Important:
|
Important - Before you upgrade a cluster:
Step |
Description |
---|---|
1 |
|
2 |
See the Upgrade Options and Prerequisites. |
3 |
See the Planning a Cluster Upgrade. |
4 |
Upgrade the Management Server and Log Servers to R80.20 version. |
5 |
Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade. |
The procedure below describes an example cluster with three Cluster Members M1, M2 and M3. However, you can use it for clusters that consist of two or more Cluster Members.
Cluster Mode |
Cluster States |
General Upgrade Action Plan |
---|---|---|
High Availability |
The Cluster Member M1 is the Active. The Cluster Members M2 and M3 are Standby. |
Action plan:
|
Workflow:
Step 1 of 21: On the Cluster Member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Installation Method |
Instructions |
---|---|
Upgrade to R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade. |
Clean Install of R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install. |
Clean Install of R80.20 from scratch |
See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade). |
Note - You must reboot the Cluster Member after the upgrade or clean install.
Step 2 of 21: On the Cluster Member M3 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Installation Method |
Instructions |
---|---|
Upgrade to R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade. |
Clean Install of R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install. |
Clean Install of R80.20 from scratch |
See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade). |
Note - You must reboot the Cluster Member after the upgrade or clean install.
Step 3 of 21: In SmartConsole - Change the version of the cluster object
Step |
Description |
---|---|
1 |
Connect with the SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the Cluster object. |
4 |
From the left navigation tree, click the General Properties page. |
5 |
In the Platform section > Version field, select R80.20. |
6 |
If you performed a Clean Install of R80.20 on the Cluster Member, then establish the Secure Internal Communication (SIC) between the Management Server and this Cluster Member:
|
7 |
Click OK to close the Gateway Cluster Properties window. |
Step 4 of 21: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Click Install Policy. |
2 |
In the Install Policy window:
|
3 |
The Access Control Policy successfully installs on the upgraded Cluster Members M2 and M3. The Access Control Policy installation fails on the old Cluster Member M1 with a warning. Ignore this warning. |
Step 5 of 21: On each Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Examine the cluster state:
Notes:
|
Step 6 of 21: Disconnect the upgraded Cluster Members M2 and M3 from their networks
Step |
Description |
---|---|
1 |
Select one Cluster Member M1 to process the current connections. |
2 |
Completely disconnect all other Cluster Members M2 and M3 from their networks (this includes the Management Server). |
Step 7 of 21: On one of the upgraded Cluster Members M2 connect all the cables
Step |
Description |
---|---|
1 |
Connect all the cables to one of the upgraded Cluster Members M2. |
2 |
Make sure traffic (for example, pings) can pass on the Sync interface to the old Cluster Member M1. |
Step 8 of 21: On the old Cluster Member M1 - Start the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the old Cluster Member M1. |
2 |
Log in to the Expert mode. |
3 |
Start the Optimal Service Upgrade:
|
Step 9 of 21: On the connected upgraded Cluster Member M2 - Start the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the connected upgraded Cluster Member M2. |
2 |
Log in to the Expert mode. |
3 |
Start the Optimal Service Upgrade:
|
Step 10 of 21: On the old Cluster Member M1 - Stop the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the old Cluster Member M1. |
2 |
Log in to the Expert mode. |
3 |
Monitor the amount of traffic for some time:
|
4 |
When the old Cluster Member does not have many connections (in your opinion), stop the Optimal Service Upgrade:
|
Step 11 of 21: On the connected upgraded Cluster Member M2 - Stop the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the connected upgraded Cluster Member M2. |
2 |
Log in to the Expert mode. |
4 |
Stop the Optimal Service Upgrade:
|
Step 12 of 21: Disconnect the old Cluster Member M1 from its networks
Completely disconnect the old Cluster Member M1 from its networks (this includes the Management Server).
Step 13 of 21: Reconnect the upgraded Cluster Member M2 to its networks
Step |
Description |
---|---|
1 |
Connect to the command line on the upgraded Cluster Member M2. |
2 |
Log in to the Expert mode. |
3 |
Stop the cluster:
|
4 |
Connect the upgraded Cluster Member M2 to all its network (this includes the Management Server) |
5 |
Start the cluster:
|
Step 14 of 21: Reconnect the upgraded Cluster Member M3 to its networks
Step |
Description |
---|---|
1 |
Connect to the command line on the upgraded Cluster Member M3. |
2 |
Log in to the Expert mode. |
3 |
Stop the cluster:
|
4 |
Connect the upgraded Cluster Member M3 to all its network (this includes the Management Server) |
5 |
Start the cluster:
|
Step 15 of 21: On the old Cluster Member M1 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Installation Method |
Instructions |
---|---|
Upgrade to R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade. |
Clean Install of R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install. |
Clean Install of R80.20 from scratch |
See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade). |
Note - You must reboot the Cluster Member after the upgrade or clean install.
Step 16 of 21: In SmartConsole - Establish SIC with the former old Cluster Member M1
This step is required only if you performed a Clean Install of R80.20 on this Cluster Member.
Step |
Description |
---|---|
1 |
Connect with the SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the cluster object. |
4 |
From the left tree, click Cluster Members. |
5 |
Select the object of the Cluster Member M1. |
6 |
Click Edit. |
7 |
On the General tab, click the Communication button. |
8 |
Click Reset. |
9 |
In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member. |
10 |
In the Confirm one-time password field, enter the same Activation Key again. |
11 |
Click Initialize. |
12 |
The Trust state field must shows Trust established. |
13 |
Click Close to close the Communication window. |
14 |
Click OK to close the Cluster Member Properties window. |
Step 17 of 21: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with the SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on all the Cluster Members. |
Step 18 of 21: On each Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Examine the cluster state:
Note - Cluster states of the Cluster Members are: one is Active, others are Standby. |
Step 19 of 21: On each Cluster Member - Change the CCP mode to Auto
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Change the CCP mode:
Notes:
|
3 |
Make sure the CCP mode is set to Auto:
|
Step 20 of 21: In SmartConsole - Install the Threat Prevention Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Policy field, select the applicable Threat Prevention Policy. |
5 |
Click Install. |
Step 21 of 21: Test the functionality
Step |
Description |
---|---|
1 |
Connect with the SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Logs & Monitor > Logs. |
3 |
Examine the logs from this Cluster to make sure it inspects the traffic as expected. |
For more information: