1

Back up your current configuration.

Important - Back up both the Management Server and the VSX Cluster Members. Follow sk100395: How to backup and restore VSX gateway.

2

See the Upgrade Options and Prerequisites.

3

See the Planning a Cluster Upgrade.

4

Upgrade the Management Server and Log Servers to R80.20 version.

5

Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade.

The VSX Cluster Member M1 is the Active.

The VSX Cluster Members M2 and M3 are Standby.

1. On the Management Server - upgrade the configuration of the VSX Cluster object to R80.20.
2. Upgrade, or Clean Install the Standby VSX Cluster Members M2 and M3.

   The upgraded VSX Cluster Members M2 and M3 change their cluster state to Ready.

   The old VSX Cluster Member M1 changes its cluster state to Active Attention.

3. From the Management Server, reconfigure the Standby VSX Cluster Members M2 and M3.
4. Disconnect the upgraded VSX Cluster Members M2 and M3 from their networks.
5. On one of the upgraded VSX Cluster Members (M2), connect the Sync cable.
6. Start the Optimal Service Upgrade - on the Active old VSX Cluster Member M1 and on the connected upgraded VSX Cluster Member M2.
7. Stop the Optimal Service Upgrade - on the Active old VSX Cluster Member M1 and on the connected upgraded VSX Cluster Member M2.
8. Disconnect the Active old VSX Cluster Member M1 from its networks.
9. Reconnect the upgraded VSX Cluster Members M2 and M3 (one by one) to their networks.
10. Upgrade, or Clean Install the old VSX Cluster Member M1.
11. From the Management Server, reconfigure the VSX Cluster Member M1.
12. Cluster states of the VSX Cluster Members are: one is Active, others are Standby.
13. On each VSX Cluster Member, change the CCP mode to Auto.
14. Install the Threat Prevention Policy on the VSX Cluster object.

1

Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Cluster.

2

Log in to the Expert mode.

3

On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Cluster object:

mdsenv <IP Address or Name of Main Domain Management Server>

4

Upgrade the configuration of the VSX Cluster object to R80.20:

4A

Run:

vsx_util upgrade

This command is interactive.

4B

Enter these details to log in to the management database:

• IP address of the Security Management Server or Main Domain Management Server that manages this VSX Cluster
• Management Server administrator's username
• Management Server administrator's password

4C

Select your VSX Cluster.

4D

Select R80.20.

4E

For auditing purposes, save the vsx_util log file:

• On a Security Management Server:

  /opt/CPsuite-R80.20/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

• On a Multi-Domain Server:

  /opt/CPmds-R80.20/customers/<Name_of_Domain>/CPsuite-R80.20/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

5

Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster.

6

From the left navigation panel, click Gateways & Servers.

7

Open the VSX Cluster object.

8

From the left navigation tree, click the General Properties page.

9

Make sure in the Platform section, the Version field shows R80.20.

10

Click Cancel (do not click OK).

Note - If you click OK, the Management Server pushes the VSX configuration to the VSX Cluster Members. Because the VSX Cluster Members are not upgraded yet, this operation would fail.

Upgrade to R80.20 with CPUSE

See Installing Software Packages on Gaia.

Follow the applicable action plan for the local or central installation.

Select the R80.20 package and perform Upgrade.

Clean Install of R80.20 with CPUSE

See Installing Software Packages on Gaia.

Follow the applicable action plan for the local or central installation.

Select the R80.20 package and perform Clean Install.

Clean Install of R80.20 from scratch

See Installing a VSX Cluster.

1. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).
2. After you complete the Gaia First Time Configuration Wizard and reboot, run the vsx_util reconfigure command on the Management Server to push the VSX configuration to the VSX Cluster Member. You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Cluster Member.

Upgrade to R80.20 with CPUSE

See Installing Software Packages on Gaia.

Follow the applicable action plan for the local or central installation.

Select the R80.20 package and perform Upgrade.

Clean Install of R80.20 with CPUSE

See Installing Software Packages on Gaia.

Follow the applicable action plan for the local or central installation.

Select the R80.20 package and perform Clean Install.

Clean Install of R80.20 from scratch

See Installing a VSX Cluster.

1. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).
2. After you complete the Gaia First Time Configuration Wizard and reboot, run the vsx_util reconfigure command on the Management Server to push the VSX configuration to the VSX Cluster Member. You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Cluster Member.

1

Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster.

2

From the left navigation panel, click Gateways & Servers.

3

Click Install Policy.

4

In the Install Policy window:

1. In the Policy field, select the applicable Access Control Policy that is called:

   <Name_of_VSX_Cluster_object>_VSX

2. In the Install Mode section, configure these two options:
   • Select Install on each selected gateway independently.
   • Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
3. Click Install.

5

The Access Control Policy successfully installs on the upgraded VSX Cluster Members M2 and M3.

The Access Control Policy installation fails on the old VSX Cluster Member M1 with a warning. Ignore this warning.

1

Connect to the command line on each VSX Cluster Member.

2

Examine the cluster state:

• In Gaia Clish (R80.20 and above), run:

  set virtual-system 0

  show cluster state

• In Expert mode, run:

  vsenv 0

  cphaprob state

Notes:

• The cluster states of the upgraded VSX Cluster Members M2 and M3 are Ready.
• The cluster state of the old VSX Cluster Member M1 is Active Attention.

1

Select one VSX Cluster Member M1 to process the current connections.

2

Completely disconnect all other VSX Cluster Members M2 and M3 from their networks (this includes the Management Server).

1

Connect all the cables to one of the upgraded VSX Cluster Members M2.

2

Make sure traffic (for example, pings) can pass on the Sync interface to the old VSX Cluster Member M1.

1

Connect to the command line on the old VSX Cluster Member M1.

2

Log in to the Expert mode.

3

Start the Optimal Service Upgrade:

[Expert@MemberOld:0]# cphaosu start

1

Connect to the command line on the connected upgraded VSX Cluster Member M2.

2

Log in to the Expert mode.

3

Start the Optimal Service Upgrade:

[Expert@MemberNew:0]# cphaosu start

1

Connect to the command line on the old VSX Cluster Member M1.

2

Log in to the Expert mode.

3

Monitor the amount of traffic for some time:

[Expert@MemberOld:0]# cphaosu stat

4

When the old VSX Cluster Member does not have many connections (in your opinion), stop the Optimal Service Upgrade:

[Expert@MemberOld:0]# cphaosu finish

1

Connect to the command line on the connected upgraded VSX Cluster Member M2.

2

Log in to the Expert mode.

4

Stop the Optimal Service Upgrade:

[Expert@MemberNew:0]# cphaosu finish

1

Connect to the command line on the upgraded VSX Cluster Member M2.

2

Log in to the Expert mode.

3

Stop the cluster:

[Expert@MemberNew:0]# cphastop

4

Connect the upgraded VSX Cluster Member M2 to all its network (this includes the Management Server)

5

Start the cluster:

[Expert@MemberNew:0]# cphastart

1

Connect to the command line on the upgraded VSX Cluster Member M3.

2

Log in to the Expert mode.

3

Stop the cluster:

[Expert@MemberNew:0]# cphastop

4

Connect the upgraded VSX Cluster Member M3 to all its network (this includes the Management Server)

5

Start the cluster:

[Expert@MemberNew:0]# cphastart

Upgrade to R80.20 with CPUSE

See Installing Software Packages on Gaia.

Follow the applicable action plan for the local or central installation.

Select the R80.20 package and perform Upgrade.

Clean Install of R80.20 with CPUSE

See Installing Software Packages on Gaia.

Follow the applicable action plan for the local or central installation.

Select the R80.20 package and perform Clean Install.

Clean Install of R80.20 from scratch

See Installing a VSX Cluster.

1. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).
2. After you complete the Gaia First Time Configuration Wizard and reboot, run the vsx_util reconfigure command on the Management Server to push the VSX configuration to the VSX Cluster Member. You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Cluster Member.

1

Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VSX Cluster.

2

From the left navigation panel, click Gateways & Servers.

3

Click Install Policy.

4

In the Install Policy window:

1. In the Policy field, select the applicable Access Control Policy that is called:

   <Name_of_VSX_Cluster_object>_VSX

2. In the Install Mode section, select these two options:
   • Install on each selected gateway independently
   • For gateway clusters, if installation on a cluster member fails, do not install on that cluster
3. Click Install.

5

The Access Control Policy successfully installs on all the VSX Cluster Members.

1

Connect to the command line on each VSX Cluster Member.

2

Log in to the Expert mode.

3

Examine the VSX state:

vsenv 0

vsx stat -v

Notes:

• Make sure all the configured Virtual Devices are loaded.
• Make sure all Virtual Systems and Virtual Routers have policy and SIC.

1

Connect to the command line on each VSX Cluster Member.

2

Examine the cluster state:

• In Gaia Clish (R80.20 and above), run:

  set virtual-system 0

  show cluster state

• In Expert mode, run:

  vsenv 0

  cphaprob state

Note - The cluster states of the VSX Cluster Members are: one is Active, others are Standby.

1

Connect to the command line on each VSX Cluster Member.

2

Change the CCP mode:

• In Gaia Clish, run:

  set virtual-system 0

  set cluster member ccp auto

  save config

• In Expert mode, run:

  vsenv 0

  cphaconf set_ccp auto

Notes:

• This change does not require a reboot.
• This change applies immediately and survives reboot.

3

Make sure the CCP mode is set to Auto:

• In Gaia Clish, run:

  set virtual-system 0

  show cluster members interfaces all

• In Expert mode, run:

  vsenv 0

  cphaprob -a if

1

Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VSX Cluster.

2

From the left navigation panel, click Gateways & Servers.

3

Click Install Policy.

4

In the Policy field, select the applicable Threat Prevention Policy.

5

Click Install.

1

Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages the Virtual Systems on this VSX Cluster.

2

From the left navigation panel, click Logs & Monitor > Logs.

3

Examine the logs from Virtual Systems on this VSX Cluster to make sure they inspect the traffic as expected.