Package Installation in Clusters

When all Cluster Members are marked for installation in the Candidates List, the CDT upgrades all Cluster Members automatically:

In ClusterXL High Availability mode - the CDT first upgrades the Standby members, and then the CDT upgrades the former Active member.
In VRRP Cluster - the CDT first upgrades the VRRP Backup member, and then the CDT upgrades the former VRRP Master member.
In VSX Virtual System Load Sharing (VSLS) cluster - the CDT first upgrades all the members listed as VSLS member in the Candidates List, and then the CDT upgrades the member listed as the VSLS active member in the Candidates List.

CDT and the cluster Connectivity Upgrade:

For version upgrades (not installation of Hotfixes), the CDT performs the cluster Connectivity Upgrade (CU) by default. Meaning that the connections are synchronized between the Cluster Members.

If you wish to disable this behavior:

To use the Basic Mode:
In the CDT primary configuration file, add the <PackageToInstall> element, with both the attribute Path="..." and the attribute ConnectivityUpgrade="false":

<PackageToInstall Path="/your_path/to/CPUSE_Offline_package.tgz" ConnectivityUpgrade="false" />

To use the Advanced Mode:

In the Deployment Plan file, in the element <plan_settings>, add the attribute <ConnectivityUpgrade value="false" /> (see Example 5).

Cluster Upgrade	Workflow
Automatic cluster upgrade	Upgrade these Cluster Members: In ClusterXL High Availability mode - the Standby members. In VRRP Cluster - the VRRP Backup member. In VSX VSLS cluster - the cluster members listed as VSLS member in the Candidates List. Perform the Connectivity Upgrade (if it is enabled in the Deployment Plan file). The Connectivity Upgrade performs the cluster failover. Upgrade these Cluster Members: In ClusterXL High Availability mode - the former Active member. In VRRP Cluster - the former VRRP Master member. In VSX VSLS cluster - the cluster member listed as VSLS Active member in the Candidates List. Note - Cluster health checks make sure that the cluster is upgraded successfully.
Semi-automatic cluster upgrade	Unmark this cluster member from the upgrade in the Candidates List: In ClusterXL High Availability mode - the Active member. In VRRP Cluster - the VRRP Master member. In VSX VSLS cluster - the cluster member listed as VSLS Active member in the Candidates List. Install the upgrade package. This upgrades only these cluster members: In ClusterXL High Availability mode - the Standby members. In VRRP Cluster - the VRRP Backup member. In VSX VSLS cluster - the cluster members listed as VSLS member in the Candidates List. Generate the Candidates List again. The CDT marks these cluster members as installed: In ClusterXL High Availability mode - the Standby members. In VRRP Cluster - the VRRP Backup member. In VSX VSLS cluster - the members listed as VSLS member in the Candidates List. The CDT marks these cluster members with "1": In ClusterXL High Availability mode - the Active member. In VRRP Cluster - the VRRP Master member. In VSX VSLS cluster - the member listed as VSLS Active member in the Candidates List. Install the upgrade package again. The CDT performs the upgrade automatically. This upgrades only these cluster members: In ClusterXL High Availability mode - the former Active member. In VRRP Cluster - the former VRRP Master member. In VSX VSLS cluster - the member listed as VSLS Active member in the Candidates List.

Cluster Upgrade

Workflow

Automatic

cluster

upgrade

Upgrade these Cluster Members:
- In ClusterXL High Availability mode - the Standby members.
- In VRRP Cluster - the VRRP Backup member.
- In VSX VSLS cluster - the cluster members listed as VSLS member in the Candidates List.
Perform the Connectivity Upgrade (if it is enabled in the Deployment Plan file). The Connectivity Upgrade performs the cluster failover.
Upgrade these Cluster Members:
- In ClusterXL High Availability mode - the former Active member.
- In VRRP Cluster - the former VRRP Master member.
- In VSX VSLS cluster - the cluster member listed as VSLS Active member in the Candidates List.

Note - Cluster health checks make sure that the cluster is upgraded successfully.

Semi-automatic

cluster

upgrade

Unmark this cluster member from the upgrade in the Candidates List:
- In ClusterXL High Availability mode - the Active member.
- In VRRP Cluster - the VRRP Master member.
- In VSX VSLS cluster - the cluster member listed as VSLS Active member in the Candidates List.
Install the upgrade package. This upgrades only these cluster members:
- In ClusterXL High Availability mode - the Standby members.
- In VRRP Cluster - the VRRP Backup member.
- In VSX VSLS cluster - the cluster members listed as VSLS member in the Candidates List.
Generate the Candidates List again.
The CDT marks these cluster members as installed:
- In ClusterXL High Availability mode - the Standby members.
- In VRRP Cluster - the VRRP Backup member.
- In VSX VSLS cluster - the members listed as VSLS member in the Candidates List.
The CDT marks these cluster members with "1":
- In ClusterXL High Availability mode - the Active member.
- In VRRP Cluster - the VRRP Master member.
- In VSX VSLS cluster - the member listed as VSLS Active member in the Candidates List.
Install the upgrade package again. The CDT performs the upgrade automatically.
This upgrades only these cluster members:
- In ClusterXL High Availability mode - the former Active member.
- In VRRP Cluster - the former VRRP Master member.
- In VSX VSLS cluster - the member listed as VSLS Active member in the Candidates List.

Notes:

The Connectivity Upgrade for VRRP Clusters is supported only when you upgrade to R80.10 version.

When you upgrade to R77.30 or R80.20, there are two options:

Option	Description
A	Disable the Connectivity Upgrade (otherwise, the cluster is marked as "`N/A`"). To disable the Connectivity Upgrade in the Deployment Plan file, in the element `<plan_settings>`, add the attribute `<ConnectivityUpgrade value="false" />` (see Example 5).
B	Perform the Connectivity Upgrade: In the `CentralDeploymentTool.xml` file, add this Debug Configuration: `<Debug CUSyncForVRRP="true">` In the Deployment Plan file, after the installation of an upgrade package, add the installation of a Jumbo Hotfix Accumulator package: For Security Gateways R77.30, you must use the Jumbo Hotfix Accumulator Take 342 or above. See sk106162. For Security Gateways R80.20, you must use the Jumbo Hotfix Accumulator Take 17 or above. See sk137592. Example for a Security Gateway R80.20 (the instructions contain four lines): `<import_package path="/home/admin/Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Gateway.tgz" />` `<install_package path="/home/admin/Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Gateway.tgz" />` `<import_package path="/home/admin/Check_Point_R80_20_JUMBO_HF_Bundle_T17_sk137592_FULL.tgz" />` `<install_package path="/home/admin/Check_Point_R80_20_JUMBO_HF_Bundle_T17_sk137592_FULL.tgz" />`

Option

Description

Disable the Connectivity Upgrade (otherwise, the cluster is marked as "N/A").

To disable the Connectivity Upgrade in the Deployment Plan file, in the element <plan_settings>, add the attribute <ConnectivityUpgrade value="false" /> (see Example 5).

Perform the Connectivity Upgrade:

In the CentralDeploymentTool.xml file, add this Debug Configuration:

<Debug CUSyncForVRRP="true">

In the Deployment Plan file, after the installation of an upgrade package, add the installation of a Jumbo Hotfix Accumulator package:

For Security Gateways R77.30, you must use the Jumbo Hotfix Accumulator Take 342 or above. See sk106162.
For Security Gateways R80.20, you must use the Jumbo Hotfix Accumulator Take 17 or above. See sk137592.

Example for a Security Gateway R80.20 (the instructions contain four lines):

<import_package path="/home/admin/Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Gateway.tgz" />

<install_package path="/home/admin/Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Gateway.tgz" />

<import_package path="/home/admin/Check_Point_R80_20_JUMBO_HF_Bundle_T17_sk137592_FULL.tgz" />

<install_package path="/home/admin/Check_Point_R80_20_JUMBO_HF_Bundle_T17_sk137592_FULL.tgz" />

Upgrade order in clusters:
- In ClusterXL High Availability mode - You cannot upgrade the ClusterXL Active member before you upgrade all the ClusterXL Standby members.
- In VRRP Cluster - You cannot upgrade the VRRP Master member before you upgrade the VRRP Backup member.
- In VSX VSLS cluster - You cannot upgrade the cluster member listed as VSLS Active member in the Candidates List before you upgrade the cluster members listed as VSLS member in the Candidates List.
Cluster installation stops in these cases:
- In ClusterXL High Availability mode - If the upgrade of the ClusterXL Standby members fails.
- In VRRP Cluster - If the upgrade of the VRRP Backup member fails.
- In VSX VSLS cluster - If the upgrade of the cluster members listed as VSLS member in the Candidates List fails.
If the installation on the first Cluster Member succeeds, but the installation on the other Cluster Members fails, the CDT does not revert the first Cluster Member.