Connectivity Upgrade of a Security Gateway Cluster

Important:

Load Sharing modes are only supported with the required R80.20 Jumbo Hotfix Accumulator. For instructions, see sk162637.
To upgrade a ClusterXL that works in a Load Sharing mode from a lower version to R80.20, follow these steps in the same maintenance window:
1. Upgrade the ClusterXL to R80.20.
2. Install the required R80.20 Jumbo Hotfix Accumulator. For instructions, see sk162637.

The procedure below describes an example High Availability cluster with three members M1, M2 and M3. However, it can be used for clusters that consist of two or more members.

Cluster States	General Upgrade Workflow
The cluster member M1 is the Active member. The cluster members M2 and M3 are Standby.	Upgrade, or Clean Install the Standby cluster members M2 and M3. The cluster members M2 and M3 change their cluster state to Ready. The cluster member M1 changes its cluster state to Active(!). In SmartConsole, change the version of the cluster object to R80.20. Install the Access Control Policy on the upgraded cluster members M2 and M3. Stop all the upgraded cluster members (for example, M3), except one (for example, M2). Start and finish the Connectivity Upgrade on the working upgraded cluster member M2. Perform a controlled cluster failover from the Active old cluster member M1 to the upgraded and synchronized cluster member M2. The upgraded cluster member M2 changes its cluster state to Active. Start the upgraded cluster members that were stopped (M3). Upgrade, or Clean Install the old cluster member M1. Install the Access Control Policy on the cluster object. Cluster states of the members are: one is Active, others are Standby. On each cluster member, change the CCP mode to Auto. Install the Threat Prevention Policy on the cluster object.

Cluster States

General Upgrade Workflow

The cluster member M1 is the Active member.

The cluster members M2 and M3 are Standby.

Upgrade, or Clean Install the Standby cluster members M2 and M3.
The cluster members M2 and M3 change their cluster state to Ready.

The cluster member M1 changes its cluster state to Active(!).
In SmartConsole, change the version of the cluster object to R80.20.
Install the Access Control Policy on the upgraded cluster members M2 and M3.
Stop all the upgraded cluster members (for example, M3), except one (for example, M2).
Start and finish the Connectivity Upgrade on the working upgraded cluster member M2.
Perform a controlled cluster failover from the Active old cluster member M1 to the upgraded and synchronized cluster member M2.
The upgraded cluster member M2 changes its cluster state to Active.
Start the upgraded cluster members that were stopped (M3).
Upgrade, or Clean Install the old cluster member M1.
Install the Access Control Policy on the cluster object.
Cluster states of the members are: one is Active, others are Standby.
On each cluster member, change the CCP mode to Auto.
Install the Threat Prevention Policy on the cluster object.

Step 1 of 20: Get the R80.20 image

Download the applicable R80.20 image from the R80.20 Home Page SK - CPUSE upgrade image, or Clean Install image.

If you plan to perform the upgrade in Gaia Portal, use this upgrade image from the computer, on which you connect to Gaia Portal.
If you plan to perform the upgrade in Gaia Clish, then transfer the upgrade image to the current cluster members to some directory (for example, /var/log/path_to_upgrade_image/). Make sure to transfer the file in the binary mode.

Step 2 of 20: On the Standby cluster member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
For clean install instructions, see Installing a ClusterXL Cluster, or Installing a VRRP Cluster.

Notes:

You must reboot the cluster member after the upgrade or clean install.
Configure dynamic routing based on the Connectivity Upgrade Known Limitations.

Step 3 of 20: On the Standby cluster member M3 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
For clean install instructions, see Installing a ClusterXL Cluster, or Installing a VRRP Cluster.

Notes:

You must reboot the cluster member after the upgrade or clean install.
Configure dynamic routing based on the Connectivity Upgrade Known Limitations.

Step 4 of 20: In SmartConsole - Modify the Cluster object and install the Access Control Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Open the Cluster object.
4	From the left navigation tree, click the General Properties page.
5	In the Platform section > Version field, select R80.20.
6	Click OK.
7	Click Install Policy.
8	In the Install Policy window: In the Policy field, select the applicable Access Control Policy In the Install Mode section, configure these two options: Select Install on each selected gateway independently. Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster. Click Install.
9	The Access Control Policy successfully installs on the upgraded cluster members M2 and M3. The Access Control Policy installation fails on the old cluster member M1 with a warning. Ignore this warning.

Step 5 of 20: On each cluster member - Examine the cluster state

Step	Description
1	Connect to the command line on each cluster member.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `show cluster state` In Expert mode, run: `cphaprob state` Notes: The cluster states of the upgraded members M2 and M3 are Ready. The cluster state of the old member M1 is Active(!).

Step

Description

Connect to the command line on each cluster member.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
show cluster state
In Expert mode, run:
cphaprob state

Notes:

The cluster states of the upgraded members M2 and M3 are Ready.
The cluster state of the old member M1 is Active(!).

Step 6 of 20: Stop all, except one, of the upgraded Standby cluster members

Step	Description
1	Connect to the command line on all the upgraded cluster members (for example, M3), except one (for example, M2).
2	Stop all Check Point services on all the upgraded members (for example, M3), except one (for example, M2): `cpstop`

Step

Description

Connect to the command line on all the upgraded cluster members (for example, M3), except one (for example, M2).

Stop all Check Point services on all the upgraded members (for example, M3), except one (for example, M2):

cpstop

Step 7 of 20: On each cluster member - Examine the cluster state

Step	Description
1	Connect to the command line on each cluster member.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `show cluster state` In Expert mode, run: `cphaprob state` Notes: The cluster state of the working upgraded member (M2) is Ready. The cluster state of the stopped upgraded members (M3) is HA not started. The cluster state of the old member M1 is Active(!).

Step

Description

Connect to the command line on each cluster member.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
show cluster state
In Expert mode, run:
cphaprob state

Notes:

The cluster state of the working upgraded member (M2) is Ready.
The cluster state of the stopped upgraded members (M3) is HA not started.
The cluster state of the old member M1 is Active(!).

Step 8 of 20: On the working upgraded cluster member - Start the Connectivity Upgrade

Step	Description
1	Connect to the command line on the working upgraded cluster member M2.
2	Log in to the Expert mode.
3	Start the Connectivity Upgrade: If you wish to synchronize the dynamic routing information during the upgrade: `cphacu start` If you do not wish to synchronize the dynamic routing information during the upgrade: `cphacu start no_dr`

Step

Description

Connect to the command line on the working upgraded cluster member M2.

Start the Connectivity Upgrade:

If you wish to synchronize the dynamic routing information during the upgrade:
cphacu start
If you do not wish to synchronize the dynamic routing information during the upgrade:
cphacu start no_dr

Step 9 of 20: On the old cluster member - Make sure it handles the traffic

Step	Description
1	Connect to the command line on the Active old cluster member M1.
2	Log in to the Expert mode.
3	Make sure it handles the traffic: `cphacu stat`

Step

Description

Connect to the command line on the Active old cluster member M1.

Make sure it handles the traffic:

cphacu stat

Step 10 of 20: On the working upgraded cluster member - Make sure the Connectivity Upgrade is complete

Step	Description
1	When the Connectivity Upgrade finishes on the working upgraded cluster member M2, this message shows: `Connectivity upgrade status: Ready for Failover`
2	If you synchronized the Dynamic Routing information: Connect to the command line on both the working upgraded cluster member M2 and on the Active old cluster member M1. Log in to Gaia Clish. Examine the routes: `show route summary` Make sure that the dynamic routes on the working upgraded cluster member M2 match the dynamic routes on the Active old cluster member M1.

Step

Description

When the Connectivity Upgrade finishes on the working upgraded cluster member M2, this message shows:

Connectivity upgrade status: Ready for Failover

If you synchronized the Dynamic Routing information:

Connect to the command line on both the working upgraded cluster member M2 and on the Active old cluster member M1.
Log in to Gaia Clish.
Examine the routes:
show route summary

Make sure that the dynamic routes on the working upgraded cluster member M2 match the dynamic routes on the Active old cluster member M1.

Step 11 of 20: On the stopped upgraded cluster member - Start all Check Point services

Step	Description
1	Connect to the command line on the stopped upgraded cluster members (in our example, M3).
2	Start all Check Point services: `cpstart`

Step

Description

Connect to the command line on the stopped upgraded cluster members (in our example, M3).

Start all Check Point services:

cpstart

Step 12 of 20: On each cluster member - Examine the cluster state

Step	Description
1	Connect to the command line on each cluster member.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `show cluster state` In Expert mode, run: `cphaprob state` Notes: The cluster states of the upgraded members M2 and M3 are Down. The cluster state of the old member M1 is Active(!).

Step

Description

Connect to the command line on each cluster member.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
show cluster state
In Expert mode, run:
cphaprob state

Notes:

The cluster states of the upgraded members M2 and M3 are Down.
The cluster state of the old member M1 is Active(!).

Step 13 of 20: On the Active old cluster member - Stop all Check Point services

Step	Description
1	Connect to the command line on the Active old cluster member M1.
2	Stop all Check Point services: `cpstop` Important - At this moment, the connections fail over from the old cluster member M1 to the Active upgraded cluster member (M2 or M3).

Step

Description

Connect to the command line on the Active old cluster member M1.

Stop all Check Point services:

cpstop

Important - At this moment, the connections fail over from the old cluster member M1 to the Active upgraded cluster member (M2 or M3).

Step 14 of 20: On the upgraded cluster members - Examine the cluster state and make sure the Active handles the traffic

Step	Description
1	Connect to the command line on the upgraded cluster members M2 and M3.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `show cluster state` In Expert mode, run: `cphaprob state` Notes: The cluster states of the upgraded members M2 and M3 are: one is Active, the other is Standby. The cluster state of the old member M1 is either ClusterXL is inactive, or the machine is down, or Down.
3	Make sure the Active upgraded member handles the traffic: `cphacu stat`

Step

Description

Connect to the command line on the upgraded cluster members M2 and M3.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
show cluster state
In Expert mode, run:
cphaprob state

Notes:

The cluster states of the upgraded members M2 and M3 are: one is Active, the other is Standby.
The cluster state of the old member M1 is either ClusterXL is inactive, or the machine is down, or Down.

Make sure the Active upgraded member handles the traffic:

cphacu stat

Step 15 of 20: On the former Active old cluster member - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
For clean install instructions, see Installing a ClusterXL Cluster, or Installing a VRRP Cluster.

Notes:

You must reboot the cluster member after the upgrade or clean install.
Configure dynamic routing based on the Connectivity Upgrade Known Limitations.

Step 16 of 20: In SmartConsole - Install the Access Control Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Click Install Policy.
4	In the Install Policy window: In the Policy field, select the applicable Access Control Policy In the Install Mode section, select these two options: Install on each selected gateway independently For gateway clusters, if installation on a cluster member fails, do not install on that cluster Click Install.
5	The Access Control Policy successfully installs on all the cluster members.

Step 17 of 20: On each cluster member - Examine the cluster state

Step	Description
1	Connect to the command line on each cluster member.
2	Examine the cluster state: In Gaia Clish, run: `show cluster state` In Expert mode, run: `cphaprob state` Note - Cluster states of the members are: one is Active, others are Standby.

Step

Description

Connect to the command line on each cluster member.

Examine the cluster state:

In Gaia Clish, run:
show cluster state
In Expert mode, run:
cphaprob state

Note - Cluster states of the members are: one is Active, others are Standby.

Step 18 of 20: On each cluster member - Change the CCP mode to Auto

Step	Description
1	Connect to the command line on each cluster member.
2	Change the CCP mode: In Gaia Clish, run: `set cluster member ccp auto` `save config` In Expert mode, run: `cphaconf set_ccp auto` Notes: This change does not require a reboot. This change applies immediately and survives reboot.
3	Make sure the CCP mode is set to Auto: In Gaia Clish, run: `show cluster members interfaces all` In Expert mode, run: `cphaprob -a if`

Step

Description

Connect to the command line on each cluster member.

Change the CCP mode:

In Gaia Clish, run:
set cluster member ccp auto

save config
In Expert mode, run:
cphaconf set_ccp auto

Notes:

This change does not require a reboot.
This change applies immediately and survives reboot.

Make sure the CCP mode is set to Auto:

In Gaia Clish, run:
show cluster members interfaces all
In Expert mode, run:
cphaprob -a if

Step 19 of 20: In SmartConsole - Install the Threat Prevention Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Click Install Policy.
4	In the Policy field, select the applicable Threat Prevention Policy
5	Click Install.

Step 20 of 20: Test the functionality

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this cluster.
2	From the left navigation panel, click Logs & Monitor > Logs.
3	Examine the logs from this Cluster to make sure it inspects the traffic as expected.

For more information:

See the R80.20 ClusterXL Administration Guide.