Rolling Back a Failed Upgrade of a Security Group - Minimum Downtime

This section describes the steps to roll back a failed upgrade of a Security Group from R81.10 with Minimum Downtime.

This procedure supports only these downgrade paths for Security Groups:

  • from R81.10 to R81

  • from R81.10 to R80.30SP

  • from R81.10 to R80.20SP

Warning - Before you follow the downgrade procedure, revert all changes you made in the topology after the upgrade procedure. This applies, for example, if after the upgrade you added or removed interfaces, changed the configuration of interfaces, or added or removed Security Group Members in the Security Group.

Important:

  • Use this rollback procedure if you upgraded all Security Group Members in the Security Group and it is not necessary to keep the current connections.

    If traffic must not be interrupted, then follow the procedure Rolling Back a Failed Upgrade of a Security Group - Zero Downtime.

  • Schedule a maintenance window because this procedure interrupts all traffic that passes through the Security Group.

    This rollback procedure saves time because you revert all upgraded Security Group Members in a specific Security Group at the same time.

Step 1. Connect to the command line on the Security Group.

Step 2. If your default shell is /bin/bash (Expert mode), then go to the Gaia gClish:

    gclish

Step 3. Disable the SMO Image Cloning feature:

Note - The SMO Image Cloning feature automatically clones all the required software packages to the Security Group Members during their boot. When you install or remove software packages gradually on Security Group Members, it is necessary to disable this feature, so that after a reboot the updated Security Group Members do not clone the software packages from the existing non-updated Security Group Members.

  1. Examine the state of the SMO Image Cloning feature:

    show smo image auto-clone state

  2. Disable the SMO Image Cloning feature, if it is enabled:

    set smo image auto-clone state off

  3. Examine the state of the SMO Image Cloning feature:

    show smo image auto-clone state

Step 4. Restore the Gaia automatic snapshot that was saved automatically before the upgrade:

    set snapshot revert AutoSnapShot_<Original-Version>_<Take>

Example:

    set snapshot revert AutoSnapShot_AutoSnapShot_R81_47

Step 5. Wait for the Security Group Members to complete the reboot.

Step 6. Connect to the command line on the Security Group.

Step 7. If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

    expert

Step 8. Run the upgrade script with the "revert" parameter and follow the instructions on the screen:

    sp_upgrade --revert

Step 9. Make sure the downgrade was successful:

    asg diag verify
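
A pre-flight check for the snapshot revert step, as an added example that is not part of the original page and not Check Point code: it picks the revert target from a list of snapshot names and refuses to continue unless exactly one matches a downgrade path this procedure supports. The function names and the one-name-per-line input are assumptions, and the sample names are constructed.

```shell
#!/bin/bash
# Added example, not Check Point code. Function names are hypothetical.
# Downgrade targets this procedure supports, as listed on the page.
SUPPORTED_TARGETS="R81 R80.30SP R80.20SP"

# Print the version encoded in AutoSnapShot_<Original-Version>_<Take>.
# A repeated "AutoSnapShot_" prefix is accepted, as in the page's example.
snapshot_version() {
    local rest="$1" take
    case $rest in AutoSnapShot_*) ;; *) return 1 ;; esac
    while [ "${rest#AutoSnapShot_}" != "$rest" ]; do
        rest=${rest#AutoSnapShot_}
    done
    take=${rest##*_}
    case $take in ''|*[!0-9]*) return 1 ;; esac   # Take must be numeric
    [ "$rest" != "$take" ] || return 1             # version part missing
    printf '%s\n' "${rest%_*}"
}

# Read snapshot names (one per line) on stdin and print the single
# "set snapshot revert" command for gClish. Fails when no snapshot, or more
# than one, matches a supported downgrade target.
revert_command() {
    local name version target match="" count=0
    while IFS= read -r name; do
        version=$(snapshot_version "$name") || continue
        for target in $SUPPORTED_TARGETS; do
            if [ "$version" = "$target" ]; then
                match=$name
                count=$((count + 1))
            fi
        done
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 revertible snapshot, found $count" >&2
        return 1
    fi
    printf 'set snapshot revert %s\n' "$match"
}

# Constructed sample input: one automatic snapshot for a supported target,
# one manual snapshot, one automatic snapshot for an unsupported version.
sample_snapshots() {
    printf '%s\n' "AutoSnapShot_R81_47" "pre_change_backup" "AutoSnapShot_R80.40_12"
}

sample_snapshots | revert_command
```

Run the printed command in gClish only when the function exits with status 0; a non-zero status means the revert target needs a manual decision before the maintenance window starts.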