If a period of network downtime is acceptable and you choose to perform a Minimal Effort Upgrade, each cluster member is upgraded as an individual gateway. For additional instructions, refer to Upgrading Security Gateways.
Zero Downtime Upgrade is supported on all Check Point clusters and third-party clustering products.
During a Zero Downtime Upgrade one member of the cluster remains active, while the other cluster members get upgraded. The active cluster member is upgraded last.
The procedure below describes a three member cluster. However, it can be used for clusters with two or more members.
To upgrade a cluster with the Zero Downtime method:
To avoid possible problems with switches around the cluster, we recommend changing the CCP protocol to Broadcast mode on all cluster members. Run cphaconf set_ccp broadcast on all cluster members.
Note - cphaconf set_ccp takes effect immediately. It does not require a reboot, and the setting survives a reboot. If you want to switch the CCP protocol back to Multicast mode on all cluster members after the upgrade, run cphaconf set_ccp multicast on all cluster members.
After the upgrade, reboot M2.
After the upgrade, reboot M3.
The policy successfully installs on M2 and M3. Policy installation fails on M1 and generates a warning. You can safely ignore the warning.
cphaprob stat
Verify that the status of cluster member M1 is Active or Active Attention.
Active Attention means that the outbound status of the synchronization interface on M1 is down. This is because M1 stopped communicating with other cluster members.
cpstop. This forces a failover to M2 or M3 (in High Availability mode) or to M2 and M3 (in Load Sharing mode).
Make sure that one member is Active (in High Availability) or that all members are Active (in Load Sharing).
cphaprob stat
cphaconf set_ccp multicast on all cluster members.
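The state check in the procedure (one member Active in High Availability, all members Active in Load Sharing) can be scripted so it is not judged by eye during the change window. The following is an added example, not Check Point code: the function name check_cluster_state, the sample outputs and the assumed column layout of cphaprob stat are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code. Reads `cphaprob stat` output on stdin.
# Usage on a member:  cphaprob stat | check_cluster_state ha   (or: ls)
check_cluster_state() {
    awk -v mode="$1" '
        # Assumed layout: member rows start with the member number and the
        # state is everything after the "NN%" load column.
        /^[0-9]+/ {
            state = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /%$/) {
                    for (j = i + 1; j <= NF; j++)
                        state = state (state == "" ? "" : " ") $j
                    break
                }
            if (state == "") next
            members++
            # "Active Attention" is a distinct state and is not counted as Active.
            if (state == "Active") active++
        }
        END {
            if (mode == "ha")      ok = (active == 1)
            else if (mode == "ls") ok = (members > 0 && active == members)
            else                   ok = 0
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample output (addresses from the documentation range).
sample_ha() {
cat <<'EOF'
Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1          192.0.2.1       0%              Standby
2 (local)  192.0.2.2       100%            Active
3          192.0.2.3       0%              Standby
EOF
}

sample_attention() {
cat <<'EOF'
Number     Unique Address  Assigned Load   State

1 (local)  192.0.2.1       100%            Active Attention
2          192.0.2.2       0%              Down
EOF
}
```

The function returns 0 when the rule for the given mode holds and 1 otherwise, so it can gate the next step of an upgrade runbook.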