Upgrading from FireWall-1 4.1

Upgrading FireWall-1 from one release to the next has never been a walk in the park unless you have a relatively simple configuration. My advice is to not attempt to upgrade. The reason is simple: Quite a lot has changed between FireWall-1 4.1 and FireWall-1 NG, more so than, say, an upgrade from version 3.0 to version 4.1. In the vast majority of cases, you are much better off simply recreating the configuration from scratch.

In case you decide to ignore my advice and attempt to upgrade anyway, here are a few pointers.

  1. Make sure that you've upgraded to 4.1 SP6 before attempting any upgrades. Upgrades from previous versions are known to fail. NG AI supposedly supports upgrades from 4.1 SP5 and above, but I have not tried that.

  2. Before you even think about upgrading, make a backup of your current $FWDIR on your management station. In fact, you might want to back up at each step, just in case. If you upgrade to NG AI, Check Point will offer to make a backup of your management station before upgrading. Take advantage of that too.

  3. Analyze all of your workstation objects. All object names should be fewer than 18 characters long and should start with a letter. Underscores were allowed in previous versions of FireWall-1 but are not allowed under NG.

  4. Analyze all of your services, especially ones you have added. Compare the service names with a list of predefined services in the version of NG you plan to upgrade to. Upgrades to NG will fail if the services you have created happen to match a predefined service (either in name or in port). An easy way to get a list of predefined services is to load the appropriate version of the GUI client on a workstation and log in using the Demo mode or with the *local trick (see Chapter 4).

  5. Check that all the policy names in your system start with a letter. Numbers were permitted in previous versions, but not in NG. The upgrade will succeed in this case, but you will have problems working with the policy, even saving it under a different name!

  6. Remove any unnecessary policies and objects. The fewer policies that the upgrade process has to deal with, the better.

  7. Remove the services VDO-live, cooltk, and the group CoolTalk. The conversion process will say they are being removed, but you will be asked to manually remove these services when you verify a policy. You won't be able to remove them because they won't be listed as services.

  8. Obtain a copy of the Upgrade Verification Utilities, available from http://www.checkpoint.com/techsupport/downloadsng/utilities.html. These programs are designed to catch some of the items mentioned above and a few other things not mentioned here. There are pre-upgrade and post-upgrade utilities, both of which should be run at the appropriate time to ensure a smooth(er) upgrade.
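As an added illustration of the manual checks in steps 3, 4, 5 and 7 (this is example code, not Check Point's Upgrade Verification Utilities or anything from the book), the script below audits lists of object names, custom services and policy names extracted from a 4.1 configuration. The sample data at the bottom is constructed; matching service names case-insensitively and comparing protocol/port pairs are my own conservative choices.

```python
# Added pre-upgrade audit applying the checks from steps 3, 4, 5 and 7 above.
MAX_NAME_LEN = 18                                    # must be fewer than 18 chars
LEGACY_SERVICES = {"VDO-live", "cooltk", "CoolTalk"}  # remove these before upgrading

def check_object_name(name):
    """Return the NG naming problems of one workstation/network object."""
    problems = []
    if len(name) >= MAX_NAME_LEN:
        problems.append(f"object '{name}': {len(name)} chars, need fewer than {MAX_NAME_LEN}")
    if not name[:1].isalpha():
        problems.append(f"object '{name}': must start with a letter")
    if "_" in name:
        problems.append(f"object '{name}': underscores are not allowed in NG")
    return problems

def check_services(custom, predefined):
    """Flag custom services colliding with NG's predefined set by name (compared
    case-insensitively) or by protocol/port, plus the legacy services of step 7."""
    problems = []
    pre_names = {s["name"].lower() for s in predefined}
    pre_ports = {(s["proto"], s["port"]): s["name"] for s in predefined}
    for svc in custom:
        if svc["name"].lower() in pre_names:
            problems.append(f"service '{svc['name']}': name matches a predefined NG service")
        key = (svc["proto"], svc["port"])
        if key in pre_ports:
            problems.append(f"service '{svc['name']}': {key[0]}/{key[1]} is predefined '{pre_ports[key]}'")
        if svc["name"] in LEGACY_SERVICES:
            problems.append(f"service '{svc['name']}': remove before upgrading (step 7)")
    return problems

def check_policy_name(name):
    """Policy names must start with a letter (the upgrade passes, but the policy is unusable)."""
    return [] if name[:1].isalpha() else [f"policy '{name}': must start with a letter"]

def audit(objects, custom_services, predefined_services, policies):
    """Run every check; an empty result means the configuration is ready to upgrade."""
    findings = [p for n in objects for p in check_object_name(n)]
    findings += check_services(custom_services, predefined_services)
    findings += [p for n in policies for p in check_policy_name(n)]
    return findings

# Constructed sample data, not taken from a real firewall; feed your own lists here.
SAMPLE_OBJECTS = ["dmz-web", "2nd_mail_server", "very-long-hostname-object"]
SAMPLE_PREDEFINED = [{"name": "http", "proto": "tcp", "port": 80}]
SAMPLE_CUSTOM = [{"name": "HTTP", "proto": "tcp", "port": 8080},     # name clash
                 {"name": "webadmin", "proto": "tcp", "port": 80},   # port clash
                 {"name": "cooltk", "proto": "tcp", "port": 5000},   # legacy; port made up
                 {"name": "intranet", "proto": "tcp", "port": 8443}]  # clean
SAMPLE_POLICIES = ["Standard", "2003-Q1"]
```

Run `audit(...)` on your own extracted lists and fix every finding before starting the upgrade; the Upgrade Verification Utilities from step 8 remain the authoritative check.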