Thursday, February 3, 2011

What should I be aware of when upgrading from Version 4.0 to Check Point 2000?

When upgrading from Version 4.0 to Check Point 2000, the Management Station checkbox in the Workstation Properties window will be checked only for the Management Station being upgraded. All other gateways defined on the Management Station will have the Management Station checkbox unchecked by default.

When you upgrade, the $FWDIR/lib/control.map file is replaced. If you have made any changes to control.map, they will not be preserved in the new control.map, so you must make the same changes in the new version.

Session Authentication Agent — Installing the Version Check Point 2000 Session Authentication Agent does not overwrite the Version 4.0 Session Authentication Agent. You must uninstall the Version 4.0 Session Authentication Agent (using the Control Panel’s Add/Remove Programs applet) and then install the Version Check Point 2000 Session Authentication Agent. Note that the Session Authentication Agent is shut down as part of the uninstallation process, so you must manually restart it (or reboot).

VPN-1/FireWall-1 HP OpenView Extension supports Solaris and HP-UX with HP OV version 4.x. HP-UX with HP OV versions 5.x and 6.x is not supported.

Synchronized VPN/FireWall Modules —

    Synchronized VPN/FireWall Modules must be managed by the same Management Module.
    SecuRemote connections can be synchronized.

Enable Exportable SKIP: If Enable Exportable SKIP (in the Encryption tab of the Properties Setup window) is checked, you must generate an exportable DH key (in the SKIP Properties window) for every internal VPN/FireWall Module that has Local selected in the Key Manager tab of its SKIP Properties window. Selective SKIP configuration (that is, some SKIP communications use exportable DH keys and some use non-exportable DH keys) can only be managed in the Rule Base.

Control channel encryption key — If you change a Management Server's control channel encryption key (for example, by using the fw putkey command), you must restart any ELA proxy that is running on that Management Server. See "Uninstalling VPN-1/FireWall-1" on page 6 for information on how to stop the ELA proxy.

In a High Availability configuration, each VPN/FireWall Module's license should be issued to its hostid or to another unique interface (the "heartbeat" or "configuration IP" interface), since any of the other interfaces can fail.

Do not rename a network object group that is used in the definition of a Logical Server.

Unix platforms — When remote modules are configured using the cpconfig program, if you try to add a new remote module you will not be able to see the list of previously configured modules. However, these modules are still defined and there is no need to reconfigure them. If you do reconfigure them, you must run the fw putkey command again for each module.

Backward compatibility feature: If you are using the VPN-1/FireWall-1 Check Point 2000 backward compatibility feature to manage VPN-1/FireWall-1 Version 4.0 SP1 or SP2 FireWall Modules and you use Client Authentication rules, the following workaround must be applied:

a. Edit the file $FWDIR/lib/base.def (where FWDIR specifies the directory in which the VPN-1/FireWall-1 Version 4.0 software or VPN-1/FireWall-1 Check Point 2000 backward compatibility module is installed), replacing the lines:

#define pm_prog [(UDPDATA+40+rpc_cred_len+rpc_ver_len),b]
#define pm_prot [(UDPDATA+48+rpc_cred_len+rpc_ver_len),b]

by the lines:

#define pm_prog [68, b]
#define pm_prot [68+8, b]

b. Reinstall the Security Policy on the VPN/FireWall Module.
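The following POSIX shell script applies step a above on a Unix Management Server. It is an added example, not code from the original post or from Check Point. It assumes $FWDIR points at the VPN-1/FireWall-1 installation directory (so the file is $FWDIR/lib/base.def), that the two #define lines appear exactly as shown in the post, and that grep and awk are available. The script refuses to touch a file that does not contain the expected lines, so running it twice, or against a base.def from a different release, changes nothing; it keeps a .orig backup of the file it does change.

```shell
#!/bin/sh
# Apply the base.def Client Authentication workaround for Check Point 2000
# backward compatibility with Version 4.0 SP1/SP2 FireWall Modules.
# Example script (not Check Point's own); assumes $FWDIR is the install directory.

# Lines exactly as they appear in the shipped base.def (from the post).
OLD_PROG='#define pm_prog [(UDPDATA+40+rpc_cred_len+rpc_ver_len),b]'
OLD_PROT='#define pm_prot [(UDPDATA+48+rpc_cred_len+rpc_ver_len),b]'
# Replacement lines from the workaround.
NEW_PROG='#define pm_prog [68, b]'
NEW_PROT='#define pm_prot [68+8, b]'

# verify_base_def FILE
# Returns 0 if FILE already contains both replacement lines, 1 otherwise.
# Useful as a post-upgrade check that the workaround is still in place.
verify_base_def() {
    grep -Fqx -- "$NEW_PROG" "$1" && grep -Fqx -- "$NEW_PROT" "$1"
}

# patch_base_def FILE
# Replaces the two pm_prog/pm_prot defines in FILE, keeping FILE.orig as a backup.
# Returns 0 on success, 1 if FILE is missing or cannot be written, 2 if the
# expected original lines are absent (already patched, or a different base.def).
patch_base_def() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if ! grep -Fqx -- "$OLD_PROG" "$file" || ! grep -Fqx -- "$OLD_PROT" "$file"; then
        echo "expected pm_prog/pm_prot lines not found in $file; nothing changed" >&2
        return 2
    fi
    cp -p "$file" "$file.orig" || return 1
    # Exact whole-line comparison in awk avoids regex escaping of [, ( and +.
    awk -v op="$OLD_PROG" -v ot="$OLD_PROT" -v np="$NEW_PROG" -v nt="$NEW_PROT" '
        $0 == op { print np; next }
        $0 == ot { print nt; next }
        { print }
    ' "$file.orig" > "$file" || return 1
    verify_base_def "$file"
}

# Usage: sh patch_base_def.sh "$FWDIR/lib/base.def"
if [ $# -eq 1 ]; then
    patch_base_def "$1"
fi
```

After the script reports success, step b still applies: reinstall the Security Policy on the VPN/FireWall Module so the modified definitions take effect. Keep the .orig file until the 4.0 modules are retired; diffing it against the live base.def after any later upgrade shows whether the workaround was overwritten, the same way control.map changes are lost on upgrade.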

fw expdate command — This command changes the expiration date of the users in the VPN-1/FireWall-1 users database. Any open GUI Client should be closed before running the command; otherwise the GUI will override the changes made by the command. On NT only, if fw expdate is executed while the Management Server is running, the Management Server should be restarted in order for the command to take effect.
