Optimal Service Upgrade of a Security Gateway Cluster

Important:

  • Load Sharing modes are only supported with the required R80.20 Jumbo Hotfix Accumulator. For instructions, see sk162637.
  • To upgrade a ClusterXL that works in a Load Sharing mode from a lower version to R80.20, follow these steps in the same maintenance window:
    1. Upgrade the ClusterXL to R80.20.
    2. Install the required R80.20 Jumbo Hotfix Accumulator. For instructions, see sk162637.

Important - Before you upgrade a cluster:

  1. Back up your current configuration.
  2. See the Upgrade Options and Prerequisites.
  3. See the Planning a Cluster Upgrade.
  4. Upgrade the Management Server and Log Servers to R80.20 version.
  5. Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade.

The procedure below describes an example cluster with three Cluster Members M1, M2 and M3. However, you can use it for clusters that consist of two or more Cluster Members.

Cluster Mode: High Availability

Cluster States:

  • The Cluster Member M1 is the Active.
  • The Cluster Members M2 and M3 are Standby.

General Upgrade Action Plan:

  1. Upgrade, or Clean Install the Standby Cluster Members M2 and M3.

    The upgraded Cluster Members M2 and M3 change their cluster state to Ready.

    The old Cluster Member M1 changes its cluster state to Active Attention.

  2. In SmartConsole, change the version of the cluster object to R80.20.
  3. Install the Access Control Policy only on the upgraded Cluster Members M2 and M3.
  4. Disconnect the upgraded Cluster Members M2 and M3 from their networks.
  5. On one of the upgraded Cluster Members (M2), connect the Sync cable.
  6. Start the Optimal Service Upgrade - on the Active old Cluster Member M1 and on the connected upgraded Cluster Member M2.
  7. Stop the Optimal Service Upgrade - on the Active old Cluster Member M1 and on the connected upgraded Cluster Member M2.
  8. Disconnect the Active old Cluster Member M1 from its networks.
  9. Reconnect the upgraded Cluster Members M2 and M3 (one by one) to their networks.
  10. Upgrade, or Clean Install the old Cluster Member M1.
  11. Install the Access Control Policy on the cluster object.
  12. Cluster states of the Cluster Members are: one is Active, others are Standby.
  13. On each Cluster Member, change the CCP mode to Auto.
  14. Install the Threat Prevention Policy on the cluster object.

Workflow:

  1. On the Cluster Member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
  2. On the Cluster Member M3 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
  3. In SmartConsole - Change the version of the cluster object
  4. In SmartConsole - Install the Access Control Policy
  5. On each Cluster Member - Examine the cluster state
  6. Disconnect the upgraded Cluster Members M2 and M3 from their networks
  7. On one of the upgraded Cluster Members M2 connect all the cables
  8. On the old Cluster Member M1 - Start the Optimal Service Upgrade
  9. On the connected upgraded Cluster Member M2 - Start the Optimal Service Upgrade
  10. On the old Cluster Member M1 - Stop the Optimal Service Upgrade
  11. On the connected upgraded Cluster Member M2 - Stop the Optimal Service Upgrade
  12. Disconnect the old Cluster Member M1 from its networks
  13. Reconnect the upgraded Cluster Member M2 to its networks
  14. Reconnect the upgraded Cluster Member M3 to its networks
  15. On the old Cluster Member M1 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
  16. In SmartConsole - Establish SIC with the former old Cluster Member M1
  17. In SmartConsole - Install the Access Control Policy
  18. On each Cluster Member - Examine the cluster state
  19. On each Cluster Member - Change the CCP mode to Auto
  20. In SmartConsole - Install the Threat Prevention Policy
  21. Test the functionality

Step 1 of 21: On the Cluster Member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

Installation Method and Instructions:

  • Upgrade to R80.20 with CPUSE:
    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade.
  • Clean Install of R80.20 with CPUSE:
    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install.
  • Clean Install of R80.20 from scratch:
    See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

Note - You must reboot the Cluster Member after the upgrade or clean install.

Step 2 of 21: On the Cluster Member M3 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

Installation Method and Instructions:

  • Upgrade to R80.20 with CPUSE:
    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade.
  • Clean Install of R80.20 with CPUSE:
    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install.
  • Clean Install of R80.20 from scratch:
    See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

Note - You must reboot the Cluster Member after the upgrade or clean install.

Step 3 of 21: In SmartConsole - Change the version of the cluster object

  1. Connect with the SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
  2. From the left navigation panel, click Gateways & Servers.
  3. Open the Cluster object.
  4. From the left navigation tree, click the General Properties page.
  5. In the Platform section > Version field, select R80.20.
  6. If you performed a Clean Install of R80.20 on the Cluster Member, then establish the Secure Internal Communication (SIC) between the Management Server and this Cluster Member:
    1. From the left tree, click Cluster Members.
    2. Select the Cluster Member object.
    3. Click Edit.
    4. On the General tab, click the Communication button.
    5. Click Reset.
    6. In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
    7. In the Confirm one-time password field, enter the same Activation Key again.
    8. Click Initialize.
    9. The Trust state field must show Trust established.
    10. Click Close to close the Communication window.
    11. Click OK to close the Cluster Member Properties window.
  7. Click OK to close the Gateway Cluster Properties window.

Step 4 of 21: In SmartConsole - Install the Access Control Policy

  1. Click Install Policy.
  2. In the Install Policy window:
    1. In the Policy field, select the applicable Access Control Policy.
    2. In the Install Mode section, configure these two options:
      • Select "Install on each selected gateway independently".
      • Clear "For gateway clusters, if installation on a cluster member fails, do not install on that cluster".
    3. Click Install.
  3. The Access Control Policy successfully installs on the upgraded Cluster Members M2 and M3. The Access Control Policy installation fails on the old Cluster Member M1 with a warning. Ignore this warning.

Step 5 of 21: On each Cluster Member - Examine the cluster state

  1. Connect to the command line on each Cluster Member.
  2. Examine the cluster state:
    • In Gaia Clish (R80.20 and above), run:

      show cluster state

    • In Expert mode, run:

      cphaprob state

Notes:

  • The cluster states of the upgraded Cluster Members M2 and M3 are Ready.
  • The cluster state of the old Cluster Member M1 is Active Attention.

Step 6 of 21: Disconnect the upgraded Cluster Members M2 and M3 from their networks

  1. Select one Cluster Member M1 to process the current connections.
  2. Completely disconnect all other Cluster Members M2 and M3 from their networks (this includes the Management Server).

Step 7 of 21: On one of the upgraded Cluster Members M2 connect all the cables

  1. Connect all the cables to one of the upgraded Cluster Members M2.
  2. Make sure traffic (for example, pings) can pass on the Sync interface to the old Cluster Member M1.

Step 8 of 21: On the old Cluster Member M1 - Start the Optimal Service Upgrade

  1. Connect to the command line on the old Cluster Member M1.
  2. Log in to the Expert mode.
  3. Start the Optimal Service Upgrade:

    [Expert@MemberOld:0]# cphaosu start

Step 9 of 21: On the connected upgraded Cluster Member M2 - Start the Optimal Service Upgrade

  1. Connect to the command line on the connected upgraded Cluster Member M2.
  2. Log in to the Expert mode.
  3. Start the Optimal Service Upgrade:

    [Expert@MemberNew:0]# cphaosu start

Step 10 of 21: On the old Cluster Member M1 - Stop the Optimal Service Upgrade

  1. Connect to the command line on the old Cluster Member M1.
  2. Log in to the Expert mode.
  3. Monitor the amount of traffic for some time:

    [Expert@MemberOld:0]# cphaosu stat

  4. When the old Cluster Member does not have many connections (in your opinion), stop the Optimal Service Upgrade:

    [Expert@MemberOld:0]# cphaosu finish

Step 11 of 21: On the connected upgraded Cluster Member M2 - Stop the Optimal Service Upgrade

  1. Connect to the command line on the connected upgraded Cluster Member M2.
  2. Log in to the Expert mode.
  3. Stop the Optimal Service Upgrade:

    [Expert@MemberNew:0]# cphaosu finish

Step 12 of 21: Disconnect the old Cluster Member M1 from its networks

Completely disconnect the old Cluster Member M1 from its networks (this includes the Management Server).

Step 13 of 21: Reconnect the upgraded Cluster Member M2 to its networks

  1. Connect to the command line on the upgraded Cluster Member M2.
  2. Log in to the Expert mode.
  3. Stop the cluster:

    [Expert@MemberNew:0]# cphastop

  4. Connect the upgraded Cluster Member M2 to all its networks (this includes the Management Server).
  5. Start the cluster:

    [Expert@MemberNew:0]# cphastart

Step 14 of 21: Reconnect the upgraded Cluster Member M3 to its networks

  1. Connect to the command line on the upgraded Cluster Member M3.
  2. Log in to the Expert mode.
  3. Stop the cluster:

    [Expert@MemberNew:0]# cphastop

  4. Connect the upgraded Cluster Member M3 to all its networks (this includes the Management Server).
  5. Start the cluster:

    [Expert@MemberNew:0]# cphastart

Step 15 of 21: On the old Cluster Member M1 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

Installation Method and Instructions:

  • Upgrade to R80.20 with CPUSE:
    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade.
  • Clean Install of R80.20 with CPUSE:
    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install.
  • Clean Install of R80.20 from scratch:
    See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

Note - You must reboot the Cluster Member after the upgrade or clean install.

Step 16 of 21: In SmartConsole - Establish SIC with the former old Cluster Member M1

This step is required only if you performed a Clean Install of R80.20 on this Cluster Member.

  1. Connect with the SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this Cluster.
  2. From the left navigation panel, click Gateways & Servers.
  3. Open the cluster object.
  4. From the left tree, click Cluster Members.
  5. Select the object of the Cluster Member M1.
  6. Click Edit.
  7. On the General tab, click the Communication button.
  8. Click Reset.
  9. In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
  10. In the Confirm one-time password field, enter the same Activation Key again.
  11. Click Initialize.
  12. The Trust state field must show Trust established.
  13. Click Close to close the Communication window.
  14. Click OK to close the Cluster Member Properties window.

Step 17 of 21: In SmartConsole - Install the Access Control Policy

  1. Connect with the SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
  2. From the left navigation panel, click Gateways & Servers.
  3. Click Install Policy.
  4. In the Install Policy window:
    1. In the Policy field, select the applicable Access Control Policy.
    2. In the Install Mode section, select these two options:
      • Install on each selected gateway independently
      • For gateway clusters, if installation on a cluster member fails, do not install on that cluster
    3. Click Install.
  5. The Access Control Policy successfully installs on all the Cluster Members.

Step 18 of 21: On each Cluster Member - Examine the cluster state

  1. Connect to the command line on each Cluster Member.
  2. Examine the cluster state:
    • In Gaia Clish (R80.20 and above), run:

      show cluster state

    • In Expert mode, run:

      cphaprob state

Note - Cluster states of the Cluster Members are: one is Active, others are Standby.
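
A gate check for the cluster states expected at Step 5 and at Step 18, as an added example that is not part of the original Check Point procedure. The input format (one line per member: name, `old` or `new`, then the state the operator read from `cphaprob state`), the function name `check_gate` and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Gate check for the cluster states this procedure expects.
# stdin (assumed format, not Check Point output): one line per member,
#   <member> <old|new> <state read from "cphaprob state">
# Usage: check_gate step5|step18

check_gate() {
    case "$1" in
        step5|step18) ;;
        *) echo "usage: check_gate step5|step18" >&2; return 2 ;;
    esac
    awk -v gate="$1" '
        NF < 3 { next }                      # skip blank or incomplete lines
        {
            state = $3                       # a state may be two words
            for (i = 4; i <= NF; i++) state = state " " $i
            state = tolower(state)
            n++
            if (gate == "step5") {
                # Upgraded members: Ready. Old member: Active Attention.
                want = ($2 == "new") ? "ready" : "active attention"
                if (state != want) {
                    printf "%s: %s, expected %s\n", $1, state, want
                    bad++
                }
            } else if (state == "active") {
                active++
            } else if (state != "standby") {
                printf "%s: unexpected state %s\n", $1, state
                bad++
            }
        }
        END {
            # Step 18: exactly one Active, all others Standby.
            if (gate == "step18" && active != 1) {
                printf "Active members: %d, expected 1\n", active
                bad++
            }
            exit ((n == 0 || bad > 0) ? 1 : 0)
        }
    '
}

# Constructed sample: states noted at Step 5 on a three-member cluster.
printf '%s\n' 'M1 old Active Attention' 'M2 new Ready' 'M3 new Ready' |
    check_gate step5 && echo "Step 5 gate: OK"
```

A non-zero exit status means the cluster is not in the state the procedure expects at that step, so the next step should not be started.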

Step 19 of 21: On each Cluster Member - Change the CCP mode to Auto

  1. Connect to the command line on each Cluster Member.
  2. Change the CCP mode:
    • In Gaia Clish, run:

      set cluster member ccp auto

      save config

    • In Expert mode, run:

      cphaconf set_ccp auto

    Notes:

    • This change does not require a reboot.
    • This change applies immediately and survives reboot.

  3. Make sure the CCP mode is set to Auto:
    • In Gaia Clish, run:

      show cluster members interfaces all

    • In Expert mode, run:

      cphaprob -a if

Step 20 of 21: In SmartConsole - Install the Threat Prevention Policy

  1. Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
  2. From the left navigation panel, click Gateways & Servers.
  3. Click Install Policy.
  4. In the Policy field, select the applicable Threat Prevention Policy.
  5. Click Install.

Step 21 of 21: Test the functionality

  1. Connect with the SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
  2. From the left navigation panel, click Logs & Monitor > Logs.
  3. Examine the logs from this Cluster to make sure it inspects the traffic as expected.

For more information:

See the R80.20 ClusterXL Administration Guide.