Installing a Hotfix on Dual Chassis
This procedure describes the Full Connectivity installation of an Offline CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449. package on Dual Chassis.
Important Notes
-
It is not supported to upgrade the CPUSE Agent on SGMs in a Security Group.
-
This procedure keeps the current connections in a Security Group
A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway.. -
This procedure applies to Security Groups in Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. mode and VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode.In VSX mode, you must run all the commands in the context of VS0.
-
If you finished a clean install on this chassis, then you can install a Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. only after you run the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. First Time Configuration Wizard. -
Do not install the hotfix on all the SGMs at the same time.
If you do so with the command below, traffic stops passing through all SGMs until the hotfix
Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. is installed:installer install <Number of CPUSE Package> member_ids all -
In this procedure, you install the hotfix on one chassis at one time.
The other chassis continues to handle traffic.
-
You install the hotfix on Standby Chassis "A" from an SGM in Standby Chassis "A".
-
You fail over all connections from Active Chassis "B" to Standby Chassis "A".
-
You install the hotfix on Standby Chassis "B" from an SGM in Standby Chassis "B".
In the procedures below:
-
Chassis "A" is the Standby Chassis (
chassis1) -
Chassis "B" is the Active Chassis (
chassis2)
-
|
|
Best Practice - Perform this procedure over the serial console. |
Procedure
Step 1 - Perform the preliminary steps
|
Step |
Instructions |
||
|---|---|---|---|
|
A |
Make sure you have the applicable CPUSE offline package or the exported CPUSE package. |
||
|
B |
Transfer the CPUSE offline or exported package to the Chassis (into some directory, for example: |
||
|
C |
Connect to the command line on each chassis. |
||
|
D |
|||
|
E |
|
||
|
F |
Import the CPUSE package from the hard disk:
Example:
|
||
|
G |
Show the imported CPUSE packages:
|
||
|
H |
Make sure the imported CPUSE package can be installed on this Chassis:
Example: |
Step 2 - Disable the SMO Image Cloning feature
|
|
Note - The SMO |
|
Step |
Instructions |
|
|---|---|---|
|
A |
Connect to the command line on the Security Group. |
|
|
B |
If your default shell is
|
|
|
C |
Examine the state of the SMO Image Cloning feature:
|
|
|
D |
Disable the SMO Image Cloning feature, if it is enabled:
|
|
|
E |
Examine the state of the SMO Image Cloning feature:
|
Step 3 - Install the Hotfix on Standby Chassis "A"
|
Step |
Instructions |
||
|---|---|---|---|
|
A |
Connect to the command line on the Standby Chassis (in our example, Chassis "A" - |
||
|
B |
Log in to the Expert mode. |
||
|
C |
Set the state of the Standby Chassis "A" to "down":
Example:
|
||
|
D |
Connect to one of the SGMs in the Standby Chassis "A":
|
||
|
E |
Go to the Gaia gClish:
|
||
|
F |
Install the CPUSE hotfix package on the Standby Chassis "A":
Example: |
||
|
G |
Exit from Gaia gClish to the Expert mode:
|
||
|
H |
Monitor the system until SGMs on the Standby Chassis "A" are in the state "
|
||
|
I |
Set the state of the Standby Chassis "A" to "up":
Example:
|
||
|
J |
Monitor the system until SGMs on the Chassis "A" are in the state "
|
||
|
K |
Make sure the Hotfix is installed on all SGMs:
|
Step 4 - Fail over from Active Chassis "B" to Standby Chassis "A"
In this step, you fail over all connections from the Active Chassis "B" (chassis2) to the Standby Chassis "A" (chassis1).
|
Step |
Instructions |
||
|---|---|---|---|
|
A |
Connect to the command line on the Active Chassis (in our example, Chassis "B" - |
||
|
B |
Log in to the Expert mode. |
||
|
C |
Set the state of the Active Chassis "B" to "down":
Example:
|
Step 5 - Install the Hotfix on Standby Chassis "B"
In this step, you install the Hotfix on all SGMs on the former Active Chassis "B" (chassis2).
|
Step |
Instructions |
||||
|---|---|---|---|---|---|
|
A |
Connect to the command line on the Standby Chassis (in our example, Standby Chassis "B" - |
||||
|
B |
Log in to the Expert mode. |
||||
|
C |
Set the state of the Standby Chassis "B" to "down":
Example:
|
||||
|
D |
Connect to one of the SGMs in the Standby Chassis "B":
|
||||
|
E |
Go to the Gaia gClish:
|
||||
|
F |
Install the CPUSE hotfix package on the Standby Chassis "B":
Example: |
||||
|
G |
Exit from Gaia gClish to the Expert mode:
|
||||
|
H |
Monitor the system until SGMs on the Standby Chassis "B" are in the state "
|
||||
|
I |
Set the state of the Standby Chassis "B" to "up":
Example:
|
||||
|
J |
Monitor the system until SGMs on the Chassis "B" are in the state "
|
||||
|
K |
Make sure the Hotfix is installed on all SGMs:
|
