Important:
|
Important - Before you upgrade Cluster Members:
Step |
Description |
---|---|
1 |
|
2 |
See the Upgrade Options and Prerequisites. |
3 |
Upgrade the Management Server and Log Servers to R80.20 version. |
4 |
Upgrade the licenses on the Cluster Members, if needed. See Working with Licenses. |
5 |
If you upgrade a VSX Cluster, then on the Management Server, upgrade the configuration of the VSX Cluster object to R80.20. |
6 |
Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade. The upgrade process replaces all existing files with default files. If you have custom configurations on the Cluster Members, they are lost during the upgrade. As a result, different issues can occur in the upgraded cluster. Cluster Members can stop detecting each other, Cluster Members can move to undesired state, and traffic can be dropped. |
7 |
Make sure the configuration and the values of the required kernel parameters are the same on all Cluster Members. Log in to the Expert mode on each Cluster Member and run the applicable commands. Note - For more information, see sk25977. |
|
|
|
|
|
|
|
|
|
|
Available upgrade methods:
Because the upgrade process on Cluster Members stops all Check Point services, it disrupts the cluster's ability to inspect and synchronize the connections that pass through the cluster.
The table below describes the available upgrade methods.
For more information, see sk107042: ClusterXL upgrade methods and paths.
Upgrade |
Description |
Maintenance |
Limitations |
---|---|---|---|
Select this method, if connectivity is of utmost concern. Connection failover is guaranteed - no connections are dropped. Connections that were initiated before the upgrade are synchronized with the upgraded Security Gateways and cluster members, so that no connections are dropped. This upgrade method supports cluster members in High Availability mode only. You can select this method, if you upgrade a ClusterXL or a VSX Cluster. You can select this method, if you upgrade a 3rd party cluster (VRRP on Gaia). Note - The CU procedure is very similar to the Zero Downtime procedure with the addition of synchronizing the connections to the upgraded cluster members. |
This upgrade method does not require a maintenance window. Duration of this upgrade is short. |
This upgrade method supports only specific upgrade paths. Many types of connections do not survive after failover to upgraded Cluster Member. See sk107042. |
|
Select this method, if security is of utmost concern. During this type of upgrade, all Cluster Members process the network traffic. Connections that are initiated during the upgrade stay up through the upgrade. A minimal number of connections that were initiated before the upgrade and were not closed during the upgrade procedure, are dropped after the upgrade. Newly established connections are forwarded to the upgraded cluster members while the cluster members running the previous version continue to inspect the old existing connections. The more time the upgrade procedure takes, the less old connections exist, and upon stopping the cluster members running the previous version, the connection drop is minimal. Despite long duration of this upgrade procedure, security and connectivity are fully maintained. You can select this method, if you upgrade a ClusterXL or a VSX Cluster. This method does not support a 3rd party cluster (VRRP on Gaia). |
This upgrade method requires a very short maintenance window for old connections to be dropped. Duration of this upgrade is long. |
This upgrade method supports only specific upgrade paths. This upgrade method does not support some types of connections. See sk107042. |
|
Minimal Effort Upgrade (Simple Upgrade) |
Select this method, if you have a period of time, during which network downtime is allowed. This method is the simplest, because it lets you upgrade each Cluster Member as an independent Security Gateway. All connections that were initiated before the upgrade, are dropped during the upgrade. You can select this method, if you upgrade a ClusterXL or a VSX Cluster. You can select this method, if you upgrade a 3rd party cluster (VRRP on Gaia). |
This upgrade method requires a substantial maintenance window. Duration of this upgrade is as long as it takes to upgrade all Cluster Members. |
None |
Select this method, if you cannot have any network downtime and need to complete the upgrade quickly, with a minimal number of dropped connections. During this type of upgrade, there is always at least one Active Cluster Member in cluster that handles traffic. All connections that were initiated through a Cluster Member that runs the old version, are dropped when you upgrade that Cluster Member to a new version, because Cluster Members that run different Check Point software versions, cannot synchronize connections. Network connectivity, however, remains available during the upgrade, and connections initiated through an upgraded cluster member are not dropped. You can select this method, if you upgrade a ClusterXL or a VSX Cluster. You can select this method, if you upgrade a 3rd party cluster (VRRP on Gaia). |
This upgrade method requires a relatively short maintenance window to drop old connections. Duration of this upgrade is relatively short. |
This upgrade method does not support Dynamic Routing connections. |
Cluster state "Ready" during a cluster upgrade:
When Cluster Members of different versions are on the same network, Cluster Members of the new (upgraded) version remain in the state Ready, and Cluster Members of the previous version remain in state Active Attention. Cluster Members in the state Ready do not process traffic and do not synchronize with other Cluster Members.
To prevent Cluster Members from being in the state "Ready":
Option |
Instructions |
---|---|
1 |
Perform these steps:
|
2 |
Perform these steps:
|
For more information, see sk42096: Cluster member is stuck in 'Ready' state.
Cluster Control Protocol (CCP) packets between Cluster Members that run different software versions during the upgrade:
We do not recommend to connect interfaces of multiple clusters to the same network segment (same VLAN, same switch). For more information about issues in this topology, see sk25977: Connecting multiple clusters to the same network segment (same VLAN, same switch).
In R80.10 and above, the Cluster Members automatically set the value of the 5th byte of the Source MAC address (MAC magic) in all types of CCP packets (CCP Delta Sync packets, CCP Health Check packets, forwarded packets).
When you upgrade the current Cluster Members to R80.10 or above, the upgraded Cluster Members (after you install the Access Control policy on them for the first time) automatically set the value of the 5th byte of the CCP Source MAC address to the same value they detect in the 5th byte of the CCP Source MAC address from the old Cluster Members of the same cluster.
Example for a cluster upgrade from R77.20
fwha_mac_magic
= 200fwha_mac_forward_magic
= 201MAC magic
= 200MAC forward magic
= 201