Upgrading Multi-Domain Servers in High Availability from R80.10 and lower with CPUSE

In a CPUSE upgrade scenario, you perform the upgrade procedure on the same Multi-Domain Servers.

Notes:

Important - Before you upgrade Multi-Domain Servers:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See the Upgrade Options and Prerequisites.

3

In R80 and higher, examine the SmartConsole sessions:

  1. Connect with the SmartConsole to each Domain Management Server.

  2. From the left navigation panel, click Manage & Settings > Sessions > View Sessions.

  3. You must publish or discard all sessions, for which the Changes column shows a number greater than zero.

    Right-click on such session and select Publish or Discard.

4

In Multi-Domain Server R80 or R80.10 with enabled vSEC Controller:

  1. Connect with SmartConsole to the Global Domain.

  2. Delete all global Data Centers objects.

  3. Assign the modified Global Policies.

5

You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Server.

6

Run the Pre-Upgrade Verifier on all source servers and fix all detected issues before you start the upgrade.

7

In Management High Availability, before you start the upgrade on other servers:

  1. Make sure the Primary Multi-Domain Server is upgraded and runs.

  2. Make sure the Multi-Domain Security Management Servers can communicate with each other and SIC works between these servers. For details, see sk179794.

Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.

Procedure:

  1. For instructions, see the R80.40 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.

  2. See Installing Software Packages on Gaia and follow the applicable action plan.

  3. See Installing SmartConsole.

  4. Step

    Instructions

    1

    Connect with SmartConsole to the R80.40 Primary Multi-Domain Server.

    2

    From the left navigation panel, click Multi-Domain > Domains.

    3

    From the top toolbar, open the Secondary Multi-Domain Server object.

    4

    From the left tree, click General.

    5

    In the Platform section > in the Version field, select R80.40.

    6

    Click OK.

  5. Step

    Instructions

    1

    Connect with SmartConsole to each Domain Management Server of the Primary Multi-Domain Server.

    2

    In the top left corner, click Menu > Install database.

    3

    Select all objects.

    4

    Click Install.

    5

    Click OK.

  6. See Installing Software Packages on Gaia and follow the applicable action plan.

  7. Step

    Instructions

    1

    Connect with SmartConsole to each Domain Management Server of the Secondary Multi-Domain Server.

    2

    In the top left corner, click Menu > Install database.

    3

    Select all objects.

    4

    Click Install.

    5

    Click OK.

  8. Important - If your Multi-Domain Server manages Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server.

    Select the applicable upgrade option:

  		9.

    Important - Perform this steps on every Multi-Domain Server with Active Domain Management Servers.

    To determine which Multi-Domain Servers run Active Domain Management Servers:

    1. Connect with SmartConsole to a Multi-Domain Server and select the MDS context.

    2. From the left navigation panel, click Multi Domain > Domains.

    The table shows Domains and Multi-Domain Servers:

    • Every column shows a Multi-Domain Server.

    • Active Domain Management Servers (for a Domain) are marked with a solid black "barrel" icon.

    • Standby Domain Management Servers (for a Domain) are marked with an empty "barrel" icon.

    Step

    Instructions

    1

    Connect to the command line on the R80.40 Multi-Domain Server.

    2

    Log in with the superuser credentials.

    3

    Log in to the Expert mode.

    4

    Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):

    mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:

    mdsstop_customer <IP Address or Name of Domain Management Server>

    mdsstart_customer <IP Address or Name of Domain Management Server>

    mdsstat

    5

    Go to the main MDS context:

    mdsenv

    6

    Upgrade the attributes of all managed objects in all Domain Management Servers at once:

    $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL

    Notes:

    • Because the command prompts you for a 'yes/no' for each Domain and each object in the Domain, you can explicitly provide the 'yes' answer to all questions with this command:

      yes | $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL

    • You can perform this action on one Multi-Domain Server at a time with this command:

      $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL -n <Name of Multi-Domain Server>

    7

    Allow the database synchronization to run:

    $CPDIR/bin/cpprod_util CPPROD_SetValue "FW1/6.0" AfterUpgradeDbsyncIndication 1 1 0

    Restart the Check Point services:

    mdsstop

    mdsstart

    For more information, see sk121718.

    8

    Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in the state "up" and show their PID (the "pnd" state is also acceptable):

    mdsstat

    If some of the required daemons on a Domain Management Server are in the state "down", then wait for 5-10 minutes, restart that Domain Management Server, and check again. Run these three commands:

    mdsstop_customer <IP Address or Name of Domain Management Server>

    mdsstart_customer <IP Address or Name of Domain Management Server>

    mdsstat

  10. Step

    Instructions

    1

    Connect to the command line on the server.

    2

    Log in to the Expert mode.

    3

    Restore the Log Exporter configuration as described in sk127653.

    4

    Reconfigure the Log Exporter:

    cp_log_export reconf

    5

    Restart the Log Exporter:

    cp_log_export restart

    For more information, see the R80.40 Logging and Monitoring Administration Guide > Chapter Log Exporter.

  		11.

    Important - This step applies to each Domain Management Server that manages SmartLSM Security Profiles.

    Step

    Instructions

    1

    Install the Access Control Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Access Control Policy.

    3. Select the applicable SmartLSM Security Profile objects.

    4. Click Install.

    5. The Access Control Policy must install successfully.

    2

    Install the Threat Prevention Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Threat Prevention Policy.

    3. Select the applicable SmartLSM Security Profile objects.

    4. Click Install.

    5. The Threat Prevention Policy must install successfully.

    For more information, see the R80.40 SmartProvisioning Administration Guide.

  12. Step

    Instructions

    1

    Connect with SmartConsole to the Primary R80.40 Multi-Domain Server.

    2

    Make sure the management database and configuration were upgraded correctly.

    3

    Test the Management High Availability functionality.