Friday, October 19, 2012

Upgrade the Check Point Security Management server from SPLAT R71.45 to R75.40

There is an official way to upgrade Check Point solutions based on SPLAT.
Below I've described my way to upgrade the CP Security Management server (SMART center).
My SMART center is installed on the HP Proliant DL380g6 server.
First of all, you have to check the state and version :). I've done it using CP SmartView Monitor.
As you can read in the upgrade procedure document, you have to check the contract files.
I've done it using the SmartUpdate tool.
At the next stage you should back up your system. I've used two methods: backup (using a backup script from the CPUG forum) and snapshot.
Here is the backup script:


#!/bin/sh -x
# Set Check Point profile for library settings!
. /etc/profile.d/CP.sh
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/opt/CPsuite-R65/fw1/
FILENAME="`uname -n`"_"`/bin/date +%m-%d-%Y_%H%M`"
### update system clock
###/usr/sbin/ntpdate 4.2.2.2
###
### create /var/tmp/upgrade_export (no error if it already exists)
mkdir -p /var/tmp/upgrade_export
### Enter /var/tmp/upgrade_export directory; stop if that fails,
### so the rm -rf below can never run in another directory
cd /var/tmp/upgrade_export || exit 1
###
### Remove the temp directory if exists
rm -rf "$FILENAME"
###
### Create upgrade_export directory
mkdir "/var/tmp/upgrade_export/$FILENAME"
###
### Enter temporary upgrade export directory
cd "/var/tmp/upgrade_export/$FILENAME" || exit 1
###
### Gather system important information
###
/bin/set_host >> info.txt
/bin/echo ------------- >> info.txt
/bin/save_ifconfig -a >> info.txt
/bin/echo ------------- >> info.txt
/bin/netstat -rnv >> info.txt
/bin/echo ------------- >> info.txt
/bin/cat /etc/hosts >> info.txt
/bin/echo ------------- >> info.txt
/bin/cat /etc/sysconfig/netconf.C >> info.txt
###
### Start the upgrade_export process
###echo Y | /opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_export $FILENAME
${FWDIR}/bin/upgrade_tools/upgrade_export -n ${FILENAME}
###
### pack up files and zip them up
cd /var/tmp/upgrade_export || exit 1
tar -cf "$FILENAME.tar" "$FILENAME"
gzip "$FILENAME.tar"
###
### Remove temporary directory
rm -rf "$FILENAME"
###
### At this point what you may want is to transfer this $FILENAME.tar.gz file
### to a safe external system with Secure Copy Protocol or scp.
### Make sure to use the "admin" account when you get this file from the SCP
### server.
### Enjoy !!!!!!
### copy this file to a scp server
###/usr/bin/scp $FILENAME.tar.gz root@192.168.1.1:/var/backups/.
### Finish


The script was placed in the admin home folder and run from expert mode:

[Expert@hostname-sc00]# /home/admincp/backup-script

As a result you have one file in the /var/tmp/upgrade_export folder.
You have to copy this file to the backup server. I've done it manually using WinSCP.
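
A check worth running before the upgrade and again on the backup server, added here as an example (it is not part of the original post or of the CPUG script): it tests the archive produced by the backup script and records a SHA-256 checksum to compare after the copy. The function names, the `.tgz` suffix of the export inside the archive, and the availability of `sha256sum` are assumptions.

```sh
#!/bin/sh
# Added example: integrity checks for the archive made by the backup script.
# Assumed layout: <name>.tar.gz contains <name>/info.txt and the
# upgrade_export output <name>/<name>.tgz (the .tgz suffix is an assumption).

# verify_backup ARCHIVE: return 0 only if the archive is intact and complete.
verify_backup() {
    archive=$1
    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 1; }
    # gzip -t detects a truncated or corrupted compressed stream
    gzip -t "$archive" 2>/dev/null || { echo "gzip test failed" >&2; return 1; }
    listing=$(gzip -dc "$archive" | tar -tf -) \
        || { echo "tar listing failed" >&2; return 1; }
    # The system information gathered by the script must be there
    echo "$listing" | grep -q '/info\.txt$' \
        || { echo "info.txt missing" >&2; return 1; }
    # The exported management database must be there
    echo "$listing" | grep -q '\.tgz$' \
        || { echo "export .tgz missing" >&2; return 1; }
    return 0
}

# write_manifest ARCHIVE: restrict access to the archive (it holds the
# management configuration) and write ARCHIVE.sha256 next to it.
write_manifest() {
    archive=$1
    chmod 600 "$archive" || return 1
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# check_copy ARCHIVE: run where the copy landed, with ARCHIVE.sha256 beside it;
# returns non-zero if the copy differs from what was recorded.
check_copy() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 )
}
```

Run `verify_backup` and `write_manifest` on the management server, copy the `.sha256` file together with the archive, and run `check_copy` on the backup server before starting the upgrade.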

Next I've used the classical snapshot procedure.

Make sure that the snapshot file was successfully copied to the FTP server.

And now you can do the upgrade procedure.
I've used many ways, but only one method was successful.
It is the upgrade through the ILO interface and an ISO file.
Well, log on to ILO.

Log in to the CP console.

Add the image file.

Start the patch command.

We've already done the snapshot.

After the files are extracted, the welcome window appears.

Read the license agreement.

Select the Upgrade option.
A notice about contract information.

Our contract verification succeeded.

Select the source for the upgrade (from CD).

The pre-upgrade verification procedure.

Warning message.

And the next option:

Validation of our installed products.

Upgrading.

Installing PSM.

And finish.

Reboot the server.

After the reboot I noticed wonderful information on the CP console.

Then you can log in through SSH and check the version of SPLAT.

[hostname-sc00]# ver
This is Check Point SecurePlatform Pro R75.40 Build 069
[hostname-sc00]#

And using CP SmartView Monitor.

That's all. Have a good upgrade!

Monday, October 8, 2012

Internet access control with URL-filtering service

The solution has been implemented in the MS Hyper-V environment. It is a high-availability and expensive solution. In total, 6 virtual machines have been used.
Software used:
- MS TMG 2010 Enterprise Edition;
- 6 operating systems (like MS Windows Server SE);
- Websense Web-filter licences;
- MS SQL Express.
The schematic diagram is shown below.

Thursday, October 4, 2012

Creating DMZ infrastructure in MS Hyper-V environment

Here is a schematic diagram where you can find information about building a virtual environment and maintaining virtual machines using products and equipment from these vendors: MS, HP, Cisco, Check Point.
All IP-addresses are black and can be used in any production.





Tuesday, October 2, 2012

Upgrade the network infrastructure

The big, ugly, unmanaged L2 network with one big switch (DES-6000) and a lot of other D-Link switches was upgraded to a reliable, high-performance network infrastructure.
Here is the L1 figure.
And here is the L2 figure.

Monday, October 1, 2012

Trend Micro Enterprise Security Suite solutions in IT infrastructure

I have built an anti-malware solution from Trend Micro OfficeScan.
The TM OfficeScan server has been built in the clustered virtual environment (MS Hyper-V server).
The schematic diagram is displayed below.

All communications are controlled by the Check Point firewall.
The antispam solution, named InterScan Security Suite (IMSS for short), is displayed below.

The solution for securing users' web traffic is displayed in the figure below. There are two virtual machines: one is the IWSVA proxy server (with AD user authentication and a lot of features), and the second is the ARM host for advanced logging and reporting.