Upgrading Scalable Chassis Environment to R81.20 - Zero Downtime

This section describes the steps for upgrading Scalable Chassis as a Multi-Version Cluster (MVC).

This procedure supports only these upgrade paths for Security Groups:

  • from R81.10 to R81.20

  • from R81 to R81.20

Warning - Multi-Version Cluster (Zero Downtime) upgrade from R81 / R81.10 to R81.20 is not supported if a Security GroupClosed A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. has Bond interfaces in the 802.3ad (LACP) mode on Uplink ports (Known Limitation PMTR-88191).

Important - See these rollback procedures:

Important Notes for Scalable Chassis:

Important Notes for Security Groups:

  • Before you upgrade the Security Groups, you must upgrade the Management Server that manages the Security Groups.

    See the R81.20 Installation and Upgrade Guide.

  • This procedure applies to Security Groups in the Gateway mode and the VSX mode.

    In VSX mode, you must run all the commands in the context of VS0.

  • During the upgrade process, it is:

    • Forbidden to install policy on the Security Group, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to reboot Security Group Members, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to change the configuration of the Security Group and its Security Group Members.

    • Forbidden to install Hotfixes on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

    • Forbidden to install the Jumbo Hotfix Accumulator on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

  • To prevent down time, do not upgrade all the Security Group Members in a specific Security Group at the same time.

  • In this upgrade procedure, you divide all Security Group Members in a specific Security Group into two or more logical groups.

    In the procedure below, we use two logical groups denoted below as "A" and "B".

    You upgrade one logical group of the Security Group Members at one time.

    The other logical group(s) of the Security Group Members continues to handle traffic.

    Each logical group should contain the same number of Security Group Members - as close as possible.

    Environment

    Description

    Single Chassis

    • There are 8 SGMs in the Security Group.

    • The Logical Group "A" contains SGMs from 1_1 to 1_4.

    • The Logical Group "B" contains SGMs from 1_5 to 1_8.

    Single Chassis

    • There are 5 SGMs in the Security Group.

    • The Logical Group "A" contains SGMs from 1_1 to 1_3.

    • The Logical Group "B" contains SGMs from 1_4 to 1_5.

    Dual Chassis

    • There are 4 SGMs in the Security Group (on each Chassis).

    • The Logical Group "A" contains SGMs on Chassis1 from 1_1 to 1_4.

    • The Logical Group "B" contains SGMs on Chassis2 from 2_1 to 2_4.

  • In a Dual Chassis environment:

    • We recommend to upgrade all Security Group Members in each Security Group on one Chassis, and then upgrade all Security Group Members in the same Security Group on the next Chassis.

      Do this on one Security Group at a time.

    • To prevent a fail-over between Chassis during the upgrade, we recommend these steps for each Security Group:

      1. Connect to the command line on a Security Group.

      2. If your default shell is the Expert mode, then go to Gaia gClish:

        gclish

      3. Get the current Dual Chassis Active/Standby mode:

        show chassis high-availability mode

        Available Modes:

        Mode ID

        Mode Title

        Mode Description

        0

        Active/Standby - Active Up

        No primary Chassis.

        The currently Active Chassis stays Active unless it goes DOWN, or the Standby Chassis has a higher Chassis quality grade.

        1

        Active/Standby - Primary Up

        Active Chassis, always stays Active unless it goes DOWN, or the Standby Chassis has a higher Chassis quality grade.

        2

        Not available

        Not supported.

        3

        Standby Chassis VSLS Mode

        In VSX, provides Virtual System Load Sharing.

      4. Decide which of the Chassis is Active.

      5. Change the Dual Chassis Active/Standby mode to "Active/Standby - Primary Up":

        set chassis high-availability mode 1

      6. Change the Chassis Priority (enter the number of the currently Active Chassis):

        set chassis high-availability vs chassis_priority {1 | 2}

      7. Upgrade all Security Group Members on the "Standby" Chassis.

      8. On the upgraded Chassis, change the Dual Chassis Active/Standby mode to "Primary Up":

        set chassis high-availability mode 1

      9. On the upgraded Chassis, change the Chassis Priority (enter the number of the currently Active Chassis):

        set chassis high-availability vs chassis_priority {1 | 2}

      10. Upgrade all Security Group Members on the new "Standby" Chassis (former "Active" Chassis).

      11. Change the Dual Chassis Active/Standby mode to the previous mode:

        set chassis high-availability mode <Mode ID>

Required software packages:

Download the required software packages from sk177624:

  1. The required Take of the Jumbo Hotfix Accumulator

  2. The required CPUSE Deployment Agent for Scalable Platforms

  3. The R81.20 Upgrade Package for Scalable Platforms

Workflow:

  1. On the Management Server - Upgrade to the required version that can manage an R81.20 Security Group (see sk113113).

  2. On the Security Group - Install the required Jumbo Hotfix Accumulator (using two logical groups of Security Group Members).

  3. On the Security Group - Install the required CPUSE Deployment Agent package for the Security Group.

  4. On the Security Group - Upgrade to R81.20 (using two logical groups of Security Group Members).

  5. In SmartConsole, install the policy.

Procedure:

Upgrade the Management Server to the required version that can manage an R81.20 Security Group (see the R81.20 Release Notes).

Note - The SMOClosed See "SMO". Image Cloning feature automatically clones all the required software packages to the SGMs during their boot. When you install or remove software packages gradually on SGMs, it is necessary to disable this feature, so that after a reboot the updated SGMs do not clone the software packages from the existing non-updated SGMs.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /bin/bash (Expert mode), then go to Gaia gClish:

gclish

C

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

D

Disable the SMO Image Cloning feature, if it is enabled:

set smo image auto-clone state off

E

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

Important:

  • You must install the required Jumbo Hotfix Accumulator on all SGMs in the Security Group.

  • Before you install Jumbo Hotfix Accumulator, this procedure requires you to disable the SMO Image Cloning feature on the Security Group.

    Do not enable the SMO Image Cloning feature on the Security Group until the upgrade procedure instructs you to do so.

Follow these instructions to install the required Jumbo Hotfix Accumulator from sk177624:

Installing and Uninstalling a Hotfix on SGMs

Important - You must do this step even if you upgrade again after a rollback procedure on the Security Group.

Step

Instructions

A

Transfer the CPUSE Deployment Agent package for Scalable Platforms (from sk177624) to the Security Group (into some directory, for example /var/log/).

B

Connect to the command line on the Security Group.

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Make sure the CPUSE Deployment Agent package exists:

ls -l /<Full Path>/<Name of CPUSE Deployment Agent Package>

E

Upgrade the CPUSE Deployment Agent:

update_sp_da /<Full Path>/<Name of CPUSE Deployment Agent Package>

Example:

update_sp_da /var/log/DeploymentAgent_XXXXXXXXX.tgz

F

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

G

Make sure all Security Group Members have the same build of the CPUSE Deployment Agent:

show installer status build

Step

Instructions

A

Make sure you have the applicable CPUSE Offline package:

R81.20 Upgrade Package for Scalable Platforms

B

Transfer the CPUSE Offline package to the Security Group (into some directory, for example /var/log/).

C

Connect to the command line on the Security Group.

D

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

E

Import the CPUSE Offline package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

Example:

[Global] HostName-ch01-01 > installer import local /var/log/Check_Point_R81.20_SP_Install_and_Upgrade.tar

F

Show the imported CPUSE packages:

show installer packages imported

G

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids all

Example:

[Global] HostName-ch01-01 > installer verify 2 member_ids all
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Upgrade is allowed.                          |
|1_02         |Upgrade is allowed.                          |
|1_03         |Upgrade is allowed.                          |
|1_04         |Upgrade is allowed.                          |
|1_05         |Upgrade is allowed.                          |
|1_06         |Upgrade is allowed.                          |
|1_07         |Upgrade is allowed.                          |
|1_08         |Upgrade is allowed.                          |
+-----------------------------------------------------------+
[Global] HostName-ch01-01 >

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "A" through the console.

  • Connect to one of the Security Group Members in the Logical Group "B" over SSH.

B

Go to the context of one of the Security Group Members in the Logical Group "A":

member <Member ID>

Example:

member 1_1

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Set the Security Group Members in the Logical Group "A" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "A"> down

Example:

[Expert@HostName-ch0x-0x:0]# g_clusterXL_admin -b 1_1-1_4 down

E

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

F

Upgrade the Security Group Members in the Logical Group "A":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_1-1_4
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Package is ready for installation            |
|1_02         |Package is ready for installation            |
|1_03         |Package is ready for installation            |
|1_04         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_02,1_02,1_03,1_04) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

G

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

H

Monitor the Security Group Members in the Logical Group "A" until they boot:

asg monitor

Important - By design, these Security Group Members boot into the "Down" state because these Critical Devices report their state as "problem" (run the "cphaprob state" command):

  • Fullsync

  • during_upgrade

  • DSD

Warning -If the Access Control policy contains Updatable Objects, then before you perform the upgrade, you must follow sk131852 > section "Troubleshooting" > "Scenario 1 - The Updatable Objects package is missing on the Security Gateway".

Step

Instructions

A

Connect to one of the Security Group Members in the Logical Group "A" through the console.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run the upgrade script and follow the steps below:

sp_upgrade

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

From the left navigation panel, click Gateways & Servers.

C

Double-click the Security Gateway object for this Security Group.

D

In the left tree, click General.

E

In the Version field, select R81.20.

F

Click OK.

G

Publish the session (do not install the policy).

H

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Log in to the Expert mode.

C

On a Multi-Domain Server, go to the context of the Main Domain Management Server that manages ‎this VSX Gateway:

mdsenv <IP Address or Name of Domain Management Server>

D

Run this command:

vsx_util upgrade

For more information, see the R81.20 VSX Administration Guide.

E

Log in with the administrator credentials.

F

Select this VSX Gateway object.

G

Change the object version to R81.20.

H

Follow the instructions on the screen.

Important - This step applies only to a Security Group in the Gateway mode.

In the VSX mode, the "vsx_util upgrade" command installed the required policy earlier.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Go to the Expert mode:

expert

C

Run the "install-policy" API (see the Check Point Management API Reference - search for install-policy).

 

On a Security Management Server, run:

mgmt_cli -d "SMC User" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • "SMC User" is a mandatory name of the Domain.

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Management Server's administrator credentials.

Example:

mgmt_cli -d "SMC User" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

 

On a Multi-Domain Server, run:

mgmt_cli -d "<IP Address or Name of Domain Management Server that manages this Security Gateway Object>" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Domain Management Server's administrator credentials.

Example:

mgmt_cli -d "MyDomainServer" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

D

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

In the 'sp_upgrade' shell script session, enter y or yes to confirm the cluster failover from the Security Group Members in the Logical Group "B" to the Security Group Members in the Logical Group "A".

Note - If the SSH section closed, connect again and run:

sp_upgrade --continue

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Go to the context of one Security Group Members in the Logical Group "B":

member <Member ID>

Example:

member 1_5

C

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

D

Upgrade the Security Group Members in the Logical Group "B":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_5-1_8
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_05 (local) |Package is ready for installation            |
|1_06         |Package is ready for installation            |
|1_07         |Package is ready for installation            |
|1_08         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_05,1_06,1_07,1_08) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

E

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

F

Monitor the Security Group Members in the Logical Group "B" until they boot:

asg monitor

In the 'sp_upgrade' shell script session, enter y or yes to confirm the upgrade.

Note - If the SSH section closed, connect again and run:

sp_upgrade --continue

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

Install the applicable Access Control policy on the Security Gateway object for this Security Group.

If this Security Group is configured in the VSX mode, you must install the applicable Access Control policy on each Virtual System.

C

On the Security Group, in the 'sp_upgrade' shell script session, enter y or yes to confirm.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run these commands:

asg diag verify

hcp -m all -r all