CloudGuard VMSS Solution Upgrade

This section provides instructions for upgrading an already deployed CloudGuard VMSS solution.

The upgrade procedure includes these steps:

Deploying a new version of the CloudGuard VMSS solution alongside the older version (a side-by-side upgrade).
Reconfiguring Azure resources and Check Point configuration to use this new version of theCloudGuard VMSS solution.
Deleting the older version of the CloudGuard VMSS solution.

Note:

Do not upgrade the CloudGuard VMSS solution to get newer images of the same Check Point CloudGuard version. During each Scale Out operation, an instance with the latest available image for the current version deploys automatically.
Make sure your current Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is compatible with the newer CloudGuard VMSS version you are deploying.

Terms:

Source - The original template and solution (with the lower version)
Target - The new template and solution (with the higher version)

To upgrade the CloudGuard VMSS solution

Step

Description

Open the resource group of the source CloudGuard VMSS solution.

For the External Load Balancer ("frontend-lb") and the Internal Load Balancer ("backend-lb"):

Get resource IDs of those load balancers and write them down for future reference.
Get the names of their related backend pools and write them down for future reference.

Deploy a target CloudGuard VMSS solution from the Azure Marketplace. To do this:

On the Basics tab, fill in the fields based on the Deployment Guide.
On the Check Point VMSS settings tab:
1. Select "Yes" in "Are you upgrading your CloudGuard VMSS solution?"
2. Use the same Management Server name as for the source CloudGuard VMSS solution.
3. Use a different configuration template name than in the source CloudGuard VMSS solution.
4. Select the same Load Balancers deployment mode as for the source CloudGuard VMSS solution.
5. Enter resource IDs of the External Load Balancer and Internal Load Balancer (from Step 3).
6. Enter names of the related backend pools (from Step 3).
On the Check Point CloudGuard settings tab, fill in the fields based on the Deployment Guide.
On the Network settings tab, use the same network settings (VNET and subnets) as for the source CloudGuard VMSS solution.
On the Tags tab, fill in the fields based on the Deployment Guide.

Configure the CME template.

For this, run:

autoprov_cfg add template -tn "<Template-Name>" -otp "<SIC-key>" -ver <Version> -po "<Policy-Name>"

Wait for provisioning to complete and for the policy to install on the new CloudGuard VMSS instances.

Note - In this step, all open connections on the source CloudGuard VMSS become closed.

Shut down the source CloudGuard VMSS and make sure that traffic flows correctly.

Note - Before proceeding, make sure the target VMSS handles all traffic (inbound, outbound, East-West) as expected.

Delete the CME template of the source CloudGuard VMSS.

For this, run:

autoprov_cfg delete template -tn "<Template-Name>"

Delete the corresponding VMSS resource.

Important - Do NOT delete the resource group of the source CloudGuard VMSS, as it can contain the VNET resource and Load Balancers currently in use.