Minimum Downtime Upgrade of a Security Gateway Cluster

Best Practice - Use the Central Deployment in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on). For more information, see the R81.10 Security Management Administration Guide > Chapter Managing Gateways > Section Central Deployment of Hotfixes and Version Upgrades.

Important - Before you upgrade a Cluster (two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing):

The procedure below is based on an example cluster with three Cluster Members M1, M2, and M3.
However, you can use it for clusters that consist of two or more Cluster Members.
Procedure:

- On each Cluster Member, change the CCP mode to Broadcast

  Important - This step applies only to R80.30 and lower with the Linux kernel 2.6 (run the "uname -r" command).

  Best Practice - To avoid possible problems with switches around the cluster during the upgrade, we recommend that you change the Cluster Control Protocol (CCP) mode to Broadcast.

  Note - In R80.40 and above, the Cluster Control Protocol (CCP) runs only in the Unicast mode. Therefore, after the upgrade, it is not necessary to change the CCP mode.

  Step 1. Connect to the command line on each Cluster Member (a Security Gateway that is part of a cluster).
  Step 2. Log in to the Expert mode.
  Step 3. Change the CCP mode to Broadcast:
          cphaconf set_ccp broadcast
          Notes:
          - This change does not require a reboot.
          - This change applies immediately and survives reboot.
  Step 4. Make sure the CCP mode is set to Broadcast:
          cphaprob -a if
- On the Cluster Member M3, upgrade to R81.10 with CPUSE, or perform a Clean Install of R81.10

  Important - You must reboot the Cluster Member after the upgrade or clean install.

- On the Cluster Member M2, upgrade to R81.10 with CPUSE, or perform a Clean Install of R81.10

  Important - You must reboot the Cluster Member after the upgrade or clean install.
- In SmartConsole, change the version of the cluster object

  Step 1. Connect with SmartConsole to the R81.10 Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) or Domain Management Server that manages this cluster.
  Step 2. From the left navigation panel, click Gateways & Servers.
  Step 3. Open the Cluster object.
  Step 4. From the left tree, click the General Properties page.
  Step 5. In the Platform section > Version field, select R81.10.
  Step 6. Click OK to close the Gateway Cluster Properties window.
- In SmartConsole, establish SIC with the Cluster Member M3

  Important - This step is required only if you performed a Clean Install of R81.10 on this Cluster Member.

  Step 1. Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this Cluster.
  Step 2. From the left navigation panel, click Gateways & Servers.
  Step 3. Open the cluster object.
  Step 4. From the left tree, click Cluster Members.
  Step 5. Select the object of this Cluster Member.
  Step 6. Click Edit.
  Step 7. On the General tab, click the Communication button.
  Step 8. Click Reset.
  Step 9. In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
  Step 10. In the Confirm one-time password field, enter the same Activation Key again.
  Step 11. Click Initialize.
  Step 12. The Trust state field must show Trust established.
  Step 13. Click Close to close the Communication window.
  Step 14. Click OK to close the Cluster Member Properties window.
  Step 15. Click OK to close the Gateway Cluster Properties window.
  Step 16. Publish the SmartConsole session.
- In SmartConsole, establish SIC with the Cluster Member M2

  Important - This step is required only if you performed a Clean Install of R81.10 on this Cluster Member.

  Step 1. Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this Cluster.
  Step 2. From the left navigation panel, click Gateways & Servers.
  Step 3. Open the cluster object.
  Step 4. From the left tree, click Cluster Members.
  Step 5. Select the object of this Cluster Member.
  Step 6. Click Edit.
  Step 7. On the General tab, click the Communication button.
  Step 8. Click Reset.
  Step 9. In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
  Step 10. In the Confirm one-time password field, enter the same Activation Key again.
  Step 11. Click Initialize.
  Step 12. The Trust state field must show Trust established.
  Step 13. Click Close to close the Communication window.
  Step 14. Click OK to close the Cluster Member Properties window.
  Step 15. Click OK to close the Gateway Cluster Properties window.
  Step 16. Publish the SmartConsole session.
- In SmartConsole, install the Access Control Policy

  Step 1. Click Install Policy.
  Step 2. In the Install Policy window:
          - In the Policy field, select the applicable Access Control Policy.
          - In the Install Mode section, configure these two options:
            - Select "Install on each selected gateway independently".
            - Clear "For gateway clusters, if installation on a cluster member fails, do not install on that cluster".
          - Click Install.
  Step 3. The Access Control Policy installation:
          - Succeeds on the upgraded Cluster Members M2 and M3.
          - Fails on the old Cluster Member M1 with a warning. Ignore this warning.
- On each Cluster Member, examine the cluster state

  Step 1. Connect to the command line on each Cluster Member.
  Step 2. Examine the cluster state in one of these ways:
          - In Gaia Clish (the default command line shell in the Check Point Gaia operating system; a restricted shell in which role-based administration controls the number of commands available) (R80.20 and higher), run:
            show cluster state
          - In the Expert mode, run:
            cphaprob state

  Important:
  - The cluster states of the upgraded Cluster Members M2 and M3 are Ready.
  - The cluster state of the old Cluster Member M1 is:
    - In R80.20 and higher - Active(!).
    - In R80.10 and lower - Active Attention.
- On the old Cluster Member M1, stop all Check Point services

  Step 1. Connect to the command line on the Cluster Member M1.
  Step 2. Stop all Check Point services:
          cpstop
          Notes:
          - This forces a controlled cluster failover from the old Cluster Member M1 to one of the upgraded Cluster Members.
          - At this moment, all connections that were initiated through the old Cluster Member M1 are dropped (because Cluster Members with different software versions cannot synchronize).
- On each Cluster Member, examine the cluster state

  Step 1. Connect to the command line on each Cluster Member.
  Step 2. Examine the cluster state in one of these ways:
          - In Gaia Clish, run:
            show cluster state
          - In the Expert mode, run:
            cphaprob state

  Important:
  - In the High Availability mode, one of the upgraded Cluster Members (M2 or M3) changes its cluster state to Active. The other upgraded Cluster Member (M2 or M3) changes its cluster state to Standby.
  - In the Load Sharing modes, all Cluster Members must be in the Active state.
- On the old Cluster Member M1, upgrade to R81.10 with CPUSE, or perform a Clean Install of R81.10

  Important - You must reboot the Cluster Member after the upgrade or clean install.

- In SmartConsole, establish SIC with the Cluster Member M1

  Important - This step is required only if you performed a Clean Install of R81.10 on this Cluster Member M1.

  Step 1. Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this Cluster.
  Step 2. From the left navigation panel, click Gateways & Servers.
  Step 3. Open the cluster object.
  Step 4. From the left tree, click Cluster Members.
  Step 5. Select the object of the Cluster Member M1.
  Step 6. Click Edit.
  Step 7. On the General tab, click the Communication button.
  Step 8. Click Reset.
  Step 9. In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
  Step 10. In the Confirm one-time password field, enter the same Activation Key again.
  Step 11. Click Initialize.
  Step 12. The Trust state field must show Trust established.
  Step 13. Click Close to close the Communication window.
  Step 14. Click OK to close the Cluster Member Properties window.
- In SmartConsole, install the Access Control Policy and Threat Prevention Policy on the Cluster object

  Step 1. Connect with SmartConsole to the R81.10 Security Management Server or Domain Management Server that manages this cluster.
  Step 2. From the left navigation panel, click Gateways & Servers.
  Step 3. Install the Access Control Policy:
          - Click Install Policy.
          - In the Policy field, select the applicable Access Control Policy.
          - In the Install Mode section, select these two options:
            - "Install on each selected gateway independently"
            - "For gateway clusters, if installation on a cluster member fails, do not install on that cluster"
          - Click Install.
          - The Access Control Policy must install successfully on all the Cluster Members.
  Step 4. Install the Threat Prevention Policy:
          - Click Install Policy.
          - In the Policy field, select the applicable Threat Prevention Policy.
          - Click Install.
          - The Threat Prevention Policy must install successfully on all the Cluster Members.
- On each Cluster Member, examine the cluster state

  Step 1. Connect to the command line on each Cluster Member.
  Step 2. Examine the cluster state in one of these ways:
          - In Gaia Clish, run:
            show cluster state
          - In the Expert mode, run:
            cphaprob state

  Important:
  - All Cluster Members must show the same information about the states of all Cluster Members.
  - In the High Availability mode, one Cluster Member must be in the Active state, and all other Cluster Members must be in the Standby state.
  - In the Load Sharing modes, all Cluster Members must be in the Active state.
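The three "examine the cluster state" checkpoints in this procedure each expect a different picture: Ready on the upgraded members with Active(!) on the old one, then one Active and one Standby upgraded member (or all Active in Load Sharing) once M1 is stopped, and finally exactly one Active member with the rest Standby (or all Active) after M1 is upgraded. The shell script below is an added example, not part of the Check Point guide: it parses the member table that "cphaprob state" (Expert mode) or "show cluster state" (Gaia Clish) prints and turns those expectations into exit codes, so the check can be scripted on each member instead of read by eye. The column layout it assumes (ID, optional "(local)", Unique Address, Assigned Load, State, Name) and the two sample outputs are constructed approximations, not captured appliance output, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): check the Cluster Member
# states reported by "cphaprob state" (Expert mode) or "show cluster state".
#
# ASSUMPTION: the member table has the columns
#   ID [ (local) ]  Unique Address  Assigned Load  State  Name
# and data rows start with the numeric member ID. The samples further down
# are CONSTRUCTED to match that layout; they are not captured appliance output.

# member_states OUTPUT
# Prints one line per Cluster Member: "<Name> <State>".
# The State text may contain spaces ("Active Attention" on R80.10 and lower),
# so it is everything between the Assigned Load column and the Name column.
member_states() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+[ \t]/ {
            load = 0
            for (i = 1; i <= NF; i++) if ($i ~ /%$/) { load = i; break }
            if (load == 0 || load + 1 >= NF) next   # not a member row
            state = $(load + 1)
            for (i = load + 2; i < NF; i++) state = state " " $i
            print $NF, state
        }'
}

# expect_state OUTPUT NAME STATE
# Exit 0 when member NAME reports exactly STATE (e.g. M1 "ACTIVE(!)").
expect_state() {
    member_states "$1" | grep -qxF "$2 $3"
}

# ha_healthy OUTPUT
# High Availability: exactly one member Active and every other member Standby.
# "Active(!)" or "Ready" members are not healthy and make the check fail.
ha_healthy() {
    member_states "$1" | awk '
        { st = tolower($2) }
        st == "active"  { active++ }
        st == "standby" { standby++ }
        END { exit !(NR >= 2 && active == 1 && standby == NR - 1) }'
}

# ls_healthy OUTPUT
# Load Sharing: every listed member must be Active.
ls_healthy() {
    member_states "$1" | awk '
        tolower($2) != "active" { bad = 1 }
        END { exit (bad || NR == 0) }'
}

# Constructed sample: the view after M2 and M3 were upgraded, before M1 was stopped.
SAMPLE_MIXED='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1          192.0.2.1       100%            ACTIVE(!)      M1
2 (local)  192.0.2.2       0%              READY          M2
3          192.0.2.3       0%              READY          M3
'

# Constructed sample: all three members on R81.10, High Availability mode.
SAMPLE_FINAL='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         M1
2          192.0.2.2       0%              STANDBY        M2
3          192.0.2.3       0%              STANDBY        M3

Active PNOTEs: None
'

# Stand-alone run: evaluate both constructed samples and report.
main() {
    expect_state "$SAMPLE_MIXED" M1 'ACTIVE(!)' && echo "mixed: M1 is Active(!) as expected"
    ha_healthy "$SAMPLE_MIXED" || echo "mixed: cluster not yet healthy (expected mid-upgrade)"
    ha_healthy "$SAMPLE_FINAL" && echo "final: one Active member, all others Standby"
}
main
```

On a Cluster Member you would run this from the Expert mode shell and feed it live output, for example ha_healthy "$(cphaprob state)", then branch on the exit status; because members of different versions do not synchronize, run it on every member rather than trusting one member's view, which is also why the final checkpoint asks that all members show the same information.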
- Test the functionality

  Step 1. Connect with SmartConsole to the R81.10 Security Management Server or Domain Management Server that manages this cluster.
  Step 2. From the left navigation panel, click Logs & Monitor > Logs.
  Step 3. Examine the logs from this Cluster to make sure it inspects the traffic as expected.

For more information: