Upgrading Maestro Environment - Minimum Downtime

This section describes the steps for upgrading a Maestro environment (the Quantum Maestro Orchestrators and the Security Groups) with Minimum Downtime.

This procedure supports only these upgrade paths for Security Groups:

  • from R81 to R81.10

  • from R80.30SP to R81.10

  • from R80.20SP to R81.10

Important - See these rollback procedures:

Important Notes for Quantum Maestro Orchestrators:

Important Notes for Security Groups:

  • Before you upgrade the Security Groups, you must upgrade the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages the Security Groups.

    See the R81.10 Installation and Upgrade Guide.

    Important - If there is at least one Security Group in VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, then the Management Server must run the R81.10 Jumbo Hotfix Accumulator Take 61 or higher.

  • This procedure applies to Security Groups in the Gateway mode and the VSX mode.

    In VSX mode, you must run all the commands in the context of VS0.

  • During the upgrade process, it is:

    • Forbidden to install policy on the Security Group, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to reboot Security Group Members, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to change the configuration of the Security Group and its Security Group Members.

    • Forbidden to install Hotfixes on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

    • Forbidden to install the Jumbo Hotfix Accumulator on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

  • To prevent down time, do not upgrade all the Security Group Members in a specific Security Group at the same time.

  • In this upgrade procedure, you divide all Security Group Members in a specific Security Group into two or more logical groups.

    In the procedure below, we use two logical groups denoted below as "A" and "B".

    You upgrade one logical group of the Security Group Members at one time.

    The other logical group(s) of the Security Group Members continues to handle traffic.

    Each logical group should contain the same number of Security Group Members - as close as possible.

    Environment

    Description

    Single Site

    • There are 8 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members from 1_5 to 1_8.

    Single Site

    • There are 5 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_3.

    • The Logical Group "B" contains Security Group Members from 1_4 to 1_5.

    Dual Site

    • There are 4 Security Group Members in the Security Group (on each Site).

    • The Logical Group "A" contains Security Group Members on Site 1 from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members on Site 2 from 2_1 to 2_4.

  • In a Dual Site environment:

    • We recommend to upgrade all Security Group Members in each Security Group on one Site, and then upgrade all Security Group Members in the same Security Group on the next Site.

      Do this on one Security Group at a time.

    • To prevent a fail-over between Sites during the upgrade, we recommend these steps for each Security Group:

      1. Connect to the command line on a Security Group.

      2. If your default shell is the Expert mode, then go to GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish:

        gclish

      3. Get the current Dual Site Active/Standby mode:

        show chassis high-availability mode

        Available Modes:

        Mode ID

        Mode Title

        Mode Description

        0

        Active/Standby - Active Up

        No primary Site.

        The currently Active Site stays Active unless it goes DOWN, or the Standby Site has a higher Site quality grade.

        1

        Active/Standby - Primary Up

        Active Site, always stays Active unless it goes DOWN, or the Standby Site has a higher Site quality grade.

        2

        Not available

        Not supported.

        3

        Standby Chassis VSLS Mode

        In VSX, provides Virtual System Load Sharing.

      4. Decide which of the Sites is Active.

      5. Change the Dual Site Active/Standby mode to "Active/Standby - Primary Up":

        set chassis high-availability mode 1

      6. Change the Site Priority (enter the number of the currently Active Site):

        set chassis high-availability vs chassis_priority {1 | 2}

      7. Upgrade all Security Group Members on the "Standby" Site.

      8. On the upgraded Site, change the Dual Site Active/Standby mode to "Primary Up":

        set chassis high-availability mode 1

      9. On the upgraded Site, change the Site Priority (enter the number of the currently Active Site):

        set chassis high-availability vs chassis_priority {1 | 2}

      10. Upgrade all Security Group Members on the new "Standby" Site (former "Active" Site).

      11. Change the Dual Site Active/Standby mode to the previous mode:

        set chassis high-availability mode <Mode ID>

  • If you upgrade a Security Group R80.30SP in the Gateway mode with the Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities., follow the instructions in sk175087 to save the Mobile Access configuration. To restore the Mobile Access configuration after the upgrade is complete, you must manually merge the content of the backed up files into the existing files.

Important - You can install the R81.10 Jumbo Hotfix Accumulator only after you complete the entire upgrade procedure. Before you install it, you must log out from all Gaia gClish sessions.

Required software packages:

Download the required software packages from sk173363:

  1. The required Take of the Jumbo Hotfix AccumulatorClosed Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.

  2. The required CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449. Deployment Agent for Quantum Maestro Orchestrators

  3. The required CPUSE Deployment Agent for Scalable Platforms

  4. The R81.10 Upgrade Package for Scalable Platforms

Workflow:

  1. On the Management Server - Upgrade to the required version that can manage an R81.10 Security Group (see sk113113).

  2. On the Orchestrator - Upgrade to R81.10 and install the required CPUSE Deployment Agent.

  3. On the Security Group - Run the Pre-Upgrade Verifier to make sure it is possible to upgrade the Security Group.

  4. On the Security Group R80.30SP in the Gateway mode with the Mobile Access Software Blade - Back up the Mobile Access configuration files.

  5. On the Security Group - Install the required Jumbo HotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulator (using two logical groups of Security Group Members).

  6. On the Security Group - Install the required CPUSE Deployment Agent package for the Security Group.

  7. On the Security Group - Upgrade to R81.10 (using two logical groups of Security Group Members).

  8. On the Management Server - For the Security Group in the VSX mode, configure the required attribute "scalable_platform"

  9. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., install the policy.

  10. On the Security Group in the Gateway mode with the Mobile Access Software Blade - Restore the Mobile Access configuration.

Procedure:

Upgrade the Management Server to the required version that can manage an R81.10 Security Group (see the R81.10 Release Notes).

Step

Instructions

A

If the Orchestrator runs R80.20SP, then install the R80.20SP Jumbo Hotfix Accumulator Take 326 or higher on the Orchestrator.

B

In the Orchestrator's Gaia PortalClosed Web interface for the Check Point Gaia operating system., from the left tree, go to Upgrades (CPUSE) > Status and Actions.

C

In the top right section, click Import Package.

D

Click Browse.

E

Go to the folder where you put the R81.10 Upgrade Package for Scalable Platforms from sk173363.

F

Select the R81.10 Upgrade Package for Scalable Platforms.

G

Click Open.

H

Click Import.

I

Above the list of packages, near the help icon, click the filter button that currently says "Showing Recommended packages" and click "All".

The filter must change to "Showing All packages".

J

Right-click the imported R81.10 CPUSE Offline Package and click Verify Update.

K

Right-click the imported R81.10 CPUSE Offline Package and click Upgrade.

Important:

  • Make sure to click Upgrade

    (do not click Install because it performs a clean install, which deletes all configuration and reboots all Security Group Members).

  • At the end of the upgrade, the Orchestrator reboots automatically.

You can install the CPUSE Deployment Agent on the Orchestrator in Gaia Portal (recommended), or Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Step

Instructions

A

With a web browser, connect to Gaia Portal at:

https://<IP address of Gaia Management Interface>

B

From the left tree, go to Upgrades (CPUSE) > Status and Actions.

C

In the top right section, click Install DA.

D

Click Browse.

E

Go to the folder where you put the Deployment Agent TGZ package from sk173363.

F

Select the Deployment Agent TGZ package.

G

Click Open.

H

Click Install.

I

Follow the instructions on the screen.

Step

Instructions

A

Transfer the Deployment Agent TGZ package (from sk173363) to the Orchestrator into some directory (for example /var/log/).

B

Connect to the command line on the Orchestrator.

C

Log in to the Expert mode.

D

Go to the directory with the Deployment Agent TGZ package:

cd /<path to>/<directory>/

Example:

cd /var/log

E

Unpack the TGZ package to extract the RPM package:

tar -zxvf <Name of CPUSE Deployment Agent Package>

Example:

tar -zxvf DeploymentAgent_XXXXXXXXX.tgz

F

Upgrade the current the RPM package:

ls -l

rpm -Uhv --force CPda-00-00.i386.rpm‎

G

Kill all running Gaia Clish daemons (they restart automatically):‎

killall -v clish clishd

H

Restart the Gaia ConfD daemon:

tellpm process:confd

tellpm process:confd t

I

Start the CPUSE Agent manually:

$DADIR/bin/dastart

Step

Instructions

A

Download this script to your computer:

https://supportcenter.checkpoint.com/file_download?id=124062

B

Copy this script from your computer to the Security Group.

Copy the script to some directory (for example, /var/log/).

C

Connect to the command line on the Security Group.

D

Log in to the Expert mode.

E

Run these commands in the order listed below:

cd /var/log/

chmod +x pre_upgrade_verifier.sh

./pre_upgrade_verifier.sh

Note - This step applies only when the Security Group works in the VSX mode.

Step

Instructions

A

Download the script "vsx_util_upgrade_verifier.sh" to your computer:

https://supportcenter.checkpoint.com/file_download?id=123847

B

Copy this script from your computer to the Management Server that manages this Security Group in VSX mode.

Copy the script to some directory (for example, /var/log/).

C

Connect to the command line on the Management Server.

D

Log in to the Expert mode.

E

On a Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., go to the context of the applicable Domain Management Server that manages this Security Group in VSX mode:

mdsenv <IP Address or Name of Domain Management Server>

F

Upgrade the version of a VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. object in the management database:

Warning - Make sure to close all SmartConsole clients connected to this Management Server.

vsx_util upgrade [-s <Mgmt Server>] [-u <UserName>]

For more information, see the R81.10 VSX Administration Guide > Chapter "Command Line Reference" > Section "vsx_util".

G

Log in with the Management Server administrator credentials.

H

Select the VSX Gateway object for this Security Group.

I

Change the version to R81.10.

J

Run the script you copied earlier to make sure the "vsx_util upgrade" command made the required changes.

Run the commands in the order listed below:

cd /var/log/

chmod +x vsx_util_upgrade_verifier.sh

./vsx_util_upgrade_verifier.sh <Name of the VSX Gateway object> R81.10

If you upgrade a Security Group R80.30SP in the Gateway mode with the Mobile Access Software Blade enabled, then back up the Mobile Access configuration files on the Security Group.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Create a directory for the Mobile Access configuration files:

mkdir /var/log/MAB

D

Copy the Mobile Access configuration files to the new directory.

For the list of the files you must collect, see sk175087.

cp -v /<Path>/<File> /var/log/MAB/<Path>-<File>

Example:

cp -v $CVPNDIR/conf/ReverseProxy_conf/ReverseProxyConf.xml /var/log/MAB/CVPNDIR-conf-ReverseProxy_conf-ReverseProxyConf.xml

E

Compress the directory with the Mobile Access configuration files:

tar cvf /var/log/MAB.tar /var/log/MAB

F

Transfer the TAR file from the Security Group to your computer.

Note - The SMO Image Cloning feature automatically clones all the required software packages to the Security Group Members during their boot. When you install or remove software packages gradually on Security Group Members, it is necessary to disable this feature, so that after a reboot the updated Security Group Members do not clone the software packages from the existing non-updated Security Group Members.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /bin/bash (Expert mode), then go to Gaia gClish:

gclish

C

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

D

Disable the SMO Image Cloning feature, if it is enabled:

set smo image auto-clone state off

E

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

Important:

  • You must install the required Jumbo Hotfix Accumulator on all Security Group Members in the Security Group.

  • Before you install Jumbo Hotfix Accumulator, this procedure requires you to disable the SMO Image Cloning feature on the Security Group.

    Do not enable the SMO Image Cloning feature on the Security Group until the upgrade procedure instructs you to do so.

Follow these instructions to install the required Jumbo Hotfix Accumulator from sk173363:

Installing a Hotfix Package on Security Group Members

Important - You must do this step even if you upgrade again after a rollback procedure on the Security Group.

Step

Instructions

A

Transfer the CPUSE Deployment Agent package for Scalable Platforms (from sk173363) to the Security Group (into some directory, for example /var/log/).

B

Connect to the command line on the Security Group.

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Make sure the CPUSE Deployment Agent package exists:

ls -l /<Full Path>/<Name of CPUSE Deployment Agent Package>

E

Upgrade the CPUSE Deployment Agent:

update_sp_da /<Full Path>/<Name of CPUSE Deployment Agent Package>

Example:

update_sp_da /var/log/DeploymentAgent_XXXXXXXXX.tgz

F

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

G

Make sure all Security Group Members have the same build of the CPUSE Deployment Agent:

show installer status build

Step

Instructions

A

Make sure you have the applicable CPUSE Offline package:

R81.10 Upgrade Package for Scalable Platforms

B

Transfer the CPUSE Offline package to the Security Group (into some directory, for example /var/log/).

C

Connect to the command line on the Security Group.

D

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

E

Import the CPUSE Offline package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

Example:

[Global] HostName-ch01-01 > installer import local /var/log/Check_Point_R81.10_SP_Install_and_Upgrade.tar

F

Show the imported CPUSE packages:

show installer packages imported

G

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids all

Example:

[Global] HostName-ch01-01 > installer verify 2 member_ids all
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Upgrade is allowed.                          |
|1_02         |Upgrade is allowed.                          |
|1_03         |Upgrade is allowed.                          |
|1_04         |Upgrade is allowed.                          |
|1_05         |Upgrade is allowed.                          |
|1_06         |Upgrade is allowed.                          |
|1_07         |Upgrade is allowed.                          |
|1_08         |Upgrade is allowed.                          |
+-----------------------------------------------------------+
[Global] HostName-ch01-01 >

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "A" through the console.

  • Connect to one of the Security Group Members in the Logical Group "B" over SSH.

B

Go to the context of one of the Security Group Members in the Logical Group "A":

member <Member ID>

Example:

member 1_1

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Set the Security Group Members in the Logical Group "A" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "A"> down

Example:

[Expert@HostName-ch0x-0x:0]# g_clusterXL_admin -b 1_1-1_4 down

E

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

F

Upgrade the Security Group Members in the Logical Group "A":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_1-1_4
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Package is ready for installation            |
|1_02         |Package is ready for installation            |
|1_03         |Package is ready for installation            |
|1_04         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_02,1_02,1_03,1_04) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

G

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

H

Monitor the Security Group Members in the Logical Group "A" until they boot:

asg monitor

Important - By design, these Security Group Members boot into the "Down" state because these Critical Devices report their state as "problem" (run the "cphaprob state" command):

  • Fullsync

  • during_upgrade

  • DSD

Warning - This step applies only if Check Point Support or R&D explicitly instructed you to install a specific Hotfix on your specific Security Group in the middle of the upgrade.

For example, your Security Group might require a specific hotfix or a Jumbo Hotfix Accumulator Take to resolve a specific issue.

You are still connected to one of the Security Group Members in the Logical Group "A" and you are still working in the Expert mode.

Step

Instructions

A

Back up the current $SMODIR/bin/sp_upgrade script to your home directory:

cp -v $SMODIR/bin/sp_upgrade ~

ls -l ~/sp_upgrade

B

Transfer the CPUSE package for this Hotfix to the Security Group (into some directory, for example /var/log/).

C

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    exit

D

Import the CPUSE package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

E

Show the imported CPUSE packages:

show installer packages imported

F

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

G

Install the CPUSE package on the Security Group Members in the Logical Group "A":

installer install [Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    expert

I

Go to your home directory:

cd ~

pwd

J

Continue the upgrade procedure:

./sp_upgrade

Step

Instructions

A

Connect to one of the Security Group Members in the Logical Group "A" through the console.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run the upgrade script and follow the steps below:

sp_upgrade

Note - This step applies only to a Security Group in the Gateway mode.

In the VSX mode, you changed the object version earlier with the "vsx_util upgrade" command.

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

From the left navigation panel, click Gateways & Servers.

C

Double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object for this Security Group.

D

In the left tree, click General.

E

In the Version field, select R81.10.

F

Click OK.

G

Publish the session (do not install the policy).

H

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

Important - This step applies only to a Security Group in the Gateway mode.

In the VSX mode, the "vsx_util upgrade" command installed the required policy earlier.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Go to the Expert mode:

expert

C

Run the "install-policy" API (see the Check Point Management API Reference - search for install-policy).

 

On a Security Management Server, run:

mgmt_cli -d "SMC User" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • "SMC User" is a mandatory name of the Domain.

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Management Server's administrator credentials.

Example:

mgmt_cli -d "SMC User" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

 

On a Multi-Domain Server, run:

mgmt_cli -d "<IP Address or Name of Domain Management Server that manages this Security Gateway Object>" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Domain Management Server's administrator credentials.

Example:

mgmt_cli -d "MyDomainServer" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

D

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

In the 'sp_upgrade' shell script session, enter y or yes to confirm the clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. failover from the Security Group Members in the Logical Group "B" to the Security Group Members in the Logical Group "A".

Note - If the SSH section closed, connect again and run:

sp_upgrade --continue

Note - It is not necessary to set the Security Group Members in the Logical Group "B" to the state "DOWN", because the 'sp_upgrade' shell script already made this change.

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Go to the context of one Security Group Members in the Logical Group "B":

member <Member ID>

Example:

member 1_5

C

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

D

Upgrade the Security Group Members in the Logical Group "B":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_5-1_8
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_05 (local) |Package is ready for installation            |
|1_06         |Package is ready for installation            |
|1_07         |Package is ready for installation            |
|1_08         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_05,1_06,1_07,1_08) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

E

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

F

Monitor the Security Group Members in the Logical Group "B" until they boot:

asg monitor

Warning - This step applies only if Check Point Support or R&D explicitly instructed you to install a specific Hotfix on your specific Security Group in the middle of the upgrade.

For example, your Security Group might require a specific hotfix or a Jumbo Hotfix Accumulator Take to resolve a specific issue.

If earlier you installed the specific Hotfix on the Security Group Members in the Logical Group "A", then you must install the same Hotfix on the Security Group Members in the Logical Group "B".

You are still connected to one of the Security Group Members in the Logical Group "B" and you are still working in the Expert mode.

Step

Instructions

A

Back up the current $SMODIR/bin/sp_upgrade script to your home directory:

cp -v $SMODIR/bin/sp_upgrade ~

ls -l ~/sp_upgrade

B

Transfer the CPUSE package for this Hotfix to the Security Group (into some directory, for example /var/log/).

C

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    exit

D

Import the CPUSE package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

E

Show the imported CPUSE packages:

show installer packages imported

F

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

G

Install the CPUSE package on the Security Group Members in the Logical Group "B":

installer install [Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    expert

I

Go to your home directory:

cd ~

pwd

J

Continue the upgrade procedure:

./sp_upgrade

In the 'sp_upgrade' shell script session, enter y or yes to confirm the upgrade.

Note - If the SSH section closed, connect again and run:

sp_upgrade --continue

Note - This step applies only when the Security Group works in the VSX mode.

Step

Instructions

A

Close all SmartConsole windows.

To make sure, run the "cpstat mg" command on the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / in the context of each Domain Management Server.

B

Connect with Database Tool (GuiDBEdit Tool) to the Security Management Server / Domain Management Server that manages this Security Group.

C

In the upper left pane, go to Table > Network Objects > network_objects.

D

In the upper right pane, select the VSX Gateway object for this Security Group.

E

Press the CTRL+F keys (or go to Search menu > Find) > paste scalable_platform > click Find Next.

Example:

F

In the lower pane, right-click the scalable_platform attribute > select Edit... > select "true" > click OK.

Example:

G

Save the changes: go to the File menu > click Save All.

H

Repeat Steps D - G for the object of each Virtual System configured on this VSX Gateway.

I

Close the Database Tool (GuiDBEdit Tool).

Note - You install the policy in the next step.

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

Install the applicable Access Control policy on the Security Gateway object for this Security Group.

If this Security Group is configured in the VSX mode, you must install the applicable Access Control policy on each Virtual System.

C

On the Security Group, in the 'sp_upgrade' shell script session, enter y or yes to confirm.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run these commands:

asg diag verify

hcp -m all -r all

If you upgraded a Security Group R80.30SP in the Gateway mode with the Mobile Access Software Blade enabled, then to restore the Mobile Access configuration, you must manually merge the content of the backed up files into the existing files on the Security Group.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /etc/cli.sh (Gaia Clish), then go to the Expert mode:

expert

C

Edit the applicable files:

vi /<Path>/<File>

Important - Do not copy the backed up files to the upgraded Security Group. The file syntax and content change between versions.

D

Save the changes in the file and exit the editor.

E

Copy the modified file to all Security Group Members:

asg_cp2blades /<Path>/<File>

Example:

asg_cp2blades $CVPNDIR/conf/ReverseProxy_conf/ReverseProxyConf.xml

F

Restart the Mobile Access services:

cvpnrestart