Upgrading to VPN-1/FireWall-1 NG
Now that you've performed a successful installation of FireWall-1 NG,
it's time to understand how to upgrade from a previous version of VPN-1/ FireWall-1. At the time of this writing, many companies are looking to upgrade from an older version of VPN-1/FireWall-1 (usually 4.1 SP3 or higher) to NG FP3. You can upgrade to NG FP1 from version 4.0 and higher.
If you are running a version older than 4.0, you must upgrade to version 4.0 first, and then upgrade to NG.
With the many enhancements in NG, it's better to create a fresh install of NG and then migrate your existing configuration files over to the newly created NG firewall. The upgrade technique discussed here will upgrade version 4.1 Service Pack 6 configuration files to NG configuration files. It is recommended that the 4.1 files are upgraded to Service Pack 6 before convertingthem to NG.
In many instances, companies are viewing the NG upgrade as an opportunity to upgrade the current platform on which their firewalls are running.
For example, this is an chance to upgrade operating systems from Solaris 2.6 to 2.8, or to upgrade hardware from a Pentium II machine with limited hard drive space and memory to a Pentium IV with lots of hard drive space and much more memory.
In order to make the NG upgrade a smooth and convenient process,
Check Point has developed an upgrade script that helps convert 4.1 configuration files to NG configuration files. This scripts automates the conversion by using theconfmergecommand on theobjects.C,fwauth.NDB, and rulebases.fwsfiles. (This script is not meant for people who are moving from a Windows machine to a Unix machine, or for people running Flood- Gate.) The script is in a zipped file calledupgrade.4.3.tgzand can be downloaded from thesupport.checkpoint.comwebsite. Here are the steps to use theupgrade script:
1.Create a new SmartCenterServer machine with the desired Feature Pack
version of NG (FP1, FP2 or FP3), based on the installation guidelines
previously discussed. This upgrade procedure will upgrade to FP3.
2.Download and unzip theupgrade.4.3.tgzfile. This file opens into
a directory namedupgrade.
3.Place the 4.1 SP6 files on the SmartCenter Server underupgrade/4.1:
a.objects.C.
b.fwauth.NDB. On Windows machines, this file is only the pointer
to the real database file-for example,fwauth.NDB522. In this
case, take the real database file(fwauth.NDB522), rename it
fwauth.NDB, and put it in the\upgrade\4.1directory.
c.rulebases.fws.
4.Stop the FireWall-1 Services (cpstop),cdto the<upgrade_directory>,
and issue the following command
in Windows (upgrade from 4.1 to FP3):
upgrade.bat < upgrade_directory>\upgrade FP3 4.1
In Unix, enter this command (upgrade from 4.1 to FP3):
upgrade.csh < upgrade_directory>/upgrade FP3 4.1
5.Restart the FireWall Services (cpstart) and log in to the GUI.
After you have successfully run the script, in order to transfer the remaining configuration files (such asgui-clients,masters, and so on), copy the following files from the VPN-1/FireWall-1 4.1$FWDIR/confdirectory to the VPN-1/FireWall-1 NG$FWDIR/confdirectory:
xlate.conf,aftpd.conf,smtp.conf,sync.conf,masters,
clients,fwmusers,gui-clients,slapd.conf,serverkeys,
product.conf
In addition to understanding which configuration files are important in upgrading to Check Point NG, it's important to understand which configuration files need to be saved for backup in case of a failure or loss of files. The next section talks about backup and restore options and identifies the critical configuration files needed for backup.