Multi-Version Cluster Upgrade Procedure - Gateway Mode

Note - The procedure below is for ClusterXL and VRRP Cluster. For VSX Cluster, see Multi-Version Cluster Upgrade Procedure - VSX Mode.

Important - Before you upgrade a Cluster:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See Upgrade Options and Prerequisites.

3

Upgrade the Management Server and Log Servers.

4

See Planning a Cluster Upgrade.

5

Schedule a full maintenance window to make sure you can make all the custom configurations again after the upgrade.

Note - MVC supports Cluster Members with different Gaia kernel editions (R80.40 64-bit and R77.30 / R80.10 32-bit).

The procedure described below is based on an example cluster with three Cluster Members M1, M2 and M3.

However, you can use it for clusters that consist of two or more.

Action plan:

  1. In SmartConsole, change the cluster object version to R80.40.

  2. On the Cluster Member M3:

    1. Upgrade to R80.40

      Note - If you perform a Clean Install of R80.40, then you must establish SIC in SmartConsole with this Cluster Member and install Access Control Policy on it

    2. Enable the MVC

  3. In SmartConsole, install the Access Control Policy on the Cluster Member M3.

  4. On the next Cluster Member M2:

    1. Upgrade to R80.40

      Note - If you perform a Clean Install of R80.40, then you must establish SIC in SmartConsole with this Cluster Member and install Access Control Policy on it

    2. Enable the MVC

  5. In SmartConsole, install the Access Control Policy on the Cluster Member M3 and M2.

  6. On the remaining Cluster Member M1:

    • Upgrade to R80.40

      Note - If you perform a Clean Install of R80.40, then you must establish SIC in SmartConsole with this Cluster Member

  7. In SmartConsole, install the Access Control Policy and the Threat Prevention Policy on the Cluster object.

Procedure:

  1. Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Security Management Server or Domain Management Server that manages this cluster.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Open the Cluster object.

    4

    From the left tree, click the General Properties page.

    5

    In the Platform section > Version field, select R80.40.

    6

    Click OK to close the Gateway Cluster Properties window.

  2. Important - You must reboot the Cluster Member after the upgrade or clean install.

    Installation Method

    Instructions

    Upgrade to R80.40 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R80.40 package and perform Upgrade. See sk92449 for detailed steps.

    Clean Install of R80.40 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R80.40 package and perform Clean Install. See sk92449 for detailed steps.

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

    Clean Install of R80.40 from scratch

    Installing a Cluster Member

    Follow Installing a ClusterXL Cluster - only the step "Install the Cluster Members".

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

    Installing a VRRP Cluster Member

    Follow Installing a VRRP Cluster - only the step "Install the VRRP Cluster Members".

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VRRP Cluster Member (prior to the upgrade).

  3. Important - This step is required only if you performed a Clean Install of R80.40 on this Cluster Member.

    Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Security Management Server or Main Domain Management Server that manages this Cluster.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Open the cluster object.

    4

    From the left tree, click Cluster Members.

    5

    Select the object of this Cluster Member.

    6

    Click Edit.

    7

    On the General tab, click the Communication button.

    8

    Click Reset.

    9

    In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.

    10

    In the Confirm one-time password field, enter the same Activation Key again.

    11

    Click Initialize.

    12

    The Trust state field must show Trust established.

    13

    Click Close to close the Communication window.

    14

    Click OK to close the Cluster Member Properties window.

    15

    Click OK to close the Gateway Cluster Properties window.

    16

    Publish the SmartConsole session.

  4. Important - This step is required only if you performed a Clean Install of R80.40 on the Cluster Member M3.

    Step

    Instructions

    1

    Click Install Policy.

    2

    In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy.

    2. In the Install Mode section, select these two options:

      • Select Install on each selected gateway independently.

      • Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.

    3. Click Install.

    3

    The Access Control Policy installation:

    • Succeeds on the upgraded Cluster Member M3.

    • Fails on the old Cluster Members M1 and M2 with a warning. Ignore this warning.

  5. Step

    Instructions

    1

    Connect to the command line on the Cluster Member.

    2

    Enable the MVC Mechanism:

    • In Gaia Clish:

      set cluster member mvc on

    • In the Expert mode:

      cphaconf mvc on

    3

    Examine the state of the MVC Mechanism:

    • In Gaia Clish:

      show cluster members mvc

    • In the Expert mode:

      cphaprob mvc

  6. Step

    Instructions

    1

    Click Install Policy.

    2

    In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy.

    2. In the Install Mode section, select these two options:

      • Select Install on each selected gateway independently.

      • Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.

    3. Click Install.

    3

    The Access Control Policy installation:

    • Succeeds on the upgraded Cluster Member M3.

    • Fails on the old Cluster Members M1 and M2 with a warning. Ignore this warning.

  7. Step

    Instructions

    1

    Connect to the command line on each Cluster Member.

    2

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      show cluster state

    • In the Expert mode, run:

      cphaprob state

    Important:

    • In the High Availability mode, one of the upgraded Cluster Members (M2 or M3) changes its cluster state to Active.

      The other upgraded Cluster Member (M2 or M3) changes its cluster state to Standby.

    • In the Load Sharing modes, all Cluster Members must be in the Active state.

  8. Important - You must reboot the Cluster Member after the upgrade or clean install.

    Installation Method

    Instructions

    Upgrade to R80.40 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R80.40 package and perform Upgrade. See sk92449 for detailed steps.

    Clean Install of R80.40 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R80.40 package and perform Clean Install. See sk92449 for detailed steps.

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

    Clean Install of R80.40 from scratch

    Installing a Cluster Member

    Follow Installing a ClusterXL Cluster - only the step "Install the Cluster Members".

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

    Installing a VRRP Cluster Member

    Follow Installing a VRRP Cluster - only the step "Install the VRRP Cluster Members".

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VRRP Cluster Member (prior to the upgrade).

  9. Important - This step is required only if you performed a Clean Install of R80.40 on this Cluster Member.

    Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Security Management Server or Main Domain Management Server that manages this Cluster.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Open the cluster object.

    4

    From the left tree, click Cluster Members.

    5

    Select the object of this Cluster Member.

    6

    Click Edit.

    7

    On the General tab, click the Communication button.

    8

    Click Reset.

    9

    In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.

    10

    In the Confirm one-time password field, enter the same Activation Key again.

    11

    Click Initialize.

    12

    The Trust state field must show Trust established.

    13

    Click Close to close the Communication window.

    14

    Click OK to close the Cluster Member Properties window.

    15

    Click OK to close the Gateway Cluster Properties window.

    16

    Publish the SmartConsole session.

  10. Important - This step is required only if you performed a Clean Install of R80.40 on the Cluster Member M2.

    Step

    Instructions

    1

    Click Install Policy.

    2

    In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy.

    2. In the Install Mode section, select these two options:

      • Select Install on each selected gateway independently.

      • Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.

    3. Click Install.

    3

    The Access Control Policy installation:

    • Succeeds on the upgraded Cluster Members M3 and M2.

    • Fails on the old Cluster Member M1 with a warning. Ignore this warning.

  11. Step

    Instructions

    1

    Connect to the command line on the Cluster Member.

    2

    Enable the MVC Mechanism:

    • In Gaia Clish:

      set cluster member mvc on

    • In the Expert mode:

      cphaconf mvc on

    3

    Examine the state of the MVC Mechanism:

    • In Gaia Clish:

      show cluster members mvc

    • In the Expert mode:

      cphaprob mvc

  12. Step

    Instructions

    1

    Click Install Policy.

    2

    In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy.

    2. In the Install Mode section, select these two options:

      • Select Install on each selected gateway independently.

      • Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.

    3. Click Install.

    3

    The Access Control Policy installation:

    • Succeeds on the upgraded Cluster Members M3 and M2.

    • Fails on the old Cluster Member M1 with a warning. Ignore this warning.

  13. Step

    Instructions

    1

    Connect to the command line on each Cluster Member.

    2

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      show cluster state

    • In the Expert mode, run:

      cphaprob state

    Important:

    • In the High Availability mode, one of the upgraded Cluster Members (M2 or M3) changes its cluster state to Active.

      The other upgraded Cluster Member (M2 or M3) changes its cluster state to Standby.

    • In the Load Sharing modes, all Cluster Members must be in the Active state.

  14. Important - You must reboot the Cluster Member after the upgrade or clean install.

    Installation Method

    Instructions

    Upgrade to R80.40 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R80.40 package and perform Upgrade. See sk92449 for detailed steps.

    Clean Install of R80.40 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R80.40 package and perform Clean Install. See sk92449 for detailed steps.

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

    Clean Install of R80.40 from scratch

    Installing a Cluster Member

    Follow Installing a ClusterXL Cluster - only the step "Install the Cluster Members".

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).

    Installing a VRRP Cluster Member

    Follow Installing a VRRP Cluster - only the step "Install the VRRP Cluster Members".

    Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VRRP Cluster Member (prior to the upgrade).

  15. Important - This step is required only if you performed a Clean Install of R80.40 on this Cluster Member.

    Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Security Management Server or Main Domain Management Server that manages this Cluster.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Open the cluster object.

    4

    From the left tree, click Cluster Members.

    5

    Select the object of this Cluster Member.

    6

    Click Edit.

    7

    On the General tab, click the Communication button.

    8

    Click Reset.

    9

    In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.

    10

    In the Confirm one-time password field, enter the same Activation Key again.

    11

    Click Initialize.

    12

    The Trust state field must show Trust established.

    13

    Click Close to close the Communication window.

    14

    Click OK to close the Cluster Member Properties window.

    15

    Click OK to close the Gateway Cluster Properties window.

    16

    Publish the SmartConsole session.

  16. Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Security Management Server or Domain Management Server that manages this cluster.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Install the Access Control Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Access Control Policy.

    3. In the Install Mode section, select these two options:

      • Install on each selected gateway independently

      • For gateway clusters, if installation on a cluster member fails, do not install on that cluster

    4. Click Install.

    5. The Access Control Policy must install successfully on all the Cluster Members.

    4

    Install the Threat Prevention Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Threat Prevention Policy.

    3. Click Install.

    4. The Threat Prevention Policy must install successfully on all the Cluster Members.

  17. Step

    Instructions

    1

    Connect to the command line on each Cluster Member.

    2

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      show cluster state

    • In the Expert mode, run:

      cphaprob state

    Important:

    • All Cluster Members must show the same information about the states of all Cluster Members.

    • In the High Availability mode, one Cluster Member must be in the Active state, and all other Cluster Members must be in Standby state.

    • In the Load Sharing modes, all Cluster Members must be in the Active state.

  18. Step

    Instructions

    1

    Connect to the command line on each Cluster Member.

    2

    Disable the MVC Mechanism:

    • In Gaia Clish:

      set cluster member mvc off

    • In the Expert mode:

      cphaconf mvc off

    3

    Examine the state of the MVC Mechanism:

    • In Gaia Clish:

      show cluster members mvc

    • In the Expert mode:

      cphaprob mvc

  19. Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Security Management Server or Domain Management Server that manages this cluster.

    2

    From the left navigation panel, click Logs & Monitor > Logs.

    3

    Examine the logs from this Cluster to make sure it inspects the traffic as expected.

For more information, see the: