Cloud Firewall VMSS Solution Upgrade

This section provides instructions for upgrading an already deployed Cloud Firewall VMSS solution.

The upgrade procedure includes these steps:

Deploying a new version of the Cloud Firewall VMSS solution alongside the older version (a side-by-side upgrade).

Reconfiguring Azure resources and Check Point configuration to use this new version of the Cloud Firewall VMSS solution.

Note - This procedure includes a connection draining mechanism which allows in-flight sessions to complete gracefully before de-allocating Virtual Machines. This ensures continuous service availability and supports zero-downtime deployments during instance scale-in, maintenance, or updates.

Deleting the older version of the Cloud Firewall VMSS solution.

Note:

Do not upgrade the Cloud Firewall VMSS solution to get newer images of the same Check Point Cloud Firewall version. During each Scale Out operation, an instance with the latest available image for the current version (the most recent build within the same major version of Cloud Firewall for Azure VMSS) deploys automatically.
Make sure your current Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. is compatible with the newer Cloud Firewall VMSS image you are deploying.

Terms:

Source - The original template and solution (with the lower version)
Target - The new template and solution (with the higher version)

To upgrade the Cloud Firewall VMSS solution

Step

Description

Open the resource group of the source Cloud Firewall VMSS solution.

For the External Load Balancer ("frontend-lb") and the Internal Load Balancer ("backend-lb"):

Get resource IDs of those load balancers and write them down for future reference.
Get the names of their related backend pools and write them down for future reference.

Deploy a target Cloud Firewall VMSS solution from the Azure Marketplace. To do this:

On the Basics tab, fill in the fields based on the Deployment Guide.
On the Check Point VMSS settings tab:
1. Select "Yes" in "Are you upgrading your CloudGuard VMSS solution?"
2. Use the same Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. name as for the source Cloud Firewall VMSS solution.
3. Use a different configuration template name than in the source Cloud Firewall VMSS solution.
4. Select the same Load Balancers deployment mode as for the source Cloud Firewall VMSS solution.
5. Enter resource IDs of the External Load Balancer and Internal Load Balancer (from Step 3).
6. Enter names of the related backend pools (from Step 3).
On the Check Point Cloud Firewall settings tab, fill in the fields based on the Deployment Guide.
On the Network settings tab, use the same network settings (VNET and subnets) as for the source Cloud Firewall VMSS solution.
On the Tags tab, fill in the fields based on the Deployment Guide.

Configure the CME template.

For this, run:

autoprov_cfg add template -tn "<Template-Name>" -otp "<SIC-key>" -ver <Version> -po "<Policy-Name>"

Wait for provisioning to complete and for the policy to install on the new Cloud Firewall VMSS instances.

Make sure the new Cloud Firewall Gateway instances are added to the Frontend-LB and Backend-LB backend pools and new Cloud Firewall Gateway objects appear in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Drain connections from source Cloud Firewall VMSS instances:

Connect to the sourceCloud Firewall VMSS instance via SSH.
Check if there are active connections to that instance.

For that, in Expert mode, run the following command to view the number of active connections:

fw tab -t connections -s
Check the current Load Balancer health probe port number with this command:

fw ctl get int cloud_balancer_port

The default port number is 8117.
Disable Cloud Firewall VMSS instance responses to Load Balancer health probes. This stops creation of new connections. For that, run:

fw ctl set int cloud_balancer_port 0

Monitor traffic drain with this command:

fw tab -t connections -s

Wait until the number of active connections decreases significantly.

Note - System connections usually persist so the value will never be 0.

Note - In this step, all open connections on the source Cloud Firewall VMSS become closed.

Shut down the source Cloud Firewall VMSS and make sure that traffic flows correctly:

In the Azure Portal, go to the Virtual Machine Scale Set.
Select the source Scale Set.
Go to the Scaling section.
Set Instance Limits to Minimum 0, Maximum 0, Default 0.

Note - Before proceeding, make sure the target VMSS handles all traffic (inbound, outbound, East-West) as expected.

Delete the CME template of the source Cloud Firewall VMSS. For this, run:

autoprov_cfg delete template -tn "<Template-Name>"

Delete the corresponding VMSS resource.

Important - Do NOT delete the resource group of the source Cloud Firewall VMSS, as it can contain the VNET resource and Load Balancers currently in use.