Important - Before you upgrade a cluster:
Step |
Description |
---|---|
1 |
Back up your current configuration. Important - Back up both the Management Server and the VSX Cluster Members. Follow sk100395: How to backup and restore VSX gateway. |
2 |
See the Upgrade Options and Prerequisites. |
3 |
See the Planning a Cluster Upgrade. |
4 |
Upgrade the Management Server and Log Servers to R80.30 version. |
5 |
Schedule a full maintenance window to make sure you can make all the desired custom configurations again after the upgrade. |
The procedure below describes an example VSX Cluster with three Cluster Members M1, M2 and M3. However, you can use it for clusters that consist of two or more Cluster Members.
Cluster States |
General Upgrade Action Plan |
---|---|
The VSX Cluster Member M1 is the Active. The VSX Cluster Members M2 and M3 are Standby. |
|
Workflow:
Step 1 of 15: On the Management Server - Upgrade the configuration of the VSX Cluster object to R80.30
Step |
Description |
---|---|
1 |
Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Cluster. |
2 |
Log in to the Expert mode. |
3 |
On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Cluster:
|
4 |
Upgrade the configuration of the VSX Cluster object to R80.30: |
4A |
Run:
This command is interactive. |
4B |
Enter these details to log in to the management database:
|
4C |
Select your VSX Cluster. |
4D |
Select R80.30. |
4E |
For auditing purposes, save the
|
5 |
Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages this VSX Cluster. |
6 |
From the left navigation panel, click Gateways & Servers. |
7 |
Open the VSX Cluster object. |
8 |
From the left navigation tree, click the General Properties page. |
9 |
Make sure in the Platform section, the Version field shows R80.30. |
10 |
Click Cancel (do not click OK). |
Step 2 of 15: On each VSX Cluster Member - Change the CCP mode to Broadcast
To avoid possible problems with switches around the VSX Cluster during the upgrade, we recommend changing the Cluster Control Protocol (CCP) mode to Broadcast.
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Log in to the Expert mode. |
3 |
Change the CCP mode to Broadcast:
Notes:
|
4 |
Make sure the CCP mode is set to Broadcast:
|
Step 3 of 15: On the VSX Cluster Member M2 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
Installation Method |
Instructions |
---|---|
Upgrade to R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Upgrade. |
Clean Install of R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Clean Install. |
Clean Install of R80.30 from scratch |
|
Note - You must reboot the VSX Cluster Member after the upgrade or clean install.
Step 4 of 15: On the VSX Cluster Member M3 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
Installation Method |
Instructions |
---|---|
Upgrade to R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Upgrade. |
Clean Install of R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Clean Install. |
Clean Install of R80.30 from scratch |
|
Note - You must reboot the VSX Cluster Member after the upgrade or clean install.
Step 5 of 15: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages this VSX Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on the upgraded VSX Cluster Members M2 and M3. The Access Control Policy installation fails on the old VSX Cluster Member M1 with a warning. Ignore this warning. |
Step 6 of 15: On each VSX Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Examine the cluster state:
Notes:
|
Step 7 of 15: On the old VSX Cluster Member M1 - Stop all Check Point services
Step |
Description |
---|---|
1 |
Connect to the command line on the old VSX Cluster Member M1. |
2 |
Stop all Check Point services:
Notes:
|
Step 8 of 15: On the upgraded VSX Cluster Members M2 and M3 - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Examine the cluster state:
Notes:
|
Step 9 of 15: On the old VSX Cluster Member M1 - Upgrade to R80.30 with CPUSE, or perform a Clean Install of R80.30
Installation Method |
Instructions |
---|---|
Upgrade to R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Upgrade. |
Clean Install of R80.30 with CPUSE |
See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. Select the R80.30 package and perform Clean Install. |
Clean Install of R80.30 from scratch |
|
Note - You must reboot the VSX Cluster Member after the upgrade or clean install.
Step 10 of 15: In SmartConsole - Install the Access Control Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages this VSX Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Install Policy window:
|
5 |
The Access Control Policy successfully installs on all the VSX Cluster Members. |
Step 11 of 15: On each VSX Cluster Member - Examine the VSX state
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Log in to the Expert mode. |
3 |
Examine the VSX state:
Notes:
|
Step 12 of 15: On each VSX Cluster Member - Examine the cluster state
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Examine the cluster state:
Note - The cluster states of the VSX Cluster Members are: one is Active, others are Standby. |
Step 13 of 15: On each VSX Cluster Member - Change the CCP mode to Auto
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Change the CCP mode:
Notes:
|
3 |
Make sure the CCP mode is set to Auto:
|
Step 14 of 15: In SmartConsole - Install the Threat Prevention Policy
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Domain Management Server that manages this VSX Cluster. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Click Install Policy. |
4 |
In the Policy field, select the applicable Threat Prevention Policy. |
5 |
Click Install. |
Step 15 of 15: Test the functionality
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the R80.30 Security Management Server or Main Domain Management Server that manages the Virtual Systems on this VSX Cluster. |
2 |
From the left navigation panel, click Logs & Monitor > Logs. |
3 |
Examine the logs from Virtual Systems on this VSX Cluster to make sure they inspect the traffic as expected. |
For more information, see the: