1 Provider-1™ NGX R65 License Upgrade Guide Release Notes February 28, 2007 In This Document Overview It is highly recommended to upgrade all Provider-1™/SiteManager-1™ NG licenses to NGX R65 licenses before upgrading software. Provider-1/SiteManager-1 NGX R65 with licenses from previous versions will not function. Licenses for versions prior to NG cannot be upgraded directly to NGX R65. In such a case, you must first upgrade to NG and then upgrade the licenses from NG to NGX R65 licenses. This document will describe the steps required for upgrading Provider-1/SiteManager-1 licenses to NGX R65, as part of the software Upgrade procedure. Software Subscription Requirements The license upgrade procedure is available to purchasers of any of the Enterprise Software Subscription services. License upgrade will fail for products and accounts for which you do not have software subscription. You can see the exact products and accounts for which you have software subscription by looking in your User Center account. Overview page 1 Before You Begin page 2 Supported Versions for Upgrade page 2 pv1_license_upgrade page 2 license_upgrade page 3 Provider-1 License Upgrade Flow for an MDS Server with Internet Connection page 4 License Upgrade for a Single CMA page 10 Before You Begin Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 2 In the Accounts page, Enterprise Contract column, and in the Products page, Subscription and Support column, if the account or product is covered, the expiration date is shown. Otherwise, the entry says Join Now, with a link that accesses a quote for purchasing Enterprise Support. You can purchase an Enterprise Software Subscription for the whole account, in which case all the products in the account will be covered, or you can purchase an Enterprise Software Subscription for individual products. Before You Begin Before performing a Provider-1/SiteManager-1 license upgrade, it is recommended that you check http://www.checkpoint.com/techsupport/ngx/license_upgrade.html for up to date information and downloads regarding the NGX R65 license upgrade. Supported Versions for Upgrade For the latest information about supported versions, refer to the NGX R65 Release Notes. If your current installation cannot be upgraded directly to NGX R65, you should first upgrade to either R55 or VSX NG AI R2 for VSX installations. pv1_license_upgrade The pv1_license_upgrade command line tool is used to perform license upgrade for Provider-1. When the tool is run on the MDS, upgraded licenses are obtained from the Check Point User Center Web site for the MDS and for all the CMAs on the MDS. This tool makes it simple to automatically upgrade licenses without having to do so manually through the User Center. The pv1_license_upgrade tool is located in: • Provider-1 NGX R65 CD at: <platform>/LicenseUpgrade/ • NGX R65 installation at: /opt/CPmds-R62/system/license_upgrade/ It is recommended that you check http://www.checkpoint.com/techsupport/ngx/license_upgrade.html for up to date information and downloads regarding the NGX R65 license upgrade. license_upgrade Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 3 license_upgrade The license_upgrade command line tool is used to perform license upgrade for a single CMA. This is the same tool as that used to perform a license upgrade in SmartCenter environments. The license_upgrade tool is located in: • Provider-1 NGX R65 CD at: <platform>/LicenseUpgrade/ • NGX R65 installation at: /opt/CPmds-R62/system/license_upgrade/ It is recommended that you check http://www.checkpoint.com/techsupport/ngx/license_upgrade.html for up to date information and downloads regarding the NGX R65 license upgrade. Running the licence_upgrade command line tool displays a menu with a number of options. To see all the options, run: license_upgrade . License Upgrade Tool Options Table 1 Option Definition [L] View the licenses installed on your machine. [S] Sends existing licenses to the User Center Web site to simulate the license upgrade in order to verify that it can be performed. A real upgrade is not performed and new licenses are not returned. [U] Sends existing licenses to the User Center Web site to perform an upgrade (by default, in online mode) and installs them on the machine. [C] Reports whether or not there are licenses on the machine that need to be upgraded. [O] Performs a license upgrade on a license file that was generated on a machine with no Internet access to the User Center. [V] Enables you to view a log of the last license upgrade or the last upgrade simulation. Provider-1 License Upgrade Flow for an MDS Server with Internet Connection Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 4 Provider-1 License Upgrade Flow for an MDS Server with Internet Connection Verify whether a license upgrade is required by running the console command pv1_license_upgrade status . For detailed information refer to License Upgrade of the Entire System prior to a Software Upgrade page 5. License Upgrade of the Entire System prior to a Software Upgrade Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 5 License Upgrade of the Entire System prior to a Software Upgrade If a license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. In This Section Before Upgrading Licenses 1. Copy the pv1_license_upgrade and l icense_upgrade tools and the clic executable to the MDS version NG machine. These tools are located in the following directories and should be saved in the same location on the MDS version NG machine: • Provider-1 NGX R65 CD at: <platform>/LicenseUpgrade/ • NGX R65 installation at: /opt/CPmds-R62/system/license_upgrade/ It is recommended that you check http://www.checkpoint.com/techsupport/ngx/license_upgrade.html for up to date information and downloads regarding the NGX R65 license upgrade. 2. To run the pv1_license_upgrade tool, please make sure you have root permissions, and that you are in an MDS environment. In order to switch to MDS environment run: mdsenv . 3. Verify whether a license upgrade is required by running the console command pv1_license_upgrade status . This step reports whether or not there are licenses on the machine that need to be upgraded. Before Upgrading Licenses page 5 Upgrade Licenses page 6 After Completing the License Upgrade Process page 8 Upgrade Licenses Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 6 Upgrade Licenses 4. When upgrading a license you must perform different steps when an MDS has Internet connectivity and when an MDS does not have Internet connectivity. When an MDS machine has Internet connectivity: Run the following command line tool on the MDS. On SecurePlatform, you must be in expert mode. • If the MDS is directly connected to the Internet run: pv1_license_upgrade upgrade . • If the MDS is connected to the Internet via a proxy run pv1_license_upgrade upgrade -y <proxy:port> -w <user_name:pwd> . The proxy port number is optional. Username and password (if any) are intended for the proxy machine. This step performs the following: • Collects all the licenses that exist on the MDS machine. • Verifies that all licenses can be upgraded, both for MDS and CMAs. • Fetches updated licenses from the User Center. • Builds a temporary cache file containing the NGX R65 licenses. • Installs upgraded licenses for the MDS and CMAs. When an MDS machine does not have Internet connectivity: 1. On the offline MDS, run the following command line tool: pv1_license_upgrade export -z <package_file> On SecurePlatform, run the command in expert mode. The export command packs all licenses on the machine, for all CMAs and the MDS into a single package file. 2. Copy the package file (containing the licenses) from the offline MDS to the online machine. The online machine does not need to be a Check Point-installed machine. 3. Copy the license_upgrade tool to the online machine and perform one of the following: • Run the license_upgrade line tool on the online machine: If the online machine is directly connected to the User Center, run: license_upgrade upgrade -i <input_file> -c <cache_file> Upgrade Licenses Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 7 If the online machine is connected to the User Center via a proxy, run: license_upgrade upgrade -y <proxy:port> -w <user_name:pwd> -i <input_file> -c <cache_file> Where <input_file> is the package file that is the result of the export operation. • Run the license_upgrade tool on the online machine (wizard mode): - Press [O] to run the upgrade operation in offline mode. - Enter the name of the exported file with the location of the package file that is the result of the export operation. - Enter the name of the file that will be created with all the upgraded licenses (cache file name). - Press [Y] when asked "Is this machine connected to the Internet?" . - Press [Y] if you are connected to the internet via a proxy and supply the proxy IP port and username password. - Press [N] if you are not connected via proxy and continue with the upgrade. - Enter the username and password of your User Center Account. This step fetches new licenses from the User Center and puts them in a cache file. 4. Copy the cache file (with the new licenses) back to the offline MDS machine. 5. Start the MDS in the root shell by running mdsenv mdsstart 6. Run the following command line on the offline MDS: pv1_license_upgrade import -c <cache_file> Where <cache_file> is the file that is the result of the upgrade operation performed on the online machine. As a result, the new CMA and MDS licenses are imported to the MDS. After Completing the License Upgrade Process Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 8 After Completing the License Upgrade Process 5. Review the log files from the online machine and the offline machine. When running the pv1_license_upgrade tool the log files are located under $FWDIR/log/<operation_name>/ , where operation name can be upgrade, import, export, status, or simulate. When running the license upgrade tool the log files are located under: $CPDIR/log . This log file is generated for the last operation performed. Note: • License upgrade will fail for products and accounts for which you do not have software subscription. • License upgrade will fail for evaluations. • The following MDS Pro Add-ons are not supported via the pv1_license_upgrade tool: Table 2 Pro Add-Ons for MDS Customer Version Part Number 10 NG CPPR-PRO-10-NG 25 NG CPPR-PRO-25-NG 50 NG CPPR-PRO-50-NG 100 NG CPPR-PRO-100-NG 200 NG CPPR-PRO-200-NG 250 NG CPPR-PRO-250-NG Table 3 LS for Pro Add-Ons for MDS Customer Version Part Number 10 NG LS-CPPR-PRO-10-NG 25 NG LS-CPPR-PRO-25-NG 50 NG LS-CPPR-PRO-50-NG 100 NG LS-CPPR-PRO-100-NG 200 NG LS-CPPR-PRO-200-NG 250 NG LS-CPPR-PRO-250-NG After Completing the License Upgrade Process Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 9 To upgrade Pro Add-on licenses: a) Save the following information: * Log Files generated by the tool. The location of the files is printed to the screen when running the pv1_license_upgrade tool. For example, when running pv1_license_upgrade upgrade , part of the output appears as follows: See details in log files: - Upgrade operation logs can be viewed at: /opt/CPmds-R62/log/upgrade/license_upgrade.log - Import operation logs can be viewed at: /opt/CPmds-R62/log/import/license_upgrade.log - Detailed log of the license upgrade tool can be viewed at: /opt/CPmds-R62/log/pv1_license_upgrade.log * Cache file - $CPDIR/conf/lic_cache.C . This file is generated when running pv1_license_upgrade upgrade. b) Contact Account Services at US +1 817 606 6600, option 7. Or, e-mail AccountServices@ts.checkpoint.com , and provide them with the above information. • The Standby CMA repository can not be updated. The Standby CMA repository is in a read only mode. Therefore, it is impossible to see the updated licenses in the SmartUpdate View until the two HA CMAs are synchronized. 6. If the license upgrade fails for only one CMA, it is possible to perform license_upgrade on a single CMA. (refer to License Upgrade for a Single CMA page 10 for more details). 7. Perform the software upgrade to NGX R65 on the MDS Manager, MDS Container, and the MDG. 8. Start the MDS by running mdsenv mdsstart 9. To verify that all the CMAs are running, run: mdsenv mdsstat 10. Run the following command line tool at the MDS: pv1_license_upgrade import -c <cache file name> License Upgrade for a Single CMA Provider-1 NGX R65 License Upgrade Guide. Last Update — February 28, 2007 10 The default cache file location is $CPDIR/conf/lic_cache.C . This step imports the NGX R65 licenses from the cache file to the CMA Repositories of every CMA. 11. Perform the software upgrade to NGX R65 on the enforcement module machine(s). This step is optional since NGX R65 management can manage the NG version of enforcement points. 12. Connect to the MDS using the MDG SmartUpdate component, and for each CMA, delete all obsolete licenses from NGX R65 gateways. (Optional) 13. In an MDS HA environment, as an alternative to running pv1_license_upgrade upgrade on all MDSs, you can use the cache file generated on one MDS, on other MDSs, by copying it to the other MDSs and running: pv1_license_upgrade import -c <cache file name> This step imports the NGX R65 licenses from the cache file to the CMA Repositories of every CMA. License Upgrade for a Single CMA In This Section Before Upgrading Licenses 1. Copy the pv1_license_upgrade and the license_upgrade tools and the clic executable to the MDS version NG machine. These tools are located in the following directories and should be saved in the same location on the MDS version NG machine: • Provider-1 NGX R65 CD at: <platform>/LicenseUpgrade/ • NGX R65 installation at: /opt/CPmds-R62/system/license_upgrade/ It is recommended that you check http://www.checkpoint.com/techsupport/ngx/license_upgrade.html for up to date information and downloads regarding the NGX R65 license upgrade. 2. At the MDS machine, please make sure you have root permissions and that you are in a single CMA environment. To switch to the CMA environment run: mdsenv <cma_name> . Before Upgrading Licenses page 10 Upgrade Licenses page 11 After Completing the License Upgrade Process page 13 [...]... the offline target machine: license_ upgrade export -z • From the menu of options select: - Press [U] to run the upgrade operation - Press [N] to specify that you don't have an internet connection Provider-1 NGX R65 License Upgrade Guide Last Update — February 28, 2007 11 Upgrade Licenses - Press [E] to copy the licenses to a license file - Enter the name of the license package file that... machine: license_ upgrade import -c • Run the license_ upgrade tool on the offline machine (wizard mode) - Press [U] to run the Upgrade operation - Press [N] when asked "Is this machine connected to the Internet?" - Press [I] to import the output file with all the upgraded licenses back to the SmartCenter - Enter the cache file name with all the upgraded licenses This step imports the NGX R65 licenses... via proxy and continue with the upgrade • Enter the username and password of your User Center Account This step fetches new licenses from the User Center and puts them in a cache file 5 Copy the cache file (with the new CMA licenses) to the offline target machine Provider-1 NGX R65 License Upgrade Guide Last Update — February 28, 2007 12 After Completing the License Upgrade Process 6 Perform one of... the upgraded licenses This step imports the NGX R65 licenses from the cache file to the CMA repository After Completing the License Upgrade Process 4 Please refer to step 5 in License Upgrade of the Entire System prior to a Software Upgrade page 5 Provider-1 NGX R65 License Upgrade Guide Last Update — February 28, 2007 13 ... continue with the upgrade - Enter the user and password of your User Center Account This step performs the following: • Collects all the licenses that exist on the CMA • Fetches updated licenses from the User Center • Installs an upgraded license for the CMA, and saves upgraded CMA Repository licenses on the CMA When an MDS machine does not have Internet connectivity: 1 Copy the licenses from this.. .Upgrade Licenses Upgrade Licenses 3 When upgrading a license you must perform different steps when an MDS has Internet connectivity and when an MDS does not have Internet connectivity When an MDS machine has Internet connectivity: Perform one of the following: • Run the following command at the MDS: - If the MDS machine is directly connected to the Internet run: license_ upgrade upgrade -... to the User Center, run: license_ upgrade upgrade -i -c • If the online machine is connected to the User Center via a proxy perform one of the following: - Run: license_ upgrade upgrade -y -w -i -c Where is the package file that is the result of the export operation - Run the license_ upgrade tool at the online... upgrade - If the MDS machine is connected to the Internet via a proxy run: license_ upgrade upgrade -y -w The proxy port number is optional Username and password (if any) are intended for the proxy machine • Run the license_ upgrade tool at the online machine (wizard mode): - Press [U] to perform a license upgrade - Press [Y] when asked "Is this machine connected to the Internet?"... package file that will be created - Press [Q] to quit the license upgrade tool This step packs all licenses on the machine into a single package file 2 Copy the output file package (containing the licenses) from the offline target machine to any online machine The online machine does not need to be a Check Point-installed machine 3 Copy the license_ upgrade tool to the online machine 4 Run the command line... Run the license_ upgrade tool at the online machine (wizard mode): • Press [O] to run the upgrade operation in offline mode • Enter the name of the exported file with the location of the package file that is the result of the export operation • Enter the name of the file that will be created with all the upgraded licenses (output file name) • Press [Y] when asked "Is this machine connected to the Internet?" . http://www.checkpoint.com/techsupport /ngx/ license_ upgrade. html for up to date information and downloads regarding the NGX R65 license upgrade. license_ upgrade Provider-1 NGX R65 License Upgrade. Upgrading Licenses page 10 Upgrade Licenses page 11 After Completing the License Upgrade Process page 13 Upgrade Licenses Provider-1 NGX R65 License Upgrade Guide.