Minimum Downtime Upgrade of a VSX Cluster
Best Practice - Use the Central Deployment in SmartConsole. For more information, see the R81.10 Security Management Administration Guide > Chapter Managing Gateways > Section Central Deployment of Hotfixes and Version Upgrades.
Important - Before you upgrade a VSX Cluster:
The procedure below describes an example VSX Cluster with three VSX Cluster Members M1, M2, and M3.
However, you can use it for clusters that consist of two or more Cluster Members.
Procedure:
-
On the Management Server, upgrade the configuration of the VSX Cluster object to R81.10
Step
Instructions
1
Connect to the command line on the Security Management Server or Multi-Domain Server that manages this VSX Cluster.
2
Log in to the Expert mode.
3
On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages this VSX Cluster object:
mdsenv <IP Address or Name of Main Domain Management Server>
4
Upgrade the configuration of the VSX Cluster object to R81.10:
vsx_util upgrade
This command is interactive.
Enter these details to log in to the management database:
-
IP address of the Security Management Server or Main Domain Management Server that manages this VSX Cluster
-
Management Server administrator's username
-
Management Server administrator's password
Select your VSX Cluster.
Select R81.10.
For auditing purposes, save the vsx_util log file:
-
On a Security Management Server:
/opt/CPsuite-R81.10/fw1/log/vsx_util_YYYYMMDD_HH_MM.log
-
On a Multi-Domain Server:
/opt/CPmds-R81.10/customers/<Name_of_Domain>/CPsuite-R81.10/fw1/log/vsx_util_YYYYMMDD_HH_MM.log
5
Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
6
From the left navigation panel, click Gateways & Servers.
7
Open the VSX Cluster object.
8
From the left tree, click the General Properties page.
9
Make sure in the Platform section, the Version field shows R81.10.
10
Click Cancel (do not click OK).
Note - If you click OK, the Management Server pushes the VSX configuration to the VSX Cluster. Because the VSX Cluster is not upgraded yet, this operation would fail.
-
-
On each VSX Cluster Member, change the CCP mode to Broadcast
Important - This step does not apply to R80.30 with Linux kernel 3.10 (run the "uname -r" command).
Best Practice - To avoid possible problems with switches around the cluster during the upgrade, we recommend that you change the Cluster Control Protocol (CCP) mode to Broadcast.
Step
Instructions
1
Connect to the command line on each VSX Cluster Member.
2
Log in to the Expert mode.
3
Change the CCP mode to Broadcast:
cphaconf set_ccp broadcast
Notes:
-
This change does not require a reboot.
-
This change applies immediately and survives reboot.
4
Make sure the CCP mode is set to Broadcast:
cphaprob -a if
-
-
On the VSX Cluster Member M3, upgrade to R81.10 with CPUSE, or perform a Clean Install of R81.10
Important - You must reboot the VSX Cluster Member after the upgrade or clean install.
-
On the VSX Cluster Member M2, upgrade to R81.10 with CPUSE, or perform a Clean Install of R81.10
Important - You must reboot the VSX Cluster Member after the upgrade or clean install.
-
In SmartConsole, establish SIC with the VSX Cluster Member M3
Important - This step is required only if you performed a Clean Install of R81.10 on this VSX Cluster Member.
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2
From the left navigation panel, click Gateways & Servers.
3
Open the cluster object.
4
From the left tree, click Cluster Members.
5
Select the object of this VSX Cluster Member.
6
Click Edit.
7
On the General tab, click the Communication button.
8
Click Reset.
9
In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
10
In the Confirm one-time password field, enter the same Activation Key again.
11
Click Initialize.
12
The Trust state field must show Trust established.
13
Click Close to close the Communication window.
14
Click OK to close the Cluster Member Properties window.
15
Click OK to close the Gateway Cluster Properties window.
16
Publish the SmartConsole session.
-
In SmartConsole, establish SIC with the VSX Cluster Member M2
Important - This step is required only if you performed a Clean Install of R81.10 on this VSX Cluster Member.
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2
From the left navigation panel, click Gateways & Servers.
3
Open the cluster object.
4
From the left tree, click Cluster Members.
5
Select the object of this VSX Cluster Member.
6
Click Edit.
7
On the General tab, click the Communication button.
8
Click Reset.
9
In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
10
In the Confirm one-time password field, enter the same Activation Key again.
11
Click Initialize.
12
The Trust state field must show Trust established.
13
Click Close to close the Communication window.
14
Click OK to close the Cluster Member Properties window.
15
Click OK to close the Gateway Cluster Properties window.
16
Publish the SmartConsole session.
-
In SmartConsole, install the Access Control Policy
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2
From the left navigation panel, click Gateways & Servers.
3
Click Install Policy.
4
In the Install Policy window:
-
In the Policy field, select the default policy for this VSX Cluster object.
This policy is called:
<Name of VSX Cluster object>_VSX
-
In the Install Mode section, configure these two options:
-
Select Install on each selected gateway independently.
-
Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
-
-
Click Install.
5
The policy installation:
-
Succeeds on the upgraded VSX Cluster Members M2 and M3.
-
Fails on the old VSX Cluster Member M1 with a warning. Ignore this warning.
-
-
On each VSX Cluster Member, examine the VSX configuration and cluster state
Step
Instructions
1
Connect to the command line on each VSX Cluster Member.
2
Log in to the Expert mode.
3
Examine the VSX configuration:
vsx stat -v
Important:
-
Make sure all the configured Virtual Devices are loaded.
-
Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.
4
Examine the cluster state in one of these ways:
-
In Gaia Clish (R80.20 and higher), run:
set virtual-system 0
show cluster state
-
In the Expert mode, run:
vsenv 0
cphaprob state
Important:
-
The cluster states of the upgraded VSX Cluster Members M2 and M3 are Ready.
-
The cluster state of the old VSX Cluster Member M1 is:
-
In R80.20 and higher - Active(!).
-
In R80.10 and lower - Active Attention.
-
-
-
On the old VSX Cluster Member M1, stop all Check Point services
Step
Instructions
1
Connect to the command line on the VSX Cluster Member M1.
2
Stop all Check Point services:
cpstop
Notes:
-
This forces a controlled cluster failover from the old VSX Cluster Member M1 to one of the upgraded VSX Cluster Members.
-
At this moment, all connections that were initiated through the old VSX Cluster Member M1 are dropped (because VSX Cluster Members with different software versions cannot synchronize).
-
-
On the upgraded VSX Cluster Members M2 and M3, examine the cluster state
Step
Instructions
1
Connect to the command line on each Cluster Member M2 and M3.
2
Examine the cluster state in one of these ways:
-
In Gaia Clish, run:
show cluster state
-
In the Expert mode, run:
cphaprob state
Important:
-
One of the VSX Cluster Members (M2 or M3) changes its cluster state to Active.
-
The other VSX Cluster Member (M2 or M3) changes its cluster state to Standby.
-
-
On the old VSX Cluster Member M1, upgrade to R81.10 with CPUSE, or perform a Clean Install of R81.10
Important - You must reboot the VSX Cluster Member after the upgrade or clean install.
-
In SmartConsole, establish SIC with the VSX Cluster Member M1
Important - This step is required only if you performed a Clean Install of R81.10 on this VSX Cluster Member.
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2
From the left navigation panel, click Gateways & Servers.
3
Open the cluster object.
4
From the left tree, click Cluster Members.
5
Select the object of this VSX Cluster Member.
6
Click Edit.
7
On the General tab, click the Communication button.
8
Click Reset.
9
In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
10
In the Confirm one-time password field, enter the same Activation Key again.
11
Click Initialize.
12
The Trust state field must show Trust established.
13
Click Close to close the Communication window.
14
Click OK to close the Cluster Member Properties window.
15
Click OK to close the Gateway Cluster Properties window.
16
Publish the SmartConsole session.
-
In SmartConsole, install the policy
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server or Main Domain Management Server that manages this VSX Cluster.
2
From the left navigation panel, click Gateways & Servers.
3
Install the default policy on the VSX Cluster object:
-
Click Install Policy.
-
In the Policy field, select the default policy for this VSX Cluster object.
This policy is called:
<Name of VSX Cluster object>_VSX
-
In the Install Mode section, select these two options:
-
Install on each selected gateway independently
-
For gateway clusters, if installation on a cluster member fails, do not install on that cluster
-
-
Click Install.
-
The default policy must install successfully on all the VSX Cluster Members.
4
Install the Threat Prevention Policy on the VSX Cluster object:
-
Click Install Policy.
-
In the Policy field, select the applicable Threat Prevention Policy for this VSX Cluster object.
-
Click Install.
-
The Threat Prevention Policy must install successfully on all the VSX Cluster Members.
-
-
On each VSX Cluster Member, examine the VSX configuration and cluster state
Step
Instructions
1
Connect to the command line on each VSX Cluster Member.
2
Log in to the Expert mode.
3
Examine the VSX configuration:
vsx stat -v
Important:
-
Make sure all the configured Virtual Devices are loaded.
-
Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.
4
Examine the cluster state in one of these ways:
-
In Gaia Clish, run:
set virtual-system 0
show cluster state
-
In the Expert mode, run:
vsenv 0
cphaprob state
Important:
-
All VSX Cluster Members must show the same information about the states of all VSX Cluster Members.
-
In the High Availability mode, one VSX Cluster Member must be in the Active state, and all other VSX Cluster Members must be in Standby state.
-
In the Virtual System Load Sharing mode, all VSX Cluster Members must be in the Active state.
-
All Virtual Systems must show the same information about the states of all Virtual Systems.
5
Examine the cluster interfaces in one of these ways:
-
In Gaia Clish, run:
set virtual-system 0
show cluster members interfaces all
-
In the Expert mode, run:
vsenv 0
cphaprob -a if
-
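The command-line checks this page asks for at three points (the CCP mode after cphaconf set_ccp broadcast, the mid-upgrade cluster states Ready / Active(!) in the first "examine" section, and the post-upgrade checks of vsx stat -v and cphaprob state in the section just above) can be scripted so that each member is verified the same way. The script below is an added example written for this page; it is not Check Point code and does not appear in the original procedure. It only parses the text those commands print, and it assumes the approximate column layouts shown in its constructed sample outputs (the member names, addresses, Virtual System names and timestamps in the samples are invented, not captured from a real gateway). MODE and MEMBERS are hypothetical parameters of this example, not Check Point settings.

```shell
#!/bin/sh
# Added verification helpers for the VSX cluster upgrade procedure on this page.
# Example code, not Check Point's. It parses the text that "cphaprob -a if",
# "cphaprob state" and "vsx stat -v" print; the samples below are constructed
# approximations of the R80.20+/R81.10 layouts. Adjust the awk patterns if your
# build prints the columns differently.
MODE=${MODE:-ha}        # hypothetical parameter: ha | vsls
MEMBERS=${MEMBERS:-3}   # hypothetical parameter: number of cluster members

# CCP mode word ("Broadcast", "Unicast", ...) from "cphaprob -a if" on stdin.
ccp_mode() {
    awk '/CCP/ && /mode:/ { gsub(/[()]/, " "); print $NF; exit }'
}

# Number of member rows in "cphaprob state" output (stdin) whose State column
# equals $1, compared case-insensitively (ACTIVE, STANDBY, READY, "ACTIVE(!)").
count_state() {
    awk -v want="$1" '
        /^[0-9]+ / { for (i = 1; i <= NF; i++) if (toupper($i) == toupper(want)) n++ }
        END { print n + 0 }'
}

# Mid-upgrade picture: $1 upgraded members in READY, exactly one old member in
# ACTIVE(!). Pre-R80.20 prints "Active Attention" instead; not handled here.
check_mid_upgrade() {
    out=$(cat)
    [ "$(printf '%s\n' "$out" | count_state READY)" -eq "$1" ] &&
    [ "$(printf '%s\n' "$out" | count_state 'ACTIVE(!)')" -eq 1 ]
}

# Final picture. $1 = ha | vsls, $2 = member count.
# High Availability: one ACTIVE, the rest STANDBY. VSLS: every member ACTIVE.
check_final() {
    out=$(cat)
    active=$(printf '%s\n' "$out" | count_state ACTIVE)
    standby=$(printf '%s\n' "$out" | count_state STANDBY)
    case "$1" in
        ha)   [ "$active" -eq 1 ] && [ "$standby" -eq $(( $2 - 1 )) ] ;;
        vsls) [ "$active" -eq "$2" ] && [ "$standby" -eq 0 ] ;;
        *)    echo "check_final: mode must be ha or vsls" >&2; return 2 ;;
    esac
}

# Exit 0 only if every "[active / configured]" counter in "vsx stat -v" output
# (stdin) shows all configured Virtual Devices loaded.
all_vds_loaded() {
    awk -F: '/\[active \/ configured\]/ { split($2, c, "/"); if (c[1] + 0 != c[2] + 0) bad++ }
             END { exit bad ? 1 : 0 }'
}

# IDs of Virtual Devices whose SIC column in "vsx stat -v" output is not "Trust".
# The Access Policy column is still reviewed by eye (routers show "<Not Applicable>").
untrusted_vds() {
    awk -F'|' 'NF >= 5 && $1 ~ /^[ \t]*[0-9]+[ \t]*$/ {
        sic = $NF; gsub(/^[ \t]+|[ \t]+$/, "", sic)
        if (sic != "Trust") { id = $1; gsub(/[ \t]/, "", id); print id }
    }'
}

# Constructed sample outputs (invented names and addresses, not real captures).
SAMPLE_IF='CCP mode: Manual (Broadcast)
Required interfaces: 3
Required secured interfaces: 1

Interface Name:      Status:
eth0 (S)             UP
eth1                 UP'

SAMPLE_MID='Cluster Mode:   Virtual System Load Sharing (Primary Up)

ID         Unique Address  Assigned Load   State          Name
1          192.168.1.1     100%            ACTIVE(!)      M1
2 (local)  192.168.1.2     0%              READY          M2
3          192.168.1.3     0%              READY          M3'

SAMPLE_FINAL='Cluster Mode:   High Availability (Active Up)

ID         Unique Address  Assigned Load   State          Name
1          192.168.1.1     0%              STANDBY        M1
2 (local)  192.168.1.2     100%            ACTIVE         M2
3          192.168.1.3     0%              STANDBY        M3'

SAMPLE_VSX='VSX Gateway Status
==================
Name:           VSX_Cluster
Virtual Systems [active / configured]:                2 / 2
Virtual Routers and Switches [active / configured]:   1 / 1

Virtual Devices Status
======================
ID  | Type & Name      | Access Policy      | Installed at        | SIC Stat
----+------------------+--------------------+---------------------+---------
  1 | S VS1            | VS1_Policy         | 14Mar2024 09:12:01  | Trust
  2 | S VS2            | VS2_Policy         | 14Mar2024 09:12:40  | Trust
  3 | R VR1            | <Not Applicable>   |                     | Trust'

# On a cluster member (Expert mode, VS0 context, as the page describes) run the
# real commands through the helpers. Skipped where the Check Point tools are
# absent, so the helpers can be exercised offline against the samples above.
run_live() {
    echo "CCP mode: $(cphaprob -a if | ccp_mode)"
    vs=$(vsx stat -v)
    printf '%s\n' "$vs" | all_vds_loaded || echo "WARN: not all configured Virtual Devices are loaded"
    printf '%s\n' "$vs" | untrusted_vds | sed 's/^/WARN: no SIC Trust for Virtual Device ID /'
    cphaprob state | check_final "$MODE" "$MEMBERS" && echo "cluster states OK" || echo "WARN: unexpected cluster states"
}
if command -v cphaprob >/dev/null 2>&1; then run_live; fi
```

Run it on each member after the final policy installation; during the upgrade window, pipe cphaprob state into check_mid_upgrade with the number of members already upgraded (2 in the three-member example above) to confirm the Ready / Active(!) picture before you run cpstop on the old member.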
-
Test the functionality
Step
Instructions
1
Connect with SmartConsole to the R81.10 Security Management Server or each Target Domain Management Server that manages the Virtual Systems on this VSX Cluster.
2
From the left navigation panel, click Logs & Monitor > Logs.
3
Examine the logs from the Virtual Systems on this VSX Cluster to make sure they inspect the traffic as expected.
For more information, see the: