Upgrading Multi-Domain Servers in High Availability from R80.10 and lower with Advanced Upgrade
In an advanced upgrade scenario, you perform the upgrade procedure on the same Multi-Domain Servers.
Note - To upgrade from R80.20 and higher, see Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with Advanced Upgrade.
Important - Before you upgrade Multi-Domain Servers:
Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.
Procedure:
-
If the Primary Multi-Domain Server is not available, promote the Secondary Multi-Domain Server to be the Primary
For instructions, see the R80.40 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.
-
Get the R80.40 installation image
Step
Instructions
1
Download the R80.40 Clean Install ISO file from the R80.40 Home Page SK.
2
Transfer the R80.40 ISO file to the current server to some directory (for example, /var/log/path_to_iso/).
Note - Make sure to transfer the file in the binary mode.
-
On the Primary Multi-Domain Server, run the Pre-Upgrade Verifier and export the entire management database
Step
Instructions
1
Connect to the command line on the Primary Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Stop all Check Point services:
mdsstop
5
Go to the main MDS context:
mdsenv
6
Mount the R80.40 ISO file:
mount -o loop /var/log/path_to_iso/<R80.40_Gaia>.iso /mnt/cdrom
7
Go to the installation folder in the ISO:
cd /mnt/cdrom/linux/p1_install/
8
Run the installation script:
./mds_setup
This menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Backup current Multi-Domain Server
(3) Export current Multi-Domain Server
Or 'Q' to quit.
9
Enter 1 to run the Pre-Upgrade Verifier.
Note - The Pre-Upgrade Verifier analyzes compatibility of the currently installed configuration with the version to which you upgrade. A detailed report shows the steps to do before and after the upgrade.
10
Read the Pre-Upgrade Verifier output.
If it is necessary to fix errors:
-
Start all Check Point services:
mdsstart
-
Follow the instructions in the report.
-
Connect with SmartConsole to the Global Domain that is currently in the Active state.
-
Reassign the Global Policy on all Domains.
-
In a Management High Availability environment R77.30 and lower:
If you made changes, synchronize the Domain Management Servers immediately after these changes.
(In R80 and higher, this synchronization occurs automatically.)
-
Stop all Check Point services again:
mdsstop
-
Run the installation script again:
./mds_setup
This menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Backup current Multi-Domain Server
(3) Export current Multi-Domain Server
Or 'Q' to quit.
11
Enter 3 to export the current Multi-Domain Server configuration.
12
Answer the interactive questions:
Would you like to proceed with the export now [yes/no] ? yes
Please enter target directory for your Multi-Domain Server export (or 'Q' to quit): /var/log
Do you plan to import to a version newer than R80.40 [yes/no] ? no
Using migrate_tools from disk.
Do you wish to export the log database [yes/no] ? yes
Note - If you enter no in the question "Do you wish to export the log database", the configuration is still exported.
13
Make sure the export file is created in the specified directory:
ls -l /var/log/exported_mds.<DDMMYYYY-HHMMSS>.tgz
14
Rename the exported file:
mv -v /var/log/{,Primary_}exported_mds.<DDMMYYYY-HHMMSS>.tgz
15
Calculate the MD5 for the exported file:
md5sum /var/log/Primary_exported_mds.<DDMMYYYY-HHMMSS>.tgz
16
Transfer the exported database from the current Multi-Domain Server to an external storage:
/var/log/Primary_exported_mds.<DDMMYYYY-HHMMSS>.tgz
Note - Make sure to transfer the file in the binary mode.
-
Install the Primary R80.40 Multi-Domain Server
See the R80.40 Release Notes for requirements.
Important - Do not perform initial configuration in SmartConsole.
Current OS
Available options
Gaia Operating System
Follow one of these procedures:
Operating System other than Gaia
Follow this procedure:
Important - The IP addresses of the source and target R80.40 servers must be the same. If it is necessary to have a different IP address on the R80.40 server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. See Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server.
-
On the Primary R80.40 Multi-Domain Server, import the databases
Important - Before you import the management database, we strongly recommend that you install the latest General Availability Take of the R80.40 Jumbo Hotfix Accumulator. This makes sure the R80.40 server has the latest improvements for reported import issues.
Step
Instructions
1
Connect to the command line on the Primary R80.40 Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Make sure a valid license is installed:
cplic print
If it is not already installed, then install a valid license now.
5
Transfer the exported database from an external storage to the R80.40 Multi-Domain Server, to some directory.
Note - Make sure to transfer the file in the binary mode.
6
Make sure the transferred file is not corrupted.
Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Primary Multi-Domain Server:
md5sum /<Full Path>/Primary_exported_mds.<DDMMYYYY-HHMMSS>.tgz
7
Import the configuration:
yes | nohup $MDSDIR/scripts/mds_import.sh /<Full Path>/Primary_exported_mds.<DDMMYYYY-HHMMSS>.tgz &
Notes:
-
yes | nohup ... & are mandatory parts of the syntax.
-
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate.
8
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
-
On the Secondary Multi-Domain Server, run the Pre-Upgrade Verifier and export the entire management database
Step
Instructions
1
Connect to the command line on the Secondary Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Stop all Check Point services:
mdsstop
5
Go to the main MDS context:
mdsenv
6
Mount the R80.40 ISO file:
mount -o loop /var/log/path_to_iso/<R80.40_Gaia>.iso /mnt/cdrom
7
Go to the installation folder in the ISO:
cd /mnt/cdrom/linux/p1_install/
8
Run the installation script:
./mds_setup
This menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Backup current Multi-Domain Server
(3) Export current Multi-Domain Server
Or 'Q' to quit.
9
Enter 1 to run the Pre-Upgrade Verifier.
Note - The Pre-Upgrade Verifier analyzes compatibility of the currently installed configuration with the version to which you upgrade. A detailed report shows the steps to do before and after the upgrade.
10
Read the Pre-Upgrade Verifier output.
If it is necessary to fix errors:
-
Start all Check Point services:
mdsstart
-
Follow the instructions in the report.
-
Connect with SmartConsole to the Global Domain that is currently in the Active state.
-
Reassign the Global Policy on all Domains.
-
In a Management High Availability environment R77.30 and lower:
If you made changes, synchronize the Domain Management Servers immediately after these changes.
(In R80 and higher, this synchronization occurs automatically.)
-
Stop all Check Point services again:
mdsstop
-
Run the installation script again:
./mds_setup
This menu shows:
(1) Run Pre-upgrade verification only [recommended before upgrade]
(2) Backup current Multi-Domain Server
(3) Export current Multi-Domain Server
Or 'Q' to quit.
11
Enter 3 to export the current Multi-Domain Server configuration.
12
Answer the interactive questions:
Would you like to proceed with the export now [yes/no] ? yes
Please enter target directory for your Multi-Domain Server export (or 'Q' to quit): /var/log
Do you plan to import to a version newer than R80.40 [yes/no] ? no
Using migrate_tools from disk.
Do you wish to export the log database [yes/no] ? yes
Note - If you enter no in the question "Do you wish to export the log database", the configuration is still exported.
13
Make sure the export file is created in the specified directory:
ls -l /var/log/exported_mds.<DDMMYYYY-HHMMSS>.tgz
14
Rename the exported file:
mv -v /var/log/{,Secondary_}exported_mds.<DDMMYYYY-HHMMSS>.tgz
15
Calculate the MD5 for the exported file:
md5sum /var/log/Secondary_exported_mds.<DDMMYYYY-HHMMSS>.tgz
16
Transfer the exported database from the current Multi-Domain Server to an external storage:
/var/log/Secondary_exported_mds.<DDMMYYYY-HHMMSS>.tgz
Note - Make sure to transfer the file in the binary mode.
-
Install the Secondary R80.40 Multi-Domain Server
See the R80.40 Release Notes for requirements.
Do not perform initial configuration in SmartConsole.
Current OS
Available options
Gaia Operating System
Follow one of these procedures:
Operating System other than Gaia
Follow this procedure:
Important - The IP addresses of the source and target R80.40 servers must be the same. If it is necessary to have a different IP address on the R80.40 server, you can change it only after the upgrade procedure. Note that you have to issue licenses for the new IP address. See Changing the IP Address of a Multi-Domain Server or Multi-Domain Log Server.
-
On the Secondary R80.40 Multi-Domain Server, import the databases
Important - Before you import the management database, we strongly recommend that you install the latest General Availability Take of the R80.40 Jumbo Hotfix Accumulator. This makes sure the R80.40 server has the latest improvements for reported import issues.
The preliminary steps below apply to a Multi-Site setup, in which some of the Domain Management Servers are Active on the Primary Multi-Domain Server, and some of the Domain Management Servers are Active on the Secondary Multi-Domain Servers.
Note - The example that follows assumes that you already upgraded the Primary Multi-Domain Server, and upgraded one of the Secondary Multi-Domain Servers with Active Domain Management Servers on it.
-
Before you can import the entire management database on the second Secondary Multi-Domain Server:
-
Connect with SmartConsole to each of the upgraded Multi-Domain Servers:
-
The Primary Multi-Domain Server
-
The first Secondary Multi-Domain Server
-
Make sure the High Availability status of each Multi-Domain Server with the other upgraded Multi-Domain Servers is OK.
In case of a failure, you must resolve it before you can import the database.
-
Import the entire management database on the second Secondary Multi-Domain Server.
-
Before you can import the entire management database on the third Secondary Multi-Domain Server:
-
Connect with SmartConsole to each of the upgraded Multi-Domain Servers:
-
The Primary Multi-Domain Server
-
The first Secondary Multi-Domain Server
-
The second Secondary Multi-Domain Server
-
Make sure the High Availability status of each Multi-Domain Server with the other upgraded Multi-Domain Servers is OK.
In case of a failure, you must resolve it before you can import the database.
-
Import the entire management database on the third Secondary Multi-Domain Server.
-
Repeat the above test on all other Secondary Multi-Domain Servers before you import the entire management database on them.
Step
Instructions
1
Connect to the command line on the Secondary R80.40 Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Make sure a valid license is installed:
cplic print
If it is not already installed, then install a valid license now.
5
Transfer the exported database from an external storage to the R80.40 Multi-Domain Server, to some directory.
Note - Make sure to transfer the file in the binary mode.
6
Make sure the transferred file is not corrupted.
Calculate the MD5 for the transferred file and compare it to the MD5 that you calculated on the original Secondary Multi-Domain Server:
md5sum /<Full Path>/Secondary_exported_mds.<DDMMYYYY-HHMMSS>.tgz
7
Import the configuration:
yes | nohup $MDSDIR/scripts/mds_import.sh /<Full Path>/Secondary_exported_mds.<DDMMYYYY-HHMMSS>.tgz &
Notes:
-
yes | nohup ... & are mandatory parts of the syntax.
-
For details, see the R80.40 CLI Reference Guide - Chapter Multi-Domain Security Management Commands - Section migrate.
8
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
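The MD5 steps in the export and import procedures above (Primary and Secondary) can be scripted so the comparison is not done by eye. This is an added example, not part of the Check Point guide: the function names and the `.md5` sidecar file are assumptions, and the self-test uses a constructed stand-in file to show that a text-mode transfer is caught.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide. Function names are illustrative.
# Source server:  record_digest /var/log/Primary_exported_mds.<DDMMYYYY-HHMMSS>.tgz
# Target server:  verify_digest /<Full Path>/Primary_exported_mds.<DDMMYYYY-HHMMSS>.tgz

# Write the MD5 of FILE to FILE.md5. Only the hash is stored, so the check
# does not depend on the directory the file lands in on the target.
record_digest() {
    rd_file="$1"
    [ -f "$rd_file" ] || { echo "missing: $rd_file" >&2; return 2; }
    md5sum "$rd_file" | awk '{print $1}' > "$rd_file.md5"
}

# Return 0 only if FILE still matches FILE.md5; 1 on mismatch; 2 if either is absent.
verify_digest() {
    vd_file="$1"
    [ -f "$vd_file" ] && [ -f "$vd_file.md5" ] || { echo "missing file or digest: $vd_file" >&2; return 2; }
    vd_expected="$(tr -d '[:space:]' < "$vd_file.md5")"
    vd_actual="$(md5sum "$vd_file" | awk '{print $1}')"
    if [ "$vd_expected" = "$vd_actual" ]; then
        echo "OK: $vd_file"
        return 0
    fi
    echo "MISMATCH: $vd_file (expected $vd_expected, got $vd_actual)" >&2
    return 1
}

# Imitate what a text-mode (ASCII) transfer does to a file: LF becomes CRLF.
simulate_ascii_transfer() {
    awk '{ printf "%s\r\n", $0 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Self-test on a constructed stand-in file (not a real export archive).
selftest() {
    st_dir="$(mktemp -d)" || return 2
    st_file="$st_dir/Primary_exported_mds.sample.tgz"
    printf 'constructed sample\ncontent for the demo\n' > "$st_file"
    record_digest "$st_file" && verify_digest "$st_file" || { rm -rf "$st_dir"; return 1; }
    simulate_ascii_transfer "$st_file"
    if verify_digest "$st_file" 2>/dev/null; then
        st_rc=1        # corruption went unnoticed
    else
        st_rc=0        # corruption detected, as intended
    fi
    rm -rf "$st_dir"
    return "$st_rc"
}

if [ "${1:-}" = "selftest" ]; then selftest; fi
```

Transfer the `.md5` file together with the archive and run `verify_digest` before the import command. The MD5 comparison detects accidental corruption in transit; it does not show that the archive was left unmodified on the external storage.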
-
Update the object version of the Secondary Multi-Domain Server
Step
Instructions
1
Connect with SmartConsole to the R80.40 Primary Multi-Domain Server.
2
From the left navigation panel, click Multi-Domain > Domains.
3
From the top toolbar, open the Secondary Multi-Domain Server object.
4
From the left tree, click General.
5
In the Platform section > in the Version field, select R80.40.
6
Click OK.
-
Install the management database on each Domain Management Server of the Primary Multi-Domain Server
Step
Instructions
1
Connect with SmartConsole to each Domain Management Server of the Primary Multi-Domain Server.
2
In the top left corner, click . > Install database
3
Select all objects.
4
Click Install.
5
Click OK.
-
Install the management database on each Domain Management Server of the Secondary Multi-Domain Server
Step
Instructions
1
Connect with SmartConsole to each Domain Management Server of the Secondary Multi-Domain Server.
2
In the top left corner, click . > Install database
3
Select all objects.
4
Click Install.
5
Click OK.
-
Upgrade the Multi-Domain Log Servers, dedicated Log Servers, and dedicated SmartEvent Servers
Important - If your Multi-Domain Server manages Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server.
Select the applicable upgrade option:
-
For servers R80.20 and higher:
-
For servers R80.10 and lower:
-
Upgrade the attributes of all managed objects in all Domain Management Servers
Important - Perform these steps on every Multi-Domain Server with Active Domain Management Servers.
To determine which Multi-Domain Servers run Active Domain Management Servers:
-
Connect with SmartConsole to a Multi-Domain Server and select the MDS context.
-
From the left navigation panel, click Multi Domain > Domains.
The table shows Domains and Multi-Domain Servers:
-
Every column shows a Multi-Domain Server.
-
Active Domain Management Servers (for a Domain) are marked with a solid black "barrel" icon.
-
Standby Domain Management Servers (for a Domain) are marked with an empty "barrel" icon.
Step
Instructions
1
Connect to the command line on the R80.40 Multi-Domain Server.
2
Log in with the superuser credentials.
3
Log in to the Expert mode.
4
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
5
Go to the main MDS context:
mdsenv
6
Upgrade the attributes of all managed objects in all Domain Management Servers at once:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
Notes:
-
Because the command prompts you for a 'yes/no' for each Domain and each object in the Domain, you can explicitly provide the 'yes' answer to all questions with this command:
yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
-
You can perform this action on one Multi-Domain Server at a time with this command:
$MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Multi-Domain Server>
7
Allow the database synchronization to run:
$CPDIR/bin/cpprod_util CPPROD_SetValue "FW1/6.0" AfterUpgradeDbsyncIndication 1 1 0
Restart the Check Point services:
mdsstop
mdsstart
For more information, see sk121718.
8
Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):
mdsstat
If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:
mdsstop_customer <IP Address or Name of Domain Management Server>
mdsstart_customer <IP Address or Name of Domain Management Server>
mdsstat
-
Reconfigure the Log Exporter
Step
Instructions
1
Connect to the command line on the server.
2
Log in to the Expert mode.
3
Restore the Log Exporter configuration as described in sk127653.
4
Reconfigure the Log Exporter:
cp_log_export reconf
5
Restart the Log Exporter:
cp_log_export restart
For more information, see the R80.40 Logging and Monitoring Administration Guide > Chapter Log Exporter.
-
In SmartConsole of each applicable Domain Management Server, install policy on all SmartLSM Security Profiles
Important - This step applies to each Domain Management Server that manages SmartLSM Security Profiles.
Step
Instructions
1
Install the Access Control Policy:
-
Click Install Policy.
-
In the Policy field, select the applicable Access Control Policy.
-
Select the applicable SmartLSM Security Profile objects.
-
Click Install.
-
The Access Control Policy must install successfully.
2
Install the Threat Prevention Policy:
-
Click Install Policy.
-
In the Policy field, select the applicable Threat Prevention Policy.
-
Select the applicable SmartLSM Security Profile objects.
-
Click Install.
-
The Threat Prevention Policy must install successfully.
For more information, see the R80.40 SmartProvisioning Administration Guide.
-
Test the functionality on the Primary R80.40 Multi-Domain Server
Step
Instructions
1
Connect with SmartConsole to the Primary R80.40 Multi-Domain Server.
2
Make sure the management database and configuration were upgraded correctly.
3
Test the Management High Availability functionality.