R75 Installation and Upgrade Guide docx

DOCUMENT INFORMATION

Basic information

Format
Pages: 144
Size: 1.62 MB

Content

13 January 2011

R75 Installation and Upgrade Guide

© 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11648
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date                Description
13 January 2011     Improved Installation and Advanced Upgrade Procedures
15 December 2010    First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R75 Installation and Upgrade Guide).

Contents

Important Information
Introduction
Welcome
R75 Documentation
For New Check Point Customers
Getting Started
Downloading R75
Terminology
Multi-Domain Security Management Glossary
Compatibility Tables
Licensing
Software Licensing
Licensing Multi-Domain Security Management
Licensing SmartEvent
Installing
Installing Security Gateways, Security Management and Endpoint Security
Introduction
Installation on SecurePlatform
Installing SecurePlatform Using the DVD
Installing SecurePlatform using the CLI
Installing Gateway & Management Features
Installing Endpoint Security
Completing the Installation
Installation on Solaris or Linux
Installing Security Management servers
Installing Endpoint Security
Completing the Installation
Installation on IPSO
Installing the R75 Package
Initial Configuration
Installation on Windows
Installing Gateway & Management Features
Installing Endpoint Security
Completing the Installation
Post-Installation Configuration
Logging In for the First Time
Where to Go From Here
Installing Multi-Domain Security Management
Multi-Domain Security Management Overview
Basic Architecture
Multi-Domain Security Management Glossary
Creating the Multi-Domain Security Management Environment
Setting Up Multi-Domain Security Management Networking
Installing the Gateways
Installing a Multi-Domain Server
Installing SmartConsole and SmartDomain Manager Clients
Using the SmartDomain Manager for the First Time
Launching the SmartDomain Manager
Managing Licenses Using SmartUpdate
Adding Licenses using the SmartDomain Manager
Demo Mode
Where To From Here?
Installing SmartEvent and SmartReporter
SmartEvent and SmartReporter Planning
Standalone Deployment
Distributed Deployment
Log Server Configuration
Security Management Server Configuration
SmartEvent and SmartReporter Configuration
Multi-Domain Security Management Deployment
Log Server Configuration
Defining Log Servers as Global Servers
Defining the Reporting or SmartEvent Server as a Local Server
Installing SmartEvent Intro
SmartEvent Intro Planning
Standalone Deployment
Distributed Deployment
Multi-Domain Security Management Deployment
Installing Mobile Access
Mobile Access Overview
Mobile Access Installation
The Mobile Access Wizard
Step 1: Configure a Web Application
Step 2: Configure Authorized Users
The Mobile Access Wizard is Complete
Results of Enabling Mobile Access
Upgrading from Connectra to Mobile Access
Installing and Configuring DLP
DLP and Privacy
DLP Requirement Notes
Installing the DLP gateway
Configuring SecurePlatform using the WebUI
Configuring SecurePlatform using the CLI
Where To From Here?
Installing IPS-1 Sensors
Overview of IPS-1
IPS-1 System Architecture
IPS-1 Sensor Deployment
Installing and Configuring IPS-1 Sensors
Installing IPS-1 Sensors with SecurePlatform
Configuring IPS-1 Sensors
Post-Configuration Steps
Where To From Here?
Upgrading
Introduction to the Upgrade Process
Contract Verification
Terminology
Upgrade Tools
Upgrading Successfully
Service Contract Files
Introduction
Working with Contract Files
Installing a Contract File on Security Management server
On a Windows Platform
On SecurePlatform, Linux, and Solaris
On IPSO
Installing a Contract File on a Gateway
On a Windows Platform
On SecurePlatform
On IPSO
Managing Contracts with SmartUpdate
Managing Contracts
Updating Contracts
Upgrading a Distributed Deployment
Overview to Upgrading a Distributed Deployment
Using the Pre-Upgrade Verification Tool
The pre_upgrade_verifier command
Action Items
Web Security License Enforcement
Upgrading Products on SecurePlatform
UTM-1 Edge Gateways Prior to Firmware Version 7.5
Enabling Policy Enforcement
Upgrading the Security Management Server
Using the Pre-Upgrade Verification Tool
Security Management Server Upgrade - SecurePlatform
Security Management Server Upgrade - IPSO
Security Management Server Upgrade on Windows Platforms
Security Management Server Upgrade on Solaris
Security Management Server Upgrade on Solaris
Upgrading Security Gateways
Upgrading a Cluster Deployment
Upgrading Gateways using <smartu>
Gateway Upgrade on SecurePlatform
Gateway Upgrade on a UTM-1/Power-1 Appliance
Gateway Upgrade on an IP Appliance
Gateway Upgrade Process on a Windows Platform
Backup and Revert for Security Gateways
Introduction
Backing Up Your Current Deployment
Restoring a Deployment
SecurePlatform Backup and Restore Commands
Backup
Restore
SecurePlatform Snapshot Image Management
Snapshot
Revert
Reverting to Your Previous Deployment
To an Earlier Version on SecurePlatform
To an Earlier Version on an IP Appliance
To an Earlier Version on a Windows Platform
To an Earlier Version on a Solaris Platform
To an Earlier Version on a Linux Platform
ICA Considerations
Upgrading a Standalone Deployment
Introduction
Pre-Upgrade Considerations
Upgrading Products on a SecurePlatform Operating System
Reverting to Your Previous Software Version
Using the Pre-Upgrade Verification Tool
Standalone Security Gateway Upgrade on a Windows Platform
Uninstalling Packages
Standalone Security Gateway Upgrade on SecurePlatform
Uninstalling Packages
Standalone Gateway Upgrade on an IPSO Platform
Standalone Upgrade on a UTM-1/Power-1 Appliance
Uninstalling Packages
Advanced Security Management Server Upgrade
Overview
Before Advanced Upgrade
After Advanced Upgrade
Prerequisites
Upgrade Workflow
General Workflow
Platform-Specific Procedures
Upgrading a Secondary Security Management Server
Migrating to a Computer with a Different IP Address
SmartReporter Advanced Upgrade
Using the Pre-Upgrade Verification Tool
The pre_upgrade_verifier command
Action Items
Migrate Command Reference
Upgrading ClusterXL Deployments
Tools for Gateway Upgrades
Planning a Cluster Upgrade
Permanent Kernel Global Variables
Ready State During Cluster Upgrade/Rollback Operations
Upgrading OPSEC Certified Third-Party Cluster Products
Minimal Effort Upgrade on a ClusterXL Cluster
Zero Downtime Upgrade on a ClusterXL Cluster
Supported Modes
Full Connectivity Upgrade on a ClusterXL Cluster
Understanding a Full Connectivity Upgrade
Supported Modes
Performing a Full Connectivity Upgrade
Upgrading SmartEvent and SmartReporter
Overview of Upgrading SmartEvent and SmartReporter
Upgrading SmartReporter
For Standalone Deployments
For Distributed Deployments
Advanced SmartReporter Upgrade
Enabling SmartEvent after Upgrading SmartReporter
Upgrading SmartEvent
Upgrading SmartEvent to R75
Enabling SmartReporter
Upgrading Multi-Domain Security Management
Multi-Domain Security Management Upgrade Overview
Upgrade Multi-Domain Security Management Tools
Pre-Upgrade Verifiers and Correction Utilities
Installation Script
Container2MultiDomain
Export
migrate export
cma_migrate
migrate_global_policies
Backup and Restore
Upgrade Best Practices
In-Place Upgrade
Exporting and Importing a Multi-Domain Server
Replicate and Upgrade
Gradual Upgrade to Another Computer
Migrating from Security Management to Domain Management Server
Upgrading a High Availability Deployment
Pre-Upgrade Verification and Tools
Upgrading a High Availability Deployment
Restarting Domain Management Servers
Restoring Your Original Environment
Before the Upgrade
Restoring Your Original Environment
Changing the Multi-Domain Server IP Address and External Interface
IP Address Change
Interface Change
IPS with Multi-Domain Security Management
Upgrading SmartLSM Security (ROBO) Gateways
Planning the ROBO Gateway Upgrade
ROBO Gateway Upgrade Package to SmartUpdate Repository
License Upgrade for a Security Gateway ROBO Gateway
Using SmartProvisioning to Attach the Upgraded Licenses
License Upgrade on Multiple ROBO Gateways
Upgrading a ROBO Gateway Using SmartProvisioning
Upgrading a Security Gateway ROBO Gateway
Upgrading a UTM-1 Edge ROBO Gateway
Upgrading a Security Gateway ROBO Gateway In Place
Using the Command Line Interface
SmartLSM Upgrade Tools
Upgrading a Security Gateway ROBO Gateway Using LSMcli
Upgrading a UTM-1 Edge ROBO Gateway Using LSMcli
Using the LSMcli in Scripts
Index

Chapter 1
Introduction

In This Chapter
Welcome
R75 Documentation
For New Check Point Customers

Welcome
Thank you for choosing Check Point software blades for your security solution. We hope that you will be satisfied with this solution and our support services.
Check Point products provide your business with the most up to date and secure solutions available today. Check Point also delivers worldwide technical services including educational, professional, and support services through a network of Authorized Training Centers, Certified Support Partners, and Check Point technical support personnel to ensure that you get the most out of your security investment.

To extend your organization’s growing security infrastructure and requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.

For additional information on the Internet Security Product Suite and other security solutions, go to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, visit the Check Point Support center (http://supportcenter.checkpoint.com).

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.

R75 Documentation
This guide is intended for administrators responsible for installing and upgrading Check Point security products on the corporate network.
Technical documentation is available on your DVD. These documents can also be found at the Check Point Support Center (http://supportcenter.checkpoint.com).
To find out about what's new in R75, refer to the R75 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11647).
For New Check Point Customers
New Check Point customers can access the Check Point User Center (http://usercenter.checkpoint.com) to:
- Manage users and accounts
- Activate products
- Get support offers
- Open service requests
- Search the Technical Knowledge Base

Chapter 2
Getting Started

This chapter contains information and terminology related to installing R75. Before you install or upgrade to R75, you must read the R75 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11647).

In This Chapter
Downloading R75
Terminology
Multi-Domain Security Management Glossary
Compatibility Tables
Licensing

Downloading R75
You can get the R75 software in the official media pack, or you can download the software images from the Support Center (http://supportcenter.checkpoint.com).
- The media pack includes DVDs that can install on any supported operating system.
- The Support Center includes different DVD images for each operating system.
- To use a DVD image from the Support Center, download a DVD image and burn it to a DVD.

Terminology
These terms are used throughout this chapter:
- Distributed Deployment: When the gateway and the Security Management server are installed on separate machines.
- Gateway: The software component that enforces the organization's security policy and acts as a security enforcement point.
- Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.
- Security Management server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the Security Management server and downloaded to the gateway.
- SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
- SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.
- Standalone Deployment: When Check Point components responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.

[...]

... Package window and click Apply.
5. Click the Click here to install/upgrade link to continue with the installation.
6. In the Package Installation and Upgrade pane, select Install and then click Apply.
7. Click the Install Package branch in the Voyager tree to see the installation progress.
8. Go to the Manage Packages page.

...

Installation section
1. If the Endpoint Security Server Installation screen appears, click Next. The server type selection is done later in this procedure.
2. Select Standalone Installation or Distributed Installation:
   - Standalone Installation: Endpoint Security and the management server (Security Management server or Multi-Domain Security Management) are installed on the same computer.
   - Distributed Installation: ...

This Chapter
Introduction
Installation on SecurePlatform
Installation on Solaris or Linux
Installation on IPSO
Installation on Windows
Post-Installation Configuration
Logging In for the First Time
Where to Go From Here

Introduction
Check Point software runs on many platforms and pre-configured appliances. Each installation differs depending on the product and the platform. There...

options:
- New installation
- Installation using imported configuration
Click Next.
6. If you selected Installation using imported configuration, select the location of the imported configuration file and click Next.
   a) Select an option for obtaining the latest upgrade utilities and click Next.
   b) Go to step 10.
   For more information, see Advanced Upgrade on a Windows Platform.
7. If you selected New Installation, ...
to continue.
Read and accept the terms of the End User License Agreement.
Select New Installation and press N to continue.
Select the products to install and press N to continue.
If you selected Security Management Server, select one of these options and press N to continue:
- Installation as a primary Security Management Server
- Installation as a secondary Security Management Server
- Installation as...

c) Rerun the installation program and scroll through the configuration screens until you get to this step.
10. Press Enter to continue.
11. Continue with the Completing the Installation procedure ("Completing the Installation" on page 18).

Completing the Installation
Follow the instructions on the screen to complete the installation. The steps that you do can be different, based on the products and features...

Installation on Windows

Installing Gateway & Management Features
To Install R75 on a Windows platform:
1. Log in to Windows using Administrator credentials.
2. Put the installation DVD in the drive. The installation wizard starts automatically.
3. Click Next in the Thank you window.
4. Accept the terms of the License Agreement and click Next.
5. Select one of these installation...

(http://supportcontent.checkpoint.com/documentation_download?ID=11647)
You can manage VSX R67 using R75 SmartConsole and R75 SmartDomain Manager.
Note - You must install, configure and activate the TCP/IP network protocol before you run the installation program.

Installation on SecurePlatform
In this section:
Installing SecurePlatform Using the DVD
Installing SecurePlatform...
If you selected New Installation, select the installation type:
- Typical - includes two options:
  - Security Management and SmartConsole - Installs and automatically configures Security Management, SmartReporter, Correlation Unit and SmartConsole. This is the standard distributed deployment.
  - Security Management, Security Gateway and SmartConsole - Installs and automatically configures Security Management,...

Date posted: 08/08/2014, 06:20
