Notes for VRRP Clusters on Gaia:
The procedure below describes an example VRRP Cluster with two members M1 and M2.
Cluster States |
General Upgrade Workflow |
---|---|
The cluster member M1 is the VRRP Master. The cluster member M2 is the VRRP Backup. |
|
Step 1 of 25: On each VRRP Cluster Member - Examine the VRRP state
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Log in to Gaia Clish. |
3 |
Examine the VRRP state:
Notes:
|
Step 2 of 25: On the VRRP Master cluster member M1 - Examine the Critical Devices
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Log in to Gaia Clish, or Expert mode. |
3 |
Examine the Critical Devices:
Make sure there are no Critical Devices that report their state as problem. |
Step 3 of 25: On the VRRP Master cluster member M1 - Enable the Monitor Firewall State feature
Enable the Monitor Firewall State feature (if not already enabled) in one of these ways:
Where |
Instructions |
---|---|
In Gaia Clish |
Run:
|
Gaia Portal |
Perform these steps:
|
Step 4 of 25: On the VRRP Master cluster member M1 - Make sure it is still the VRRP Master:
Where |
Instructions |
---|---|
In Gaia Clish |
Run:
|
Gaia Portal |
Perform these steps:
|
Step 5 of 25: Get the R80.20 image
Download the applicable R80.20 image from the R80.20 Home Page SK - CPUSE upgrade image, or Clean Install image.
/var/log/path_to_upgrade_image/
). Make sure to transfer the file in the binary mode.Step 6 of 25: On the VRRP Backup cluster member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Notes:
Step 7 of 25: On the upgraded VRRP Cluster Member M2 - Install the R80.20 Jumbo Hotfix Accumulator
You must install Take 17 and above.
Follow the instructions in sk137592.
Step 8 of 25: In SmartConsole - Modify the Cluster object and install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the VRRP Cluster object. |
4 |
From the left navigation tree, click the General Properties page. |
5 |
In the Platform section > Version field, select R80.20. |
6 |
Click OK. |
7 |
Click Install Policy. |
8 |
In the Install Policy window:
|
9 |
The Access Control Policy successfully installs on the upgraded cluster member M2. The Access Control Policy installation fails on the old cluster member M1 with a warning. Ignore this warning. |
Step 9 of 25: On each VRRP Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Examine the cluster state:
Notes:
|
Step 10 of 25: On each VRRP Cluster Member - Examine the VRRP state
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Log in to Gaia Clish. |
3 |
Examine the VRRP state:
Notes:
|
Step 11 of 25: On the upgraded VRRP Cluster Member M2 - Start the Connectivity Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the upgraded VRRP Cluster Member M2. |
2 |
Log in to the Expert mode. |
3 |
Start the Connectivity Upgrade:
|
Step 12 of 25: On the old VRRP Cluster Member M1 - Make sure it handles the traffic
Step |
Description |
---|---|
1 |
Connect to the command line on the old VRRP Cluster Member M1. |
2 |
Log in to the Expert mode. |
3 |
Make sure it handles the traffic:
|
Step 13 of 25: On the upgraded VRRP Cluster Member M2 - Make sure the Connectivity Upgrade is complete
Step |
Description |
---|---|
1 |
When the Connectivity Upgrade finishes on the upgraded VRRP Cluster Member M2, this message shows:
|
2 |
If you synchronized the Dynamic Routing information:
Make sure that the dynamic routes on the upgraded VRRP Cluster Member M2 match the dynamic routes on the old VRRP Cluster Member M1. |
Step 14 of 25: On each VRRP Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Examine the cluster state:
Notes:
|
Step 15 of 25: On each VRRP Cluster Member - Examine the VRRP state
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Log in to Gaia Clish. |
3 |
Examine the VRRP state:
Notes:
|
Step 16 of 25: On the old VRRP Cluster Member M1 - Stop all Check Point services
Step |
Description |
---|---|
1 |
Connect to the command line on the old VRRP Cluster Member M1. |
2 |
Stop all Check Point services:
Important - At this moment, the connections fail over from the old VRRP Cluster Member M1 to the upgraded VRRP Cluster Member M2. |
Step 17 of 25: On the upgraded VRRP Cluster Member M2 - Examine the cluster state and make sure it handles the traffic
Step |
Description |
---|---|
1 |
Connect to the command line on the upgraded VRRP Cluster Member M2. |
2 |
Examine the cluster state:
Notes:
|
3 |
Make sure the upgraded VRRP Cluster Member handles the traffic:
|
Step 18 of 25: On the old VRRP Cluster Member M1 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Notes:
Step 19 of 25: On the upgraded VRRP Cluster Member M1 - Install the R80.20 Jumbo Hotfix Accumulator
You must install Take 17 and above.
You must install the same Take you installed on the VRRP Cluster Member M2.
Follow the instructions in sk137592.
Step 20 of 25: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on all the cluster members. |
Step 21 of 25: On each VRRP Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Examine the cluster state:
Note - Cluster states of the VRRP Cluster Members are: one is Active, the other is Standby. |
Step 22 of 25: On each VRRP Cluster Member - Examine the VRRP state
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Log in to Gaia Clish. |
3 |
Examine the VRRP state:
Notes:
|
Step 23 of 25: On each VRRP Cluster Member - Change the CCP mode to Auto
Step |
Description |
---|---|
1 |
Connect to the command line on each VRRP Cluster Member. |
2 |
Change the CCP mode:
Notes:
|
3 |
Make sure the CCP mode is set to Auto:
|
Step 24 of 25: In SmartConsole - Install the Threat Prevention Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Policy field, select the applicable Threat Prevention Policy. |
5 |
Click Install. |
Step 25 of 25: Test the functionality
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster. |
2 |
From the left navigation panel, click Logs & Monitor > Logs. |
3 |
Examine the logs from this VRRP Cluster to make sure it inspects the traffic as expected. |
For more information: