mardi 13 octobre 2009

Upgrading a Nokia Firewall (Flash Based) VRRP (Monitored Circuit) cluster HFA50

 Thanks to CPUG !!

1 Ensure that the Smartcenter is upgraded first to the version you are upgrading the cluster too.

2 For our configuration we were using VRRP monitored circuits.

3 Backup the Nokia configuration within Nokia Voyager for both firewalls.

4 Within Nokia for both firewalls print out the configuration summary.

5 Within checkpoint on the cluster object print out all of the existing topology information (take a screen shot)

6 On both Nokia firewalls disable monitor firewall state within the vrrp configuration

7 On secondary raise the VRRP priority on all VRRP virtual routers

8 Test that outbound traffic is routing via the secondary and that the secondary is now the vrrp master for all of the vrrp virtual routers.

9 Just as a precaution down an interface on the primary too. (Not strictly necessary)

10 On primary pull out internet facing connections (Not strictly necessary)

11 As our firewalls are the 1gb flash based models space is an issue and I had great difficulty applying the hfa even after expanding the nokia disk using then sbin mount command. Due to this issue I ended up going for a most drastic upgrade method (e.g rebuild)

12 Plug into the console port and connect using hyperterminal and reboot the firewall

13 When prompted press a key to get into a boot prompt

14 Type “install” enter (Note this will wipe your firewall)

15 The install procedure will ask a number of questions for example how you want to install and what interface (firewall port to use). I went for an anonymous FTP server option (I set my laptop up with Microsoft ftp installed and anonymous logins accepted) and copied the relevant ipso.tgz file (e.g 4.2build096-ipso.tgz) to the ftproot folder on your laptop

16 Next plug a network cable from your laptop into a switch on the same subnet as the interface you are going to use for building (e.g your LAN port, alternatively you could use a crossover cable)

17 The install will ask for IP address of client (the firewall) and server (the ftp server–laptop). Type in the relevant e.g. TCP/IP details - address, mask, gateway.

18 The path to the ipso file e.g /

19 Hit enter.

20 Install all images without prompting

21 Reboot

22 After reboot assign the original hostname, and setup an initial interface matching one from the topology and nokia information summary printed earlier.

23 Set speed, duplex, route, and choose “config via voyager” option.

24 Now you have got an initial interface setup.

Login using voyager and put back interface information, configure ntp, static routes, vrrp config and proxy arp.

25 The last thing you should do is make sure you assign the original host address back with the nokia voyager configuration (this is important and should match the address checkpoint uses.

26 Check ntp, vrrp routing, etc are working

27 Copy the ipso_wrapper_r65.tgz file to the ftproot folder on the laptop.

28 Reboot Nokia, open a ssh connection to the firewall and run newpkg command

29 Select FTP using anonymous server

30 Put in ip address of laptop and / for path.

31 Checkpoint installs the package, reboot when finished

32 Reconnect using a SSH connection back into the firewall and run cpconfig.

33 Select “Yes to license agreement”

34 “No” to dynamically assigned ip address

35 “Yes” to Install a Checkpoint clustering product

36 “No” to add licenses

37 “No” to group permissions

38 Type in keys for seed

39 Enter and re-enter a SIC password

40 Reboot

41 The reboot will install the default block policy.

42 Reconnect to the firewall via and run fw unloadlocal to unload default policy

43 Connect into the smartcenter using smartdashboard change the cluster version to NGX R65

44 On the firewall member object reset sic and enter the sic password used in the install on the firewall. Test sic is working.

45 Note - for SIC to work there must be a route from the smartcenter directly to physical ip address of the firewall host address.

46 Within Smartupdate detach the license and reattach the license

47 Push the policy to the firewall (Note in doing this you will no longer be able to push the policy to the remaining (live ngx62 firewall) while the cluster is set to NGX R65.

48 Just to warn you Check point will not sync its state while the clusters are different versions

49 If running the “cphaprob stat” command you will see one down due to upgrade.

50 Next apply the hfa to the firewall.

51 To apply the hfa50 open a ssh into the firewall.

52 Cd /opt

53 Mkdir hfa

54 Cd hfa

55 Open a secure ftp session using the ssh client

56 Upload the hfa file to the folder

57 run /sbin/mount –u –o extend_partition /dev/null /opt (this gives more space for the upgrade)

58 tar xzvf hfafile.ipso.tgz (extracts the package)

59 rm hfafile.ipso.tgz (removes the package file)

60 Run df –k | awk ‘ /preserve|opt|var/{print $6,$2 - $3}’

61 The above command will show how how much space is left on the Nokia volumes (/preserve need 455000kb and /opt needs /382000kb to install hfa50)

62 When you have enough space run ./UnixInstallScript and this will apply the hfa. Please note this takes up to 15 min’s to install.

63 Reboot the machine.

64 After the machine has rebooted run Smartupdate within smart dashboard and “get data” from the firewall. hfa50 should now be listed as installed.

65 Once you are happy that everything is running correctly you will need to repeat the upgrade procedure listed above for the secondary firewall (e.g. Repeat the steps above making the primary firewall the primary vrrp master again and upgrade the secondary)

66 When both firewalls are upgraded check that the checkpoint state is working using “cphaprob stat” command it should list both firewalls as active (one being local)

67 If state is working ok re-enable “monitor firewall state” on both of the firewalls vrrp configuration.