Important:
|
The procedure below describes an example High Availability cluster with three members M1, M2 and M3. However, it can be used for clusters that consist of two or more members.
Cluster States |
General Upgrade Workflow |
---|---|
The cluster member M1 is the Active member. The cluster members M2 and M3 are Standby. |
|
Step 1 of 20: Get the R80.20 image
Download the applicable R80.20 image from the R80.20 Home Page SK - CPUSE upgrade image, or Clean Install image.
/var/log/path_to_upgrade_image/
). Make sure to transfer the file in the binary mode.Step 2 of 20: On the Standby cluster member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Notes:
Step 3 of 20: On the Standby cluster member M3 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Notes:
Step 4 of 20: In SmartConsole - Modify the Cluster object and install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the Cluster object. |
4 |
From the left navigation tree, click the General Properties page. |
5 |
In the Platform section > Version field, select R80.20. |
6 |
Click OK. |
7 |
Click Install Policy. |
8 |
In the Install Policy window:
|
9 |
The Access Control Policy successfully installs on the upgraded cluster members M2 and M3. The Access Control Policy installation fails on the old cluster member M1 with a warning. Ignore this warning. |
Step 5 of 20: On each cluster member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each cluster member. |
2 |
Examine the cluster state:
Notes:
|
Step 6 of 20: Stop all, except one, of the upgraded Standby cluster members
Step |
Description |
---|---|
1 |
Connect to the command line on all the upgraded cluster members (for example, M3), except one (for example, M2). |
2 |
Stop all Check Point services on all the upgraded members (for example, M3), except one (for example, M2):
|
Step 7 of 20: On each cluster member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each cluster member. |
2 |
Examine the cluster state:
Notes:
|
Step 8 of 20: On the working upgraded cluster member - Start the Connectivity Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the working upgraded cluster member M2. |
2 |
Log in to the Expert mode. |
3 |
Start the Connectivity Upgrade:
|
Step 9 of 20: On the old cluster member - Make sure it handles the traffic
Step |
Description |
---|---|
1 |
Connect to the command line on the Active old cluster member M1. |
2 |
Log in to the Expert mode. |
3 |
Make sure it handles the traffic:
|
Step 10 of 20: On the working upgraded cluster member - Make sure the Connectivity Upgrade is complete
Step |
Description |
---|---|
1 |
When the Connectivity Upgrade finishes on the working upgraded cluster member M2, this message shows:
|
2 |
If you synchronized the Dynamic Routing information:
Make sure that the dynamic routes on the working upgraded cluster member M2 match the dynamic routes on the Active old cluster member M1. |
Step 11 of 20: On the stopped upgraded cluster member - Start all Check Point services
Step |
Description |
---|---|
1 |
Connect to the command line on the stopped upgraded cluster members (in our example, M3). |
2 |
Start all Check Point services:
|
Step 12 of 20: On each cluster member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each cluster member. |
2 |
Examine the cluster state:
Notes:
|
Step 13 of 20: On the Active old cluster member - Stop all Check Point services
Step |
Description |
---|---|
1 |
Connect to the command line on the Active old cluster member M1. |
2 |
Stop all Check Point services:
Important - At this moment, the connections fail over from the old cluster member M1 to the Active upgraded cluster member (M2 or M3). |
Step 14 of 20: On the upgraded cluster members - Examine the cluster state and make sure the Active handles the traffic
Step |
Description |
---|---|
1 |
Connect to the command line on the upgraded cluster members M2 and M3. |
2 |
Examine the cluster state:
Notes:
|
3 |
Make sure the Active upgraded member handles the traffic:
|
Step 15 of 20: On the former Active old cluster member - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Notes:
Step 16 of 20: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on all the cluster members. |
Step 17 of 20: On each cluster member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each cluster member. |
2 |
Examine the cluster state:
Note - Cluster states of the members are: one is Active, others are Standby. |
Step 18 of 20: On each cluster member - Change the CCP mode to Auto
Step |
Description |
---|---|
1 |
Connect to the command line on each cluster member. |
2 |
Change the CCP mode:
Notes:
|
3 |
Make sure the CCP mode is set to Auto:
|
Step 19 of 20: In SmartConsole - Install the Threat Prevention Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Policy field, select the applicable Threat Prevention Policy |
5 |
Click Install. |
Step 20 of 20: Test the functionality
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Logs & Monitor > Logs. |
3 |
Examine the logs from this Cluster to make sure it inspects the traffic as expected. |
For more information: