Connectivity Upgrade of a VRRP Cluster

Notes for VRRP Clusters on Gaia:

VRRP Clusters support only two cluster members.
Connectivity Upgrade without Dynamic Routing synchronization supports upgrades:
- from R7x to R80.20 and above
- from R7x to R80.10
- from R7x to "R77.30DR"
- from R7x to "R77.20DR"
Connectivity Upgrade with Dynamic Routing synchronization supports upgrades only:
- from R80.10 to R80.20, and above
- from R77.30 to R80.10, and above
You must install the R80.20 Jumbo Hotfix Accumulator - Take 17 and above (to resolve PMTR-23850)

The procedure below describes an example VRRP Cluster with two members M1 and M2.

Cluster States	General Upgrade Workflow
The cluster member M1 is the VRRP Master. The cluster member M2 is the VRRP Backup.	Make sure the VRRP states are correct. On the VRRP Master cluster member M1, enable the Monitor Firewall State feature. Upgrade, or Clean Install the VRRP Backup cluster member M2. The upgraded VRRP Cluster Member M2 changes its cluster state to Ready. The old cluster member M1 (VRRP Master) changes its cluster state to Active(!). Install the R80.20 Jumbo Hotfix Accumulator on the upgraded VRRP Cluster Member M2. In SmartConsole, change the version of the VRRP Cluster object to R80.20. Install the Access Control Policy on the upgraded VRRP Cluster Member M2. Start and finish the Connectivity Upgrade on the upgraded VRRP Cluster Member M2. Perform a controlled cluster failover from the old VRRP Cluster Member M1 (VRRP Master) to the upgraded and synchronized VRRP Cluster Member M2. The upgraded VRRP Cluster Member M2 changes its cluster state to Active. Upgrade, or Clean Install the old VRRP Cluster Member M1. Install the R80.20 Jumbo Hotfix Accumulator on the upgraded VRRP Cluster Member M1. Install the Access Control Policy on the VRRP Cluster object. Cluster states of the members are: one is VRRP Master, the other is VRRP Backup. On each cluster member, change the CCP mode to Auto. Install the Threat Prevention Policy on the VRRP Cluster object.

Cluster States

General Upgrade Workflow

The cluster member M1 is the VRRP Master.

The cluster member M2 is the VRRP Backup.

Make sure the VRRP states are correct.
On the VRRP Master cluster member M1, enable the Monitor Firewall State feature.
Upgrade, or Clean Install the VRRP Backup cluster member M2.
The upgraded VRRP Cluster Member M2 changes its cluster state to Ready.

The old cluster member M1 (VRRP Master) changes its cluster state to Active(!).
Install the R80.20 Jumbo Hotfix Accumulator on the upgraded VRRP Cluster Member M2.
In SmartConsole, change the version of the VRRP Cluster object to R80.20.
Install the Access Control Policy on the upgraded VRRP Cluster Member M2.
Start and finish the Connectivity Upgrade on the upgraded VRRP Cluster Member M2.
Perform a controlled cluster failover from the old VRRP Cluster Member M1 (VRRP Master) to the upgraded and synchronized VRRP Cluster Member M2.
The upgraded VRRP Cluster Member M2 changes its cluster state to Active.
Upgrade, or Clean Install the old VRRP Cluster Member M1.
Install the R80.20 Jumbo Hotfix Accumulator on the upgraded VRRP Cluster Member M1.
Install the Access Control Policy on the VRRP Cluster object.
Cluster states of the members are: one is VRRP Master, the other is VRRP Backup.
On each cluster member, change the CCP mode to Auto.
Install the Threat Prevention Policy on the VRRP Cluster object.

Step 1 of 25: On each VRRP Cluster Member - Examine the VRRP state

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Log in to Gaia Clish.
3	Examine the VRRP state: `show vrrp` Notes: Make sure that all the interfaces on one member are in the VRRP Master state. Make sure that all the interfaces on the other member are in the VRRP Backup state. Make sure that the VRRP interface priorities are higher on the VRRP Master member than on the VRRP Backup member.

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the VRRP state:

show vrrp

Notes:

Make sure that all the interfaces on one member are in the VRRP Master state.
Make sure that all the interfaces on the other member are in the VRRP Backup state.
Make sure that the VRRP interface priorities are higher on the VRRP Master member than on the VRRP Backup member.

Step 2 of 25: On the VRRP Master cluster member M1 - Examine the Critical Devices

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Log in to Gaia Clish, or Expert mode.
3	Examine the Critical Devices: `cphaprob list` Make sure there are no Critical Devices that report their state as problem.

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the Critical Devices:

cphaprob list

Make sure there are no Critical Devices that report their state as problem.

Step 3 of 25: On the VRRP Master cluster member M1 - Enable the Monitor Firewall State feature

Enable the Monitor Firewall State feature (if not already enabled) in one of these ways:

Where	Instructions
In Gaia Clish	Run: `set vrrp monitor-firewall on` `save config`
Gaia Portal	Perform these steps: From the left navigation tree, click High Availability > VRRP. In the VRRP Global Settings section, enable Monitor Firewall State. Click Apply Global Settings.

Where

Instructions

In Gaia Clish

Run:

set vrrp monitor-firewall on
save config

Gaia Portal

Perform these steps:

From the left navigation tree, click High Availability > VRRP.
In the VRRP Global Settings section, enable Monitor Firewall State.
Click Apply Global Settings.

Step 4 of 25: On the VRRP Master cluster member M1 - Make sure it is still the VRRP Master:

Where	Instructions
In Gaia Clish	Run: `show vrrp summary`
Gaia Portal	Perform these steps: From the left navigation tree, click High Availability > VRRP page. In the upper right corner, click Monitoring. In the VRRP Monitor section, select Summary. Click Reload. In the VRRP Summary section, examine the VRRP Router State.

Where

Instructions

In Gaia Clish

Run:

show vrrp summary

Gaia Portal

Perform these steps:

From the left navigation tree, click High Availability > VRRP page.
In the upper right corner, click Monitoring.
In the VRRP Monitor section, select Summary.
Click Reload.
In the VRRP Summary section, examine the VRRP Router State.

Step 5 of 25: Get the R80.20 image

Download the applicable R80.20 image from the R80.20 Home Page SK - CPUSE upgrade image, or Clean Install image.

If you plan to perform the upgrade in Gaia Portal, use this upgrade image from the computer, on which you connect to Gaia Portal.
If you plan to perform the upgrade in Gaia Clish, then transfer the upgrade image to the current cluster members to some directory (for example, /var/log/path_to_upgrade_image/). Make sure to transfer the file in the binary mode.

Step 6 of 25: On the VRRP Backup cluster member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

For upgrade instructions, see Upgrading a Security Gateway with CPUSE
For clean install instructions, see Installing a VRRP Cluster.

Notes:

You must reboot the cluster member after the upgrade or clean install.
You must disable the preemptive mode (if it is enabled).
Configure dynamic routing based on the Connectivity Upgrade Limitations.

Step 7 of 25: On the upgraded VRRP Cluster Member M2 - Install the R80.20 Jumbo Hotfix Accumulator

You must install Take 17 and above.

Follow the instructions in sk137592.

Step 8 of 25: In SmartConsole - Modify the Cluster object and install the Access Control Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Open the VRRP Cluster object.
4	From the left navigation tree, click the General Properties page.
5	In the Platform section > Version field, select R80.20.
6	Click OK.
7	Click Install Policy.
8	In the Install Policy window: In the Policy field, select the applicable Access Control Policy In the Install Mode section, configure these two options: Select Install on each selected gateway independently. Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster. Click Install.
9	The Access Control Policy successfully installs on the upgraded cluster member M2. The Access Control Policy installation fails on the old cluster member M1 with a warning. Ignore this warning.

Step 9 of 25: On each VRRP Cluster Member - Examine the cluster state

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Examine the cluster state: In Gaia Clish, run: `show cluster state` In Expert mode, run: `cphaprob state` Notes: The cluster state of the upgraded VRRP Cluster Member M2 is Ready. The cluster state of the old VRRP Cluster Member M1 is Active(!).

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the cluster state:

In Gaia Clish, run:
show cluster state
In Expert mode, run:
cphaprob state

Notes:

The cluster state of the upgraded VRRP Cluster Member M2 is Ready.
The cluster state of the old VRRP Cluster Member M1 is Active(!).

Step 10 of 25: On each VRRP Cluster Member - Examine the VRRP state

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Log in to Gaia Clish.
3	Examine the VRRP state: `show vrrp` Notes: Make sure that all the interfaces on the old VRRP Cluster Member are in the VRRP Master state. Make sure that all the interfaces on the upgraded VRRP Cluster Member are in the VRRP Backup state.

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the VRRP state:

show vrrp

Notes:

Make sure that all the interfaces on the old VRRP Cluster Member are in the VRRP Master state.
Make sure that all the interfaces on the upgraded VRRP Cluster Member are in the VRRP Backup state.

Step 11 of 25: On the upgraded VRRP Cluster Member M2 - Start the Connectivity Upgrade

Step	Description
1	Connect to the command line on the upgraded VRRP Cluster Member M2.
2	Log in to the Expert mode.
3	Start the Connectivity Upgrade: If you wish to synchronize the dynamic routing information during the upgrade: `cphacu start` If you do not wish to synchronize the dynamic routing information during the upgrade: `cphacu start no_dr`

Step

Description

Connect to the command line on the upgraded VRRP Cluster Member M2.

Start the Connectivity Upgrade:

If you wish to synchronize the dynamic routing information during the upgrade:
cphacu start
If you do not wish to synchronize the dynamic routing information during the upgrade:
cphacu start no_dr

Step 12 of 25: On the old VRRP Cluster Member M1 - Make sure it handles the traffic

Step	Description
1	Connect to the command line on the old VRRP Cluster Member M1.
2	Log in to the Expert mode.
3	Make sure it handles the traffic: `cphacu stat`

Step

Description

Connect to the command line on the old VRRP Cluster Member M1.

Make sure it handles the traffic:

cphacu stat

Step 13 of 25: On the upgraded VRRP Cluster Member M2 - Make sure the Connectivity Upgrade is complete

Step	Description
1	When the Connectivity Upgrade finishes on the upgraded VRRP Cluster Member M2, this message shows: `Connectivity upgrade status: Ready for Failover`
2	If you synchronized the Dynamic Routing information: Connect to the command line on both the upgraded VRRP Cluster Member M2 and on the old VRRP Cluster Member M1. Log in to Gaia Clish. Examine the routes: `show route summary` Make sure that the dynamic routes on the upgraded VRRP Cluster Member M2 match the dynamic routes on the old VRRP Cluster Member M1.

Step

Description

When the Connectivity Upgrade finishes on the upgraded VRRP Cluster Member M2, this message shows:

Connectivity upgrade status: Ready for Failover

If you synchronized the Dynamic Routing information:

Connect to the command line on both the upgraded VRRP Cluster Member M2 and on the old VRRP Cluster Member M1.
Log in to Gaia Clish.
Examine the routes:
show route summary

Make sure that the dynamic routes on the upgraded VRRP Cluster Member M2 match the dynamic routes on the old VRRP Cluster Member M1.

Step 14 of 25: On each VRRP Cluster Member - Examine the cluster state

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `show cluster state` In Expert mode, run: `cphaprob state` Notes: The cluster state of the upgraded VRRP Cluster Member M2 is Down. The cluster state of the old VRRP Cluster Member M1 is Active(!).

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
show cluster state
In Expert mode, run:
cphaprob state

Notes:

The cluster state of the upgraded VRRP Cluster Member M2 is Down.
The cluster state of the old VRRP Cluster Member M1 is Active(!).

Step 15 of 25: On each VRRP Cluster Member - Examine the VRRP state

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Log in to Gaia Clish.
3	Examine the VRRP state: `show vrrp` Notes: Make sure that all the interfaces on the upgraded VRRP Cluster Member are in the VRRP Master state. Make sure that all the interfaces on the old VRRP Cluster Member are in the VRRP Backup state. Make sure that the VRRP interface priorities on the old VRRP Cluster Member are lower than on the upgraded VRRP Cluster Member. This helps prevent the possibility of unwanted failover.

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the VRRP state:

show vrrp

Notes:

Make sure that all the interfaces on the upgraded VRRP Cluster Member are in the VRRP Master state.
Make sure that all the interfaces on the old VRRP Cluster Member are in the VRRP Backup state.
Make sure that the VRRP interface priorities on the old VRRP Cluster Member are lower than on the upgraded VRRP Cluster Member. This helps prevent the possibility of unwanted failover.

Step 16 of 25: On the old VRRP Cluster Member M1 - Stop all Check Point services

Step	Description
1	Connect to the command line on the old VRRP Cluster Member M1.
2	Stop all Check Point services: `cpstop` Important - At this moment, the connections fail over from the old VRRP Cluster Member M1 to the upgraded VRRP Cluster Member M2.

Step

Description

Connect to the command line on the old VRRP Cluster Member M1.

Stop all Check Point services:

cpstop

Important - At this moment, the connections fail over from the old VRRP Cluster Member M1 to the upgraded VRRP Cluster Member M2.

Step 17 of 25: On the upgraded VRRP Cluster Member M2 - Examine the cluster state and make sure it handles the traffic

Step	Description
1	Connect to the command line on the upgraded VRRP Cluster Member M2.
2	Examine the cluster state: In Gaia Clish (R80.20 and above), run: `show cluster state` In Expert mode, run: `cphaprob state` Notes: The cluster state of the upgraded VRRP Cluster Member M2 is Active. The cluster state of the old VRRP Cluster Member M1 is either ClusterXL is inactive, or the machine is down, or Down.
3	Make sure the upgraded VRRP Cluster Member handles the traffic: `cphacu stat`

Step

Description

Connect to the command line on the upgraded VRRP Cluster Member M2.

Examine the cluster state:

In Gaia Clish (R80.20 and above), run:
show cluster state
In Expert mode, run:
cphaprob state

Notes:

The cluster state of the upgraded VRRP Cluster Member M2 is Active.
The cluster state of the old VRRP Cluster Member M1 is either ClusterXL is inactive, or the machine is down, or Down.

Make sure the upgraded VRRP Cluster Member handles the traffic:

cphacu stat

Step 18 of 25: On the old VRRP Cluster Member M1 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20

For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
For clean install instructions, see Installing a VRRP Cluster.

Notes:

You must reboot the cluster member after the upgrade or clean install.
Configure dynamic routing based on the Connectivity Upgrade Limitations.

Step 19 of 25: On the upgraded VRRP Cluster Member M1 - Install the R80.20 Jumbo Hotfix Accumulator

You must install Take 17 and above.

You must install the same Take you installed on the VRRP Cluster Member M2.

Follow the instructions in sk137592.

Step 20 of 25: In SmartConsole - Install the Access Control Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Click Install Policy.
4	In the Install Policy window: In the Policy field, select the applicable Access Control Policy In the Install Mode section, select these two options: Install on each selected gateway independently For gateway clusters, if installation on a cluster member fails, do not install on that cluster Click Install.
5	The Access Control Policy successfully installs on all the cluster members.

Step 21 of 25: On each VRRP Cluster Member - Examine the cluster state

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Examine the cluster state: In Gaia Clish, run: `show cluster state` In Expert mode, run: `cphaprob state` Note - Cluster states of the VRRP Cluster Members are: one is Active, the other is Standby.

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the cluster state:

In Gaia Clish, run:
show cluster state
In Expert mode, run:
cphaprob state

Note - Cluster states of the VRRP Cluster Members are: one is Active, the other is Standby.

Step 22 of 25: On each VRRP Cluster Member - Examine the VRRP state

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Log in to Gaia Clish.
3	Examine the VRRP state: `show vrrp` Notes: Make sure that all the interfaces on one VRRP Cluster Member are in the VRRP Master state. Make sure that all the interfaces on the other VRRP Cluster Member are in the VRRP Backup state.

Step

Description

Connect to the command line on each VRRP Cluster Member.

Examine the VRRP state:

show vrrp

Notes:

Make sure that all the interfaces on one VRRP Cluster Member are in the VRRP Master state.
Make sure that all the interfaces on the other VRRP Cluster Member are in the VRRP Backup state.

Step 23 of 25: On each VRRP Cluster Member - Change the CCP mode to Auto

Step	Description
1	Connect to the command line on each VRRP Cluster Member.
2	Change the CCP mode: In Gaia Clish, run: `set cluster member ccp auto` `save config` In Expert mode, run: `cphaconf set_ccp auto` Notes: This change does not require a reboot. This change applies immediately and survives reboot.
3	Make sure the CCP mode is set to Auto: In Gaia Clish, run: `show cluster members interfaces all` In Expert mode, run: `cphaprob -a if`

Step

Description

Connect to the command line on each VRRP Cluster Member.

Change the CCP mode:

In Gaia Clish, run:
set cluster member ccp auto

save config
In Expert mode, run:
cphaconf set_ccp auto

Notes:

This change does not require a reboot.
This change applies immediately and survives reboot.

Make sure the CCP mode is set to Auto:

In Gaia Clish, run:
show cluster members interfaces all
In Expert mode, run:
cphaprob -a if

Step 24 of 25: In SmartConsole - Install the Threat Prevention Policy

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster.
2	From the left navigation panel, click Gateways & Servers.
3	Click Install Policy.
4	In the Policy field, select the applicable Threat Prevention Policy.
5	Click Install.

Step 25 of 25: Test the functionality

Step	Description
1	Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VRRP Cluster.
2	From the left navigation panel, click Logs & Monitor > Logs.
3	Examine the logs from this VRRP Cluster to make sure it inspects the traffic as expected.

For more information:

See the R80.20 ClusterXL Administration Guide.