Upgrade

Upgrading a Check Point CloudGuard Network Security High Availability Solution

Note - In-Place upgrade is now supported. For more information, refer to sk177714.

Use these instructions to upgrade a deployed Check Point CloudGuard Network High Availability solution to a newer version.

Notes:

Step

Description

1

Log in to the Azure portal.

2

Deploy a new Check Point CloudGuard Network High Availability solution in the target version.

Deploy it into the same subnets used by the existing CloudGuard Network High Availability solution.

3

Provide an access role with Contributor permission for the new CloudGuard Network High Availability members to these resource groups:

  1. The resource group that contains the original VNet.

  2. The resource group that contains the old Cluster IP addresses and the Load Balancer.

For more information, see Step 2: Set Credentials in Azure.

Note - It can take from a few minutes to an hour for the granted access to take effect.

4

Set up routes on the Cluster Members to the internal subnets:

5

You have two options to use the old Cluster VIP address:

  • Option one: Move the old Cluster VIP resource to the new resource group:

    1. From the Azure Portal > original resource group, access the public IP resource of the VIP.

    2. In the Overview tab, click (move) next to the resource group.

    3. Below Target, next to Resource group, select the name of the new resource group.

    4. Click Next.

    5. Click Move.

    6. Edit the configuration file $FWDIR/conf/azure-ha.json as shown in Option two below, and replace the public IP name with the original cluster VIP resource name.

  • Option two: Reference the old Cluster VIP from the old resource group:

    On each Cluster Member, edit the configuration file located at $FWDIR/conf/azure-ha.json

    • Starting from image build number 1266, the configuration schema is different.

      Under "clusterNetworkInterfaces" > "eth0" > "pub", replace the public IP name with the original cluster VIP resource id.

      Example:

      • Old:

        "clusterNetworkInterfaces": {
          "eth0": [
            {
             "name":"cluster-vip",
             "addr":"10.4.0.6",
             "pub":"ClusterNameTest"
            }
          ]
        },
      • New:

        "clusterNetworkInterfaces": {
          "eth0": [
            {
            "name":"cluster-vip",
            "addr":"10.4.0.6",
            "pub":"/subscriptions/123/resourceGroups/ha-rg/providers/Microsoft.Network/publicIPAddresses/originalHAClusterIp"
            }
          ]
        },
    • For image build number 1265 and lower, under "clusterNetworkInterfaces" > "eth0", replace the public IP name with the original Cluster VIP resource ID.

      Example:

      • Old:

        "clusterNetworkInterfaces": {
          "eth0": [
            "10.72.0.6",
            "newHAClusterIp"
          ]
        },
      • New:

        "clusterNetworkInterfaces": {
          "eth0": [
            "10.72.0.6",
            "/subscriptions/123/resourceGroups/ha-rg/providers/Microsoft.Network/publicIPAddresses/originalHAClusterIp"
          ]
        },
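The file edit described in Option two (and in Option one, where a bare resource name is enough because the VIP now lives in the new resource group) is easy to get wrong by hand, particularly by pasting a resource name where a full resource ID is required. The following Python 3 script is an added example, not Check Point's own code or part of the product: it rewrites the "pub" value for eth0 in azure-ha.json, detects which of the two schemas shown above the file uses, validates that the value is a Microsoft.Network/publicIPAddresses resource ID (or, with --moved, a plain name), and keeps a .bak copy. The script name, the --moved flag, the sample configurations and the all-zero subscription GUID are assumptions made for the example; the file format itself is taken from the two examples above, and the script only touches the eth0 "pub" entry, leaving every other key as-is.

```python
"""
Added helper (not Check Point code): rewrite the "pub" reference in azure-ha.json
so the new cluster members take over the original Cluster VIP.

Handles both schemas documented for the file (assumed layouts):
  - image build 1266 and later:   "eth0": [ {"name": ..., "addr": ..., "pub": ...} ]
  - image build 1265 and earlier: "eth0": [ "<addr>", "<pub>" ]
Run on each Cluster Member, for example:
  python3 set_cluster_vip.py $FWDIR/conf/azure-ha.json \
      /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/publicIPAddresses/<name>
"""
import copy
import json
import re
import shutil
import sys
from pathlib import Path

# Full resource ID of an Azure public IP address (Option two: the VIP stays in
# the original resource group, so the cluster must reference it by ID).
PUBLIC_IP_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/publicIPAddresses/[^/]+$",
    re.IGNORECASE,
)
# Bare resource name (Option one: the VIP was moved into the new resource group).
# Approximation of Azure's naming rules: alphanumerics, '.', '_', '-', max 80 chars.
RESOURCE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,79}$")


def validate_pub(pub: str, allow_name: bool = False) -> str:
    """Return "id" or "name" for an acceptable value, else raise ValueError.
    A bare name is accepted only when the VIP was moved (Option one)."""
    if PUBLIC_IP_ID_RE.match(pub):
        return "id"
    if allow_name and RESOURCE_NAME_RE.match(pub):
        return "name"
    raise ValueError(
        "'pub' must be a Microsoft.Network/publicIPAddresses resource ID"
        + (" or a resource name in the new resource group" if allow_name else "")
        + f", got {pub!r}"
    )


def set_cluster_vip(config: dict, pub: str, allow_name: bool = False) -> dict:
    """Return a deep copy of `config` with eth0's public IP reference set to `pub`.
    Every other key in the file is preserved untouched."""
    validate_pub(pub, allow_name)
    new = copy.deepcopy(config)
    try:
        eth0 = new["clusterNetworkInterfaces"]["eth0"]
    except (KeyError, TypeError):
        raise ValueError("clusterNetworkInterfaces.eth0 not found in azure-ha.json") from None
    if isinstance(eth0, list) and eth0 and isinstance(eth0[0], dict):
        eth0[0]["pub"] = pub  # build 1266 and later: list of interface objects
    elif isinstance(eth0, list) and len(eth0) == 2 and all(isinstance(x, str) for x in eth0):
        eth0[1] = pub  # build 1265 and earlier: [address, public IP reference]
    else:
        raise ValueError(f"unrecognised eth0 layout: {eth0!r}")
    return new


def rewrite_file(path: str, pub: str, allow_name: bool = False) -> dict:
    """Rewrite the file in place, keeping a .bak copy of the original."""
    p = Path(path)
    updated = set_cluster_vip(json.loads(p.read_text()), pub, allow_name)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(json.dumps(updated, indent=2) + "\n")
    return updated


# Constructed sample inputs for the two schemas (not from a real deployment).
SAMPLE_NEW_SCHEMA = {
    "clusterNetworkInterfaces": {
        "eth0": [{"name": "cluster-vip", "addr": "10.4.0.6", "pub": "newHAClusterIp"}]
    }
}
SAMPLE_OLD_SCHEMA = {"clusterNetworkInterfaces": {"eth0": ["10.72.0.6", "newHAClusterIp"]}}
SAMPLE_VIP_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ha-rg"
    "/providers/Microsoft.Network/publicIPAddresses/originalHAClusterIp"
)

if __name__ == "__main__":
    moved = len(sys.argv) == 4 and sys.argv[3] == "--moved"
    if len(sys.argv) not in (3, 4) or (len(sys.argv) == 4 and not moved):
        sys.exit("usage: set_cluster_vip.py <azure-ha.json> <public-ip-id-or-name> [--moved]")
    result = rewrite_file(sys.argv[1], sys.argv[2], allow_name=moved)
    print(json.dumps(result["clusterNetworkInterfaces"]["eth0"], indent=2))
```

Run it on every Cluster Member, then confirm the rewritten "pub" value points at the VIP resource that the access role from step 3 actually covers; a resource ID in a resource group the members cannot read will fail only at failover time.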

6

Update the existing Cluster object in SmartConsole:

Important - Do not install policy.

  1. In SmartConsole, double-click on the existing Cluster object.

  2. In Cluster Members, update each member to match the corresponding member of the new Check Point CloudGuard Network Security High Availability: enter its IPv4 address, reset the current SIC (Secure Internal Communication) trust, and then establish a new SIC connection.

    If you manage the Cluster from the same Virtual Network, enter the Cluster Member's private IP address. Otherwise, enter the Cluster Member's public IP address.

  3. In General Properties > Platform, update the version of your new CloudGuard Network High Availability, and then click Get.

  4. In Network Management:

    1. Double-click the interface eth0. In the Virtual IPv4 field, enter the private VIP address and subnet mask of the new CloudGuard Network Security High Availability.

    2. For both eth0 and eth1, change the member IP addresses to match the new CloudGuard Network Security High Availability members: enter the external private IP address for eth0 and the internal private IP address for eth1.

  5. For a VPN configuration, go to IPsec VPN > Link Selection.

    In the Outgoing Route Selection:

    1. Click Source IP address settings.

    2. Select Manual.

    3. Click Selected addresses from topology table.

    4. Select the private Cluster object VIP address of your new CloudGuard Network for Azure High Availability Cluster.

7

Delete the External Load Balancer and the Internal Load Balancer. Dissociate the public Cluster address created when the new Check Point CloudGuard Network Security High Availability was deployed (step 2), and then delete it as well. All of these resources are located in the resource group of the new Check Point CloudGuard Network Security High Availability.

 

Important - Connectivity will be lost during the next steps.

8

Add the new Check Point CloudGuard Network Security High Availability members to the backend pools:

For each Load Balancer used in the original solution, add the new members to the existing backend pools.

Make sure to select the correct IP configuration for each pool: the internal private IP address (eth1) for the Internal Load Balancer and the external private IP address (eth0) for the External Load Balancer.

9

Edit the load balancing rules so that they use only the new backend pool, and clear the checkbox for the previous pool.

10

Delete the old Check Point CloudGuard Network Security High Availability members from the backend pools of each Load Balancer used in the original solution.

11

Install the applicable Policy on the Cluster object.

12

Detach the Cluster VIP from the original Check Point CloudGuard Network High Availability members:

  1. From the Azure portal, stop both members of the original Check Point CloudGuard Network High Availability.

  2. In the original Check Point CloudGuard Network Cluster, select the Active Cluster Member's primary NIC > IP configuration > "cluster-vip", and delete it.

Initiate a failover in the new CloudGuard Network High Availability to attach the original Cluster VIP to the new members.

 

Note - Once the access role has been granted to the new members, the new CloudGuard Network Security High Availability handles all traffic in the environment (inbound, outbound, E-W, VPN tunneling).

Verify that all the traffic flows work as expected before proceeding, and that the Cluster failover works as expected.

13

Delete the original Check Point CloudGuard Network Security Cluster and other redundant resources.

Note - If you are using resources from the old resource group, such as VNETs or Cluster IP addresses, do not delete them.

Upgrade a Check Point Cluster to the CloudGuard Network High Availability Solution

Use these instructions to upgrade a deployed Check Point CloudGuard Network Cluster for the CloudGuard Network High Availability solution.

Notes:

  • All public IP addresses associated with the Cluster solution will change. This is because the High Availability solution uses a "Standard" SKU Load Balancer. "Basic" SKU public IP address resources cannot be associated with "Standard" SKU Load Balancers.

  • To upgrade a "Basic" SKU public IP address resource to a "Standard" SKU public IP resource, refer to Upgrading a basic public IP address to Standard SKU.

  • Update all VPN endpoints to use the new public VIP.

  • Before starting the upgrade, read the steps below and prepare an upgrade plan.

Step

Description

 

Important - Before you start, make sure that your deployed Management Server or Multi-Domain Security Management Server can manage the version of the CloudGuard Network High Availability solution that you intend to upgrade to. If the Management Server is an earlier version, you may need to install a Hotfix. Contact Check Point Support for more information.

1

Log in to the Azure portal.

2

Deploy a new Check Point CloudGuard Network Security High Availability solution.

Use the same network configurations as in the existing CloudGuard Network Security Cluster solution.

Important - When deploying into an existing VNet, you must create or adjust the Network Security Groups yourself, because they are not created automatically.

3

Grant the new CloudGuard Network Security High Availability members an access role for the virtual network in which the new solution is deployed.

For more information see Step 2: Set Credentials in Azure.

Note - Granting access will take a few minutes to an hour.

4

Set up routes on the Cluster Members to the internal subnets.

5

Create load balancing rules:

6

Update your existing Cluster object in SmartConsole:

Important - Do not install policy.

  1. In SmartConsole, double-click on the existing Cluster object.

  2. In General Properties:

    1. In the Virtual IPv4 address field, enter the public address allocated to the new CloudGuard Network Security High Availability.
      Note - The Cluster IP address is found in the Azure portal by selecting the Active Cluster Member's NIC > IP configuration > "cluster-vip".

    2. If necessary, update the version.

  3. Under Cluster Members, update each member to match the corresponding member of the new Check Point CloudGuard Network Security High Availability: enter its IPv4 address, reset the current SIC trust, and then establish a new SIC connection.

    If you manage the Cluster from the same Virtual Network, enter the Cluster Member's private IP address. Otherwise, enter the Cluster Member's public IP address.

  4. In Network Management:

    1. Double-click the interface eth0. In the Virtual IPv4 field, enter the private VIP address and subnet mask of the new CloudGuard Network Security High Availability.

    2. For both eth0 and eth1, change the member IP addresses to match the new CloudGuard Network Security High Availability members: enter the external private IP address for eth0 and the internal private IP address for eth1.

  5. For a VPN configuration, go to IPsec VPN > Link Selection.

    In the Outgoing Route Selection:

    1. Click Source IP address settings.

    2. Select Manual.

    3. Click Selected address from topology table.

    4. Select the private Cluster VIP address of the new Network Security High Availability.

7

In SmartConsole, configure the policy and NAT rules as needed.

 

Important - Connectivity will be lost during the next steps.

8

Update route tables in the Azure portal:

9

Install the applicable Policy on the Cluster object.

 

Note - Once the access role has been granted to the new members, the new CloudGuard Network Security High Availability handles all traffic in the environment (inbound, outbound, E-W, VPN tunneling).

Verify that all the traffic flows work as expected before proceeding.

10

Delete the original Check Point CloudGuard Network Security Cluster and other redundant resources.

Note - If you are using resources from the old resource group, such as VNets, do not delete them.