How to upgrade a FireWall-1 4.1 Module to FireWall-1 NG using SecureUpdate
Solution:
Note: There are various ways to upgrade a VPN-1/FireWall-1 4.1
Module to VPN-1/FireWall-1 NG using SecureUpdate. This solution describes
two scenarios:
1. The management is VPN-1/FireWall-1 4.1 and the Module is
VPN-1/FireWall-1 4.1
2. The management is VPN-1/FireWall-1 NG (a new installation) and the
Module is VPN-1/FireWall-1 4.1
VPN-1/FireWall-1 4.1 Management and 4.1 Module
======================================
1. The prerequisites for upgrading a version 4.1 Module in this case are
as follows:
On the Module-
- VPN-1/FireWall-1 4.1 SP2 and above
- CPutil package installed. (Can be obtained from CP2000 CD.)
On the Management Server-
- VPN-1/FireWall-1 4.1 SP2 and above.
- CPutil package installed. (Can be obtained from CP2000 CD.)
2. Exchange putkeys between the Management Server and the Module, and then
run cpbconfig, where the Module is the Subscriber and the Management
Server is the Publisher. Run cpbconfig on the Module first (See CPutil
documentation for details).
3. Upgrade the Management to NG with the Backwards Compatibility package.
4. After completing the installation, check that the Module is defined in
the Policy Editor with its correct version (4.1), interfaces and other
properties.
5. Test that the upgrade was successful by installing a policy on the
remote Module (it should work as the Back Compatibility package was
installed).
6. Add the SVN Foundation and a FireWall-1 package to the package
repository on the Management Server using the following command:
cppkg add <path_to NG_installation_directory>
The path can be the CD or any other directory with the NG installation
folders in it.
Follow the instructions on the screen.
7. Define the following rule on the Management Server:
Source: Management Server
Destination: FireWall-1 Module workstation
Service: CPRID
Action: ACCEPT
8. Open the SecureUpdate GUI and the Package Repository.
9. Choose the SVN Foundation product from the repository and drag-and-drop
it onto the version 4.1 Module.
10. Follow the progress of the installation in the Active Status pane.
At the end of the installation, the Module will be automatically rebooted.
11. After the Module reboots, open the SecureUpdate GUI and install the
VPN-1/FireWall-1 NG package from the repository.
At the end of the installation the Module will be automatically rebooted.
12. After the Module reboots, open the SecureUpdate GUI and install an NG
license on your new NG Module.
VPN-1/FireWall-1 NG Management (Fresh Install) and 4.1 Module
================================================
1. The prerequisites for upgrading a version 4.1 Module in
this case are as follows:
On the Module-
- VPN-1/FireWall-1 4.1 SP2 and above
- CPutil package installed. (Can be obtained from CP2000 CD.)
On the Management-
- VPN-1/FireWall-1 NG with Backwards Compatibility.
2. Exchange putkeys between the Management Server and the Module.
3. After completing the installation, check that the Module is defined in
the Policy Editor with its correct version (4.1), interfaces and other
properties.
4. Test that the upgrade was successful by installing a policy on the
remote Module (it should work as the Back Compatibility package was
installed).
5. Run cpbconfig on the Module. (See CPutil documentation for details).
6. Download the opsec_putkey utility for VPN-1/FireWall-1 NG and put it
under $CPDIR\database\cprid\cprid_util_keys. Then, run the
following:
opsec_putkey -ssl -p <CPRID key> -port 18208 <Module IP>
<CPRID key> must be the same key that was used for the cpbconfig. It
doesn't have to be the same one that was used for fw putkey.
7. Add the SVN Foundation and a FireWall-1 package to the package
repository on the Management Server using the following command:
cppkg add <path_to NG_installation_directory>
The path can be the CD or any other directory with the NG installation
folders in it.
Follow the instructions on the screen.
8. Define the following rule on the Management Server:
Source: Management Server
Destination: FireWall-1 Module workstation
Service: CPRID
Action: ACCEPT
9. Open the SecureUpdate GUI and the Package Repository.
10. Choose the SVN Foundation product from the repository and
drag-and-drop it on the version 4.1 Module.
Follow the progress of the installation in the Active Status pane.
At the end of the installation the Module will be automatically rebooted.
11. After the Module reboots, issue the following:
cpd_admin stop
and then:
cpd
This updates the SIC name of the Module workstation.
12. Open the SecureUpdate GUI and install the VPN-1/FireWall-1 NG package
from the repository.
At the end of the installation the Module will be automatically rebooted.
13. After the Module reboots, open the SecureUpdate GUI and install an NG
license on the new NG Module.
06/MAY/02 Jim Parker
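Added example (not part of the original solution and not Check Point code): a pre-flight check, run from the Management Server before the SecureUpdate drag-and-drop step in either scenario, that probes the CPRID port 18208 named in the opsec_putkey step. The function names and the troubleshooting hints attached to each result are assumptions made for this illustration.

```python
import errno
import socket
import sys

CPRID_PORT = 18208  # port used on the page's opsec_putkey command line

# Heuristic reading of each result (an assumption of this example,
# mapped onto the steps of the procedure above).
HINTS = {
    "open": "CPRID reachable; the SecureUpdate push can be attempted",
    "refused": "host answers but nothing listens; check the CPutil "
               "install and cpbconfig on the Module",
    "filtered": "no answer; check the Management Server -> Module CPRID "
                "ACCEPT rule and that the policy was installed",
}


def probe_cprid(host, port=CPRID_PORT, timeout=3.0):
    """One TCP connect; returns 'open', 'refused', 'filtered' or 'error:<code>'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        # SYN dropped silently: typical of a missing ACCEPT rule
        return "filtered"
    except ConnectionRefusedError:
        # RST received: the host is up but no daemon is bound to the port
        return "refused"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc))
    finally:
        sock.close()


def preflight(modules, port=CPRID_PORT, timeout=3.0):
    """Probe every Module; returns {host: (state, hint)}."""
    report = {}
    for host in modules:
        state = probe_cprid(host, port, timeout)
        report[host] = (state, HINTS.get(state, "fix the network error first"))
    return report


if __name__ == "__main__":
    # Usage: python cprid_preflight.py <Module IP> [<Module IP> ...]
    for host, (state, hint) in preflight(sys.argv[1:]).items():
        print(f"{host}: {state} - {hint}")
```

An "open" result only shows that the port accepts connections; the CPRID key exchange itself is still verified by the push.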