Upgrading the Check Point CloudGuard Network High Availability Solution
Note - In-place upgrade is now supported. For more information, refer to sk177714.
Use these instructions to upgrade a deployed Check Point CloudGuard Network High Availability solution. High Availability (HA, also called Active/Standby) is a redundant cluster mode in which only one Cluster Member (the Active member) processes all the traffic, while the other Cluster Members (Standby members) are ready to be promoted to the Active state if the current Active member fails. In High Availability mode, the Cluster Virtual IP address that represents the cluster on a network is associated either with the physical MAC address of the Active member or with a virtual MAC address.
Note - During the upgrade, a new Check Point CloudGuard Network High Availability solution is deployed. The upgrade keeps the network configuration used by the original Check Point CloudGuard Network High Availability solution.

Source - The original solution (with the older version)
Target - The new deployed solution (with the newer version)
Step-by-step instructions for upgrading to a new version:
1. Log in to the GCP (Google Cloud Platform) portal.
2. Open the source CloudGuard High Availability instances (member-a and member-b):
   a. In the active member page: locate the primary cluster address (nic0 External IP) and copy its name to use later ('XXX-primary-cluster-address').
   b. In the stand-by member page: locate the secondary cluster address (nic0 External IP) and copy its name to use later ('XXX-secondary-cluster-address').
3. Deploy a new Check Point CloudGuard Network High Availability solution (this is the "target solution"):
   a. Under High Availability Version, select the new version.
   b. Under Instance Configuration, select the same configuration as in the source solution.
   c. Under Check Point, select the same configuration as in the source solution.
   d. Under Networking, select the same network configuration as in the source solution, such as Cluster external subnet, Management external subnet, and internal networks.
4. Adjust the configuration file of the target solution instances to match the source solution's external IP addresses. For both instances of the target solution:
   a. Connect to the instance over SSH.
   b. Open the file: vi $FWDIR/conf/gcp-ha.json
   c. Edit the file so that these lines reference the address names copied in step 2:
      "public_ip": "<primary cluster address name (copied in 2.a)>",
      "secondary_public_ip": "<secondary cluster address name (copied in 2.b)>",
      Keep the other lines in the file the same.
      Note - Keep the separating commas at the end of each line; the file must remain valid JSON.
   d. Save the changes in the file and exit the editor.
   Important - Connectivity loss occurs during the next steps.
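The edit in step 4 is easy to get wrong by hand (a dropped comma, the two names swapped, the same name pasted twice), and a malformed gcp-ha.json on a member is only discovered once traffic has already been cut over. The script below is an added example, not part of this page and not Check Point's own tooling. It assumes only what the page shows: that $FWDIR/conf/gcp-ha.json is plain JSON with the top-level keys "public_ip" and "secondary_public_ip", and that the two GCP address names follow the '<prefix>-primary-cluster-address' / '<prefix>-secondary-cluster-address' pattern of the placeholders in step 2 (an assumption about naming). The other keys in the sample file are constructed for the example.

```python
#!/usr/bin/env python3
"""Point a target CloudGuard HA member at the source cluster's static address names.

Added example, not Check Point's own tooling. Assumes $FWDIR/conf/gcp-ha.json is
plain JSON with top-level "public_ip" / "secondary_public_ip" keys (as in step 4).
"""
import json
import os
import re
import sys
import tempfile

# Naming pattern implied by the placeholders in step 2 (assumption, not a Check Point rule).
_ADDR_RE = re.compile(
    r"^(?P<prefix>[a-z][-a-z0-9]*)-(?P<role>primary|secondary)-cluster-address$"
)


def validate_address_names(primary, secondary):
    """Check that both names follow <prefix>-{primary|secondary}-cluster-address and
    share one prefix. Returns the prefix. Catches the same name pasted twice,
    the two roles swapped, or names copied from two different deployments."""
    m_p = _ADDR_RE.match(primary)
    m_s = _ADDR_RE.match(secondary)
    if not m_p or m_p.group("role") != "primary":
        raise ValueError(f"not a primary cluster address name: {primary!r}")
    if not m_s or m_s.group("role") != "secondary":
        raise ValueError(f"not a secondary cluster address name: {secondary!r}")
    if m_p.group("prefix") != m_s.group("prefix"):
        raise ValueError("primary and secondary address names belong to different deployments")
    return m_p.group("prefix")


def update_gcp_ha_config(path, primary, secondary):
    """Rewrite only the two address keys, keep every other key unchanged, and
    replace the file atomically so a half-written file is never what the
    gateway reads after an interruption. Returns the new configuration."""
    validate_address_names(primary, secondary)
    with open(path, "r", encoding="utf-8") as f:
        config = json.load(f)  # fails loudly if the existing file is not valid JSON
    for key in ("public_ip", "secondary_public_ip"):
        if key not in config:
            raise KeyError(f"{key} missing from {path}; wrong file or unexpected layout")
    config["public_ip"] = primary
    config["secondary_public_ip"] = secondary

    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".gcp-ha.", suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(config, f, indent=4)
            f.write("\n")
        with open(tmp, "r", encoding="utf-8") as f:
            json.load(f)  # re-parse the new file before it replaces the live one
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return config


# Constructed sample of the file layout; only the two address keys come from the page.
SAMPLE_CONFIG = {
    "public_ip": "target-primary-cluster-address",
    "secondary_public_ip": "target-secondary-cluster-address",
    "debug": False,
}


def demo(directory):
    """Write the constructed sample into `directory`, update it as step 4 requires,
    and return the resulting configuration."""
    path = os.path.join(directory, "gcp-ha.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(SAMPLE_CONFIG, f, indent=4)
    return update_gcp_ha_config(
        path, "prod-primary-cluster-address", "prod-secondary-cluster-address"
    )


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # On a target member: python3 gcp-ha-update.py <path> <primary-name> <secondary-name>
        print(json.dumps(update_gcp_ha_config(*sys.argv[1:4]), indent=4))
    else:
        with tempfile.TemporaryDirectory() as d:
            print(json.dumps(demo(d), indent=4))
```

Run it on each target member with the path and the two names from step 2; the re-parse before os.replace is what guarantees the "valid JSON" note above holds even if the write is interrupted.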
5. Stop the source cluster's instances.
6. Delete the routes of the source cluster's internal networks manually. Go to the Navigation menu > NETWORKING > VPC network > VPC networks, and do the following for each internal network in the solution:
   a. Select the internal network.
   b. Select Routes.
   c. Delete these routes:
      - The route whose name starts with "x-chkp" and ends with "to-member-a" (if it exists; this depends on which member is currently active).
      - The route whose name starts with "x-chkp" and ends with "to-member-b".
7. Release the primary and secondary IP addresses of the source cluster. From the Navigation menu, go to NETWORKING > VPC network > External IP addresses.
   a. Locate the primary cluster address name (see 2.a above) and the secondary cluster address name (see 2.b above).
   b. For both IP addresses:
      i. Select Change. The Attach IP address window opens.
      ii. Under Attach to, choose None, and then clear the Assign a new ephemeral IP address box.
8. In SmartConsole, in Gateways & Servers, double-click the cluster object and edit these settings:
   a. Under General Properties, select the new version (the version of the target solution deployed in step 3).
   b. Under Cluster Members, update the members to match the members of the target solution. For each member, update the IPv4 Address (the management network's external IP).
   c. Under Network Management, modify the interfaces to match the target solution members.
9. Reinitialize SIC (Secure Internal Communication) between the target cluster and the Management Server. SIC is the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL; the authentication is based on certificates issued by the ICA on a Check Point Management Server.
10. Install policy on the cluster.
    Note - At this point, after all the new route and IP address configurations are finished, the target CloudGuard Network High Availability solution handles all the traffic in the environment (inbound, outbound, East-West, and VPN tunnels). Make sure that all traffic flows work as expected before proceeding. You can also test failover, that is, the transfer of control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member, based on internal cluster algorithms.
11. Delete the source CloudGuard Network High Availability instances and release the redundant IP addresses.
    Important - Do not delete the entire deployment of the source solution, because the target solution uses its primary and secondary IP addresses.