Connectivity Upgrade of a VSX Cluster

The procedure below describes an example VSX Cluster with three members M1, M2 and M3. However, it can be used for clusters that consist of two or more members.

Cluster States	General Upgrade Workflow
The VSX Cluster Member M1 has the lowest Cluster Member ID and is the Active member. The VSX Cluster Members M2 and M3 are Standby.	On the Management Server - upgrade the configuration of the VSX Cluster object to R80.20. Upgrade, or Clean Install the Standby VSX Cluster Members M2 and M3. The VSX Cluster Members M2 and M3 change their cluster state to Ready. The VSX Cluster Member M1 changes its cluster state to Active(!). From the Management Server, reconfigure the Standby VSX Cluster Members M2 and M3. Stop all the upgraded VSX Cluster Members (for example, M3), except one (for example, M2). Start and finish the Connectivity Upgrade on the working upgraded VSX Cluster Member M2. Perform a controlled cluster failover from the Active old VSX Cluster Member M1 to the upgraded and synchronized VSX Cluster Member M2. The upgraded VSX Cluster Member M2 changes its cluster state to Active. Start the upgraded VSX Cluster Members that were stopped (M3). Upgrade, or Clean Install the old VSX Cluster Member M1. From the Management Server, reconfigure the VSX Cluster Member M1. Cluster states of the members are: one is Active, others are Standby. On each cluster member, change the CCP mode to Auto. Install the Threat Prevention Policy on the VSX Cluster object.

Cluster States

General Upgrade Workflow

The VSX Cluster Member M1 has the lowest Cluster Member ID and is the Active member.

The VSX Cluster Members M2 and M3 are Standby.

On the Management Server - upgrade the configuration of the VSX Cluster object to R80.20.
Upgrade, or Clean Install the Standby VSX Cluster Members M2 and M3.
The VSX Cluster Members M2 and M3 change their cluster state to Ready.

The VSX Cluster Member M1 changes its cluster state to Active(!).
From the Management Server, reconfigure the Standby VSX Cluster Members M2 and M3.
Stop all the upgraded VSX Cluster Members (for example, M3), except one (for example, M2).
Start and finish the Connectivity Upgrade on the working upgraded VSX Cluster Member M2.
Perform a controlled cluster failover from the Active old VSX Cluster Member M1 to the upgraded and synchronized VSX Cluster Member M2.
The upgraded VSX Cluster Member M2 changes its cluster state to Active.
Start the upgraded VSX Cluster Members that were stopped (M3).
Upgrade, or Clean Install the old VSX Cluster Member M1.
From the Management Server, reconfigure the VSX Cluster Member M1.
Cluster states of the members are: one is Active, others are Standby.
On each cluster member, change the CCP mode to Auto.
Install the Threat Prevention Policy on the VSX Cluster object.

Step 1 of 21: On the Management Server - Upgrade the configuration of the VSX Cluster object to R80.20

Step	Description
1	Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Cluster.
2	Log in to the Expert mode.
3	On a Multi-Domain Server, switch to the context of the Main Domain Management Server that manages this VSX Cluster object: `mdsenv <`IP Address or Name of Main Domain Management Server`>`
4	Upgrade the configuration of the VSX Cluster object to R80.20:
4A	Run: `vsx_util upgrade` This command is interactive.
4B	Enter these details to log in to the management database: IP address of the Security Management Server or Main Domain Management Server that manages this VSX Gateway Management Server administrator's username Management Server administrator's password
4C	Select your VSX Cluster.
4D	Select the R80.20.
4E	For auditing purposes, save the `vsx_util` log file: On a Security Management Server: `/opt/CPsuite-R80.20/fw1/log/vsx_util_`YYYYMMDD_HH_MM`.log` On a Multi-Domain Server: `/opt/CPmds-R80.20/customers/<`Name_of_Domain`>/CPsuite-R80.20/fw1/log/vsx_util_`YYYYMMDD_HH_MM`.log`
5	Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
6	From the left navigation panel, click Gateways & Servers.
7	Open the VSX Cluster object.
8	From the left navigation tree, click the General Properties page.
9	Make sure in the Platform section, the Version field shows R80.20.
10	Click Cancel (do not click OK).

Step 2 of 21: Get the R80.20 image

Step	Description
1	Download the applicable R80.20 image from the R80.20 Home Page SK - CPUSE upgrade image, or Clean Install image.
2	Transfer the upgrade image to the current VSX Cluster Members to some directory (for example, `/var/log/path_to_upgrade_image/`). Note - Make sure to transfer the file in the binary mode.

Step

Description

Download the applicable R80.20 image from the R80.20 Home Page SK - CPUSE upgrade image, or Clean Install image.

Transfer the upgrade image to the current VSX Cluster Members to some directory (for example, /var/log/path_to_upgrade_image/).

Note - Make sure to transfer the file in the binary mode.

Step 3 of 21: On each VSX Cluster Member - Examine the cluster state and get the Cluster Member IDs

Step	Description
1	Connect to the command line on each VSX Cluster Member.
2	Log in to the Expert mode.
3	Examine the cluster state: `vsenv 0` `cphaprob state` Identify the VSX Cluster Member with the lowest Cluster Member ID.

Step

Description

Connect to the command line on each VSX Cluster Member.

Examine the cluster state:

vsenv 0

cphaprob state

Identify the VSX Cluster Member with the lowest Cluster Member ID.

Step 4 of 21: On all VSX Cluster Members with higher Cluster Member IDs - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

Upgrade or perform Clean Install on all of the VSX Cluster Members (in our example, M2 and M3),
except for the VSX Cluster Member with the lowest Cluster Member ID (in our example, M1).

For upgrade instructions (recommended), see Upgrading a VSX Gateway with CPUSE.
Note that you already upgraded the configuration of the VSX Cluster object to R80.20.
For clean install instructions, see Installing a VSX Cluster.

Notes:

You must reboot the VSX Cluster Member after the upgrade or clean install.
Configure dynamic routing based on the Connectivity Upgrade Limitations.

Step 5 of 21: In SmartConsole - Install the Access Control Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Click Install Policy.
4	In the Install Policy window: In the Policy field, select the applicable Access Control Policy that is called: <Name_of_VSX_Cluster_object>_VSX In the Install Mode section, configure these two options: Select Install on each selected gateway independently. Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster. Click Install.
5	The Access Control Policy successfully installs on the upgraded VSX Cluster Members M2 and M3. The Access Control Policy installation fails on the old VSX Cluster Member M1 with a warning. Ignore this warning.

Step 6 of 21: On each VSX Cluster Member - Examine the cluster state

Step	Description
1	Connect to the command line on each VSX Cluster Member.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `set virtual-system 0` `show cluster state` In Expert mode, run: `vsenv 0` `cphaprob state` Notes: The cluster states of the upgraded members M2 and M3 are Ready. The cluster state of the old member M1 is Active(!).

Step

Description

Connect to the command line on each VSX Cluster Member.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
set virtual-system 0

show cluster state
In Expert mode, run:
vsenv 0

cphaprob state

Notes:

The cluster states of the upgraded members M2 and M3 are Ready.
The cluster state of the old member M1 is Active(!).

Step 7 of 21: Stop all, except one, of the upgraded VSX Cluster Members

Step	Description
1	Connect to the command line on all the upgraded VSX Cluster Members M2 and M3.
2	Stop all Check Point services on all upgraded members (for example, M3), except one (for example, M2): `cpstop`

Step

Description

Connect to the command line on all the upgraded VSX Cluster Members M2 and M3.

Stop all Check Point services on all upgraded members (for example, M3), except one (for example, M2):

cpstop

Step 8 of 21: On each VSX Cluster Member - Examine the cluster state

Step	Description
1	Connect to the command line on each VSX Cluster Member.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `set virtual-system 0` `show cluster state` In Expert mode, run: `vsenv 0` `cphaprob state` Notes: The cluster state of the working upgraded member M2 is Ready. The cluster state of the stopped upgraded members M3 is HA not started. The cluster state of the old member M1 is Active(!).

Step

Description

Connect to the command line on each VSX Cluster Member.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
set virtual-system 0

show cluster state
In Expert mode, run:
vsenv 0

cphaprob state

Notes:

The cluster state of the working upgraded member M2 is Ready.
The cluster state of the stopped upgraded members M3 is HA not started.
The cluster state of the old member M1 is Active(!).

Step 9 of 21: On the working upgraded VSX Cluster Member - Start the Connectivity Upgrade

Step	Description
1	Connect to the command line on the working upgraded VSX Cluster Member M2.
2	Log in to the Expert mode.
3	Start the Connectivity Upgrade: If you wish to synchronize the dynamic routing information during the upgrade: `cphacu start` If you do not wish to synchronize the dynamic routing information during the upgrade: `cphacu start no_dr`

Step

Description

Connect to the command line on the working upgraded VSX Cluster Member M2.

Start the Connectivity Upgrade:

If you wish to synchronize the dynamic routing information during the upgrade:
cphacu start
If you do not wish to synchronize the dynamic routing information during the upgrade:
cphacu start no_dr

Step 10 of 21: On the old VSX Cluster Member - Make sure it handles the traffic

Step	Description
1	Connect to the command line on the Active old VSX Cluster Member M1.
2	Log in to the Expert mode.
3	Make sure it handles the traffic: `cphacu stat`

Step

Description

Connect to the command line on the Active old VSX Cluster Member M1.

Make sure it handles the traffic:

cphacu stat

Step 11 of 21: On the working upgraded VSX Cluster Member - Make sure the Connectivity Upgrade is complete

Step	Description
1	When the Connectivity Upgrade finishes on the working upgraded VSX Cluster Member M2, this message shows: `Connectivity upgrade status: Ready for Failover`
2	If you synchronized the Dynamic Routing information: Connect to the command line on both the working upgraded VSX Cluster Member M2 and on the Active old VSX Cluster Member M1. Log in to Gaia Clish. Examine the routes in each applicable Virtual System: `set virtual-system <`VSID`>` `show route summary` Make sure that the dynamic routes on the working upgraded VSX Cluster Member M2 match the dynamic routes on the Active old VSX Cluster Member M1.

Step

Description

When the Connectivity Upgrade finishes on the working upgraded VSX Cluster Member M2, this message shows:

Connectivity upgrade status: Ready for Failover

If you synchronized the Dynamic Routing information:

Connect to the command line on both the working upgraded VSX Cluster Member M2 and on the Active old VSX Cluster Member M1.
Log in to Gaia Clish.
Examine the routes in each applicable Virtual System:
set virtual-system <VSID>

show route summary

Make sure that the dynamic routes on the working upgraded VSX Cluster Member M2 match the dynamic routes on the Active old VSX Cluster Member M1.

Step 12 of 21: On the stopped upgraded VSX Cluster Members - Start all Check Point services

Step	Description
1	Connect to the command line on the stopped upgraded VSX Cluster Members (in our example, M3).
2	Start all Check Point services: `cpstart`

Step

Description

Connect to the command line on the stopped upgraded VSX Cluster Members (in our example, M3).

Start all Check Point services:

cpstart

Step 13 of 21: On each VSX Cluster Member - Examine the cluster state

Step	Description
1	Connect to the command line on each VSX Cluster Member.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `set virtual-system 0` `show cluster state` In Expert mode, run: `vsenv 0` `cphaprob state` Notes: The cluster states of the upgraded members M2 and M3 are Down. The cluster state of the old member M1 is Active(!).

Step

Description

Connect to the command line on each VSX Cluster Member.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
set virtual-system 0

show cluster state
In Expert mode, run:
vsenv 0

cphaprob state

Notes:

The cluster states of the upgraded members M2 and M3 are Down.
The cluster state of the old member M1 is Active(!).

Step 14 of 21: On the Active old VSX Cluster Member - Stop all Check Point services

Step	Description
1	Connect to the command line on the Active old VSX Cluster Member M1.
2	Stop all Check Point services: `cpstop` Important - At this moment, the connections fail over from the old VSX Cluster Member M1 to the Active upgraded VSX Cluster Member (M2 or M3).

Step

Description

Connect to the command line on the Active old VSX Cluster Member M1.

Stop all Check Point services:

cpstop

Important - At this moment, the connections fail over from the old VSX Cluster Member M1 to the Active upgraded VSX Cluster Member (M2 or M3).

Step 15 of 21: On the upgraded VSX Cluster Members - Examine the cluster state and make sure the Active handles the traffic

Step	Description
1	Connect to the command line on the upgraded VSX Cluster Members M2 and M3.
2	Examine the cluster state: In Gaia Clish, run: `set virtual-system 0` `show cluster state` In Expert mode, run: `vsenv 0` `cphaprob state` Notes: The cluster states of the upgraded members M2 and M3 are: one is Active, the other is Standby. The cluster state of the old member M1 is either ClusterXL is inactive, or the machine is down, or Down.
3	Make sure the Active upgraded member handles the traffic: `cphacu stat`
4	Make sure to stop the Connectivity Upgrade on the Active upgraded member. Log in to the Expert mode and run: `cphacu stop`

Step 16 of 21: On the former Active old VSX Cluster Member - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

For upgrade instructions, see Upgrading a VSX Gateway with CPUSE.
Note that you already upgraded the configuration of the VSX Cluster object to R80.20.
For clean install instructions, see Installing a Security Gateway.

Notes:

You must reboot the VSX Cluster Member after the upgrade or clean install.
Configure dynamic routing based on the Connectivity Upgrade Limitations.

Step 17 of 21: In SmartConsole - Install the Access Control Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Click Install Policy.
4	In the Install Policy window: In the Policy field, select the applicable Access Control Policy that is called: <Name_of_VSX_Cluster_object>_VSX In the Install Mode section, select these two options: Install on each selected gateway independently For gateway clusters, if installation on a cluster member fails, do not install on that cluster Click Install.
5	The Access Control Policy successfully installs on all the VSX Cluster Members.

Step 18 of 21: On each VSX Cluster Member - Examine the cluster state

Step	Description
1	Connect to the command line on each cluster member.
2	Examine the cluster state: In Gaia Clish, run: `set virtual-system 0` `show cluster state` In Expert mode, run: `vsenv 0` `cphaprob state` Note - Cluster states of the members are: one is Active, others are Standby.

Step

Description

Connect to the command line on each cluster member.

Examine the cluster state:

In Gaia Clish, run:
set virtual-system 0

show cluster state
In Expert mode, run:
vsenv 0

cphaprob state

Note - Cluster states of the members are: one is Active, others are Standby.

Step 19 of 21: On each VSX Cluster Member - Change the CCP mode to Auto

Step	Description
1	Connect to the command line on each VSX Cluster Member.
2	Change the CCP mode: In Gaia Clish, run: `set virtual-system 0` `set cluster member ccp auto` `save config` In Expert mode, run: `vsenv 0` `cphaconf set_ccp auto` Notes: This change does not require a reboot. This change applies immediately and survives reboot.
3	Make sure the CCP mode is set to Auto: In Gaia Clish, run: `show cluster members interfaces all` In Expert mode, run: `cphaprob -a if`

Step

Description

Connect to the command line on each VSX Cluster Member.

Change the CCP mode:

In Gaia Clish, run:
set virtual-system 0

set cluster member ccp auto

save config
In Expert mode, run:
vsenv 0

cphaconf set_ccp auto

Notes:

This change does not require a reboot.
This change applies immediately and survives reboot.

Make sure the CCP mode is set to Auto:

In Gaia Clish, run:
show cluster members interfaces all
In Expert mode, run:
cphaprob -a if

Step 20 of 21: In SmartConsole - Install the Threat Prevention Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VSX Cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Click Install Policy.
4	In the Policy field, select the applicable Threat Prevention Policy.
5	Click Install.

Step 21 of 21: Test the functionality

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2	From the left navigation panel, click Logs & Monitor > Logs.
3	Examine the logs from Virtual Systems on this VSX Cluster to make sure they inspect the traffic as expected.

For more information, see the: