Checkpoint NGX Upgrade Guide

  • 7/31/2019 Checkpoint NGX Upgrade Guide

    1/194

    The Upgrade Guide

    NGX (R60)

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at

    https://secureknowledge.checkpoint.com

    See the latest version of this document in the User Center at: http://www.checkpoint.com/support/technical/documents/docs_r60.html

    Part Number 701313

    August 2005

    Check Point Software Technologies Ltd.

    U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

    2003-2005 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    2003-2005 Check Point Software Technologies Ltd. All rights reserved.

    Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    THIRD PARTIES:

    Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

    Verisign is a trademark of Verisign Inc.

    The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty.

    Copyright Sax Software (terminal emulation only).

    The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

    Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

    Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

    CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The Open Group.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

    THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group.

    The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

    1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

    2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

    3. This notice may not be removed or altered from any source distribution.

    The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

    The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

    The curl license

    COPYRIGHT AND PERMISSION NOTICE

    Copyright (c) 1996 - 2004, Daniel Stenberg, . All rights reserved.

    Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

    The PHP License, version 3.0

    Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please [email protected].

    4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

    5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

    6. Redistributions of any form whatsoever must retain the following acknowledgment:

    "This product includes PHP, freely available from ".

    THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

    For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .

    This product includes software written by Tim Hudson ([email protected]).

    Copyright (c) 2003, Itai Tzur

    All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.

    Confidential Copyright Notice

    Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

    Trademark Notice

    The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

    U.S. Government Restricted Rights

    The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

    Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

    Disclaimer Warranty

    THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

    Limitation of Liability

    UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

    Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

    BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

    Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

    PCRE LICENCE

    PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

    Written by: Philip Hazel

    University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.

    Copyright (c) 1997-2004 University of Cambridge All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    * Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Table Of Contents

    Chapter 1 Introduction to the Upgrade Process
        Upgrading Successfully
        Documentation
        NGX License Upgrade
        Supported Upgrade Paths and Interoperability
        Obtaining Software Installation Packages
        Terminology
        Upgrade Tools

    Chapter 2 Upgrading VPN-1 Pro/Express Licenses
        Overview of NGX License Upgrade
        Introduction to License Upgrade in VPN-1 Express/Pro Environments
        Software Subscription Requirements
        Licensing Terminology
        The License_Upgrade Tool
        Tool Location
        Tool Options
        Simulating the License Upgrade
        Performing the License Upgrade
        License Upgrade Methods
        Deployments with Licenses Managed Centrally Using SmartUpdate
        Deployments with Licenses Managed Locally
        Trial Licenses
        Troubleshooting License Upgrade
        Error: License version might be not compatible
        Evaluation Licenses Created in the User Center
        Evaluation Licenses Not Created in the User Center
        Licenses of Products That Are Not Supported in NGX
        License Enforcement on Module is now on Management
        License Not in Any Of Your User Center Accounts
        User Does Not Have Permissions on User Center Account
        SKU Requires Two Licenses in NG and One License in NGX
        SmartDefense Licenses
        License Upgrade Partially Succeeds
        Upgraded Licenses Do Not Appear in the Repository
        Cannot Connect to the User Center

    Chapter 3 Backup and Revert for VPN-1 Pro/Express
        Introduction
        Backup your Current Deployment
        Restore a Deployment
        SecurePlatform Backup and Restore Commands
        Backup
        Restore
        SecurePlatform Snapshot Image Management
        Snapshot
        Revert
        Revert to your Previous Deployment

    Chapter 4 Upgrading a Distributed VPN-1 Pro/Express Deployment
        Introduction
        Pre-Upgrade Considerations
        License Upgrade to NGX R60
        Web Intelligence License Enforcement
        Upgrading Products on a SecurePlatform Operating System
        VPN-1 Edge/Embedded Gateways Prior to Version 5.0
        Reverting to your Previous Software Version
        Upgrading the SmartCenter Server Component
        Using the Pre Upgrade Verification Tool
        Upgrading a SmartCenter High Availability Deployment
        SmartCenter Upgrade on a Windows Platform
        SmartCenter Upgrade on SecurePlatform R54, R55 and Later Versions
        SmartCenter Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2
        SmartCenter Server Upgrade on a Solaris Platform
        SmartCenter Upgrade on an IPSO Platform
        Migrate your Current SmartCenter Configuration and Upgrade
        Upgrading the Enforcement Module
        Upgrading a Clustered Deployment
        Upgrading the Enforcement Module Using SmartUpdate
        Enforcement Module Upgrade Process on a Windows Platform
        Enforcement Module Upgrade on SecurePlatform R54, R55 and Later Versions
        Enforcement Module Upgrade on SecurePlatform NG FP2, FP3, or FP3 Edition 2
        Enforcement Module Upgrade on a Solaris Platform
        Enforcement Module Upgrade on an IPSO Platform

    Chapter 5 Upgrading a Standalone VPN-1 Pro/Express Deployment
        Introduction
        Pre-Upgrade Considerations
        License Upgrade to NGX
        Upgrading Products on a SecurePlatform Operating System
        Reverting to your Previous Software Version
        Using the Pre-Upgrade Verification Tool
        Standalone VPN-1 Gateway Upgrade on a Windows Platform
        Standalone VPN-1 Gateway Upgrade on SecurePlatform R54, R55 and Later Versions
        Standalone VPN-1 Gateway Upgrade on SecurePlatform NG FP2, FP3, FP3 Edition 2
        Standalone VPN-1 Gateway Upgrade on a Solaris Platform
        Standalone VPN-1 Gateway Upgrade on an IPSO Platform
        Migrate your Current VPN-1 Gateway Configuration and Upgrade
    Chapter 6 Upgrading ClusterXLLicense Upgrade to NGX 97

    Tools for Gateway Upgrades 97

    Planning a Cluster Upgrade 99Permanent Kernal Global Variables 99

    Ready state during Cluster Upgrade/Downgrade operations 99

    Upgrading OPSEC Certified Third Party Clusters Products 101

    Performing a Minimal Effort Upgrade on a ClusterXL Cluster 101

    Performing a Zero Down Time Upgrade on a ClusterXL Cluster 101

    Supported Modes 101

    Performing a Full Connectivity Upgrade on a ClusterXL Cluster 104

    Understanding a Full Connectivity Upgrade 104

    Supported Modes 104Terminology 104

    Implementing a Full Connectivity Upgrade 105

    Chapter 7 Upgrading Provider-1

    Introduction 110

    Scope 110

    Before You Begin 110

    Supported Platforms 111

    Supported Versions for Upgrade 111

    Summary of Sections in this Chapter 111

    Provider-1/SiteManager-1 Upgrade Tools 113

    Pre-Upgrade Verifiers and Fixing Utilities 113

    Installation Script 114

    pv1_license_upgrade 115

    license_upgrade 116

    cma_migrate 117

    migrate_assist 119

    migrate_global_policies 119

    Backup and Restore 120

    Provider-1/SiteManager-1 License Upgrade 122

    Overview of NGX License Upgrade 123

    Introduction to License Upgrade in Provider-1 Environments 124

    Software Subscription Requirements 124

    Understanding Provider-1/SiteManager-1 Licenses 124

    Before License Upgrade 126

    Choosing The Right License Upgrade Procedure 131

    License upgrade of Entire System Before Software Upgrade 133

    License Upgrade of Entire System Using Wrapper 136

    License upgrade of Entire System After Software Upgrade 137

    License Upgrade for a Single CMA 140

    License Upgrade Using the User Center 146

    SmartUpdate Considerations for License upgrade 146

    Troubleshooting License Upgrade 147

    Provider-1/SiteManager-1 Upgrade Practices 152

    In-place Upgrade 152

    Replicate and Upgrade 154

    Gradual Upgrade to Another Machine 155

    Migrating from a Standalone Installation to CMA 158

    MDS Post Upgrade Procedures 162

    Upgrading in a Multi MDS Environment 163

    Pre-Upgrade Verification and Tools 163

    Upgrading an NG with Application Intelligence Multi-MDS System 163

    Restoring your Original Environment 166

    Before the Upgrade 166

    Restoring your Original Environment 167

    Renaming Customers 167

    Identifying Non-Compliant Customer Names 167

    High-Availability Environment 168

    Automatic Division of Non-compliant Names 168

    Resolving the Non-compliance 168

    Advanced Usage 169

    Changing MDS IP address and External Interface 171

    IP Address Change 171

    Interface Change 172

    Chapter 8 Upgrading SmartLSM ROBO Gateways

    Planning the ROBO Gateway Upgrade 173

    Adding a ROBO Gateway Upgrade Package to SmartUpdate Repository 174

    License Upgrade for a ROBO Gateway 174

    Using SmartLSM to Attach the Upgraded Licenses 174

    License Upgrade on Multiple ROBO Gateways 175

    Upgrading a ROBO Gateway Using SmartLSM 175

    Upgrading a VPN-1 Express/Pro ROBO Gateway 175

    Full Upgrade 176

    Specific Installation 176

    Upgrading a VPN-1 Edge ROBO Gateway 177

    Upgrading a VPN-1 Express/Pro ROBO Gateway In Place 178

    Using the Command Line Interface 179

    SmartLSM Upgrade Tools 179

    Upgrading a VPN-1 Express/Pro ROBO Gateway Using LSMcli 180

    Upgrading a VPN-1 Edge ROBO Gateway Using LSMcli 181

    Using the LSMcli in Scripts 182

    Chapter 9 Upgrading VSX SmartCenter Management

    Before You begin 185

    License Upgrade 186

    Tools for Upgrading a SmartCenter 186

    Supported VSX Upgrade Paths 188

    Upgrading VSX NG AI to NGX R60 SmartCenter 188

    Upgrading VSX NG AI R2 to NGX R60 SmartCenter 189

    Supported VSX Upgrade Procedures 190

    Advanced Upgrade Procedures 190

    Export and Import Commands 191

    CHAPTER 1

    Introduction to the Upgrade Process

    In This Chapter

    Upgrading Successfully

    All successful upgrades begin with a solid game plan and a full understanding of the

    steps you need to follow in order to succeed. This book provides tips and instructions

    to make the upgrade process as clear as possible.

    It is not necessary to read the entire book. In fact, large portions of this

    guide may not apply to you. The guide is structured into sections of typical

    deployments for easy navigation.

    We hope that your upgrade goes smoothly but in the event that you run into

    unexpected snags, please contact your Reseller or our SecureKnowledge support center

    at: https://secureknowledge.checkpoint.com

    Upgrading Successfully page 11

    Documentation page 12

    NGX License Upgrade page 13

    Supported Upgrade Paths and Interoperability page 14

    Obtaining Software Installation Packages page 15

    Terminology page 15

    Upgrade Tools page 17

    Documentation

    This guide was created to explain all available upgrade paths for Check Point products

    from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards

    upgrading to NGX R60.

    Before you begin please:

    Make sure that you have the latest version of this document in the User Center at

    http://www.checkpoint.com/support/technical/documents/docs_r60.html

    It is a good idea to have the latest version of the NGX R60 Release Notes handy.

    Download them from:

    http://www.checkpoint.com/support/technical/documents/docs_r60.html

    For a new features list refer to the NGX R60 What's New Guide:

    http://www.checkpoint.com/support/technical/documents/docs_r60.html

    NGX License Upgrade

    To upgrade to NGX R60, you must first upgrade licenses for all NG products. NGX

    R60 with licenses from previous versions will not function.

    The license upgrade procedure can be performed if you have purchased any of the

    Enterprise Software Subscription services. License upgrade will fail for products and

    accounts for which you do not have software subscription. Log in to

    http://usercenter.checkpoint.com to manage your accounts, licenses, and Enterprise

    Support Programs coverage (under Support Programs).

    License upgrade is performed by means of an easy to use tool that automatically

    upgrades both locally and centrally managed licenses. Using the tool you can upgrade

    all licenses in the entire managed system. License upgrade can also be done manually,

    per license, in the User Center.

    The automatic license upgrade tool allows you to:

    1 View the status of the currently installed licenses. On a SmartCenter server (or a

    CMA, for Provider-1), you can also view the licenses in the SmartUpdate license

    repository.

    2 Simulate the license upgrade process.

    3 Perform the actual license upgrade process.

    During the license upgrade, all eligible licenses are gathered and sent in SSL encrypted

    format to the User Center. Upgraded licenses are returned from the User Center, and

    automatically installed. The license upgrade process adds only NGX licenses. Old

    licenses and non-eligible licenses (e.g., evaluation licenses, or licenses that pertain to IP

    addresses no longer used) remain untouched.

    When running on a SmartCenter Server (or a CMA, for Provider-1), the license

    upgrade process also handles licenses in the SmartUpdate license repository. After the

    software upgrade, SmartUpdate is used to attach the new NGX licenses to the gateways.

    License upgrade for VPN-1 Pro/Express deployments is described in chapter 2,

    Upgrading VPN-1 Pro/Express Licenses on page 19.

    License upgrade for Provider-1 deployments is described in

    Provider-1/SiteManager-1 License Upgrade on page 122.

    License upgrade for SmartLSM deployments is described in License Upgrade for a

    ROBO Gateway on page 174.

    It is recommended to check

    http://www.checkpoint.com/techsupport/ngx/license_upgrade.html for up to date

    information and downloads regarding NGX license upgrade.

    Supported Upgrade Paths and Interoperability

    Upgrading to NGX R60 is supported on the following versions:

    NG

    NG FP1

    NG FP2

    NG FP3

    NG With Application Intelligence R54

    NG With Application Intelligence R55

    NG R55W

    GX 2.5

    VSX NG AI

    VSX NG AI Release 2

    Backward compatibility to NGX R60 is supported on the following versions:

    NG FP3

    NG With Application Intelligence R54

    NG With Application Intelligence R55

    NG R55W

    GX 2.5

    VSX NG AI

    VSX NG AI Release 2

    Upgrading from versions prior to NG (4.0-4.1) is not supported. In order to upgrade

    FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to

    the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55

    upgrade is complete, perform an upgrade to NGX R60.

    Obtaining Software Installation Packages

    NGX R60 software installation packages for Solaris, Windows, Linux and

    SecurePlatform are available on the product CD.

    NGX R60 software packages for Nokia IPSO 3.9 are available at the online download

    center in the following location:

    http://www.checkpoint.com/techsupport/downloads.jsp

    Terminology

    Security Policy - A Security Policy is created by the system administrator in order to

    regulate the incoming and outgoing flow of communication.

    Enforcement Module - An Enforcement module is the VPN-1 Pro engine which

    actively enforces the Security Policy of the organization.

    SmartCenter Server - The SmartCenter Server is used by the system administrator to

    manage the Security Policy. The databases and policies of the organization are stored on

    the SmartCenter Server, and are downloaded from time to time to the Enforcement

    modules.

    SmartConsole Clients - The SmartConsole Clients are GUI applications which are

    used to manage different aspects of the Security Policy. For instance SmartView Tracker is

    a GUI client used to view logs.

    SmartDashboard - a GUI client that is used to create Security Policies.

    Check Point Gateway - otherwise known as an Enforcement module, or sometimes

    just module, is the VPN-1 Pro engine that actively enforces your organization's Security

    Policy.

    SmartUpdate - allows you to centrally upgrade and manage Check Point software and

    licenses.

    Package Repository - This is a SmartUpdate repository on the SmartCenter Server

    that stores uploaded Packages. These packages are then used by SmartUpdate to

    perform upgrades of Check Point Gateways.

    Standalone Deployment - A Standalone deployment is performed when the Check

    Point components that are responsible for the management of the Security Policy (the

    SmartCenter Server and the Enforcement Module) are installed on the same machine.

    Distributed Deployment - A Distributed deployment is performed when the

    Enforcement Module and the SmartCenter Server are deployed on different machines.

    Advanced Upgrade - In order to avoid unnecessary risks, it is possible to migrate the

    current configuration to a spare server. Once this is completed an upgrade process

    should be performed on the migrated server, leaving the production server intact.

    In Place Upgrade - In Place upgrades are upgrades performed locally.

    ClusterXL - is a software-based load sharing and high availability solution for Check

    Point gateway deployments. It distributes traffic between clusters of redundant gateways

    so that the computing capacity of multiple machines may be combined to increase total

    throughput. In the event that any individual gateway becomes unreachable, all

    connections are re-directed to a designated backup without interruption. Tight

    integration with Check Point's SmartCenter management and enforcement point

    solutions ensures that ClusterXL deployment is a simple task for VPN-1 Pro

    administrators.

    ROBO Gateways - A Remote Office/Branch Office Gateway.

    ROBO Profile - An object that you define to represent properties of multiple ROBO

    Gateways. Profile objects are version dependent; therefore, when you plan to upgrade

    ROBO Gateways to a new version, first define new Profile objects for your new

    version. In general, you will want to keep the Profile objects of the previous versions

    until all ROBO Gateways of the previous version are upgraded to the new version. For

    further information about defining a ROBO Profile see the Defining Policies for the

    Gateway Profile Objects chapter in the SmartLSM Guide.

    LSM - Large Scale Manager. SmartLSM enables enterprises to easily scale, deploy and

    manage VPNs and security for thousands of remote locations.

    Management Virtual System (MVS) is a default Virtual System created by the VSX

    installation process during installation. The MVS:

    Handles provisioning and configuration of Virtual Systems and Virtual Routers.

    Manages Gateway State Synchronization when working with clusters.

    Virtual Routers are independent routing domains within a VSX Gateway that

    function like physical routers.

    VSX Clustering involves connecting two or more VSX Gateways in such a way that

    if one fails, another immediately takes its place. A single VSX Gateway contains

    multiple Virtual Routers and Virtual Systems.

    Virtual System is a routing and security domain featuring firewall and VPN

    capabilities supported by a standard Check Point Gateway. Multiple Virtual Systems can

    run concurrently on a single VSX Gateway, isolated from one another by their use of

    separate system resources and data storage.

    Upgrade Tools

    Various upgrade tools are provided for migration and compatibility verification of your

    current deployment. These tools will help you successfully upgrade to NGX R60.

    The upgrade tools can be found in the following locations:

    In the NGX R60 $FWDIR/bin/upgrade_tools directory.

    http://www.checkpoint.com/techsupport/ngx/utilities.html

    CHAPTER 2

    Upgrading VPN-1 Pro/Express Licenses

    In This Chapter

    Overview of NGX License Upgrade page 20

    Introduction to License Upgrade in VPN-1 Express/Pro Environments page 20

    Software Subscription Requirements page 20

    Licensing Terminology page 21

    The License_Upgrade Tool page 22

    Simulating the License Upgrade page 23

    Performing the License Upgrade page 25

    Trial Licenses page 36

    Troubleshooting License Upgrade page 37

    Overview of NGX License Upgrade

    To upgrade to NGX R60, you must first upgrade licenses for all NG products. NGX

    R60 with licenses from previous versions will not function.

    The license upgrade procedure can be performed if you have purchased any of the

    Enterprise Software Subscription services. License upgrade will fail for products and

    accounts for which you do not have software subscription. Log in to

    http://usercenter.checkpoint.com to manage your accounts, licenses, and Enterprise

    Support Programs coverage (under Support Programs).

    License upgrade is performed by means of an easy to use tool that automatically

    upgrades both locally and centrally managed licenses. Using the tool you can upgrade

    all licenses in the entire managed system.

    License upgrade can also be done manually, per license, in the User Center. For

    instructions, see the Step by Step guide to the User Center at

    https://usercenter.checkpoint.com/pub/usercenter/faq_us.html.

    For instructions on upgrading licenses for Provider-1 and SmartLSM deployments, see

    Provider-1/SiteManager-1 License Upgrade on page 122.

    License Upgrade for a ROBO Gateway on page 174.

    For the latest information and downloads regarding NGX license upgrade, check

    http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    Introduction to License Upgrade in VPN-1 Express/Pro Environments

    Licenses are required for the SmartCenter Server and for the enforcement modules. No

    license is required for the SmartConsole management clients.

    The license upgrade procedure uses the license_upgrade command line tool that

    makes it simple to automatically upgrade licenses without having to do so manually

    through the Check Point User Center Web site https://usercenter.checkpoint.com.

    Version 4.1 licenses cannot be upgraded directly to NGX. You must first upgrade the

    license to NG and then to NGX. License upgrade from version 4.1 to NG can be done

    only from the User Center Web site. It is not supported by the upgrade tool.

    Software Subscription Requirements

    The license upgrade procedure can be performed if you have purchased any of the

    Enterprise Software Subscription services. License upgrade will fail for products and

    accounts for which you do not have software subscription.

    You can see exactly the products and accounts for which you have software subscription

    by looking in your User Center account at https://usercenter.checkpoint.com. In the

    Accounts page, Enterprise Contract column, and in the Products page, Subscription and

    Support column, if the account or product is covered, the expiration date is shown.

    Otherwise, the entry says Join Now, with a link to get a quote for purchasing Enterprise

    Support.

    You can purchase an Enterprise Software Subscription for the whole account, in which

    case all the products in the account will be covered, or you can purchase Enterprise

    Software Subscription for individual products.

    Licensing Terminology

    The license upgrade procedures use specialized licensing terminology. It is important to

    understand the terminology in order to successfully perform the license upgrade.

    License Upgrade is the process of upgrading version NG licenses to NGX.

    Software Upgrade is the process of upgrading Check Point software to version

    NGX.

    License Repository is a repository on the SmartCenter Server that stores licenses

    for Check Point products. It is used by SmartUpdate to install and manage licenses

    on Check Point Gateways.

    Wrapper is the wizard application on the Check Point CD that allows you to

    install and upgrade Check Point products and upgrade licenses.

    The License_Upgrade Tool

    The license_upgrade tool allows you to:

    1 View the status of the currently installed licenses. On a SmartCenter server (or a

    CMA, for Provider-1), you can also view the licenses in the SmartUpdate license

    repository.

    2 Simulate the license upgrade process.

    3 Perform the actual license upgrade process.

    During the license upgrade, all eligible licenses are gathered and sent in SSL encrypted

    format to the User Center. Upgraded licenses are returned from the User Center, and

    automatically installed. The license upgrade process adds only NGX licenses. Old

    licenses and non-eligible licenses (e.g., evaluation licenses, or licenses that pertain to IP

    addresses no longer used) remain untouched.

    When running on a SmartCenter Server (or a CMA, for Provider-1), the license

    upgrade tool also handles licenses in the SmartUpdate license repository. After using the

    tool, SmartUpdate is used to attach the new NGX licenses in the license repository to

    the gateways.

    Tool Location

    The license_upgrade tool can be found in one of the following locations:

    On the NGX product CD at \

    In the Check Point Download site at

    http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    It is also part of the NGX installation, located at $CPDIR/bin.

    Tool Options

    The license_upgrade command line tool has a number of options. To see all the

    options, run:

    license_upgrade

    The options are:

    TABLE 2-1 license_upgrade tool options

    Option  Meaning

    [L]     View the licenses installed on your machine.

    [S]     Sends existing licenses to User Center Web site to simulate the license
            upgrade in order to verify that it can be performed. No actual upgrade is
            done and no new licenses are returned.

    [U]     Sends existing licenses to the User Center Web site to perform upgrade
            and (by default, in online mode) installs them on the machine.

    [C]     Reports whether or not there are licenses on the machine that need to be
            upgraded.

    [O]     Perform license upgrade on a license file that was generated on a machine
            with no Internet access to the User Center.

    [V]     View log of last license upgrade or last upgrade simulation.

    Simulating the License Upgrade

    Before performing the license upgrade, it is recommended to simulate the License

    Upgrade. Do this in order to find and solve potential problems in upgrading specific

    licenses. The simulation is an exact replica of the license upgrade process. It sends

    existing licenses to User Center Web site to verify that the upgrade is possible; however,

    no actual upgrade is done and no new licenses are returned. If the actual license

    upgrade would fail for some reason, error messages are displayed and are available in a log file,

    which can be used for troubleshooting.

    Note - License upgrade simulation can only be performed on a machine with Internet

    connectivity to the Check Point User Center.

    1 Copy the license_upgrade tool from \ on the NGX

    product CD, or from the Check Point Download site at

    http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    2 Place the license_upgrade tool on the NG machine.

    3 To simulate the license upgrade, run the license_upgrade tool option

    [S] Simulate the license upgrade.

    4 Be sure to deal with all the reported issues, so that the actual license upgrade will

    succeed for all licenses.

    For further assistance:

    See Troubleshooting License Upgrade on page 37.

    Refer to SecureKnowledge at https://secureknowledge.checkpoint.com.

    Performing the License Upgrade

    In This Section

    License Upgrade Methods

    There are two methods of upgrading licenses to NGX in a VPN-1 Pro/Express

    deployment. The right method to use depends on how you manage your licenses:

    Centrally, from the SmartCenter Server by means of SmartUpdate, or

    Locally at the Check Point machine.

    If you use SmartUpdate to manage your licenses, you can update all licenses in your

    entire managed system in a single procedure.

    For both methods, the upgrade is performed using the license_upgrade tool.

    For each method the actual procedure that is used depends on whether or not the

    machine on which the license upgrade is to be run is online or offline. An online

    machine is one with Internet connectivity to the Check Point User Center.

    It is highly recommended to perform the license upgrade before performing any software

    upgrade. This ensures that the products will continue to function after the software

    upgrade. However, if necessary, the software upgrade can be done first.

    License Upgrade Methods page 25

    Deployments with Licenses Managed Centrally Using SmartUpdate page 27

    Deployments with Licenses Managed Locally page 33

    Note - Version 4.1 licenses cannot be upgraded directly to NGX. You must first upgrade

    software and licenses to version NG.

    The following table shows the Check Point licenses that are upgraded for each license

    upgrade method:

    License Management   License Upgrade for              Licenses that are upgraded
    method

    Centrally managed    Entire managed System            Local machine licenses
    using SmartUpdate    (Run upgrade tool on             (for SmartCenter)
                         SmartCenter Server)              License Repository
                                                          (for enforcement modules)

    Locally managed      Enforcement module               Local machine licenses

                         SmartCenter Server               Local machine licenses

                         Standalone Gateway               Local machine licenses
                         deployment, containing both      (for SmartCenter and
                         a SmartCenter and an             enforcement module).
                         enforcement module.
                         (that manages no remote
                         enforcement modules)

    What Next?

    Now choose the right procedure for you:

    Deployments with Licenses Managed Centrally Using SmartUpdate on page 27

    Deployments with Licenses Managed Locally on page 33

    Deployments with Licenses Managed Centrally Using SmartUpdate

    In This Section

    Introduction to Using SmartUpdate

    In distributed deployments with multiple enforcement modules, SmartUpdate must be

    used to distribute licenses from the SmartCenter to the enforcement modules after

    performing the license upgrade.

    With SmartUpdate, you can manage all licenses for Check Point packages throughout

    the organization that are managed by the SmartCenter Server. SmartUpdate provides a

    global view of all available and installed licenses, and allows you to perform operations

    on Check Point Gateways such as adding new licenses, attaching licenses and deleting

    expired licenses.

    After the SmartCenter Server is upgraded, SmartUpdate must be used to complete the

    License Upgrade process. When SmartUpdate is opened, the upgraded licenses are

    imported into the license repository and are Assigned to the appropriate enforcement

    module.

    1. License Upgrade for an Online SmartCenter

    Use this procedure to upgrade the licenses of the entire distributed deployment to

    NGX before the software upgrade, for a deployment with an online SmartCenter Server.

    An online SmartCenter Server is one with Internet connectivity to the Check Point

    User Center Web site https://usercenter.checkpoint.com.

    Introduction to Using SmartUpdate on page 27

    1. License Upgrade for an Online SmartCenter on page 27

    2. License Upgrade for an Offline SmartCenter on page 30

    Note - SmartUpdate license management capabilities are free of charge.

    Note - If the license upgrade is performed before the software upgrade, Check Point

    products will generate warning messages until all the software on the machine has been

    upgraded. See Error: License version might be not compatible on page 37 for details.

    1 At the SmartConsole GUI machine, open SmartUpdate, connect to the

    SmartCenter Server, and select Licenses > Get all licenses. This ensures that the

    License Repository is updated.

    2 Copy the license_upgrade tool from \ on the NGX

    product CD, or from the Check Point Download site at

    http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    3 Place the license_upgrade tool on the SmartCenter NG machine.

    4 On the SmartCenter Server, perform the license upgrade procedure by running the

    license_upgrade tool (on SecurePlatform, you must be in expert mode).

    5 Choose the [U] option. This does the following:

    Collects all the licenses that exist on the machine.

    Fetches updated licenses from the User Center.

    Installs new licenses on the local machine.

    On the SmartCenter machine, if Management High Availability licenses exist,

    they are upgraded.

    6 Perform the software upgrade to NGX on the SmartCenter machine and on the

    SmartConsole GUI machine.

    7 At the SmartConsole GUI machine, open SmartUpdate, and connect to the

    SmartCenter Server. The updated licenses are displayed as Assigned. Use the Attach

    assigned licenses option to Attach the Assigned licenses to enforcement modules.

    8 Perform the software upgrade to NGX on the enforcement module machine(s).

    9 Delete obsolete licenses from NGX modules. At the SmartConsole GUI machine,

    open SmartUpdate and connect to the SmartCenter Server. In the License

    Repository, sort by the State column, select all the Obsolete licenses, Detach them,

    and then Delete them.

    Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on

    Windows platforms with via-proxy Internet connectivity.

    License Statuses in SmartUpdate

    SmartUpdate shows whether a license is Attached or Unattached, and the license State.

    An:

    Attached license is associated with the enforcement module in License Repository,

    and is installed on the remote enforcement module. In order for the NGX software

    to work, a valid NGX license must be Attached.

    Unattached license is not installed on any enforcement module.

    A license can be in one of the following States:

    Assigned is an NGX license that is associated with the enforcement module in

    License Repository, but is not yet installed on the module as a replacement for anexisting NG license.

    Obsolete is an NG license for which a replacement NGX license is installed on an

    NGX enforcement module.

    Requires Upgrade is an NG license that is installed on an NGX machine, and for

    which no replacement upgraded license exists.

    No NGX license is an NG license that does not need to be upgraded, or one for

    which the license upgrade failed.

    2. License Upgrade for an Offline SmartCenter

    Use this procedure to upgrade the licenses of the entire distributed deployment before

    the software upgrade, where the SmartCenter Server is offline.

    An offline SmartCenter Server is one that does not have Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

    1 At the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter Server. Select Licenses > Get all licenses. This ensures that the License Repository is updated.

    2 Copy the license_upgrade tool from \ on the NGX CD,

    or from the Check Point Download site at

    http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    3 Place the license_upgrade tool on the offline SmartCenter Server NG.

    4 At the offline SmartCenter, run

    license_upgrade

    On SecurePlatform, run the option in expert mode.

    5 From the menu of options choose:

    [U] to run the upgrade operation.

    [N] to specify that you don't have an internet connection.

    [E] to copy the licenses to a license file.

    Enter the name of the license package file that will be created.

    [Q] to quit the license upgrade tool.

    6 Copy the license package file from the offline SmartCenter to any online machine.

    The online machine does not need to be a Check Point-installed machine.

    7 Copy the license_upgrade tool to the online machine from the location specified

    in step 2.

    8 Run the license_upgrade tool at the online machine:

    [O] to run the upgrade operation in offline mode.

    Enter the name of the exported file with the location of the package file that is the result of step 5.

    Note - If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. See Error: License version might be not compatible on page 37 for details.

    Enter the name of the file that will be created with all the upgraded licenses

    (output file name).

    Press [Y] when asked Is this machine connected to the Internet?.

    Press [Y] if you are connected to the internet via a proxy and supply the proxy IP, port, username and password.

    Press [N] if you are not connected via proxy and continue with the upgrade.

    Enter the user and password of your User Center Account.

    This fetches new licenses from the User Center and puts them in a cache file.

    9 Copy the cache file (with the new licenses) to the offline SmartCenter. Copy the

    file to the same directory as the license upgrade tool.

    10 Run license_upgrade tool on the offline SmartCenter.

    Press [U] to run the Upgrade operation.

    Press [N] when asked Is this machine connected to the Internet?.

    Press [I] to import the output file with all the upgraded licenses back to the

    SmartCenter.

    Enter the output file name with all the upgraded licenses.

    11 Return to the main menu and press

    [C] Check if currently installed licenses have been upgraded.

    This shows the number of upgraded licenses on the machine and whether the

    original NG licenses have a replacement NGX license.

    12 Perform the software upgrade to NGX on the SmartCenter machine and on the SmartConsole GUI machine.

    13 At the SmartConsole GUI machine, open SmartUpdate and connect to the

    SmartCenter Server. The updated licenses are displayed as Assigned. Use the Attach

    assigned licenses option to Attach the Assigned licenses to enforcement modules.

    14 Perform the software upgrade to NGX on the enforcement module machine(s).

    15 Delete obsolete licenses from NGX modules. At the SmartConsole GUI machine, open SmartUpdate and connect to the SmartCenter Server. In the License

    Repository, sort by the State column, select all the Obsolete licenses, Detach them,

    and then Delete them.

    License Statuses in SmartUpdate

    SmartUpdate shows whether a license is Attached or Unattached, and the license State.

    An:

    Attached license is associated with the enforcement module in License Repository, and is installed on the remote enforcement module. In order for the NGX software to work, a valid NGX license must be Attached.

    Unattached license is not installed on any enforcement module.

    A license can be in one of the following States:

    Assigned is an NGX license that is associated with the enforcement module in License Repository, but is not yet installed on the module as a replacement for an existing NG license.

    Obsolete is an NG license for which a replacement NGX license is installed on an

    NGX enforcement module.

    Requires Upgrade is an NG license that is installed on an NGX machine, and for

    which no replacement upgraded license exists.

    No NGX license is an NG license that does not need to be upgraded, or one for

    which the license upgrade failed.

    Deployments with Licenses Managed Locally

    In This Section

    3. License Upgrade for an Online Machine

    4. License Upgrade for an Offline Machine

    3. License Upgrade for an Online Machine

    Use this procedure to upgrade the licenses on a single online NG machine before the software upgrade.

    An online machine is one with Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

    The single machine can be a

    SmartCenter Server.

    Enforcement module.

    Standalone Gateway containing a SmartCenter Server and an enforcement module.

    1 Copy the license_upgrade tool from \ on the NGX CD, or from the Check Point Download site at http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    2 Place the license_upgrade tool on the online NG machine.

    3 At the online machine, perform the license upgrade procedure by running license_upgrade tool (on SecurePlatform, you must be in expert mode).

    4 Choose the [U] option. This does the following:

    Collects all the licenses that exist on the machine.

    Fetches updated licenses from the User Center.

    Installs new licenses on the local machine.

    On a SmartCenter machine, if Management High Availability licenses exist, they are upgraded.

    Note - If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. See Error: License version might be not compatible on page 37 for details.

    Note - License upgrade using the CD Wrapper does not work for SmartCenter machines on Windows platforms with via-proxy Internet connectivity.

    5 Perform the software upgrade to NGX.

    6 Find out which licenses on the machine are obsolete. Run

    cplic print

    7 Delete the obsolete licenses from the machine: For each obsolete license, run

    cplic -del

    4. License Upgrade for an Offline Machine

    Use this procedure to upgrade the licenses for a single offline machine before the software upgrade.

    An offline machine is one that does not have Internet connectivity to the Check Point User Center Web site https://usercenter.checkpoint.com.

    The single machine can be a

    SmartCenter Server.

    Enforcement module.

    Standalone Gateway containing a SmartCenter Server and an enforcement module.

    1 Copy the license_upgrade tool from \ on the NGX CD,

    or from the Check Point Download site at

    http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    2 Place the license_upgrade tool on the offline machine.

    3 At the offline machine, run

    license_upgrade

    On SecurePlatform, run the option in expert mode.

    4 From the menu of options choose:

    [U] to run the upgrade operation.

    [N] to specify that you don't have an internet connection.

    [E] to copy the licenses to a license file.

    Enter the name of the license package file that will be created.

    [Q] to quit the license upgrade tool.

    5 Copy the license package file from the offline machine to any online machine. The

    online machine does not need to be a Check Point-installed machine.

    Note - If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. See Error: License version might be not compatible on page 37 for details.

    6 Copy the license_upgrade tool to the online machine. The tool is located at the

    location specified in step 1.

    7 Run the license_upgrade tool at the online machine:

    [O] to run the upgrade operation in offline mode.

    Enter the name of the exported file with the location of the package file that is

    the result of step 5.

    Enter the name of the file that will be created with all the upgraded licenses

    (output file name).

    Press [Y] when asked Is this machine connected to the Internet?.

    Press [Y] if you are connected to the internet via a proxy and supply the proxy IP, port, username and password.

    Press [N] if you are not connected via proxy and continue with the upgrade.

    Enter the user and password of your User Center Account.

    This fetches new licenses from the User Center and puts them in a cache file.

    8 Copy the cache file (with the new licenses) to the offline machine. Copy the file to

    the same directory as the license_upgrade tool.

    9 Run license_upgrade tool on the offline machine.

    Press [U] to run the Upgrade operation.

    Press [N] when asked Is this machine connected to the Internet?.

    Press [I] to import the output file with all the upgraded licenses back to the

    SmartCenter.

    Enter the output file name with all the upgraded licenses.

    10 Return to the main menu and press

    [C] Check if currently installed licenses have been upgraded.

    This shows the number of upgraded licenses on the machine and whether the

    original NG licenses have a replacement NGX license.

    11 Perform the software upgrade to NGX on the offline machine.

    12 Find out which licenses on the machine are obsolete. Run

    cplic print

    13 Delete the obsolete licenses from the machine: For each obsolete license, run

    cplic -del

    Trial Licenses

    Every Check Point product comes with a Trial License that allows unrestricted use of

    the product for 15 days.

    After the software upgrade, the Trial License continues to work for the remaining days

    of the license. There is no need to upgrade the Trial License.

    The Trial License does not work if you migrate your current SmartCenter

    configuration to a new machine, and then upgrade the new machine to NGX.

    Troubleshooting License Upgrade

    License upgrade is a smooth and easy process. There are a few predictable cases where

    you may come across some problems. Use this section to solve those license upgrade

    problems.

    In This Section

    Error: License version might be not compatible

    Evaluation Licenses Created in the User Center

    Evaluation Licenses Not Created in the User Center

    Licenses of Products That Are Not Supported in NGX

    License Enforcement on Module is now on Management

    License Not in Any Of Your User Center Accounts

    User Does Not Have Permissions on User Center Account

    SKU Requires Two Licenses in NG and One License in NGX

    SmartDefense Licenses

    License Upgrade Partially Succeeds

    Upgraded Licenses Do Not Appear in the Repository

    Cannot Connect to the User Center

    Error: License version might be not compatible

    SecureKnowledge solution sk30478

    Symptoms

    Error: Warning: Can't find .... in cp.macro. License version might be not compatible

    Error occurs with commands such as cplic print, cpstop, cpstart, and fw ver.

    The error occurs when a license upgrade is performed before a software upgrade.

    The error appears in any situation where a licensed version is not compatible with the version installed on a machine, for example, an NGX license on an NG machine.

    Cause

    License on the target machine was upgraded to NGX before the software was upgraded from a previous NG version to NGX.

    If the license upgrade is performed before the software upgrade, Check Point products will generate warning messages until all the software on the machine has been upgraded. Refer to License Upgrade Methods on page 25 to determine the upgrade path that best applies to your current configuration.

    Resolution

    Upgrade the software to version NGX. Errors will not appear after the upgrade.

    Note that these errors do not affect the functionality of the version NG software.

    Evaluation Licenses Created in the User Center

    Symptoms

    User Center message (Error code: 106):

    No license upgrade is available for evaluation product.

    Cause

    Evaluation licenses are not entitled to a license upgrade.

    Resolution

    Evaluation licenses cannot be upgraded. If you don't need the evaluation license, delete it. If you do need it, contact Account Services at US +1 817 606 6600, option 7 or e-mail [email protected].

    Evaluation Licenses Not Created in the User Center

    Symptoms

    User Center message (Error code: 151):

    Your license contains a Certificate Key (CK) which is not found in User Center.

    Cause

    These evaluation licenses do not exist in the User Center. Evaluation licenses are not entitled to a license upgrade.

    An evaluation license can be identified by examining the license string. Evaluation licenses may contain one of the following strings in the Features description:

    CK-CP

    or

    CK-CHECK-POINT-INTERNAL-USE-ONLY

    Resolution

    Evaluation licenses cannot be upgraded. If you don't need the evaluation license, delete it. If you do need it, contact Account Services at US +1 817 606 6600, option 7 or e-mail [email protected].

    Licenses of Products That Are Not Supported in NGX

    Symptoms

    User Center Message (Error code: 154):

    This product is not upgradeable to NGX version and therefore a license upgrade is not needed. The product continues to be supported in its NG Release

    Cause

    VPN-1 Net and VPN-1 SmallOffice are not supported in NGX. Therefore, if an attempt is made to upgrade the license for these products, the User Center generates an error message. The affected SKUs are:

    VPN-1 Net Family SKUs: CPVP-VNT and LS-CPVP-VNT families

    SmallOffice family SKUs: CPVP-VSO and LS-CPVP-VSO families

    Resolution

    Contact Account Services at US +1 817 606 6600, option 7 or e-mail [email protected].

    License Enforcement on Module is now on Management

    Symptoms

    User Center Message (Error code: 132):

    The license enforcement of NG gateway is now performed by the NGX management server. Perform Change IP operation in User Center and install the NGX license on the management server

    Cause

    The enforcement of NG module features is now performed by the NGX management. For example, the licensing model of QOS (formerly FloodGate-1) for VPN-1 Express was changed in NGX, and VPN-1 Express NGX modules with QoS require an appropriate license to be installed on the management. License Upgrade in this scenario is not handled automatically by the license upgrade. The affected SKU family for QoS is: CPXP-QOS

    Resolution

    If you have an NG Express gateway with a QoS (FloodGate-1) license, and in any other

    case where this problem occurs, proceed as follows:

    1 Perform a license upgrade at the User Center web site to generate a new license.

    2 Install the new, upgraded license on the NGX management machine (even if you

    do not upgrade the gateway).

    3 Upgrade the gateway.

    4 Delete the unneeded license from the gateway in one of two ways:

    Run the command line command at the gateway:

    cplic del

    Using SmartUpdate, select the unneeded license, Detach it, and then Delete it.

    License Not in Any Of Your User Center Accounts

    Symptoms

    User Center Message (Error Code 17):

    This license is not in any of your accounts. Run the license upgrade again with the username that owns this license in the User Center.

    Cause

    This specific license does not exist in any of the accounts that belong to this user.

    Resolution

    Run the tool again with the appropriate username.

    Note that each time you run the tool with a different username, upgraded licenses from the User Center are added to a cache file located on your machine. This file contains the successfully upgraded licenses from previous runs.

    If the partially successful license upgrade was performed via the Wrapper, then after the Wrapper has finished, run the license upgrade again via the command line, with the appropriate username.

    User Does Not Have Permissions on User Center Account

    Symptoms

    User Center Message (Error Code 19):

    This license is in your account but you are not authorized to upgrade licenses in this account because you have just view-only permissions. Run license upgrade again with a username that is authorized to change the license in the User Center.

    Cause

    This user is not authorized to change this license in the User Center.

    Resolution

    Run the tool again with the appropriate username.

    Note that each time you run the tool with a different username, upgraded licenses from the User Center are added to a cache file located on your machine. This file contains the successfully upgraded licenses from previous runs.

    If the partially successful license upgrade was performed via the Wrapper, then after the Wrapper has finished, run the license upgrade again via the command line, with the appropriate username.

    SKU Requires Two Licenses in NG and One License in NGX

    Symptoms

    User Center Message (Error code: 135):

    This license is no longer needed in the version you are upgrading to. It can be safely removed from the machine after the software upgrade.

    Cause

    The NG version of SecureClient requires two licenses: one license for the module and one for the management. In NGX only the management license is needed. The module license (CPVP-VPS-1-NG) is no longer needed because it is incorporated in the VPN-1 Pro license. The relevant SKU families are:

    CPVP-VSC,

    LS-CPVP-VSC,

    CPVP-VMC,

    LS-CPVP-VMC,

    CPVP-VSC-100-DES-NG

    Resolution

    After the software upgrade, delete the unneeded module license from the machine. Do this in one of two ways:

    Using the command line: Run cplic del

    Using SmartUpdate: Select the unneeded license, Detach it, and then Delete it.

    SmartDefense Licenses

    Symptoms

    User Center Message (Error code: 902):

    SmartDefense License is not needed on the gateway.

    Cause

    In NGX, enforcement of SmartDefense licenses is handled by the User Center. The SKU families for which this issue is relevant are SU-SMRD and SU-SMDF.

    Resolution

    Delete the unneeded license from the machine.

    License Upgrade Partially Succeeds

    Symptoms

    License upgrade fails for some of the licenses but succeeds for others.

    Cause

    License upgrade may fail for some licenses and succeed for others. A license may fail to upgrade for a number of reasons. For example, you may not have an Enterprise Subscription contract for these licensed products. See some of the other items in Troubleshooting License Upgrade on page 37 for more reasons why license upgrade may fail.

    Resolution

    After solving all or some of the licensing problems referred to in the error log, run the license_upgrade tool. This will upgrade the licenses for which the problem has been solved.

    The tool can be found in one of the following locations:

    On the CD at

    In the Check Point Download site at http://www.checkpoint.com/techsupport/ngx/license_upgrade.html.

    When the license_upgrade tool is run several times, the results are cumulative. This

    means that if the upgrade of some licenses failed and the tool is run again:

    Licenses that were successfully upgraded to NGX remain unchanged.

    Licenses that failed to upgrade in a previous