On the IPv6 tab (optional), enter the IPv6 address and mask length.
You can optionally select the Obtain IPv6 Address automatically
option.

Important - First, you must enable the IPv6 Support and reboot.

8 Click OK.

Note - The name of a Bridge interface in Gaia is "br<Bridge Group

ID>". For example, the name of a bridge interface with a Bridge Group ID
of 5 is "br5".

Configuring the Bridge interface in Gaia Clish

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Log in to Gaia Clish.

3 Make sure that the subordinate interfaces, which you wish to add to the
Bridge interface, do not have IP addresses assigned:
show interface <Name of Interface> ipv4-address
show interface <Name of Interface> ipv6-address

Installation and Upgrade Guide R81 | 612

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

4 Add a new bridging group:

add bridging group <Bridge Group ID 0 - 1024>

5 Add subordinate interfaces to the new bridging group:

add bridging group <Bridge Group ID> interface
<Name of First Subordinate Interface>
add bridging group <Bridge Group ID> interface
<Name of Second Subordinate Interface>
Notes:
n A Bridge interface in Gaia can contain only two subordinate

interfaces.
n Do not select the interface that you configured as Gaia

Management Interface.

6 Do not assign an IP address to the bridging group.

7 Save the configuration:

save config

Note - The name of a Bridge interface in Gaia is "br<Bridge Group

ID>". For example, the name of a bridge interface with a Bridge Group ID
of 5 is "br5".

3. Configure the ClusterXL object in SmartConsole

You can configure the ClusterXL object in either Wizard Mode, or Classic Mode.
Configuring the ClusterXL object in Wizard Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this ClusterXL.

2 From the left navigation panel, click Gateways & Servers.

Installation and Upgrade Guide R81 | 613

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

3 Create a new Cluster object in one of these ways:

n From the top toolbar, click the New ( ) > Cluster > Cluster.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > Cluster > New
Cluster.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster > Cluster.

4 In the Check Point Security Gateway Cluster Creation window, click

Wizard Mode.

5 On the Cluster General Properties page:

a. In the Cluster Name field, enter the applicable name for this
ClusterXL object.
b. Configure the main Virtual IP address(es) for this ClusterXL
object.
n In the Cluster IPv4 Address section, enter the main Virtual

IPv4 address for this ClusterXL object.

n In the Cluster IPv6 Address section, enter the main Virtual

IPv6 address for this ClusterXL object.

Note - You can configure the Cluster Virtual IP address to be
on a different network than the physical IP addresses of the
Cluster Members. In this case, you must configure the
required static routes on the Cluster Members.
c. In the Choose the Cluster's Solution field, select Check Point
ClusterXL and select the cluster mode - either High Availability,
or Load Sharing.
d. Click Next.

Installation and Upgrade Guide R81 | 614

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

6 On the Cluster members' properties page, add the objects for the
Cluster Members.
a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address to be
on a different network than the physical IP addresses of the
Cluster Members. In this case, you must configure the
required static routes on the Cluster Members.
d. In the Activation Key and Confirm Activation Key fields, enter
the same Activation Key you entered during the Cluster
Member's First Time Configuration Wizard.
e. Click Initialize.
f. Click OK.
g. Repeat Steps a-f to add the second Cluster Member, and so on.

Installation and Upgrade Guide R81 | 615

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the Cluster
Member and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

7 On the Cluster Topology page, configure the roles of the cluster

interfaces:
a. Examine the IPv4 Network Address at the top of the page.
b. Select the applicable role:
n For cluster traffic interfaces, select Representing a cluster

interface and configure the Cluster Virtual IPv4 address

and its Net Mask.
Note - You can configure the Cluster Virtual IP
address to be on a different network than the physical
IP addresses of the Cluster Members. In this case, you
must configure the required static routes on the
Cluster Members.
n For cluster synchronization interfaces, select Cluster

Synchronization and select Primary only. Check Point

cluster supports only one synchronization network.
n For interfaces that do not pass the traffic between the

connected networks, select Private use of each member

(don't monitor members interfaces).
c. Click Next

Installation and Upgrade Guide R81 | 616

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

8 On the Cluster Definition Wizard Complete page:

a. Examine the Configuration Summary.
b. Select Edit Cluster's Properties.
c. Click Finish
The Gateway Cluster Properties window opens.

9 On the General Properties page > Machine section:

a. In the Name field, make sure you see the configured applicable
name for this ClusterXL object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.

10 On the General Properties page > Platform section, select the correct
options:
a. In the Hardware field:
If you install the Cluster Members on Check Point Appliances,
select the correct appliances series.
If you install the Cluster Members on Open Servers, select Open
server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

11 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL Software
Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.
Important - See the Supported Software Blades in Bridge Mode
and Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

Installation and Upgrade Guide R81 | 617

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

12 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address to be
on a different network than the physical IP addresses of the
Cluster Members. In this case, you must configure the
required static routes on the Cluster Members.
d. Click Communication.
e. In the One-time password and Confirm one-time password
fields, enter the same Activation Key you entered during the
Cluster Member's First Time Configuration Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member, and so on.

Installation and Upgrade Guide R81 | 618

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the Cluster
Member and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

13 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section, select
the applicable mode:
n High Availability and ClusterXL
n Load Sharing and Multicast or Unicast
n Active-Active

b. In the Tracking section, select the applicable option.

c. In the Advanced Settings section:

Installation and Upgrade Guide R81 | 619

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

n If you selected the High Availability mode, then:

i. Optional: Select Use State Synchronization.
This configures the Cluster Members to synchronize
the information about the connections they inspect.
Best Practice - Enable this setting to prevent
connection drops after a cluster failover.
ii. Optional: Select Start synchronizing [ ] seconds
after connection initiation and enter the applicable
value.
This option is available only for clusters R80.20 and
higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster Members
to start the synchronization of all connections a
number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
l This setting in the cluster object applies to

all connections that pass through the

cluster.
You can override this global cluster
synchronization delay in the properties of
applicable services.
l The greater this value, the fewer short-lived

connections the Cluster Members have to

synchronize.
l The connections that the Cluster Members

did not synchronize, do not survive a cluster

failover.
Best Practice - Enable and configure this setting
to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate the
same virtual MAC address with the Virtual IP address
on the applicable interfaces (each Virtual IP address
has its unique Virtual MAC address).
For more information, see sk50840.
iv. Select the Cluster Member recovery method - which
Cluster Member to select as Active during a fallback
(return to normal operation after a cluster failover):
l Maintain current active Cluster Member

i. The Cluster Member that is currently in the

Active state, remains in this state.
ii. Other Cluster Members that return to
Installation and Upgrade Guide R81 | 620
normal operation, remain the Standby
state.
l
 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

n If you selected the Load Sharing > Multicast mode, then:

i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10 and
lower.
For more information, click the (?) button in the top
right corner.
ii. Optional: Select Start synchronizing [ ] seconds
after connection initiation and enter the applicable
value.
This option is available only for clusters R80.20 and
higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster Members
to start the synchronization of all connections a
number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
l This setting in the cluster object applies to

all connections that pass through the

cluster.
You can override this global cluster
synchronization delay in the properties of
applicable services.
l The greater this value, the fewer short-lived

connections the Cluster Members have to

synchronize.
l The connections that the Cluster Members

did not synchronize, do not survive a cluster

failover.
Best Practice - Enable and configure this setting
to increase the cluster performance.
iii. Select the connection sharing method between the
Cluster Members:
l IPs, Ports, SPIs

Configures each Cluster Member to inspect all

connections with the same Source and
Destination IP address, the same Source and
Destination ports, and the same IPsec SPI
numbers.
This is the least "sticky" sharing configuration
that provides the best sharing distribution
between Cluster Members.
This method decreases the probability that a
certain connection passes through the same
Installation
Cluster Member andinbound
in both Upgrade Guide R81 | 621
and outbound
directions
We recommend this method.
 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

n If you selected the Load Sharing > Unicast mode, then:

i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10 and
lower.
For more information, click the (?) button in the top
right corner.
ii. Optional: Select Start synchronizing [ ] seconds
after connection initiation and enter the applicable
value.
This option is available only for clusters R80.20 and
higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster Members
to start the synchronization of all connections a
number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
l This setting in the cluster object applies to

all connections that pass through the

cluster.
You can override this global cluster
synchronization delay in the properties of
applicable services.
l The greater this value, the fewer short-lived

connections the Cluster Members have to

synchronize.
l The connections that the Cluster Members

did not synchronize, do not survive a cluster

failover.
Best Practice - Enable and configure this setting
to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate the
same virtual MAC address with the Virtual IP address
on the applicable interfaces (each Virtual IP address
has its unique Virtual MAC address).
For more information, see sk50840.
iv. Select the connection sharing method between the
Cluster Members:
l IPs, Ports, SPIs

Configures each Cluster Member to inspect all

connections with the same Source and
Destination IP address, the same Source and
Destination ports, and the same IPsec SPI
numbers. Installation and Upgrade Guide R81 | 622
This is the least "sticky" sharing configuration
that provides the best sharing distribution
 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

14 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name of
Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select the
applicable type:
n For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its Net
Mask are correct.
n For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
l We do not recommend the configuration

Cluster+Sync.
l Check Point cluster supports only these settings:

o One Sync interface.

o One Cluster+Sync interface.
o One Sync interface and one Cluster+Sync

interface.
l For Check Point Appliances or Open Servers:

The Synchronization Network is supported only

on the lowest VLAN tag of a VLAN interface.
n For interfaces that do not pass the traffic between the

connected networks, select Private.

d. In the Member IPs section, make sure the IPv4 address and its
Net Mask are correct on each Cluster Member.
Notes:
n For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
n For cluster traffic interfaces, you can configure the

Cluster Virtual IP address to be on a different network

than the physical IP addresses of the Cluster
Members. In this case, you must configure the
required static routes on the Cluster Members.See the
R81 ClusterXL Administration Guide.

Installation and Upgrade Guide R81 | 623

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

e. In the Topology section:

n Make sure the settings are correct in the Leads To and

Security Zone fields.

n Make sure to enable the Anti-Spoofing.

Important:
n Make sure the Bridge interface and Bridge subordinate

interfaces are not in the Topology.

n You cannot define the Topology of the Bridge interface. It is

External by default.

15 Click OK.

16 Publish the SmartConsole session.

Configuring the ClusterXL object in Classic Mode

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that should manage this ClusterXL.

2 From the left navigation panel, click Gateways & Servers.

3 Create a new Cluster object in one of these ways:

n From the top toolbar, click the New ( ) > Cluster > Cluster.
n In the top left corner, click Objects menu > More object types >

Network Object > Gateways and Servers > Cluster > New
Cluster.
n In the top right corner, click Objects Pane > New > More >

Network Object > Gateways and Servers > Cluster > Cluster.

4 In the Check Point Security Gateway Creation window, click Classic

Mode.
The Gateway Cluster Properties window opens.

Installation and Upgrade Guide R81 | 624

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

5 On the General Properties page > Machine section:

a. In the Name field, make sure you see the configured applicable
name for this ClusterXL object.
b. In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.

6 On the General Properties page > Platform section, select the correct
options:
a. In the Hardware field:
If you install the Cluster Members on Check Point Appliances,
select the correct appliances series.
If you install the Cluster Members on Open Servers, select Open
server.
b. In the Version field, select R81.
c. In the OS field, select Gaia.

7 On the General Properties page:

a. On the Network Security tab, make sure the ClusterXL Software
Blade is selected.
b. Enable the additional applicable Software Blades on the
Network Security tab and on the Threat Prevention tab.
Important - See the Supported Software Blades in Bridge Mode
and Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

Installation and Upgrade Guide R81 | 625

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

8 On the Cluster Members page:

a. Click Add > New Cluster Member.
The Cluster Member Properties window opens.
b. In the Name field, enter the applicable name for this Cluster
Member object.
c. Configure the main physical IP address(es) for this Cluster
Member object.
In the IPv4 Address and IPv6 Address fields, configure the
same IPv4 and IPv6 addresses that you configured on the
Management Connection page of the Cluster Member's First
Time Configuration Wizard.
Make sure the Security Management Server or Multi-Domain
Server can connect to these IP addresses.
Note - You can configure the Cluster Virtual IP address to be
on a different network than the physical IP addresses of the
Cluster Members. In this case, you must configure the
required static routes on the Cluster Members.
d. Click Communication.
e. In the One-time password and Confirm one-time password
fields, enter the same Activation Key you entered during the
Cluster Member's First Time Configuration Wizard.
f. Click Initialize.
g. Click Close.
h. Click OK.
i. Repeat Steps a-h to add the second Cluster Member, and so on.

Installation and Upgrade Guide R81 | 626

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

If the Trust State field does not show Trust established, perform these
steps:
a. Connect to the command line on the Cluster Member.
b. Make sure there is a physical connectivity between the Cluster
Member and the Management Server (for example, pings can
pass).
c. Run:
cpconfig
d. Enter the number of this option:
Secure Internal Communication
e. Follow the instructions on the screen to change the Activation
Key.
f. In SmartConsole, click Reset.
g. Enter the same Activation Key you entered in the cpconfig
menu.
h. In SmartConsole, click Initialize.

9 On the ClusterXL and VRRP page:

a. In the Select the cluster mode and configuration section, select
the applicable mode:
n High Availability and ClusterXL
n Load Sharing and Multicast or Unicast
n Active-Active

b. In the Tracking section, select the applicable option.

c. In the Advanced Settings section:

Installation and Upgrade Guide R81 | 627

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

n If you selected the High Availability mode, then:

i. Optional: Select Use State Synchronization.
This configures the Cluster Members to synchronize
the information about the connections they inspect.
Best Practice - Enable this setting to prevent
connection drops after a cluster failover.
ii. Optional: Select Start synchronizing [ ] seconds
after connection initiation and enter the applicable
value.
This option is available only for clusters R80.20 and
higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster Members
to start the synchronization of all connections a
number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
l This setting in the cluster object applies to

all connections that pass through the

cluster.
You can override this global cluster
synchronization delay in the properties of
applicable services.
l The greater this value, the fewer short-lived

connections the Cluster Members have to

synchronize.
l The connections that the Cluster Members

did not synchronize, do not survive a cluster

failover.
Best Practice - Enable and configure this setting
to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate the
same virtual MAC address with the Virtual IP address
on the applicable interfaces (each Virtual IP address
has its unique Virtual MAC address).
For more information, see sk50840.
iv. Select the Cluster Member recovery method - which
Cluster Member to select as Active during a fallback
(return to normal operation after a cluster failover):
l Maintain current active Cluster Member

i. The Cluster Member that is currently in the

Active state, remains in this state.
ii. Other Cluster Members that return to
Installation and Upgrade Guide R81 | 628
normal operation, remain the Standby
state.
l
 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

n If you selected the Load Sharing > Multicast mode, then:

i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10 and
lower.
For more information, click the (?) button in the top
right corner.
ii. Optional: Select Start synchronizing [ ] seconds
after connection initiation and enter the applicable
value.
This option is available only for clusters R80.20 and
higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster Members
to start the synchronization of all connections a
number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
l This setting in the cluster object applies to

all connections that pass through the

cluster.
You can override this global cluster
synchronization delay in the properties of
applicable services.
l The greater this value, the fewer short-lived

connections the Cluster Members have to

synchronize.
l The connections that the Cluster Members

did not synchronize, do not survive a cluster

failover.
Best Practice - Enable and configure this setting
to increase the cluster performance.
iii. Select the connection sharing method between the
Cluster Members:
l IPs, Ports, SPIs

Configures each Cluster Member to inspect all

connections with the same Source and
Destination IP address, the same Source and
Destination ports, and the same IPsec SPI
numbers.
This is the least "sticky" sharing configuration
that provides the best sharing distribution
between Cluster Members.
This method decreases the probability that a
certain connection passes through the same
Installation
Cluster Member andinbound
in both Upgrade Guide R81 | 629
and outbound
directions
We recommend this method.
 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

n If you selected the Load Sharing > Unicast mode, then:

i. Optional: Select Use Sticky Decision Function.
This option is available only for clusters R80.10 and
lower.
For more information, click the (?) button in the top
right corner.
ii. Optional: Select Start synchronizing [ ] seconds
after connection initiation and enter the applicable
value.
This option is available only for clusters R80.20 and
higher.
To prevent the synchronization of short-lived
connections (which decreases the cluster
performance), you can configure the Cluster Members
to start the synchronization of all connections a
number of seconds after they start.
Range: 2 - 60 seconds
Default: 3 seconds
Notes:
l This setting in the cluster object applies to

all connections that pass through the

cluster.
You can override this global cluster
synchronization delay in the properties of
applicable services.
l The greater this value, the fewer short-lived

connections the Cluster Members have to

synchronize.
l The connections that the Cluster Members

did not synchronize, do not survive a cluster

failover.
Best Practice - Enable and configure this setting
to increase the cluster performance.
iii. Optional: Select Use Virtual MAC.
This configure all Cluster Members to associate the
same virtual MAC address with the Virtual IP address
on the applicable interfaces (each Virtual IP address
has its unique Virtual MAC address).
For more information, see sk50840.
iv. Select the connection sharing method between the
Cluster Members:
l IPs, Ports, SPIs

Configures each Cluster Member to inspect all

connections with the same Source and
Destination IP address, the same Source and
Destination ports, and the same IPsec SPI
numbers. Installation and Upgrade Guide R81 | 630
This is the least "sticky" sharing configuration
that provides the best sharing distribution
 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

10 On the Network Management page:

a. Select each interface and click Edit. The Network: <Name of
Interface> window opens.
b. From the left tree, click the General page.
c. In the General section, in the Network Type field, select the
applicable type:
n For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its Net
Mask are correct.
n For cluster synchronization interfaces, select Sync or

Cluster+Sync.
Notes:
l We do not recommend the configuration

Cluster+Sync.
l Check Point cluster supports only these settings:

o One Sync interface.

o One Cluster+Sync interface.
o One Sync interface and one Cluster+Sync

interface.
l For Check Point Appliances or Open Servers:

The Synchronization Network is supported only

on the lowest VLAN tag of a VLAN interface.
n For interfaces that do not pass the traffic between the

connected networks, select Private.

d. In the Member IPs section, make sure the IPv4 address and its
Net Mask are correct on each Cluster Member.
Notes:
n For a ClusterXL in High Availability mode that is

deployed in a Cloud environment (Geo Cluster):

You can configure IP addresses that belong to
different networks on cluster synchronization
interfaces and on cluster traffic interfaces.
n For cluster traffic interfaces, you can configure the

Cluster Virtual IP address to be on a different network

than the physical IP addresses of the Cluster
Members. In this case, you must configure the
required static routes on the Cluster Members.See the
R81 ClusterXL Administration Guide.

Installation and Upgrade Guide R81 | 631

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

e. In the Topology section:

n Make sure the settings are correct in the Leads To and

Security Zone fields.

n Make sure to enable the Anti-Spoofing.

Important:
n Make sure the Bridge interface and Bridge subordinate

interfaces are not in the Topology.

n You cannot define the Topology of the Bridge interface. It is

External by default.

11 Click OK.

12 Publish the SmartConsole session.

4. Configure the applicable Security Policies for the ClusterXL in SmartConsole

Step Instructions

1 Connect with SmartConsole to the Security Management Server or

Domain Management Server that manages this ClusterXL Cluster.

2 From the left navigation panel, click Security Policies.

3 Create a new policy and configure the applicable layers:

a. At the top, click the + tab (or press CTRL T).
b. On the Manage Policies tab, click Manage policies and layers.
c. In the Manage policies and layers window, create a new policy
and configure the applicable layers.
d. Click Close.
e. On the Manage Policies tab, click the new policy you created.

4 Create the applicable rules in the Access Control and Threat Prevention
policies.
Important - See the Supported Software Blades in Bridge Mode and
Limitations in Bridge Mode sections in "Deploying a Security
Gateway or a ClusterXL in Bridge Mode" on page 576.

5 Install the Access Control Policy on the ClusterXL object.

6 Install the Threat Prevention Policy on the ClusterXL object.

5. Examine the cluster configuration

Installation and Upgrade Guide R81 | 632

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

1 Connect to the command line on each Cluster Member.

2 Examine the cluster state in one of these ways:

n In Gaia Clish, run:

show cluster state

n In the Expert mode, run:
cphaprob state
Example output:
Member1> show cluster state

Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP
Membership

ID Unique Address Assigned Load State Name

1 (local) 11.22.33.245 100% ACTIVE Member1

2 11.22.33.246 100% ACTIVE Member2

3 Examine the cluster interfaces in one of these ways:

n In Gaia Clish, run:

show cluster members interfaces all

n In the Expert mode, run:
cphaprob -a if

Installation and Upgrade Guide R81 | 633

 Configuring ClusterXL in Bridge Mode - Active / Active with Two or Four Switches

Step Instructions

4 Make sure the value of the kernel parameter fwha_monitor_if_link_state

is 1 (this is the default).
This kernel parameter enables the "Monitoring of the Interface Link State"
(MILS) feature.
a. Examine the current loaded value:
fw ctl get int fwha_monitor_if_link_state
If the current value is not 1, run this command and examine the
value:
fw ctl set int fwha_monitor_if_link_state 1
b. Examine if this the kernel parameter is configured permanently:
grep fwha_monitor_if_link_state
$FWDIR/boot/modules/fwkern.conf
If this the kernel parameter appears in the configuration file, remove
its entire line:
vi $FWDIR/boot/modules/fwkern.conf

Installation and Upgrade Guide R81 | 634

 Accept, or Drop Ethernet Frames with Specific Protocols

Accept, or Drop Ethernet Frames with Specific Protocols

Important - In a Cluster, you must configure all the Cluster Members in the same way.

By default, Security Gateway and Cluster in Bridge mode allows Ethernet frames that carry
protocols other than IPv4 (0x0800), IPv6 (0x86DD), or ARP (0x0806) protocols.
Administrator can configure a Security Gateway and Cluster in Bridge Mode to either accept,
or drop Ethernet frames that carry specific protocols.
When Access Mode VLAN (VLAN translation) is configured, BPDU frames can arrive with the
wrong VLAN number to the switch ports through the Bridge interface. This mismatch can
cause the switch ports to enter blocking mode.

In Active/Standby Bridge Mode only, you can disable BPDU forwarding to avoid such blocking
mode:

Step Instructions

1 Connect to the command line on the Security Gateway (each Cluster Member).

2 Log in to the Expert mode.

3 Backup the current /etc/rc.d/init.d/network file:

cp -v /etc/rc.d/init.d/network{,_BKP}

4 Edit the current /etc/rc.d/init.d/network file:

vi /etc/rc.d/init.d/network

5 After the line:

./etc/init.d/functions
Add this line:
/sbin/sysctl -w net.bridge.bpdu_forwarding=0

6 Save the changes in the file and exit the Vi editor.

7 Reboot the Security Gateway (each Cluster Member).

8 Make sure the new configuration is loaded:

sysctl net.bridge.bpdu_forwarding
The output must show:
net.bridge.bpdu_forwarding = 0

Installation and Upgrade Guide R81 | 635

 Routing and Bridge Interfaces

Routing and Bridge Interfaces

Security Gateways with a Bridge interface can support Layer 3 routing over non-bridged
interfaces.
If you configure a Bridge interface with an IP address on a Security Gateway (not on Cluster
Members), the Bridge interface functions as a regular Layer 3 interface.
The Bridge interface participates in IP routing decisions on the Security Gateway and supports
Layer 3 routing.
n Cluster deployments do not support this configuration.
n You cannot configure the Bridge interface to be the nexthop gateway for a route.
n A Security Gateway can support multiple Bridge interfaces, but only one Bridge interface
can have an IP address.
n A Security Gateway cannot filter or transmit packets that it inspected before on a Bridge
interface (to avoid double-inspection).

Installation and Upgrade Guide R81 | 636

 Managing a Security Gateway through the Bridge Interface

Managing a Security Gateway through the Bridge Interface

Example Topology

Item Description

1 Security Management Server

2 Router

3 Bridge interface on the Security Gateway

4 Security Gateway

5 Regular traffic interface on the Security Gateway

6 Regular traffic interface on the Security Gateway

Packet flow
1. The Security Management Server sends a management packet to the Management
Interface on the Security Gateway.

This Management Interface is configured as Bridge interface.

2. The Security Gateway inspects the first management packet it receives on the first
subordinate interface of the Bridge interface.
3. The Security Gateway forwards the inspected management packet to the router through
the second subordinate interface of the Bridge interface.
4. The router sends the packet to the first subordinate interface of the Bridge interface.
5. The Security Gateway concludes that this packet is a retransmission and drops it.

Procedure
Configure the Security Gateway to reroute packets on the Bridge interface.
Set the value of the kernel parameter "fwx_bridge_reroute_enabled" to 1.

Installation and Upgrade Guide R81 | 637

 Managing a Security Gateway through the Bridge Interface

The Security Gateway makes sure that the MD5 hash of the packet that leaves the
Management Interface and enters the Bridge interface is the same.
Other packets in this connection are handled by the Bridge interface without using the router.

Notes:
n To make the change permanent (to survive reboot), you configure the value of
the required kernel parameter in the configuration file.
This change applies only after a reboot.
n To apply the change on-the-fly (does not survive reboot), you configure the
value of the required kernel parameter with the applicable command.

Step Instructions

1 Connect to the command line on the Security Gateway.

2 Log in to the Expert mode.

3 Modify the $FWDIR/boot/modules/fwkern.conf file:

a. Back up the current $FWDIR/boot/modules/fwkern.conf file:
cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
If this file does not exit, create it:
touch $FWDIR/boot/modules/fwkern.conf
b. Edit the current $FWDIR/boot/modules/fwkern.conf file:
vi $FWDIR/boot/modules/fwkern.conf
c. Add this line in the file:
fwx_bridge_reroute_enabled=1
Important - This configuration file does not support spaces or
comments.
d. Save the changes in the file.
e. Exit the Vi editor.

4 Set the value of the required kernel parameter on-the-fly:

fw ctl set int fwx_bridge_reroute_enabled 1

5 Make sure the Security Gateway loaded the new configuration:

fw ctl get int fwx_bridge_reroute_enabled
The output must return
fwx_bridge_reroute_enabled = 1

Installation and Upgrade Guide R81 | 638

 Managing a Security Gateway through the Bridge Interface

Step Instructions

6 Reboot the Security Gateway when possible.

7 After the reboot, make sure the Security Gateway loaded the new configuration:
fw ctl get int fwx_bridge_reroute_enabled
The output must return
fwx_bridge_reroute_enabled = 1

Installation and Upgrade Guide R81 | 639

 IPv6 Neighbor Discovery

IPv6 Neighbor Discovery

Neighbor discovery works over the ICMPv6 Neighbor Discovery protocol, which is the
functional equivalent of the IPv4 ARP protocol.
ICMPv6 Neighbor Discovery Protocol must be explicitly permitted in the Access Control Rule
Base for all bridged networks.
This is different from ARP. ARP traffic is Layer 2 only, therefore it permitted regardless of the
Rule Base.
This is an example of an explicit Rule Base that permits ICMPv6 Neighbor Discovery protocol:

Services & Install

Name Source Destination VPN Action Track
Applications On

IPv6 Network Network object Any neighbor- Accept Log Policy

Neighbor object that represents advertisement Targets
Discovery that the Bridged neighbor-
represents Network solicitation
the Bridged router-
Network advertisement
router-
solicitation
redirect6

Managing Ethernet Protocols

It is possible to configure a Security Gateway with bridge interface to allow or drop protocols
that are not based on IP that pass through the bridge interface. For example, protocols that are
not IPv4, IPv6, or ARP.

By default, these protocols are allowed by the Security Gateway.

Frames for protocols that are not IPv4, IPv6, or ARP are allowed if:
n On the Security Gateway, the value of the kernel parameter fwaccept_unknown_
protocol is 1 (all frames are accepted)
n OR in the applicable user.def file on the Management Server, the protocol IS defined
in the allowed_ethernet_protocols table.
n AND in the applicable user.def file on the Management Server, the protocol is NOT
defined in the dropped_ethernet_protocols table.

Installation and Upgrade Guide R81 | 640

 IPv6 Neighbor Discovery

To configure the Security Gateway to accept only specific protocols that are not IPv4,
IPv6, or ARP:

Step Instructions

1 On the Security Gateway, configure the value of the kernel parameter fwaccept_
unknown_protocol to 0.
Important - In a Cluster, you must configure all the Cluster Members in the
same way.

a. Connect to the command line on the Security Gateway.

b. Log in to the Expert mode.
c. Back up the current $FWDIR/boot/modules/fwkern.conf file:
cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
d. Edit the current $FWDIR/boot/modules/fwkern.conf file:
vi $FWDIR/boot/modules/fwkern.conf
e. Add this line (spaces or comments are not allowed):
fwaccept_unknown_protocol=0
f. Save the changes in the file and exit the editor.
g. Reboot the Security Gateway.
If the reboot is not possible at this time, then:
n Run this command to make the required change:

fw ctl set int fwaccept_unknown_protocol 0

n Run this command to make sure the required change was accepted:
fw ctl get int fwaccept_unknown_protocol

Installation and Upgrade Guide R81 | 641

 IPv6 Neighbor Discovery

Step Instructions

2 On the Management Server, edit the applicable user.def file.

Note - For the list of user.def files, see sk98239.

a. Back up the current applicable user.def file.

b. Edit the current applicable user.def file.
c. Add these directives:
n allowed_ethernet_protocols - contains the EtherType numbers

(in Hex) of protocols to accept

n dropped_ethernet_protocols - contains the EtherType numbers

(in Hex) of protocols to drop

Example
$ifndef __user_def__
$define __user_def__

\\
\\ User defined INSPECT code
\\

allowed_ethernet_protocols={
<0x0800,0x86DD,0x0806>);
dropped_ethernet_protocols={ <0x8137,0x8847,0x9100>
);

endif /*__user_def__*/

For the list of EtherType numbers, see http://standards-

oui.ieee.org/ethertype/eth.csv.
d. Save the changes in the file and exit the editor.

3 In SmartConsole, install the Access Control Policy on this Security Gateway

object.

Installation and Upgrade Guide R81 | 642

 Configuring Link State Propagation (LSP)

Configuring Link State Propagation (LSP)

On Check Point Appliances that run as a Security Gateway or ClusterXL Cluster Members,
you can bind together in Bridge Mode two physical ports on a Check Point Expansion Line
Card.
When the link state for one bridged subordinate port goes down, the other bridged subordinate
port also goes down.
Switch detects and reacts faster to a link failure on the other side of a bridge or another part of
the network.

Link State Propagation is supported on Check Point Appliances with these Expansion Line
Cards:

Line Card SKU Description Driver

CPAC-4-1C 4 Port 10/100/1000 Base-T Ethernet (RJ45) interface card IGB

CPAC-8-1C 8 Port 10/100/1000 Base-T Ethernet (RJ45) interface card IGB

CPAC-4-1F 4 Port 1000 Base-F Fiber (SFP) interface card IGB

CPAC-4-10F 4 Port 10G Base-F Fiber (SFP+) interface card IXGBE

You can configure the Link State Propagation in one of these modes:

LSP Mode Description

Automatic port detection and Security Gateways and Cluster Members automatically
port pair creation assign all bridged ports to port pairs.

Manual port pair creation You manually configure the assignment of bridged ports to
port pairs.

Note - You can configure up to four port pairs.

Important:
n In a Cluster, you must configure all the Cluster Members in the
same way.
n Link State Propagation does not support Bond interfaces.

Installation and Upgrade Guide R81 | 643

 Configuring Link State Propagation (LSP)

Configuring Link State Propagation for automatic port detection

Step Instructions

1 Connect to the command line on the Security Gateway or each Cluster

Member.

2 Log in to the Expert mode.

3 Back up the current $FWDIR/boot/modules/fwkern.conf file:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
If this file does not exist, create it:
touch $FWDIR/boot/modules/fwkern.conf

4 Edit the current $FWDIR/boot/modules/fwkern.conf file:

vi $FWDIR/boot/modules/fwkern.conf

5 Add this line:

fw_link_state_propagation_enabled=1

6 Save the changes in the file and exit the Vi editor.

7 Reboot the Security Gateway or each Cluster Member.

8 Make sure the Security Gateway or Cluster Members loaded the new
configuration:
fw ctl get int fw_link_state_propagation_enabled
The returned output must show:
fw_link_state_propagation_enabled = 1

Configuring Link State Propagation for manual port detection

Step Instructions

1 Connect to the command line on the Security Gateway or each Cluster

Member.

2 Log in to the Expert mode.

Installation and Upgrade Guide R81 | 644

 Configuring Link State Propagation (LSP)

Step Instructions

3 Back up the current $FWDIR/boot/modules/fwkern.conf file:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
If this file does not exist, create it:
touch $FWDIR/boot/modules/fwkern.conf

4 Edit the current $FWDIR/boot/modules/fwkern.conf file:

vi $FWDIR/boot/modules/fwkern.conf

5 Add these lines (you can configure up to four LSP pairs):

fw_link_state_propagation_enabled=1
fw_manual_link_state_propagation_enabled=1
fw_lsp_pair1="<interface_name_1,interface_name_2>"
fw_lsp_pair2="<interface_name_3,interface_name_4>"
fw_lsp_pair3="<interface_name_5,interface_name_6>"
fw_lsp_pair4="<interface_name_7,interface_name_8>"
Example:
fw_lsp_pair1="eth1,eth2"
fw_lsp_pair2="eth3,eth4"

6 Save the changes in the file and exit the Vi editor.

7 Reboot the Security Gateway or each Cluster Member.

Installation and Upgrade Guide R81 | 645

 Configuring Link State Propagation (LSP)

Step Instructions

8 Make sure the Security Gateway or Cluster Members loaded the new
configuration:
a. Output of this command
fw ctl get int fw_link_state_propagation_enabled
must return
fw_link_state_propagation_enabled = 1
b. Output of this command
fw ctl get int fw_manual_link_state_propagation_
enabled
must return
fw_manual_link_state_propagation_enabled = 1
c. Output of this command
fw ctl get str fw_lsp_pair1
must return the names of the interfaces configured in this pair
<interface_name_1,interface_name_2>
d. Output of this command
fw ctl get str fw_lsp_pair2
must return the names of the interfaces configured in this pair
<interface_name_3,interface_name_4>
e. Output of this command
fw ctl get str fw_lsp_pair3
must return the names of the interfaces configured in this pair
<interface_name_5,interface_name_6>
f. Output of this command
fw ctl get str fw_lsp_pair4
must return the names of the interfaces configured in this pair
<interface_name_7,interface_name_8>

For more information:

See sk108121: How to configure Link State Propagation (LSP) in a Bridge interface on Gaia
OS and SecurePlatform OS.

Installation and Upgrade Guide R81 | 646

 Security Before Firewall Activation

Security Before Firewall Activation

To protect the Security Gateway and network, Check Point Security Gateway has baseline
security:

Baseline
Name of Policy Description
Security

Boot defaultfilter Security during boot process.

Security

Initial InitialPolicy Security before a policy is installed for the first time, or
Policy when Security Gateway failed to load the policy.

Important - If you disable the boot security or unload the currently installed policy, you
leave your Security Gateway, or a Cluster Member without protection.
Best Practice - Before you disable the boot security, we recommend to
disconnect your Security Gateway, or a Cluster Member from the network
completely.

For additional information, see these commands in the R81 CLI Reference Guide:

Command Description

$CPDIR/bin/cpstat -f policy fw Shows the currently installed policy

$FWDIR/bin/control_bootsec {-r | -R} Disables the boot security

$FWDIR/bin/control_bootsec [-g | -G] Enables the boot security

$FWDIR/bin/comp_init_policy [-u | -U] Deletes the local state policy

$FWDIR/bin/comp_init_policy [-g | -G] Creates the local state Initial Policy

$FWDIR/bin/fw unloadlocal Unloads the currently installed policy

Installation and Upgrade Guide R81 | 647

 Boot Security

Boot Security
The Boot Security protects the Security Gateway and its networks, during the boot:
n Disables the IP Forwarding in Linux OS kernel
n Loads the Default Filter Policy

Important - In a Cluster, you must configure all the Cluster Members in the same way.

The Default Filter Policy

The Default Filter Policy (defaultfilter) protects the Security Gateway from the time it
boots up until it installs the user-defined Security Policy.

Boot Security disables IP Forwarding and loads the Default Filter Policy.
There are three Default Filters templates on the Security Gateway:

Default Filter
Default Filter Policy File Description
Mode

Boot Filter $FWDIR/lib/defaultfilter.boot This filter:

n Drops all incoming
packets that have
the same source IP
addresses as the IP
addresses assigned
to the Security
Gateway interfaces
n Allows all outbound
packets from the
Security Gateway

Drop Filter $FWDIR/lib/defaultfilter.drop This filter drops all

inbound and outbound
packets on the Security
Gateway.
Best Practice - If the
boot process
requires that the
Security Gateway
communicate with
other hosts, do not
use the Drop Filter.

Installation and Upgrade Guide R81 | 648

 Boot Security

Default Filter
Default Filter Policy File Description
Mode

Filter for $FWDIR/lib/defaultfilter.dag This filter for Security

Dynamically Gateways with
Assigned Dynamically Assigned IP
Gateways address:
(DAG)
n Allows all DHCP
Requests
n Allows all DHCP
Replies
n Uses Boot Filter:
a. Drops all
incoming
packets that
have the
same source
IP addresses
as the IP
addresses
assigned to
the Security
Gateway
interfaces
b. Allows all
outbound
packets from
the Security
Gateway

Selecting the Default Filter Policy

Step Instructions

1 Make sure to configure and install a Security Policy on the Security Gateway.

2 Connect to the command line on the Security Gateway.

3 Log in to the Expert mode.

4 Back up the current Default Filter Policy file:

cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

Installation and Upgrade Guide R81 | 649

 Boot Security

Step Instructions

5 Create a new Default Filter Policy file.

n To create a new Boot Filter, run:
cp -v $FWDIR/lib/defaultfilter.boot
$FWDIR/conf/defaultfilter.pf
n To create a new Drop Filter, run:
cp -v $FWDIR/lib/defaultfilter.drop
$FWDIR/conf/defaultfilter.pf
n To create a new DAG Filter, run:
cp -v $FWDIR/lib/defaultfilter.dag
$FWDIR/conf/defaultfilter.pf

6 Compile the new Default Filter file:

fw defaultgen

n The new complied Default Filter file for IPv4 traffic is:
$FWDIR/state/default.bin
n The new complied Default Filter file for IPv6 traffic is:
$FWDIR/state/default.bin6

7 Get the path of the Default Filter Policy file:

$FWDIR/boot/fwboot bootconf get_def
Example:
[Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
/etc/fw.boot/default.bin
[Expert@MyGW:0]#

8 Copy new complied Default Filter file to the path of the Default Filter Policy file.
n For IPv4 traffic, run:
cp -v $FWDIR/state/default.bin
/etc/fw.boot/default.bin
n For IPv6 traffic, run:
cp -v $FWDIR/state/default.bin6
/etc/fw.boot/default.bin6

Installation and Upgrade Guide R81 | 650

 Boot Security

Step Instructions

9 Make sure to connect to the Security Gateway over a serial console.

Important - If the new Default Filter Policy fails and blocks all access
through the network interfaces, you can unload that Default Filter Policy
and install the working policy.

10 Reboot the Security Gateway.

Defining a Custom Default Filter

Administrators with Check Point INSPECT language knowledge can define customized
Default Filters.

Important - Make sure your customized Default Filter policy does not interfere with
the Security Gateway boot process.

Step Instructions

1 Make sure to configure and install a Security Policy on the Security Gateway.

2 Connect to the command line on the Security Gateway.

3 Log in to the Expert mode.

4 Back up the current Default Filter Policy file:

cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

5 Create a new Default Filter Policy file.

n To use the Boot Filter as a template, run:
cp -v $FWDIR/lib/defaultfilter.boot
$FWDIR/conf/defaultfilter.pf
n To use the Drop Filter as a template, run:
cp -v $FWDIR/lib/defaultfilter.drop
$FWDIR/conf/defaultfilter.pf
n To use the DAG Filter as a template, run:
cp -v $FWDIR/lib/defaultfilter.dag
$FWDIR/conf/defaultfilter.pf

Installation and Upgrade Guide R81 | 651

 Boot Security

Step Instructions

6 Edit the new Default Filter Policy file to include the applicable INSPECT code.
Important - Your customized Default Filter must not use these functions:
n Logging
n Authentication
n Encryption
n Content Security

7 Compile the new Default Filter file:

fw defaultgen

n The new complied Default Filter file for IPv4 traffic is:
$FWDIR/state/default.bin
n The new complied Default Filter file for IPv6 traffic is:
$FWDIR/state/default.bin6

8 Get the path of the Default Filter Policy file:

$FWDIR/boot/fwboot bootconf get_def
Example:
[Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
/etc/fw.boot/default.bin
[Expert@MyGW:0]#

9 Copy new complied Default Filter file to the path of the Default Filter Policy file.
n For IPv4 traffic, run:
cp -v $FWDIR/state/default.bin
/etc/fw.boot/default.bin
n For IPv6 traffic, run:
cp -v $FWDIR/state/default.bin6
/etc/fw.boot/default.bin6

10 Make sure to connect to the Security Gateway over a serial console.

Important - If the new Default Filter Policy fails and blocks all access
through the network interfaces, you can unload that Default Filter Policy
and install the working policy.

11 Reboot the Security Gateway.

Installation and Upgrade Guide R81 | 652

 Boot Security

Using the Default Filter Policy for Maintenance

It is sometimes necessary to stop the Security Gateway for maintenance. It is not always
practical to disconnect the Security Gateway from the network (for example, if the Security
Gateway is on a remote site).
To stop the Security Gateway for maintenance and maintain security, you can run:

Command Description

cpstop -
n Shuts down Check Point processes
fwflag - n Loads the Default Filter policy (defaultfilter)
default

cpstop -
n Shuts down Check Point processes
fwflag - n Keeps the currently loaded kernel policy
proc n Maintains the Connections table, so that after you run the
cpstart command, you do not experience dropped packets
because they are "out of state"

Note - Only security rules that do not use user space

processes continue to work.

Installation and Upgrade Guide R81 | 653

 The Initial Policy

The Initial Policy

Until the Security Gateway administrator installs the Security Policy on the Security Gateway
for the first time, security is enforced by an Initial Policy.
The Initial Policy operates by adding the predefined implied rules to the Default Filter policy.
These implied rules forbid most communication, yet allow the communication needed for the
installation of the Security Policy.
The Initial Policy also protects the Security Gateway during Check Point product upgrades,
when a SIC certificate is reset on the Security Gateway, or in the case of a Check Point
product license expiration.

Note - During a Check Point upgrade, a SIC certificate reset, or license expiration, the
Initial Policy overwrites the user-defined policy.

The sequence of actions during boot of the Security Gateway until a Security Policy is loaded
for the first time:

Step Instructions

1 The Security Gateway boots up.

2 The Security Gateway disables IP Forwarding and loads the Default Filter policy.

3 The Security Gateway configures the interfaces.

4 The Security Gateway services start.

5 The Security Gateway fetches the Initial Policy from the local directory.

6 Administrator installs the user-defined Security Policy from the Management

Server.

Installation and Upgrade Guide R81 | 654

 The Initial Policy

The Security Gateway enforces the Initial Policy until administrator installs a user-defined
policy.
In subsequent boots, the Security Gateway loads the user-defined policy immediately after the
Default Filter policy.
There are different Initial Policies for Standalone and distributed setups:
n In a Standalone configuration, where the Security Management Server and the Security
Gateway are on the same computer, the Initial Policy allows CPMI management
communication only.
This permits SmartConsole clients to connect to the Security Management Server.
n In a distributed configuration, where the Security Management Server is on one
computer and the Security Gateway is on a different computer, the Initial Policy:
l Allows the cpd and fwd daemons to communicate for SIC (to establish trust) and
for Policy installation.
l Does not allow CPMI connections through the Security Gateway.
The SmartConsole is not be able to connect to the Security Management Server, if
the SmartConsole must access the Security Management Server through a
Security Gateway with the Initial Policy.

Installation and Upgrade Guide R81 | 655

 Troubleshooting: Cannot Complete Reboot

Troubleshooting: Cannot Complete Reboot

In some configurations, the Default Filter policy prevents the Security Gateway from
completing the reboot after installation.
Firstly, look at the Default Filter. Does the Default Filter allow traffic required by the boot
procedures?
Secondly, if the boot process cannot finish successfully, remove the Default Filter:

Step Instructions

1 Connect to the Security Gateway over serial console.

2 Reboot the Security Gateway.

3 During boot, press any key to enter the Boot Menu.

4 Select the Start in maintenance mode.

5 Enter the Expert mode password.

6 Set the Default Filter to not load again:

a. Go to the $FWDIR directory:
cd /opt/CPsuite-<VERSION>/fw1/
b. Set the Default Filter to not load again:
./fwboot bootconf set_def

7 In the $FWDIR/boot/boot.conf file, examine the value of the "DEFAULT_

FILTER_PATH":

a. Go to the $FWDIR directory:

cd /opt/CPsuite-<VERSION>/fw1/
b. examine the value of the "DEFAULT_FILTER_PATH":
grep DEFAULT_FILTER_PATH boot/boot.conf

8 Reboot the Security Gateway.

Installation and Upgrade Guide R81 | 656

 Working with Licenses

Working with Licenses

You can manage licenses on your Security Gateways in these ways:
n In SmartConsole you can activate, add, or delete your licenses. See "Viewing Licenses
in SmartConsole" on page 658 and "Managing Licenses in SmartConsole" on page 665.
n In Gaia Portal, you can activate, add, or delete your licenses. See "Managing Licenses in
the Gaia Portal" on page 669.
n In Gaia Clish or the Expert mode, you can add or delete your licenses with the "cplic"
command.
See the R81 CLI Reference Guide > Chapter Security Gateway Commands > Section
cplic.
n When Security Gateways are not connected to the Internet, you can add, delete, attach,
and detach your licenses in SmartUpdate. See "Using Legacy SmartUpdate" on
page 673.
When Security Gateways are connected to the Internet, they are able to get and update
their licenses and contracts without SmartUpdate.

Installation and Upgrade Guide R81 | 657

 Viewing Licenses in SmartConsole

Viewing Licenses in SmartConsole

To view license information

Step Instructions

1 From the left navigation panel, click Gateways & Servers.

2 From the Columns drop-down list, select Licenses.

You can see these columns:

Column Description

License The general state of the Software Blade licenses:

Status
n OK - All the blade licenses are valid.
n Not Activated - Blade licenses are not installed. This is only possible
in the first 15 days after the establishment of the SIC with the Security
Management Server. After the initial 15 days, the absence of licenses
will result in the blade error message.
n Error with <number> blade(s) - The specified number of blade
licenses are not installed or not valid.
n Warning with <number> blade(s) - The specified number of blade
licenses have warnings.
n N/A - No available information.

CK Unique Certificate Key of the license instance.

SKU Catalog ID from the Check Point User Center.

Account ID User's account ID.

Support Check Point level of support.

Level

Support Date when the Check Point support contract expires.

Expiration

To view license information for each Software Blade

Step Instructions

1 Select a Security Gateway or a Security Management Server.

Installation and Upgrade Guide R81 | 658

 Viewing Licenses in SmartConsole

Step Instructions

2 In the Summary tab below, click the object's License Status (for example: OK).
The Device & License Information window opens. It shows basic object
information and License Status, license Expiration Date, and important quota
information (in the Additional Info column) for each Software Blade.
Notes:
n Quota information, quota-dependent license statuses, and blade
information messages are only supported for R80 and higher.
n The tooltip of the SKU is the product name.

The possible values for the Software Blade License Status are:

Status Description

Active The Software Blade is active and the license is valid.

Available The Software Blade is not active, but the license is valid.

No License The Software Blade is active but the license is not valid.

Expired The Software Blade is active, but the license expired.

About to The Software Blade is active, but the license will expire in thirty days
Expire (default) or less (7 days or less for an evaluation license).

Quota The Software Blade is active, and the license is valid, but the quota of
Exceeded related objects (Security Gateways, files, virtual systems, and so on,
depending on the blade) is exceeded.

Quota The Software Blade is active, and the license is valid, but the number of
Warning objects of this blade is 90% (default) or more of the licensed quota.

N/A The license information is not available.

Viewing license information for VSX:

SmartConsole reports an error when viewing VS Licenses.

To see the VSX license information:

Select the VSG Gateway or VSX Cluster object (and not objects of Virtual Systems or Virtual
Routers).

Installation and Upgrade Guide R81 | 659

 Monitoring Licenses in SmartConsole

Monitoring Licenses in SmartConsole

To keep track of license issues, you can use these options in SmartConsole:

Option Instructions

License To see and export license information for Software Blades on each specific
Status view Security Management Server, Security Gateway, or Log Server object.

License To see filter and export license status information for all configured Security
Status Management Server, Security Gateway, or Log Server objects.
report

License To see filter and export license information for Software Blades on all
Inventory configured Security Management Server, Security Gateway, or Log Server
report objects.

The SmartEvent Software Blade lets you customize the License Status and License
Inventory information from the Logs & Monitor view of SmartConsole.
It is also possible to view license information from the Gateways & Servers view of
SmartConsole without enabling the SmartEvent Software Blade on Security Management
Server.
The Gateways & Servers view in SmartConsole lets you view, filter, and export different
license reports:
The "License Inventory" report

The Gateways & Servers view in SmartConsole lets you view and export the License
Inventory report.
Viewing the License Inventory report

Step Instructions

1 In SmartConsole, from the left navigation panel, click Gateways & Servers.

2 From the top toolbar, click Actions > License Report.

Installation and Upgrade Guide R81 | 660

 Monitoring Licenses in SmartConsole

Step Instructions

3 Wait for the SmartView to load and show this report.

By default, this report contains:
n Inventory page:
l Blade Names

l Devices Names

l License Statuses

n License by Device page:

l Devices Names

l License statuses

l CK

l SKU

l Account ID

l Support Level

l Next Expiration Date

Exporting the License Inventory report

Step Instructions

1 In the top right corner, click the Options button.

2 Select the applicable export option - Export to Excel, or Export to PDF.

The "License Status" report

The Logs & Monitor view in SmartConsole lets you view, filter, and export the License
Status report.
Viewing the License Status report

Step Instructions

1 In SmartConsole, from the left navigation panel, click Logs & Monitor

2 At the top, open a new tab by clicking New Tab, or [+].

3 In the left section, click Views.

4 In the list of reports, double-click License Status.

Installation and Upgrade Guide R81 | 661

 Monitoring Licenses in SmartConsole

Step Instructions

5 Wait for the SmartView to load and show this report.

By default, this report contains:
n Names of the configured objects
n License status for each object
n CK
n SKU
n Account ID
n Support Level
n Next Expiration Date

Filtering the License Status report

Step Instructions

1 In the top right corner, click the Options button > click View Filter.
The Edit View Filter window opens.

2 Select a Field to filter results.

For example, Device Name, License Status, Account ID.

3 Select the logical operator - Equals, Not Equals, or Contains.

4 Select or enter a filter value.

Note - Click the X icon to delete a filter.

5 Optional: Click the + icon to configure additional filters.

6 Click OK to apply the configured filters.

The report is filtered based on the configured filters.

Exporting the License Status report

Step Instructions

1 In the top right corner, click the Options button.

2 Select the applicable export option - Export to Excel, or Export to PDF.

Installation and Upgrade Guide R81 | 662

 Monitoring Licenses in SmartConsole

The "License Inventory" report

The Logs & Monitor view in SmartConsole lets you view, filter, and export the License
Inventory report.
Viewing the License Inventory report

Step Instructions

1 In SmartConsole, from the left navigation panel, click Logs & Monitor

2 At the top, open a new tab by clicking New Tab, or [+].

3 In the left section, click Reports.

4 In the list of reports, double-click License Inventory.

5 Wait for the SmartView to load and show this report.

By default, this report contains:
n Inventory page:
l Blade Names

l Devices Names

l License Statuses

n License by Device page:

l Devices Names

l License statuses

l CK

l SKU

l Account ID

l Support Level

l Next Expiration Date

Filtering the License Inventory report

Step Instructions

1 In the top right corner, click the Options button > click Report Filter.
The Edit Report Filter window opens.

2 Select a Field to filter results.

For example, Blade Name, Device Name, License Overall Status,
Account ID.

3 Select the logical operator - Equals, Not Equals, or Contains.

Installation and Upgrade Guide R81 | 663

 Monitoring Licenses in SmartConsole

Step Instructions

4 Select or enter a filter value.

Note - Click the X icon to delete a filter.

5 Optional: Click the + icon to configure additional filters.

6 Click OK to apply the configured filters.

The report is filtered based on the configured filters.

Exporting the License Inventory report

Step Instructions

1 In the top right corner, click the Options button.

2 Select the applicable export option - Export to Excel, or Export to PDF.

Installation and Upgrade Guide R81 | 664

 Managing Licenses in SmartConsole

Managing Licenses in SmartConsole

Starting from R81, you can add or remove licenses manually in SmartConsole.
Adding and removing a license

Step Instructions

1 In SmartConsole, from the left navigation panel, click Gateways & Servers.

2 In the top pane, select the object of the applicable Management Server or
Security Gateway.

3 In the bottom pane, click the Licenses tab.

4 Add or remove a license:

n To add a license from a license file:
a. Click Add and select License File.
b. Browse for the license file.
c. Select the license file.
d. Click Open.
n To add a license from a license string:
a. Click Add and select License String.
b. Paste the license string.
c. Click OK.
n To remove a license:
a. Select the license in the leftmost column.
b. Click Remove.

Installation and Upgrade Guide R81 | 665

 Managing Licenses in SmartConsole

Note - To add or remove licenses on the Licenses tab, an administrator must have
the Run One Time Script permission selected in their profile. To assign this
permission, in SmartConsole, go to Manage & Settings > Permissions &
Administrators > Permission Profiles. Open the relevant permission profile, go to
Gateways > Scripts, and select Run One-Time Scripts.

You can see these columns with license information:

Column Description

IP Address The IP address, for which this license was generated.

Expiration Date Date when the Check Point support contract expires.

CK Unique Certificate Key of the license instance.

SKU Catalog ID from the Check Point User Center.

Note - SmartConsole R81 and higher does not support viewing a license of
Quantum Spark appliances with Gaia Embedded OS (in the "Gateways & Servers"
view, select the Security Gateway object > in the bottom pane, click the "Licenses"
tab).
Workaround: Use SmartUpdate to view the licenses.
Important - To distribute licenses to CloudGuard IaaS Security Gateways, see the
R81 CloudGuard Controller Administration Guide.

Viewing Software Blade license information

Step Instructions

1 From the left navigation panel, click Gateways & Servers.

2 In the top pane, select the object of the applicable Management Server or
Security Gateway.

3 In the bottom pane, click the Summary tab.

Installation and Upgrade Guide R81 | 666

 Managing Licenses in SmartConsole

Step Instructions

4 Examine the field License Status:

The general state of the Software Blade licenses:
n OK - All the blade licenses are valid.
n Not Activated - Blade licenses are not installed. This is only possible in
the first 15 days after the establishment of the SIC with the Security
Management Server. After the initial 15 days, the absence of licenses
results in the blade error message.
n Error with <number> blade(s) - The specified number of blade licenses
are not installed or not valid.
n Warning with <number> blade(s) - The specified number of blade
licenses have warnings.
n N/A - The license information is not available.

5 To see the license information for each Software Blade this license covers,
click the license status in the License Status field.
(Alternatively, click the Device & License Information link at the bottom and
then click the License Status page from the left.)
The Device & License Information window opens and shows the License
Status page.
This page shows:
n Object name.
n General license state.
n IP - Object main IP address.
n Account ID - User's account ID.
n CK - Unique Certificate Key of the license instance.
n Support Level - Check Point level of support for this license.
n SKU - Catalog ID from the Check PointUser Center.
n Support Expiration - Date when the Check Point support contract
expires.
n Blade Name - Software Blades this license covers.
n License Status - See the summary table below.
n Expiration Date - Date when the Check Point support contract expires for
this Software Blade.
n Additional Info - Additional information about this Software Blade
configuration.

Installation and Upgrade Guide R81 | 667

 Managing Licenses in SmartConsole

The possible values for the Software Blade License Status are:

Status Instructions

Active The Software Blade is active and the license is valid.

Available The Software Blade is not active, but the license is valid.

No License The Software Blade is active, but the license is not valid.

Expired The Software Blade is active, but the license expired.

About to The Software Blade is active, but the license will expire in 30 days
Expire (default) or less (7 days or less for an evaluation license).

Quota The Software Blade is active, and the license is valid, but the quota of
Exceeded related objects (Security Gateways, files, Virtual Systems, and so on,
depending on the blade) is exceeded.

Quota The Software Blade is active, and the license is valid, but the number of
Warning objects of this blade is 90% (default) or more of the licensed quota.

N/A The license information is not available.

Notes:
n Quota information, quota-dependent license statuses, and blade information
messages are only supported for R80 and above.
n The tooltip of the SKU field is the product name.

Installation and Upgrade Guide R81 | 668

 Managing Licenses in the Gaia Portal

Managing Licenses in the Gaia Portal

Note - If it is necessary to get a license, visit the Check Point User Center.

Adding a license

Step Instructions

1 In the navigation tree, click Maintenance > Licenses.

2 Click New.
The Add License window opens.

3 Enter the license data manually, or click Paste License to enter the data
automatically.
Note - The Paste License button only shows in Internet Explorer. For
other web browsers, paste the license strings into the empty text field.

4 Click OK.

Deleting a license

Step Instructions

1 In the navigation tree, click Maintenance > Licenses.

2 Select a license in the table.

3 Click Delete.

Installation and Upgrade Guide R81 | 669

 Migrating a License to a New IP Address

Migrating a License to a New IP Address

Check Point licenses are issued for the main IP address of Check Point computers.
If you change the IP address of your Check Point computer, or if you migrated the
management database between the servers with different IP addresses, you must update the
applicable configuration.
Procedure for a Security Management Server

Step Instructions

1 Connect to your Check Point User Center account.

2 Issue a new license for the new IP address.

3 Install the new license (issued for the new IP address) on your Security
Management Server.

4 Remove the old license (issued for the old IP address) from your Security
Management Server.

5 Restart Check Point Services:

cpstop
cpstart

6 In SmartConsole:

1. Connect with SmartConsole to the (Primary) Security Management

Server.
2. Open the Security Management Server object.
3. In the left tree, click Network Management.
4. Make sure to update the IP Address and topology.
5. Click OK.
6. Publish the SmartConsole session.
7. Install the database:
a. In the top left corner, click Menu > Install database.
b. Select all objects.
c. Click Install.
d. Click OK.

7 On your DNS Server, map the host name of your Security Management Server
to the new IP address.

Installation and Upgrade Guide R81 | 670

 Migrating a License to a New IP Address

Procedure for a Multi-Domain Server or Multi-Domain Log Server

Step Instructions

1 Connect to your Check Point User Center account.

2 Issue a new license for the new IP address.

3 Install the new license (issued for the new IP address) on your Multi-Domain
Server or Multi-Domain Log Server.

4 Remove the old license (issued for the old IP address) from your Multi-Domain
Server or Multi-Domain Log Server.

5 Change the Leading Interface.

See "Changing the IP Address of a Multi-Domain Server or Multi-Domain Log
Server" on page 526.

6 On your DNS Server, map the host name of your Multi-Domain Server or Multi-
Domain Log Server to the new IP address.

Procedure for dedicated Log Servers and dedicated SmartEvent Servers

Step Instructions

1 Connect to your Check Point User Center account.

2 Issue a new license for the new IP address.

3 Install the new license (issued for the new IP address) on your Log Server or
SmartEvent Server.

4 Remove the old license (issued for the old IP address) from your Log Server or
SmartEvent Server.

5 Restart Check Point Services:

cpstop
cpstart

Installation and Upgrade Guide R81 | 671

 Migrating a License to a New IP Address

Step Instructions

6 In SmartConsole:
1. Connect with SmartConsole to the applicable Management Server that
manages your dedicated Log Server or SmartEvent Server.
2. Open the object of your dedicated Log Server or SmartEvent Server.
3. In the left tree, click Network Management.
4. Make sure to update the IP Address and topology.
5. Click OK.
6. Publish the SmartConsole session.
7. Install the database:
a. In the top left corner, click Menu > Install database.
b. Select all objects.
c. Click Install.
d. Click OK.
8. Install the Access Control Policy on all managed Security Gateways that
send their logs to your dedicated Log Server or SmartEvent Server.

7 On your DNS Server, map the host name of your dedicated Log Server or
SmartEvent Server to the new IP address.

Installation and Upgrade Guide R81 | 672

 Using Legacy SmartUpdate

Using Legacy SmartUpdate

When Security Gateways can connect to Check Point User Center, they can get and update
their licenses and contracts automatically (for more information, see sk94064).
When Security Gateways cannot connect to Check Point User Center:
n Manage your licenses in one of these ways:
l In SmartConsole. See "Managing Licenses in SmartConsole" on page 665.
l With the "cplic" command. See the R81 CLI Reference Guide > Chapter Security
Gateway Commands > Section cplic.
n Manage your contracts in one of these ways:
l In the legacy SmartUpdate.
l With the "cplic" command.
The legacy SmartUpdate can also:
n Distribute licenses and software packages for managed Check Point and OPSEC
Certified products.
n Provide a centralized way to guarantee that Internet security throughout the enterprise
network is always up to date.
These features and tools are available in SmartUpdate:
n Maintaining licenses
n Upgrading packages for R77.30 and below
n Adding packages to Package Repository for R77.30 and below

Important:
n The SmartUpdate GUI shows two tabs - Package Management and Licenses
& Contracts.
n For versions R80.10 and above, the tools in the Package Management tab are
no longer supported.
n To install packages on Gaia OS, use CPUSE (see sk92449), or Central
Deployment Tool (see sk111158).
For more information, see "Installing Software Packages on Gaia" on page 185.

Installation and Upgrade Guide R81 | 673

 Accessing SmartUpdate

Accessing SmartUpdate
Step Instructions

1 Open the SmartUpdate in one of these ways:

n In SmartConsole, in the top left corner, click Menu > Manage licenses &
packages.
n On the SmartConsole client, run this executable file directly:
l On Windows OS 32-bit:

C:\Program
Files\CheckPoint\
SmartConsole\<Rxx>\PROGRAM\SmartDistributor.exe
l On Windows OS 64-bit:
C:\Program Files
(x86)\CheckPoint\
SmartConsole\<Rxx>\PROGRAM\SmartDistributor.exe

2 In the top left corner, click Menu > View > Menu Bar.
The menu names appear at the top of the GUI.

Installation and Upgrade Guide R81 | 674

 Licenses Stored in the Licenses & Contracts Repository

Licenses Stored in the Licenses & Contracts

Repository
When you add a license with SmartUpdate, it is stored in the Licenses & Contracts
Repository.
The SmartUpdate provides a global view of all licenses available and all of the assigned
licenses.
To activate the license once it is in the Repository, it has to be attached to a Security Gateway
and registered with the Management Server.
There are two license types available:

License
Instructions
Type

Central The Central license is the preferred method of licensing.

n A Central license is tied to the IP address of the Management Server.
n There is one IP address for all licenses.
n The license remains valid if you change the IP address of the Security
Gateway.
n A license can be moved from one Check Point Security Gateway to
another easily.
n Maximum flexibility.

Local The Local license is an older method of licensing that is still supported.
n A Local license is tied to the IP address of the specific Security
Gateway.
n Cannot be transferred to a Security Gateway with a different IP
address.

Installation and Upgrade Guide R81 | 675

 Licensing Terms for SmartUpdate

Licensing Terms for SmartUpdate

Term Instructions

Add You can add any license that you receive from the Check Point User Center
to the Licenses & Contracts Repository.
n You can add the licenses directly from a User Center account.
n You can add the licenses from a file that you receive from the User
Center.
n You can add the licenses manually by pasting or typing the license
details.

When you add the Local license to the Licenses & Contracts Repository, it
also attaches it to the Security Gateway with the IP address, for which the
license was issued.
See "Adding New Licenses to the Licenses & Contracts Repository" on
page 679.

Attach You can attach a license from the Licenses & Contracts Repository to a
managed Security Gateway.
See "Attaching a License to a Security Gateway" on page 683.

Detach When you detach a license from a managed Security Gateway, you have to
uninstall the license from that Security Gateway.
If this is a Central license, this operation makes that license in the Licenses
& Contracts Repository available to other managed Security Gateways.
See "Detaching a License from a Security Gateway" on page 684.

Get You can add information from your managed Security Gateways about the
licenses you installed locally.
This updates the Licenses & Contracts Repository with all local licenses
across the installation.
The Get operation is a two-way process that places all locally installed
licenses in the License & Contract Repository and removes all locally
deleted licenses from the Licenses & Contracts Repository.
See "Getting Licenses from Security Gateways" on page 685.

Delete You can delete a license from the Licenses & Contracts Repository.
See "Deleting a License from the Licenses & Contracts Repository" on
page 682.

Export You can export a license from the Licenses & Contracts Repository to a
file.
See "Exporting a License to a File" on page 686.

Installation and Upgrade Guide R81 | 676

 Licensing Terms for SmartUpdate

Term Instructions

License Licenses expire on a particular date, or never.

Expiration If a license expires, the applicable products and features stop working on
the Check Point computer, to which the license is attached.
See "Checking for Expired Licenses" on page 688.

State The license state depends on whether the license is associated with a
managed Security Gateway in the Licenses & Contracts Repository, and
whether the license is installed on that Security Gateway.
The license state definitions are:
n Attached - Indicates that the license is associated with a managed
Security Gateway in the Licenses & Contracts Repository, and is
installed on that Security Gateway.
n Unattached - Indicates that the license is not associated with
managed Security Gateways in the Licenses & Contracts
Repository, and is not installed on managed Security Gateways.
n Assigned Indicates that the license that is associated with a managed
Security Gateway in the Licenses & Contracts Repository, but has
not yet been installed on a Security Gateway.

Upgrade This is a field in the Licenses & Contracts Repository that contains an error
Status message from the User Center when the License Upgrade process fails.

Central Attach a Central License to the IP address of your Management Server.

License

Local A Local License is tied to the IP address of the specific Security Gateway.
License You can only use a local license with a Security Gateway or a Security
Management Server with the same address.

Multi- This is a license file that contains more than one license.
License File The "cplic put" and "cplic add" commands support these files.

Certificate This is a string of 12 alphanumeric characters.

Key This number is unique to each package.

Features This is a character string that identifies the features of a package.

cplic A CLI utility to manage local licenses on Check Point computers.

For details, see the R81 CLI Reference Guide - Chapter Security
Management Server Commands - Section cplic.

Installation and Upgrade Guide R81 | 677

 Viewing the Licenses & Contracts Repository

Viewing the Licenses & Contracts Repository

Step Instructions

1 Open the SmartUpdate.

See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

Installation and Upgrade Guide R81 | 678

 Adding New Licenses to the Licenses & Contracts Repository

Adding New Licenses to the Licenses &

Contracts Repository
To install a license, you must first add it to the Licenses & Contracts Repository.
You can add any license that you receive from the Check Point User Center to the Licenses &
Contracts Repository.
n You can add the licenses directly from a User Center account.
n You can add the licenses from a file that you receive from the User Center.
n You can add the licenses manually by pasting or typing the license details.

Notes:
n Unattached Central licenses appear in the Licenses & Contracts Repository.
n When you add the Local license to the Licenses & Contracts Repository, the
Management Server attaches it to the Security Gateway with the IP address, for
which the license was issued.
n All licenses are assigned a default name in the format <SKU>@<Time Date>,
which you can modify later.

Adding a license directly from a User Center account

Step Instructions

1 Open the SmartUpdate.

See "Accessing SmartUpdate" on page 674.

2 Click Licenses & Contracts tab.

3 Click Licenses & Contracts menu at the top > Add License > From User
Center.

4 Enter your User Center credentials.

5 Click Assets / Info > Product Center.

6 Perform one of the following:

n Generate a new license, if there are no identical licenses. This adds the
license to the Licenses & Contracts Repository.
n Change the IP address of an existing license with Move IP.
n Change the license from Local to Central.

Installation and Upgrade Guide R81 | 679

 Adding New Licenses to the Licenses & Contracts Repository

Adding a license from a file

Step Instructions

1 In the applicable Check Point User Center account:

1. Generate a license.
2. Click the License Information tab.
3. Click the Get Last License.
4. Click the Get License File.
5. Save the CPLicenseFile.lic file.

2 Open the SmartUpdate.

See "Accessing SmartUpdate" on page 674.

3 Click the Licenses & Contracts tab.

4 Click the Licenses & Contracts menu at the top > Add License > From File.

5 Locate and select the downloaded CPLicenseFile.lic file.

6 Click Open.

7 Follow the instructions in the SmartUpdate.

Note - A License File can contain multiple licenses.

Adding a license manually

Step Instructions

1 Generate a license in the Check Point User Center.

Notes:
n User Center sends you an e-mail with the license information.
n You can also click the License Information tab to see and copy this
information.

2 Open the SmartUpdate.

See "Accessing SmartUpdate" on page 674.

3 Click the Licenses & Contracts tab.

4 Click the Licenses & Contracts menu at the top > Add License > Manually.

Installation and Upgrade Guide R81 | 680

 Adding New Licenses to the Licenses & Contracts Repository

Step Instructions

5 In the Add License window you can:

n Copy the applicable string from the User Center e-mail and click Paste
License.
n Paste the applicable information you copied from the User Center.

Note - If you leave the Name field empty, the license is assigned a name
in the format <SKU>@<Time Date>.

6 Click OK.

Installation and Upgrade Guide R81 | 681

 Deleting a License from the Licenses & Contracts Repository

Deleting a License from the Licenses &

Contracts Repository
You can delete an unattached license that is no longer needed:

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

3 If you do not see the window License And Contract Repository, then click the
Licenses & Contracts menu at the top > click View Repository.

4 Right-click anywhere in the Licenses And Contracts Repository window and

select View Unattached Licenses.

5 Right-click the Unattached license that you want to delete, and select Delete
License / Contract.

6 Click Yes to confirm.

Installation and Upgrade Guide R81 | 682

 Attaching a License to a Security Gateway

Attaching a License to a Security Gateway

Note - Before you can attach a license to a Security Gateway or Cluster Member, you
must add the license to the Licenses & Contracts Repository.

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

3 Click the Licenses & Contracts menu at the top > click Attach.

4 In the Attach Licenses window, select the applicable Security Gateway or Cluster
Member.

5 Click Next.

6 Select the applicable license.

7 Click Finish.

8 Check the Operation Status window.

9 Connect to the command line on the applicable Security Gateway or Cluster

Member.

10 Run the "cplic print" command to make sure the license is attached.

Installation and Upgrade Guide R81 | 683

 Detaching a License from a Security Gateway

Detaching a License from a Security Gateway

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

3 Click the Licenses & Contracts menu at the top > click Detach.

4 In the Detach Licenses window, select the applicable Security Gateway or

Cluster Member.

5 Click Next.

6 Select the applicable license.

7 Click Finish.

8 Check the Operation Status window.

9 Connect to the command line on the applicable Security Gateway or Cluster

Member.

10 Run the "cplic print" command to make sure the license is detached.

Installation and Upgrade Guide R81 | 684

 Getting Licenses from Security Gateways

Getting Licenses from Security Gateways

You can add information from your managed Security Gateways about the licenses you
installed locally.
This updates the Licenses & Contracts Repository with all local licenses across the
installation.

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

3 Click the Licenses & Contracts menu at the top > click Get all Licenses.

4 Check the Operation Status window.

Installation and Upgrade Guide R81 | 685

 Exporting a License to a File

Exporting a License to a File

You can export a license to a file and import it later to the Licenses & Contracts Repository.
This can be useful for administrative or support purposes.
Exporting licenses one by one

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click Licenses & Contracts tab.

3 If you do not see the window License And Contract Repository, then click the
Licenses & Contracts menu at the top > click View Repository.

4 Right-click anywhere in the Licenses And Contracts Repository window and

select View all Licenses & Contracts.

5 Right-click the license that you want to export, and select Export License to
File.

6 Select the location, enter the applicable file name and click Save.

Note - If the license file with such name already exists, the new licenses are added
to the existing file.

Exporting multiple licenses at once

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

3 If you do not see the window License And Contract Repository, then click the
Licenses & Contracts menu at the top> View Repository.

4 Right-click anywhere in the Licenses And Contracts Repository window and

select View all Licenses & Contracts.

5 Press and hold the CTRL key.

6 Left-click each license that you want to export.

7 Release the CTRL key.

8 Right-click on one of the selected licenses and select Export License to File.

Installation and Upgrade Guide R81 | 686

 Exporting a License to a File

Step Instructions

9 Select the location, enter the applicable file name and click Save.

Note - If the license file with such name already exists, the new licenses are added
to the existing file.

Installation and Upgrade Guide R81 | 687

 Checking for Expired Licenses

Checking for Expired Licenses

If a license expires, the applicable products and features stop working on the Check Point
computer, to which the license is attached.

Best Practice - We recommend to be aware of the pending expiration dates of all

licenses.

Checking for expired licenses

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

3 Click the Licenses & Contracts menu at the top > click Show Expired.

4 In the License/Contract Expiration window, the expired licenses appear in the

Expired License and Contracts section.

5 To delete an expired license, select it and click Delete.

Checking for licenses nearing their dates of expiration

Step Instructions

1 Open the SmartUpdate. See "Accessing SmartUpdate" on page 674.

2 Click the Licenses & Contracts tab.

3 Click the Licenses & Contracts menu at the top > click Show Expired.

4 In the License/Contract Expiration window, set the applicable number of days

in the field Search for licenses/contracts expiring within the next X days.

5 Click Apply to run the search.

Installation and Upgrade Guide R81 | 688

 Check Point Cloud Services

Check Point Cloud Services

Automatic Downloads
Check Point products connect to Check Point cloud services to download and upload
information.
You can enable or disable Automatic Downloads in the Gaia First Time Configuration Wizard,
on the Products page.
We recommend that you enable Automatic Downloads, so that you can use these features:
n Blade Contracts are annual licenses for Software Blades and product features.If there is
no valid Blade contract, the applicable blades and related features will work, but with
some limitations.
n CPUSE lets you manage upgrades and installations on Gaia OS. See sk92449.
n Data updates and Cloud Services are necessary for the full functionality of these
Software Blades and features:
l Application & URL Filtering
l Threat Prevention (Anti-Bot, Anti-Virus, Anti-Spam, IPS, Threat Emulation)
l HTTPS Inspection
l URL Filtering database
l Application Database
l Compliance
l SmartEndpoint
l AppWiki
l ThreatWiki

Installation and Upgrade Guide R81 | 689

 Check Point Cloud Services

The Automatic Downloads feature is applicable to the Security Management Servers, Multi-
Domain Servers, Log Servers, and Security Gateways.
If you disabled Automatic Downloads in the Gaia First Time Configuration Wizard, you can
enable it again in SmartConsole Global properties:

Step Instructions

1 In the top left corner, click Menu > Global properties > Security Management
Access.

2 Select Automatically download Contracts and other important data.

3 Click OK.

4 Close the SmartConsole.

5 Connect with SmartConsole to your Management Server.

6 Install the Access Control Policy.

To learn more, see sk94508.

Installation and Upgrade Guide R81 | 690

 Check Point Cloud Services

Sending Data to Check Point

In the Gaia First Time Configuration Wizard, on the Summary page, you can enable or disable
data uploads to Check Point. This feature is enabled by default. The CPUSE statistics require
this feature.
In R77 and above, this setting activates the Check Point User Center Synchronization Tool. It
updates your Check Point User Center account with information from your Security Gateways,
mapping your SKUs to your actual deployment.
This setting of a Security Management Server applies to all its managed Security Gateways
(running R77 and above).
You can always change this setting in SmartConsole:

Step Instructions

1 In the top left corner, click Menu > Global properties > Security Management
Access.

2 Select or clear Improve product experience by sending data to Check Point.

3 Click OK.

4 Close the SmartConsole.

5 Connect with SmartConsole to your Management Server.

6 Install the Access Control Policy.

To learn more, see sk94509.

Note - In some cases, the download process sends a minimal amount of required
data about your Check Point installation to the Check Point User Center.

Installation and Upgrade Guide R81 | 691

 Glossary

Glossary
A

Anti-Bot
Check Point Software Blade on a Security Gateway that blocks botnet behavior and
communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.

Anti-Spam
Check Point Software Blade on a Security Gateway that provides comprehensive
protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS,
ASPAM.

Anti-Virus
Check Point Software Blade on a Security Gateway that uses real-time virus signatures
and anomaly-based protections from ThreatCloud to detect and block malware at the
Security Gateway before users are affected. Acronym: AV.

Application Control
Check Point Software Blade on a Security Gateway that allows granular control over
specific web-enabled applications by using deep packet inspection. Acronym: APPI.

Audit Log
Log that contains administrator actions on a Management Server (login and logout,
creation or modification of an object, installation of a policy, and so on).

Bridge Mode
Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.

Clean Install
Installation of a Check Point Operating System from scratch on a computer.

Installation and Upgrade Guide R81 | 692

 Glossary

Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.

Cluster Member
Security Gateway that is part of a cluster.

Compliance
Check Point Software Blade on a Management Server to view and apply the Security
Best Practices to the managed Security Gateways. This Software Blade includes a
library of Check Point-defined Security Best Practices to use as a baseline for good
Security Gateway and Policy configuration.

Content Awareness
Check Point Software Blade on a Security Gateway that provides data visibility and
enforcement. Acronym: CTNT.

CoreXL
Performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.

CoreXL Firewall Instance

On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple
times. Each replicated copy, or firewall instance, runs on one processing CPU core.
These firewall instances handle traffic at the same time, and each firewall instance is a
complete and independent firewall inspection kernel. Synonym: CoreXL FW Instance.

CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming
traffic from the network interfaces; Securely accelerating authorized packets (if
SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel
instances (SND maintains global dispatching table, which maps connections that were
assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall
instances is statically based on Source IP addresses, Destination IP addresses, and the
IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick
to a particular FWK daemon is done at the first packet of connection on a very high level,
before anything else. Depending on the SecureXL settings, and in most of the cases, the
SecureXL can be offloading decryption calculations. However, in some other cases,
such as with Route-Based VPN, it is done by FWK daemon.

Installation and Upgrade Guide R81 | 693

 Glossary

CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can
automatically update Check Point products for the Gaia OS, and the Gaia OS itself.

DAIP Gateway
Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway, on which the
IP address of the external interface is assigned dynamically by the ISP.

Data Loss Prevention

Check Point Software Blade on a Security Gateway that detects and prevents the
unauthorized transmission of confidential information outside the organization. Acronym:
DLP.

Data Type
Classification of data in a Check Point Security Policy for the Content Awareness
Software Blade.

Database Migration
Process of: (1) Installing the latest Security Management Server or Multi-Domain Server
version from the distribution media on a separate computer from the existing Security
Management Server or Multi-Domain Server (2) Exporting the management database
from the existing Security Management Server or Multi-Domain Server (3) Importing the
management database to the new Security Management Server or Multi-Domain Server
This upgrade method minimizes upgrade risks for an existing deployment.

Distributed Deployment
Configuration in which the Check Point Security Gateway and the Security Management
Server products are installed on different computers.

Dynamic Object
Special object type, whose IP address is not known in advance. The Security Gateway
resolves the IP address of this object in real time.

Installation and Upgrade Guide R81 | 694

 Glossary

Endpoint Policy Management

Check Point Software Blade on a Management Server to manage an on-premises
Harmony Endpoint Security environment.

Expert Mode
The name of the elevated command line shell that gives full system root permissions in
the Check Point Gaia operating system.

Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.

Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restricted shell (role-based administration controls the number of commands
available in the shell).

Gaia Portal
Web interface for the Check Point Gaia operating system.

Hotfix
Software package installed on top of the current software version to fix a wrong or
undesired behavior, and to add a new behavior.

HTTPS Inspection
Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets
Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection.
Acronyms: HTTPSI, HTTPSi.

Installation and Upgrade Guide R81 | 695

 Glossary

ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.

Identity Awareness
Check Point Software Blade on a Security Gateway that enforces network access and
audits data based on network location, the identity of the user, and the identity of the
computer. Acronym: IDA.

Identity Logging
Check Point Software Blade on a Management Server to view Identity Logs from the
managed Security Gateways with enabled Identity Awareness Software Blade.

Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.

IPS
Check Point Software Blade on a Security Gateway that inspects and analyzes packets
and data for numerous types of risks (Intrusion Prevention System).

IPsec VPN
Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and
Remote Access VPN access.

Jumbo Hotfix Accumulator

Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.

Kerberos
An authentication server for Microsoft Windows Active Directory Federation Services
(ADFS).

Installation and Upgrade Guide R81 | 696

 Glossary

Log Server
Dedicated Check Point server that runs Check Point software to store and process logs.

Logging & Status

Check Point Software Blade on a Management Server to view Security Logs from the
managed Security Gateways.

Management Interface
(1) Interface on a Gaia Security Gateway or Cluster member, through which
Management Server connects to the Security Gateway or Cluster member. (2) Interface
on Gaia computer, through which users connect to Gaia Portal or CLI.

Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security
Management Server.

Manual NAT Rules

Manual configuration of NAT rules by the administrator of the Check Point Management
Server.

Migration
Exporting the Check Point configuration database from one Check Point computer and
importing it on another Check Point computer.

Mobile Access
Check Point Software Blade on a Security Gateway that provides a Remote Access VPN
access for managed and unmanaged clients. Acronym: MAB.

Multi-Domain Log Server

Dedicated Check Point server that runs Check Point software to store and process logs
in a Multi-Domain Security Management environment. The Multi-Domain Log Server
consists of Domain Log Servers that store and process logs from Security Gateways that
are managed by the corresponding Domain Management Servers. Acronym: MDLS.

Installation and Upgrade Guide R81 | 697

 Glossary

Multi-Domain Server
Dedicated Check Point server that runs Check Point software to host virtual Security
Management Servers called Domain Management Servers. Synonym: Multi-Domain
Security Management Server. Acronym: MDS.

Network Object
Logical object that represents different parts of corporate topology - computers, IP
addresses, traffic protocols, and so on. Administrators use these objects in Security
Policies.

Network Policy Management

Check Point Software Blade on a Management Server to manage an on-premises
environment with an Access Control and Threat Prevention policies.

Open Server
Physical computer manufactured and distributed by a company, other than Check Point.

Provisioning
Check Point Software Blade on a Management Server that manages large-scale
deployments of Check Point Security Gateways using configuration profiles. Synonyms:
SmartProvisioning, SmartLSM, Large-Scale Management, LSM.

QoS
Check Point Software Blade on a Security Gateway that provides policy-based traffic
bandwidth management to prioritize business-critical traffic and guarantee bandwidth
and control latency.

Installation and Upgrade Guide R81 | 698

 Glossary

Rule
Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause
specified actions to be taken for a communication session.

Rule Base
All rules configured in a given Security Policy. Synonym: Rulebase.

SecureXL
Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that
passes through a Security Gateway.

Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and
enforce Security Policies for connected network resources.

Security Management Server

Dedicated Check Point server that runs Check Point software to manage the objects and
policies in a Check Point environment within a single management Domain. Synonym:
Single-Domain Security Management Server.

Security Policy
Collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.

SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over SSL,
for secure communication. This authentication is based on the certificates issued by the
ICA on a Check Point Management Server.

SmartConsole
Check Point GUI application used to manage a Check Point environment - configure
Security Policies, configure devices, monitor products and events, install updates, and
so on.

Installation and Upgrade Guide R81 | 699

 Glossary

SmartDashboard
Legacy Check Point GUI client used to create and manage the security settings in
versions R77.30 and lower. In versions R80.X and higher is still used to configure
specific legacy settings.

SmartProvisioning
Check Point Software Blade on a Management Server (the actual name is
"Provisioning") that manages large-scale deployments of Check Point Security
Gateways using configuration profiles. Synonyms: Large-Scale Management,
SmartLSM, LSM.

SmartUpdate
Legacy Check Point GUI client used to manage licenses and contracts in a Check Point
environment.

Software Blade
Specific security solution (module): (1) On a Security Gateway, each Software Blade
inspects specific characteristics of the traffic (2) On a Management Server, each
Software Blade enables different management capabilities.

Standalone
Configuration in which the Security Gateway and the Security Management Server
products are installed and configured on the same server.

Threat Emulation
Check Point Software Blade on a Security Gateway that monitors the behavior of files in
a sandbox to determine whether or not they are malicious. Acronym: TE.

Threat Extraction
Check Point Software Blade on a Security Gateway that removes malicious content from
files. Acronym: TEX.

Updatable Object
Network object that represents an external service, such as Microsoft 365, AWS, Geo
locations, and more.

Installation and Upgrade Guide R81 | 700

 Glossary

URL Filtering
Check Point Software Blade on a Security Gateway that allows granular control over
which web sites can be accessed by a given group of users, computers or networks.
Acronym: URLF.

User Directory
Check Point Software Blade on a Management Server that integrates LDAP and other
external user management servers with Check Point products and security solutions.

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a computer
or cluster with virtual abstractions of Check Point Security Gateways and other network
devices. These Virtual Devices provide the same functionality as their physical
counterparts.

VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that provide
the functionality of physical network devices. It holds at least one Virtual System, which
is called VS0.

Zero Phishing
Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides
real-time phishing prevention based on URLs. Acronym: ZPH.

Installation and Upgrade Guide R81 | 701