FireWall-1 FAQ: Upgrading FireWall-1 to a Current Release
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Before upgrading: Make a backup of your $FWDIR, whatever that may be. Usually, nothing bad happens, but just in case it does, you have something to fall back on. Before beginning, make sure you have the appropriate license for your new version. The general order of upgrades looks like this:
- If you are on a version prior to 2.1c, upgrade to that.
- Upgrade to 3.0a.p1.
- Upgrade to 3.0b.
- If staying on 3.0 series, upgrade to SP9.
- Upgrade to 4.0SP1.
- Upgrade to 4.0SP5
- Upgrade to 4.1SP0 or SP1 (i.e. no Service Pack)
- Upgrade to 4.1SP5
As far as “how” to upgrade, you should just be able to run the installation program, tell it where your current installation is, and hit “upgrade” when it asks. Reboot if necessary. Re-install your security policy when you’re all done.
If that seems like a lot work (well, it is!), then there’s another approach you can take. Install whatever major version of FireWall-1 you want to be on, and apply the appropriate service packs. Merge in the old conf/objects.C file (see Merging objects.C files) and copy old conf/fwauth.NDB* and conf/rulebases.fws into your new conf directory. This may or may not work all that well depending on what version you are upgrading from or to, but some have had more success with this.
Note on IPSO, you may also have to upgrade the OS as well as FireWall-1. Resolution 1947 in Nokia’s Knowledge Base discusses how to upgrade both IPSO and FireWall-1 in the right order.
Going Past 4.1SP5
Once you get to the latest 4.1 release it should be possible to utilize the various Check Point utilities to migrate the configuration from one major version to the next (e.g. 4.1 to R55, R55 to R65, R65 to R77). These utilities are available on Check Point User Center.
Where Did My Network Objects Go?
Recently, I’ve seen problems where upgrading from version 3 to version 4 on NT management consoles. It appears that both network objects and rules don’t always migrate across. As long as you made backups before you began (you did, right?), you should be able to recover by doing the following:
- Do a confmerge on the old and new objects.C. See this FAQ: Merging objects.C files
- Copy rulebases.fws from old installation to new installation. This file has not changed format. See also: Where Did My Rulebases Go?
- Resolve “Not in Scope” messages that may appear when loading rulebases. See this FAQ: Not in Scope