Upgrading Scalable Chassis Environment - Minimum Downtime

This section describes the steps for upgrading Scalable Chassis with CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449..

This procedure supports only these upgrade paths for Security Groups:

  • from R81 to R81.10

  • from R80.20SP to R81.10

Important - See Rolling Back a Failed Upgrade of a Security Group - Minimum Downtime.

Important Notes for Scalable Chassis:

Important Notes for Security Groups:

  • Before you upgrade the Security Groups, you must upgrade the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages the Security Groups.

    See the R81.10 Installation and Upgrade Guide.

    Important - If there is at least one Security Group in VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, then the Management Server must run the R81.10 Jumbo Hotfix Accumulator Take 61 or higher.

  • This procedure applies to Security Groups in the Gateway mode and the VSX mode.

    In VSX mode, you must run all the commands in the context of VS0.

  • During the upgrade process, it is:

    • Forbidden to install policy on the Security Group, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to reboot Security Group Members, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to change the configuration of the Security Group and its Security Group Members.

    • Forbidden to install Hotfixes on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

    • Forbidden to install the Jumbo Hotfix Accumulator on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

  • To prevent down time, do not upgrade all the Security Group Members in a specific Security Group at the same time.

  • In this upgrade procedure, you divide all Security Group Members in a specific Security Group into two or more logical groups.

    In the procedure below, we use two logical groups denoted below as "A" and "B".

    You upgrade one logical group of the Security Group Members at one time.

    The other logical group(s) of the Security Group Members continues to handle traffic.

    Each logical group should contain the same number of Security Group Members - as close as possible.

    Environment

    Description

    Single Chassis

    • There are 8 SGMs in the Security Group.

    • The Logical Group "A" contains SGMs from 1_1 to 1_4.

    • The Logical Group "B" contains SGMs from 1_5 to 1_8.

    Single Chassis

    • There are 5 SGMs in the Security Group.

    • The Logical Group "A" contains SGMs from 1_1 to 1_3.

    • The Logical Group "B" contains SGMs from 1_4 to 1_5.

    Dual Chassis

    • There are 4 SGMs in the Security Group (on each Chassis).

    • The Logical Group "A" contains SGMs on Chassis1 from 1_1 to 1_4.

    • The Logical Group "B" contains SGMs on Chassis2 from 2_1 to 2_4.

  • In a Dual Chassis environment:

    • We recommend to upgrade all Security Group Members in each Security Group on one Chassis, and then upgrade all Security Group Members in the same Security Group on the next Chassis.

      Do this on one Security Group at a time.

    • To prevent a fail-over between Chassis during the upgrade, we recommend these steps for each Security Group:

      1. Connect to the command line on a Security Group.

      2. If your default shell is the Expert mode, then go to GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish:

        gclish

      3. Get the current Dual Chassis Active/Standby mode:

        show chassis high-availability mode

        Available Modes:

        Mode ID

        Mode Title

        Mode Description

        0

        Active/Standby - Active Up

        No primary Chassis.

        The currently Active Chassis stays Active unless it goes DOWN, or the Standby Chassis has a higher Chassis quality grade.

        1

        Active/Standby - Primary Up

        Active Chassis, always stays Active unless it goes DOWN, or the Standby Chassis has a higher Chassis quality grade.

        2

        Not available

        Not supported.

        3

        Standby Chassis VSLS Mode

        In VSX, provides Virtual System Load Sharing.

      4. Decide which of the Chassis is Active.

      5. Change the Dual Chassis Active/Standby mode to "Active/Standby - Primary Up":

        set chassis high-availability mode 1

      6. Change the Chassis Priority (enter the number of the currently Active Chassis):

        set chassis high-availability vs chassis_priority {1 | 2}

      7. Upgrade all Security Group Members on the "Standby" Chassis.

      8. On the upgraded Chassis, change the Dual Chassis Active/Standby mode to "Primary Up":

        set chassis high-availability mode 1

      9. On the upgraded Chassis, change the Chassis Priority (enter the number of the currently Active Chassis):

        set chassis high-availability vs chassis_priority {1 | 2}

      10. Upgrade all Security Group Members on the new "Standby" Chassis (former "Active" Chassis).

      11. Change the Dual Chassis Active/Standby mode to the previous mode:

        set chassis high-availability mode <Mode ID>

Important - You can install the R81.10 Jumbo Hotfix Accumulator only after you complete the entire upgrade procedure. Before you install it, you must log out from all Gaia gClish sessions.

Required software packages:

Download the required software packages from sk173363:

  1. The required Take of the Jumbo Hotfix AccumulatorClosed Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.

  2. The required CPUSE Deployment Agent for Scalable Platforms

  3. The R81.10 Upgrade Package for Scalable Platforms

Workflow:

  1. On the Management Server - Upgrade to the required version that can manage an R81.10 Security Group (see sk113113).

  2. On the Security Group - Install the required Jumbo HotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulator (using two logical groups of Security Group Members).

  3. On the Security Group - Install the required CPUSE Deployment Agent package for the Security Group.

  4. On the Security Group - Upgrade to R81.10 (using two logical groups of Security Group Members).

  5. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., install the policy.

Procedure:

Upgrade the Management Server to the required version that can manage an R81.10 Security Group (see the R81.10 Release Notes).

Important:

  • You must install the required Jumbo Hotfix Accumulator on all SGMs in the Security Group.

  • Before you install Jumbo Hotfix Accumulator, this procedure requires you to disable the SMOClosed See "SMO". Image Cloning feature on the Security Group.

    Do not enable the SMO Image Cloning feature on the Security Group until the upgrade procedure instructs you to do so.

Follow these instructions to install the required Jumbo Hotfix Accumulator from sk173363:

Installing and Uninstalling a Hotfix on SGMs

Important - You must do this step even if you upgrade again after a rollback procedure on the Security Group.

Step

Instructions

A

Transfer the CPUSE Deployment Agent package for Scalable Platforms (from sk173363) to the Security Group (into some directory, for example /var/log/).

B

Connect to the command line on the Security Group.

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Make sure the CPUSE Deployment Agent package exists:

ls -l /<Full Path>/<Name of CPUSE Deployment Agent Package>

E

Upgrade the CPUSE Deployment Agent:

update_sp_da /<Full Path>/<Name of CPUSE Deployment Agent Package>

Example:

update_sp_da /var/log/DeploymentAgent_XXXXXXXXX.tgz

F

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

G

Make sure all Security Group Members have the same build of the CPUSE Deployment Agent:

show installer status build

Step

Instructions

A

Make sure you have the applicable CPUSE Offline package:

R81.10 Upgrade Package for Scalable Platforms

B

Transfer the CPUSE Offline package to the Security Group (into some directory, for example /var/log/).

C

Connect to the command line on the Security Group.

D

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

E

Import the CPUSE Offline package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

Example:

[Global] HostName-ch01-01 > installer import local /var/log/Check_Point_R81.10_SP_Install_and_Upgrade.tar

F

Show the imported CPUSE packages:

show installer packages imported

G

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids all

Example:

[Global] HostName-ch01-01 > installer verify 2 member_ids all
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Upgrade is allowed.                          |
|1_02         |Upgrade is allowed.                          |
|1_03         |Upgrade is allowed.                          |
|1_04         |Upgrade is allowed.                          |
|1_05         |Upgrade is allowed.                          |
|1_06         |Upgrade is allowed.                          |
|1_07         |Upgrade is allowed.                          |
|1_08         |Upgrade is allowed.                          |
+-----------------------------------------------------------+
[Global] HostName-ch01-01 >

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "A" through the console.

  • Connect to one of the Security Group Members in the Logical Group "B" over SSH.

B

Go to the context of one of the Security Group Members in the Logical Group "A":

member <Member ID>

Example:

member 1_1

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Set the Security Group Members in the Logical Group "A" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "A"> down

Example:

[Expert@HostName-ch0x-0x:0]# g_clusterXL_admin -b 1_1-1_4 down

E

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

F

Upgrade the Security Group Members in the Logical Group "A":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_1-1_4
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Package is ready for installation            |
|1_02         |Package is ready for installation            |
|1_03         |Package is ready for installation            |
|1_04         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_02,1_02,1_03,1_04) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

G

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

H

Monitor the Security Group Members in the Logical Group "A" until they boot:

asg monitor

Important - By design, these Security Group Members boot into the "Down" state because these Critical Devices report their state as "problem" (run the "cphaprob state" command):

  • Fullsync

  • during_upgrade

  • DSD

Warning - This step applies only if Check Point Support or R&D explicitly instructed you to install a specific Hotfix on your specific Security Group in the middle of the upgrade.

For example, your Security Group might require a specific hotfix or a Jumbo Hotfix Accumulator Take to resolve a specific issue.

You are still connected to one of the Security Group Members in the Logical Group "A" and you are still working in the Expert mode.

Step

Instructions

A

Back up the current $SMODIR/bin/sp_upgrade script to your home directory:

cp -v $SMODIR/bin/sp_upgrade ~

ls -l ~/sp_upgrade

B

Transfer the CPUSE package for this Hotfix to the Security Group (into some directory, for example /var/log/).

C

Go from the Expert mode to Gaia gClish:

D

Import the CPUSE package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

E

Show the imported CPUSE packages:

show installer packages imported

F

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

G

Install the CPUSE package on the Security Group Members in the Logical Group "A":

installer install [Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    expert

I

Go to your home directory:

cd ~

pwd

J

Continue the upgrade procedure:

./sp_upgrade

Step

Instructions

A

Connect to one of the Security Group Members in the Logical Group "A" through the console.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run the upgrade script and follow the steps below:

sp_upgrade

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

From the left navigation panel, click Gateways & Servers.

C

Double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object for this Security Group.

D

In the left tree, click General.

E

In the Version field, select R81.10.

F

Click OK.

G

Publish the session (do not install the policy).

H

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Log in to the Expert mode.

C

On a Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., go to the context of the Main Domain Management Server that manages ‎this VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.:

mdsenv <IP Address or Name of Domain Management Server>

D

Run this command:

vsx_util upgrade

For more information, see the R81.10 VSX Administration Guide.

E

Log in with the administrator credentials.

F

Select this VSX Gateway object.

G

Change the object version to R81.10.

H

Follow the instructions on the screen.

Important - This step applies only to a Security Group in the Gateway mode.

In the VSX mode, the "vsx_util upgrade" command installed the required policy earlier.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Go to the Expert mode:

expert

C

Run the "install-policy" API (see the Check Point Management API Reference - search for install-policy).

 

On a Security Management Server, run:

mgmt_cli -d "SMC User" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • "SMC User" is a mandatory name of the Domain.

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Management Server's administrator credentials.

Example:

mgmt_cli -d "SMC User" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

 

On a Multi-Domain Server, run:

mgmt_cli -d "<IP Address or Name of Domain Management Server that manages this Security Gateway Object>" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Domain Management Server's administrator credentials.

Example:

mgmt_cli -d "MyDomainServer" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

D

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

In the 'sp_upgrade' shell script session, enter y or yes to confirm the clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. failover from the Security Group Members in the Logical Group "B" to the Security Group Members in the Logical Group "A".

Note - If the SSH section closed, connect again and run:

sp_upgrade --continue

Note - It is not necessary to set the Security Group Members in the Logical Group "B" to the state "DOWN", because the 'sp_upgrade' shell script already made this change.

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Go to the context of one Security Group Members in the Logical Group "B":

member <Member ID>

Example:

member 1_5

C

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

D

Upgrade the Security Group Members in the Logical Group "B":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_5-1_8
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_05 (local) |Package is ready for installation            |
|1_06         |Package is ready for installation            |
|1_07         |Package is ready for installation            |
|1_08         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_05,1_06,1_07,1_08) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

E

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

F

Monitor the Security Group Members in the Logical Group "B" until they boot:

asg monitor

Warning - This step applies only if Check Point Support or R&D explicitly instructed you to install a specific Hotfix on your specific Security Group in the middle of the upgrade.

For example, your Security Group might require a specific hotfix or a Jumbo Hotfix Accumulator Take to resolve a specific issue.

If earlier you installed the specific Hotfix on the Security Group Members in the Logical Group "A", then you must install the same Hotfix on the Security Group Members in the Logical Group "B".

You are still connected to one of the Security Group Members in the Logical Group "B" and you are still working in the Expert mode.

Step

Instructions

A

Back up the current $SMODIR/bin/sp_upgrade script to your home directory:

cp -v $SMODIR/bin/sp_upgrade ~

ls -l ~/sp_upgrade

B

Transfer the CPUSE package for this Hotfix to the Security Group (into some directory, for example /var/log/).

C

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    exit

D

Import the CPUSE package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

E

Show the imported CPUSE packages:

show installer packages imported

F

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

G

Install the CPUSE package on the Security Group Members in the Logical Group "B":

installer install [Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    expert

I

Go to your home directory:

cd ~

pwd

J

Continue the upgrade procedure:

./sp_upgrade

In the 'sp_upgrade' shell script session, enter y or yes to confirm the upgrade.

Note - If the SSH section closed, connect again and run:

sp_upgrade --continue

Note - This step applies only when the Security Group works in the VSX mode.

Step

Instructions

A

Close all SmartConsole windows.

To make sure, run the "cpstat mg" command on the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / in the context of each Domain Management Server.

B

Connect with Database Tool (GuiDBEdit Tool) to the Security Management Server / Domain Management Server that manages this Security Group.

C

In the upper left pane, go to Table > Network Objects > network_objects.

D

In the upper right pane, select the VSX Gateway object for this Security Group.

E

Press the CTRL+F keys (or go to Search menu > Find) > paste scalable_platform > click Find Next.

Example:

F

In the lower pane, right-click the scalable_platform attribute > select Edit... > select "true" > click OK.

Example:

G

Save the changes: go to the File menu > click Save All.

H

Repeat Steps D - G for the object of each Virtual System configured on this VSX Gateway.

I

Close the Database Tool (GuiDBEdit Tool).

Note - You install the policy in the next step.

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

Install the applicable Access Control policy on the Security Gateway object for this Security Group.

If this Security Group is configured in the VSX mode, you must install the applicable Access Control policy on each Virtual System.

C

On the Security Group, in the 'sp_upgrade' shell script session, enter y or yes to confirm.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run these commands:

asg diag verify

hcp -m all -r all