Important - Before you upgrade a cluster:
Step |
Description |
---|---|
1 |
Back up your current configuration. Important - Back up both the Management Server and the VSX Cluster Members. Follow sk100395: How to backup and restore VSX gateway. |
2 |
See the Upgrade Options and Prerequisites. |
3 |
See the Planning a Cluster Upgrade. |
4 |
Upgrade the Management Server and Log Servers to R80.20 version. |
5 |
Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade. |
The procedure below describes an example VSX Cluster with three Cluster Members M1, M2 and M3. However, you can use it for clusters that consist of two or more Cluster Members.
Cluster States |
General Upgrade Action Plan |
---|---|
The VSX Cluster Member M1 is the Active. The VSX Cluster Members M2 and M3 are Standby. |
|
Workflow:
Step 1 of 21: On the Management Server - Upgrade the configuration of the VSX Cluster object to R80.20
Step |
Description |
---|---|
1 |
Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Cluster. |
2 |
Log in to the Expert mode. |
3 |
On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Cluster object:
|
4 |
Upgrade the configuration of the VSX Cluster object to R80.20: |
4A |
Run:
This command is interactive. |
4B |
Enter these details to log in to the management database:
|
4C |
Select your VSX Cluster. |
4D |
Select R80.20. |
4E |
For auditing purposes, save the
|
5 |
Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster. |
6 |
From the left navigation panel, click Gateways & Servers. |
7 |
Open the VSX Cluster object. |
8 |
From the left navigation tree, click the General Properties page. |
9 |
Make sure in the Platform section, the Version field shows R80.20. |
10 |
Click Cancel (do not click OK). Note - If you click OK, the Management Server pushes the VSX configuration to the VSX Cluster Members. Because the VSX Cluster Members are not upgraded yet, this operation would fail. |
Step 2 of 21: On the VSX Cluster Member M2 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Installation Method |
Instructions |
---|---|
Upgrade to R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade. |
Clean Install of R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install. |
Clean Install of R80.20 from scratch |
|
Note - You must reboot the VSX Cluster Member after the upgrade or clean install.
Step 3 of 21: On the VSX Cluster Member M3 - Upgrade to R80.20 with CPUSE, or perform a Clean Install of R80.20
Installation Method |
Instructions |
---|---|
Upgrade to R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade. |
Clean Install of R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install. |
Clean Install of R80.20 from scratch |
|
Note - You must reboot the VSX Cluster Member after the upgrade or clean install.
Step 4 of 21: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages this VSX Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on the upgraded VSX Cluster Members M2 and M3. The Access Control Policy installation fails on the old VSX Cluster Member M1 with a warning. Ignore this warning. |
Step 5 of 21: On each VSX Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Examine the cluster state:
Notes:
|
Step 6 of 21: Disconnect the upgraded VSX Cluster Members M2 and M3 from their networks
Step |
Description |
---|---|
1 |
Select one VSX Cluster Member M1 to process the current connections. |
2 |
Completely disconnect all other VSX Cluster Members M2 and M3 from their networks (this includes the Management Server). |
Step 7 of 21: On one of the upgraded VSX Cluster Members M2 connect the Sync cable
Step |
Description |
---|---|
1 |
Connect all the cables to one of the upgraded VSX Cluster Members M2. |
2 |
Make sure traffic (for example, pings) can pass on the Sync interface to the old VSX Cluster Member M1. |
Step 8 of 21: On the old VSX Cluster Member M1 - Start the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the old VSX Cluster Member M1. |
2 |
Log in to the Expert mode. |
3 |
Start the Optimal Service Upgrade:
|
Step 9 of 21: On the connected upgraded VSX Cluster Member M2 - Start the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the connected upgraded VSX Cluster Member M2. |
2 |
Log in to the Expert mode. |
3 |
Start the Optimal Service Upgrade:
|
Step 10 of 21: On the old VSX Cluster Member M1 - Stop the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the old VSX Cluster Member M1. |
2 |
Log in to the Expert mode. |
3 |
Monitor the amount of traffic for some time:
|
4 |
When the old VSX Cluster Member does not have many connections (in your opinion), stop the Optimal Service Upgrade:
|
Step 11 of 21: On the connected upgraded VSX Cluster Member M2 - Stop the Optimal Service Upgrade
Step |
Description |
---|---|
1 |
Connect to the command line on the connected upgraded VSX Cluster Member M2. |
2 |
Log in to the Expert mode. |
4 |
Stop the Optimal Service Upgrade:
|
Step 12 of 21: Disconnect the old VSX Cluster Member M1 from its networks
Completely disconnect the old VSX Cluster Member M1 from its networks (this includes the Management Server).
Step 13 of 21: Reconnect the upgraded VSX Cluster Member M2 to its networks
Step |
Description |
---|---|
1 |
Connect to the command line on the upgraded VSX Cluster Member M2. |
2 |
Log in to the Expert mode. |
3 |
Stop the cluster:
|
4 |
Connect the upgraded VSX Cluster Member M2 to all its network (this includes the Management Server) |
5 |
Start the cluster:
|
Step 14 of 21: Reconnect the upgraded VSX Cluster Member M3 to its networks
Step |
Description |
---|---|
1 |
Connect to the command line on the upgraded VSX Cluster Member M3. |
2 |
Log in to the Expert mode. |
3 |
Stop the cluster:
|
4 |
Connect the upgraded VSX Cluster Member M3 to all its network (this includes the Management Server) |
5 |
Start the cluster:
|
Step 15 of 21: On the old VSX Cluster Member M1 - Upgrade with CPUSE, or perform a Clean Install
Upgrade or perform Clean Install for all the VSX Cluster Members (in our example, M2 and M3),
except for the VSX Cluster Member with the lowest Cluster Member ID (in our example, M1).
Installation Method |
Instructions |
---|---|
Upgrade to R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Upgrade. |
Clean Install of R80.20 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.20 package and perform Clean Install. |
Clean Install of R80.20 from scratch |
|
Note - You must reboot the VSX Cluster Member after the upgrade or clean install.
Step 16 of 21: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VSX Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on all the VSX Cluster Members. |
Step 17 of 21: On each VSX Cluster Member - Examine the VSX state
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Log in to the Expert mode. |
3 |
Examine the VSX state:
Notes:
|
Step 18 of 21: On each VSX Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Examine the cluster state:
Note - The cluster states of the VSX Cluster Members are: one is Active, others are Standby. |
Step 19 of 21: On each VSX Cluster Member - Change the CCP mode to Auto
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Change the CCP mode:
Notes:
|
3 |
Make sure the CCP mode is set to Auto:
|
Step 20 of 21: In SmartConsole - Install the Threat Prevention Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Domain Management Server that manages this VSX Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Policy field, select the applicable Threat Prevention Policy. |
5 |
Click Install. |
Step 21 of 21: Test the functionality
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.20 Security Management Server or Main Domain Management Server that manages the Virtual Systems on this VSX Cluster. |
2 |
From the left navigation panel, click Logs & Monitor > Logs. |
3 |
Examine the logs from Virtual Systems on this VSX Cluster to make sure they inspect the traffic as expected. |
For more information, see the: