CloudGuard VMSS Solution Upgrade

This section provides instructions for upgrading an already deployed CloudGuard VMSS solution.

The upgrade procedure includes these steps:

Deploying a new version of the CloudGuard VMSS solution alongside the older version (a side-by-side upgrade).

Reconfiguring Azure resources and Check Point configuration to use this new version of the CloudGuard VMSS solution.

Note - This procedure includes a connection draining mechanism which allows in-flight sessions to complete gracefully before de-allocating Virtual Machines. This ensures continuous service availability and supports zero-downtime deployments during instance scale-in, maintenance, or updates.

Deleting the older version of the CloudGuard VMSS solution.

Note:

Do not upgrade the CloudGuard VMSS solution to get newer images of the same Check Point CloudGuard version. During each Scale Out operation, an instance with the latest available image for the current version (the most recent build within the same major version of CloudGuard Network for Azure VMSS) deploys automatically.
Make sure your current Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is compatible with the newer CloudGuard VMSS image you are deploying.

Terms:

Source - The original template and solution (with the lower version)
Target - The new template and solution (with the higher version)

To upgrade the CloudGuard VMSS solution

Step

Description

Open the resource group of the source CloudGuard VMSS solution.

For the External Load Balancer ("frontend-lb") and the Internal Load Balancer ("backend-lb"):

Get resource IDs of those load balancers and write them down for future reference.
Get the names of their related backend pools and write them down for future reference.

Deploy a target CloudGuard VMSS solution from the Azure Marketplace. To do this:

On the Basics tab, fill in the fields based on the Deployment Guide.
On the Check Point VMSS settings tab:
1. Select "Yes" in "Are you upgrading your CloudGuard VMSS solution?"
2. Use the same Management Server name as for the source CloudGuard VMSS solution.
3. Use a different configuration template name than in the source CloudGuard VMSS solution.
4. Select the same Load Balancers deployment mode as for the source CloudGuard VMSS solution.
5. Enter resource IDs of the External Load Balancer and Internal Load Balancer (from Step 3).
6. Enter names of the related backend pools (from Step 3).
On the Check Point CloudGuard settings tab, fill in the fields based on the Deployment Guide.
On the Network settings tab, use the same network settings (VNET and subnets) as for the source CloudGuard VMSS solution.
On the Tags tab, fill in the fields based on the Deployment Guide.

Configure the CME template.

For this, run:

autoprov_cfg add template -tn "<Template-Name>" -otp "<SIC-key>" -ver <Version> -po "<Policy-Name>"

Wait for provisioning to complete and for the policy to install on the new CloudGuard VMSS instances.

Make sure the new Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. instances are added to the Frontend-LB and Backend-LB backend pools and new Security Gateway objects appear in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Drain connections from source CloudGuard VMSS instances. For that:

Connect to the sourceCloudGuard VMSS instance via SSH.
Check if there are active connections to that instance.

For that, in Expert mode, run the following command to view the number of active connections:

fw tab -t connections -s
Check the current Load Balancer health probe port number with this command:

fw ctl get int cloud_balancer_port

The default port number is 8117.
Disable CloudGuard VMSS instance responses to Load Balancer health probes. This stops creation of new connections. For that, run:

fw ctl set int cloud_balancer_port 0

Monitor traffic drain with this command:

fw tab -t connections -s

Wait until the number of active connections decreases significantly.

Note - System connections usually persist so the value will never be 0.

Note - In this step, all open connections on the source CloudGuard VMSS become closed.

Shut down the source CloudGuard VMSS and make sure that traffic flows correctly. For that:

In the Azure Portal, go to the Virtual Machine Scale Set.
Select the source Scale Set.
Go to the Scaling section.
Set Instance Limits to Minimum 0, Maximum 0, Default 0.

Note - Before proceeding, make sure the target VMSS handles all traffic (inbound, outbound, East-West) as expected.

Delete the CME template of the source CloudGuard VMSS. For this, run:

autoprov_cfg delete template -tn "<Template-Name>"

Delete the corresponding VMSS resource.

Important - Do NOT delete the resource group of the source CloudGuard VMSS, as it can contain the VNET resource and Load Balancers currently in use.