Step 3: Upgrading the CloudGuard Gateway for NSX

In This Section: Upgrading the CloudGuard Gateway with the CLI Upgrading the CloudGuard Gateway Manually

You can upgrade the CloudGuard Gateway for NSX manually or with the CLI.

Before you start the upgrade, you have to enable the OVF files.

Notes:

• Make sure:
  • There is connectivity between the OVF URL and the vCenter server and the CloudGuard Controller
  • The OVF file is accessible from the CloudGuard Controller
• If you update the OVF URL now, it affects only the new service registration.

Important - Before the upgrade, make sure the service status in the vSphere web client is UP, or the upgrade fails.

Upgrading the CloudGuard Gateway with the CLI

To upgrade with the CLI:

1. Connect to the command line on the CloudGuard Controller.
2. Log in to the Expert mode.
3. Run:

   # cloudguard_config

4. Select VMware Configuration > Manage Register Service > Upgrade Service > NSX.
5. Select the Service you want to upgrade.
6. Select the Cluster you want to upgrade.
7. To register the service with a default configuration, press y to accept the default settings.

   There are two options:

   • Enter y to automatically create the CloudGuard Gateway object in the CloudGuard Controller and to automatically assign to the CloudGuard Gateway an IP address from the NSX IP pool.
   • Enter n to manually create an object. Then, enter y to automatically assign to CloudGuard Gateway an IP address from the NSX IP pool, or n, to set the IP address manually.

   See below for details to register the service.

8. Enter and confirm the default administrator password for the CloudGuard Gateway.
9. Enter and confirm the SIC one-time password.
10. Select the IP pool, if you had selected to assign the IP gateway address from the NSX IP pool.

    If your IP pool has no IP, you can change your selection, or create new IP pool.

To register the service:

• With a manual configuration, enter n to configure manually.
  • Enter a Service Name.
  • Select how you want to register the service.
• As a tap device.
• As a CloudGuard Gateway, select Inspection.
  • Configure the Failure Policy (for the Inspection Mode only).

    The default policy is Fail close and all packets are dropped. If you choose Fail open, all packets are accepted.

    The Failure Policy determines if packets are allowed or dropped when the ESX kernel cannot communicate with the CloudGuard Gateway agent. This can happen when the CloudGuard Gateway is down, restarts, or has an unexpected error. You can change the policy later.

  • Configure IPv6 support.

The upgrade is now in progress. The process takes some time. You can follow the progress on the Management Server's console.

When the installation is complete, you have to redirect the traffic to the new service.

To redirect traffic to the new service:

1. Select VMware Configuration > Manage Register Service > Change Redirection Rules > NSX.
2. Select the old service.
3. Select the new service.

Use the vSphere Web UI to confirm the new service is running, and then uninstall the old service.

Upgrading the CloudGuard Gateway Manually

To upgrade manually:

1. Provide the OVF URL path and files.
2. Register a new CloudGuard Gateway service.
3. Deploy the new CloudGuard Gateway service.
4. In SmartConsole , install the Access Control Policy on the Check Point Gateway.
5. On the vSphere web UI, change the redirection policy from the old service to the new service.
6. Uninstall the old CloudGuard Gateway service.

Best Practice - Before you install the new CloudGuard Gateway, migrate all the Virtual Machines to another ESXi. There is less downtime when you upgrade.