Thursday, June 22, 2017

How to verify FW version routes hotfix



Show Configuration

arp -a
ifconfig -a
route -n
netstat -an
cphaprob list
cphaprob stat
cphaprob if
cphaprob -a if
cphaconf show_bond -a
fw ctl iflist
cplic print
cpwd_admin list
fw stat
fw ver
fw ctl arp
fw tab -t connections -s


Upgrade Firewall R77.20 to R77.30 JHA 216

  1. Verify access to the devices
  2. Verify firewalls are logging to the mgmt station & that policy push is successful
  3. Verify firewall backups
  4. Verify access to firewall using WINSCP
  5. Verify Console access to the firewall's (Serial Console)
  6. Copy Configuration
  7. Get the output of the following commands prior to any maintenance on the firewalls (whatever is applicable to fw)
  8. Take snapshot from the firewalls before upgrading
  9. Check the uptime of the firewall, if more than 180 days, please reboot prior to upgrade (both members of the cluster)
  10. Download the installations files and copy to the firewalls (CPUSE or CheckPoint website)
  11. Start with the standby firewall, Verify the installation file and proceed with installation.
  12. After the device is upgraded to R77.30, install the take 216 (Will have to use admin account until the policy is pushed)
  13. Change the Gateway Object in fwm to R77.30 and push the policy
  14. Verify Firewall is logging
  15. Verify that the firewall is accessible thru ssh/https
  16. Verify testing with Applications (specific to each fw cluster)
  17. Verify Solarwinds/Indeni alerts have cleared (or any other monitoring software)
  18. Verify TACACS access to the firewall
  19. Verify firewall status via SmartView Monitor
  20. Get the output of the following commands AFTER maintenance on the firewalls

 Rollback - Revert back from R77.30 to R77.20

  1. Revert back to R77.20 using the snapshot on standby
  2. Change the Gateway Object in fwm to R77.20 and push the policy
  3. Do a cpstop on the active member for stopping the CP services and proceed with reverting back to R77.20 using the snapshot
  4. Install the policy


[Expert@myfw-01:0]# fw ver
This is Check Point's software version R77.30 - Build 048

[Expert@myfw-01:0]#  installed_jumbo_take
R77.30 Jumbo Hotfix Accumulator take_216 is installed, see sk106162.

[Expert@myfw-01:0]#  netstat -rn | wc -l
998

[Expert@myfw-01:0]#


[Expert@myfw-02:0]#  fw ver
This is Check Point's software version R77.30 - Build 048

[Expert@myfw-02:0]# installed_jumbo_take
R77.30 Jumbo Hotfix Accumulator take_216 is installed, see sk106162.
[Expert@myfw-02:0]# netstat -rn |wc -l
998
[Expert@myfw-02:0]#



Posted by at