Upgrading Security Management Servers in Management High Availability from R80.20 and higher

Notes:

  • This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, or R80.30 versions.

  • These instructions equally apply to:

    • Security Management Servers

    • CloudGuard Controllers

  • For additional information related to this upgrade, see sk163814.

Important - Before you upgrade a Security Management Server:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See the Upgrade Options and Prerequisites.

3

Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4

You must close all GUI clients (SmartConsole applications) connected to the source Security Management Server.

5

Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required Upgrade Tools package.

6

Run the Pre-Upgrade Verifier on all source servers and fix all detected issues before you start the upgrade.

7

In Management High Availability, make sure the Primary Security Management Server is upgraded and runs, before you start the upgrade on other servers.

Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.

Procedure:

Step

Instructions

1

Upgrade the Primary Security Management Server with one of the supported methods.

2

Upgrade the Secondary Security Management Server with one of the supported methods.

Important:

  • Make sure the Security Management Servers can communicate with each other and SIC works between these servers. For details, see sk179794.

  • If you upgraded the Primary Security Management Server and changed its IPv4 address before you upgrade the Secondary Security Management Server, then you must put the required JSON file on the Secondary Security Management Server. See the corresponding section below.

3

Get the R80.40 SmartConsole.

See Installing SmartConsole.

4

Connect with SmartConsole to the R80.40 Primary Security Management Server.

5

Update the object version of the Secondary Security Management Server:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Secondary Security Management Server object.

  3. From the left tree, click General Properties.

  4. In the Platform section > in the Version field, select R80.40.

  5. Click OK.

6

Make sure Secure Internal Communication (SIC) works correctly with the Secondary Security Management Server:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Secondary Security Management Server object.

  3. On the General Properties page, click Communication.

  4. Click Test SIC Status.

    The SIC Status must show Communicating.

  5. Click Close.

  6. Click OK.

7

Upgrade the dedicated Log Servers and SmartEvent Servers.

Follow the applicable procedure in Upgrading a Security Management Server or Log Server from R80.20 and higher.

Important - If you changed the IPv4 address of one of more Security Management Servers during their upgrade, then you must put the required JSON file on the dedicated Log Servers and SmartEvent Servers. See the corresponding section below.

8

Install the management database:

  1. In the top left corner, click Menu > Install database.

  2. Select all objects.

  3. Click Install.

  4. Click OK.

9

Install the Event Policy.

Important - This step applies only if the SmartEvent Correlation Unit Software Blade is enabled on the R80.40 Security Management Server.

  1. In the SmartConsole, from the left navigation panel, click Logs & Monitor.

  2. At the top, click + to open a new tab.

  3. In the bottom left corner, in the External Apps section, click SmartEvent Settings & Policy.

    The Legacy SmartEvent client opens.

  4. In the top left corner, click Menu > Actions > Install Event Policy.

  5. Confirm.

  6. Wait for these messages to appear:

    SmartEvent Policy Installer installation complete

    SmartEvent Policy Installer installation succeeded

  7. Click Close.

  8. Close the Legacy SmartEvent client.

10

Reconfigure the Log Exporter:

  1. Connect to the command line on the server.

  2. Log in to the Expert mode.

  3. Restore the Log Exporter configuration as described in sk127653.

  4. Reconfigure the Log Exporter:

    cp_log_export reconf

  5. Restart the Log Exporter:

    cp_log_export restart

For more information, see the R80.40 Logging and Monitoring Administration Guide > Chapter Log Exporter

11

Synchronize the Security Management Servers:

  1. In the top left corner, click Menu > Management High Availability.

  2. In the Peers section, click Actions > Sync Peer.

  3. The status must show Successfully synced for all peers.