Multi-Version Cluster Limitations
Specific limitations apply to Multi-Version Cluster.
General limitations in Multi-Version Cluster configuration
-
The Multi-Version Cluster (MVC) upgrade does not support the replacement of the hardware (replacing the entire Cluster Member).
The MVC upgrade supports only multi-version software.
-
While the cluster contains Cluster Members that run different software versions (Multi-Version Cluster), it is not supported to change specific settings of the cluster object in SmartConsole:
-
You cannot change the cluster mode.
For example, from High Availability to Load Sharing.
-
In the High Availability mode, you cannot change the recovery mode.
For example, from Maintain current active Cluster Member to Switch to higher priority Cluster Member.
-
You cannot change the cluster topology.
Do not add, remove, or edit settings of cluster interfaces (IP addresses, Network Objectives, and so on).
In a VSX Cluster object, do not add, remove, or edit static routes.
Note - You can change these settings either before or after you upgrade all the Cluster Members.
-
While the cluster contains Cluster Members that run different software versions (Multi-Version Cluster), you must install the policy two times.
-
Multi-Version Cluster (MVC) does not support Cluster Members with Dynamically Assigned IP Addresses (DAIP).
Procedure
Important - In a VSX Cluster, it is possible to install policy only on the upgraded VSX Cluster Members that run R81.10. After you change the version of the VSX Cluster object to R81.10, the Management Server does not let you change it to the previous version.
-
Make the required changes in the Access Control or Threat Prevention policy.
-
In SmartConsole, change the version of the cluster object to R81.10:
On the General Properties page > in the Platform section > in the Version field, select R81.10 > click OK.
-
Install policy on the upgraded Cluster Members that run R81.10:
-
In the Policy field, select the applicable policy.
-
In the Install Mode section, select these two options:
-
Select Install on each selected gateway independently.
-
Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
-
Click Install.
The Policy installation:
-
Succeeds on the upgraded R81.10 Cluster Members.
-
Fails on the old Cluster Members with a warning. Ignore this warning.
-
In SmartConsole, change the version of the cluster object to the previous version:
On the General Properties page > in the Platform section > in the Version field, select the previous version > click OK.
-
Install policy on the old Cluster Members that run the previous version:
-
In the Policy field, select the applicable policy.
-
In the Install Mode section, select these two options:
-
Select Install on each selected gateway independently.
-
Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
-
Click Install.
The Policy installation:
-
Succeeds on the old Cluster Members.
-
Fails on the upgraded R81.10 Cluster Members with a warning. Ignore this warning.
Limitations during failover in Multi-Version Cluster
These connections do not survive failover between Cluster Members with different versions:
-
VPN:
-
During a cluster failover from an R81.10 Cluster Member to an R77.30 Cluster Member, all VPN connections on an R81.10 Cluster Member that are inspected on CoreXL Firewall instances #1 and higher are lost.
-
Mobile Access VPN connections.
-
Remote Access VPN connections.
-
VPN Traditional Mode connections.
-
Static NAT connections are cut off during a cluster failover from an R81.10 Cluster Member to an R80.10 or R77.30 Cluster Member, if VMAC mode is enabled in this cluster.
-
IPv6 connections.
-
PSL connections that are open during fail-over and then fail-back.
In addition, see the R81.10 ClusterXL Administration Guide > Chapter High Availability and Load Sharing Modes in ClusterXL > Section Cluster Failover.