Mistakes, corrections, suggestions, modifications to: rajeev@rajeevnet.com
Firewall-1 Upgrade Notes
(From version 4.0 to 4.1)
DISCLAIMER: This document is just a guideline for upgrading Check Point Firewall-1 from version 4.0 to 4.1. Please use this document at your own risk. The document contains the author's personal views and notes collected from other Check Point FW users and mailing lists. The author takes no responsibility for any damage or misconfiguration that occurs on your system as a result of following this document.
I follow the Check Point mailing list and see lots of questions about the upgrade process, bad experiences after the upgrade, etc. This document is written as a guideline to address some of those questions. Readers are encouraged to suggest modifications and additions to this document for the larger benefit of the firewall community. Many combinations of configurations are possible at different sites. This document is not a panacea for all sites, but it covers some basic questions and a methodology that may be helpful during the upgrade process.
Reason for Upgrade:
You all know. A new version of FW-1 gives you more features, many bug fixes and additional security features, and most of all your current version will not be supported one day in the future. If that is not sufficient, then from time to time follow links like the BlackHat briefings, bugtraq and the FW-1 mailing lists; they will scare you enough if you are taking security seriously.
LEGENDS: (Used in this document)
production box: Your current Management/Enterprise server, which contains all rulebases, firewall objects etc. It may also have a Firewall Module installed.
independent network: A separate network, cut off from your LAN, for the upgrade mock test.
upgrade box: The box on which you install and upgrade to the new Firewall version. It will finally replace the production box once the upgrade test is complete.
remote-fw: A remote Firewall module box that receives its security policy from the upgrade box.
new production box: The upgrade box after it replaces the old production box at the end of the final upgrade process.
Upgrade process: (4.0 to 4.1SP2, Management server, may contain FW module)
FOUR STEP PROCESS:
- REPLICATE YOUR EXISTING PRODUCTION ENVIRONMENT IN AN INDEPENDENT NETWORK.
- UPGRADE THE FIREWALL VERSION IN THE INDEPENDENT NETWORK.
- MOCK TEST YOUR UPGRADE IN THE INDEPENDENT NETWORK.
- AND ONE FINE DAY, PLAN FOR THE UPGRADE.
Obtain new licenses for FW-1 4.1. Old licenses for version 4.0 will not work with 4.1.
READ and UNDERSTAND the release notes that come with the FW-1 software. Check Point FW-1 release notes really contain useful information that will come in very handy to avoid many confusions after the upgrade process. Keep the FW-1 manual handy, as you may have to refer to it during the install/upgrade process.
DO NOT UPGRADE YOUR PRODUCTION BOX directly, especially a box with the management server installed. It is highly recommended that you obtain a box (the upgrade box) similar to your production enterprise/management server, install the latest OS and patches on that box, and tighten up that upgrade box for security reasons (visit Lance's web page).
Take the upgrade box off your LAN and give all its interfaces the same IP addresses as your current production server. REMEMBER to take the upgrade box off your LAN, otherwise an IP address conflict may happen with your current production management/FW server. In general, for the upgrade process it is better if you build an independent network like the one in Fig-1.
- Install Check Point FW-1 4.0 on the upgrade box (same version, SP etc. as your current production 4.0 FW box). Run fwconfig, select the appropriate product, and make your box ready to run the FW processes. Do not install a license at this time.
- Now take a snapshot of the running Firewall (management server) on your current production box. On UNIX boxes you can tar the following:
tar cvbf 20 ckp.tar /opt/CKPfw /opt/CKPfwgui /etc/fw /etc/fw.boot /var/opt/CKPfw
- The resulting tar file "ckp.tar" will contain all firewall files on the management server (which may contain the FW module also); this tarball also includes the current licenses, encryption keys, user database etc.
- The Check Point manual suggests a different upgrade process: make identical disks of your production management server, install them in another identical machine and upgrade Check Point FW there (possibly using dd on Unix or rawrite on Windows). But in that case, if you want to change the file system layout or make some fundamental changes to the OS layout, you may not be able to do so easily.
- Now copy "ckp.tar" from the production box to the upgrade box, FW-1 (Box A). Normally this requires your independent network to talk to your LAN if you are FTPing. I suggest simply changing the IP address (using ifconfig) of one of the FW-1 (Box A) interfaces to any unused IP address on your LAN and then connecting Box A to your internal LAN. (Be careful if you have multiple IP addresses on an interface using IP aliasing.) Alternatively you may want to burn the snapshot tar file "ckp.tar" onto a CDROM and transfer the file to Box A that way. The choice is all yours.
- On upgrade Box A, cd / (the root area) and untar ckp.tar. This will overwrite your existing FW-1 4.0 distribution and make your upgrade box (Box A) very similar to the current production box.
tar xvbf 20 ckp.tar (on the upgrade box)
- This copies the whole environment from the production box to the upgrade box (Box A), including licenses, encryption parameters, user database etc. Reboot the box after the untar process. Run fw printlic to check that the licenses are okay. If not, you can put your 4.0 licenses in again. Just to make sure, run fwconfig once more and exit.
- It would be nice to set up a test REMOTE-FW (Box C) in your independent network. Generally this REMOTE-FW should be equivalent to one of your remote site Firewall modules (if any); you may use any Unix/Nokia/NT or cheap Linux box and install the FW-1 module on it. (On Linux, only FW-1 version 4.1 and up are available.) In general it is best if you upgrade your remote FW modules to the latest version of the Firewall as well.
- If you are using SecuRemote, at this point you may want to test that too, before the upgrade. Hook up a Windows box with SecuRemote to the hub/router, give it any random IP address (possibly from the RFC1918 private IP address range, say 192.168.0.1) and try to access the internal IP address of Box A; in the SecuRemote window provide the username/password and see if it can authenticate with Box A (the upgrade box).
- If you are using S/Key, it is possible that at this time the SecuRemote window reports "User xyz not recognized by Firewall", even if you find the user in the user database GUI, and re-installing the user database won't help either. I suggest at this point simply dumping the user database (at the command line using fw dbexport -f /tmp/userdatabase), copying /tmp/userdatabase to /tmp/empty, editing /tmp/empty to keep only line 1 (the header line) and delete all other lines, and loading the blank user database /tmp/empty (fw dbimport -f /tmp/empty). Go to the FW GUI and click on "Install" (in the User database window). Now from the command line re-import the database with fw dbimport -f /tmp/userdatabase, go to the FW GUI and click on "Install" in the User database window again. Installing through the GUI seems to be necessary. This process will reset the S/Key count (if you are using it) and start from your last S/Key counting down. You may want to reboot at least once after this process; sometimes it is needed. I am not sure why I have to do the above, but it seems to work. If anybody knows better than this, let me know and I will include it in this document.
- Test your SecuRemote again and hopefully it will work this time. Otherwise look at the www.phoneboy.com site for help.
- So up to this point you are able to emulate your existing FW-1 (version 4.0) production box as Box A in the independent network; it now needs to be upgraded.
HOW to get the software?: Obtain the FW-1 4.1 CD from your reseller; you can download the latest SPs from the Check Point support site (you need a support contract password to download the software) or talk to your reseller.
- Read the release notes on how to install the new packages and service packs. For Nokia boxes you can use the Voyager web interface or the newpkg command to download and install the new version.
- From this step onwards is the upgrade process. Now install Check Point 4.1 on Box A, including the GUI etc. Update your $FWDIR environment variable. Log out and log in again to make sure you picked up the new $FWDIR variable. Add $FWDIR/bin to your path. Run "cpconfig" and install the desired product. It should find that Check Point FW-1 version 4.0 is already installed (at least it could find it on Solaris/Nokia) and ask if you want to upgrade it. Select yes to upgrade from the last version. Install the backward compatibility package also if you are planning to manage version 4.0 remote FW modules. It depends on the site, but personally I think it is worth upgrading all your sites to 4.1 at once, so you may avoid the backward compatibility option here. It is not really very painful to upgrade all sites at once. For Nokia/Solaris/Linux boxes, if you have telnet/ssh access to the remote FW module box it hardly takes 15-20 minutes to upgrade a remote module (mileage may vary from case to case).
- Install all the NEW licenses for version 4.1, which you have obtained already from your Check Point reseller or license.checkpoint.com.
- License Gotcha: When I received Check Point licenses from license@checkpoint.com, they sent wrong and truncated 'fw putlic ....' command strings in all licenses for 4.1. Make sure this is not the case for you. Generally, in the license mail received from Check Point there are two lines, FEATURE and LICENSE STRING, and these lines are included as 'fw putlic hostid expiration-date FEATURE LICENSE_STRING'. So while installing licenses, if you get an "invalid License" error, make sure you have included the full license strings.
- SecuRemote Licenses: They sent the wrong date format in the 'fw putlic .......' string. If you are obtaining a one-year Eval license or so, make sure the date is given as in 'fw putlic 24Aug2001 ....'; any other format may result in an invalid license error.
- Now fire up the GUI. (On an NT console or X-console you need to install the version 4.1 GUI client here to talk with the 4.1 management server; you may need an additional Motif license on your management server in the case of the X-console GUI, but the NT GUI client can access the FW management server GUI for free.)
- From the GUI, make sure everything looks okay and you have all your Network and User objects etc. The upgrade process has copied all your user database, encryption keys etc. Please read the FW-1 4.1 manual and release notes for changes such as SecuRemote now using port 264/udp instead of 256/udp to communicate with the management server. So if you are using the old SecuRemote client you may need to add additional rule(s). For the encryption tunnel it uses the same 259/udp.
- Now try loading the security policy on the FW-1 4.1 module (Box A). Version 4.1 seems to be a little stricter in its anti-spoofing settings checks, so if you have an inappropriate anti-spoofing setup it may give an error at policy load time and not load the security policy until you correct it.
- Upgrade to the latest service pack at this time. Service packs usually come in the form of patches which you install following the instructions provided by Check Point. Usually you need to reboot or restart the Firewall after the SP install.
- Make sure you are able to reload the security policy after the SP upgrade.
- You may now test your remote-fw Firewall. Upgrade the remote firewall module box if you are planning to upgrade it to the latest version. Since remote Firewall modules get their information from the management console, they are easy to upgrade. Usually you either follow the simple upgrade process or simply install the new version of Firewall 4.1, run cpconfig to activate FW v4.1, install the licenses and run the fw putkey command to make it ready to talk with the management server. In the case of Nokia boxes, either use the newpkg command to upgrade (this will allow you to copy the package directly from an anonymous ftp server) or install the new version using the Voyager web interface. You can ftp the software directly to the Nokia box using the Voyager web interface and unpack/activate it using Voyager as well. On Nokia boxes packages are generally saved directly under /opt.
- NOKIA BOX UPGRADE STEPS, brief (using Voyager):
- Copy the latest FW-1/service packs to the Nokia box /opt directory.
- Unpack and install using Voyager. If you are upgrading many Nokia boxes, you can perform the steps up to this point in advance so that all Nokia boxes are ready with the latest software. Do NOT CHECK/SELECT THE NEW VERSION OF FIREWALL AT THIS STEP, UNLESS YOU ARE READY FOR THE UPGRADE.
- When you are ready to upgrade, disable FW-1 running on the Nokia at boot time.
- Select the new version of FW-1 (4.1SP2 or so) and UNselect the old running version of FW-1.
- Save changes and reboot.
- Run cpconfig and make sure to select the appropriate products, licenses etc. DO NOT START THE FIREWALL NOW.
- Run the fw putkey command to enter the password used to communicate with the management server; do the same on the management server for this remote module.
- Run fwstart now. The first time it may say "Exchanging new keys with management server" or so. This is a good sign. It may fail to load a policy, since there isn't any default policy saved yet on remote-fw. You may ignore that for now.
- Do not forget to turn the "run FW-1 at boot time" option back on when you are done.
- Before you push the policy to the remote server: in most cases you may need to run "fw putkey" on both the management server and the remote-fw module again; if these passwords are not in sync properly you may face difficulty. In almost every case I need to run the fw putkey command again after the upgrade. See the www.phoneboy.com site to rectify this problem in general (search for "Can't get putkey to work"). Sometimes you may need to delete a few files in the $FWDIR/{database,conf} directory and reboot the firewalls. I suggest taking a printout of this link before you plan for the final upgrade (http://www.phoneboy.com/ Can't get putkey to work).
- Also, before you try to push the policy from the management server to remote-fw, on the management server GUI select the "remote-fw" network object and click on the "Get Version" and "Get Interface" buttons. This process must return without any error(s), which means the management server and remote-fw are talking to each other. If it returns an "authentication failed" error, rerun fw putkey on both the management server and the module and try a couple of times again. If this isn't working at all you are out of luck; refer to the www.phoneboy.com troubleshooting link.
- NOTE: In version 4.1, YOU CAN NOT HAVE the name of the security policy and the name of the Firewall module the same. So make sure these two are different, otherwise you will get an error at policy load time that does not tell you this reason at all.
- Now try installing the security policy on the remote-fw Firewall. :-)
- If you get an error message while installing the policy, run the "fw unload <remote-fw>" command to unload any rulebase on remote-fw, make a simple test policy containing a single rule like "Any Any Any_Service Allow" and see if you can upload this policy (THIS IS JUST FOR TEST, DO NOT LEAVE THIS POLICY IN PLACE FOREVER of course!). If you are able to upload the test policy then there may be some problem with your actual policy for remote-fw, which you got after the upgrade from 4.0 -> 4.1 but which may not be suitable for 4.1. You may need to disable/eliminate/modify rules and try to upload your actual policy again.
- If you follow the above process and upgrade from 4.0 -> 4.1, I found that the expiration date for all users in the user database is set to "31-dec-1999" (which was the default in version 4.0 and earlier versions). If the users are small in number, edit each user in the GUI; alternatively Check Point released some script (I don't have it with me) to fix this problem. Or dump the user database to an ASCII file, edit the ASCII file (search and replace) and import the database file back. (In the case of S/Key this may reset all S/Key counts for users.)
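The two hand edits of the dbexport file described in these notes (keeping only the header line to load a blank user database for the S/Key reset, and search-and-replacing the 4.0 default expiration date before re-importing) can be scripted so that no line is mangled by hand. The script below is an added example, not part of the original notes and not a Check Point tool; it assumes the fw dbexport ASCII format is ';'-separated with a header line that names the expiry field expiration_date, and the sample export it works on is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes, not a Check Point tool).
# Operates on the ASCII file written by "fw dbexport -f FILE" and meant to be
# loaded back with "fw dbimport -f FILE". ASSUMPTIONS: fields are separated
# by ';' and the header (line 1) names the expiry field "expiration_date";
# check the header of your own export and adjust EXP_FIELD if it differs.
EXP_FIELD=${EXP_FIELD:-expiration_date}

# Keep only line 1 (the header) so that dbimport loads an empty user database.
make_empty_db() {                 # usage: make_empty_db userdatabase /tmp/empty
    head -n 1 "$1" > "$2"
}

# Replace the expiry date for every user that still carries the old value.
# The column is located by header name, so its position does not matter.
fix_expiration() {                # usage: fix_expiration in out old-date new-date
    awk -F';' -v OFS=';' -v f="$EXP_FIELD" -v old="$3" -v new="$4" '
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == f) col = i
            if (!col) { print "header has no " f " field" > "/dev/stderr"; exit 2 }
            print; next
        }
        $col == old { $col = new }
        { print }
    ' "$1" > "$2"
}

# Count the users (non-header lines) whose expiry equals the given date.
count_expiring() {                # usage: count_expiring file date
    awk -F';' -v f="$EXP_FIELD" -v d="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == f) col = i; next }
        $col == d { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample export with two users on the 4.0 default "31-dec-1999".
write_sample() {                  # usage: write_sample file
    printf '%s\n' \
        'name;groups;auth_method;expiration_date;comments' \
        'alice;{vpn-users};SKEY;31-dec-1999;sales' \
        'bob;{vpn-users};SKEY;31-dec-1999;ops' \
        'carol;{admins};Internal Password;30-jun-2002;' > "$1"
}

# Demo on the constructed sample: sh fixdb.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample "$d/userdatabase"
    make_empty_db "$d/userdatabase" "$d/empty"
    fix_expiration "$d/userdatabase" "$d/fixed" 31-dec-1999 31-dec-2001
    echo "users still on 31-dec-1999: $(count_expiring "$d/fixed" 31-dec-1999)"
    rm -rf "$d"
fi
```

Run count_expiring on the fixed file before you fw dbimport it, so you know exactly how many users were touched, and remember that re-importing may still reset S/Key counts as noted above.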
- Old versions of SecuRemote (pre 4.1) seem to work with FW-1 version 4.1, although personally I suggest upgrading all your SecuRemote users to the version 4.1 client. You can simply automate the process by first setting up a single SecuRemote client (version 4.1 client), obtaining the site layout, and after that obtaining the userc.C file (C:/Program Files/Checkpoint/Securemote/database/userc.C), putting it in the raw distribution and bundling (zipping) that for other users to install. Make sure users first uninstall the older SecuRemote version and then install the new version. If you allow downloading the site layout directly from the management server, users can obtain a fresh userc.C themselves. Read the Check Point manual for more details.
- While installing SecuRemote it asks if you want to install SecureClient also. Do not select it if you are not using this feature. Otherwise the user will get a warning message (harmless though) at every SecuRemote authentication.
Up to this point your upgrade process and mock test in the independent network are complete. Now get ready for the final upgrade.
- Once again: GET ALL YOUR FW-1 4.1 licenses for all remote modules in advance. Old licenses (pre 4.1) will not work at all with the FW-1 module version 4.1.
- Place your upgrade box near the production box and simply move all network connections from the production box to the upgrade box (WHICH WILL BE YOUR NEW PRODUCTION BOX). This step is only important for the management server (which may or may not contain the FW-1 module as well); it assumes your management server also contains the FW-1 module at your main site (if not, the setup is a little easier than this).
- Now power cycle the new production box (leaving the old production box up, but not connected to the network). It comes up with the new FW-1 version and your site should start communicating through it. You may need to delete ARP entries, or wait for the ARP cache to time out on your network machines (usually 20 minutes). Once you are done with this, it is time to upgrade the remote Firewall modules.
- A remote FW-1 module running version 4.0 can still talk to version 4.1 (encryption/SecuRemote work just fine), although you may not be able to push a policy unless you have backward compatibility turned on. If you are planning to upgrade the remote modules also, go on...
- Hopefully you have already copied the software (FW-1 and service packs) to the remote FW boxes' local drives; now install the new version of FW-1 on the remote-fw controlled by your new production box (management server). While installing the new version on remote modules, you may opt to upgrade or just do a fresh install, since remote modules simply get their rulebase from the management server. In the case of an upgrade it will automatically copy some of your settings, like external interface settings etc., but you will still need to put in the new licenses yourself. See the notes above if you have Nokia boxes. The Solaris FW-1 module upgrade may complain "couldn't put license in running module"; a simple reboot will fix this.
- Upgrade and push policies to the remote FW-1 modules as in the mock test in the independent network above. Try fwstop;fwstart on the remote modules to see if they are getting the updated policy from the management server.
- Hope to see your happy face now :-)
I hope the above document will provide guidelines and a checklist for the Firewall-1 upgrade process. Obviously there are many other paths to follow for the upgrade process, and that also depends upon site configurations. If you want to ask any question(s), suggest modifications, correct errors and/or include your thrills with the upgrade process in this document, please convey your comments to rajeev@rajeevnet.com
Last Updated: Sept/10/2000
Copyright © 2000 Rajeev Kumar (rajeev@rajeevnet.com)