CP R80.10 Installation and Upgrade Guide

24 July 2018
INSTALLATION AND
UPGRADE GUIDE
R80.10
Protected
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.
Check Point R80.10

For more about this release, see the R80.10 home page
http://supportcontent.checkpoint.com/solutions?id=sk111841.
Latest Version of this Document

Download the latest version of this document
http://downloads.checkpoint.com/dc/download.htm?ID=54829.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Installation and
Upgrade Guide R80.10 .
Searching in Multiple PDFs

To search for text in all the R80.10 PDF documents, download and extract the
complete R80.10 documentation package
Use Shift-Control-F in Adobe Reader or Foxit reader.
Revision History
Date Description
24 July 2018 Removed: All references to IP Series appliances, because they are not
supported by R80 and above.
Added: Feedback link in the WEB guide, at the bottom of each page.
11 July 2018 Removed: Section Converting a Security Management Server to

Multi-Domain Server on Smart-1 Appliance, because it is not supported for
R80 and above.
Improved: vSEC Controller upgrade instructions ("Upgrading the vSEC
Controller on the Security Management Server" on page 76).
31 May 2018 Removed: Section Removing Earlier Version Multi-Domain Server

Installations, because it does not apply to Multi-Domain Server on Gaia.
Updated: Licensing Terms for SmartUpdate (on page 139).
31 May 2018 Added:

• Install Database requirement after Upgrading Gaia Security Management Server and
Standalone ("Upgrading Gaia Security Management Server and Standalone" on page 81).
• Install Database requirement after Importing the Security Management Server Database.
• License requirement prior to importing database on Multi-Domain Servers ("Upgrading an
R77.xx Multi-Domain Security Management with Migration" on page 88).
• mdsstop and mdsstart commands needed before synchronizing Standby Domain
("Updating Objects in the Domain Management Server Databases" on page 101).
• Sync details when doing Upgrade of primary and secondary servers ("Upgrading an R77.xx
Multi-Domain Security Management with Migration" on page 88).
• Commands to run when upgrading from R80 -> R80.10 - Migrating Global Policies
("Migrating Global Policies" on page 92).
12 November 2017 General updates.
08 November 2017 Improved formatting and document layout.

Updated:
• Upgrading a VSX Gateway (on page 83)
• Upgrading Gaia Security Management Server and Standalone (on page 81)
• Upgrading Multi-Domain Security Management ("Upgrading a Multi-Domain Security
Management" on page 87)
• Upgrading a VSX Cluster (on page 124)
03 September Added information on upgrading from R80 to R80.10 in:

2017 • Added CLI commands (see "CLI Commands" on page 169)
• Upgrading Gaia Security Management Server and Standalone (on page 81)
• Upgrading from R80 ("Upgrading Multi-Domain Security Management with CPUSE" on
page 87)
• Upgrading Management with High Availability (on page 131)
• Upgrading SmartEvent Server
14 May 2017 First release of this document.

© 2018 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Contents
Important Information................................................................................................... 2
Terms .......................................................................................................................... 10
Getting Started ............................................................................................................ 12
Welcome ................................................................................................................. 12
R80.10 Documentation ............................................................................................ 12
For New Check Point Customers ............................................................................ 13
Disk Space ............................................................................................................... 13
Product Deployment Scenarios ............................................................................... 14
Installing and Upgrading with CPUSE ..................................................................... 15
Configuring your Check Point Appliance ..................................................................... 17
Workflow for Configuring your Appliance ............................................................... 17
Running the Gaia First Time Configuration Wizard ................................................. 18
Deployment Options from the First Time Configuration Wizard ............................. 19
Running an Unattended USB Installation of Gaia on Appliances ............................. 19
Installing a Blink Image to Configure a Check Point Gateway Appliance ................ 20
The Gaia Operating System ......................................................................................... 21
Installing the Gaia Operating System ...................................................................... 21
Changing the Partition Size if you have Gaia Installed ...................................................21
Changing Gaia Partition Sizes Before the Operating System Installs.............................22
Installing the Gaia Operating System on Appliances......................................................22
Installing the Gaia Operating System on an Open Server ...............................................23
Configuring the Gaia Management IP Address ..............................................................24
Installing the Management Server, Standalone, or Security Gateways ...................... 25
Installing a Management Server ............................................................................. 25
Installing a Security Management Server or Multi-Domain Server on Linux.......... 27
Installing a Standalone ........................................................................................... 27
Configuring a Standalone Appliance in Standard Mode .................................................28
Configuring a Standalone Appliance in Quick Setup Mode .............................................30
Installing Security Gateways ................................................................................... 31
Installing Security Gateways on Appliances ..................................................................31
Installing Security Gateways on Open Servers ..............................................................33
Installing VSX Gateways .......................................................................................... 34
Installing Security Gateways on Appliances ..................................................................34
Installing Security Gateways on Open Servers ..............................................................36
Installing Other Servers .......................................................................................... 37
Installing Endpoint Security...........................................................................................37
Installing a Log Server / SmartEvent Server .................................................................38
Minimum Disk Space .....................................................................................................38
Installing a Multi-Domain Security Management .................................................... 40
Installing a Multi-Domain Server on Smart-1 Appliances..............................................40
Installing a Multi-Domain Server on Gaia Open Servers ................................................43
Installing a Multi-Domain Log Server ............................................................................44
Post-Installation Configuration .....................................................................................45
Installing SmartConsole ............................................................................................. 46
Logging in to SmartConsole .................................................................................... 46
Troubleshooting SmartConsole .............................................................................. 47
High Availability .......................................................................................................... 48
Understanding Full High Availability on Appliances ............................................... 48
Installing Standalone Full High Availability on Gaia Appliances ............................. 49
Upgrading Standalone Full High Availability Appliances on Gaia Operating System ......51
Configuring Standalone Full High Availability on Appliances ................................. 52
Removing a Cluster Member .........................................................................................53
Adding a New Appliance to a High Availability Cluster...................................................53
Recommended Logging Options for High Availability ....................................................54
Configuring Management High Availability ............................................................. 55
Using Monitor Mode .................................................................................................... 56
Configuring Monitor Mode ...................................................................................... 56
Supported Software Blades for Monitor Mode ........................................................ 57
Unsupported Software Blades for Monitor Mode .................................................... 58
Unsupported Deployments for Monitor Mode ......................................................... 58
Backing Up and Restoring ........................................................................................... 59
Gaia Snapshot Image Management ......................................................................... 60
Snapshot Prerequisites .................................................................................................61
Working with Snapshot Management - Gaia Portal .......................................................61
Working with Snapshot Management - Gaia Clish .........................................................63
Backing up the Configuration of Gaia ...................................................................... 65
Backing Up the System from the Gaia Portal .................................................................65
Backing Up Security Management Server with CLI ........................................................65
mds_backup ............................................................................................................ 67
mds_restore ........................................................................................................... 69
Upgrading Prerequisites ............................................................................................. 70
Before Upgrading .................................................................................................... 70
Contract Verification ............................................................................................... 72
Upgrade Utilities ..................................................................................................... 73
Using the Pre-Upgrade Verifier .............................................................................. 74
Upgrading Successfully .......................................................................................... 75
Upgrading the vSEC Controller on the Security Management Server ..................... 76
Supported Security Gateways ................................................................................. 77
Service Contract Files ............................................................................................. 78
Working with Contract Files ..........................................................................................78
Installing a Contract File on the Security Management Server ......................................78
Installing a Contract File On Security Gateways ............................................................79
Upgrading Security Management Servers and Security Gateways ............................. 80
Using the Upgrade Verification Service ................................................................... 80
Upgrading Gaia Security Management Server and Standalone .............................. 81
Upgrading Security Gateways ................................................................................. 82
Configuring SmartUpdate for Versions R77.30 and Lower.............................................82
Upgrading a VSX Gateway ..............................................................................................83
Upgrading Standalone Full High Availability ........................................................... 84
Upgrading with Minimal Downtime ................................................................................84
Upgrading with a Clean Installation ...............................................................................85
Upgrading Clusters on Appliances .......................................................................... 86
Upgrading a Multi-Domain Security Management ...................................................... 87
Upgrading Multi-Domain Security Management with CPUSE ................................. 87
Upgrading an R77.xx Multi-Domain Security Management with Migration............. 88
Exporting the Multi-Domain Server Databases .............................................................88
Importing the Database to the Primary Multi-Domain Server .......................................90
Importing the Database to Secondary Multi-Domain Servers and Multi-Domain Log
Servers ..........................................................................................................................90
Migrating Each Domain Management Server Gradually ................................................92
Migrating Global Policies ...............................................................................................92
Upgrading Global Policy from R77.xx to R80.10 .............................................................93
Migrating a Domain Management Server Database .......................................................93
Migrating an R80.10 Database to another R80.10 Server ...............................................99
Upgrading a High Availability Deployment ............................................................ 100
Pre-Upgrade Verification and Tools.............................................................................100
Multi-Domain Server High Availability .........................................................................100
Upgrading Multi-Domain Servers and Domain Management Servers.......................... 101
Updating Objects in the Domain Management Server Databases ................................ 101
Managing Domain Management Servers During the Upgrade Process........................ 102
Restarting Domain Management Servers ............................................................. 103
Changing the Leading Interface on Multi-Domain Server or Multi-Domain Log
Server ................................................................................................................... 104
Saving the Multi-Domain Security Management IPS Configuration ...................... 105
Enabling IPv6 on Gaia ............................................................................................ 106
Enabling IPv6 on Multi-Domain Security Management ................................................106
Upgrading ClusterXL Deployments ........................................................................... 108
Planning a Cluster Upgrade .................................................................................. 108
Ready State During Cluster Upgrade/Rollback Operations.......................................... 109
Upgrading 32/64-bit Cluster Members ........................................................................110
Upgrading Third-Party and OPSEC Certified Cluster Products .................................... 110
Minimal Effort Upgrade on a ClusterXL Cluster.................................................... 111
Zero Downtime Upgrade on a Cluster ................................................................... 112
Upgrading Clusters With Minimal Connectivity Loss ............................................ 114
ClusterXL Optimal Service Upgrade ..................................................................... 115
Upgrade Workflow from R75.40VS ..............................................................................115
Upgrading the Cluster from R75.40VS .........................................................................117
Upgrade Workflow from R67.10 VSX............................................................................119
Upgrading the VSX Cluster from R67.10 ......................................................................121
Troubleshooting the Upgrade ......................................................................................122
Limitations ..................................................................................................................122
Connectivity Upgrade ............................................................................................ 123
Upgrading a VSX Cluster..............................................................................................124
Upgrading ClusterXL High Availability Using Connectivity Upgrade ............................ 125
Connectivity Upgrade Commands ................................................................................126
Upgrading Management with High Availability ......................................................... 131
Upgrading from R77.xx to R80.10 ......................................................................... 131
Upgrading from R80 to R80.10 .............................................................................. 131
Working with Licenses .............................................................................................. 132
Managing Licenses with SmartConsole ................................................................ 132
Viewing Licenses in SmartConsole ..............................................................................132
Monitoring Licenses ....................................................................................................134
Maintaining Licenses with Gaia ............................................................................. 137
Configuring Licenses - Gaia Portal ..............................................................................137
Using SmartUpdate ................................................................................................... 138
Accessing SmartUpdate ........................................................................................ 138
Licenses Stored in the Licenses & Contracts Repository...................................... 139
Licensing Terms for SmartUpdate ........................................................................ 139
Managing Licenses Using SmartUpdate ............................................................... 141
Adding New Licenses to the Licenses & Contracts Repository .................................... 141
Deleting a License from the Licenses & Contracts Repository .................................... 144
Upgrading a License ....................................................................................................144
Exporting a License to a File........................................................................................144
Checking for Expired Licenses ....................................................................................144
Attaching a License to a Security Gateway ............................................................ 145
Retrieving License Data from a Check Point Security Gateway.................................... 145
Detaching Licenses from a Security Gateway ....................................................... 145
Installing Software Packages on R80.10 ............................................................... 146
Upgrading with SmartUpdate for R77.30 and Below ............................................. 147
Upgrading a Single Package on a Check Point Remote Gateway ................................. 147
Upgrading All Packages on a Check Point Remote Gateway ........................................ 147
Prerequisites for Remote Upgrades ............................................................................148
Distributions and Upgrades .........................................................................................148
Canceling and Uninstalling ..........................................................................................148
Restarting the Check Point Security Gateway ..............................................................148
Using the Package Repository .....................................................................................148
Generating CPInfo .......................................................................................................150
Check Point Cloud Services....................................................................................... 152
Automatic Downloads ........................................................................................... 152
Sending Data to Check Point ................................................................................. 153
Advanced Deployments and Conversions.................................................................. 154
Deploying Bridge Mode Security Gateways ........................................................... 154
Supported Software Blades: Gateway and Virtual Systems ......................................... 155
Configuring One Gateway in Bridge Mode ....................................................................155
Configuring ClusterXL in Bridge Mode ........................................................................156
Routing and Bridges ....................................................................................................159
Configuring Link State Propagation (LSP) in ClusterXL ...............................................161
Managing Ethernet Protocols ......................................................................................161
VLANs ..........................................................................................................................162
Security Before Firewall Activation........................................................................... 165
Boot Security ......................................................................................................... 165
Control of IP Forwarding on Boot ................................................................................165
The Default Filter ........................................................................................................165
Changing the Default Filter .........................................................................................165
Defining a Custom Default Filter .................................................................................166
Using the Default Filter for Maintenance .....................................................................166
The Initial Policy .................................................................................................... 167
Monitoring Security ............................................................................................... 168
Unloading Default Filter or Initial Policy ............................................................... 168
Troubleshooting: Cannot Complete Reboot .......................................................... 168
CLI Commands .......................................................................................................... 169
cpconfig ................................................................................................................. 170
cplic ....................................................................................................................... 172
cplic check ...................................................................................................................173
cplic db_add ................................................................................................................174
cplic db_print ..............................................................................................................175
cplic db_rm .................................................................................................................176
cplic del .......................................................................................................................177
cplic del <object name> ...............................................................................................178
cplic get .......................................................................................................................179
cplic put .......................................................................................................................180
cplic put <object name> ...............................................................................................182
cplic print ....................................................................................................................184
cplic upgrade ...............................................................................................................185
cppkg ..................................................................................................................... 187
cppkg add ....................................................................................................................187
cppkg delete ................................................................................................................188
cppkg get .....................................................................................................................188
cppkg getroot ..............................................................................................................188
cppkg print ..................................................................................................................189
cppkg setroot...............................................................................................................189
cprid ...................................................................................................................... 190
cpridrestart .................................................................................................................190
cpridstart.....................................................................................................................190
cpridstop .....................................................................................................................190
cprinstall ............................................................................................................... 191
cprinstall boot .............................................................................................................191
cprinstall cpstart .........................................................................................................191
cprinstall cpstop ..........................................................................................................192
cprinstall get ...............................................................................................................192
cprinstall install ..........................................................................................................193
cprinstall uninstall ......................................................................................................194
cprinstall verify ...........................................................................................................195
cprinstall snapshot ......................................................................................................196
cprinstall show ............................................................................................................197
cprinstall revert ..........................................................................................................197
cprinstall transfer .......................................................................................................198
control_bootsec .................................................................................................... 199
fwboot bootconf..................................................................................................... 200
comp_init_policy ................................................................................................... 201
cpstop -fwflag default and cpstop -fwflag proc .................................................... 202
Distributed Deployment
Terms
The Check Point Security Gateway and
Security Management Server products are
deployed on different computers.
Administrator
Domain
A SmartConsole user with permissions to
A network or a collection of networks related
manage Check Point security products and
to an entity, such as a company, business
the network environment.
unit or geographical location.
ClusterXL
Domain Log Server
Cluster of Check Point Security Gateways
A log server for a specified Domain. It stores
that work together in a redundant
and processes logs from Security Gateways
configuration. The ClusterXL both handles
that are managed by the corresponding
the traffic and performs State
Domain Management Server.
Synchronization.
These Check Point Security Gateways are Domain Management Server
installed on Gaia OS:
A virtual Security Management Server that
• Up to 5 cluster members are supported in manages Security Gateways for one Domain,
ClusterXL. as part of a Multi-Domain Security
Management environment.
• Up to 2 cluster members are supported in
VRRP cluster.
Global Policy
• Up to 13 cluster members are supported
All Policies defined in the Global Domain that
in VSX VSLS cluster.
can be assigned to Domains, or to specified
Note - In ClusterXL Load Sharing mode, groups of Domains.
configuring more than 4 members
significantly decreases the cluster ICA
performance due to amount of Delta Sync. Internal Certificate Authority - A component
on Check Point Management Server that
Database Migration
issues certificates for authentication.
Process of:
Multi-Domain Log Server
1. Installing the latest Security Management
Server or Multi-Domain Server version A Check Point computer that runs Check
from the distribution media on a separate Point software to store and process logs in
computer from the existing Security Multi-Domain Security Management
Management Server or Multi-Domain environment. The Multi-Domain Log Server
Server consists of Domain Log Servers that store
2. Exporting the management database and process logs from Security Gateways
from the existing Security Management that are managed by the corresponding
Server or Multi-Domain Server Domain Management Servers.
3. Importing the management database to Multi-Domain Security Management

the new Security Management Server or
Multi-Domain Server A centralized management solution for
large-scale, distributed environments with
This upgrade method minimizes upgrade many different Domain networks.
risks for an existing deployment.
Multi-Domain Server
A Check Point computer that runs Check
Point software to host all Domain
Management Servers.
Open Server
A physical computer manufactured and
distributed by a company, other than Check
Point.
Package Repository
A SmartUpdate repository on the Security
Management Server that stores uploaded
packages. These packages are then used by
SmartUpdate to perform upgrades of Check
Point Gateways.
Security Gateway
Point software to inspect traffic and enforces
Security Policies for connected network
resources.
Security Management Server

Point software to manage the objects and
policies in Check Point environment.
Security Policy
A collection of rules that control network
traffic and enforce organization guidelines
for data protection and access to resources
with packet inspection.
SmartConsole
A Check Point GUI application used to
manage security policies, monitor products
and events, install updates, provision new
devices and appliances, and manage a
multi-domain environment and each domain.
Getting Started
CHAPTE R 1
Getting Started
In This Section:
Welcome ........................................................................................................................12
R80.10 Documentation .................................................................................................12
For New Check Point Customers ................................................................................13
Disk Space .....................................................................................................................13
Product Deployment Scenarios ...................................................................................14
Installing and Upgrading with CPUSE .........................................................................15
Before you install or upgrade to R80.10:

1. Read the R80.10 Release Notes.
2. Back up ("Backing Up and Restoring" on page 59) the current system.
Welcome
Thank you for choosing Check Point Software Blades for your security solution. We hope that you
will be satisfied with this solution and our support services. Check Point products provide your
business with the most up to date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional, and
support services through a network of Authorized Training Centers, Certified Support Partners,
and Check Point technical support personnel to ensure that you get the most out of your security
investment.
For additional information on the Internet Security Product Suite and other security solutions, go
to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical
information, visit the Check Point Support center http://supportcenter.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all of your current and future
network, application, and management security needs.
R80.10 Documentation
This guide is for administrators responsible for installing R80.10 on appliances and open servers
that run the Gaia Operating System.
To learn what is new in R80.10, see the R80.10 Release Notes.
See the R80.10 Home Page SK http://supportcontent.checkpoint.com/solutions?id=sk111841 for
information about the R80.10 release.
Installation and Upgrade Guide R80.10 | 12

Getting Started
For New Check Point Customers

New Check Point customers can access the Check Point User Center
https://usercenter.checkpoint.com to:
• Manage users and accounts
• Activate products
• Get support offers
• Open service requests
• Search the Technical Knowledge Base
Disk Space
When you install or upgrade R80.10, the installation or upgrade wizard makes sure that there is
sufficient space on the hard disk to install the Check Point products.
If there is not sufficient space on the hard disk, an error message is shown. The message states:
• The amount of disk space necessary to install the product.
• The directory where the product is installed.
• The amount of free disk space that is available in the directory.
To learn how to remove old Check Point packages and files, see sk91060
After there is sufficient disk space, install or upgrade the Check Point product.

Getting Started
Product Deployment Scenarios

There are different deployment scenarios for Check Point software products.
Standalone Deployment - The Security Management Server (1) and the Security Gateway (3) are
installed on the same computer or appliance (2).
Distributed Deployment - The Security Management Server (1) and the Security Gateway (3) are
installed on different computers or appliances, with a network connection (2).
Management HA - A Primary Security Management Server (1) has a direct or indirect connection
(2) to one or more Secondary Security Management Servers (3). The databases of the Security
Management Servers are synchronized, manually or on a schedule, to back up one another. The
administrator makes one Security Management Server Active and the others Standby. If the Active
Security Management Server is down, the administrator can make the Standby server Active.

Getting Started
Installing and Upgrading with CPUSE

With CPUSE, you can automatically update Check Point products on the Gaia operating system,
and the Gaia operating system itself. The software update packages and full images are for Major
releases, Minor releases and Hotfixes. The Deployment Agent daemon (DA) does the deployment
process.
CPUSE automatically locates and shows the available software update packages and full images
that are relevant to the Gaia operating system version installed on the computer, the computer's
role (Gateway, Security Management Server, Standalone), and other specific properties. The
images and packages can be downloaded from the Check Point Cloud or uploaded manually, and
installed.
To update the Deployment Agent:

1. Make sure the proxy and the DNS server are configured.
2. In the Gaia Portal navigation tree, go to Upgrades (CPUSE) > Software Updates Policy.
3. In the Software Deployment Policy section, select an option to update the Deployment Agent:
• Manually - See Latest build of CPUSE and What's New, and How to manually install the
CPUSE Agent package in the CPUSE sk92449
• Periodically update new Deployment Agent version - Updates the Deployment Agent on
interval.
4. Click Apply.
To install R80.10 using CPUSE - Gaia Portal:

1. In the Gaia Portal navigation tree, go to Upgrades (CPUSE) > Status and Actions.
2. Select the R80.10 image.
3. To make sure the installation is allowed, right-click and select Verifier. Click OK.
The Installation verified - Installation is allowed window shows. Verification is complete.
4. Click Install Update, or right-click and select Clean Install or Upgrade.
5. The computer reboots automatically.

Getting Started
Upgrade Limitations
• Personal files saved outside of the /home directories are erased during the upgrade process.
If you created a snapshot immediately before you upgraded, you can revert to the snapshot to
recover personal files saved outside of the /home directory.
• Open Servers that were upgraded from SecurePlatform to Gaia, cannot be upgraded. You can
update the version when you do a clean installation.
• Upgrading using Full Images:
• IP Series appliances are not supported.
• UTM-1 appliances are not supported.
• To upgrade the secondary Security Management Server of a Full High Availability
deployment, use the procedure in this guide for upgrading with a clean installation.
• The SSH key is not migrated to the new version.
• Mobile Access Software Blade custom configuration is not upgraded.
• Endpoint Policy Servers cannot be upgraded.
For more about CPUSE, see sk92449


CHAPTE R 2
Configuring your Check Point Appliance

In This Section:
Workflow for Configuring your Appliance ...................................................................17
Running the Gaia First Time Configuration Wizard ....................................................18
Deployment Options from the First Time Configuration Wizard ...............................19
Running an Unattended USB Installation of Gaia on Appliances ...............................19
Installing a Blink Image to Configure a Check Point Gateway Appliance .................20
After you install the Gaia operating system, you must run the First Time Configuration Wizard.
Workflow for Configuring your Appliance
The steps below walk you through how to install and configure a Check Point appliance, or an
Open Server.
Step 1: Install the operating system on the appliance.
• If you have a Check Point appliance, configure Gaia for the server.
• If you have an Open Server ("Installing the Gaia Operating System on an Open Server" on
page 23):
 Configure the partition sizes on your computer ("Changing Gaia Partition Sizes Before
the Operating System Installs" on page 22).
 Use the Installation Media to start the server.
 Install Gaia on the server.
 Configure the interfaces for the server.
Step 2: Connect to the Gaia Portal to configure the system with the First Time Configuration
Wizard ("Running the Gaia First Time Configuration Wizard" on page 18).
Step 3: Install SmartConsole ("Installing SmartConsole" on page 46).
Step 4: Configure your system and Security Policies.
• Configure a Standalone server ("Installing a Standalone" on page 27).
• Configure a Security Management Server.
• Configure a Security Gateway ("Installing Security Gateways" on page 31).

Running the Gaia First Time Configuration Wizard

To start the First Time Configuration Wizard on Gaia:
1. Connect to the command line on your Gaia system over SSH or a console connection.
2. Log in to Gaia Clish.
This message shows:
In order to configure your system, please access the Web UI and finish the
First Time Configuration Wizard
3. In your web browser, connect to the management IP address:
https://<gaia_ip_address_of_management_interface>
4. Enter the default username and password: admin and admin
5. Click Login.
The Check Point First Time Configuration Wizard window shows.
6. Click Next.
7. Go to the Deployment Options page to select to Setup, Install or do Recovery ("Deployment
Options from the First Time Configuration Wizard" on page 19).
Use the instructions below to install a version available locally on your device.
To configure the settings for the appliance:

1. In the Management Connection page, enter the IPv4 management interface. Click Next.
2. In the Internet Connection page, configure the interface. Click Next.
3. In the Device Information page:
• Enter the Host Name for the appliance.
• Enter the Domain name for the appliance.
(i) If you configured an interface for the User Center, you must configure the IPv4
addresses of DNS servers.
(ii) If you configured an interface for the User Center and you use a Proxy Server to reach
the User Center, in Proxy Settings, enter the IPv4 address and port for the Proxy
Server.
Optional: In the Connection to User Center page, configure an external interface to connect to
the Check Point User Center. Use this connection to download a license and to activate it. Click
Next.
4. In the Date and Time Settings page, set the date and time manually, or enter the hostname
and IPv4 address of the NTP server. Click Next.
The Installation Type window shows. Use the Installation Type window to configure your
system ("The Gaia Operating System" on page 21).

Deployment Options from the First Time Configuration

Wizard
These deployment options are available:
• Setup
Use this to configure the installed Gaia and Check Point products.
• Install
Use this to install a Gaia version from the Check Point Cloud or USB device.
• Recovery
Use this to import an existing Gaia snapshot.
Running an Unattended USB Installation of Gaia on

Appliances
You can install a Gaia appliance using an ISO on a removable USB drive. To prepare a USB drive,
see sk65205 http://supportcontent.checkpoint.com/solutions?id=sk65205.
For versions R77.20 and higher, the ISOmorphic tool lets an administrator run an unattended
installation. In an unattended installation for appliances only, an experienced Check Point system
administrator:
1. Prepares the USB with these pre-configured settings for specified network interface:
• IP address
• Network mask
• Default gateway
2. Sends the USB drive to an administrator who inserts the drive into the appliance and reboots
it.
The tool installs R77.20 (or higher) and configures the appliance with the predefined settings.
The LCD indicates a successful installation and interfaces blink in round-robin fashion.
3. The experienced administrator then:
• Connects to the Gaia Portal and runs the First Time Configuration Wizard, or
• Opens a command line (SSH) connection to the appliance for further operating system level
configuration
Note - The ISOmorphic tool does not support unattended installation on open servers.

Installing a Blink Image to Configure a Check Point

Gateway Appliance
Blink is a Gaia fast deployment procedure. With Blink, you can quickly deploy clean Check Point
Security Gateways on appliances that have not yet been configured with the First Time
Configuration Wizard. Blink deploys within 5-7 minutes.
When Blink completes, clean Security Gateways, Hotfixes, and updated Software Blade signatures
are installed. Blink configures an appliance in place of the First Time Configuration Wizard.
You can run the Blink image from a USB or download it to your appliance. For a Gaia appliance
with R80.10, Take 462 or above, if you add the Blink image to a USB and insert the USB into the
machine before the First Time Configuration Wizard shows, the process begins automatically.
After the installation is complete, connect with your web browser to the Check Point appliance to
complete the simplified Blink configuration.
Use the answer XML file from the Blink utility to run an unattended installation. Enter information
in the fields below:
• Host name
• Gaia administrator password
• Network options - IP, Subnet, Default gateway
• SIC key
• Cluster membership
• Upload/Download approval
You can use -reimage for a Security Gateway that is in use.
For complete information on installation, advanced usage, and supported appliances, see
sk120193 http://supportcontent.checkpoint.com/solutions?id=sk120193.

The Gaia Operating System
CHAPTE R 3

In This Section:
Installing the Gaia Operating System ..........................................................................21
Installing the Gaia Operating System

Check Point appliances come with the Gaia operating system already installed. If you have an
Open Server, you have to install Gaia.
Changing the Partition Size if you have Gaia Installed

To see the size of the system-root and log partitions on an installed system:
1. Enter expert mode.
2. Run: df -h
Most of the remaining space on the disk is reserved for backup images and upgrade.
To see the disk space assigned for backup images:

1. Connect to the Gaia Portal.
2. From the menu at the left, select Maintenance > Snapshot Management view.
On an Open Server, the available space in the Snapshot Management page is less than the
space you defined when installing Gaia. The difference is the space reserved for upgrades. The
amount of reserved space equals the size of the system-root partition.
Note - The minimum recommended space in /var/log to support upgrade is 4 GB.
To manage the partition size on your system, see sk95566

Changing Gaia Partition Sizes Before the Operating System

Installs
Check the partition sizes on your appliance before you start the Gaia installation. On Check Point
appliances, the size of the disk partitions is predefined. On Smart-1 50/150/3050/3150 and
525/5050/5150 appliances, you can modify the default disk partitions within the first 20 seconds.
Then the non-interactive installation then continues.
When installing Gaia on an open server, these partitions have default sizes:
• System-swap
• System-root
• Logs
• Backup and upgrade
You can change the System-root and the Logs partition sizes. The storage size assigned for
backup and upgrade is updated accordingly.
To change the partition size, see sk95566
Installing the Gaia Operating System on Appliances

You can clean install R80.10 on Gaia Check Point appliances. For a list of supported appliances,
see the R80.10 Release Notes.
To reset the appliance to factory defaults:

1. Open a Serial connection to the appliance.
2. Restart the appliance.
3. When prompted, press any key to enter the Boot menu.
4. Within 4 seconds, press any key to access the menu.
5. Select Reset to factory defaults - Security Management Server and press Enter.
6. Type yes and press Enter.
The Security Management Server image is selected for the appliance and the appliance resets.
7. Configure the Management IP Address ("Configuring the Gaia Management IP Address" on
page 24).
8. Run the First Time Configuration Wizard ("Running the Gaia First Time Configuration Wizard"
on page 18).

To install R80.10 on 2012 and 3000 series appliances that run an earlier version of
Gaia:
1. Download the Gaia Operating System ISO file from the R80.10 Home sk111841
2. See sk65205 http://supportcontent.checkpoint.com/solutions?id=sk65205 to create a USB
removable device.
3. Connect a computer to the console port on the front of the appliance through the supplied DB9
serial cable.
4. Connect to the appliance through a Serial connection, using these connection settings:
a) Connection type - Select or enter a serial port.
b) Define the serial port settings - 9600 BPS, 8 bits, no parity, 1 stop bit.
c) From the Flow control list, select None.
5. Connect the installation media to the USB port on the appliance.
6. Reboot the appliance. The appliance begins the boot process and status messages show in the
terminal emulation window.
For installation from a removable USB device - In the boot screen, enter serial at the boot
prompt and press Enter.
The R80.10 ISO file is installed on the appliance, and the version and build number show in the
terminal emulation window and on the LCD screen.
7. Reboot the appliance - Press CTRL+C.
The appliance reboots and shows the model number on the LCD screen.
Installing the Gaia Operating System on an Open Server

Important - When you start the Gaia installation on an Open Server, select Gaia and press Enter
within 60 seconds. Otherwise the server tries to start from the hard drive. The timer countdown
stops when you press Enter. There is no time limit for the next steps.
1. Start the server using the installation media.
2. When the first screen shows, select Install Gaia on the system and press Enter.
3. Press OK to continue with the installation.
4. Select a keyboard language. English US is the default.
5. Configure the hard disk partitions ("Changing Gaia Partition Sizes Before the Operating
System Installs" on page 22).
6. Enter and confirm the password for the admin account.
7. Select the management interface. The default is eth0.
8. Configure the management IP address, net mask and default gateway.
You can define the DHCP server on this interface.
9. Select OK to format the hard drive and installation of the Gaia operating system.
10. Reboot to complete the installation.

Configuring the Gaia Management IP Address

The management interface is pre-configured with the IP address 192.168.1.1. You can change
the management IP address on a Check Point appliance before or after you run the First Time
Configuration Wizard. If you must access the appliance over the network, update the interface
before you connect the Gaia appliance to the network. Make sure the new address is on the same
subnet as the management network.
If you change the management IP address during the First Time Configuration Wizard, this
warning shows: Your IP address has been changed. In order to maintain the browser connection,
the old IP address will be retained as a secondary IP address.
You can also install a log server or Multi-Domain Log Server on a Check Point appliance
("Installing Other Servers" on page 37).
To change the Management address before you run the First Time Configuration
Wizard:
1. Open a console connection.
2. Log in with the default username and password: admin and admin.
3. In Clish, get the name of the management interface: # show interfaces
4. Set the management IP address:
# set interface mgmt ipv4-address <IPv4 address> subnet-mask <mask>
5. Disable the static route to the default gateways that are not used:
# set static-route default nexthop gateway address <IPv4 address> off
6. Open a browser to the Gaia Portal and run the First Time Configuration Wizard.
To change the management IP address after you run the First Time Configuration
Wizard:
1. Open a browser to the Gaia Portal.
2. Open the Network Management > Network Interfaces window.
3. In the Management Interface view, click Set Management Interface.
The Management Interface window shows the interface that is configured as the management
interface.
4. In the Interfaces table, select the management interface and click Edit.
5. Change the IP address of the interface.
Note - This changes the settings of an interface to which the browser connected.
6. Click OK.

CHAPTE R 4
Installing the Management Server,

Standalone, or Security Gateways
In This Section:
Installing a Management Server..................................................................................25
Installing a Security Management Server or Multi-Domain Server on Linux ...........27
Installing a Standalone .................................................................................................27
Installing Security Gateways ........................................................................................31
Installing VSX Gateways ...............................................................................................34
Installing Other Servers ...............................................................................................37
Installing a Multi-Domain Security Management .......................................................40
Installing a Management Server

If you use a Check Point appliance, Gaia automatically identifies the model when you start the
First Time Configuration Wizard. Only some appliance models support a Security Management
Server. To install and configure Check Point appliances on Gaia, from the Gaia Portal use the First
Time Configuration Wizard.
To install a Security Management Server or Multi-Domain Server:

1. Open a browser to the Gaia Portal: https://<management IP address>
2. In the Gaia Portal window, log in with the administrator name and password that you defined
during the Gaia installation.
3. The Portal shows the First Time Configuration Wizard. Click Next.
4. From the Deployment Options window, select Continue with R80.10 configuration. Click Next.
5. From the Management Connection window, enter an IPv4 address for the management
interface.
If you change the management IP address, the new IP address is assigned to the interface. The
old IP address is added as an alias and is used to maintain connectivity.
Optional:
• Configure an Internet Connection in the next window.
6. From the Device Information window, enter the host name of the server.
Optional:
• Enter the Domain Name, and IPv4 address for the DNS servers.
• Set the IP Address and port for a Proxy Server.
7. Click Next.
8. Configure the Date and Time Settings manually, or enter the hostname and IPv4 address of
the NTP server. Click Next.
Note - To configure a Multi-Domain Server see the installation instructions ("Installing a
Multi-Domain Security Management" on page 40).

Installing the Management Server, Standalone, or Security Gateways
To configure a Security Management Server:

1. From the Installation Type window, select Security Gateway and/or Security Management.
2. Click Next.
3. From the Products page, select Security Management Server.
Note - To configure a Security Gateway, see the installation instructions ("Installing Security
Gateways" on page 31).
4. Make sure Security Management is the only product selected. Click Next.
5. In the Security Management Administrator page, define an administrator who can connect to
the server with SmartConsole clients.
Note - If you did not change the default administrator password, do it now.
6. Click Next.
7. In the Security Management GUI Clients page, define which IP addresses a client can log into.
8. Click Next.
9. In the First Time Configuration Wizard Summary page, review your choices.
You can select Improve product experience by sending data to Check Point. Check Point
recommends that you select this option. No data is made accessible to third parties.
10. Click Finish.
License activation is automatic on Check Point appliances.
11. To start the configuration, click Yes.
A progress bar tracks the configuration of each task.
12. Click OK.
Security Management Server or Multi-Domain Server is installed on the appliance.

Installing a Security Management Server or

Multi-Domain Server on Linux
To install a Security Management Server on Red Hat Enterprise Linux, contact Check Point
Support https://www.checkpoint.com/support-services/contact-support/.
Installing a Standalone
Important - These instructions apply to Open Servers and Check Point appliances except Smart-1
appliances.
See the R80.10 Release Notes for the supported Check Point appliances and Open Server
requirements for a Standalone deployment.
You can configure a Check Point Standalone deployment using the Check Point First Time
Configuration Wizard ("Running the Gaia First Time Configuration Wizard" on page 18).
• Standard ("Configuring a Standalone Appliance in Standard Mode" on page 28) - Supported on
Check Point appliances, Open Servers, and VMs that meet the requirements listed in the
Release Notes.
• Quick Setup ("Configuring a Standalone Appliance in Quick Setup Mode" on page 30) - Installs
a Security Gateway and a Security Management Server on a single appliance in Bridge Mode.
Supported on Check Point appliances that support Standalone configuration.
For more on Gaia Quick Standalone Setup on appliances, see sk102231
See the R80.10 Release Notes.

Configuring a Standalone Appliance in Standard Mode

To configure a Standalone system using the First Time Configuration Wizard in the
Standard mode:
Step Action
1 On a computer that is connected to the management network, open a web browser to the
management IP address ("Configuring the Gaia Management IP Address" on page 24)
(default is 192.168.1.1)
The Gaia Portal login page opens.
2 Log in with the default credentials.

• username: admin
• password: admin
3 Click Login.
The First Time Configuration Wizard starts and the Welcome screen shows.
Click Next.
4 In the Setup section of Deployment Options view, select Install a version available locally
on your device.
Click Next.
5 If the Available Releases view shows, select Continue with configuration of Gaia R80.10.
Click Next.
6 In the Authentication Details view, select Change the default administrator password.
Enter a strong password.
Click Next.
7 Configure the Management Connection settings.
7a Enter the IPv4 address and Subnet mask of the management interface.
Note - You can leave the IP address and the subnet mask unchanged. It is the factory
default address or the latest address that the administrator configured.
7b Enter the IPv4 address of the Default Gateway.
7c In Configure IPv6, select On from the drop-down menu (by default, it is off), if you have
IPv6 in your environment.
7d Enter the IPv6 address and Subnet mask of the management interface.
7e Optional: Enter the IPv6 address of the Default Gateway.

Click Next.

Step Action
8 Optional: In the Internet Connection view, configure the interface to connect to the
Internet.
Click Next.
8a In Interface, select an interface on the system.
8b In Configure IPv4, select On from the drop-down menu (by default, it is off). Enter the IPv4
address and Subnet mask of the interface.
8c If you already assigned an IPv6 address, in Configure IPv6, select On from the drop-down
menu (by default, it is Off). Enter the IPv6 address and Subnet mask of the interface.
9 In the Device Information view, enter the applicable information:

• Host Name
• Domain Name
• Primary DNS Server
• Secondary DNS Server
• Tertiary DNS Server
• Proxy Settings
Click Next.
10 Configure the Date and Time Settings.

Select Manually or Use Network Time Protocol (NTP).
Click Next.
11 In the Products window, select both these products: Security Gateway and Security
Management Server.
11a If you configure Security Management in High Availability, define this server as Primary,
or Secondary.
If you configure a Dedicated Server, select SmartEvent or Log Server.
Click Next.
11b Optional: If you configure a Full High Availability cluster, select Unit is a part of a cluster
and select the cluster type ClusterXL.
If you have several clusters on the same network, enter the unique Cluster Global ID.
Click Next.
12 In the Security Management Administrator view, either Use Gaia administrator: admin or
define new log in credentials for the Security Management Server administrator account.
Click Next.
13 In the Security Management GUI Clients view, define which GUI clients can connect to the
Security Management Server.
Click Next.

Step Action
13a Note - For Check Point appliances only:
• Get a license automatically from the User Center https://usercenter.checkpoint.com and activate it, or use
the trial license.
• If there is a proxy server between the appliance and the Internet, enter its IP address and port.
• Click Yes to start the configuration process.
• A progress bar tracks the configuration of each task.
14 In the Summary view, confirm the system configuration.

Click Finish.
15 After the First Time Configuration Wizard completes and reboots the system, you can
download the SmartConsole from the Gaia Portal.
Configuring a Standalone Appliance in Quick Setup Mode

For more on Gaia Quick Standalone Setup on appliances, see sk102231

Installing Security Gateways

After you install the Gaia operating system, install the Security Gateways.
Installing Security Gateways on Appliances

For a list of supported appliances, see the R80.10 Release Notes.

1. Connect a standard network cable to the appliance management interface and to your
management network.
• The management interface is marked MGMT.
• This interface is pre-configured with the IP address 192.168.1.1
Note - Make sure that the management interface on the computer is on the same network
subnet as the appliance. For example: IP address 192.168.1.x and Netmask
255.255.255.0
You can change the interface in the Gaia Portal, after you complete the First Time
Configuration Wizard.
To configure Gaia Security Gateway appliances:
To install a Security Gateway:

1. Open a browser to the Gaia Portal: https://<management IP address>
3. The Portal shows the First Time Configuration Wizard. Click Next.
4. From the Deployment Options window, select Continue with R80.10 configuration. Click Next.
5. From the Management Connection window, enter an IPv4 address for the management
interface.
Optional:
• Configure an Internet Connection in the next window.
6. From the Device Information window, enter the host name of the server.
Optional:
• Enter the Domain Name, and IPv4 address for the DNS servers.
• Set the IP Address and port for a Proxy Server.
7. Click Next.
8. Configure the Date and Time Settings manually, or enter the hostname and IPv4 address of
the NTP server. Click Next.

9. For the Installation Type, select Security Gateway.

Optional: If you have to configure a cluster:
• Select Unit is a part of a cluster
• Select ClusterXL or VRRP Cluster
Click Next.
10. From the Dynamically Assigned IP window, answer yes or no. Click Next.
11. From the Secure Internal Communication (SIC) window, enter the Activation Key that you will
use later in the Security Gateway object in SmartConsole. Click Next.
12. The First Time Configuration Wizard Summary window shows the selected settings for the
system.
13. Click Finish.

Installing Security Gateways on Open Servers

This procedure explains how to install a Security Gateway in a distributed deployment after you
install the Operating System.
To install a Security Gateway on Gaia:

1. In your web browser, connect to the Gaia Portal:
https://<Gaia management IP address>
3. The First Time Configuration Wizard opens.
4. Click Next.
5. Select Continue with R80.10 configuration, and click Next.
6. Configure the Management Connection.
Optional: Configure an Internet Connection.
7. Enter the Device information:
• Host Name
• Domain Name
• Proxy Settings
8. Configure the Date and Time Settings.
9. For the Installation Type, select only Security Gateway.
Optional: If you configure a cluster:
• Select ClusterXL or VRRP Cluster
Click Next.
10. Answer yes or no to the Dynamically Assigned IP question.
11. Define the Secure Internal Communication (SIC) Activation Key that you will use later in the
Security Gateway object in SmartConsole.
12. The Summary window shows the selected settings for the system.
13. Click Finish.

Installing VSX Gateways

A VSX Gateway can be installed on certain Check Point appliances and Open Servers that meet the
minimum requirements listed in the R80.10 Release Notes.
Installing Security Gateways on Appliances

After you install the Gaia operating system, install the VSX Gateways.
For a list of supported appliances, see the R80.10 Release Notes.

management network.
• The management interface is marked MGMT.
• This interface is pre-configured with the IP address 192.168.1.1
Note - Make sure that the management interface on the computer is on the same network
subnet as the appliance. For example: IP address 192.168.1.x and Netmask
255.255.255.0
You can change the interface in the Gaia Portal, after you complete the First Time
2. Open a connection from a browser to the management IP address.
The login page opens.
3. Log in to the system with the default username and password: admin and admin
4. Click Login.
The First Time Configuration Wizard opens.
5. Follow the instructions on the screen.
Note - Settings that you configure in the First Time Configuration Wizard can be changed later
in the Gaia Portal. In your web browser, connect to the https://<appliance_ip_address>.
To configure Gaia Security Gateway appliances:

1. In your web browser, connect to the Gaia Portal: https://<management IP address>
4. Click Next.


• Host Name
• Domain Name
• Proxy Settings
8. Configure the Date and Time Settings manually, or use the Network Time Protocol (NTP).
• Select only ClusterXL
Click Next.
10. Answer no to the Dynamically Assigned IP question.
VSX Gateway object in SmartConsole.
13. Click Finish.

Installing Security Gateways on Open Servers

This procedure explains how to install a Security Gateway in a distributed deployment after you
install the Operating System.
To install a Security Gateway on Gaia:

1. In your web browser, connect to the Gaia Portal:
https://<Gaia management IP address>
4. Click Next.
• Host Name
• Domain Name
• Proxy Settings
8. Configure the Date and Time Settings.
• Select only ClusterXL
Click Next.
10. Answer no to the Dynamically Assigned IP question.
VSX Gateway object in SmartConsole.
13. Click Finish.

Installing Other Servers

You can deploy Gaia on other servers such as:
Endpoint Security ("Installing Endpoint Security" on page 37)
Log Server / SmartEvent ("Installing a Log Server / SmartEvent Server" on page 38)
Multi-Domain Server ("Installing a Multi-Domain Security Management" on page 40)
Installing Endpoint Security

The Network Security Management Server can also be an Endpoint Security Management Server.
Installing Endpoint Security Servers

Use the installation instructions in this guide to install Security Management Servers ("Installing a
Standalone" on page 27). You can enable the Endpoint Security Management Server after the
Security Management Server installation is completed.
To enable an Endpoint Security Management Server:

1. In SmartConsole, open the Security Management Server object.
2. Enable the Endpoint Policy Management blade.
3. In SmartConsole, install policy.
Check Point Cloud Services for Endpoint

After the Endpoint Security Management Server is enabled on the Security Management Server,
these components communicate with the Check Point cloud services:
• Endpoint Anti-Malware Software Blade – Downloads updates from the Check Point Malware
Update Server. These updates are mandatory for the correct functioning of the Anti-Malware
Software Blade. Preventing them causes severe security issues, because the blade does not
operate with the latest malware information database.
• Endpoint Anti-Malware Software Blade – Sends suspected malware to the Check Point
ThreatCloud Server. These updates increase the accuracy of malware detection by Check Point
Endpoint Security clients and Check Point Security Appliances. To turn them off, modify the
Anti-Malware rule in the Organizational Security Policy in SmartEndpoint.
• Endpoint Application Control Software Blade – Downloads information about classified known
applications from the Check Point ThreatCloud Server and sends unknown applications for
analysis. These updates are mandatory for the correct functioning of the Endpoint Application
Control Software Blade. Without these updates, the blade is unable to classify malicious
applications and automatically distinguish between them and non-malicious ones.

To enable an Endpoint Policy Server:

1. Use the instructions in this guide to install a Log Server.
2. Connect from SmartConsole to the Endpoint Security Management Server.
3. Create a new Log Server object.
4. Enable the Endpoint Policy Management and Logging & Status management Software Blades.
5. Install policy
When the Endpoint Policy Management blade is enabled, the Gaia Portal port changes from 443 to
4434. If you disable the blade, the port changes back to 443.
Disk Space for Endpoint Security

We recommend that you have at least 10 GB available for Endpoint Security in the Root disk
partition. Client packages and release files are stored under the Root partition.
The files include:
• 4 GB - Security Management Server installation files.
• 2 GB or more - Client files (each additional version of client packages requires 1GB of disk
space).
• 1 GB - Logs.
• 1 GB - High Availability support (more can be required in large environments).
Note - To make future upgrades easier, we recommend that you use a larger disk size than
necessary in this deployment.
Installing a Log Server / SmartEvent Server

You can install a dedicated Log server or SmartEvent server on Gaia appliances or open servers.
To install a Log Server / SmartEvent server:

1. In the First Time Configuration Wizard Products page, select Products > Security
Management > Define Security Management as: > Log Server/SmartEvent only.
Note - Do not select Security Gateway.
2. Click Next.
3. After you move forward and get to the Secure Internal Communication (SIC) page, define the
Activation Key. Use this key to configure the dedicated server for SmartEvent object in
SmartConsole.
Minimum Disk Space

The Security Management Server or Log Server with log indexing enabled, creates and uses index
files for fast access to log file content. Index files are located by default at
$RTDIR/log_indexes.
To make sure that there is always sufficient disk space on the server, the server that stores the
log index deletes the oldest index entries when the available disk space is less than a specified
minimum. The default minimum value is 5000 MB, or 15% of the available disk space.

To change the minimum available disk space for Logs and indexes:
1. In SmartConsole, edit the Security Management Server or Log Server or SmartEvent network
object.
2. From the Gateways & Servers double-click an object. The Check Point Host window opens.
3. Click Logs > Storage.
4. Select When disk space is below <number> Mbytes, start deleting old files.
5. Change the disk space value.
6. Click OK.
Note - In a Multi-Domain Security Management environment, the disk space for logs and
indexes is controlled by the Multi-Domain Server, and applies to all Domain Management
Servers. Configure the disk space on the Multi-Domain Server object.

Installing a Multi-Domain Security Management

Installing a Multi-Domain Server on Smart-1 Appliances
Install a Multi-Domain Server on supported Smart-1 models.
To install a Multi-Domain Server on an appliance:

The Gaia operating system comes pre-installed on your appliance.
1. While the appliance restarts, connect with a Serial or console connection.
2. When prompted, press any key to enter the boot menu.
3. Select Reset to factory defaults - Multi-Domain Server and press Enter.
4. Type yes and press Enter.
The Multi-Domain Server is installed on the appliance and then the appliance resets.

management network.
The management interface is marked MGMT.
2. In your web browser, connect to the default management IP address:
https://192.168.1.1
3. Log in to the system using the default login name/password: admin/admin.
Note - You can use the Gaia Portal menu to configure the appliance settings. In your web
browser, connect to the https://<appliance_ip_address>:4434
4. Set the username and password for the administrator account.
5. Click Save and Login.
To configure a Multi-Domain Server on Smart-1 appliances:

1. Configure these options in the Gaia Portal, in the Image Management page.
In the Deployment Options page, select Continue with Gaia configuration.
Other options are:
Clean install
• Install a version from the Check Point Cloud.
• Install from a USB device.
Recovery
• Automatic version recovery from the Check Point Cloud.
• Import an existing snapshot.
2. Click Next.
3. In the Authentication Details page, change the default administrator password.
Click Next.

4. In the Management Connection page, set an IPv4 and an IPv6 address for the management
interface, or set one IP address (IPv4).
You can change the Management IP address. Gaia automatically creates a secondary interface
to keep connectivity when the management interface is not available. After you complete the
First Time Configuration Wizard, you can remove this interface in the Interface Management >
Network Interfaces page.
5. Optional: In the Connection to User Center page, configure an external interface to connect to
the Check Point User Center. Use this connection to download a license and activate it.
Alternatively, use the trial license. To connect to the User Center, you must also configure
DNS and (if applicable) a Proxy Server, in the Device Information page of the First Time
6. In the Device Information page, set the Host Name for the appliance.
Optional:
• Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
• To connect to the User Center, set the IP Address and Port for a Proxy Server. Do this if you
want to activate the appliance by downloading a license from the User Center.
Click Next.
7. In the Date and Time Settings page, set the date and time manually, or enter the hostname,
IPv4 address or IPv6 address of the NTP server.
Click Next.
8. In the Products page, select Multi-Domain Server and Primary.
For R77.10 and higher: Automatically download Blade Contracts and other important data.
Check Point highly recommends that you select Automatic Downloads (on page 152).
9. In the Security Management Administrator page, define the name and password of a
Superuser administrator that can connect to the Multi-Domain Server using SmartConsole
clients.
Click Next.
10. In the Multi-Domain Server GUI Clients page, define IP addresses from which SmartConsole
clients can log in to the Multi-Domain Server.
• If you select This machine or Network, define an IPv4 or an IPv6 address.
• You can also select a range of IPv4 addresses.
Click Next.
11. In the Appliance Activation page, get a license automatically from the User Center and
activate it, or use the 15 day trial license.
Click Next.
12. In the Summary page, review your choices. Click Finish.
Optional: Improve product experience by Sending Data to Check Point (on page 153).
13. To start the configuration, click Yes > OK.
14. Download SmartConsole from the Gaia Portal.
a) In your web browser, connect to the Gaia Portal: https://<management_ip_address>
b) In the Overview page, click Download Now!

To configure a secondary Multi-Domain Server on appliances:

Use the same procedure as for the primary Multi-Domain Server with these changes:
• Use a different IP address for the management interface on the secondary appliance.
• Select Secondary Multi-Domain Server.
• Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway
object in SmartConsole and then click Next.
This key is necessary to configure the appliances in SmartConsole.

Installing a Multi-Domain Server on Gaia Open Servers

To install and configure Check Point products on Gaia, use the First Time Configuration Wizard
("Running the Gaia First Time Configuration Wizard" on page 18) or configure the operating
system and install the products in the Gaia Portal.
To install Multi-Domain Server on a Gaia open server:

1. In your web browser, connect to the Gaia Portal: https://<Gaia management IP address>
during Gaia installation.
4. Click Next.
5. Select Continue with R80.10 configuration.
6. Click Next.
7. Set an IPv4 address for the management interface.
Click Next.
8. Enter the host name of the server.
Optional:
• Enter the domain name, and IPv4 addresses for the DNS servers.
• Set the IP Address and Port for a Proxy Server.
Click Next.
9. Set the date and time manually, or enter the hostname and IPv4 address of the NTP server.
Click Next.
10. Enter the username and password for the Security Management Server administrator account.
Click Next.
11. For Installation Type, select Multi-Domain Server. Click Next.
12. For the type of server, select Primary Multi-Domain Server.
13. Select the Leading VIP Interfaces.
Leading interfaces are physical interfaces that connect to the external network. These
interfaces are for Domain Management Server virtual IP addresses. Each leading VIP interface
can have up to 250 virtual IP addresses (250 Domain Management Servers).
14. Configure the GUI clients that can log into the Multi-Domain Server. Click Next.
15. Set the Name and Password for the Multi-Domain Server administrator account. Click Next.
16. Review the summary and then click Finish.
17. Click Yes when prompted to start the configuration process.
18. Click OK.
19. If the Help Check Point Improve window opens, click Yes or No. Check Point recommends that
you click Yes. Your data is never shared with third parties.

Installing a Multi-Domain Log Server

You can install a dedicated Multi-Domain Log Server on a Gaia appliance or open server. Start to
install the products as for a Multi-Domain Server, but stop at the step where you select
components.
To install a Multi-Domain Log Server:

1. In the First Time Configuration Wizard Products page, select Multi-Domain Log Server.
2. In the Secure Internal Communication (SIC) page, define the Activation Key.

Post-Installation Configuration
You can use the Check Point configuration tool (cpconfig for Security Management Server or
mdsconfig for Multi-Domain Security Management) to configure settings after installation:
• Licenses and Contracts: Add or delete licenses for the Security Management Server and
Security Gateways.
• Administrators: Define administrators with Security Management Server access permissions.
These administrators must have Read/Write permissions to create the first Security Policy.
• GUI Clients: Define client computers that can connect to the Security Management Server
using SmartConsole clients.
Make sure that no firewall blocks port 19009 between the management server and
SmartConsole clients.
• Certificate Authority: Starts the Internal Certificate Authority (ICA), which makes connections
between the Security Management Server and Gateways. For Windows, you must define the
name of the ICA host. You can use the default name or define your own. The ICA name must be
in the host name.domain format, for example, ica.checkpoint.com.
• Fingerprint: Save the certificate fingerprint when you log in to SmartConsole clients for the
first time.
Enabling IPv6 on Gaia

IPv6 is automatically enabled if you configure IPv6 addresses in the First Time Configuration
Wizard.
If you did not do this, enable IPv6 in one of the following ways:
To enable IPv6 using Clish:

# set ipv6-state on
# save config
# reboot
To enable IPv6 using the Gaia Portal:

1. In the Gaia Portal navigation tree, select System Management > System Configuration.
2. For IPv6 Support, select On > Apply.
3. When prompted, select Yes to reboot.

CHAPTE R 5
Installing SmartConsole
In This Section:
Logging in to SmartConsole.........................................................................................46
Troubleshooting SmartConsole ...................................................................................47
SmartConsole is a GUI client you use to manage the Check Point environment. For SmartConsole
requirements, see the R80.10 Release Notes.
You can download the SmartConsole installation package from:
• R80.10 Home Page SK http://supportcontent.checkpoint.com/solutions?id=sk111841
• Check Point Support Center http://supportcenter.checkpoint.com
• Gaia Portal of your Security Management Server or Multi-Domain Server.
To download SmartConsole package from the Gaia Portal:

1. In your web browser, connect to https://<IP Address of Gaia Management Interface>
2. On the Overview page, click Download Now!
3. Save the SmartConsole installation file.
To install the SmartConsole clients on Windows platforms:

1. Transfer the SmartConsole installation file to a Windows-based computer.
2. Run the SmartConsole installation file with Administrator privileges.
3. Follow the instructions on the screen.
Logging in to SmartConsole
To log in to SmartConsole:
1. Open the SmartConsole application.
2. Enter the IP address of resolvable hostname of the Security Management Server or
Multi-Domain Server.
The Management Server authenticates the connection when you log in for the first time.
Multiple administrators can be logged in at one time.
3. Enter your administrator credentials or select the certificate file.
4. Click Login.
5. If necessary, confirm the connection using the fingerprint generated during the installation.
You see this only the first time that you log in from a SmartConsole client computer.

Installing SmartConsole
Troubleshooting SmartConsole
Make sure the SmartConsole computer can access these ports on the Management Server:
• 18190
• 18264
• 19009
For more information, see:
• sk52421: Ports used by Check Point software
http://supportcontent.checkpoint.com/solutions?id=sk52421
• sk43401: How to completely disable FireWall Implied Rules

CHAPTE R 6
High Availability
In This Section:
Understanding Full High Availability on Appliances ...................................................48
Installing Standalone Full High Availability on Gaia Appliances ................................49
Configuring Standalone Full High Availability on Appliances ....................................52
Configuring Management High Availability .................................................................55
Understanding Full High Availability on Appliances

Two Security Management Servers that work together are configured as Management High
Availability. Two Security Gateways that work together are configured as ClusterXL. When you
deploy a Full High Availability cluster, you reduce the maintenance required for your systems.
Full High Availability cluster is a cluster of two Check Point appliances. Each appliance runs a
Security Management Server and a Security Gateway. In the image below, the appliances are
denoted as (1) and (3). The two appliances are connected with a direct connection (2) and work in
High Availability mode.
The Security Management Server on one appliance runs as Primary (1), and the second appliance
runs as Secondary (3). ClusterXL on one appliance runs as Active, and on the second appliance,
runs as Standby.
For information on Cluster functionality, see the R80.10 ClusterXL Administration Guide
For information Security Management Servers, see the R80.10 Security Management
Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=54842.
After you install the Gaia operating system on each appliance, configure Full High Availability.
First, use the First Time Configuration Wizard, then configure the ClusterXL High Availability
options in SmartConsole.
Note - SmartEvent Server and SmartReporter are not supported in Management High Availability
and ClusterXL Full High Availability environments. For these environments, install SmartEvent
Server and SmartReporter on dedicated machines. To learn more, see sk25164

High Availability
Installing Standalone Full High Availability on Gaia

Appliances
To configure the primary management:
1. Connect the appliance to your management network through the management interface,
which is marked MGMT.
https://<appliance_ip_address>
4. Click Login.
5. Select Continue with configuration of Gaia R80.10.
6. Click Next.
7. Set the username and password for the administrator account. Click Next.
The IP address is automatically taken from the Gaia operating system. If you change the
management IP address, the new IP address is assigned to the interface. The old IP address is
added as an alias and is used to maintain connectivity.
9. Internet Connection - Optionally, define a second interface for the appliance.
10. Set the host name for the appliance.
Optional:
• Set the domain name and IP addresses for the DNS servers.
• Set the IP Address and port for a Proxy Server
11. Click Next.
Click Next.
13. Select Security Gateway and Security Management.
14. Configure these Advanced settings:
• Select Unit is part of a cluster
• Select ClusterXL
• Select Primary
15. Click Next.
16. Set the username and password for the Security Management Server administrator account
and then click Next.
17. Define IP addresses from which SmartConsole clients can log in to the Security Management
Server.
• Any IP Address
• If you select This machine or Network, define an IPv4 address.
• You can also select a range of IPv4 addresses.
18. Click Next.
19. Click Next.
High Availability
20. Review the summary and, if correct, click Finish.

21. To start the configuration process, click Yes.
22. When prompted to reboot, click OK.
Gaia R80.10 is installed on the appliance.
23. Log in to the Gaia Portal with the new management IP address that you entered in the First
24. Double-click the SYNC or eth1 interface and configure the settings. This interface is used to
synchronize with the other appliance. Click Apply.
25. Configure the settings for other interfaces that you are using.
26. Use a cross-over cable to connect the SYNC or eth1 interfaces on the two appliances.
27. If necessary, download SmartConsole from the Gaia Portal.
To configure the secondary management:

1. Connect the appliance to your management network through the management interface,
which is marked MGMT.
https://<appliance_ip_address>
4. Click Login.
5. Select Continue with configuration of Gaia R80.10.
6. Click Next.
7. In the First Time Configuration Wizard, set the username and password for the administrator
account and then click Next.
The primary and secondary management servers must have different IP addresses.
9. Internet Connection - optionally define a second interface for the appliance.
10. Set the host name for the appliance.
Optional:
• Set the domain name, and IPv4 addresses for the DNS servers.
• Set the IP Address and Port for a Proxy Server
11. Click Next.
13. Click Next.
14. Select Security Gateway and Security Management.

High Availability
15. Configure these Advanced settings:

• Select Unit is part of a cluster
• Select ClusterXL
• Select Secondary
Click Next.
16. Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway
object in SmartConsole and then click Next.
17. Review the summary and, if correct, click Finish.
18. To start the configuration process, click Yes.
19. Click OK.
Gaia R80.10 is installed on the appliance.
20. Log in to the Gaia Portal with the new management IP address that you entered in the First
21. Double-click the SYNC or eth1 interface and configure the settings. This interface is used to
synchronize with the other appliance.
Use a different IP address for the SYNC or eth1 interface on the secondary appliance. Make
sure that the primary and secondary appliances are on the same subnet.
Click Apply.
22. Configure the settings for other interfaces that you are using.
23. Make sure a cross-over cable connects the SYNC or eth1 interfaces on the two appliances.
24. If necessary, download SmartConsole from the Gaia Portal.
Upgrading Standalone Full High Availability Appliances on Gaia

Operating System
After upgrading a Full High Availability deployment to R80.10, you must re-establish SIC between
the Active and Standby cluster members.

High Availability
Configuring Standalone Full High Availability on

Appliances
After you set up the appliances for Standalone Full High Availability, configure this deployment in
SmartConsole. You must configure both cluster members before you open the cluster
configuration wizard in SmartConsole.
The LAN1 interface serves as the SYNC interface between cluster members. If not configured,
SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. If these addresses are
already in use, their values can be manually adjusted. If you manually adjust the default IP SYNC
addresses, verify that both reside on the same subnet.
Note - All interfaces in the cluster must have unique IP addresses. If the same IP address is used
twice, policy installation will fail. This error message will show: A load on gateway failed
The cluster has a unique IP address, visible to the internal network. The unique Virtual IP address
makes the cluster visible to the external network, and populates the network routing tables. Each
member interface also has a unique IP address, for internal communication between the cluster
members. These IP addresses are not in the routing tables.
To configure Standalone Full High Availability:

1. Open SmartConsole and connect to the primary appliance and then click Approve to accept
the fingerprint as valid.
The Security Cluster wizard opens. Click Next.
2. Enter the name of the Standalone Full High Availability configuration. Click Next.
3. Configure the settings for the secondary appliance:
a) In Secondary Member Name, enter the hostname.
b) In Secondary Member Name IP Address, enter the IP address of the management
interface.
c) Enter and confirm the SIC activation key.
4. Click Next.
5. Configure the IP address of the paired interfaces on the appliances. Select one of these
options:
• Cluster Interface with Virtual IP - Enter a virtual IP address for the interface.
• Cluster Sync Interface - Configure the interface as the synchronization interface for the
appliances.
• Non-Cluster Interface - Use the configured IP address of this interface.
6. Click Next.
7. Do step 5 again for all the interfaces. Click Finish.

High Availability
Removing a Cluster Member

You can remove one of the two members of a cluster without deleting the cluster object. A cluster
object can have only a primary member, as a placeholder, while you do maintenance on an
appliance. You must remove the cluster member in the Gaia Portal and in the CLI.
To remove a cluster member:

1. Open the Gaia Portal of the member to keep.
2. Open Product Configuration > Cluster.
3. Click Remove Peer.
• If the current member is the primary member, the secondary member is deleted.
• If the current member is the secondary member, the secondary member is promoted to
primary. Then the peer is deleted.
Services running on the appliance are restarted.
4. Open SmartConsole.
5. Delete the peer cluster member from the cluster object.
6. Publish (Ctrl+S).
7. On the appliance command line, run: cp_conf fullha disable
This command changes back the primary cluster member to a standalone configuration.
8. Reboot.
The former cluster object is now a locally managed gateway and Security Management Server.
Adding a New Appliance to a High Availability Cluster

You can add a standalone appliance to a cluster, after the High Availability cluster is defined. You
can change which member is primary.
To add an existing appliance to a cluster:

1. Open the Gaia Portal of the appliance.
2. On the Product Configuration, Cluster page, select Make this Appliance the primary member
of a High Availability Cluster.
3. Click Apply.
4. Reboot the appliance.
5. In SmartConsole, open the object of the primary member.
The first-time cluster configuration wizard opens.
6. Complete the wizard to configure the secondary cluster member.
Troubleshooting network objects:

In SmartConsole, the network object of the standalone appliance is converted to a cluster object. If
the standalone appliance was in the Install On column of a rule, or in the Gateways list of an IPSec
VPN community, the cluster object is updated automatically. For all other uses, you must
manually change the standalone object to the cluster object. These changes can affect policies.

High Availability
To see objects and rules that use the object to change:

1. Right-click the standalone object and select Where Used.
2. Select a line and click Go To.
3. In the window that opens, replace the standalone object with the cluster object.
If the Where Used line is a:
• Host, Network, Group - Browse through the pages of the properties window that opens,
until you find the object to change.
• Policy (for example, dlp_policy) - Open the Gateways page of the Software Blade. Remove
the standalone object. Add the cluster object.
4. In Where Used > Active Policies, see the rules that use the standalone object.
5. Select each rule and click Go To.
6. Edit those rules to use the cluster object.
Note - The icon in SmartConsole changes to show new status of the appliance as a primary
cluster member. The Name and UID of the object in the database stay the same.
Recommended Logging Options for High Availability

In High Availability, log files are not synchronized between the two cluster members. For this
reason, we recommend that you configure the logs of the cluster.
To forward cluster logs to an external log server:
1. Open the properties of the cluster object.
2. Open Logs > Additional Logging.
3. Click Forward log files to Log Server, and select the Log Server.
4. Select or define a time object for Log forwarding schedule.
Or:
Configure SmartEvent and SmartReporter with standard reports, to use only one of the cluster
members as a source for log file correlation and consolidation.

High Availability
Configuring Management High Availability

You can install a Primary and Secondary server on two Smart-1 appliances or two open servers.
The databases are synchronized. If the Primary is Active and goes down, you can set the
Secondary server to be Active.
Prerequisites for Management High Availability

• The Primary and Secondary servers must be R80.10 clean installed from the same ISO. If they
are open servers, they must have the same operating system.
• To enable SmartEvent, see sk25164
High-Level Workflow to install and configure Management High Availability:

1. Configure the primary server with the First Time Configuration Wizard.
2. Configure the secondary server with the First Time Configuration Wizard:
• In the Management Connection page, use a different IP address for the management
interface on the secondary appliance.
• In the Products page, select Secondary.
If prompted to install a Primary Multi-Domain Server, enter no.
• In the Secure Internal Communication (SIC) page, define the Activation Key. Use this key
to configure the secondary server object in SmartConsole.
3. From SmartConsole:
a) Log in to the primary server.
b) Create a Check Point Host object for the secondary server.
c) Initialize SIC with the secondary server.
To set the Secondary server to be Active:

1. Open the SmartConsole and log in to the Secondary server.
2. Click Menu > Management High Availability.
3. In the High Availability Status window > Connected To, click Actions > Set Active.
For more about configuring High Availability for Security Management Servers, see the R80.10
Security Management Administration Guide
For about how to configure High Availability for Multi-Domain Security Management, see the
R80.10 Multi-Domain Server Administration Guide

CHAPTE R 7
Using Monitor Mode

In This Section:
Configuring Monitor Mode ...........................................................................................56
Supported Software Blades for Monitor Mode ...........................................................57
Unsupported Software Blades for Monitor Mode .......................................................58
Unsupported Deployments for Monitor Mode.............................................................58
Configure Monitor Mode on Security Gateway interfaces, to monitor traffic from a mirror port or
span port on a switch. Use Monitor Mode to analyze network traffic without changing the
production environment. The mirror port on a switch duplicates the network traffic and sends it to
the monitor interface on the gateway to record the activity logs.
You can use mirror ports:
• To monitor the use of applications as a permanent part of your deployment
• To evaluate the capabilities of the Application Control and IPS blades before you buy them
The mirror port does not enforce a policy or run active operations (prevent, drop, reject) on
network traffic. It can be used only to evaluate the monitoring and detecting capabilities of the
Software Blades. All duplicated packets that arrive at the monitor interface of the gateway are
terminated and will not be forwarded. The Security Gateway does not send traffic through the
monitor interface.
Configuring Monitor Mode

You can configure a mirror or TAP port to duplicate network traffic that is sent to a Security
Gateway. The gateway inspects the traffic but does not drop packets.
Connect the Security Gateway to a mirror port on the switch that duplicates the ports and VLANs.

Using Monitor Mode
Item Description
1 Switch with mirror port
2 Computers
3 Servers
4 Security Gateway in monitor mode
5 Management for Security Gateway
Note - Make sure that one mirror port on the switch is connected to one interface on the Security
Gateway.
To enable Monitor Mode on the Security Gateway from the Gaia Portal:
1. From the navigation tree, click Network Management > Network Interfaces.
2. Select the interface and click Edit.
3. Click the Ethernet tab and check Monitor Mode.
4. Click OK.
To enable monitor mode on the Security Gateway from the Gaia Clish:
# set interface <interface name> monitor-mode on
Supported Software Blades for Monitor Mode

These Software Blades support Monitor mode for Security Gateway deployment:
Supported Blade Supports Gateways in Supports Virtual System in

Monitor Mode Monitor Mode
Firewall Yes Yes
IPS Yes Yes
URL Filtering Yes Yes
DLP Yes No
Anti-Bot Yes Yes
Application Control Yes Yes
Identity Awareness Yes No
Threat Emulation Yes Yes

Using Monitor Mode
Unsupported Software Blades for Monitor Mode

These features, Software Blades, and deployments are not supported in Monitor mode:
• NAT
• IPsec VPN
• HTTPS Inspection
• Mobile Access
• DLP with FTP
• HTTP/HTTPS proxy
• Anti-Spam and Email Security
• QoS
• Traditional Anti-Virus
• User Authentication
• Client Authentication
Unsupported Deployments for Monitor Mode

These are deployments do not support Monitor Mode:
• Access to Portals
• Multiple TAP interfaces when the same traffic is monitored

CHAPTE R 8
Backing Up and Restoring

In This Section:
Gaia Snapshot Image Management .............................................................................60
Backing up the Configuration of Gaia ..........................................................................65
mds_backup ..................................................................................................................67
mds_restore..................................................................................................................69
Best Practices:
1. Save a backup of your source system as the first step of an upgrade.
2. Save a second backup immediately after the Pre-Upgrade Verifier successfully completes with
no further suggestions.
3. Transfer the backup files and exported database files to external storage devices.

Gaia Snapshot Image Management

Before you upgrade a computer or appliance, back up with a snapshot. A snapshot saves the
configuration of the Gaia operating system and, on a management server, the database. You can
save snapshots on demand, or create a backup schedule.
You can revert to this snapshot to uninstall the new release.
Before you use snapshot image management, see sk91400
http://supportcontent.checkpoint.com/solutions?id=sk91400 and sk98068
A snapshot is a backup of the system settings and products:
• File system, with customized files
• System configuration (interfaces, routing, hostname, and similar)
• Software Blades
• Management database (on a Security Management Server or a Multi-Domain Server)
You can import a snapshot that was made on a different release or on this release. You must
import it to the same appliance or open server hardware model.
IMPORTANT - After importing the snapshot, you must activate the device license from the Gaia
Portal, or the User Center https://usercenter.checkpoint.com.
Snapshot options:
• Revert
• To a user created image.
• To a factory default image.
This is automatically created on Check Point appliances by the installation or upgrade
procedure.
• Delete an image from the local system.
• Export an existing image. This creates a compressed version of the image. You can download
the exported image to a different computer and delete the exported image from the Gaia
computer. This saves disk space.
Important! You must not rename the exported image. If you rename a snapshot image, it is not
possible to revert to it.
• Import an exported image.
• View a list of images that are stored locally.
Note - During the snapshot creation, all the system processes and services continue to run, and
the Security Policy enforcement does not get interrupted.

Snapshot Prerequisites
Before you create a snapshot image, make sure the appliance or storage destination meets these
prerequisites:
• To create the snapshot image requires free space on the disk. The required free disk space is
the size of the system root partition multiplied by 1.15.
Note - A snapshot image is created in unallocated space on the disk. Not all of the unallocated
space on a disk can be used for snapshots. To find out if you have enough free space for
snapshots:
a) Connect to the command line on the Security Management Server.
b) Log in to the Gaia Clish.
c) Run:
show snapshots
The output shows the amount of space on the disk available for snapshots. The value does not
represent all of the unallocated space on the disk.
• The free disk space required in the export file location is the size of the snapshot image
multiplied by two.
The minimal size of a snapshot image is 2.5GB. Therefore, the minimal necessary free disk
space in the export file location is 5GB.
Working with Snapshot Management - Gaia Portal

Before you create a snapshot image, make sure the appliance or storage destination meets the
prerequisites.
See sk98068: Gaia Limitations after Snapshot Recovery
To create a snapshot:
1. In the navigation tree, click Maintenance > Snapshot Management.
2. Click New.
The New Image window opens.
3. In the Name field, enter a name for the image.
Optional: In the Description field, enter a description for the image.
4. Click OK.
To restore a snapshot:
1. In the navigation tree, click Maintenance > Image Management.
2. Select a snapshot.
3. Click Revert.
The Revert window opens.
Note - Pay close attention to the warnings about overwriting settings, the credentials, and the
reboot and the image details.
4. Click OK.

To delete a snapshot:
3. Click Delete.
The Delete Image window opens.
4. Click OK.
To export a snapshot:
3. Check the snapshot size.
4. Make sure that there is enough free disk space in the /var/log/ partition:
a) Connect to the command line on Gaia.
b) Log in to Expert mode.
c) Run:
[Expert@HostName]# df -kh | egrep "Mounted|/var/log"
Check the value in the Avail column.

5. In Gaia Portal, select a snapshot.
6. Click Export.
The Export Image window opens.
7. Click Start Export.
Important - You must not rename the exported image. If you rename a snapshot image, it is not
possible to revert to it.
To import a snapshot:
To use the snapshot on another appliance, it has to be the same type of appliance you used to
export the image.
2. Click Import.
The Import Image window opens.
3. Click Browse to select the snapshot file for upload.
4. Click Upload.
5. Click OK.

Working with Snapshot Management - Gaia Clish

Before you create a snapshot image, make sure the appliance or storage destination meets the
prerequisites.
See sk98068: Gaia Limitations after Snapshot Recovery
Description
Manage system images (snapshots).
Syntax
• To create a new snapshot image:
add snapshot <Name of Snapshot> desc "<Description of Snapshot>"
• To export an existing snapshot image:

set snapshot export<SPACE><TAB>
set snapshot export <Name of Snapshot> path <Path> name <Name of Exported
Snapshot>
• To import a snapshot image:

set snapshot import <External Name of Snapshot> path <Path> name <Name of
Imported Snapshot>
• To revert to an existing snapshot image:

set snapshot revert<SPACE><TAB>
set snapshot revert <Name of Snapshot>
Important - Reverting to the selected snapshot will overwrite the existing running
configuration and settings. Make sure you know credentials of the snapshot, to which you
revert.
• To show snapshot image information:
show snapshot <Name of Snapshot>
all
date
desc
size
show snapshots
• To delete a snapshot image:

delete snapshot <Name of Snapshot>
Important - After you add, configure, or delete features, run the save config command to save
the settings permanently.

Parameters
Parameter Description
snapshot <Name of Snapshot> Configures the name of the snapshot image.

You must enter a string that does not contain spaces.
desc "<Description of Snapshot>" Configures the description of the snapshot image.

You must enclose the text in double quotes, or enter the
string that does not contain spaces.
export <Name of Snapshot> Selects the snapshot image you export by the specified
name.
import <Name of Snapshot> Selects the snapshot image you import by the specified
name.
path <Path> Configures the path to the specified snapshot image file
(for example: /var/log/).
name <Name of Exported Snapshot> Configures the name, under which the exported
snapshot image file is stored on the hard disk.
name <Name of Imported Snapshot> Configures the name, under which the imported
snapshot image is stored on Gaia.
Example
gaia> add snapshot snap1 desc first_image_after_installation
gaia> set snapshot export snap1 path /var/log/ name first_image_after_installation
Notes:
• You must not rename the exported image. If you rename a snapshot image, it is not possible to
revert to it.
• You can import a snapshot only on the same Gaia computer, from which it was exported.

Backing up the Configuration of Gaia

You can back up the configuration of the Gaia operating system and of the Security Management
Server database. The configuration is saved to a .tgz file. You can store backups locally, or
remotely to a TFTP, SCP, or FTP server. You can run the backup manually or on a schedule. You
can restore a previously saved configuration.
See these sk articles:
• How to Backup and Restore Gaia sk91400
• Gaia Limitations after Snapshot Recovery sk98068
Backing Up the System from the Gaia Portal

To add a backup:
1. In the tree view, click Maintenance > System Backup
2. Click Backup.
The New Backup window opens.
3. Select the location of the backup file:
• This appliance
• TFTP server. Specify the IP address.
• SCP server. Specify the IP address, user name and password.
• FTP server. Specify the IP address, user name and password.
Backing Up Security Management Server with CLI

Description Create and save the system's configuration.
Syntax add backup {local | tftp ip <ip> | {ftp | scp} ip <ip> username <name>
password plain}
local Save the backup locally, to /var/CPbackup/backups/
ip The IP address of the remote server.
username User name required to log in to the remote FTP or SCP server.
password plain At the prompt, enter the password for the remote FTP or SCP server.

Output:
gw> add backup local
Creating backup package. Use the command 'show backups' to monitor creation
progress.
gw> show backup status

Performing local backup
gw> show backups

backup_gw-8b0891_22_7_2012_14_29.tgz Sun, Jul 22, 2012 109.73 MB
To monitor the creation of a backup: show backup status

To see the status of the last backup: show backups

mds_backup
You can back up the complete Multi-Domain Server, including all the Domain Management
Servers, binaries, and user data, with the mds_backup command. If the Multi-Domain Security
Management environment has multiple Multi-Domain Servers, back up all of them at the same
time.
This command requires Superuser privileges.
mds_backup executes the gtar command on product root directories containing data and
binaries, and backs up all files, except those specified in the $MDSDIR/conf/mds_exclude.dat
file.
The collected data is stored in a single .tgz file, in the current working directory, named with the
date-time. For example: 13Sep2002-141437.mdsbk.tgz
To back up a Multi-Domain Server:

1. Go to a path outside the product directory.
Do not run mds_backup from a directory that will be backed up, to avoid a circular reference.
For example, do not run mds_backup from /opt/CPmds-R80.
2. Run: mds_backup
3. When the process is done, copy the .tgz file, with the mds_restore, gtar and gzip
command files, to an external backup location.
Syntax
mds_backup [-g -b {-d <target dir name>} -v -h]
-g Executes without prompting to disconnect GUI clients.
-b Batch mode - Executes without asking anything (-g is implied).
-d Specifies a directory store for the backup file. When not specified, the backup file is
stored in the current directory. You cannot store the backup file in any location
inside the product root directory tree.
-v Verbose mode - Lists all files to be backed up, but do not perform the backup
operation.
-l Exclude logs from the backup.
-h Help - Displays help text.
Comments When using the -g or -b options, make sure that no GUI clients or log servers are
connected. If there are client connections, the backup can be corrupted if changes are made
during the backup process.
Active log files are not backed up, to avoid read-during-write inconsistencies. It is best practice to
run a log switch before backup.
You can back up the Multi-Domain Server without log files. The .tgz will be much smaller.

To make sure all logs are excluded:

1. Open: $MDSDIR/conf/mds_exclude.dat
2. Add: log/*
3. Save the file.

mds_restore
You can restore a Multi-Domain Server that was backed up with mds_backup. Make sure you
have the operating system settings that you noted when you backed up.
If the Multi-Domain Security Management environment has multiple Multi-Domain Servers,
restore all Multi-Domain Servers at the same time.
To restore your original environment:

1. Log in to expert mode.
2. Remove the R80.10 installation with the mds_remove utility.
3. Go to the path of the backup file.
4. Log in to expert mode.
5. Run: ./mds_restore <backup_file>
6. If you restore a Multi-Domain Server to a new IP address, configure the new address.

Upgrading Prerequisites
CHAPTE R 9
In This Section:
Before Upgrading .........................................................................................................70
Contract Verification .....................................................................................................72
Upgrade Utilities ...........................................................................................................73
Using the Pre-Upgrade Verifier ...................................................................................74
Upgrading Successfully ................................................................................................75
Upgrading the vSEC Controller on the Security Management Server.......................76
Supported Security Gateways ......................................................................................77
Service Contract Files ..................................................................................................78
Before Upgrading
Before you upgrade:
• Make sure that you have the latest version of this document.
• See the R80.10 Release Notes for supported upgrade paths.
• Make sure that the target server meets the minimum hardware and operating system
requirements and is configured identically to the source server.
If the target server uses a different leading IP address than the source, change the target IP
address and the external interface.
• Upgrade all Management servers in your deployment, including those in High Availability
configuration:
• Upgrade R80 and higher Secondary Security Management Servers.
• For Secondary Security Management Servers of R77.xx and lower, do a clean installation
and re-establish the SIC trust. Management High Availability synchronization will start
automatically.
• Upgrade Secondary Multi-Domain Security Management servers from R80, and R77.xx and
lower.
• For upgrade of Management servers in High Availability configuration: If the Primary
management server was upgraded from R80 (with or without the Jumbo Hotfix Accumulator)
to R80.10, you must upgrade the Secondary management server in the same way.
Warning - If you upgrade from R7x versions and have files in the $FWDIR/lib/ directory
and/or the $FWDIR/conf/ directory that you changed manually, the changes will be lost. Make
sure you save the customized INSPECT files on an external storage and understand how to
replicate the required changes.
Important - If you use the Mobile Access Software Blade and you edited the configurations, review
the edits before you upgrade to R80.10.

1. Open these files on the computer to upgrade and make note of custom changes:
$CVPNDIR/conf/cvpnd.C (Gateway configuration)
$CVPNDIR/conf/httpd.conf (Apache configuration)
$CVPNDIR/conf/includes/* (Apache configuration)
$CVPNDIR/var/ssl/ca-bundle/ (Local certificate authorities)
$CVPNDIR/conf/SmsPhones.lst (DynamicID - SMS OTP - Local Phone List)
/var/ace/sdconf.rec (RSA configuration)
All PHP files
All replaced image files (*.gif, *.jpg)
2. Upgrade to R80.10.
3. Update Mobile Access Endpoint Compliance:
a) In SmartConsole, from the left Navigation Toolbar, click Security Policies.
b) In the Shared Policies section, click Mobile Access > Open Mobile Access Policy in
SmartConsole.
c) In SmartConsole, click Mobile Access tab > expand Endpoint Security On Demand > click
Endpoint Compliance Updates > click Update Databases Now.
d) Close SmartConsole.
4. Manually edit the new versions of the files, to include your changes.
Do not overwrite the R80.10 files with your customized files!

Contract Verification
Before upgrading a gateway or Security Management Server, you need to have a valid support
contract that includes software upgrade and major releases registered to your Check Point User
Centeraccount. The contract file is stored on Security Management Server and downloaded to
Check Point Security Gateways during the upgrade process. By verifying your status with the User
Center, the contract file enables you to easily remain compliant with current Check Point licensing
standards.
For more on service contracts, see sk33089

Upgrade Utilities
Before an upgrade, a set of utilities search your installation for known upgrade issues. The output
of the utilities is saved to a log file and an HTML file, with these message types:
• Action items before the upgrade: Errors that you must repair before the upgrade (for
example, an invalid policy name), and warnings of issues for you to decide whether to fix before
upgrade. Some messages recommend that you run utilities to fix an issue. In most cases, you
must fix the issues manually.
• Action items after the upgrade: Errors and warnings, to be handled after the upgrade.
• Information messages: Items to be aware of. For example, an object type is not supported in
the upgraded version but is in your database and is converted during the upgrade.
Important! Make sure you have the latest version of the upgrade tools! Download the
appropriate package from the Tools section in the Check Point R80.10 Support site
http://supportcontent.checkpoint.com/solutions?id=sk111841. There is a different package for
each operating system.
When you open the upgrade_tools package, you see these files:
Package Description
migrate.conf Holds configuration settings for Advanced Upgrade / Database
Migration.
migrate Runs Advanced Upgrade or migration.
pre_upgrade_verifier Analyzes compatibility of the currently installed configuration with

the upgrade version. It gives a report on the actions to take before
and after the upgrade.
pre_upgrade_verifier -p $FWDIR -c <Current Version>
-t <Target Version>
migrate export Backs up all Check Point configurations, without operating system
information.
migrate import Restores backed up configuration.
puv_report_generator Runs in the end of pre_upgrade_verifier and converts the text

file to HTML.

Using the Pre-Upgrade Verifier

The Pre-Upgrade Verifier runs automatically during the upgrade process. You can also run it
manually with this command.
Syntax:
pre_upgrade_verifier.exe -p <ServerPath> -c <CurrentVersion> (-t <TargetVersion>

| -i) [-f <FileName>]
Parameters:
-p Path of the installed Security Management Server (FWDIR)
-c Currently installed version
-t Target version
-i If -i is used, only the INSPECT files are analyzed, to see if they were customized.
-f Output report to this file

Upgrading Successfully
• When upgrading a Security Management Server, IPS profiles remain in effect on earlier
Gateways and can be managed from the IPS tab. When the gateway is upgraded, install the
policy to get the new IPS profile.
• When upgrading a Security Gateway, remember to change the gateway object in SmartConsole
to the new version.
If you encounter unforeseen obstacles during the upgrade process, consult the Support Center
http://supportcontent.checkpoint.com/solutions?id=sk111841 or contact your Reseller.

Upgrading the vSEC Controller on the Security

Management Server
Upgrading R80 to R80.10
To upgrade the vSEC Controller v1 and v2 for R80 to R80.10, see sk111841
http://supportcontent.checkpoint.com/solutions?id=sk111841 for upgrade instructions.
Important Information
1. When you upgrade the vSEC Controller to R80.10 the following files are overwritten with
default values:
• vSEC Controller v1
 vsec.conf (found in $VSECDIR/conf)
• vSEC Controller v2
 vsec.conf (found in $VSECDIR/conf)
 tagger_db.C (found in $MDS_FWDIR/conf)
Before you begin the upgrade, back up any files that you have changed.
2. A Multi-Domain Server that contains imported Data Center objects in the Global Domain is not
supported in the upgrade to R80.10. You must remove objects from the Global Domain before
you install the upgrade.
3. Before you perform the upgrade on the Management server, if you have a Cisco APIC server,
keep only one URL. After the upgrade, add the other URLs.
4. For upgrades from the vSEC Controller v1, manually connect again to each Data Center
Server. For those servers that communicate with HTTPS, in SmartConsole double-click the
Data Center object and trust the certificate again.
Note - During the upgrade, the vSEC Controller does not communicate with the Data Center.
Therefore, Data Center objects are not updated on the Security Management Server or the
Security Gateways.
Upgrading R77.30 to R80.10

For information on upgrading to R80.10, contact Check Point support.

Supported Security Gateways

The vSEC Controller works with:
• R77.20
• R77.30
• R80.10 gateways
• 60000/40000 Scalable Platforms R76SP.50 (starting with Jumbo Hotfix Accumulator, Take 20)
Important
To use the vSEC Controller with R77.20 and R77.30 gateways (R77.30 gateways with Jumbo Hotfix
Accumulator below Take 309) install the R80.10 vSEC Controller v1 Enforcer Hotfix. See sk120464

Service Contract Files

Before upgrading a gateway or Security Management Server to R80.10, you need to have a valid
support contract that includes software upgrade and major releases registered to your Check
Point User Center account. The Security Management Server stores the contract file and
downloads it to Security Gateways during the upgrade. By verifying your status with the User
Center, the contract file enables you to easily remain compliant with current Check Point licensing
standards.
Working with Contract Files

As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain
Server before upgrading the Security Gateways. Once the Management Server is upgraded and
contains a Contract File, it transfers this Contract File to the managed Security Gateways when
they are upgraded.
Installing a Contract File on the Security Management Server

When you upgrade a Management Server, the upgrade process checks to see whether a Contract
File is already present on the v. If not, you get the main options for getting a contract. You can
download a Contract File or import it.
If the Contract File does not cover the Management Server, a message informs you that the
Management Server is not eligible for upgrade. The absence of a valid Contract File does not
prevent upgrade. You can download a valid Contract File later in SmartUpdate.
• To download a contracts file from the User Center
If you have Internet access and a valid user account, download a Contract File directly from
your User Center https://usercenter.checkpoint.com account. If you choose to download the
contract information from the User Center, you are prompted to enter your:
• User name
• Password
• Proxy server address (if applicable)
• To import a local contract file
If the Management Server does not have Internet access:
a) On a computer with Internet access, log in to the User Center
http://usercenter.checkpoint.com.
b) In the top menu, click Assets/Info > Download Contract File and follow the instructions on
the screen.
c) Transfer the downloaded file to the Management Server.
d) After selecting Import a local contracts file, enter the full path to the location where you
stored the file.
• To continue without contract information
Select this option if you intend to get and install a valid Contract File at a later date. Note that
at this point your Security Gateways are not strictly eligible for an upgrade; you may be in
violation of your Check Point Licensing Agreement, as shown in the final message of the
upgrade process.
Installing a Contract File On Security Gateways

After you accept the End User License Agreement (EULA), the upgrade process searches for a
valid contract on the gateway. If a valid contract is not located, the upgrade process attempts to
retrieve the latest contract file from the Security Management Server. If not found, you can
download or import a contract.
If the contract file does not cover the gateway, a message informs you (on Download or Import)
that the gateway is not eligible for upgrade. The absence of a valid contract file does not prevent
upgrade. When the upgrade is complete, contact your local support provider to obtain a valid
contract. Use SmartUpdate to install the contract file.
Use the download or import instructions for installing a contract file on a Security Management
Server.
If you continue without a contract, you install a valid contract file later. But the gateway is not
eligible for upgrade. You may be in violation of your Check Point Licensing Agreement, as shown in
the final message of the upgrade process. Contact your reseller.

Upgrading Security Management Servers and Security Gateways
CHAPTE R 10
Upgrading Security Management

Servers and Security Gateways
In This Section:
Using the Upgrade Verification Service .......................................................................80
Upgrading Gaia Security Management Server and Standalone .................................81
Upgrading Security Gateways ......................................................................................82
Upgrading Standalone Full High Availability...............................................................84
Upgrading Clusters on Appliances ..............................................................................86
Using the Upgrade Verification Service

The Upgrade Verification Service helps you upgrade successfully to R80.10.
We evaluate your environment and send you an email that shows if you are ready to upgrade, or
what you must do first. For more details, see sk110267

Upgrading Gaia Security Management Server and

Standalone
A Security Management Server upgraded to R80.10 can enforce and manage Gateways from
earlier versions. You do not have to upgrade the Security Management Server and all of the
Gateways at the same time. But the earlier Gateways will not support all new features.
Important - Before you upgrade:
• Back up your current configuration (see "Backing Up and Restoring" on page 59).
• See the R80.10 Release Notes for the supported appliances, system and memory
requirements, and deployments.
• Use the Pre-Upgrade Verification tool to reduce the risk of incompatibility with your existing
environment. The Pre-Upgrade Verification tool generates a detailed report of the actions to
take before an upgrade (see "Using the Pre-Upgrade Verifier" on page 74).
• For upgrades from an R80 Security Management Server:
• Upgrades are only supported with CPUSE - In-place upgrade of the Security Management
Server.
To learn how to upgrade with CPUSE, see sk92449
• Use the Sessions view in SmartConsole to publish or discard all sessions before you start
the upgrade. In SmartConsole, go to the Manage & Settings tab > Sessions > Actions.
• Upgrades from R77.x to R80.10 are supported with:
• CPUSE - In-place upgrade of the Security Management Server.
• Advanced migration - Export of the database from the source R77.x Security Management
Server and import to the target 80.10 Security Management Server.
Note - After the upgrade of the Security Management Server is complete, make sure to run Install
Database.

Upgrading Security Gateways

Important - Before you upgrade your Security Gateways, you must upgrade your Security
Management Server ("Upgrading Gaia Security Management Server and Standalone" on page 81)
or Multi-Domain Server ("Upgrading a Multi-Domain Security Management" on page 87). You can
also upgrade your High Availability system ("Upgrading a High Availability Deployment" on page
100).
You can upgrade all Security Gateways with CPUSE.
Best Practice - Before you upgrade, back up your configuration (see "Backing Up and Restoring"
on page 59).
Configuring SmartUpdate for Versions R77.30 and Lower

Important - Installing software packages using SmartUpdate is not supported for Security
Gateways running on Gaia Operating System.
To configure the Security Management Server for SmartUpdate:

1. Install the latest version of SmartConsole.
2. Define the remote Check Point Gateways in SmartConsole (for a new Security Management
Server installation).
3. Verify that the Administrator SmartUpdate permissions (as defined in the cpconfig
configuration tool) are Read/Write.
4. To enable SmartUpdate connections to the Gateways:
a) Go to the menu > Global Properties > firewall.
b) Go to Track and check the box: Log Implied Rules
c) Click OK.
Use SmartUpdate to add packages to and delete packages from the Package Repository:
• Directly from the Check Point Download Center website (Packages > Add > From Download
Center),
• When you import a file (Packages > Add > From File).
When you add the package to the Package Repository, the package file is transferred to the
Security Management Server. When the Operation Status window opens, you can verify the
success of the operation. The Package Repository shows the new package object after it updates.

Upgrading a VSX Gateway

Important - Before you begin, make sure the target VSX or Virtual System is currently not edited
or locked by other administrators. The vsx_util command cannot modify the management
database if the database is locked. When the locked VSX and Virtual System objects become
available, begin the vsx_util procedure again.
To upgrade a VSX Gateway to R80.10:

1. On the Security Management Server, log in to Expert mode.
2. Run: vsx_util upgrade
When prompted, enter this information
a) Security Gateway or main Domain Management Server IP address
b) Administrator name and password
c) Target VSX object (if the VSX Gateway is a cluster, select the target member).
d) Version to upgrade to: R80.10
3. Wait for the operation to complete successfully and for this message to show:
Do you wish to reconfigure the gateway/cluster members? (y|n)
4. If you are using CPUSE to upgrade the VSX Gateway, skip this step.
To use clean install, enter y.
When prompted, enter this information:
a) Management server or main Domain Management Server IP address
b) Administrator name and password
c) SIC activation key for the upgraded member
The operation completes successfully, and this message shows:
Reconfigure module operation completed successfully
d) Install the necessary licenses.
e) Reboot the reconfigured VSX member.
5. If you are using CPUSE to upgrade the VSX Gateway, enter n and follow these instructions:
a) In Gaia Clish, switch to the main VSX context. Run:
set virtual-system 0
b) Import the upgrade file into the CPUSE repository. Run:
installer import local <file_name>
c) Make sure that the file is in the repository:
show installer packages
d) Start the upgrade. Enter:
installer upgrade
e) Press the Tab key to see the upgrade options.
f) From the list, select the file to install.

Upgrading Standalone Full High Availability

To upgrade Full High Availability for cluster members in standalone configurations, there are
different options:
• Upgrade one machine and synchronize the second machine with minimal downtime.
• Upgrade with a clean installation on one machine and synchronize the second machine with
system downtime.
Upgrading with Minimal Downtime

You can do a Full High Availability upgrade with minimal downtime on the cluster members.
To upgrade Full High Availability with minimal downtime:

1. Check the status of the cluster members. Run: cphaprob state
Make sure the Primary cluster member is Active and the Secondary cluster member is
Standby.
2. Start failover to the Secondary cluster member.
On the Primary cluster member, run: cpstop
The Secondary cluster member becomes the new Active member and processes all the traffic.
3. Log in with SmartConsole to the Security Management Server of the Secondary cluster
member.
4. Click Change to Active.
5. Configure the Security Management Server on the Secondary cluster member to be Active.
Note - We recommend that you export the database using the Upgrade tools ("Upgrade
Utilities" on page 73).
6. Upgrade the Primary cluster member to the desired Check Point version.
7. Log in with SmartConsole to the Security Management Server of the Primary cluster member.
Make sure you use the SmartConsole of the same Check Point version as the Security
Management Server.
8. Open the cluster object.
9. Change the version of the object to the new version and click OK.
10. Install the Access Policy on the cluster object.
Note - Make sure that the For Gateway Clusters install on all the members option is cleared.
The Primary cluster member now processes all the traffic.
11. Upgrade the Secondary cluster member to the desired Check Point version.
Synchronization for Management High Availability starts automatically.

Upgrading with a Clean Installation

You can do a Full High Availability upgrade with a clean installation on the secondary cluster
member and synchronize the primary cluster member. This type of upgrade causes downtime to
the cluster members.
To upgrade Full High Availability with a clean installation:

1. Make sure the primary cluster member is active and the secondary is standby: check the
status of the members.
2. Start failover to the second cluster member.
The secondary cluster member processes all the traffic.
3. Log in with SmartConsole to the management server of the secondary cluster member.
4. Click Change to Active.
5. Configure the secondary cluster member to be the active management server.
Note - We recommend that you export the database using the Upgrade tools ("Upgrade
Utilities" on page 73).
6. Upgrade the primary cluster member to the appropriate version.
7. Log in with SmartConsole to the management server of the primary cluster member.
Make sure version of the SmartConsole is the same as the server.
8. Upgrade the version of the object to the new version.
9. Install the policy on the cluster object.
The primary cluster member processes all the traffic.
Note - Make sure that the For Gateway Clusters install on all the members option is cleared.
Selecting this option causes the installation to fail.
10. Install the secondary member.
11. From SmartConsole, configure the cluster object.
a) Change the secondary details (if necessary).
b) Establish SIC.
Synchronization for Management High Availability starts automatically.

Upgrading Clusters on Appliances

Important - Before you upgrade your Cluster members, you must upgrade your Security
also upgrade your Management High Availability system.
If the appliance to upgrade was not the primary member of a cluster before, export its database
before you upgrade. If it was the primary member before, you do not have to do this.
To upgrade an appliance and add it to a cluster:
1. If the appliance was not the primary member of a cluster, export the Security Management
Server database.
2. Upgrade the Appliance.
3. If the appliance was not the primary member of a cluster, Import the database.
4. Using the Gaia Portal, on the Cluster page, configure the appliance to be the primary member
of a new cluster.
5. Connect a second appliance to the network.
• If the second appliance is based on an earlier version: get the relevant upgrade package
from the Download Center, save it to a USB stick, and reinstall the appliance as a
secondary cluster member.
• If the second appliance is upgraded: run the first-time wizard and select Secondary
Cluster Member.

Upgrading a Multi-Domain Security Management
CHAPTE R 11
Upgrading a Multi-Domain Security

Management
In This Section:
Upgrading Multi-Domain Security Management with CPUSE ...................................87
Upgrading an R77.xx Multi-Domain Security Management with Migration ..............88
Upgrading a High Availability Deployment ................................................................100
Restarting Domain Management Servers .................................................................103
Changing the Leading Interface on Multi-Domain Server or Multi-Domain Log Server 104
Saving the Multi-Domain Security Management IPS Configuration ........................105
Enabling IPv6 on Gaia ...............................................................................................106
Upgrading Multi-Domain Security Management with

CPUSE
Best Practice - To make sure the Security Gateways of the source Multi-Domain Server are not
affected until the upgrade is done, put the target Multi-Domain Server on an isolated network
segment.
Upgrades from R80 to R80.10 are only supported with CPUSE.
Upgrades from R77.x to R80.10 are supported with:
• CPUSE - In-place upgrade on the Multi-Domain Security Management.
• Advanced migration ("Upgrading an R77.xx Multi-Domain Security Management with
Migration" on page 88) - Export of the database from the source R77.x Multi-Domain Security
Management and import to the target R80.10 Multi-Domain Security Management.
To learn how to upgrade with CPUSE, see sk92449
Important - Before you upgrade:
• Back up your current configuration (see "Backing Up and Restoring" on page 59).
• For upgrades from R80, use the Sessions view in SmartConsole to publish or discard all
sessions. In SmartConsole, go to the Manage & Settings tab > Sessions > Actions.
• For upgrades from R80, if vSEC Controller is used in your environment, in SmartConsole that
is connected to the Global Domain, remove all global Data Centers and global Data Center
Objects.

Upgrading an R77.xx Multi-Domain Security

Management with Migration
You can upgrade R77.xx to R80.20 with a migration procedure. Versions higher than R77.30 cannot
be migrated.
A basic migration is when you upgrade the database from a source Security Management Server
to a target Security Management Server of the same version.
In an advanced upgrade, the database from an R77.xx Security Management Server is migrated to
an R80.10 server. When you migrate, you are exporting the upgrade from the source server and
importing it to the target server.
We recommend that you use database export/import to upgrade.
There has to be a valid license on the Multi-Domain Servers before you import the database
("Working with Licenses" on page 132).
Important! In R80.10, the order that you import servers is crucial.
• First you must import the Primary Multi-Domain Server
• Then you can import the Secondary Multi-Domain Servers and Multi-Domain Log Servers. If
there are active Domain Management Servers on the Secondary Multi-Domain Servers, they
must be upgraded before you upgrade the Multi-Domain Log Servers.
If there is no Primary Multi-Domain Server, you must first promote a secondary Multi-Domain
Server to be the primary.
Note - A valid license has to be applied on the <tp_mdss> before you import the database.
Exporting the Multi-Domain Server Databases

Export current Multi-Domain Server extracts the database and configuration settings from a
Multi-Domain Server and its associated Domain Management Servers. It then stores this data in a
single TGZ file. You can import this TGZ file to a newly installed Multi-Domain Server.
Note - In a High Availability deployment, you must export the primary Multi-Domain Server. If the
target Multi-Domain Server uses a different leading IP address than the source server, you must
change the Multi-Domain Server IP address and the external interface.
You can include the log files in the exported TGZ file. These log files are likely to be very large.
• Export one database at a time. Start with the Primary Multi-Domain Server.
• Make sure the Global Domain Management Server is Active on the Primary Multi-Domain
Server.

To create the export file on a source Multi-Domain Server:

1. Stop all Check Point services:
# mdsstop
2. Switch to the Multi-Domain Server context:
# mdsenv
# mcd
3. Mount the ISO file:
# mount -o loop /path_to/Check_Point_R80.10_Gaia.iso /mnt/cdrom
4. Go to the installation folder:
# cd /mnt/cdrom/linux/p1_install
5. Run the installation script:
# ./mds_setup
6. Run the Pre-Upgrade Verifier > enter 1 when this menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Upgrade to R80.10
(3) Backup current Multi-Domain Server
(4) Export current Multi-Domain Server
Or 'Q' to quit.
The pre-upgrade verifier analyzes compatibility of the management database and its current
configuration. A detailed report shows the steps to do before and after the upgrade.
Note - The pre-upgrade verification is required when you upgrade to a new version. You do not
need to run the verification when you migrate to the same version (without upgrading).
7. Read the Pre-Upgrade Verifier output and fix all errors according to the instructions.
8. After fixing the errors, open SmartConsole and reassign the Global Policy on all Domains.
9. Stop the services again:
# mdsstop
10. Run the installation script:
# ./mds_setup
11. Export the current Multi-Domain Server configuration > enter 4 when this menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Upgrade to R80.10
(3) Backup current Multi-Domain Server
(4) Export current Multi-Domain Server
Or 'Q' to quit.
12. Answer the interactive questions:
Would you like to proceed with the export now [yes/no] ? yes
Please enter target directory for your Multi-Domain Server export (or 'Q'
to quit): /var/log
Do you plan to import to a version newer than R80.10 [yes/no] ? no
Using migrate_tools from disk.
Do you wish to export the log database [yes/no] ? yes or no
If you enter no to export the logs, the configuration is still exported.

13. Make sure this export file is created.:

# ls -l /var/log/exported_mds.DDMMYYY-HHMMSS.tgz
14. Calculate the MD5 for this file:
# md5sum /var/log/exported_mds.DDMMYYY-HHMMSS.tgz
Importing the Database to the Primary Multi-Domain Server

Import the Multi-Domain Server configuration that you exported.
Important - When you transfer the exported database from the source to the target, use binary
mode during the transfer.
To import the Multi-Domain Server configuration:

1. Install R80.10 Multi-Domain Security Management on the target Multi-Domain Server
("Installing a Multi-Domain Security Management" on page 40).
When you complete the upgrade process for the Primary Multi-Domain Server, the Multi-Site
upgrade is not finished. You can only access objects that are stored on other Multi-Domain
Security Management servers when the upgrade process for the other Multi-Domain Servers
is complete.
2. Log in to Expert Mode.
3. Transfer (with FTP, SCP, or similar) the exported configuration file collected from the source
to the new server: exported_mds.DDMMYYY-HHMMSS.tgz
4. Calculate the MD5 for the transferred file and compare to the MD5 that was calculated on
original server:
# md5sum /<directory>/exported_mds.DDMMYYY-HHMMSS.tgz
5. Import the configuration: $MDSDIR/scripts/mds_import.sh
<path_exported_database>/exported_mds.DDMMYYY-HHMMSS.tgz
6. Test the target installation.
7. Disconnect the source server from the network.
8. Connect the target server to the network and run mdsstart
Importing the Database to Secondary Multi-Domain Servers and

Multi-Domain Log Servers
Import the Multi-Domain Server configuration that you exported to a Secondary Multi-Domain
Server or Multi-Domain Log Server. If you have multiple servers, import the database to one
server at a time.
Important - When you transfer the exported database from the source to the target, use binary
mode during the transfer.
Before you begin:
1. In the Primary Multi-Domain Server.
2. Log into Expert Mode.
3. Back it up:
# mds_backup -b –d /var/log
4. Install R80.10 Multi-Domain Security Management on the target Multi-Domain Server.
5. Make sure the Primary Multi-Domain Server is running.

6. Make sure that the Primary Multi-Domain Server has the correct license to work in Multi-Site
environment.
7. Make sure that there is good connectivity between all the Multi-Domain Servers. System
databases, logs, and Global Domains are upgraded only on the Primary Multi-Domain Server.
The connection is necessary to synchronize the other Multi-Domain Servers and Multi-Domain
Log Servers.
8. The IP address of the source and target Secondary Multi-Domain Servers and Multi-Domain
Log Servers must be the same.
To import the Multi-Domain Server configuration:

2. Transfer (with FTP, SCP, or similar) the exported configuration file collected from the source
to the new server:
exported_mds.DDMMYYY-HHMMSS.tgz
3. Make sure the transferred file is not corrupted. Calculate the MD5 for the transferred file and
compare to the MD5 that was calculated on the source Multi-Domain Server:
# md5sum /<directory>/exported_mds.DDMMYYY-HHMMSS.tgz
4. Make sure that there is connectivity to the newly upgraded Primary Multi-Domain Server.
5. Import the configuration:
# $MDSDIR/scripts/mds_import.sh -primaryip <IP_primary_server>
<path_to_exported_database>/exported_mds.DDMMYYYY-HHMMSS.tgz
6. On the Primary Multi-Domain Server, make sure that the Full Sync task completes
successfully.
7. Test the target installation.
8. Disconnect the source server from the network.
9. Connect the target server to the network and run the mdsstart command on it.
After you complete the upgrade of all secondary Multi-Domain Servers and the Multi-Domain Log
Servers, you must update the version of the Domain Management Server and the Domain Log
Server objects.
To update the version of the Domain Management Server and Domain Log Server
objects on the Multi-Domain Servers:
1. Connect to the command line on the Primary Multi-Domain Server, and make sure that all the
Domain Management Servers are up. Run:
# mdsstat
2. Make sure to disconnect all SmartConsoles.
3. Switch to the main MDS context:
# mdsenv
4. On each Domain Management Server and Domain Log Server that you import, run:
# $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
5. Open SmartConsole and make sure that the version for each of the upgraded objects is
R80.10.

Migrating Each Domain Management Server Gradually

In a gradual upgrade, you export each Domain Management Server one at a time from the source
Multi-Domain Server to a target Multi-Domain Server of the latest version.
The gradual upgrade does not keep all data.
Data Not Exported To get this data in the new environment:

Multi-Domain Server administrators and Redefine and reassign to Domains after the upgrade.
management consoles
Status of global communities Run these commands:

mdsenv
fwm mds rebuild_global_communities_status
all
Migrating Global Policies

You can migrate the global policy only one time. We recommend that you do not change the global
policy on R77.xx until you move all the Domain Management Servers to the R80.10 Multi-Domain
Server.
If you have to change the global policy after you have migrated it, follow these guidelines:
• If the global object was deleted or edited on the source Multi-Domain Server, you have to make
the same change manually on the R80.10 Multi-Domain Server.
• If you added new objects to the global policy, you have to remove them from the policy before
you export the Domain Management Servers. Otherwise, cma_migrate on the target
Multi-Domain Server fails.
migrate_global_policies upgrades a global policy database from a Multi-Domain Server
and imports it to an R80.10 Multi-Domain Server.
Note - When you execute the migrate_global_policies utility, the Multi-Domain Server is
stopped.
Before you run the migrate_global_policies utility, make sure that you remove all the data
from the global database of the R80.10 Multi-Domain Server.

Upgrading Global Policy from R77.xx to R80.10

Upgrading the global policy is supported for R77.xx only. You cannot upgrade the global policy
when the source is R80.xx.
To upgrade Global Policies from R77.xx to R80.10:

1. On the R77.xx Multi-Domain Server, extract the Upgrade Tools from the R80.10 ISO ("Upgrade
Utilities" on page 73), if you did not do this already ("Migrating a Domain Management Server
Database" on page 93).
2. Switch to the main MDS context:
# mdsenv
3. Run:
# cd <full path to migrate command>
# ./migrate export <output file>
4. Copy the TGZ file from the R77.xx server to the R80.10 Multi-Domain Server.
5. Migrate the Global Policies. Run:
# migrate_global_policies <full_path_exported_tgz>
6. Start the Multi-Domain Server:
# mdsstart
7. If there is a Secondary Multi-Domain Server, synchronize the global databases.
Migrating a Domain Management Server Database

This procedure exports, updates, and imports the database of an R77.xx Domain Management
Server to an R80.10 Domain Management Server.
Note - Migration of R80/R80.10 Security Management Server or Domain Management Server to
Multi-Domain Server R80/R80.10 is not supported.
Before you begin:

• Make sure that there is one Active Domain Management Server in each Domain to be
migrated.
• If you want to import logs with the database, run a log switch before you export.
• Make sure that you migrate the database only on one Domain Management Server. If you
migrate a database to more than one Domain Management Server, the import fails and shows
an error message.
• Initialize the ICA ("Certificate Authority Data" on page 95).

To import from R77.xx Domain Management Server to R80.10:

1. On the Multi-Domain Server with the active global policy, get the Upgrade Tools from the
R80.10 CD or ISO ("Upgrade Utilities" on page 73).
2. Extract the tools.
Extraction makes the upgrade_tools subdirectory. In this path, extract the Multi-Domain
Security Management tools: p1_upgrade_tools.tgz
For example:
Install from CD:
# gtar xvfz /mnt/cdrom/linux/upgrade_tools/linux/p1_upgrade_tools.tgz -C
/var/opt/export_tools
Install from DVD:
# gtar xvfz /mnt/cdrom/Linux/linux/upgrade_tools/linux/p1_upgrade_tools.tgz
-C /var/opt/export_tools
3. Switch to the context of the Domain Management Server. Run:
# mdsenv <DomainServer_name_or_IP>
4. Run:
# cd <full path to migrate command>
# ./migrate export [-l] <output file>
• The migrate export command exports one Domain Management Server database to a
TGZ file.
• The output file must be specified with the fully qualified path. Make sure there is sufficient
disk space for the output file.
• The optional –l flag includes closed log files and SmartLog data from the source Domain
Management Server in the output archive.
5. On the R80.10 Multi-Domain Server, run these API commands
https://sc1.checkpoint.com/documents/R80/APIs/#introduction to create a new Domain and a
new Domain Management Server (without starting it):
# mgmt_cli --root true add domain name <my_domain_name> servers.ip-address
<my_IP_address> servers.name <my_domain_server_name>
servers.multi-domain-server <R80.10_multi-domain-server_Name>
servers.skip-start-domain-server true
Important! - After you create the new domain with this command, do not change the domain IP
address until you run the cma_migrate command.
6. Copy the TGZ file from the source Domain Management Server to the R80.10 Multi-Domain
Server. Import the exported database:
# unset TMOUT
# cma_migrate <source management tgz file> <target Domain Management Server
$FWDIR directory>
For example:
# cma_migrate tmp/orig_mgmt.tgz
/opt/CPmds-R80/customers/cma1/CPsuite-R80/fw1
This command updates the database schema before it imports. First, the command runs
pre-upgrade verification. If no errors are found, migration continues. If there are errors, you
must change the source Domain Management Server according to instructions in the error
messages. Then do this procedure again.

7. If the R80.10 server has a different IP address than the R77.xx server, establish trust with the
Security Gateways ("Certificate Authority Data" on page 95).
8. If the R77.xx server had VPN gateways, configure the keys ("Resolving Issues with IKE
Certificates" on page 96).
Important - To do a Domain Management Server migration on a Secondary Multi-Domain Server,
you must set its global domain to Active.
Procedure:
1. Connect to the command line on the Secondary Multi-Domain Server.
3. Run this command before you do the first migration on the Secondary Multi-Domain Server:
# mdsenv && $CPDIR/bin/cpprod_util CPPROD_SetValue FW1 LastIpsUpdate 1
`date +%s` 1
4. Connect with SmartConsole to the Secondary Multi-Domain Server.
5. From the left Navigation Toolbar, click Multi Domain > Domains.
6. Right-click the global domain of the Secondary Multi-Domain Server and click Connect to
Domain.
A window shows for the global domain.
7. Click Menu > Management High Availability.
8. In the Management High Availability status window, select Actions > Set Active for the
Connected Domain.
Certificate Authority Data

The cma_migrate process does not change the Certificate Authority or key data. The R80.10
Domain Management Server has SIC with Security Gateways. If the IP address of the R80.10
server is not the same as the IP address of the R77.xx server, you must establish trust between
the new server and the gateways.
Before you begin, see sk17197 http://supportcontent.checkpoint.com/solutions?id=sk17197 to
make sure the environment is prepared.
To initialize a Domain Management Server Internal Certificate Authority:

1. Remove the current Internal Certificate Authority for the specified environment, run:
# mdsstop_customer <DomainServer Name or IP>
# mdsenv <DomainServer Name or IP>
# fwm sic_reset
2. Create a new Internal Certificate Authority, run:
# mdsconfig -ca <DomainServer Name> <DomainServer IP>
# mdsstart_customer <DomainServer Name or IP>

Resolving Issues with IKE Certificates

With a VPN tunnel that has an externally managed, third-party gateway and a Check Point Security
Gateway, there can be an issue with the IKE certificates after you migrate the management
database.
The Security Gateway presents its IKE certificate to its peer. The third-party gateway uses the
FQDN of the certificate to retrieve the host name and IP address of the Certificate Authority. If the
IKE certificate was issued by a Check Point Internal CA, the FQDN contains the host name of the
original management server. The peer gateway will fail to contact the original server and will not
accept the certificate.
To fix:
• Update the external DNS server to resolve the host name to the IP address of the relevant
Domain Management Server.
• Revoke the IKE certificate for the gateway and create a new one.
Migrating from Standalone to Domain Management Server

Migration from standalone Security Management Server to Domain Management Server is
supported only from pre-R80 to R80.10. You will separate the Security Management Server and
Security Gateway on the standalone. Then you manage the former-standalone computer as a
Security Gateway only from the Domain Management Server.
Note - To undo the separation of the Security Management Server and Security Gateway on the
standalone, back up the standalone computer before you migrate.
Before migrating:
1. Make sure that the target Domain Management Server IP address can communicate with all
Gateways.
2. Add an object to represent the Domain Management Server (name and IP address) and define
it as a Secondary Security Management Server.
3. Install policy on all managed Gateways.
4. Delete all objects or access rules created in Steps 1 and 2.
5. If the standalone computer already has Security Gateway installed:
• Clear the Firewall option in the Check Point Products section of the gateway object. You
may have to first remove it from the Install On column of your Rule Base (and then add it
again).
• If the gateway participates in a VPN community, remove it from the community and erase
its certificate. Note these changes, to undo them after the migration.
6. Save and close SmartConsole. Do not install policy.

To migrate the management database to the Domain Management Server:

1. Go to the fully qualified path of the migrate export command.
2. Run:
# ./migrate export [-l] <output file>
3. On the R80.10 Multi-Domain Server, run these API commands
https://sc1.checkpoint.com/documents/R80/APIs/#introduction to create a new Domain and a
new Domain Management Server (without starting it):
# mgmt_cli --root true add domain name <my_domain_name> servers.ip-address
<my_IP_address> servers.name <my_domain_server_name>
servers.multi-domain-server <R80.10_multi-domain-server_Name>
servers.skip-start-domain-server true
Important! After you create the new domain with this command, do not change the domain
IP address until you run the cma_migrate command.
4. Migrate the TGZ file from the source Domain Management Server to the R80.10 Multi-Domain
Server.
5. Import the exported database:
# unset TMOUT
# cma_migrate <source management tgz file> <target Domain Management Server $FWDIR
directory>
For example:
# cma_migrate tmp/orig_mgmt.tgz
/opt/CPmds-R80/customers/cma1/CPsuite-R80/fw1
This command updates the database schema before it imports. First, the command runs
pre-upgrade verification. If no errors are found, migration continues. If there are errors, you
must change the source Domain Management Server according to instructions in the error
messages. Then do this procedure again.
6. If the R80.10 server has a different IP address than the R77.xx server, establish trust with the
Security Gateways ("Certificate Authority Data" on page 95).
7. If the R77.xx server had VPN gateways, configure the keys ("Resolving Issues with IKE
Certificates" on page 96).
8. In SmartConsole, under Network Objects, locate:
• An object with the Name and IP address of the Domain Management Server primary
management object (migrated). Previous references to the standalone management object
now refer to this object.
• An object for each gateway managed previously by Security Management Server.
9. Edit the Primary Management Server object and remove all interfaces (Network Object >
Topology > Remove).
10. Create an object for the Security Gateway on the standalone machine (from New > Check Point
> Gateway), and:
• Assign a Name and IP address for the gateway.
• Select the appropriate Check Point version.
• Enabled the installed Software Blades.
• If the Security Gateway belonged to a VPN Community, add it back.
• Do not initialize communication.

11. Run Domain Management Server on the Primary management object. In each location,
consider changing to the new Security Gateway object.
12. Install the policy on all other Security Gateways, not the new one. If you see warning messages
about this Security Gateway because it is not yet configured, ignore them.
13. Uninstall the standalone deployment.
14. Install a Security Gateway on the previous standalone machine.
15. From the Domain Management Server SmartConsole, edit the Security Gateway object, define
its topology, and establish trust between the Domain Management Server and the Security
Gateway.
16. Install the policy on the Security Gateway.

Migrating an R80.10 Database to another R80.10 Server

You can migrate the R80.10 Security Management Server database to a different R80.10 server.
The procedure is similar to upgrading from an earlier version to R80.10.
1. Create a backup file of the current system settings from the Gaia Portal.
For Multi-Domain Server, run: mds_backup
2. Do the steps to migrate to another R80.10 Security Management Server or Multi-Domain
Server.

Upgrading a High Availability Deployment

Multi-Domain Security Management High Availability gives you management redundancy for all
Domains. Multi-Domain Security Management High Availability operates at these levels:
• Multi-Domain Server High Availability - By default, Multi-Domain Servers are automatically
synchronized with each other. One Multi-Domain Server is always defined as the Active
Multi-Domain Server and all other Multi-Domain Servers are Standby Multi-Domain Servers.
You can connect to an Active or Standby Multi-Domain Server to work on Domain management
tasks.
You can only do Global policy and global object management tasks using the active
Multi-Domain Server. In the event that the active Multi-Domain Server is unavailable, you must
change one of the standby Multi-Domain Servers to active.
• Domain Management Server High Availability - Multiple Domain Management Servers give
Active/Standby redundancy for Domain management. One Domain Management Server for
each Domain is Active. The other, fully synchronized Domain Management Servers for that
Domain, are standbys. In the event that the Active Domain Management Server becomes
unavailable, you must change one of the standby Domain Management Servers to active.
You can also use ClusterXL to give High Availability redundancy to your Domain Security Gateways.
You use SmartConsole to configure and manage Security Gateway High Availability for Domain
Management Servers.
Pre-Upgrade Verification and Tools

Run the pre-upgrade verification on all Multi-Domain Servers before upgrading any Multi-Domain
Servers. Select the Pre-Upgrade Verification Only option from mds_setup. Upgrade the primary
Multi-Domain Server only after you have fixed all errors and reviewed all warnings for all
Multi-Domain Servers.
Multi-Domain Server High Availability

Multi-Domain Servers can only communicate and synchronize with other Multi-Domain Servers
running the same version. If your deployment has more than one Multi-Domain Server, make sure
they are upgraded to the same version.
To upgrade multiple Multi-Domain Servers:

1. Upgrade the primary Multi-Domain Server.
2. Upgrade the other Multi-Domain Servers.
During the upgrade process, we recommend that you do not use any of the Multi-Domain Servers
to make changes to the databases. This can cause inconsistent synchronization between
Multi-Domain Servers.
Important - Before you upgrade a Multi-Domain Server in High Availability Mode, all Domain
Management Servers must be Active on the Primary Multi-Domain Server.
Note - You must upgrade your Multi-Domain Log Servers to the same version as the Multi-Domain
Servers.

Upgrading Multi-Domain Servers and Domain Management

Servers
To upgrade a Multi-Domain Server and a Domain Management Server:
1. Run pre-upgrade verification for all Multi-Domain Servers.
2. If a change to the global database is necessary, synchronize the Multi-Domain Servers
immediately after making these changes. Update the database on one Multi-Domain Server
and start synchronization. The other Multi-Domain Servers will get the database changes
automatically.
3. If global database changes affect a global policy assigned to a Domain, assign the global policy
again to all affected Domains.
4. If the verification command finds Domain Management Server level errors (for example,
Gateways that are no longer supported by the new version):
a) Make the required changes on the Active Domain Management Server.
b) Synchronize the Active Domain Management Server with all Standby Domain Management
Servers.
5. If a Domain has Log Servers:
a) In the Domain SmartConsole, manually install the new database: select Policy > Install
Database.
b) Select all Log Servers.
c) Make sure that the change to the Domain Log Server is successful.
Note - When synchronizing, make sure that you have only one active Multi-Domain Server and one
active Domain Management Server for each Domain.
Change the active Multi-Domain Server and Domain Management Server, and then synchronize
the Standby computers.
Updating Objects in the Domain Management Server Databases

After upgrading the Multi-Domain Servers and Domain Management Servers, you must update the
objects in all Domain Management Server databases. This is necessary because upgrade does not
automatically update the object versions attribute in the databases. If you do not manually update
the objects, the standby Domain Management Servers and Log Servers will show the outdated
versions.
Update the objects with these steps on each Multi-Domain Server.
To update Domain Management Server and Domain Log Server objects:

1. Make sure that all Domain Management Servers are up: mdsstat
If a Domain Management Server is down, resolve the issue, and start the Domain Management
Server: mdsstart_customer <DMSNAME>
2. Go to the top-level CLI: mdsenv
3. Run: $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
Optional: Update one Domain Management Server or Domain Log Server at a time with this
command:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <server_name>

4. After running the command and before synchronizing the Standby domains, run:
mdsstop;mdsstart. See sk121718
5. Synchronize all Standby Domain Management Servers.
6. Install the database in SmartConsole for the applicable Domain Management Server.
Managing Domain Management Servers During the Upgrade

Process
The best practice is to avoid making any changes to Domain Management Server databases during
the upgrade process. If your business model cannot support management down-time during the
upgrade, you can continue to manage Domain Management Servers during the upgrade process.
This creates a risk of inconsistent Domain Management Server database content between
instances on different Multi-Domain Servers. The synchronization process cannot resolve these
inconsistencies.
After successfully upgrading one Multi-Domain Server, you can set its Domain Management
Servers to Active while you upgrade the others. Synchronization between the Domain
Management Servers occurs after all Multi-Domain Servers are upgraded.
If, during the upgrade process, you make changes to the Domain Management Server database
using different Multi-Domain Servers, the contents of the two (or more) databases will be
different. Because you cannot synchronize these databases, some of these changes will be lost.
The Domain Management Server High Availability status appears as Collision.
You must decide which database version to retain and synchronize it to the other Domain
Management Servers. You then must re-enter the lost changes to the synchronized database.

Restarting Domain Management Servers

After completing the upgrade process, start Domain Management Servers:
mdsstart_customer <DomainServer Name or IP>

Changing the Leading Interface on Multi-Domain Server

or Multi-Domain Log Server
This procedure lets you change the current Leading Interface on a Multi-Domain Server or
Multi-Domain Log Server.
1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode.
3. Stop the Multi-Domain Server:
# mdsstop
4. Modify the $MDSDIR/conf/LeadingIP file:
a) Back up the file:
# cp -v $MDSDIR/conf/LeadingIP{,_BKP}
b) Edit the file:
# vi $MDSDIR/conf/LeadingIP
c) Change the current IP address to the new IP address.
d) Save the changes and exit from the Vi editor.
5. Modify the $MDSDIR/conf/mdsdb/mdss.C file:
a) Back up the file:
# cp -v $MDSDIR/conf/mdsdb/mdss.C{,_BKP}
b) Edit the file:
# vi $MDSDIR/conf/mdsdb/mdss.C
c) Find the Multi-Domain Server object that has the source Multi-Domain Server's IP address.
d) Change the object's IP address to the new IP address.
e) Do not change the Multi-Domain Server's name.
f) Save the changes and exit from the Vi editor.
6. Install a new license on the target Multi-Domain Server issued for the new Multi-Domain
Server IP address.
7. For multiple Multi-Domain Server environments, repeat Steps 1 to 5 for each Multi-Domain
Server that has a changed IP address.
If your target machine and the source machine have different interface names (for example, eth0
and eth1), follow the steps listed below to adjust the restored Multi-Domain Server to the new
interface name.
To change the interface:

1. Change the interface name in file $MDSDIR/conf/external.if to the new interface name.
2. For each Domain Management Server, replace the interface name in the
$FWDIR/conf/vip_index.conf file.

Saving the Multi-Domain Security Management IPS

Configuration
When upgrading to R80.10, the previous Domain IPS configuration is overridden when you first
assign a Global Policy.
Best Practice - Save each Domain IPS configuration, so that you can restore the settings after the
upgrade:
1. Connect with Multi-Domain Server to R7x Multi-Domain Server.
2. Click Global Policies tab > Global Policies.
3. Click the [+] near the Domain name.
4. Right-click the Domain Management Server > click Configure Domain.
5. Click the Global Policy tab.
6. In the Revision Control section, select Create a database version before assigning global
policy.
7. Click OK.
Notes:
• If you manage IPS globally, you must reassign the global policy before installing the policy on
the managed Security Gateways.
• Customers upgrading to the current version should note that the IPS subscription has
changed. All Domains subscribed to IPS are automatically assigned to an "Exclusive"
subscription. The "Override" and "Merge" subscriptions are no longer supported.
For more on IPS in Multi-Domain Server environment, see the R80.10 Multi-Domain Server
Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=54841.

Enabling IPv6 on Gaia

IPv6 is automatically enabled if you configure IPv6 addresses in the First Time Configuration
Wizard.
If you did not do this, enable IPv6 in one of the following ways:
To enable IPv6 using Gaia Clish:

# set ipv6-state on
# save config
# reboot
To enable IPv6 using the Gaia Portal:

1. In the Gaia Portal navigation tree, select System Management > system Configuration.
2. For IPv6 Support, select On.
3. When prompted, select Yes to reboot.
Enabling IPv6 on Multi-Domain Security Management

If your environment uses IPv6 addresses, you first must enable IPv6 support for the Multi-Domain
Servers and for existing Domain Management Servers. It is not necessary to enable IPv6 support
for Domain Management Servers that you create after IPv6 is enabled on the Multi-Domain
Server, because this is handled automatically.
Important - You must assign an IPv4 address for each Multi-Domain Server, Multi-Domain Log
Servers, Domain Management Server and Domain Log Server. The IPv6 address is optional.
Preliminary steps:
1. Enable IPv6 for the leading interface (typically eth0) with Gaia Portal.
2. Assign an IPv6 address and default gateway to the management interfaces.
3. Write down the Multi-Domain Server IPv6 address and the host names and IPv6 addresses for
all Domain Management Servers. This is necessary because the system restarts after you
enable IPv6 support.
To enable IPv6 support for the Multi-Domain Server:

1. Log into the Primary Multi-Domain Server with a terminal emulation application.
2. From the command line, run: mdsconfig
3. Select IPv6 Support for the Multi-Domain Server.
4. Press y when prompted to change the IPv6 preferences.
Press y again to confirm.
5. When prompted for the Leading Interface name, enter the management interface name
(typically eth0).
6. When prompted, enter the management interface IPv6 address.
7. Press y to restart Check Point services.

To enable IPv6 support for existing Domain Management Servers:

1. From the mdsconfig menu, select IPv6 Support for Existing Domain Management Servers.
2. Press y when asked to change the IPv6 preferences for Domain Management Servers.
3. Press a to add support to an existing Domain Management Server.
4. Press y to add Support to all Domain Management Servers at once.
Press y again to confirm.
5. Press m to manually add IPv6 addresses
Or
Press r to automatically assign IPv6 address from a specified range.
6. Follow the instructions on the screen to enter the IPv6 addresses or a range of IPv6
addresses.
To manually enable IPv6 support for specified Domain Management Servers.

1. From the mdsconfig menu, select IPv6 Support for Existing Domain Management Servers.
2. At the prompt, press y to change the IPv6 preferences for Domain Management Servers.
3. Press a to add support to an existing Domain Management Server.
4. Press n when asked to enable IPv6 support for all Domain Management Servers at once.
Press y to confirm.
5. At the prompt, enter the Domain Management Server name.
The available Domain Management Servers show above prompt. You can copy and paste the
name.
6. Enter the IPv6 address.
7. At the prompt, press y to enable another Domain Management Server or n to complete the
procedure.

CHAPTE R 12
Upgrading ClusterXL Deployments

In This Section:
Planning a Cluster Upgrade .......................................................................................108
Minimal Effort Upgrade on a ClusterXL Cluster .......................................................111
Zero Downtime Upgrade on a Cluster .......................................................................112
Upgrading Clusters With Minimal Connectivity Loss ...............................................114
ClusterXL Optimal Service Upgrade ..........................................................................115
Connectivity Upgrade .................................................................................................123
Planning a Cluster Upgrade

Important - Before you upgrade your Cluster members, you must upgrade your Security
also upgrade your High Availability system ("Upgrading a High Availability Deployment" on page
100).
Before you upgrade a ClusterXL, consider the available upgrade options.
Upgrades that guarantee minimal connectivity loss

• Optimal Service Upgrade (OSU) ("ClusterXL Optimal Service Upgrade" on page 115) - Select
this option if security is of utmost concern. During this type of upgrade two cluster members
process network traffic. Connections that are initiated during the upgrade stay up through the
upgrade. A minimal number of connections that were initiated before the upgrade get dropped
after the upgrade.
• Connectivity Upgrade (CU) ("Connectivity Upgrade" on page 123) - Select this option, if you
need to upgrade a Security Gateway or a VSX cluster to any version, and guarantee connection
failover. Connections that were initiated before the upgrade are synchronized with the
upgraded Security Gateways and cluster members so that no connections are dropped.
Note - Before you select the Connectivity Upgrade (CU) option, see sk107042 ClusterXL
upgrade methods and paths http://supportcontent.checkpoint.com/solutions?id=sk107042 for
limitations.

Effort and time efficient upgrades with some loss of connectivity

• Simple Upgrade (with downtime) ("Upgrading Security Gateways" on page 82) - Select this
option if you have a period of time during which network downtime is allowed. This method is
the simplest, because each cluster member is upgraded as an independent Gateway.
• Zero Downtime ("Zero Downtime Upgrade on a Cluster" on page 112) - Select this option if you
cannot have any network downtime and need to complete the upgrade quickly, with a minimal
number of dropped connections. During this type of upgrade, there is always at least one active
member that handles traffic. Connections are not synchronized between cluster members
running different Check Point software versions.
Note - Connections that were initiated on a cluster member running the old version get
dropped when the cluster member is upgraded to a new version. Network connectivity,
however, remains available during the upgrade, and connections initiated on an upgraded
cluster member are not dropped.
An administrator can customize the Firewall, VPN, CoreXL, and SecureXL configuration on cluster
members by configuring the relevant kernel parameters in special configuration files -
$FWDIR/boot/modules/fwkern.conf, $FWDIR/boot/modules/vpnkern.conf,
$PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf. For examples,
see sk25977 http://supportcontent.checkpoint.com/solutions?id=sk25977. During the upgrade, all
customized configuration files are overwritten with the default configuration files.
If you upgrade the cluster through CLI, you can preserve the customized configuration. To do that,
you must back up the configuration files before the upgrade and restore them manually
immediately after upgrade, before the cluster members are rebooted. See sk42498
http://supportcontent.checkpoint.com/solutions?id=sk42498 for details.
If you upgrade the cluster gateways through Gaia Portal, they are rebooted automatically
immediately after the upgrade, and the customized configuration is lost.
Note - If configuration customizations are lost during the upgrade, different issues can occur in
the upgraded cluster. Cluster members can stop detecting each other, cluster members can move
to undesired state, and traffic can be dropped.
Ready State During Cluster Upgrade/Rollback Operations

When cluster members of different versions are on the same network, cluster members of the
new (upgraded) version remain in state Ready, and cluster members of the previous version
remain in state Active Attention. Cluster members in the state Ready do not process traffic for
the cluster Virtual IP address and do not synchronize with other cluster members.
To prevent cluster members from being in Ready state:

• Physically disconnect the cluster member.
• Shut down all interfaces. Run this command in Gaia Clish:
set interface <Interface_Name> state off

Upgrading 32/64-bit Cluster Members

High Availability cluster deployments are supported on 32-bit and 64-bit kernel operating
systems. Make sure that all cluster members are running the same 32-bit or the same 64-bit
operating system. If the kernel versions are different among the cluster members, those that are
running the 64-bit version will stay in the state Ready and will not synchronize with the other
cluster members or process any traffic for the cluster Virtual IP address.
Upgrading Third-Party and OPSEC Certified Cluster Products

• When upgrading 3rd party and OPSEC clusters, use the Zero Downtime or the Minimal Effort
procedure.
• When upgrading other third-party clustering products, use the Minimal Effort procedure. If the
third party vendor has an alternative for the Zero Downtime Upgrade, refer to their
documentation for upgrading.

Minimal Effort Upgrade on a ClusterXL Cluster

If you can afford to have a period of time during which network downtime is allowed, and choose to
perform a Minimal Effort Upgrade, each cluster member is upgraded as an individual gateway. For
additional instructions, refer to Upgrading Security Gateways (on page 82).

Zero Downtime Upgrade on a Cluster

Zero Downtime Upgrade is supported on all Check Point clusters and third-party clustering
products.
During a Zero Downtime Upgrade, one cluster member remains Active, while the other cluster
members get upgraded. The Active cluster member is upgraded last.
The procedure below describes a cluster with three members. However, it can be used for
clusters with two or more members.
• In High Availability mode, cluster member M1 is the Active member and is upgraded last.
Cluster members M2 and M3 are Standby.
• In Load Sharing mode, all members are Active. Randomly choose one of the cluster members
to upgrade last. Call it M1.
To upgrade a cluster with the Zero Downtime method:

1. Upgrade the licenses of all cluster members. A convenient time to do this is during the
upgrade of the Security Management Server.
To avoid possible problems with switches around the cluster, we recommend changing the
CCP protocol to Broadcast mode on all cluster members. Run cphaconf set_ccp
broadcast on all cluster members.
Note - cphaconf set_ccp starts working immediately. It does not require a reboot, and it
will survive the reboot. If you want to switch the CCP protocol back to Multicast mode on all
cluster members after the upgrade, then run cphaconf set_ccp multicast on all cluster
members.
2. Attach the upgraded licenses to all cluster members:
a) Connect to the Security Management Server through SmartUpdate. The updated licenses
are displayed as Assigned.
b) Use the Attach assigned licenses option to attach the assigned licenses to the cluster
members.
3. Upgrade M2.
After the upgrade, reboot M2.
4. Upgrade M3.
After the upgrade, reboot M3
5. In SmartConsole:
a) In the Gateway Cluster General Properties window, change the Cluster version to R80.10.
b) In the Install Policy window, clear these options: For Gateway Clusters, install on all the
members, Install on each selected Module independently > if it fails do not install at all.
c) Install the security policy on the cluster.
The policy successfully installs on M2 and M3. Policy installation fails on M1 and generates a
warning. You can safely ignore the warning.
6. On M1, run: cphaprob state
Verify that the status of cluster M1 is Active or Active Attention.
Active Attention means that the outbound status of the synchronization interface on M1 s
down. This is because M1 stopped communicating with other cluster members.
7. On M1, run: cpstop

This forces a failover to M2 or M3 (in High Availability mode) or to M2 and M3 (in Load Sharing
mode).
Make sure that one member is Active (in High Availability) or that all members are Active (in
Load Sharing).
8. On M2 and M3, run: cphaprob state
9. Upgrade M1.
10. Reboot M1.
11. Optional: To return the cluster control protocol to multicast (instead of broadcast), run
cphaconf set_ccp multicast on all cluster members.

Upgrading Clusters With Minimal Connectivity Loss

For minimal loss of connectivity, Check Point provides these cluster upgrade methods:
• ClusterXL Optimal Service Upgrade
• Connectivity Upgrade
To select the correct facility, refer to the table below:
Upgrade Name From version(s) To version(s)

ClusterXL Optimal Service R67.10 (VSX only) R77 and later R80.10 minor versions
Upgrade
R75.40VS
R76
R77
Connectivity Upgrade R75.40VS R77.20 and later R80.10 minor versions

R76

ClusterXL Optimal Service Upgrade

Use the Optimal Service Upgrade feature to upgrade a Security Gateway or VSX cluster from
R75.40VS to R80.10 and future major releases. This feature upgrades the cluster with a minimum
loss of connectivity.
When you upgrade the cluster, two cluster members are used to process the network traffic. New
connections that are opened during the upgrade procedure are maintained after the upgrade is
finished. Connections that were opened on the old version are discarded after the upgrade.
You can also use the Optimal Service Upgrade feature to upgrade a VSX cluster from R67.10 to
R80.10. When you use this feature to upgrade from VSX R67.10, download the R67.10 upgrade
Hotfix and install it on one VSX cluster member. For more about upgrading to R67.10, see the
R67.10 Release Notes http://supportcontent.checkpoint.com/documentation_download?ID=11753.
For more about the Optimal Service Upgrade and to download the R67.10 upgrade Hotfix, go to
sk74300 http://supportcontent.checkpoint.com/solutions?id=sk74300.
Upgrade Workflow from R75.40VS

Use the Optimal Service Upgrade to upgrade a cluster from R75.40VS to a later version, without
loss of connectivity.
• OLD cluster member - Cluster member before the upgrade.
• NEW cluster member - Cluster member that has been upgraded.
Note - Do not use this workflow to upgrade a VSX cluster from R67.10 ("Upgrade Workflow from
R67.10 VSX" on page 119).
Step Diagram of Cluster Members Summary
Cluster with four members (OLD).
1 • Leave one cluster member connected

to the network (OLD) and disconnect all
other cluster members. The connected
cluster member continues to process
1a old connections.
• For upgrades to R77.30, make sure that
the cluster ID (the value of the
1b cluster_id parameter) is the same
on all cluster members.
• For upgrades to R77.20 or an earlier
version, make sure that the value of the
fwha_mac_magic parameter is the
same on all cluster members.


2 • Upgrade the cluster members that are
disconnected from the network (NEW).
2a
• For upgrades to R77.30 or a later
version, make sure that the cluster ID
(the value of the cluster_id
2b parameter) is the same on all the
upgraded cluster members. Change it,
if necessary.
version, make sure that the value of the
fwha_mac_magic parameter on all
the upgraded cluster members is the
same. Change it, if necessary.
3 • Connect one upgraded (NEW) cluster
member to the network.
4
• On the active (OLD) cluster member,
turn off fwaccel on all Virtual Systems.
This allows the active (OLD) cluster
member synchronize all delayed
connections with the upgraded (NEW)
cluster member.
5 Note - If there are a lot of connections
on the Virtual Systems, turning off
fwaccel will cause all the connections
to be forwarded to the firewall. In this
case, run the cpstop command to turn
off the firewall.
start the Optimal Service Upgrade
procedure.
6 • On the upgraded cluster member
(NEW) that you connected to the
network, start the Optimal Service
Upgrade procedure. The upgraded
cluster member begins to process new
connections.
7 • Check the number of active connection

on the old cluster member. When this
cluster member almost stops
8 processing connections, stop the
Optimal Service Upgrade procedure on
it.
• Disconnect the old cluster member
from the network.


9 • Reconnect the other upgraded cluster
members to the network.
10 • Upgrade the old cluster member.

11 • Connect all the cluster members to the
network.
12
• Install the policy.
Upgrading the Cluster from R75.40VS

Two cluster members are used to maintain connectivity, while you upgrade all the other cluster
members.
To use the Optimal Service Upgrade to upgrade the cluster members:

1. Disconnect all cluster members from the network, except for one cluster member.
Make sure that the management interfaces are not connected to the network.
2. On the old cluster member (connected to the network), configure kernel parameters:
• Upgrade to R77.30:
Run: cphaconf cluster_id get
Make sure all cluster members have the same cluster ID. If the cluster ID value is different
on a cluster member, run this command to configure the correct value: cphaconf
cluster_id set <value>
• Upgrade to R77.20 and lower:
Make sure all cluster members use the same value for the fwha_mac_magic parameter.
Run: fw ctl get int fwha_mac_magic
The default value for the fwha_mac_magic parameter is 254. If your configuration uses a
different value, on each member, run: fw ctl set int fwha_mac_magic <value>
For more about the cluster_id and fwha_mac_magic parameters, see the
R80.10ClusterXL Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54804 and sk25977
3. Install R80.10 on all the cluster members that are not connected to the network.
4. Make sure that all the cluster members use the same kernel parameter values:
• Upgrade to R77.30 and higher: Make sure all cluster members have the same cluster ID.
On each member, run: cphaconf cluster_id get
If a member has a different ID, run: cphaconf cluster_id set <value>
• Upgrade to R77.20 and lower: Make sure all cluster members have the same value for
this parameter: fw ctl get int fwha_mac_magic
If a member has a different value, run: fw ctl set int fwha_mac_magic <value>

5. Prepare the old cluster member for synchronization of old connections with the upgraded
cluster member:
a) On the old cluster member, turn off fwaccel - run: fwaccel off -a
b) On the old cluster member, start the Optimal Serve Upgrade - run: cphaosu start
6. Reconnect the SYNC interface of one new cluster member to the network.
7. Move traffic to the new cluster member that is connected to the network. Do these steps:
a) Make sure the new cluster member is in ready state.
b) Connect the other new cluster member interfaces to the network.
c) On the new cluster member, run cphaosu start
d) On the old cluster member, run cphaosu stat
The network traffic statistics are shown.
e) When the old cluster member does not have many connections, run cphaosu finish
8. On the new cluster member, run cphaosu finish
9. Disconnect the old cluster member from the network.
10. Reconnect the other new cluster members to the network one at a time. Do these steps on
each cluster member:
a) Run cphastop
b) Connect the new cluster member to the network.
c) Run cphastart
d) In SmartConsole, change the version of the cluster object to R80.10 and install the Policy.
11. Upgrade the old cluster member and reconnect it to the network.
12. If the cluster has two members: In SmartConsole, change the version to R80.10.
13. Install the Policy.

Upgrade Workflow from R67.10 VSX

Use the Optimal Service Upgrade to upgrade a VSX cluster from R67.10 to a later version, without
loss of connectivity. When you upgrade the cluster, use two cluster members to process the
network traffic.
• OLD cluster member - The R67.10 VSX Gateway on which you install the Optimal Service
Upgrade Hotfix http://supportcontent.checkpoint.com/solutions?id=sk74300.
• NEW cluster member - VSX Gateway that is upgraded to R80.10 and processes new
connections.
Step Diagram of Cluster Members
VSX cluster with four R67.10 VSX

Gateways (OLD).
1 • Install the Optimal Service Upgrade

Hotfix on the cluster member that will
stay connected to the network during
the upgrade.
2 • Leave the cluster with the Hotfix

connected to the network, and
disconnect all other cluster members
2a from the network.
• For upgrades to R77.30, make sure
2b that the cluster ID (the value of the
cluster_id parameter) is the same
on all cluster members.
version, make sure that the value of
the fwha_mac_magic parameter is
the same on all cluster members.
3 • Upgrade the cluster members that
are disconnected from the network
3a
(NEW).
• For upgrades to R77.30 or a later
version, make sure the cluster ID (the
3b value of the cluster_id parameter)
is the same on all the upgraded
cluster members. Change it, if
necessary.
version, make sure that the value of
the fwha_mac_magic parameter on
all the upgraded cluster members is
the same. Change it, if necessary.

Step Diagram of Cluster Members

4 • Connect one upgraded (NEW) cluster
member to the network.
5
turn off fwaccel on all Virtual
Systems. This allows the active (OLD)
cluster member synchronize all
delayed connections with the
upgraded (NEW) cluster member.
Note - If there are a lot of connections
on the Virtual Systems, turning off
6
fwaccel will cause all the
connections to be forwarded to the
firewall. In this case, run the cpstop
command to turn off the firewall.
start the Optimal Service Upgrade
procedure.
7 • On the upgraded cluster member
(NEW) that you connected to the
network, start the Optimal Service
Upgrade procedure. The upgraded
cluster member begins to process
new connections.
8 • Check the number of active

connection on the old cluster
member. When this cluster member
9 almost stops processing connections,
stop the Optimal Service Upgrade
procedure on it.
• Disconnect the old cluster member
from the network.
10 • Reconnect the other upgraded cluster
members to the network.
11 • Upgrade the old cluster member.

12 • Connect all the cluster members to
the network.
13
• Install the policy.

Upgrading the VSX Cluster from R67.10

Two cluster members are used to maintain connectivity, while you upgrade all the other cluster
members.
To use the Optimal Service Upgrade to upgrade the R67.10 VSX cluster members:
1. Install the Optimal Service Upgrade Hotfix on a cluster member. This is the old cluster
member with Hotfix. For instructions and download links, refer to sk74300
2. Disconnect all old cluster members from the network, except for one cluster member.
Make sure that the management interfaces are not connected to the network.
3. On the old cluster member, configure kernel parameters:
• Upgrade to R77.30:
Run: cphaconf cluster_id get
If the cluster ID value is not as expected, run: cphaconf cluster_id set <value>
Make sure all cluster members have the same cluster ID. If a member has a different ID,
run this set command to configure the correct value.
• Upgrade to R77.20 and lower:
Make sure all cluster members use the same value for the fwha_mac_magic parameter.
Run: fw ctl get int fwha_mac_magic
The default value for the fwha_mac_magic parameter is 254. If your configuration uses a
different value, on each member, run: fw ctl set int fwha_mac_magic <value>
For more about the cluster_id and fwha_mac_magic parameters, see the
R80.10 ClusterXL Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54804
and sk25977 http://supportcontent.checkpoint.com/solutions?id=sk25977.
4. Install R80.10 on all the cluster members that are not connected to the network.
5. Prepare the old cluster member for synchronization of old connections with the upgraded
cluster member:
a) On the old cluster member, turn off fwaccel - run: fwaccel off -a
b) On the old cluster member, start the Optimal Serve Upgrade - run: cphaosu start
6. Reconnect the SYNC interface of one new cluster member to the network.
7. Move traffic to the new cluster member that is connected to the network. Do these steps:
a) Make sure the new cluster member is in ready state.
b) Connect the other new cluster member interfaces to the network.
c) On the new cluster member, run cphaosu start
d) On the old cluster member, run cphaosu stat
The network traffic statistics are shown.
e) When the old cluster member does not have many connections, run cphaosu finish
8. On the new cluster member, run cphaosu finish
9. Disconnect the old cluster member from the network.

10. Reconnect the other new cluster members to the network one at a time. Do these steps on
each cluster member:
a) Run cphastop
b) Connect the new cluster member to the network.
c) Run cphastart
11. Upgrade the old cluster member and reconnect it to the network.
Troubleshooting the Upgrade

Use these cphaosu commands if there are problems during the upgrade process.
• If it is necessary to rollback the update, run cphaosu cancel on the new member. The old
member processes all the traffic.
• After you run cpshaosu finish on the old member, you can continue to process the old
traffic on the old member and the new traffic on the new member. Run cphaosu restart on
the old member.
Limitations
1. Upgrade procedure should be implemented when there is minimal network traffic.
2. If there is a member failure during the upgrade, the Optimal Service Upgrade procedure does
not provide redundancy.
3. Do not apply configuration changes during the upgrade process.
4. These connections do not survive the upgrade process:
a) Complex connections, for example:
 DCE RPC  FreeTel

 SUN RPC  WinFrame
 Back Web  NCP
 DHCP  VPN
 IIOP
b) Dynamic routing
c) Bridge mode (L2) configurations

Connectivity Upgrade
Before you run Connectivity Upgrade:
• Make sure that the cluster has two members, one Active and one Standby
• Read sk107042 ClusterXL upgrade methods and paths
• Read sk101209 R77.20 Known Limitations
• Read sk104860 R77.30 Known Limitations
Check Point Connectivity Upgrade (CU) synchronizes existing connections to maintain connectivity
during cluster upgrades.
Connectivity Upgrade is supported during these upgrades:
Upgrade from Version R77.20 R77.30 R80.10

R75.40VS CU CU CU
R75.46 CU CU CU
R75.47 CU CU CU
R76 CU CU CU
R77 - CU CU
R77.10 - CU CU
R77.20 - CU CU
R77.30 - - CU
Notes -
• Software Blade information does not get synchronized. If a connection needs to be inspected
by a Software Blade, and this Software Blade is configured in SmartConsole to Prefer
Connectivity Over Security, then the connection is accepted without the inspection. Otherwise,
the connection is dropped.
• All member gateways must have the same number of CoreXL Firewall instances.
• All member gateways must run the same 32-bit or 64-bit kernel edition.

Upgrading a VSX Cluster

This Procedure is applicable to both High Availability and Load Sharing modes.
Before you upgrade:
Make sure that the cluster has 2 members, one of which is Active and the other is in Standby.
To check the cluster member status:

On each cluster member, run: cphaprob state
To upgrade the cluster:

1. Upgrade the Standby cluster member with CPUSE or a clean install.
2. On the upgraded cluster member, run: cphaprob state
Make sure the status is Ready.
3. Configure dynamic routing.
For BGP, you must configure graceful restart, for BGP routes to remain after failover.
4. Run: cphacu start [no_dr]
If dynamic routing synchronization is not required, use the no_dr option.
The Connectivity Upgrade runs, and shows this message when it finishes: Connectivity
upgrade status: Ready for Failover
5. On the Active cluster member, run these commands:
a) cphaprob state
Make sure the local member is in Active or Active Attention state, and the upgraded
member is in Down state.
b) fwaccel off -a
Turns off SecureXL on all Virtual Systems so that the delayed connections are synchronized
to the upgraded member that is now in Ready state.
c) cpstop
The connections fail over to the upgraded member.
Make sure that it is now in Active state.
7. On the new Active cluster member, run: cphacu stat
Make sure that it handles the traffic. See cphacu stat (on page 130).
8. Upgrade the former Active cluster member with a clean install.
Reboot the gateway after the upgrade.
To make sure all cluster members are up and in VSX High Availability mode:
If the state of a cluster member is HA not started, run: cphastart

Upgrading ClusterXL High Availability Using Connectivity Upgrade

Before you upgrade:
Make sure that the cluster has 2 members, one of which is Active and the other is Standby.
To check the cluster member status:

To upgrade the cluster:

1. Upgrade the Standby cluster member.
Reboot the Standby cluster member after the upgrade.
2. In SmartConsole:
a) Open the cluster object.
b) In the General Properties window, change the Cluster version to the upgraded version.
c) Click Install Policy.
d) In the Install Policy window, go to Installation Mode > Install on each selected gateway
independently section and make sure to clear the checkbox For Gateway Clusters install
on all the members, if it fails do not install at all.
e) Install the Access Policy on the cluster object.
Note - The policy successfully installs on the upgraded cluster member and fails to install on
the Active cluster member. This is expected. Ignore the warning.
3. On the Active cluster member, run: cphaprob state
Make sure the status is Active or Active Attention. Record the IP address of the Sync interface
and the Member ID of the cluster member.
Make sure the status is Ready.
5. On the upgraded cluster member, configure dynamic routing.
For BGP, you must configure graceful restart, for BGP routes to remain after failover.
6. On the upgraded cluster member, run: cphacu start [no_dr]
The Connectivity Upgrade runs, and shows this message when it finishes: Connectivity
upgrade status: Ready for Failover
7. On the upgraded cluster member, run: cphacu state
Make sure that the Active cluster member handles the traffic.

8. On the Active cluster member, run these commands:

a) cphaprob state
Make sure the local member is in Active or Active Attention state, and the upgraded
member is in Down state.
b) fwaccel off -a
Turns off fwaccel on all Virtual Systems, so that the delayed connections are
synchronized to the upgraded cluster member that is now in Ready state.
c) cpstop
The connections fail over to the upgraded cluster member.
Make sure that it is now in the Active state.
10. On the upgraded cluster member, run: cphacu stat
Make sure it handles the traffic.
11. Upgrade the former Active cluster member.
Make sure to reboot it, after the upgrade finishes.
12. In SmartConsole, install Access Policy on this cluster object.
After the cluster upgrade is complete, the Cluster Control Protocol (CCP) run in the broadcast
mode. To return it to the multicast mode, on all cluster members, run (this configuration survives
reboot): cphaconf set_ccp multicast
Connectivity Upgrade Commands

cphacu start
Description Runs Connectivity Upgrade on a cluster member.
Syntax
cphacu start [no_dr]
Notes
Output
cphacu start command outputs this information:
• Dynamic Routing synchronization status
• Performing Full Sync on VSID <VSID number>
• Connectivity Upgrade Status -
• Disabled - Connectivity Upgrade is not running on this cluster member
• Enabled, ready for failover - Connectivity Upgrade completed successfully, and the Active
member can now do the failover
• Not enabled since member is Active - Connectivity Upgrade cannot run, because this
member is Active
• Full sync for connectivity upgrade is still in progress. Wait until full sync finishes

• The peer member is handling the traffic - Shows which cluster member currently handles the
traffic and the version of the Cluster Control Protocol for each member
• Connection table - Shows the summary of the connections table for each Virtual System
Example 1 - VSX High Availability
[Expert@gw2:0]# cphacu start
Starting Connectivity Upgrade...
Dynamic routes synchronization started...

=========================================
Finished Dynamic routes synchronization.
Performing Full Sync

====================
Performing Full Sync on VSID 0. This may take several minutes (depending on the
number of connections); please wait...
==============================================================================
Full Sync ended (Delta Sync is enabled)
For delayed connections (Templates) to be synchronized it is recommended to turn
off SecureXL
on the old member before doing a failover. Run: 'fwaccel off' on the old member
Please note: turning SecureXL off might slow down existing connections.
==============================================================================
Connectivity upgrade status: Enabled, ready for failover

========================================================
The peer member is handling the traffic

=======================================
Version of the local member: 3122
Version of the peer member : 2502
Connections table
=================
VS HOST NAME ID #VALS #PEAK #SLINKS
0 localhost connections 8158 30 103 34

Example 2 - ClusterXL High Availability

[Expert@HostName]# cphacu start
Dynamic routes synchronization started...

=========================================
Finished Dynamic routes synchronization.

====================
Performing Full Sync. This may take several minutes (depending on the number of
connections); please wait...
==============================================================================
==
off SecureXL
==============================================================================
==

========================================================

=======================================
Connections table
=================
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 34 38
37

Example 3 - No Dynamic Routing VSX

[Expert@gw2:0]# cphacu start no_dr
Dynamic routing synchronization is disabled!

====================
==============================================================================
==
off SecureXL
==============================================================================
==

========================================================

=======================================
Connections table
=================

cphacu stat
Description Shows the status of Connectivity Upgrade.
Syntax
cphacu stat
Example 1 - VSX High Availability
[Expert@HostName]# cphacu stat
Connectivity upgrade status: Disabled

=====================================

=======================================
Connection table
================
6 localhost connections 8158 0 1
Example 2 - ClusterXL High Availability

[Expert@HostName]# cphacu stat
Connectivity upgrade status: Disabled

=====================================

=======================================
Connection table
================
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 16 56

CHAPTE R 13
Upgrading Management with High

Availability
In This Section:
Upgrading from R77.xx to R80.10 ..............................................................................131
Upgrading from R80 to R80.10 ...................................................................................131
Upgrading from R77.xx to R80.10

The Pre-Upgrade Verifier prevents the upgrade of a secondary management server in a
management High Availability deployment. To upgrade such a deployment you need to:
1. Upgrade the primary management server using CPUSE
2. Do a clean R80.10 installation on the secondary management
3. Initiate SIC between the primary and secondary management servers and wait for the two
servers to synchronize
Upgrading from R80 to R80.10

1. Upgrade the primary management server to R80.10 using CPUSE
2. Do a clean R80.10 installation on the secondary management.
Install the secondary Security Management Server the same way you installed the primary. For
the primary, if you:
• Did a clean install of R80
• Added the R80 Jumbo Hotfix Accumulator
• Upgraded to R80.10
Repeat the same procedure for the secondary management server. If you do not install the
secondary management server in the same way you installed the primary, the servers will fail
to synchronize after SIC.
3. Connect the secondary to the primary server.
Note - You can reuse the same network object in SmartConsole.
4. Initiate SIC between the primary and secondary management servers and wait for the two
servers to synchronize.

CHAPTE R 14
Working with Licenses

In This Section:
Managing Licenses with SmartConsole ....................................................................132
Maintaining Licenses with Gaia .................................................................................137
You can manage licenses on your Security Gateways in a few ways.

• In SmartConsole ("Viewing Licenses in SmartConsole" on page 132) you can activate your
licenses.
• In Gaia Clish or Expert Mode ("cplic" on page 172), you can add or delete your licenses with the
cplic command.
• In the Gaia Portal ("Configuring Licenses - Gaia Portal" on page 137), you can activate, add, or
delete your licenses.
• In SmartUpdate ("Using SmartUpdate " on page 138), you can add, delete, attach, and detach
your licenses.
Managing Licenses with SmartConsole

Viewing Licenses in SmartConsole
To view license information:
In SmartConsole, go to the Gateways & Servers view, and from the Columns drop-down list,
select Licenses.
You can see these columns:
Column Description
License Status The general state of the Software Blade licenses:
• OK - All the blade licenses are valid.
• Not Activated - Blade licenses are not installed. This is only possible
in the first 15 days after the establishment of the SIC with the
Security Management Server. After the initial 15 days, the absence of
licenses will result in the blade error message.
• Error with <number> blade(s) - The specified number of blade
licenses are not installed or not valid.
• Warning with <number> blade(s) - The specified number of blade
licenses have warnings.
• N/A - No available information.
CK Unique Certificate Key of the license instance.
SKU Catalog ID from the Check Point User Center.

Column Description
Account ID User's account ID.
Support Level Check Point level of support.
Support Expiration Date when the Check Point support contract expires.
To view license information per Software Blade:

1. Select a Security Gateway or a Security Management Server.
2. In the Summary tab below, click the object's License Status (for example: OK).
The Device & License Information window opens. It shows basic object information and
License Status, license Expiration Date, and important quota information (in the Additional
Info column) for each Software Blade.
Notes:
• Quota information, quota-dependent license statuses, and blade information messages are
only supported for R80.
• The tooltip of the SKU is the product name.
The possible values for the Software Blade License Status are:
Status Description
Active The Software Blade is active and the license is valid.
Available The Software Blade is not active, but the license is valid.
No License The Software Blade is active but the license is not valid.
Expired The Software Blade is active, but the license expired.
About to Expire The Software Blade is active, but the license will expire in thirty days
(default) or less (7 days or less for an evaluation license).
Quota Exceeded The Software Blade is active, and the license is valid, but the quota of
related objects (gateways, files, virtual systems, and so on, depending
on the blade) is exceeded.
Quota Warning The Software Blade is active, and the license is valid, but the number of
objects of this blade is 90% (default) or more of the licensed quota.
N/A The license information is not available.

Monitoring Licenses
To keep track of license issues, you can use these options:
• License Status view - To see and export license information for Software Blades on each
specific Security Management Server, gateway, or Log Server object.
• License Status report - To see, filter and export license status information for all configured
Security Management Server, gateway, or Log Server objects.
• License Inventory report - To see, filter and export license information for Software Blades on
all configured Security Management Server, gateway, or Log Server objects.
The SmartEvent Software Blade lets you customize the License Status and License Inventory
information from the Logs & Monitor view of SmartConsole.
It is also possible to view license information from the Gateways & Servers view of SmartConsole
without enabling the SmartEvent blade on Security Management Server.
The Gateways & Servers view in SmartConsole lets you see and export the License
Inventory report.
1. To see the License Inventory report from the Gateways & Servers view:
a) In SmartConsole, from the left Navigation Toolbar, click Gateways & Servers.
b) From the top toolbar, click Actions > License Report.
c) Wait for the SmartView to load and show this report.
By default, this report contains:
 Inventory page: Blade Names, Devices Names, License Statuses
 License by Device page: Devices Names, License statuses, CK, SKU, Account ID,
Support Level, Next Expiration Date
2. To export the License Inventory report from the Gateways & Servers view:
a) In the top right corner, click the Options button.
b) Select the applicable export option - Export to Excel, or Export to PDF.
The Logs & Monitor view in SmartConsole lets you see, filter and export the License
Status report.
1. To see the License Status report from the Logs & Monitor view:
a) In SmartConsole, from the left Navigation Toolbar, click Logs & Monitor
b) At the top, open a new tab by clicking New Tab, or [+].
c) In the left section, click Views.
d) In the list of reports, double-click License Status.
e) Wait for the SmartView to load and show this report.
 Names of the configured objects, License status for each object, CK, SKU, Account ID,

2. To filter the License Status report in the Logs & Monitor view:
a) In the top right corner, click the Options button > View Filter.
The Edit View Filter window opens.
b) Select a Field to filter results. For example, Device Name, License Status, Account ID.
c) Select the logical operator - Equals, Not Equals, or Contains.
d) Select or enter a filter value.
Note - Click the X icon to delete a filter.
e) Optional: Click the + icon to configure additional filters.
f) Click OK to apply the configured filters.
The report is filtered based on the configured filters.
3. To export the License Status report in the Logs & Monitor view:
The Logs & Monitor view in SmartConsole lets you see, filter and export the License
Inventory report.
1. To see the License Inventory report from the Logs & Monitor view:
a) In SmartConsole, from the left Navigation Toolbar, click Logs & Monitor
b) At the top, open a new tab by clicking New Tab, or [+].
c) In the left section, click Reports.
d) In the list of reports, double-click License Inventory.
e) Wait for the SmartView to load and show this report.
 Inventory page: Blade Names, Devices Names, License Statuses
 License by Device page: Devices Names, License statuses, CK, SKU, Account ID,
2. To filter the License Inventory report in the Logs & Monitor view:
a) In the top right corner, click the Options button > Report Filter.
The Edit Report Filter window opens.
b) Select a Field to filter results. For example, Blade Name, Device Name, License Overall
Status, Account ID.
c) Select the logical operator - Equals, Not Equals, or Contains.
d) Select or enter a filter value.
Note - Click the X icon to delete a filter.
e) Optional: Click the + icon to configure additional filters.
f) Click OK to apply the configured filters.
The report is filtered based on the configured filters.

3. To export the License Inventory report in the Logs & Monitor view:

Maintaining Licenses with Gaia

Configuring Licenses - Gaia Portal
If you need to get a license, visit the User Center https://usercenter.checkpoint.com.
See the R80.10 Gaia Administration Guide
Adding a license:
1. In the navigation tree, click Maintenance > Licenses.
2. Click New.
The Add License window opens.
3. Enter the license data manually, or click Paste License to enter the data automatically.
The Paste License button only shows in Internet Explorer. For other web browsers, paste the
license strings into the empty text field.
4. Click OK.
Deleting a license:
1. In the navigation tree, click Maintenance > Licenses.
2. Select a license in the table.
3. Click Delete.

CHAPTE R 15
Using SmartUpdate
In This Section:
Accessing SmartUpdate .............................................................................................138
Licenses Stored in the Licenses & Contracts Repository ........................................139
Licensing Terms for SmartUpdate ............................................................................139
Managing Licenses Using SmartUpdate ...................................................................141
Attaching a License to a Security Gateway ...............................................................145
Detaching Licenses from a Security Gateway ...........................................................145
Installing Software Packages on R80.10 ...................................................................146
Upgrading with SmartUpdate for R77.30 and Below ................................................147
SmartUpdate automatically distributes applications and updates for Check Point and OPSEC
Certified products and manages product licenses. It provides a centralized way to guarantee that
Internet security throughout the enterprise network is always up to date.
These features and tools are available in SmartUpdate:
• Maintaining licenses
• Upgrading packages for R77.30 and below (see "Upgrading with SmartUpdate for R77.30 and
Below" on page 147)
• Adding packages to Package Repository for R77.30 and below ("Using the Package
Repository" on page 148)
Important - The SmartUpdate GUI shows two tabs - Package Management and Licenses &
Contracts. For versions R80.10 and above, the tools in the Package Management tab are no
longer supported. To install packages on Gaia OS, use CPUSE (see sk92449
http://supportcontent.checkpoint.com/solutions?id=sk92449), or Central Deployment Tool (see
sk111158 http://supportcontent.checkpoint.com/solutions?id=sk111158). For further information,
see Installing Packages on R80.10 and above ("Installing Software Packages on R80.10" on page
146).
Accessing SmartUpdate
1. Open the SmartUpdate in one of these ways:
• In SmartConsole, click Menu > Manage licenses & packages.
• On the SmartConsole computer, run this executable file directly:
 On Windows OS 32-bit:
C:\Program
Files\CheckPoint\SmartConsole\<RXX>\PROGRAM\SmartDistributor.exe
 On Windows OS 64-bit:
C:\Program Files
(x86)\CheckPoint\SmartConsole\<RXX>\PROGRAM\SmartDistributor.exe
2. Click Menu > View > Menu Bar.
The menu names appear at the top of the GUI.

Using SmartUpdate
Licenses Stored in the Licenses & Contracts Repository

When you add a license with SmartUpdate, it is stored in the Licenses & Contracts Repository.
The SmartUpdate provides a global view of all licenses available and all of the assigned licenses.
To activate the license once it is in the Repository, it has to be attached to a Security Gateway and
registered with the Management Server.
There are two license types available:
License type Description

Central The Central license is the preferred method of licensing.
• A Central license is tied to the IP address of the Management Server.
• There is one IP address for all licenses.
• The license remains valid if you change the IP address of the Security
Gateway.
• A license can be moved from one Check Point Security Gateway to another
easily.
• Maximum flexibility.
Local The Local license is an older method of licensing that is still supported.
• A Local license is tied to the IP address of the specific Security Gateway.
• Cannot be transferred to a gateway with a different IP address.
Licensing Terms for SmartUpdate

• Add ("Adding New Licenses to the Licenses & Contracts Repository" on page 141)
You can add any license that you receive from the User Center
https://usercenter.checkpoint.com to the License & Contract Repository first.
• You can add the licenses directly from a User Center account ("Download a License From
the User Center" on page 143).
• You can add the licenses from a file ("Importing License Files" on page 143) that you
receive from the User Center.
• You can add the licenses manually ("Adding License Details Manually" on page 143) by
pasting or typing the license details.
When you add the Local license to the License & Contract Repository, it also attaches it to the
Security Gateway with the IP address, for which the license was issued.
• Attach
You can attach a license from the License & Contract Repository to a managed Security
Gateway.
• Detach ("Detaching Licenses from a Security Gateway" on page 145)
When you detach a license from a managed Security Gateway, you have to uninstall the license
from that Security Gateway. If this is a Central license, this operation makes that license in the
License & Contract Repository available to other managed Security Gateways.

Using SmartUpdate
• Get
You can add information from your managed Security Gatewaysabout the licenses you installed
locally. This updates the License & Contract Repository with all local licenses across the
installation. The Get operation is a two-way process that places all locally installed licenses in
the License & Contract Repository and removes all locally deleted licenses from the License
& Contract Repository.
• Delete ("Deleting a License from the Licenses & Contracts Repository" on page 144)
You can delete a license from the License & Contract Repository.
• Export
You can export a license from the License & Contract Repository to a file.
• License Expiration
Licenses expire on a particular date, or never. If a license expires, the applicable products and
features stop working on the Check Point computer, to which the license is attached.
• State
The license state depends on whether the license is associated with a managed Security
Gateway in the License & Contract Repository, and whether the license is installed on that
Security Gateway. The license state definitions are as follows:
• Attached indicates that the license is associated with a managed Security Gateway in the
License & Contract Repository, and is installed on that Security Gateway.
• Unattached indicates that the license is not associated with managed Security Gateways in
the License & Contract Repository, and is not installed on managed Security Gateways.
• Assigned is a license that is associated with a managed Security Gateway in the License &
Contract Repository, but has not yet been installed on a Security Gateway.
• Upgrade Status
This is a field in the License & Contract Repository that contains an error message from the
User Center when the License Upgrade process fails.
• Central License
Attach a Central License to the IP address of your Management Server.
• Local License
A Local License is tied to the IP address of the specific Security Gateway. You can only use a
local license with a Security Gateway or a Security Management Server with the same address.
• Multi-License File
This is a license files that contains more than one license.
The cplic put, and cplic add commands support these files.
• Certificate Key
This is a string of 12 alphanumeric characters. The number is unique to each package.
• Features
This is a character string that identifies the features of a package.
• cplic
A CLI utility to manage local licenses on Check Point computers.

Using SmartUpdate
Managing Licenses Using SmartUpdate

Licenses are stored in the License Repository. You can open the Repository from SmartUpdate. Go
to the Licenses & Contracts tab. From the menu at the top, click the icon. The License & Contract
Repository window shows.
From the Repository you can do the following:
• View Repository contents.
• Add a new license to the Repository ("Adding New Licenses to the Licenses & Contracts
Repository" on page 141).
• Delete a license from the Repository ("Deleting a License from the Licenses & Contracts
Repository" on page 144).
• Upgrade a license ("Upgrading a License" on page 144).
• Export a license to a file ("Exporting a License to a File" on page 144).
• Check for an expired license ("Checking for Expired Licenses" on page 144).
• Maintain the license.
• Attach a license to a Security Gateway ("Attaching a License to a Security Gateway" on page
145).
• Detach a license ("Detaching Licenses from a Security Gateway" on page 145).
• Viewing license properties ("Retrieving License Data from a Check Point Security Gateway"
on page 145).
Adding New Licenses to the Licenses & Contracts Repository

To install a license, you must first add it to the Licenses & Contracts Repository.
You can add any license that you receive from the User Center https://usercenter.checkpoint.com
to the Licenses & Contracts Repository.
• You can add the licenses directly from a User Center account.
• You can add the licenses from a file that you receive from the User Center.
• You can add the licenses manually by pasting or typing the license details.
Notes:
• Unattached Central licenses appear in the Licenses & Contracts Repository.
• When you add the Local license to the Licenses & Contracts Repository, the Management
Server attaches it to the Security Gateway with the IP address, for which the license was
issued.
• All licenses are assigned a default name in the format SKU@ Time Date, which you can modify
at a later time.

Using SmartUpdate
To add a license directly from a User Center account:

1. Open the SmartUpdate ("Accessing SmartUpdate" on page 138)
2. Click Licenses & Contracts menu > Add License > From User Center.
3. Enter your User Center credentials.
4. Click Assets / Info > Product Center.
5. Perform one of the following:
• Generate a new license, if there are no identical licenses. This adds the license to the
Licenses & Contracts Repository.
• Change the IP address of an existing license with Move IP.
• Change the license from Local to Central.
To add a license from a file:

1. In the applicable User Center account:
a) Generate a license.
b) Click the License Information tab.
c) Click Get Last License.
d) Click Get License File.
e) Save the CPLicenseFile.lic file.
2. Open the SmartUpdate ("Accessing SmartUpdate" on page 138).
3. Click Licenses & Contracts menu > Add License > From File.
4. Locate and select the downloaded CPLicenseFile.lic file.
5. Click Open.
6. Follow the instructions in the SmartUpdate.
Note - A License File can contain multiple licenses.
To add a license manually:

1. Generate a license in the User Center.
Notes:
• User Center sends you an e-mail with the license information.
• You can also click the License Information tab to see and copy this information.
2. Open the SmartUpdate ("Accessing SmartUpdate" on page 138).
3. Click Licenses & Contracts menu > Add License > Manually.
4. In the Add License window you can:
• Copy the applicable string from the User Center e-mail and click Paste License.
• Paste the applicable information you copied from the User Center.
Note - If you leave the Name field empty, the license is assigned a name in the format SKU@
Time Date.
5. Click OK.

Using SmartUpdate
Download a License From the User Center

To download a license from the User Center:
1. From SmartUpdate, click the icon at the top of the screen to Add License From User Center.
2. Enter your credentials.
3. Perform one of the following:
• Generate a new license if there are no identical licenses. This adds the license to the
Licenses & Contracts Repository.
• Change the IP address of an existing license, that is, Move IP.
• Change the license from Local to Central.
Importing License Files

To import license files:
1. Select Licenses & Contract > Add License > From File.
2. Browse to the location of the license file, select it, and click Open.
A license file can contain multiple licenses. Unattached Central licenses appear in the Licenses &
Contracts Repository, and Local licenses are automatically attached to their Check Point Security
Gateway. All licenses are assigned a default name in the format SKU@ time date, which you can
modify at a later time.
Adding License Details Manually

If you receive a license by email, you can add it. The email contains the license installation
instructions.
1. Locate the license:
• In the email, copy the license to the clipboard. Copy the string that starts with cplic
putlic... and ends with the last SKU/Feature. For example: cplic putlic 1.1.1.1
06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX
CK-1234567890
• If you have a hard copy printout, continue to step 2.
2. Select the Network Objects License & Contract tab in SmartUpdate.
3. Select Licenses > Add License > Manually. The Add License window shows.
4. Enter the license details:
• If you copied the license to the clipboard, click Paste License. The fields will be populated
with the license details.
• Alternatively, enter the license details from a hard-copy printout.
5. Click Calculate, and make sure the result matches the validation code received from the User
Center.
6. You may assign a name to the license, if desired. If you leave the Name field empty, the license
is assigned a name in the format SKU@ time date.
7. Click OK to complete the operation.

Using SmartUpdate
Deleting a License from the Licenses & Contracts Repository

You can delete a license that is no longer attached to, or needed, from a Check Point Security
Gateway.
To delete a license:
1. Right-click anywhere in the Licenses & Contracts Repository and select View Unattached
Licenses.
2. Select the unattached licenses that you want to delete, and click Delete.
Upgrading a License
SmartUpdate can upgrade licenses that are in the Licenses & Contracts Repository. SmartUpdate
attempts to upgrade them with the use of the Upgrade tool.
Exporting a License to a File

You can export a license to a file and import it at a later time to the Licenses & Contracts
Repository. This can be useful for administrative or support purposes.
To export a license to a file:

1. In the Licenses Repository, select one or more licenses, right-click, and from the menu select
Export to File.
2. In the Export Licenses to File window, name the file (or select an existing file).
3. Click Save.
All the licenses that you select are exported. If the file already exists, the new licenses are added
to the file.
Checking for Expired Licenses

After a license has expired, the functionality of the Check Point package will be impaired.
Therefore, it is advisable to be aware of the pending expiration dates of all licenses.
To check for an expired license, select Licenses > Show Expired Licenses.
To check for licenses nearing their dates of expiration:
1. In the License Expiration window, set the Search for licenses expiring within the next x days
property.
2. Click Apply to run the search.
To delete an expired license from the License Expiration window, click Delete.

Using SmartUpdate
Attaching a License to a Security Gateway

You can select one or more licenses to attach to a gateway. When you attach a license, it is
attached to the remote managed gateway.
New licenses have to be attached when:
• An existing license expires.
• An existing license is upgraded to a newer license.
• A Local license is replaced with a Central license.
• The IP address of the Security Management Server or Check Point Security Gateway changes.
To attach a license:
1. Add the license to the License & Contract Repository.
2. Get the gateway data from the managed gateway.
3. Attach the license to the gateway:
a) From SmartUpdate, select Licenses & Contract.
b) Right-click and select Attach.
c) Select the licenses to attach.
Retrieving License Data from a Check Point Security Gateway

Go to License Properties on the remote gateways to retrieve license data.
From SmartUpdate, double-click a gateway and the License Properties window opens.
To retrieve license data from a single remote gateway, right-click on the gateway and select Get
Licenses.
Detaching Licenses from a Security Gateway

If you want to detach a license, delete a single Central license from a remote Check Point Security
Gateway and mark it as unattached in the License & Contract Repository. You can now use this
license by any Check Point Security Gateway.
To detach a license:
• From SmartConsole, select Licenses & Contract. Right-click and select Detach, and select the
licenses to detach.

CHAPTE R 16
Installing Software Packages on R80.10

Use CPUSE to install software packages on R80.10. See sk92449
Note - To install software packages on the managed Security Gateways or Cluster Members that
run on Gaia, you can use the Central Deployment Tool. See sk111158

Using SmartUpdate
Upgrading with SmartUpdate for R77.30 and Below

You can remotely upgrade all Check Point packages on a single remote gateway, other than the
operating system, in a single operation. The Upgrade all Packages function allows you to
simultaneously distribute or upgrade multiple packages to the latest management version.
Upgrading a Single Package on a Check Point Remote Gateway

Use this procedure to select the specific package that you want to apply to a single package. The
Distribute function allows you to:
• Upgrade the OS
• Upgrade a package to a management version other than the latest
• Apply Hot Fix Accumulators (HFAs)
To update a single package on a remote gateway:

1. In the Package Management window, right-click the Check Point Security Gateway to upgrade.
2. Select Distribute Package.
3. From the Distribute Package window, select the package to distribute.
Use the Ctrl and Shift key to select multiple packages.
4. Click Distribute.
The installation proceeds only if the upgrade packages selected are available in the Package
Repository.
Upgrading All Packages on a Check Point Remote Gateway

You can remotely upgrade all Check Point packages on a single remote gateway, other than the
operating system, in a single operation. The Upgrade all Packages function allows you to
simultaneously distribute or upgrade multiple packages to the latest management version.
1. Click Packages > Upgrade all Packages.
2. From the Upgrade All Packages window, select the Check Point Security Gateways that you
want to upgrade. Use the Ctrl and Shift keys to select multiple devices.
Note - The Reboot if required option (selected by default) is required, to activate the newly
distributed package.
3. If one or more of the required packages are missing from the Package Repository, the
Download Packages window opens. Download the required package directly to the Package
Repository.
4. Click Upgrade.
The installation proceeds only if the upgrade packages for the selected packages are available
in the Package Repository.

Using SmartUpdate
Prerequisites for Remote Upgrades

Make sure that SmartUpdate connections are allowed.
1. In SmartConsole, click Menu > Global properties > Track > Log Implied Rules.
2. Make sure that Accept SmartUpdate Connections is selected.
Secure Internal Communication (SIC) must be established between the Security Management
Server and remote Check Point Security Gateways.
Distributions and Upgrades

You can upgrade all packages on one remote gateway, or you can distribute specific packages
one-by-one for all Gateways.
Canceling and Uninstalling

You can stop a Distributed installation or upgrade while in progress.
To stop a Distributed installation or upgrade:

From the SmartUpdate Menu, select Operation > Stop Operation.
To uninstall a package:
From the SmartUpdate Menu, select Packages > Uninstall.
Note - Uninstallation restores the gateway to the last management version distributed.
Restarting the Check Point Security Gateway

After you Distribute an upgrade or uninstall, reboot the gateway.
To restart the gateway:

• Select Reboot if required at the final stage of upgrade or uninstall.
• Select Packages > Reboot Gateway.
Using the Package Repository

Retrieving Package Data from Check Point Security Gateways
You can find details about the gateway, such as OS, vendor and management version from the
Package Repository in SmartUpdate.
From SmartUpdate, go to the menu > Packages. Make sure that View Repository is checked. You
can also find the Package Repository by clicking the icon at the top of the screen.
To find Operation Status of the gateway, go to the Package Management tab. Right-click on a
gateway and select Get Gateway Data.

Using SmartUpdate
Transferring Files from the Package Repository to Remote Devices

When you are ready to upgrade or distribute packages from the Package Repository, we
recommend that you transfer the package files to the devices to be that you want to upgrade.
When you place the file on the remote device, the overall installation time is less, the Security
Management Server is free to do other operations, and there is less of a chance of a
communications error during the distribute/upgrade process. Once the package file is located on
the remote device, you can activate the distribute/upgrade whenever it is convenient.
Transfer the package file(s) to the directory $SUROOT/tmp on the remote device. If this directory
does not exist, do one of the following:
• For Windows Gateways, place the package file in the directory SYSTEMDRIVE\temp
(SYSTEMDRIVE is usually C:\)
• For UNIX Gateways, place the package file in the directory /opt/.
Verifying the Viability of a Distribution from the Package Repository

Verify that the distribution (installation) or upgrade is viable based upon the Check Point Security
Gateway data retrieved. The verification process checks that:
• The Operating System and currently distributed packages are appropriate for the package
to be distributed.
• There is sufficient disk space.
• The package is not already distributed.
• The package dependencies are fulfilled.
To manually verify a distribution, from the SmartUpdate Menu, select Packages > Pre-Install
Verifier.
Adding New Packages to the Package Repository

To distribute (install) or upgrade a package, you must first add it to the Package Repository. You
can add packages from these locations:
Download Center
Select Packages > New Package > Add from Download Center.
1. Accept the Software Subscription Download Agreement.
2. Enter your user credentials.
3. Select the packages to be downloaded. Use the Ctrl and Shift keys to select multiple files.
You can also use the Filter to show just the packages you need.
4. Click Download to add the packages to the Package Repository.

Using SmartUpdate
User Center
Use this procedure for adding OPSEC packages and Hotfixes to the Package Repository.
1. Open a browser to the Check Point Support Center http://supportcenter.checkpoint.com.
2. Select the package you want to upgrade.
3. Enter your user credentials.
4. Accept the Software Subscription Download Agreement.
5. Choose the appropriate platform and package, and save the download to the local disk.
6. Select Packages > New Package > Import File.
7. In the Add Package window, navigate to the desired .tgz file and click Open to add the
packages to the Package Repository.
Deleting Packages from the Package Repository

To clear the Package Repository of extraneous or outdated packages, select a package, or
Ctrl-select multiple packages and select Packages > Delete Package. This operation cannot be
undone.
Generating CPInfo
CPInfo is a support tool that gathers into one text file a wide range of data concerning the Check
Point packages in your system. When speaking with a Check Point Technical Support Engineer,
you may be asked to run CPInfo and transmit the data to the Support Center. Download the tool
from the Support Center http://supportcontent.checkpoint.com/solutions?id=sk30567.
To launch CPInfo, select Tools > Generate CPInfo.
1. Choose the directory to which you want to save the output file.
2. Choose between two methods to name the file:
• based on the SR number the technician assigns you, or
• a custom name that you define.
3. Optionally, you may choose to add:
• log files to the CPInfo output.
• the registry to the CPInfo output.
For more information about the CPInfo Utility, see sk92739

Using SmartUpdate
Sending CPinfo to Check Point Automatically

SmartUpdate lets you automatically generate and send CPinfo to Check Point Technical support.
To automatically generate and send CPinfo:

1. Open SmartUpdate.
2. Right click a Security Gateway or Security Management Server.
3. Select Upload CPInfo to Check Point.
The Upload CPinfo from... window opens.
4. Enter your User Center authentication credentials (email and password) and SR number.
5. Select Download and install latest CPInfo package.
6. Enter an SR Number if you have one.
7. Click Upload More files if you want to send additional files.
Click Add to enter the full path to the remote file on the remote gateway or Security
Management Server.
8. Click OK.
The Operation Status window opens.
• CPinfo generates the data, encrypts and transfers the data to the User Center.
• After the secure file upload successfully completes, an email notification is sent to the
email address specified in step 3.

CHAPTE R 17
Check Point Cloud Services

In This Section:
Automatic Downloads .................................................................................................152
Sending Data to Check Point......................................................................................153
Automatic Downloads
Check Point products connect to Check Point cloud services to download and upload information.
You can enable or disable Automatic Downloads in the Gaia First Time Configuration Wizard, on
the Products page. We recommend that you enable Automatic Downloads, so that you can use
these features:
• Blade Contracts are annual licenses for Software Blades and product features. If there is no
valid Blade contract, the applicable blades and related features will work, but with some
limitations.
• CPUSE lets you manage upgrades and installations on Gaia OS. See sk92449
• Data updates and Cloud Services are necessary for the full functionality of these Software
Blades and features:
• Application & URL Filtering • Threat Prevention (Anti-Bot, • HTTPS Inspection
• Application Database Anti-Virus, Anti-Spam, IPS, Threat • Compliance
Emulation)
• URL Filtering database • SmartEndpoint
• AppWiki • Threat Wiki
The Automatic Downloads feature is applicable to the Security Management Servers,

Multi-Domain Servers, Log Servers, and Security Gateways.
If you disabled Automatic Downloads in the Gaia First Time Configuration Wizard, you can enable it
again in SmartConsole Global properties:
1. Click Menu > Global properties > Security Management Access.
2. Select Automatically download Contracts and other important data.
3. Click OK.
4. Close the SmartConsole.
5. Connect with the SmartConsole to your Management Server.
6. Install the Access Policy.
To learn more, see sk94508 http://supportcontent.checkpoint.com/solutions?id=sk94508.

Check Point Cloud Services
Sending Data to Check Point

In the Gaia First Time Configuration Wizard, on the Summary page, you can enable or disable data
uploads to Check Point. This feature is enabled by default. The CPUSE statistics require this
feature.
In R77 and above, this setting activates the Check Point User Center Synchronization Tool. It
updates your User Center https://usercenter.checkpoint.com account with information from your
Security Gateways, mapping your SKUs to your actual deployment.
This setting of a Security Management Server applies to all its managed Security Gateways
(running R77 and above).
You can always change this setting in SmartConsole:
1. Click Menu > Global properties > Security Management Access.
2. Select or clear Improve product experience by sending data to Check Point.
3. Click OK.
4. Close the SmartConsole.
5. Connect with the SmartConsole to your Management Server.
6. Install the Access Policy.
To learn more, see sk94509 http://supportcontent.checkpoint.com/solutions?id=sk94509.
Note - In some cases, the download process sends a minimal amount of required data about your
Check Point installation to the Check Point User Center.

CHAPTE R 18
Advanced Deployments and

Conversions
In This Section:
Deploying Bridge Mode Security Gateways ...............................................................154
Deploying Bridge Mode Security Gateways

If you install a new Security Gateway in a network and cannot change the IP routing scheme, use
bridge mode. A Security Gateway in bridge mode is invisible to Layer-3 traffic. When authorized
traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a
Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the
other interface. Bridging lets the Security Gateway inspect and forward traffic, without the original
IP routing.
Before configuring the bridge, install the Security Gateway.
To manage the gateway in bridge mode:
• The gateway must have a separate, routed IP address
• You must configure the bridged interfaces
To configure a bridge interface in the Gaia Portal:

1. In the Gaia Portal navigation tree, select Network Interfaces.
2. Click Add > Bridge, or select an interface and click Edit.
The Add (or Edit) Bridge window opens.
3. On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
4. Select the interfaces from the Available Interfaces list and then click Add.
5. Click the IPv4 or IPv6 tabs, and then enter the IP addresses and subnet.
Or click Obtain IP Address automatically.
6. Click OK.
To configure a bridge interface with the CLI:

1. Run: add bridging group <Group Name> interface <physical interface name>
2. Run again for each interface in the bridge.
3. Run: save config
4. Add a bridge interface IP address:
• IPv4: set interface <Group Name> ipv4-address <IP> subnet-mask <Mask>
• IPV6: set interface <Group Name> ipv6-address <IP> mask-length <Prefix>
5. Run: save config

Advanced Deployments and Conversions
Supported Software Blades: Gateway and Virtual Systems

These Software Blades support bridge mode (unless stated they do not) for single Security
Gateway deployment, cluster with one switch in Active/Active and Active/Standby deployment, and
cluster with four switches.
Supported Blade Supports Gateways in Supports Virtual Systems in

Bridge Mode Bridge Mode
Firewall Yes Yes
IPS Yes Yes
URL Filtering Yes Yes
DLP Yes No
Anti-Bot and Anti-Virus Yes Yes
Application Control Yes Yes
HTTPS Inspection Yes No
Identity Awareness Yes No
Threat Emulation Yes Yes
QoS Yes No
Client Authentication Yes No
User Authentication Yes No
Configuring One Gateway in Bridge Mode
Item Description
1 Security Gateway bridges Layer-2 traffic over one IP address, with a subnet on each
side, using the same address
2 Switch from a bridged interface to a subnet
3 Switch from a second bridged interface to a second subnet
4 Internal network

To define the bridge topology:

1. Configure a dedicated management interface.
2. Configure the bridge interface. It must be in the bridged subnet. Only the bridge interface has
an IP address. The bridge ports must not have IP addresses.
3. Configure the bridge topology in the properties of the network object:
• If a bridge port connects to the Internet, set the interface to External.
• If the Security Gateway is in rules with Internet objects, set the interface to External.
• If the topology uses Anti-Spoofing for the internal port (interface), set the interface to
Internal and select the network that connects to the port.
• If the topology does not use Anti-Spoofing, disable Anti-Spoofing on the bridge port.
For example:
Bridge Interface - eth0 - External - 192.0.2.0.208/24
Bridge Port to Internet - eth1 - External - 0.0.0.0/0
Bridge Port with Anti-Spoofing - eth2 - Internal to CP_default_Office network - 0.0.0.0/0
Configuring ClusterXL in Bridge Mode

You can configure cluster gateways for Bridge Mode in different deployments - Active/Standby
mode, or Active/Active mode.
Example:
Item Description
1 Internal network
2 Switch for internal network
3 Security Gateway bridging Layer-2 traffic
3a eth1 - connects to the internal network
3b eth3 - ClusterXL Sync interface
3c eth2 - connects to the external network
4 Switch for external network
5 Internet

Configuring Bridge Mode - Active/Standby

This is the preferred mode in topologies that support it.
In Bridge Active/Standby mode, ClusterXL decides the cluster state. The Standby cluster member
drops all packets. It does not pass any traffic, including STP/RSTP/MSTP. If there is a cluster
failover, the switches are updated by the Active cluster member to forward traffic to the new
Active member.
Best practice - If you use Bridge Active/Standby mode, disable STP/RSTP/MSTP on the adjacent
switches.
To configure Bridge Active/Standby mode, do these steps on both cluster members:

1. Configure the cluster.
2. Run: cpconfig
3. Enter 8, to select Enable Check Point ClusterXL for Bridge Active/Standby.
4. Confirm: y
5. Reboot the cluster member.
6. In SmartConsole, install Access Policy on this cluster object.
7. Check the cluster state.
Run: cphaprob state
The output is similar to:
Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP Membership
Number Unique Address Firewall State (*)
1 (local) 2.2.2.3 Active
2 2.2.2.2 Standby
Configuring Bridge Mode - Active/Active

When you define a Bridge interface on a cluster member, Bridge Active/Active mode is enabled by
default.
To configure Bridge Active/Active mode, do these steps on both cluster members:

1. Configure a dedicated Management interface.
2. Configure a dedicated Sync interface.
3. Add a Bridge interface, as in a one-gateway deployment ("Configuring One Gateway in Bridge
Mode" on page 155).
Do not configure an IP address on the newly created bridge interface.
4. Configure the ClusterXL in High Availability mode.
5. In SmartConsole, open the cluster object.
6. In the Gateway Cluster Properties window, click Network Management page.
7. Click Get Interfaces > Get Interfaces With Topology.
8. Make sure the dedicated Management and Sync interfaces are configured correctly.
9. Make sure the bridge interface and bridge ports are not in the topology.
Bridge port topology cannot be defined. It is external by default.
10. Click OK.
11. Install Access Policy on this cluster object.

12. Check the cluster state.

Run: cphaprob state
Example of expected output:
Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP Membership
Number Unique Address Firewall State (*)
1 (local) 192.0.2.3 Active
2 192.0.2.2 Active
Confirming the High Availability Configuration

After you configure Active/Active mode, the output for chpaprob state shows that the
Firewall State is Active/Active. Make sure that the cluster is configured for High
Availability.
To confirm the High Availability configuration:

1. Open the cluster object.
2. In the cluster Properties window, click ClusterXL.
3. In the Cluster Mode section, make sure that High Availability is selected.
4. Click OK.
Configuring Bridge Mode - Cluster Between Four Switches

You can configure a bridged cluster between four switches, in Active/Active mode.
Bridge Active/Standby mode is not supported.
Example:
Item Description
1 Security Gateway bridging Layer-2 traffic
2 eth1
3 eth2
4 eth3 - ClusterXL Sync interface
5 Switches
See also: Bonding with ClusterXL in Layer-2

http://supportcontent.checkpoint.com/documentation_download?ID=23341.

Routing and Bridges

Security Gateways with a bridge interface can support Layer 3 routing over non-bridged
interfaces. If you configure a bridge interface with an IP address for one Security Gateway (not a
cluster), the bridge functions as a regular Layer 3 interface. It participates in IP routing decisions
on the gateway and supports Layer 3 routing.
• Cluster deployments do not support this configuration.
• You cannot configure the bridge to be the route gateway.
• One Security Gateway can support multiple bridge interfaces, but only one bridge can have an
IP address.
• The Security Gateway cannot filter or transmit packets on a bridge interface that it inspected
before (double-inspection).
Management over Bridge

When a Layer-3 management interface sends traffic through the firewall, the traffic is dropped.
The firewall cannot inspect the same packet again.
• The first packet is inspected and goes from the management interface to the router.
• The router sends the packet to the bridge interface.
• The firewall concludes that this packet is a retransmission and drops it.
Item Description
1 Security Management Server sends management packet to management interface
2 Management interface on Security Gateway Firewall bridging Layer-2 traffic inspects

the packet and sends it to the router
3 Router sends the packet to the bridge interface
4 Bridge interface drops the packet as a retransmission
Configure the Security Gateway to handle management packets properly.
Security Gateways R77.10 and Higher

This feature is supported in R77.10 and higher.
You can configure the Security Gateway to recognize that the first packet is from the management
interface. The firewall makes sure that the MD5 hash of the packet that leaves the management
interface and enters the bridge interface is the same. Other packets in this connection are
handled by the bridge interface without using the router.

To enable management over the bridge:

1. Edit $FWDIR/boot/modules/fwkern.conf
If necessary, create this file.
2. Add the appropriate line to the file:
• For IPv4 traffic - fwx_bridge_reroute_ipv4=<management>
• For IPv6 traffic - fwx_bridge_reroute_ipv6=<management>
<management> is the IP address of the management interface.
3. Reboot the Security Gateway.
Security Gateways R77 and Earlier

Incoming and outgoing traffic from a Layer-3 management interface is dropped if traversed over a
bridge interface. You can make this traffic pass. Disable inspection on the management interface
and disable local Anti-Spoofing.
Note - This removes inspection from the management interface and could compromise gateway
security. If you are unsure whether your environment is safe to use this method, contact Check
Point Solution Center.
To configure management over the bridge:

1. Open $PPKDIR/boot/modules/simkern.conf and add:
simlinux_excluded_ifs_list=interface name
(Create this file if not found.)
Where the value (interface name) is the management interface name.
This excludes the management interface from SecureXL.
2. Edit $FWDIR/modules/fwkern.conf.
(Create this file if not found.)
Add these lines:
fwx_bridge_use_routing=0
fw_local_interface_anti_spoofing=0
fwlinux_excluded_ifs_list=interface name
Where the value (interface name) is the management interface name.
This disables local Anti-Spoofing and bridge routing, and excludes the management interface
from security inspection.
3. Reboot.

IPv6 Neighbor Discovery

Neighbor discovery works over the ICMPv6 Neighbor Discovery protocol, which is the functional
equivalent of the IPv4 ARP protocol. ICMPv6 Neighbor Discovery Protocol must be explicitly
permitted for all bridged networks in your Firewall rules. This is different from ARP. Traffic is
permitted in ARP regardless of the Rule Base.
This is an example of a Rule Base that permits ICMPv6 Neighbor Discovery protocol:
Source Destination Services and Applications Action

Bridged_Network Bridged_Network neighbor - advertisement Accept
neighbor - solicitation
router - advertisement
router - solicitation
redirect6
Configuring Link State Propagation (LSP) in ClusterXL

You can bind two or more physical ports on a Check Point Line Card together, so that when the
link state for one port goes down, the other ports also goes down. This lets a switch detect and
react to a link failure on the other side of a bridge or another part of the network.
Follow the instructions in sk108121: How to configure Link State Propagation (LSP) in a Bridge
interface on Gaia OS and SecurePlatform OS
Managing Ethernet Protocols

This feature is supported in R77.10 and higher.
It is possible to configure a Security Gateway with bridge interface to allow or drop protocols that
are not based on IP that pass through the bridge interface. For example, protocols that are not
IPv4, IPv6, or ARP.
By default, these protocols are allowed by the Security Gateway.
To manage the traffic of Ethernet protocols:

1. Change the value of global parameter fwaccept_unknown_protocol in
$FWDIR/modules/fwkern.conf. The default value is 1.
2. Create user defined tables in $FWDIR/conf/user.def file (see sk98239
http://supportcontent.checkpoint.com/solutions?id=sk98239):
$ifndef __user_def__
$define __user_def__
\\
\\ User defined INSPECT code
\\
allowed_ethernet_protocols={ <0x44,0x44> );
dropped_ethernet_protocols={ <0x4,0x4> );
fendif /*__user_def__*/

Traffic is allowed if:

• fwaccept_unknown_protocol is enabled
• OR protocol is in allowed_ethernet_protocols table
• AND NOT in dropped_ethernet_protocols table
VLANs
When switches are configured with VLANs, VLAN traffic can pass through our bridge in Access
mode or in Trunk mode:
• Access mode (VLAN translation) – Bridge is constructed from two VLAN interfaces.
• Trunk mode – Bridge is constructed from two non-VLAN interfaces. The VLAN tag is not
removed, and the firewall processes the tagged packet. The traffic passes with the original tag
to its destination.
Item Description
1 Security Gateway
2 Switch
3 Access mode bridge 1 with VLAN translation
4 Access mode bridge 2 with VLAN translation
5 VLAN 3 (eth 1.3)
6 VLAN 33 (eth 2.33)
7 VLAN 2 (eth 1.2)
8 VLAN 22 (eth 2.22)

Access Mode VLAN

When the switch is configured in Access Mode, create the bridge from two VLAN interfaces as the
slave ports of the bridge. For VLAN translation, use different numbered VLAN interfaces to create
the bridge. You can build multiple VLAN translation bridges on the same Security Gateway.
Note - VLAN translation is not supported over bridged FONIC (Fail open NIC) ports.
See sk85560 http://supportcontent.checkpoint.com/solutions?id=sk85560.
To configure VLAN translation:

1. Add the VLANs. In the Gaia Portal: Network Management > Network Interfaces > Add > VLAN.
2. The Add VLAN window opens. Configure the interfaces of the VLAN: IPv4, IPv6, VLAN ID, and
add the VLAN interface to a physical interface.
When you set a VLAN ID to be a member of a physical interface, the VLAN interface name
<physical_interface>.<vlan_id>. For example, if VLAN ID 2 is a member of eth1, the VLAN
interface is eth1.2.
3. Open the Add Bridge window and select the VLAN interfaces in the Bridge tab.
Special Protocols
PVST - Per-VLAN Spanning Tree. PVST is a proprietary Cisco version of STP and maintains a
spanning tree instance for each VLAN. It uses ISL Trunking and lets a VLAN trunk be forwarded
for some VLANs and blocked for others. Because PVST treats each VLAN as a separate network, it
can load balance traffic at layer-2. It forwards some VLANs on one trunk and other VLANs on
another trunk without causing a Spanning Tree loop.
BPDU - Bridge Protocol Data Unit. BPDUs are data messages that are exchanged across
the switches within an extended LAN that uses STP topology.
When VLAN translation is configured, BPDU frames can arrive with the wrong VLAN number to
the ports through the bridge. This mismatch can cause the switch port to enter blocking mode.
In Active-Standby mode only, there are options to avoid blocking mode.
To disable BPDU forwarding:

1. Edit the file /etc/rc.d/init.d/network
2. After the line:
./etc/init.d/functions
Add this line:
/sbin/sysctl -w net.bridge.bpdu_forwarding=0
3. Save the file.
To configure the gateway to allow only IPv4, IPv6, and ARP traffic:
1. Add to $FWDIR/modules/fwkern.conf the line: fwaccept_unknown_protocol=0

Trunk Mode
If you configure the switch ports as VLAN trunk, the Check Point bridge should not interfere with
the VLANs. To configure bridge with VLAN trunk, create the bridge from two interfaces (no VLAN).
Note - VLAN translation is not supported in Trunk mode.

Security Before Firewall Activation

There are different reasons for a computer to not have a security policy installed and to be
vulnerable. To protect the computer and network, Check Point has baseline security:
• Boot Security - Security during boot process
• Initial Policy - Security before a policy is installed for the first time
Boot Security
During the boot process, there are a few seconds after the computer can receive communication
(and can be attacked) and before the security policy is loaded and enforced. firewall Boot Security
protects the computer, and its networks, during this time. Boot Security works through control of
IP Forwarding on boot and the Default Filter.
The Default Filter also provides protection if firewall processes are stopped for maintenance.
Control of IP Forwarding on Boot

Boot Security disables IP forwarding in the OS kernel. There is never a time when IP Forwarding is
active without a security policy. This protects the networks behind the Security Gateway.
The Default Filter

Boot Security loads the Default Filter when it disables IP Forwarding, after bootup and before
interfaces are configured. You can configure the Default Filter to work in different modes:
• General Filter accepts no inbound communication (this is the default option).
• Drop Filter accepts no inbound or outbound communication. This filter drops all
communications in and out of the gateway during a period of vulnerability.
Best Practice: If the boot process requires that the gateway communicate with other hosts, do not
use the Drop Filter.
The Default Filter also provides Anti-Spoofing protection for the Security Gateway.
Changing the Default Filter

There are two filter files in $FWDIR/lib: defaultfilter.boot and defaultfilter.drop
To change the Default Filter:

1. Copy the Default Filter file (defaultfilter.boot or defaultfilter.drop) to:
$FWDIR/conf/defaultfilter.pf
2. Compile the Default Filter: fw defaultgen
The output is $FWDIR/state/default.bin
3. Get the Default Filter file path: fwboot bootconf get_def
4. Copy default.bin to the Default Filter file path.
5. Generate the Initial Policy: cpconfig

Defining a Custom Default Filter

For administrators with Inspect knowledge, you can define your own Default Filter.
Make sure your security policy does not interfere with the boot process.
To define a Default Filter:

1. Create an Inspect script named: $FWDIR/conf/defaultfilter.pf
Important - The script must not do these functions:
• Logging
• Authentication
• Encryption
• Content security
2. Run: fw defaultgen
3. Run: fwboot bootconf get_def
4. Copy $FWDIR/state/default.bin to the Default Filter file path.
5. Generate the Initial Policy from: cpconfig
Using the Default Filter for Maintenance

It is sometimes necessary to stop firewall processes for maintenance. It is not always practical to
disconnect the Security Gateway from the network (for example, if the gateway is on a remote
site).
Run the cpstop command with the -fwflag <value> to make sure the Security Gateway is
protected when Check Point processes are stopped.
> cpstop -fwflag {-proc|-default}
-fwflag -proc Maintains the active Security Policy running in the kernel when Check
Point daemons and services are stopped. Rules with generic allow, reject,
or drop rules based on services continue to work.
-fwflag -default The active Security Policy running in the kernel is replaced with the
Default Filter, which allows open connections to the gateway to remain
open.

The Initial Policy

Until the Security Gateway administrator installs the security policy on the gateway for the first
time, security is enforced by an Initial Policy. The Initial Policy operates by adding "implied rules"
to the Default Filter. These rules forbid most communication yet allows the communication
needed for the installation of the security policy. The Initial Policy also protects a gateway during
Check Point product upgrades, when a SIC certificate is reset on the gateway, or in the case of a
Check Point product license expiration.
Note - During a Check Point upgrade, a SIC certificate reset, or license expiration, the Initial Policy
overwrites the user-defined policy.
The sequence of actions during boot of the Security Gateway computer until a security policy is
loaded for the first time:
1. The computer boots up.
2. The Default Filter loads and IP Forwarding is disabled.
3. The interfaces are configured.
4. Security Gateway services start.
5. The Initial Policy is fetched from the local gateway.
6. SmartConsole clients connect or Trust is established, and the security policy is installed.
The Initial Policy is enforced until a user-defined policy is installed, and is never loaded again. In
subsequent boots, the regular policy is loaded immediately after the Default Filter.
There are different Initial Policies for standalone and distributed setups. In a standalone
configuration, where the Security Management Server and the Security Gateway are on the same
computer, the Initial Policy allows CPMI communication only. This permits SmartConsole clients
to connect to the Security Management Server.
In a distributed configuration, where the Primary Security Management Server is on one computer
and the Security Gateway is on a different computer, the Initial Policy allows the following:
• Primary Security Management Server computer — allows CPMI communication for
SmartConsole clients.
• Security Gateway — allows cpd and fwd communication for SIC communication (to establish
trust) and for Policy installation.
In a distributed configuration, the Initial Policy on the Security Gateway does not allow CPMI
connections. The SmartConsole will not be able to connect to the Security Management Server if
the SmartConsole must access the Security Management Server through a gateway running the
Initial Policy.
There is also an Initial Policy for a Secondary Security Management Server (Management High
Availability). This Initial Policy allows CPMI communication for SmartConsole clients and allows
cpd and fwd communication for SIC communication (to establish trust) and for Policy installation.

Monitoring Security
You can see that the Default Filter or the Initial Policy are loaded on a non-production Security
Gateway. Restart the computer before Install Policy and run:
$FWDIR/bin/fw stat
If the output shows defaultfilter for the Default Filter status and InitialPolicy for the installed
policy, the computer is running on the default, pre-firewall security.
Unloading Default Filter or Initial Policy

To unload a Default Filter or an Initial Policy from the kernel, use the command to unloading a
regular policy. Do this only if you are sure that the security of the Default Filter or Initial Policy is
not required.
To unload the Default Filter locally: fw unloadlocal
To unload an Initial Policy from a remote Security Management server: fwm unload <gateway>
Where gateway is the SIC_name of the gateway.
Troubleshooting: Cannot Complete Reboot

In some configurations, the Default Filter prevents the Security Gateway from completing the
reboot after installation.
First, look at the Default Filter. Does the Default Filter allow traffic required by the boot
procedures? If the boot process cannot complete successfully, remove the Default Filter.
1. Reboot in single user mode.
2. Set the Default Filter to not load again: fwbootconf bootconf Set_def
3. Reboot.

CHAPTE R 19
CLI Commands
In This Section:
cpconfig .......................................................................................................................170
cplic .............................................................................................................................172
cppkg ...........................................................................................................................187
cprid .............................................................................................................................190
cprinstall .....................................................................................................................191
control_bootsec ..........................................................................................................199
fwboot bootconf ..........................................................................................................200
comp_init_policy .........................................................................................................201
cpstop -fwflag default and cpstop -fwflag proc ........................................................202
All management operations can be executed via the command line. There are three main
commands:
• cppkg to work with the Packages Repository.
• cprinstall to perform remote installations of packages.
• cplic for license management.

CLI Commands
cpconfig
Description
This command starts the Check Point Configuration Tool. This tool is used to configure installed
Check Point products.
The options shown depend on the configuration and installed products:
Menu Option Description

Licenses and contracts Manages Check Point licenses and contracts.
Administrator Configures Check Point system administrators

for the Security Management Server.
GUI Clients Configures the GUI clients that can use

SmartConsoles to connect to the Security
Management Server.
SNMP Extension Do not use this option anymore.

To configure SNMP, see the R80.10 Gaia
Administration Guide
https://sc1.checkpoint.com/documents/R80.10/
WebAdminGuides/EN/CP_R80.10_Gaia_AdminG
uide/html_frameset.htm - Chapter System
Management - Section SNMP.
Random Pool Configures the RSA keys, to be used by Gaia OS.
Certificate Authority Initializes the Internal Certificate Authority (ICA)

and configures the Certificate Authority's (CA)
Fully Qualified Domain Name (FQDN).
Certificate's Fingerprint Shows the ICA's Fingerprint. This fingerprint is

a text string derived from the Security
Management Server or Domain Management
Server ICA certificate. This fingerprint verifies
the identity of the Security Management Server
or Domain Management Server when you
connect to it with a SmartConsole.
Automatic start of Check Point Products Shows and controls which of the installed
Check Point products start automatically during
boot.
Exit Exits from the Check Point Configuration Tool.

CLI Commands
Syntax
cpconfig
Note - On Multi-Domain Server, run the mdsconfig command.
Example - Menu on a Security Management Server

[Expert@MyMGMT:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.
Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point Products
(9) Exit
Enter your choice (1-9) :

CLI Commands
cplic
The cplic command lets you manage Check Point licenses. The cplic command can be run in
Gaia Clish or in Expert Mode.
Best Practice - Manage licenses in the SmartUpdate GUI.
License Management is divided into three types of commands:
• Local licensing commands are executed on the Check Point computers.
• Remote licensing commands are executed on the Security Management Server, and affect the
managed Security Gateways.
• License Repository commands are executed on the Security Management Server, and affect
the licenses stored in the local license repository.
For more about managing licenses, see the R80.10 Security Management Administration Guide
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManage
ment_AdminGuide/html_frameset.htm.
Syntax for Local Licensing

cplic
-h
put <options>
del <options>
print <options>
check <options>
contract <options>
Syntax for Remote Licensing

cplic
-h
put <Object Name> ...
del <Object Name> <options>
get {<IP Address> | <Host Name> | -all}
upgrade -l <Input File>
Syntax for License Database Operations

cplic
-h
db_add <options>
db_rm <options>
db_print <options>
Note - For help on commands, add the -h option.

CLI Commands
cplic check
Description
Confirms that the license includes the feature on the local Security Gateway or Security
Management Server.
Syntax
cplic check [-p <Product>] [-v <Version>] [-c | -count] [-t <Date>] [-r | -routers]
[-S | -SRusers] <Feature>
Parameters
-p <Product> Product, for which license information is requested.

Example: fw1, netso
-v <Version> Product version, for which license information is requested.
-c | -count Outputs the number of licenses connected to this feature.
-t <Date> Checks license status on future date.

Use the format ddmmyyyy.
A feature can be valid on a given date on one license, but invalid
on another.
-r | -routers Checks how many routers are allowed.

The <Feature> option is not needed.
-S | -SRusers Checks how many SecuRemote users are allowed.
<Feature> Feature, for which license information is requested.

CLI Commands
cplic db_add
Description
Adds one or more licenses to the license repository on the Security Management Server.
When local licenses are added to the license repository, they are automatically attached to the
intended Check Point Security Gateway. Central licenses have to undergo the attachment process.
This command is a license repository command and can only be executed on the Security
Management Server.
Syntax
cplic db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>]
[<SKU/Features>]
Parameters
-l <License File> Name of the file that contains the license.
<Host> Security Management Server hostname or IP address.
<Expiration Date> The license expiration date.
<Signature> The license signature string. For example:

aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
The string is case sensitive and the hyphens are optional.
<SKU/Features> The SKU of the license summarizes the features included in the license.
For example, CPSUITE-EVAL-3DES-vNG
Example
If the file 192.0.2.11.lic contains one or more licenses, the command cplic db_add -l
192.0.2.11.lic produces output similar to:
gaia> cplic db_add -l 192.0.2.11.lic
Adding license to database ...
Operation Done

CLI Commands
cplic db_print
Description
Displays the details of Check Point licenses stored in the license repository on the Security
Management Server.
Syntax
cplic db_print <Object Name | -all> [-n | -noheader] [-x] [-t | -type] [-a |
-attached]
Parameters
<Object Name> Prints only the licenses attached to <Object Name>.

<Object Name> is the name of the Check Point Security Gateway object
as defined in SmartConsole.
-all Prints all the licenses in the license repository.
-n | -noheader Prints licenses with no header.
-x Prints licenses with their signatures.
-t | -type Prints licenses with their type: Central or Local.
-a | -attached Shows to which object the license is attached.

Useful, if the -all option is specified.
Note - This command is a license repository command and can only run on the Security
Management Server.

CLI Commands
cplic db_rm
Description
Removes a license from the license repository on the Security Management Server. It can be
executed ONLY after the license was detached using the cplic del command. Once the license
is removed from the repository, it can no longer be used.
Syntax
cplic db_rm <Signature>
Parameters
<Signature> The signature string within the license.
Example
gaia> cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn
Note - This command is a license repository command and can only run on the Security
Management Server.

CLI Commands
cplic del
Description
Deletes a single Check Point license on a host, including unwanted evaluation, expired, and other
licenses. Used for both local and remote machines
Syntax
cplic del [-F <Output File>] <Signature> <Object Name>
Parameters
-F <Output File> Sends the output to <output file> instead of the screen.

To see the license signature string, run the cplic print -x command.
<Object Name> The name of the Check Point Security Gateway object as defined in
SmartConsole.

CLI Commands
cplic del <object name>

Description
Detaches a Central license from a Check Point Security Gateway. When this command is executed,
the license repository is automatically updated. The Central license remains in the repository as
an unattached license. This command can only run on a Security Management Server.
Syntax
cplic del <Object Name> [-F <Output File>] [-ip <Dynamic IP Address>] <Signature>
Parameters
<Object Name> The name of the Check Point Security Gateway object as defined in
SmartConsole.
-F <Output File> Diverts the output to outputfile rather than to the screen.
-ip <Dynamic IP Deletes the license on the Check Point Security Gateway with the
Address> specified IP address. Use this parameter to delete a license on a DAIP
Check Point Security Gateway.
Note - If this parameter is used, then object name must be a DAIP
Security Gateway.
Note - This is a Remote Licensing command, which affects remote managed machines. It is
executed on the Security Management Server.

CLI Commands
cplic get
Description
Retrieves all licenses from Security Gateways into the license repository on the Security
Management Server. This command helps to synchronize the repository with the Check Point
Security Gateways. When the command is run, all local changes are updated.
Syntax
cplic get {<IP Address> | <Host Name> | -all} [-v41]
Parameters
<IP Address> The IP address of the Check Point Security Gateway, from which licenses are to
be retrieved.
<Host Name> The name of the Check Point Security Gateway object as defined in
SmartConsole, from which licenses are to be retrieved.
-all Retrieves licenses from all Check Point Security Gateways in the managed
network.
-v41 Retrieves version 4.1 licenses from the NF Check Point Security Gateway. Used
to upgrade version 4.1 licenses.
Example
If the Check Point Security Gateway with the object name caruso contains four Local licenses,
and the license repository contains two other Local licenses, the command cplic get caruso
produces output similar to this:
gaia> cplic get caruso
Get retrieved 4 licenses.
Get removed 2 licenses.
Note - This is a Remote Licensing Command, which affects remote machines. It is executed on the
Security Management Server.

CLI Commands
cplic put
Description
Installs one or more local licenses on a local machine.
Syntax
cplic put [-o|-overwrite] [-c|-check-only] [-s|-select] [-F <Output File>]
[-P|-Pre-boot] [-k|-kernel-only] -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]
Parameters
-o | -overwrite On a Security Management Server, this erases all existing licenses and
replaces them with the new licenses.
On a Check Point Security Gateway, this erases only the local licenses,
but not central licenses that are installed remotely.
-c | -check-only Verifies the license. Checks if the IP of the license matches the machine
and if the signature is valid.
-s | -select Selects only the local license whose IP address matches the IP address
of the machine.
-F <Output File> Outputs the result of the command to the designated file rather than to
the screen.
-P | -Pre-boot Use this option after you have upgraded and before you reboot the
machine. Use of this option will prevent certain error messages.
-K | -kernel-only Pushes the current valid licenses to the kernel.

For use by Check Point Support only.
-l <License File> Name of the file that contains the license.
<Host> Hostname or IP address of Security Management Server.
<Signature> The license signature string. For example:

aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(The string is case sensitive and the hyphens are optional).
For example: CPSUITE-EVAL-3DES-vNG

CLI Commands
Copy and paste the parameters from the license received from the User Center:
host One of these:
• All platforms - The IP address of the external interface (in dot
notation). The last part cannot be 0 or 255.
• Solaris2 - The response to the hostid command (beginning with
0x).
expiration date The license expiration date. It can be never.
signature The license signature string.

For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(Case sensitive. The hyphens are optional.)
SKU/features A string listing the SKU and the Certificate Key of the license. The SKU
of the license summarizes the features included in the license.
For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab
Example
gaia> cplic put -l License.lic
Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
gaia>

CLI Commands
cplic put <object name>

Description
Attaches one or more central or local licenses remotely. When this command is executed, the
license repository is also updated.
Syntax
cplic put <Object Name> [-ip Dynamic IP] [-F <Output File>] -l <License File>
[<Host>] [<Expiration Date>] [<Signature>] [<SKU/Feature>]
Parameters
<Object Name> The name of the Check Point Security Gateway object, as defined in
SmartConsole.
-ip <Dynamic IP> Installs the license on the Check Point Security Gateway with the specified
IP address. This parameter is used for installing a license on a DAIP
Note - If this parameter is used, then the object name must be a DAIP
-F <Output File> Diverts the output to <outputfile> rather than to the screen.
-l <license File> Installs the licenses from <license file>.
<Host> Hostname or IP address of Security Management Server.
<Signature> The license signature string.

The string is case sensitive and the hyphens are optional.
For example: CPSUITE-EVAL-3DES-vNG
Note - This is a remote licensing command, which affects remote machines. It is executed on the
Security Management Server. More than one license can be attached.

CLI Commands
Copy and paste the parameters from the license received from the User Center:
host One of these:
• All platforms - The IP address of the external interface (in dot
notation). The last part cannot be 0 or 255.
• Solaris2 - The response to the hostid command (beginning with
0x).
expiration date The license expiration date. It can be never.
signature The license signature string.

(Case sensitive. The hyphens are optional.)
SKU/features A string listing the SKU and the Certificate Key of the license. The SKU
of the license summarizes the features included in the license.
For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

CLI Commands
cplic print
Description
The cplic print command prints details of Check Point licenses on the local machine.
Syntax
cplic print [-n|-noheader][-x][-t|-type][-F <Output File>] [-p|-preatures]
Parameters
-n|-noheader Prints licenses with no header.
-x Prints licenses with their signature.
-t|-type Prints licenses showing their type: Central or Local.
-F <Output File> Diverts the output to <Output File>.
-p|-preatures Prints licenses resolved to primitive features.
Note - On a Check Point Security Gateway, this command prints all licenses that are installed on
the local machine, both local and central licenses.

CLI Commands
cplic upgrade
Description
Upgrades licenses in the license repository with licenses in a license file from the user center.
Syntax
cplic upgrade –l <Input File>
Parameters
–l <Input File> Upgrades the licenses in the license repository and Check Point Security
Gateways to match the licenses in <Input File>.
Example
This example explains the procedure to upgrade the licenses in the license repository. There are
two Software Blade licenses in the file. One does not match any license on a remote Security
Gateway, the other matches a version NGX license on a Security Gateway that has to be upgraded.
• Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the Security
Gateways with the previous product versions.
• Import all licenses into the license repository. This can also be done after upgrading the
products on the remote Security Gateways.
• Run this command:
cplic get -all
Example:
[Expert@MyMGMT]# cplic get -all
Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses
• To see all the licenses in the repository, run this command:

cplic db_print -all -a
Example:
[Expert@MyMGMT]# cplic db_print -all -a
Retrieving license information from database ...
The following licenses appear in the database:

==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 golda
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab count
• In the User Center http://usercenter.checkpoint.com, view the licenses for the products that
were upgraded from version NGX to a Software Blades license. You can also create new
upgraded licenses.
• Download a file containing the upgraded licenses. Only download licenses for the products that
were upgraded from version NGX to Software Blades.

CLI Commands
• If you did not import the version NGX licenses into the repository, import the version NGX
licenses now. Use the command cplic get -all
• Run the license upgrade command: cplic upgrade –l <inputfile>
• The licenses in the downloaded license file and in the license repository are compared.
• If the certificate keys and features match, the old licenses in the repository and in the
remote Security Gateways are updated with the new licenses.
• A report of the results of the license upgrade is printed.
Note - This is a remote licensing command, which affects remote Security Gateways. It is
executed on the Security Management Server.
For more about managing licenses, see the R80.10 Security Management Administration Guide

CLI Commands
cppkg
Description Manages the product repository. It is always executed on the Security Management
Server.
Important - This command is not supported for gateways running on Gaia OS.
cppkg add
Description Adds a product package to the product repository. You can only add SmartUpdate
packages to the product repository.
Add products to the repository by importing a file downloaded from the Download Center. Add the
package file to the repository directly from a DVD or from a local or network drive.
Syntax:
> cppkg add {<package-full-path>|<CD drive> [product]}
package-full-pat If the package you want to add to the repository is on a local disk or
h network drive, type the full path to the package.
CD drive If the package you want to add to the repository is on a DVD:

• For Windows machines type the DVD drive letter, for example: d:\
• For UNIX machines, type the DVD root path, for example:
/caruso/image/CPsuite-R80.10
You are asked to specify the product and appropriate operating system
(OS).
Note - cppkg add does not overwrite existing packages. To overwrite existing packages, you
must first delete existing packages.
Example:
[d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-R80.10\
Enter package name:
----------------------
(1) SVNfoundation
(2) firewall
(3) floodgate
(4) rtm
(e) Exit
Enter your choice : 1
Enter package OS :
----------------------
(1) win32
(2) linux
(3) ipso
(e) Exit
Enter your choice : 1
You choose to add 'SVNfoundation' for 'win32' OS. Is this correct? [y/n] : y

CLI Commands
cppkg delete
Description Deletes a product package from the repository. To delete a product package you
must specify a number of options. To see the format of the options and to view the contents of the
product repository, use the cppkg print command.
Syntax:
> cppkg delete <vendor> <product> <version> <os> [sp]
vendor Package vendor. For example, checkpoint
product Package name.
version Package version.
os Package Operating System. Options are: win32, solaris, ipso, linux
sp Package minor version.
Note - It is not possible to undo the cppkg del command.
cppkg get
Description Synchronizes the Package Repository database with the content of the actual
package repository under $SUROOT
Syntax:
> cppkg get
cppkg getroot
Description Finds the location of the product repository. The default product repository location
on Windows machines is C:\SUroot. On UNIX machines it is /var/SUroot.
Syntax:
> cppkg getroot
Example:
> cppkg getroot
Current repository root is set to : /var/suroot/

CLI Commands
cppkg print
Description Lists the contents of the product repository.
Use cppkg print to see the product and OS strings required to install a product package
using the cprinstall command, or to delete a package using the cppkg delete
command.
Syntax:
> cppkg print
cppkg setroot
Description Creates a new repository root directory location and moves existing product
packages into the new repository.
The default product repository location is created when the Security Management Server is
installed. On Windows machines the default location is C:\SUroot and on UNIX machines it is
/var/SUroot. Use this command to change the default location.
When changing repository root directory:
• The content of the old repository is copied into the new repository.
• The $SUROOT environment variable gets the value of the new root path.
• A product package in the new location is overwritten by a package in the old location, if the
packages are the same (they have the same ID strings).
The repository root directory should have at least 200 Mbyte of free disk space.
Syntax:
> cppkg setroot <repository>
<repository> The full path for the desired location for the
product repository.
Note - It is important to reboot the Security Management Server after using this command. This
sets the new $SUROOT environment variable.
Example:
cppkg setroot /var/new_suroot
Repository root is set to : /var/new_suroot/
Note: When changing repository root directory :

1. Old repository content will be copied into the new repository.
2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name.
Change the current repository root ? [y/n] : y
The new repository directory does not exist. Create it ? [y/n] : y
Repository root was set to : /var/new_suroot
Notice : To complete the setting of your directory, reboot the machine!

CLI Commands
cprid
cpridrestart
Description Stops and starts the Check Point Remote Installation Daemon cprid. This is the
daemon that is used for remote upgrade and installation of products. In Windows it is a service.
cpridstart
Description Starts the Check Point Remote Installation Daemon (cprid). This is the service
that allows for the remote upgrade and installation of products. In Windows it is a service.
Syntax:
> cpridstart
cpridstop
Description Stops the Check Point Remote Installation Daemon cprid. This is the service
that allows for the remote upgrade and installation of products. In Windows it is a service.
Syntax:
> cpridstop

CLI Commands
cprinstall
Description Use cprinstall commands to perform remote installation of product
packages and associated operations.
Important - This command is not supported for gateways running on Gaia OS.
On the Security Management Server, cprinstall commands require licenses for
SmartUpdate.
On the remote Check Point gateways the following are required:
• Trust must be established between the Security Management Server and the Check Point
gateway.
• cpd must run.
• cprid remote installation daemon must run.
cprinstall boot
Description Boot the remote computer.
Syntax:
> cprinstall boot <object name>
<object name> Object name of the Check Point Security Gateway defined in SmartConsole.
Example:
> cprinstall boot harlin
cprinstall cpstart
Description Enables cpstart to be run remotely.
All products on the Check Point Security Gateway must be of the same version.
Syntax:
> cprinstall cpstart <object name>
<Object name> Object name of the Check Point Security Gateway defined in SmartConsole.

CLI Commands
cprinstall cpstop
Description Enables cpstop to be run remotely.
All products on the Check Point Security Gateway must be the same version.
Syntax:
> cprinstall cpstop {-proc|-nopolicy} <object name>
-proc Kills Check Point daemons and security servers while it maintains the active
Security Policy running in the kernel. Rules with generic allow/reject/drop
rules, based on services continue to work.
-nopolicy
Object name Object name of the Check Point Security Gateway defined in SmartConsole.
cprinstall get
Description Gets details of the products and the operating system installed on the specified
Check Point Security Gateway. It also updates the database.
Syntax:
> cprinstall get <object name>
<object name> The name of the Check Point Security Gateway object defined in
SmartConsole.
Example:
cprinstall get gw1
Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system Major Version Minor Version
------------------------------------------------------------------------
SecurePlatform R75.20 R75.20
Vendor Product Major Version Minor Version

------------------------------------------------------------------------
Check Point VPN-1 Power/UTM R75.20 R75.20
Check Point SecurePlatform R75.20 R75.20
Check Point SmartPortal R75.20 R75.20

CLI Commands
cprinstall install
Description Installs Check Point products on remote Check Point Security Gateways.
To install a product package you must specify a number of options. Use the cppkg print
command and copy the required options.
Syntax:
> cprinstall install [-boot] <Object name> <vendor> <product> <version> [sp]
-boot Boots the remote computer after installing the package.

Note - Only boot after ALL products have the same version. Boot will be
canceled in certain scenarios.
Note - Before transferring any files, this command runs the cprinstall verify command
to verify that the operating system is appropriate and that the product is compatible with
previously installed products.
Example:
# cprinstall install -boot fred checkpoint firewall R70
Installing firewall R75.20 on fred...

Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.

CLI Commands
cprinstall uninstall
Description Uninstalls products on remote Check Point Security Gateways.
To uninstall a product package you must specify a number of options. Use the cppkg print
command and copy the required options.
Syntax:
> cprinstall uninstall [-boot] <Object name> <vendor> <product> <version> [sp]
-boot Boots the remote computer after installing the package.

Note - Only boot after ALL products have the same version. Boot will be
canceled in certain scenarios. See the Release Notes for details.
Note - Before uninstalling any files, this command runs the cprinstall verify command.
It verifies that the operating system is appropriate and that the product is installed.
After uninstalling, retrieve the Check Point Security Gateway data by running cprinstall get
Example
# cprinstall uninstall fred checkpoint firewall R75.20
Uninstalling firewall R75.20 from fred...

Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.

CLI Commands
cprinstall verify
Description Confirms these operations were successful:
• If a specific product can be installed on the remote Check Point Security Gateway.
• That the operating system and currently installed products are appropriate for the package.
• That there is enough disk space to install the product.
• That there is a CPRID connection.
Syntax:
> cprinstall verify <Object name> <vendor> <product> <version> [sp]

Options are: SVNfoundation, firewall, floodgate
sp Package minor version. This parameter is optional.
Example:
Successful - Verify succeeds
cprinstall verify harlin checkpoint SVNfoundation R75.20
Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.
Unsuccessful - Verify fails
cprinstall verify harlin checkpoint SVNfoundation R75.20
Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway
Info : SVN Foundation R70 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.

CLI Commands
cprinstall snapshot
Description Creates a snapshot <filename> on the Check Point Security Gateway.
Syntax:
> cprinstall snapshot <object name> <filename>
filename Name of the snapshot file
Note - Supported on SecurePlatform only.

CLI Commands
cprinstall show
Description Displays all snapshot (backup) files on the Check Point Security Gateway.
Syntax:
> cprinstall show <object name>
Example:
# cprinstall show GW1
SU_backup.tzg
cprinstall revert
Description Restores the Check Point Security Gateway from a snapshot.
Syntax:
> cprinstall revert <object name> <filename>
<object name> Object name of the Check Point Security Gateway defined in SmartConsole.
<filename> Name of the snapshot file.

CLI Commands
cprinstall transfer
Description Transfers a package from the repository to a Check Point Security Gateway without
installing the package.
Syntax:
> cprinstall transfer <object name> <vendor> <product> <version> [sp]
sp Package minor version. This parameter is optional.

CLI Commands
control_bootsec
Enables or disables Boot Security. The command affects both the Default Filter and the Initial
Policy.
$FWDIR/bin/control_bootsec [-r] [-g]
Options Description
-r Removes boot security
-g Enables boot security

CLI Commands
fwboot bootconf
Configure boot security options. This command is in $FWDIR/boot.
$FWDIR/bin/fwboot bootconf <command> [value]
Commands Values Description

get_ipf none Reports if firewall controls IP Forwarding.
• Returns 1 if IP Forwarding control is enabled on boot.
• Returns 0 if IP Forwarding is not controlled on boot.
set_ipf 0|1 Turns off/on control of IP forwarding for the next boot.
0 - Turns off
1 - Turns on
get_def none Returns the full path to the Default Filter that will be used on boot.
set_def <filename> Loads the file as the Default Filter in the next boot. The only safe and
recommended directory is $FWDIR/boot. (The default.bin
filename is a default name.)
Note - Do NOT move these files.

CLI Commands
comp_init_policy
Use the comp_init_policy command to generate and load, or to remove, the Initial Policy.
This command generates the Initial Policy. It ensures that it will be loaded when the computer is
booted, or any other time that a Policy is fetched, for example, at cpstart, or with the fw fetch
localhost command. After running this command, cpconfig adds an Initial Policy if there is no
previous Policy installed.
$FWDIR/bin/comp_init_policy [-u | -g]
Options Description
-u Removes the Initial Policy, and makes sure that it will not be generated in the future
when cpconfig is run.
-g Generates the Initial Policy and makes sure that it is loaded the next time a policy is
fetched (cpstart, reboot, fw fetchlocalhost). After running this command,
cpconfig adds an Initial Policy when needed.
The comp_init_policy -g command will only work if there is no previous policy. If there is a policy,
make sure that after removing the policy, you delete the folder $FWDIR/state/local/FW1/. The
$FWDIR/state/local/FW1/ folder contains the policy that will be fetched when fw fetch localhost is
run.
The fw fetch localhost command is the command that installs the local policy. cpstart.
comp_init_policy creates the initial policy, but has a safeguard so that the initial policy will not
overwrite a regular user policy (since initial policy is only used for fresh installations or upgrade).
For this reason, you must delete the $FWDIR/state/local/FW1/ directory if there is a previous
policy, otherwise comp_init_policy will detect that the existing user policy and will not overwrite it.
If you do not delete the previous policy, the original policy will be loaded.

CLI Commands
cpstop -fwflag default and cpstop -fwflag proc

To stop all firewall processes but leave the Default Filter running, run: cpstop -fwflag
-default
To stop all Security Gateway processes but leave the security policy running, run:
cpstop -fwflag -proc
To stop and start all Check Point processes, run: cpstop and cpstart
cpstop -fwflag [-default | -proc]
Options Description
-default Kills firewall processes (such as fwd, fwm, vpnd, snmpd). Logs, kernel traps,
resources, and security server connections stop.
The security policy in the kernel is replaced with the Default Filter.
-proc Kills firewall processes. Logs, kernel traps, resources, and security server
connections stop.
The security policy remains loaded in the kernel. Allow, reject, and drop rules
that do not use resources, only services, continue to work.

CP R80.10 Installation and Upgrade Guide

Uploaded by

Copyright:

Available Formats

CP R80.10 Installation and Upgrade Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CP R80.10 Installation and Upgrade Guide

Uploaded by

Copyright:

Available Formats

24 July 2018

Check Point R80.10

Latest Version of this Document

Searching in Multiple PDFs

11 July 2018 Removed: Section Converting a Security Management Server to

31 May 2018 Removed: Section Removing Earlier Version Multi-Domain Server

31 May 2018 Added:

12 November 2017 General updates.

08 November 2017 Improved formatting and document layout.

03 September Added information on upgrading from R80 to R80.10 in:

14 May 2017 First release of this document.

3. Importing the management database to Multi-Domain Security Management

Security Management Server

Before you install or upgrade to R80.10:

Installation and Upgrade Guide R80.10 | 12

For New Check Point Customers

Installation and Upgrade Guide R80.10 | 13

Product Deployment Scenarios

Installation and Upgrade Guide R80.10 | 14

Installing and Upgrading with CPUSE

To update the Deployment Agent:

To install R80.10 using CPUSE - Gaia Portal:

Installation and Upgrade Guide R80.10 | 15

For more about CPUSE, see sk92449

Installation and Upgrade Guide R80.10 | 16

Configuring your Check Point Appliance

Workflow for Configuring your Appliance

Installation and Upgrade Guide R80.10 | 17

Running the Gaia First Time Configuration Wizard

To configure the settings for the appliance:

Installation and Upgrade Guide R80.10 | 18

Deployment Options from the First Time Configuration

Running an Unattended USB Installation of Gaia on

Installation and Upgrade Guide R80.10 | 19

Installing a Blink Image to Configure a Check Point

Installation and Upgrade Guide R80.10 | 20

The Gaia Operating System

Installing the Gaia Operating System

Changing the Partition Size if you have Gaia Installed

To see the disk space assigned for backup images:

Installation and Upgrade Guide R80.10 | 21

Changing Gaia Partition Sizes Before the Operating System

Installing the Gaia Operating System on Appliances

To reset the appliance to factory defaults:

Installation and Upgrade Guide R80.10 | 22

Installing the Gaia Operating System on an Open Server

Installation and Upgrade Guide R80.10 | 23

Configuring the Gaia Management IP Address

Installation and Upgrade Guide R80.10 | 24

Installing the Management Server,

Installing a Management Server

To install a Security Management Server or Multi-Domain Server:

Installation and Upgrade Guide R80.10 | 25

To configure a Security Management Server:

Installation and Upgrade Guide R80.10 | 26

Installing a Security Management Server or

Installation and Upgrade Guide R80.10 | 27

Configuring a Standalone Appliance in Standard Mode

2 Log in with the default credentials.

7 Configure the Management Connection settings.