I have been seeing R80.20 upgrade problems the past few months with a few of my customers. One move was from R77.20 to R80.20 and the other from R77.30 to R80.20. These were “in-place” upgrades.

In both cases, after the Security Management Server (SMS) rebooted there was a problem. That problem in both cases had to do with the SMS not being able to recognize the older gateways. This kept us from installing the policy after the upgrade (not good).

In the R77.30 case, the gateway objects would not display a version in the drop-down list.

For the R77.20 move I saw the following:

I was initially told by Check Point support that I needed to install a “backwards compatibility” package on the gateways. This however was incorrect, and only applies for R75 gateways.

After about ten minutes the support engineer came back and provided a backwards compatibility RPM:

CPR77CMP-R80.20-00.i386.rpm

It is a 7MB package, and after applying the patch (no reboot required) we were able to install the policy.

From what I can tell, any R80.20 SMS should have this file if you need to manage R77.x gateways from an R80.20 SMS. To check if it is installed:

rpm -qa | grep CPR77CMP-R80.20-00.i386

At this time, Check Point still does not have an SK article on this issue, or list the RPM in the Knowledge Base. If you do not see this package on the SMS after the upgrade/reboot, get a hold of Check Point support and ask for it. They will host it on their SCP site.

Download it. Verify the checksum. Then install it with:

rpm -ivh CPR77CMP-R80.20-00.i386.rpm

You will be back in business in no time.

R80.20 Backwards Compatibility Problems

Leave a Reply

Your email address will not be published. Required fields are marked *

three × 3 =