Important:
|
Important - Before you upgrade a cluster:
Step |
Description |
---|---|
1 |
|
2 |
See the Upgrade Options and Prerequisites. |
3 |
See the Planning a Cluster Upgrade. |
4 |
Upgrade the Management Server and Log Servers to R80.30 version. |
5 |
Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade. |
The procedure below describes an example cluster with three Cluster Members M1, M2 and M3. However, you can use it for clusters that consist of two or more Cluster Members.
Cluster Mode |
Cluster States |
General Upgrade Action Plan |
---|---|---|
High Availability |
The Cluster Member M1 is Active. The Cluster Members M2 and M3 are Standby. |
Action plan:
|
Workflow:
Step 1 of 15: On each Cluster Member - Change the CCP mode to Broadcast
To avoid possible problems with switches around the cluster during the upgrade, we recommend to change the Cluster Control Protocol (CCP) mode to Broadcast.
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Log in to the Expert mode. |
3 |
Change the CCP mode to Broadcast:
Notes:
|
4 |
Make sure the CCP mode is set to Broadcast:
|
Step 2 of 15: On the Cluster Member M2 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
Installation Method |
Instructions |
---|---|
Upgrade to R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Upgrade. |
Clean Install of R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Clean Install. |
Clean Install of R80.30 from scratch |
See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade). |
Note - You must reboot the Cluster Member after the upgrade or clean install.
Step 3 of 15: On the Cluster Member M3 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
Installation Method |
Instructions |
---|---|
Upgrade to R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. |
Clean Install of R80.30 |
See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade). |
Note - You must reboot the Cluster Member after the upgrade or clean install.
Step 4 of 15: In SmartConsole - Change the version of the cluster object
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the Cluster object. |
4 |
From the left navigation tree, click the General Properties page. |
5 |
In the Platform section > Version field, select R80.30. |
6 |
If you performed a Clean Install of R80.30 on the Cluster Member, then establish the Secure Internal Communication (SIC) between the Management Server and this Cluster Member:
|
7 |
Click OK to close the Gateway Cluster Properties window. |
Step 5 of 15: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Click Install Policy. |
2 |
In the Install Policy window:
|
3 |
The Access Control Policy successfully installs on the upgraded Cluster Members M2 and M3. The Access Control Policy installation fails on the old Cluster Member M1 with a warning. Ignore this warning. |
Step 6 of 15: On each Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Examine the cluster state in one of these ways:
Notes:
|
Step 7 of 15: On the old Cluster Member M1 - Stop all Check Point services
Step |
Description |
---|---|
1 |
Connect to the command line on the Cluster Member M1. |
2 |
Stop all Check Point services:
Notes:
|
Step 8 of 15: On the upgraded Cluster Members M2 and M3 - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Examine the cluster state in one of these ways:
Notes:
|
Step 9 of 15: On the old Cluster Member M1 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
Installation Method |
Instructions |
---|---|
Upgrade to R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. |
Clean Install of R80.30 |
See Installing a ClusterXL Cluster, or Installing a VRRP Cluster. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade). |
Note - You must reboot the Cluster Member after the upgrade or clean install.
Step 10 of 15: In SmartConsole - Establish SIC with the former old Cluster Member M1
This step is required only if you performed a Clean Install of R80.30 on this Cluster Member.
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages this Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the cluster object. |
4 |
From the left tree, click Cluster Members. |
5 |
Select the object of the Cluster Member M1. |
6 |
Click Edit. |
7 |
On the General tab, click the Communication button. |
8 |
Click Reset. |
9 |
In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member. |
10 |
In the Confirm one-time password field, enter the same Activation Key again. |
11 |
Click Initialize. |
12 |
The Trust state field must shows Trust established. |
13 |
Click Close to close the Communication window. |
14 |
Click OK to close the Cluster Member Properties window. |
Step 11 of 15: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on all the Cluster Members. |
Step 12 of 15: On each Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Examine the cluster state:
Notes:
|
Step 13 of 15: On each Cluster Member - Change the CCP mode to Auto
Step |
Description |
---|---|
1 |
Connect to the command line on each Cluster Member. |
2 |
Change the CCP mode:
Notes:
|
3 |
Make sure the CCP mode is set to Auto:
|
Step 14 of 15: In SmartConsole - Install the Threat Prevention Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Policy field, select the applicable Threat Prevention Policy. |
5 |
Click Install. |
Step 15 of 15: Test the functionality
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Domain Management Server that manages this cluster. |
2 |
From the left navigation panel, click Logs & Monitor > Logs. |
3 |
Examine the logs from this Cluster to make sure it inspects the traffic as expected. |
For more information: