This procedure describes how to reset the SIC on the entire VAP group, as well as how to reset it on individual VAPs.

Resetting SIC on a VAP group

Run 'show ap-vap-mapping' to display the relationship between applications and APMs:

hpasabcal5300f101# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP2     3     Active  1.1.2.101       VSX        1      false
AP3     4     Active  1.1.2.102       VSX        2      true
AP4     5     Active  1.1.2.103       VSX        3      false
(3 rows)

Perform this procedure through the CBS CLI for the VAP group.
My team manages a dozen Check Point firewall HA clusters (plus several SMS and dedicated logging servers) on R77.30 and we are in the process of upgrading all of them to R80. This has been quite an ordeal over the past couple months. We have several cases open with TAC regarding database conversion issues for the SMS, despite passing the pre-upgrade verifier. Our initial success rate has been 20% so far.
TAC and R&D have told me that the in-place upgrade from R77.30 'isn't recommended' and they have seen large volumes of problems related to it. Their recommendation has been to do an advanced upgrade (migrate export, import on new R80 SMS). We have had limited success using either method. Our tickets are currently sitting with R&D as they're looking into potential bugs.

So, how are your R80 migrations going?
Full disclosure before we go further, I am a Check Point SE. I'm glad to hear that you're moving to R80.20; the new Linux kernel is going to do a lot of great things for the technology and the amount of traffic your existing hardware can support. There were some difficulties in going from R77.X to R80 when it first came out, but those have been resolved in the R80.10 and R80.20 releases. We have been doing CheckMates User Group meetings all over the world showcasing in-place upgrades, so the whole 'not recommended' thing isn't accurate. Not that I'm saying that someone from TAC didn't tell you that, but I want you to understand that we do these upgrades daily. Personally, I like the fresh install method with a migrate export. I've never seen it, but I have heard about custom hotfixes causing issues with the upgrade. I do have a few questions and I can do my best to assist if you'd like. Are you running any open servers? If so, have you looked to see if we have added these servers to the HCL for R80.20?
We have to qualify all of the hardware to make sure that we've got the drivers required to support these servers. Have you asked your account SE to review the pre-upgrade verifier report? Like mentioned, there are some legacy objects and blades that need to be adjusted before we make the transition. Finally, how long have the tickets been open and how long have they been sitting with R&D? Have you pulled your Check Point account team in to see if they can get anything escalated and provide you with updates on the status? Feel free to message me if you don't want to get into details.
This may not be the response you were looking for, but the experiences you are having with both upgrade methods are not what the majority of the Check Point community making these migrations is experiencing.

The first SMS in-place upgrade from R77.30 to R80.20 went horribly wrong.
The upgrade said it completed successfully but we could no longer push policy due to an error. We had to open a TAC case and it was determined that the database got corrupted during the in-place upgrade.
Eventually I was told by a tier 3 TAC engineer that the in-place upgrade is 'supported', but 'not recommended.' They said the first question R&D asks is if an advanced upgrade (migrate export, import to new R80 SMS) was performed because the in-place upgrade has so many issues. We do not have any custom hotfixes and we ran the pre-upgrade verifier prior to the upgrade, which came back clean and stated we could perform the upgrade.

Went from R77.30 to R80.10 recently. A few issues, but nothing terrible. I did have to open a TAC case about a few issues, one involving R&D, but all have since been resolved. I've seen several people, some being Check Point employees, suggest that an in-place upgrade is 'not recommended'. That directly contradicts what is written in Check Point documentation, not really sure what's up with that. I did however do an in-place upgrade.
I did read that a fresh install is recommended, if possible, when going to R80.20 because of the new file system. I might go that route when I get to that point.

I've done a handful and they've all been successful, just ensure that you budget double the time. Make sure you run the upgrade verifier ahead of time. Don't do an in-place upgrade if you can avoid it, or if you do, ensure you have a snapshot and/or externally copied migrate export. The biggest issue I have found is with the way that application control applies now: if you have an explicit deny rule at the bottom of your application control/URL filtering policy you may find that some stuff is now dropped where before it was allowed, so be prepared to make on-the-fly changes there.

Have done many (several each week mostly) upgrades to R80.10 and R80.20 this year (Management and Gateways) in different customer environments. I have had very few issues, but have been working with Check Point as a consultant for 17 years, every day.
(Started at 4.0/4.1 on Solaris/IPSO, but nowadays mostly on Gaia Open Server and CP Appliances. I try to stay clear of Embedded Gaia, especially 600, 700, 1100, maybe 1400s for small remote offices where cost is a big issue.)

Tips:
- Install a replica of your current SmartCenter in a VMware lab.
- Run the pre-upgrade verifier and fix all the issues.
- Use the 'dbencoding.txt' if you have any unicode characters etc. in the comments etc.
- Upgrade in a lab and do an export (or do an R80.x migration tools export on this management after all the pre-upgrade issues are fixed).
- Always, always, always fresh-install the new R80.x Management and import. Never ever ever do in-place upgrades. Unless you of course like long TAC cases and problems :-)
- Did I mention NEVER do in-place production upgrades of the Management? :)
- Do NOT undersize your new Management VM. I would never run under 16GB RAM for a small deployment.
Most installs are 32GB+ RAM, 4+ CPU cores, putting it on fast SAN disks. The R80.x Management is thirsty but works so much better when you don't undersize it.
- If you have a lot of gateways/much logging, consider splitting logging to a dedicated Log Server and decide if you maybe also should split SmartEvent into yet another server to give even better performance than running everything on a single server/on the Log Server itself. It's of course a cost issue, but it costs premium to get premium.

If you are using old (legacy, crappy) DHCP services, definitely consider changing to 'new services' when doing the gateway migrations. DHCP Relay is so much more stable running 'new services'.

My gateway upgrades from R77.x to R80.10 are probably around 90+% success rate, unless you have special portfixes on R77.x; uninstall these first or do a fresh install (Blink tool or Isomorphic is great for this).
The R77.x to R80.10 gateway upgrade is the best upgrade procedure ever in my experience. First time I can confidently recommend a customer to do a gateway upgrade and not reinstall :-).

You can migrate export the database from the hardware to the VM, perform the upgrade test there or whatever you feel like doing. You can also take a snapshot through the Gaia web portal or CLISH and export it off the box as a TGZ file (like a mirror of the disk), so if your upgrade in the VM worked but fails on the hardware you can re-upload the snapshot back on the hardware and revert it.

I won't say 'recommended' because doing a few of these in the wild the advanced upgrade has worked with the best results.
Well, I ran the pre-upgrade verifier today and apparently LSV profiles are not supported on R80.20. This is both according to the PUV and SK117159. 'Support for this feature is planned soon'. But they already announced support will end in September. Great work, Check Point! I can't believe people are paying for this shit.
I'm so ditching it first chance I get. Support could not answer this very basic question, and our local representatives told us it is supported. Yay, good information too.