Upgrade

Upgrading a Check Point CloudGuard Network Security High Availability Solution

In-place upgrade is now supported. For more information, refer to sk177714.

Use these instructions to upgrade a deployed Check Point CloudGuard Network High Availability solution.

Notes:

  • The upgrade maintains the network configurations used in the existing Check Point CloudGuard Network High Availability solution.

  • The Cluster VIP resource name is the Cluster object name defined when deploying the solution.

Step 1 - Log in to the Azure portal.

Step 2 - Deploy a new Check Point CloudGuard Network High Availability in the needed version.

Deploy it to the same subnets as in the existing CloudGuard Network High Availability solution.

Step 3 - Provide an access role with Contributor permission for the new CloudGuard Network High Availability members to these resource groups:

  1. The resource group that contains the original VNet.

  2. The resource group that contains the old Cluster IP addresses and the Load Balancer.

For more information, see Step 2: Set Credentials in Azure.

Note - Granting access takes a few minutes to an hour.

Step 4 - Set up routes on the Cluster Members to the internal subnets.

Step 5 - You have two options to keep using the old Cluster VIP address:

  • Option one: Move the old Cluster VIP resource to the new resource group:

    1. From the Azure Portal > original resource group, access the public IP resource of the VIP.

    2. In the Overview tab, click the Move link next to Resource group.

    3. Below Target, next to Resource group, select the name of the new resource group.

    4. Click Next.

    5. Click Move.

    6. Edit the configuration file $FWDIR/conf/azure-ha.json as shown in Option two below, and replace the public IP name with the original cluster VIP resource name.

  • Option two: Reference the old Cluster VIP from the old resource group:

    On each Cluster Member, edit the configuration file located at $FWDIR/conf/azure-ha.json

    • Starting from image build number 1266, the configuration schema is different.

      Under "clusterNetworkInterfaces" > "eth0" > "pub", replace the public IP name with the original cluster VIP resource id.

      Example:

      • Old:

        "clusterNetworkInterfaces": {
          "eth0": [
            {
              "name": "cluster-vip",
              "addr": "10.4.0.6",
              "pub": "ClusterNameTest"
            }
          ]
        },

      • New:

        "clusterNetworkInterfaces": {
          "eth0": [
            {
              "name": "cluster-vip",
              "addr": "10.4.0.6",
              "pub": "/subscriptions/123/resourceGroups/ha-rg/providers/Microsoft.Network/publicIPAddresses/originalHAClusterIp"
            }
          ]
        },
    • For image build number 1265 and lower, under "clusterNetworkInterfaces" > "eth0", replace the public IP name with the original Cluster VIP resource id.

      Example:

      • Old:

        "clusterNetworkInterfaces": {
          "eth0": [
            "10.72.0.6",
            "newHAClusterIp"
          ]
        },
      • New:

        "clusterNetworkInterfaces": {
          "eth0": [
            "10.72.0.6",
            "/subscriptions/123/resourceGroups/ha-rg/providers/Microsoft.Network/publicIPAddresses/originalHAClusterIp"
          ]
        },
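The edit in Option two is easy to get wrong by hand on two members, and a bare resource name left in place is only valid if the VIP was moved into the new resource group (Option one). The following script is an added example and not part of the Check Point documentation or the product: it rewrites the "pub" value for either schema (build 1266 and later, or 1265 and lower), refuses anything that is not a full publicIPAddresses resource id, and keeps a backup of the file. The sample configurations, subscription id "123", resource group "ha-rg" and IP name "originalHAClusterIp" are constructed from the examples above; the file path assumes $FWDIR is set as on a Cluster Member.

```python
"""
Added example (not Check Point code): set the Cluster VIP reference in
$FWDIR/conf/azure-ha.json to the ORIGINAL VIP's full resource id, for
both configuration schemas described in the documentation.
"""
import json
import os
import re
import shutil

# Full ARM resource-id form shown in the documentation for the "pub" value.
PUBLIC_IP_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/publicIPAddresses/[^/]+$"
)

# Constructed sample: schema for image build 1266 and later.
SAMPLE_1266 = {
    "clusterNetworkInterfaces": {
        "eth0": [
            {"name": "cluster-vip", "addr": "10.4.0.6", "pub": "ClusterNameTest"}
        ]
    }
}

# Constructed sample: schema for image build 1265 and lower ([addr, pub]).
SAMPLE_1265 = {
    "clusterNetworkInterfaces": {"eth0": ["10.72.0.6", "newHAClusterIp"]}
}


def public_ip_resource_id(subscription_id, resource_group, ip_name):
    """Build the full resource id of a public IP address resource."""
    return (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Network/publicIPAddresses/{ip_name}"
    )


def is_public_ip_resource_id(value):
    """True only for a full publicIPAddresses resource id, never a bare name."""
    return bool(PUBLIC_IP_ID_RE.match(value))


def detect_schema(config):
    """Return "1266+" for the object schema, "1265-" for the [addr, pub] list."""
    eth0 = config["clusterNetworkInterfaces"]["eth0"]
    if eth0 and all(isinstance(entry, dict) for entry in eth0):
        return "1266+"
    if len(eth0) == 2 and all(isinstance(entry, str) for entry in eth0):
        return "1265-"
    raise ValueError("unrecognised clusterNetworkInterfaces.eth0 layout")


def set_cluster_vip(config, vip_resource_id):
    """Return a copy of config with eth0's public IP set to vip_resource_id.

    A bare name is rejected: by the documentation, a name is only usable
    after the VIP has been moved into the new resource group (Option one);
    referencing it in the old resource group needs the full id (Option two).
    """
    if not is_public_ip_resource_id(vip_resource_id):
        raise ValueError(f"not a publicIPAddresses resource id: {vip_resource_id}")
    updated = json.loads(json.dumps(config))  # deep copy; caller's dict untouched
    eth0 = updated["clusterNetworkInterfaces"]["eth0"]
    if detect_schema(updated) == "1266+":
        vips = [entry for entry in eth0 if entry.get("name") == "cluster-vip"]
        if len(vips) != 1:
            raise ValueError("expected exactly one cluster-vip entry on eth0")
        vips[0]["pub"] = vip_resource_id
    else:
        eth0[1] = vip_resource_id  # second element is the public IP reference
    return updated


def rewrite_config_file(path, vip_resource_id):
    """Rewrite the file in place, keeping a .bak copy of the original."""
    with open(path) as fh:
        config = json.load(fh)
    updated = set_cluster_vip(config, vip_resource_id)
    shutil.copy2(path, path + ".bak")
    with open(path, "w") as fh:
        json.dump(updated, fh, indent=2)
    return updated


if __name__ == "__main__":
    # Assumed path on a Cluster Member; shown here against the samples only.
    config_path = os.path.join(os.environ.get("FWDIR", "."), "conf", "azure-ha.json")
    vip = public_ip_resource_id("123", "ha-rg", "originalHAClusterIp")
    for sample in (SAMPLE_1266, SAMPLE_1265):
        print(json.dumps(set_cluster_vip(sample, vip), indent=2))
    print(f"to apply on a member: rewrite_config_file({config_path!r}, vip)")
```

Run it on each Cluster Member after the new members have been granted the Contributor role, then compare the two members' azure-ha.json files: both must carry the identical resource id, since a member with a stale name or id cannot claim the VIP on failover.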

Step 6 - Update the existing Cluster object in SmartConsole:

Important - Do not install policy.

  1. In SmartConsole, double-click on the existing Cluster object.

  2. In Cluster Members, update each member to match the corresponding member of the new Check Point CloudGuard Network Security High Availability. Enter the IPv4 address, and then create a SIC connection (after resetting the current communication).

    If you are managing the Cluster from the same Virtual Network, enter the Cluster Member's private IP address. Otherwise, enter the Cluster Member's public IP address.

  3. In General Properties > Platform, update the version of your new CloudGuard Network High Availability, and then click Get.

  4. In Network Management:

    1. Double-click the interface eth0. In the Virtual IPv4 field, enter the private VIP address and subnet mask of the new CloudGuard Network Security High Availability.

    2. For both eth0 and eth1, modify the member IP addresses to match the new CloudGuard Network Security High Availability members' IP addresses: enter the external private IP address in eth0 and the internal private IP address in eth1.

  5. For a VPN configuration, click IPsec VPN > Link Selection.

    In the Outgoing Route Selection:

    1. Click Source IP address settings.

    2. Select Manual.

    3. Click Selected addresses from topology table.

    4. Select the private Cluster object VIP address of your new CloudGuard Network for Azure High Availability Cluster.

Step 7 - Delete the External Load Balancer and the Internal Load Balancer. Dissociate the public Cluster address created in the deployment of the new Check Point CloudGuard Network Security High Availability (step 1), then delete it as well. All of the above are located in the new Check Point CloudGuard Network Security High Availability resource group.

Important - Connectivity will be lost during the next steps.

Step 8 - Add the new Check Point CloudGuard Network Security High Availability's members to the backend pools:

For each Load Balancer used in the original solution, add the new members to the existing backend pools.

Make sure to select the correct IP address (the private internal address for the backend Load Balancer and the private external address for the frontend Load Balancer).

Step 9 - Edit the backend rules to use only the new backend pool, and clear the check box for the previous pool.

Step 10 - Delete the old Check Point CloudGuard Network Security High Availability's members from the backend pools of each Load Balancer used in the original solution.

Step 11 - Install the applicable Policy on the Cluster object.

Step 12 - Detach the Cluster VIP from the original Check Point CloudGuard Network High Availability's members:

  1. Stop both original Check Point CloudGuard Network High Availability's members from the Azure portal.

  2. Select the Active Cluster Member's primary NIC > IP configuration > "cluster-vip" in the original Check Point CloudGuard Network Cluster and delete it.

Initiate a failover in the new CloudGuard Network High Availability to attach the original Cluster VIP to the new members.

Note - Once the access role has been granted to the new members, the new CloudGuard Network Security High Availability handles all traffic in the environment (inbound, outbound, East-West, VPN tunneling).

Verify that all the traffic flows work as expected, and that Cluster failover works as expected, before proceeding.

Step 13 - Delete the original Check Point CloudGuard Network Security Cluster and other redundant resources.

Note - If you are using resources from the old resource group, such as VNETs or Cluster IP addresses, do not delete them.

Upgrade a Check Point Cluster to the CloudGuard Network High Availability Solution

Use these instructions to upgrade a deployed Check Point CloudGuard Network Cluster to the CloudGuard Network High Availability solution.

Notes:

  • All public IP addresses associated with the Cluster solution will change. This is because the High Availability solution uses a "Standard" SKU Load Balancer. "Basic" SKU public IP address resources cannot be associated with "Standard" SKU Load Balancers.

  • To upgrade a "Basic" SKU public IP address resource to a "Standard" SKU public IP address resource, refer to Upgrading a basic public IP address to Standard SKU.

  • Update all VPN endpoints to use a new public VIP.

  • Before starting the upgrade, read the steps below and prepare an upgrade plan.

Important - Before you begin, make sure that your deployed Management Server or Multi-Domain Security Management Server can manage the version of the CloudGuard Network High Availability solution that you intend to upgrade to. If the Management Server is an earlier version, you may need to install a Hotfix. Contact Check Point Support for more information.

Step 1 - Log in to the Azure portal.

Step 2 - Deploy a new Check Point CloudGuard Network Security High Availability solution.

Use the same network configurations as in the existing CloudGuard Network Security Cluster solution.

Important - When deploying into an existing VNet, you must create or update the Network Security Groups yourself, as they are not created automatically.

Step 3 - Grant the new CloudGuard Network Security High Availability members an access role on the Virtual Network in which the new solution is deployed.

For more information, see Step 2: Set Credentials in Azure.

Note - Granting access will take a few minutes to an hour.

Step 4 - Set up routes on the Cluster Members to the internal subnets.

Step 5 - Create load balancing rules:

  • For each NAT rule in the Cluster solution's External Load Balancer, create a compatible load balancing rule for the new CloudGuard Network High Availability's External Load Balancer.

Step 6 - Update your existing Cluster object in SmartConsole:

Important - Do not install policy.

  1. In SmartConsole, double-click on the existing Cluster object.

  2. In General Properties:

    1. In the Virtual IPv4 address field, enter the public address allocated for the new CloudGuard Network Security High Availability.
      Note - The Cluster IP address is found in the Azure portal by selecting the Active Cluster Member's NIC > IP configuration > "cluster-vip".

    2. If necessary, update the version.

  3. Under Cluster Members, update each member to match the corresponding member of the new Check Point Network Security High Availability. Enter the IPv4 address, and then create a SIC connection (after resetting the current communication).

    If you manage the Cluster from the same Virtual Network, enter the Cluster Member's private IP address. Otherwise, enter the Cluster Member's public IP address.

  4. In Network Management:

    1. Double-click the interface eth0. In the Virtual IPv4 field, enter the private VIP address and subnet mask of the new Network Security High Availability.

    2. For both eth0 and eth1, modify the member IP addresses to match the new IP addresses of the Network Security High Availability members.

      Enter the external private IP address in eth0 and the internal private IP address in eth1.

  5. For a VPN configuration, click IPsec VPN > Link selection.

    In the Outgoing Route Selection:

    1. Click Source IP address settings.

    2. Select Manual.

    3. Click Selected address from topology table.

    4. Select the private Cluster VIP address of the new Network Security High Availability.

Step 7 - In SmartConsole, configure the policy and NAT rules as needed.

Important - Connectivity will be lost during the next steps.

Step 8 - Update the route tables in the Azure portal:

  • For each route in the App or Web internal subnet whose next hop address matches the active member of your old Check Point Cluster, change it to match the iLB-internal-address.
    Note - If the subnet houses the Security Management Server that manages the Cluster Members, do not change the route that allows the Security Management Server to communicate directly with each Cluster Member. For more information, see "Step 3: Set Up Internal Subnets and Route Tables".

  • In the frontend and backend subnets, change every route whose next hop address matches the active member of your old Check Point Cluster to match the iLB-internal-address.

Step 9 - Install the applicable Policy on the Cluster object.

Note - Once the access role has been granted to the new members, the new Network Security High Availability handles all traffic in the environment (inbound, outbound, East-West, VPN tunneling).

Verify that all the traffic flows work as expected before proceeding.

Step 10 - Delete the original Check Point CloudGuard Network Security Cluster and other redundant resources.

Note - If you are using resources from the old resource group, such as VNets, do not delete them.