Begin typing here…
Begin typing here…
Begin typing here…
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
How to Upgrade to a<br />
Management Server<br />
February 2003<br />
0
How to Upgrade to a<br />
Management Server<br />
1. Introduction<br />
1.1. General<br />
This document describes the upgrade procedure of Check Point’s Management<br />
Server, from 4.1 (or a pre NG FP3 version), to NG FP3.<br />
Check Point’s Management Server upgrade consists of two main phases:<br />
� Changing the Management Server software.<br />
� Upgrading the server database format to the one required by the new<br />
software.<br />
This document describes in detail the alternative methods of upgrading Check<br />
Point’s Management Server to NG FP3, allowing you to select the method best to<br />
fit your needs. This document focuses on an upgrade procedure using a<br />
duplicate machine.<br />
1.2. Terms<br />
1. Production machine – The production Management Server you wish to<br />
upgrade.<br />
2. Duplicate machine – A new machine, which, at the end of the process, will be<br />
identical to the production machine, and will be upgraded to NG FP3.<br />
1.3. Assumptions<br />
This document assumes that your duplicate machine has the same IP/hostname<br />
and the same OS as the production machine. Otherwise, refer to the relevant<br />
appendices.<br />
1.4. Basics<br />
There are two basic methods of upgrading Check Point’s Management Server:<br />
� Upgrade on the actual production management machine.<br />
� Upgrade on a duplicate machine, while the production Management<br />
Server is fully operational. Testing the full functionality of the new<br />
management Server, with the ability to either switch to new upgraded<br />
machine or copy the upgraded environment onto the production machine.<br />
Upgrade on the production management is done by choosing upgrade when<br />
installing NG FP3 software from the Check Point’s CD.<br />
Upgrade on a duplicate machine can be done in two ways that will be explained<br />
thoroughly throughout this document. Cases in which the machines have<br />
Check Point Software Technologies Ltd 1
How to Upgrade to a<br />
Management Server<br />
different IP addresses, host names or Operation Systems, will also be<br />
addressed.<br />
1.5. Common Upgrade Scenarios on a Duplicate Machine<br />
There are two common scenarios for upgrading Check Point’s Management<br />
Server on a duplicate machine (Manual Upgrade is the recommended path,<br />
though the second method will yield with the same results):<br />
1.5.1. Manual Upgrade<br />
1. Install the Check Point NG FP3 Management Server software on the<br />
duplicate machine.<br />
2. Copy the database files from the production Management Server onto the<br />
newly installed server.<br />
3. Perform a manual upgrade to translate the database files into the NG FP3<br />
format.<br />
1.5.2. Replication and Upgrade<br />
1. Replicate the production Management Server on the duplicate machine.<br />
2. Install the NG FP3 Management Server software on the duplicate machine<br />
from the Check Point CD choosing the Upgrade option.<br />
The following sections describe each of the scenarios listed in 1.5 above in<br />
detail. You can choose from either of these scenarios.<br />
2. Manual Upgrade in Details<br />
2.1. When the production machine Management Server software<br />
version is 4.1<br />
1. Run the PreUpgrade_Verifier tool on the production machine to detect<br />
potential problems that need to be addressed prior to upgrading. This is a read<br />
only tool which will not change the database.<br />
Check Point Software Technologies Ltd 2
How to Upgrade to a<br />
Management Server<br />
2. Install the Check Point NG FP3 software on the duplicate machine. Take<br />
extra care to install the exact same products that are installed on the<br />
production machine. There is no need to install a license at this stage as each<br />
new NG FP3 machine has a built- in evaluation license for 15 days.<br />
3. Run the Manual Upgrade command on the new machine to change the<br />
database format into NG FP3 format:<br />
3.1. Download the upgrade script from SecureKnowledge solution<br />
#SK11635.<br />
3.2. Decompress the downloaded file to receive a structure of directories.<br />
Note: On Windows platforms, the manual upgrade script should be<br />
installed on the same disk drive as the Management Server installation.<br />
3.3. Stop Check Point software on both machines by executing the cpstop<br />
command.<br />
3.4. Copy the following files from the production machine to the 4.1<br />
subdirectory on the duplicate machine:<br />
� $FWDIR/conf<br />
objects.C<br />
rulebases.fws<br />
fwauth.NDB*<br />
fgrulebases.fws (if exists)<br />
xlate.conf (if exists)<br />
aftpd.conf (if exists)<br />
smtp.conf (if exists)<br />
sync.conf (if exists)<br />
masters (if exists)<br />
clients (if exists)<br />
fwmusers (if exists)<br />
gui-clients (if exists)<br />
slapd.conf (if exists)<br />
serverkeys (if exists)<br />
product.conf (if exists)<br />
Check Point Software Technologies Ltd 3
How to Upgrade to a<br />
Management Server<br />
� $FWDIR/database<br />
InternalCA.DB (if exists)<br />
Note: In case your duplicate machine has an OS different from the duplicate<br />
machine, see Appendix B.<br />
3.5. Restart the Check Point software on your production machine by<br />
executing the cpstart command to get it back into operation.<br />
3.6. If $FWDIR/database/InternalCA.DB file exists, run fwm sic_reset on the<br />
duplicate machine.<br />
3.7. Activate the Upgrade Script on the duplicate machine:<br />
� For UNIX platforms:<br />
upgrade.csh FP3<br />
� For Windows platforms:<br />
upgrade.bat FP3;<br />
upgrade_script_directory is the path of the upgrade script, created<br />
after decompressing the script file.<br />
4. Run the PostUpgrade_Verifier tool on the duplicate machine to validate<br />
integrity of the upgraded environment.<br />
5. Use the Check Point Configuration Tool to initialize the Internal CA.<br />
6. Disconnect the production machine from the network and connect the<br />
duplicate machine.<br />
7. Test your duplicate machine according to the instructions listed under<br />
Appendix E.<br />
8. If the duplicate machine will function as the production machine, go to step 12.<br />
9. If duplicate machine works as expected, backup the production machine<br />
(backup the files as defined in sub-section 3.4).<br />
10. Upgrade the production machine using the process defined above.<br />
11. Disconnect new machine; connect the production machine.<br />
Check Point Software Technologies Ltd 4
How to Upgrade to a<br />
Management Server<br />
12. Test your production machine according to Appendix E.<br />
13. Done.<br />
2.2. When the production machine Management Server software<br />
version is NG<br />
1. Run the PreUpgrade_Verifier tool on the production machine to detect<br />
potential problems that need to be addressed prior to upgrade. This is a read<br />
only tool, which will not change the database.<br />
2. Install the Check Point NG FP3 software on a duplicate machine. Take extra<br />
care to install the exact same products installed on the production machine.<br />
There is no need to install a license at this stage as each new NG FP3 machine<br />
has a built- in evaluation license for 15 days.<br />
3. In cases where your duplicate machine has a different IP/hostname, see<br />
Appendix A. If your duplicate machine has a different OS, see Appendix B.<br />
4. Stop Check Point software on both machines by executing the cpstop<br />
command.<br />
5. Copy the following files to their corresponding destination on the duplicate<br />
machine:<br />
� $CPDIR/conf<br />
1. cp.license<br />
2. sic_cert.p12<br />
� $CPDIR/database<br />
1. *.C<br />
Check Point Software Technologies Ltd 5
How to Upgrade to a<br />
Management Server<br />
� $FWDIR/conf<br />
1. lists/*<br />
2. *.fws<br />
3. *.conf (except for components_reg.conf fwrl.conf,<br />
cpmad_rulebase.conf)<br />
4. fwmusers<br />
5. *.C (except for mv_doc.C, classes.C, scheme.C, fields.C,<br />
tables.C, rtmclasses.C, default_objects.C)<br />
6. db_versions/Database/versioning_db.fws<br />
7. gui-clients<br />
8. vpe/*<br />
9. XML/*<br />
10. cpsc/*<br />
11. I*<br />
12. crls/*<br />
13. db_versions/repository/*<br />
14. fwauth.NDB.<br />
15. DiapCpdList.NDB<br />
16. DiapFwmList.NDB<br />
17. DAIP_RS_Database.NDB<br />
18. robo-gateways.NDB<br />
19. robo-control.NDB<br />
20. robo-ike.NDB<br />
� $FWDIR/log<br />
1. *.*<br />
6. Start the Check Point software on your production machine by executing the<br />
cpstart command to get it back into operation.<br />
7. Activate the command $FWDIR/bin/fwm up fp3 on the<br />
duplicate machine, where fpx is the current version of the production<br />
Management Server.<br />
For example: if the server version is NG FP1 run: fwm up fp1 fp3.<br />
8. Run the PostUpgrade_Verifier tool on duplicate machine to validate the<br />
integrity of the upgraded environment.<br />
Check Point Software Technologies Ltd 6
How to Upgrade to a<br />
Management Server<br />
9. Disconnect the production machine from the network and connect the<br />
duplicate machine.<br />
10. Test your upgraded duplicate machine according to the instructions listed in<br />
Appendix E.<br />
11. If the new duplicate machine will function as the production machine, go to<br />
step 14.<br />
12. If the duplicate machine works as expected, backup the production machine.<br />
13. Upgrade production machine:<br />
� Uninstall Check Point software.<br />
� Go over steps 2-10.<br />
14. Disconnect the duplicate machine; connect the production machine.<br />
15. Test your production machine according to Appendix E.<br />
16. Done.<br />
3. Replication and Upgrade<br />
3.1. When the production machine Management Server software version<br />
is 4.1<br />
1. Run the PreUpgrade_Verifier tool on the production machine to detect<br />
potential problems that need to be addressed prior to upgrade. This it is a read<br />
only tool with no effect on the database.<br />
2. Install the 4.1 Check Point Management Server software on the duplicate<br />
machine. Take extra care to install the exact same products installed on the<br />
production machine. Put appropriate licenses on the duplicate machine.<br />
3. Stop Check Point software on both machines by executing the cpstop<br />
command.<br />
Check Point Software Technologies Ltd 7
How to Upgrade to a<br />
Management Server<br />
4. Copy the following files from the $FWDIR/conf directory of the production<br />
machine to $FWDIR/conf directory of the duplicate machine:<br />
� $FWDIR/conf<br />
objects.C<br />
rulebases.fws<br />
fwauth.NDB*<br />
fgrulebases.fws (if exists)<br />
xlate.conf (if exists)<br />
aftpd.conf (if exists)<br />
smtp.conf (if exists)<br />
sync.conf (if exists)<br />
masters (if exists)<br />
clients (if exists)<br />
fwmusers (if exists)<br />
gui-clients (if exists)<br />
slapd.conf (if exists)<br />
serverkeys (if exists)<br />
product.conf (if exists)<br />
� $FWDIR/database<br />
InternalCA.DB (if exists)<br />
Note: In case your duplicate machine has a different OS, see Appendix B.<br />
5. Start Check Point software on your production machine by executing the<br />
cpstart command.<br />
6. In order to make sure that the replicated Management Server has been<br />
successfully upgraded as expected, try to push policy on the modules, receive<br />
logs and check the module’s status.<br />
7. Install the Check Point NG FP3 software on the duplicate machine using the<br />
NG FP3 CD, and select the upgrade option to automatically upgrade of the<br />
software and the database format.<br />
8. Run the PostUpgrade_Verifier tool on the duplicate machine to validate<br />
integrity of the upgraded environment.<br />
Check Point Software Technologies Ltd 8
How to Upgrade to a<br />
Management Server<br />
9. Disconnect the production machine from the network and connect the<br />
duplicate machine.<br />
10. Test your upgraded machine according to the instructions listed under<br />
Appendix E.<br />
11. If the duplicate machine will function as the production machine,<br />
go to step 15.<br />
12. If duplicate machine works as expected, backup the production machine.<br />
13. Upgrade the production machine:<br />
� Uninstall Check Point software.<br />
� Go over steps 2-10.<br />
14. Disconnect the duplicate machine; reconnect the production machine.<br />
15. Test your production machine according to Appendix E.<br />
16. Done.<br />
3.2. When the production machine Management Server software version<br />
is NG<br />
1. Run the PreUpgrade_Verifier tool on the production machine to detect<br />
potential problems that need to be addressed prior to upgrade. This is a read<br />
only tool with no effect on the database.<br />
2. Install the Check Point NG software on the duplicate machine. Take extra<br />
care to install the exact same FP (feature pack), hotfixes and products that are<br />
installed on the production server. Put the appropriate licenses on the duplicate<br />
machine.<br />
3. If your duplicate machine has a different IP/hostname or has a different OS,<br />
See Appendix A for different IP, and Appendix B for a different OS.<br />
4. Stop the Check Point software on both machines by executing the cpstop<br />
command.<br />
Check Point Software Technologies Ltd 9
How to Upgrade to a<br />
Management Server<br />
5. Copy the following files from the production machine to their corresponding<br />
place on the duplicate machine:<br />
� $CPDIR/conf<br />
1. cp.license<br />
2. sic_cert.p12<br />
� $CPDIR/database<br />
1. *.C<br />
� $FWDIR/conf<br />
1. lists/*<br />
2. *.fws<br />
3. *.conf (except for components_reg.conf fwrl.conf,<br />
cpmad_rulebase.conf)<br />
4. fwmusers<br />
5. masters<br />
6. *.C (except for mv_doc.C, classes.C, scheme.C, fields.C,<br />
tables.C, rtmclasses.C, default_objects.C)<br />
7. db_versions/Database/versioning_db.fws<br />
8. gui-clients<br />
9. vpe/*<br />
10. XML/*<br />
11. cpsc/*<br />
12. I*<br />
13. crls/*<br />
14. db_versions/repository/*<br />
15. fwauth.NDB.<br />
16. DiapCpdList.NDB<br />
17. DiapFwmList.NDB<br />
18. DAIP_RS_Database.NDB<br />
19. robo-gateways.NDB<br />
20. robo-control.NDB<br />
21. robo-ike.NDB<br />
� $FWDIR/log<br />
1. *.*<br />
6. Start the Check Point software on your production machine by executing the<br />
cpstart command.<br />
Check Point Software Technologies Ltd 10
How to Upgrade to a<br />
Management Server<br />
7. If they exist, Remove the $FWDIR/conf/CPMILinksMgr.* and<br />
$FWDIR/conf/applications.*.<br />
8. Copy the SIC key from the Check Point registry on the production machine to<br />
the registry on the duplicate machine. See Appendix D for a detailed description<br />
of copying Check Point’s SIC regis try entries.<br />
9. Install Check Point NG FP3 software on the duplicate machine using the NG<br />
FP3 CD, and select the Upgrade Option to automatically upgrade the software<br />
and database format.<br />
10. Run the PreUpgrade_Verifier tool on the duplicate machine to fix potential<br />
upgrade problems that need to be addressed prior to upgrade. This is a read only<br />
tool, which will not change the database.<br />
11. Disconnect the production machine from the network and connect the<br />
duplicate machine.<br />
12. Test your upgraded machine according to the instructions listed under<br />
Appendix E.<br />
13. If the duplicate machine will function as the production machine,<br />
go to step 15.<br />
14. If the duplicate machine works as expected, backup the production machine.<br />
15. Upgrade the production machine:<br />
� Uninstall Check Point software.<br />
� Go over steps 2-10.<br />
16. Disconnect the duplicate machine; connect the production machine.<br />
17. Test your production machine according to Appendix E.<br />
18. Done.<br />
Check Point Software Technologies Ltd 11
How to Upgrade to a<br />
Management Server<br />
Appendix A - Duplicate machine with a different IP address or hostname<br />
This appendix specifies the steps that should be taken in case the duplicate<br />
machine has a different IP address or host name.<br />
1. Before stopping the production machine, add rules that allow the new<br />
duplicate machine to access the modules it is managing:<br />
� Create a Management Object that includes the duplicate machine’s IP<br />
address:<br />
� When the production machine Management Server software version is<br />
4.1 –From the Policy Editor: Manage > Network Objects > New…><br />
Workstation and mark it as a Management Station.<br />
� When the production machine Management Server software version is<br />
NG – From the Policy Editor: Manage > Network Objects > New…><br />
Check Point > Host/Gateway and mark it as Secondary<br />
Management.<br />
Note: If this object already exists, make sure it is marked as a Management.<br />
� Create a rule, on the production machine, which allows FireWall-1<br />
and CPD (NG only) services from the above object you have just<br />
created, to go to all managed gateways.<br />
� Install the rule on all managed gateways.<br />
� Delete the rule once you have completed this process.<br />
2. Continue with the instructions given under section 2.2 or 3.2. Do not copy the<br />
$CPDIR/conf/cp.license file.<br />
3. Update the primary management object on the duplicate machine.<br />
3.1. Start the Check Point Management Server on the duplicate machine<br />
by applying the cpstart command.<br />
3.2. Connect to the SmartDashboard (Policy Editor).<br />
3.3. If a new primary management object was created, its IP address<br />
and topology should be configured to match the duplicate machine. If the<br />
same primary object exists, edit its IP address and topology to match its<br />
new configuration.<br />
Check Point Software Technologies Ltd 12
How to Upgrade to a<br />
Management Server<br />
3.4. Replace all occurrences of the production object with the newly<br />
created duplicate machine object. You can find all occurrences with the<br />
Where Used… utility (right-click on the object to choose the command).<br />
4. If a new primary object was created then both objects now have the same SIC<br />
name. This must be corrected:<br />
4.1. Close the SmartDashboard (Policy Editor).<br />
4.2. Use Check Point Database Tool or the dbedit command to clear the<br />
SIC name from the old object. The attribute is called sic_name; the object<br />
is in the network_objects table.<br />
After the update it should look like this “:sic_name ()”.<br />
5. If you would like to delete the production management object:<br />
5.1. Stop the duplicate machine by running the cpstop command.<br />
Make the following change in $FWDIR/conf/objects_5_0.C:<br />
5.1.1. Find the production management’s object.<br />
5.1.2. Change the attribute Deleteable (if exists) to true (under<br />
AdminInfo).<br />
5.1.3. Save the changes.<br />
5.2. Start the Management Server by running the cpstart command.<br />
5.3. Connect to the SmartDashboard (Policy Editor) and delete the<br />
production management object. This will revoke all of Check Point’s<br />
internal CA IKE certificates for that object.+<br />
6. If the $FWDIR/conf/mgmtha* where created:<br />
6.1. Stop the duplicate machine by running the command cpstop.<br />
6.2. Delete $FWDIR/conf/mgmtha* files.<br />
6.3. Start the Management Server by running the cpstart command.<br />
7. Use the Check Point Configuration Tool by running the cpconfig commmand ><br />
Certificate Authority to set the FQDN (You should enter the FQDN of the<br />
duplicate machine).<br />
Check Point Software Technologies Ltd 13
How to Upgrade to a<br />
Management Server<br />
Exceptions:<br />
If the gateways managed by this Management Server are involved in VPN with<br />
external entities, and the authentication of these VPN connections is based on<br />
ICA certificates, then the external gateways will use the distribution point on<br />
these certificates to access the relevant CRL. There are two alternatives for<br />
succeeding after the upgrade procedure:<br />
7.1. Change the FQDN in the ICA to the duplicate machine’s FQDN, and<br />
reassign new certificates to all gateways and users.<br />
7.2. Update the DNS so that the production’s FQDN will now be resolved<br />
to the duplicate machine.<br />
After doing this, the production machine’s FQDN should be changed to avoid<br />
ambiguity.<br />
8. Adjust masters and log servers for each module before installing on it a policy.<br />
You should add the duplicate machine’s object to the ‘masters list’, and if<br />
needed,<br />
add it to the ‘log servers list’ on each module.<br />
9. Re-establish trust with any module by using the putkey command (for 4.1<br />
modules).<br />
Appendix B - Duplicate machine using an OS different than the<br />
production machine<br />
This appendix specifies the steps that should be taken in case the duplicate<br />
machine is using an OS that differs from the production machine.<br />
When the production machine Management Server software is 4.1<br />
1. See Appendix C for an explanation about copying NDB files.<br />
2. When moving from a Windows platform to a UNIX like platform, run the<br />
dos2unix command on all the files you have copied, except fwauth.NDB and<br />
serverkeys.<br />
When the production machine Management Server software is NG<br />
1. Clear the log files on the production machine, by applying $FWDIR/bin/fw<br />
logswitch.<br />
Check Point Software Technologies Ltd 14
How to Upgrade to a<br />
Management Server<br />
2. Copy the files as specified in 3.2. If the production machine platform is<br />
Windows and<br />
the duplicate machine is Unix, copy the *.NDB files according to the explanation<br />
in Appendix C.<br />
3. If the production machine platform is Windows and the duplicate machine is<br />
Unix, run the dos2unix command on all the files listed under 3.2, except for:<br />
1. $FWDIR/conf/I*<br />
2. $FWDIR/conf/crls/*<br />
3. $CPDIR/conf/sic_cert.p12<br />
4. $FWDIR/conf/ fwauth.NDB.<br />
5. $FWDIR/conf/DiapCpdList.NDB<br />
6. $FWDIR/conf/DiapFwmList.NDB<br />
7. $FWDIR/conf/DAIP_RS_Database.NDB<br />
8. $FWDIR/conf/robo-gateways.NDB<br />
9. $FWDIR/conf/robo-control.NDB<br />
10. $FWDIR/conf/robo-ike.NDB<br />
11. $FWDIR/conf/InternalCA.NDB<br />
4. If it exists, remove $FWDIR/conf/CPMILinksMgr.*<br />
5. Run the $FWDIR/bin/cpca_dbutil d2u command.<br />
6. Copy the SIC key from the Check Point registry on the production machine to<br />
the registry on the duplicate machine, see Appendix D for details.<br />
Appendix C – How to copy NDB files (Windows to Unix)<br />
In Windows platforms the *.NDB files are pointers to another file:<br />
1. Open the .NDB file with a text editor.<br />
2. Find the number of the link which appears after the string __FWNTLINK<br />
3. Copy the .NDB file which includes that number in its NDB suffix, and rename<br />
its NDB suffix by removing that number on the duplicate machine.<br />
For example:<br />
Check Point Software Technologies Ltd 15
How to Upgrade to a<br />
Management Server<br />
� The file fwauth.NDB contains the line __FWNTLINK3<br />
� Copy the file fwauth.NDB3 from the production machine to the duplicate<br />
machine and call it fwauth.NDB<br />
Appendix D – Copy the ‘SIC’ registry key<br />
1. Run the following command on the production machine:<br />
$CPDIR/bin/cpprod_util CPPROD_GetValue SIC ICAdn 1.<br />
2. Run the following command on the duplicate machine:<br />
$CPDIR/bin/cpprod_util CPPROD_SetValue SIC ICAdn 1 1<br />
3. Run the following command on the production machine:<br />
$CPDIR/bin/cpprod_util CPPROD_GetValue SIC HasCertificate 1.<br />
4. Run the following command on the duplicate machine:<br />
$CPDIR/bin/cpprod_util CPPROD_SetValue SIC HasCertificate 4<br />
1.<br />
5. Run the following command on the production machine:<br />
$CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 1.<br />
6. Run the following command on the duplicate machine:<br />
$CPDIR/bin/cpprod_util CPPROD_SetValue SIC MySICname 1 1.<br />
7. Run the following command on the production machine:<br />
$CPDIR/bin/cpprod_util CPPROD_GetValue SIC ICAState 1.<br />
8. Run the following command on the duplicate machine:<br />
$CPDIR/bin/cpprod_util CPPROD_SetValue SIC ICAState 4 1<br />
9. Run the following command on the duplicate machine: $CPDIR/bin/cpprod_util<br />
CPPROD_GetCpdir.<br />
10. Run the following command on the duplicate machine:<br />
$CPDIR/bin/cpprod_util CPPROD_SetValue SIC CertPath 1 /sic_cert.p12 1<br />
Appendix E – Testing your upgraded machine<br />
1. Start the Check Point software by applying the cpstart command.<br />
2. Open your SmartDashboard client.<br />
3. Make sure all the rule bases, network objects, resources, servers, users and<br />
administrators and VPN settings are properly set.<br />
4. Test SIC communication with the modules.<br />
Check Point Software Technologies Ltd 16
How to Upgrade to a<br />
Management Server<br />
5. Install policy on the modules.<br />
6. Open the SmartView Status. Make sure each module has the proper status.<br />
7. Try to fetch policy from each of your modules by running the fw fetch<br />
command.<br />
Notes and limitations:<br />
1. If both Management Servers are used simultaneously, and changes are done<br />
to both, these changes cannot be merged automatically. To synchronize them<br />
you will need to manually apply all changes to both.<br />
2. Special care should be given to operations that involve Check Point internal<br />
CA modifications, like issuing or revoking certificates. These changes cannot be<br />
merged, even manually, and will result in different CA databases on both servers.<br />
For example, revoking a certificate on one Management Server will add it to the<br />
CRL on that Management Server, but there is no way to add this certificate to the<br />
other CRL.<br />
It is highly recommended not to perform any such changes as long as both<br />
Management Servers are in use.<br />
Check Point Software Technologies Ltd 17