• May 22, 2012, 10:48:11 PM
Welcome, Guest. Please login or register. Registration is free.
Did you miss your activation email?
« previous next »
Pages: [1]

Author Topic: Checkpoint migration from R65 to R75  (Read 1484 times)

0 Members and 1 Guest are viewing this topic.

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 584
Checkpoint migration from R65 to R75
« on: December 08, 2011, 11:21:55 AM »
Guys,

Just want to share my experiences when recently migrating from R65 to R75.

Note - We were assisted onsite with our firewall support partner.

(Smartcentre)

In our case we built a new Windows 2008 (32 bit) server as Checkpoint gateway does not work on 64 bit servers?  We exported the database and a month of logs from our existing Smartcentre, but had to use specific tools as R75 uses a different database/log format than R65.  The export process also identifies object names that are the same name but in lower case and upper case.  R75 will only allow one name whether it is lower case or upper case.  The reformatted database is then imported into the new Smartcentre server which has the same IP address/name as the old server.  This maintains 'SIC' etc and you can see if everything is OK by using SmartViewMonitor. 

(Firewalls)

Half of our firewalls were replaced with new hardware as the old firewalls did not support R75.  The other firewalls were upgraded with IPSO 6.2 and R75.  Note - IPSO 6.2 via Voyager now has a 'HA menu', which allows you to configure Proxy Arps and static routes etc on one of the firewall pairs and it is automatically updated on the other.  Pretty neat  :)

We swapped one firewall at a time so downtime was minimal and always re-introduced the new upgraded
firewall as the backup, then pushed the policy and then made it VRRP master so we could remove the other firewall and upgrade.

(SmartReporter)

We also installed SmartReporter which allows us to run reports on Security rules usage etc.

(Observations)

Our existing firewall CPUs are now lower utilisation and the R75 SmartDashboard GUI has been much improved. 

SmartDefender has now been replaced by IPS.  We already have a separate IPS solution, so we turned IPS off.

There are some other new 'Blades' that look very useful.  'User Identity' which allows you to use active directory to put a name to a users IP address and 'Application Awareness', which is the big thing at the moment and Checkpoint only recently came into the game.

(Issues)

We have an outstanding issue on duplicate log files on the SmartCentre which we hope to resolve soon after logging a fault ticket with Checkpoint?

We also have an outstanding issue installing the R75 GUI on an engineers laptop.  Still investigating.

CheerZ


Logged

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2517
    • Michael McNamara
Re: Checkpoint migration from R65 to R75
« Reply #1 on: December 09, 2011, 10:03:29 AM »
Thanks for the feedback @Flintstone. We went from R62 to R65 last year and the engineer performing the upgrade had a very difficult time getting the Nokia IP560s upgraded. The documentation from Checkpoint (formerly Nokia) wasn't very clear on how to upgrade IPSO.

This past summer we also needed to relocate our Smart Center Server to a new Data Center so we had to change the IP address and work through all the licensing issues. That wasn't too much of an issue.

What are you using for IDS/IPS? I just recently installed two pairs of Cisco 4255s although I haven't turned them up yet.

Cheers!
Logged
We've been helping network engineers, system administrators and technology professionals since June 2009.
If you've found this site useful or helpful, please help me spread the word. Link to us in your blog or homepage - Thanks!

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 584
Re: Checkpoint migration from R65 to R75
« Reply #2 on: December 09, 2011, 10:24:02 AM »
Hi Michael,

We use Sourcefire for all our IDS/IPS needs. 

We also had to upgrade our Sourcefire Defense center and Sensors recently.  Is it me or just a trend?  We seem to be spending a lot of our time upgrading Network equipment hardware/software or we will not get support as it is EOL.  More likely away of generating revenue?

CheerZ
Logged

Offline Dorian

  • Full Member
  • ***
  • Posts: 53
Re: Checkpoint migration from R65 to R75
« Reply #3 on: January 04, 2012, 11:48:21 AM »
Quote from: Michael McNamara on December 09, 2011, 10:03:29 AM
Thanks for the feedback @Flintstone. We went from R62 to R65 last year and the engineer performing the upgrade had a very difficult time getting the Nokia IP560s upgraded. The documentation from Checkpoint (formerly Nokia) wasn't very clear on how to upgrade IPSO.

So true....
Last year, we finished in a wall after an upgrade of our Nokia (R71 -> R71.40)
This year I have the budget to replace them by 2 servers running SPLAT.
Logged

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 584
Re: Checkpoint migration from R65 to R75
« Reply #4 on: January 04, 2012, 12:37:53 PM »

It looks like SPLAT and IPSO are going to be merged to provide the best of both?

CheerZ
Logged

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 584
Re: Checkpoint migration from R65 to R75
« Reply #5 on: January 27, 2012, 03:53:58 AM »
Quote from: Flintstone on December 08, 2011, 11:21:55 AM

(Issues)

We have an outstanding issue on duplicate log files on the SmartCentre which we hope to resolve soon after logging a fault ticket with Checkpoint?


The duplicate log file issue was eventually resolved by applying a patch provided by Checkpoint.  It looks like there was an issue with the 'logswitch' functionality?

CheerZ
Logged
Pages: [1]
« previous next »