Zero Downtime Upgrade of a VSX Cluster

Important - Before you upgrade a cluster:

  1. Back up your current configuration.

    Important - Back up both the Management Server and the VSX Cluster Members. Follow sk100395: How to backup and restore VSX gateway.

  2. See the Upgrade Options and Prerequisites.
  3. See the Planning a Cluster Upgrade.
  4. Upgrade the Management Server and Log Servers to R80.30 version.
  5. Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade.

The procedure below describes an example VSX Cluster with three Cluster Members M1, M2 and M3. However, you can use it for clusters that consist of two or more Cluster Members.

Cluster States:

The VSX Cluster Member M1 is Active.

The VSX Cluster Members M2 and M3 are Standby.

General Upgrade Action Plan:

  1. On the Management Server - upgrade the configuration of the VSX Cluster object to R80.30.
  2. Upgrade, or Clean Install the Standby VSX Cluster Member M2 and M3.

    The upgraded VSX Cluster Members M2 and M3 change their cluster state to Ready.

    The old VSX Cluster Member M1 changes its cluster state to Active Attention.

  3. From the Management Server, reconfigure the Standby VSX Cluster Members M2 and M3.
  4. Perform a controlled cluster failover from the Active old VSX Cluster Member M1.
  5. The upgraded VSX Cluster Member M2 (or M3) changes its cluster state to Active.

    The other upgraded VSX Cluster Member M3 (or M2) changes its cluster state to Standby.

  6. Upgrade, or Clean Install the old VSX Cluster Member M1.
  7. From the Management Server, reconfigure the VSX Cluster Member M1.
  8. Cluster states of the VSX Cluster Members are: one is Active, others are Standby.
  9. On each VSX Cluster Member, change the CCP mode to Auto.
  10. Install the Threat Prevention Policy on the VSX Cluster object.

Workflow:

  1. On the Management Server - Upgrade the configuration of the VSX Cluster object to R80.30
  2. On each VSX Cluster Member - Change the CCP mode to Broadcast
  3. On the VSX Cluster Member M2 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
  4. On the VSX Cluster Member M3 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
  5. In SmartConsole - Install the Access Control Policy
  6. On each VSX Cluster Member - Examine the cluster state
  7. On the old VSX Cluster Member M1 - Stop all Check Point services
  8. On the upgraded VSX Cluster Members M2 and M3 - Examine the cluster state
  9. On the old VSX Cluster Member M1 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
  10. In SmartConsole - Install the Access Control Policy
  11. On each VSX Cluster Member - Examine the VSX state
  12. On each VSX Cluster Member - Examine the cluster state
  13. On each VSX Cluster Member - Change the CCP mode to Auto
  14. In SmartConsole - Install the Threat Prevention Policy
  15. Test the functionality

Step 1 of 15: On the Management Server - Upgrade the configuration of the VSX Cluster object to R80.30

  1. Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Cluster.
  2. Log in to the Expert mode.
  3. On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Cluster:

    mdsenv <IP Address or Name of Main Domain Management Server>

  4. Upgrade the configuration of the VSX Cluster object to R80.30:

    4A. Run:

      vsx_util upgrade

      This command is interactive.

    4B. Enter these details to log in to the management database:
      • IP address of the Security Management Server or Main Domain Management Server that manages this VSX Cluster
      • Management Server administrator's username
      • Management Server administrator's password

    4C. Select your VSX Cluster.

    4D. Select R80.30.

    4E. For auditing purposes, save the vsx_util log file:
      • On a Security Management Server:

        /opt/CPsuite-R80.30/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

      • On a Multi-Domain Server:

        /opt/CPmds-R80.30/customers/<Name_of_Domain>/CPsuite-R80.30/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

  5. Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
  6. From the left navigation panel, click Gateways & Servers.
  7. Open the VSX Cluster object.
  8. From the left navigation tree, click the General Properties page.
  9. Make sure in the Platform section, the Version field shows R80.30.
  10. Click Cancel (do not click OK).

Step 2 of 15: On each VSX Cluster Member - Change the CCP mode to Broadcast

To avoid possible problems with switches around the VSX Cluster during the upgrade, we recommend changing the Cluster Control Protocol (CCP) mode to Broadcast.

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to the Expert mode.
  3. Change the CCP mode to Broadcast:

    cphaconf set_ccp broadcast

    Notes:
    • This change does not require a reboot.
    • This change applies immediately and survives reboot.

  4. Make sure the CCP mode is set to Broadcast:

    cphaprob -a if

Step 3 of 15: On the VSX Cluster Member M2 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30

Installation methods and instructions:

  • Upgrade to R80.30 with CPUSE:

    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Upgrade.

  • Clean Install of R80.30 with CPUSE:

    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Clean Install.

  • Clean Install of R80.30 from scratch:

    See Installing a VSX Cluster.

  1. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).
  2. After you complete the Gaia First Time Configuration Wizard and reboot, run the vsx_util reconfigure command on the Management Server to push the VSX configuration to the VSX Cluster Member. You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Cluster Member.

Note - You must reboot the VSX Cluster Member after the upgrade or clean install.

Step 4 of 15: On the VSX Cluster Member M3 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30

Installation methods and instructions:

  • Upgrade to R80.30 with CPUSE:

    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Upgrade.

  • Clean Install of R80.30 with CPUSE:

    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Clean Install.

  • Clean Install of R80.30 from scratch:

    See Installing a VSX Cluster.

  1. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).
  2. After you complete the Gaia First Time Configuration Wizard and reboot, run the vsx_util reconfigure command on the Management Server to push the VSX configuration to the VSX Cluster Member. You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Cluster Member.

Note - You must reboot the VSX Cluster Member after the upgrade or clean install.

Step 5 of 15: In SmartConsole - Install the Access Control Policy

  1. Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
  2. From the left navigation panel, click Gateways & Servers.
  3. Click Install Policy.
  4. In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy that is called:

      <Name_of_VSX_Cluster_object>_VSX

    2. In the Install Mode section, configure these two options:
      • Select "Install on each selected gateway independently".
      • Clear "For gateway clusters, if installation on a cluster member fails, do not install on that cluster".
    3. Click Install.

  5. The Access Control Policy successfully installs on the upgraded VSX Cluster Members M2 and M3.

    The Access Control Policy installation fails on the old VSX Cluster Member M1 with a warning. Ignore this warning.

Step 6 of 15: On each VSX Cluster Member - Examine the cluster state

  1. Connect to the command line on each VSX Cluster Member.
  2. Examine the cluster state:
    • In Gaia Clish (R80.20 and above), run:

      set virtual-system 0
      show cluster state

    • In Expert mode, run:

      vsenv 0
      cphaprob state

    Notes:
    • The cluster states of the upgraded VSX Cluster Members M2 and M3 are Ready.
    • The cluster state of the old VSX Cluster Member M1 is Active Attention.

Step 7 of 15: On the old VSX Cluster Member M1 - Stop all Check Point services

  1. Connect to the command line on the old VSX Cluster Member M1.
  2. Stop all Check Point services:

    cpstop

    Notes:
    • This forces a controlled cluster failover from the old VSX Cluster Member M1 to one of the upgraded VSX Cluster Members.
    • At this moment, all connections that were initiated through the old VSX Cluster Member M1 are dropped (because Cluster Members with different software versions cannot synchronize).

Step 8 of 15: On the upgraded VSX Cluster Members M2 and M3 - Examine the cluster state

  1. Connect to the command line on each VSX Cluster Member.
  2. Examine the cluster state:
    • In Gaia Clish (R80.20 and above), run:

      set virtual-system 0
      show cluster state

    • In Expert mode, run:

      vsenv 0
      cphaprob state

    Notes:
    • One of the VSX Cluster Members (M2 or M3) changes its cluster state to Active.

      The other VSX Cluster Member (M3 or M2) changes its cluster state to Standby.

Step 9 of 15: On the old VSX Cluster Member M1 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30

Installation methods and instructions:

  • Upgrade to R80.30 with CPUSE:

    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Upgrade.

  • Clean Install of R80.30 with CPUSE:

    See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Clean Install.

  • Clean Install of R80.30 from scratch:

    See Installing a VSX Cluster.

  1. In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).
  2. After you complete the Gaia First Time Configuration Wizard and reboot, run the vsx_util reconfigure command on the Management Server to push the VSX configuration to the VSX Cluster Member. You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Cluster Member.

Note - You must reboot the VSX Cluster Member after the upgrade or clean install.

Step 10 of 15: In SmartConsole - Install the Access Control Policy

  1. Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
  2. From the left navigation panel, click Gateways & Servers.
  3. Click Install Policy.
  4. In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy that is called:

      <Name_of_VSX_Cluster_object>_VSX

    2. In the Install Mode section, select these two options:
      • "Install on each selected gateway independently"
      • "For gateway clusters, if installation on a cluster member fails, do not install on that cluster"
    3. Click Install.

  5. The Access Control Policy successfully installs on all the VSX Cluster Members.

Step 11 of 15: On each VSX Cluster Member - Examine the VSX state

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to the Expert mode.
  3. Examine the VSX state:

    vsenv 0
    vsx stat -v

    Notes:
    • Make sure all the configured Virtual Devices are loaded.
    • Make sure all Virtual Systems and Virtual Routers have policy and SIC.

Step 12 of 15: On each VSX Cluster Member - Examine the cluster state

  1. Connect to the command line on each VSX Cluster Member.
  2. Examine the cluster state:
    • In Gaia Clish (R80.20 and above), run:

      set virtual-system 0
      show cluster state

    • In Expert mode, run:

      vsenv 0
      cphaprob state

    Note - The cluster states of the VSX Cluster Members are: one is Active, others are Standby.

Step 13 of 15: On each VSX Cluster Member - Change the CCP mode to Auto

  1. Connect to the command line on each VSX Cluster Member.
  2. Change the CCP mode:
    • In Gaia Clish, run:

      set virtual-system 0
      set cluster member ccp auto
      save config

    • In Expert mode, run:

      vsenv 0
      cphaconf set_ccp auto

    Notes:
    • This change does not require a reboot.
    • This change applies immediately and survives reboot.

  3. Make sure the CCP mode is set to Auto:
    • In Gaia Clish, run:

      set virtual-system 0
      show cluster members interfaces all

    • In Expert mode, run:

      vsenv 0
      cphaprob -a if

Step 14 of 15: In SmartConsole - Install the Threat Prevention Policy

  1. Connect with SmartConsole to the R80.30 Security Management Server or Domain Management Server that manages this VSX Cluster.
  2. From the left navigation panel, click Gateways & Servers.
  3. Click Install Policy.
  4. In the Policy field, select the applicable Threat Prevention Policy.
  5. Click Install.

Step 15 of 15: Test the functionality

  1. Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages the Virtual Systems on this VSX Cluster.
  2. From the left navigation panel, click Logs & Monitor > Logs.
  3. Examine the logs from Virtual Systems on this VSX Cluster to make sure they inspect the traffic as expected.
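
The cluster-state checks in Steps 6, 8 and 12 can be scripted as a gate, most usefully before cpstop in Step 7, which drops the connections that go through M1. The script below is an added example, not part of the Check Point procedure: the row layout it parses, the function name check_stage and the stage names pre-failover, post-failover and final are assumptions, and the sample outputs are constructed.

```shell
#!/bin/bash
# Added example: gate each upgrade stage on the states that `cphaprob state` reports.
# Assumption: member rows look like "<ID> [(local)] <address> <load> <state> [name]".

# check_stage <stage> reads the command output on stdin; exit status 0 means the
# states match what the procedure expects at that stage.
check_stage() {
    awk -v stage="$1" '
        /^[0-9]+/ {
            sub(/\(local\)/, "")        # drop the marker so the columns line up
            s = toupper($4)
            # Assumed spellings: "Active Attention" or "ACTIVE(!)".
            if (s ~ /^ACTIVE\(!/ || (s == "ACTIVE" && toupper($5) == "ATTENTION"))
                s = "ATTENTION"
            n[s]++; total++
        }
        END {
            if (stage == "pre-failover")        # Step 6: old member still carries traffic
                ok = (total >= 2 && n["ATTENTION"] == 1 && n["READY"] == total - 1)
            else if (stage == "post-failover")  # Step 8: upgraded members took over
                ok = (n["ACTIVE"] == 1 && n["STANDBY"] >= 1 && n["READY"] + n["ATTENTION"] == 0)
            else if (stage == "final")          # Step 12: one Active, others Standby
                ok = (total >= 2 && n["ACTIVE"] == 1 && n["STANDBY"] == total - 1)
            exit(ok ? 0 : 1)
        }'
}

# Constructed sample outputs (not captured from a real cluster).
sample_step6() { cat <<'EOF'
Cluster Mode:   High Availability (Active Up)
ID         Unique Address  Assigned Load   State

1 (local)  192.0.2.1       100%            Active Attention
2          192.0.2.2       0%              Ready
3          192.0.2.3       0%              Ready
EOF
}
sample_step12() { cat <<'EOF'
ID         Unique Address  Assigned Load   State          Name

1          192.0.2.1       0%              STANDBY        M1
2 (local)  192.0.2.2       100%            ACTIVE         M2
3          192.0.2.3       0%              STANDBY        M3
EOF
}

# On a member, in Expert mode: vsenv 0; cphaprob state | check_stage pre-failover
sample_step6  | check_stage pre-failover && echo "Step 6 states as expected"
sample_step12 | check_stage final        && echo "Step 12 states as expected"
```

A non-zero exit status from check_stage means the member states differ from what the procedure expects at that stage, so the next step should wait until the state is understood.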

For more information, see the: