Minimum Effort Upgrade of a Security Gateway Cluster

Best Practice - Use the Central Deployment in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. For more information, see the R81.20 Security Management Administration Guide > Chapter Managing Gateways > Section Central Deployment of Hotfixes and Version Upgrades.

Important - Before you upgrade a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.: Step Instructions 1 Back up your current configuration (see Backing Up and Restoring). 2 See Upgrade Options and Prerequisites. 3 Upgrade the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and Log Servers. 4 See Planning a Cluster Upgrade. 5 Schedule a full maintenance window to make sure you can make all the custom configurations again after the upgrade.

Procedure:

1. On each Cluster Member, Upgrade to R81.20 with CPUSE, or perform a Clean Install of R81.20

   Important - You must reboot the Cluster Member Security Gateway that is part of a cluster. after the upgrade or clean install.

   Installation Method	Instructions
   Upgrade to R81.20 with CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.	See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. In local installation, select the R81.20 package and perform Upgrade. See sk92449 for detailed steps.
   Clean Install Installation of a Check Point Operating System from scratch on a computer. of R81.20 with CPUSE	See Installing Software Packages on Gaia. Follow the applicable action plan for the local or central installation. In local installation, select the R81.20 package and perform Clean Install. See sk92449 for detailed steps. Important - In the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade).
   Clean Install of R81.20 from scratch	Installing a Cluster Member Follow Installing a ClusterXL Cluster - only the step "Install the Cluster Members". Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous Cluster Member (prior to the upgrade). Installing a VRRP Cluster Member Follow Installing a VRRP Cluster - only the step "Install the VRRP Cluster Members". Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VRRP Cluster Member (prior to the upgrade). Installing a VSX Cluster Member Follow Installing a VSX Cluster - only the step "Install the VSX Cluster Members". Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster Member (prior to the upgrade).

2. In SmartConsole, change the version of the cluster object

   Step	Instructions
   1	Connect with SmartConsole to the R81.20 Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management Server that manages this cluster.
   2	From the left navigation panel, click Gateways & Servers.
   3	Open the Cluster object.
   4	From the left tree, click the General Properties page.
   5	In the Platform section > Version field, select R81.20.
   6	Click OK to close the Gateway Cluster Properties window.

3. In SmartConsole, establish SIC with the each Cluster Member

   Important - This step is required only if you performed a Clean Install of R81.20 on this Cluster Member.

   Step	Instructions
   1	Connect with SmartConsole to the R81.20 Security Management Server or Main Domain Management Server that manages this Cluster.
   2	From the left navigation panel, click Gateways & Servers.
   3	Open the cluster object.
   4	From the left tree, click Cluster Members.
   5	Select the object of this Cluster Member.
   6	Click Edit.
   7	On the General tab, click the Communication button.
   8	Click Reset.
   9	In the One-time password field, enter the same Activation Key you entered during the First Time Configuration Wizard of the Cluster Member.
   10	In the Confirm one-time password field, enter the same Activation Key again.
   11	Click Initialize.
   12	The Trust state field must show Trust established.
   13	Click Close to close the Communication window.
   14	Click OK to close the Cluster Member Properties window.
   15	Click OK to close the Gateway Cluster Properties window.
   16	Publish the SmartConsole session.

4. In SmartConsole, install the Access Control Policy and Threat Prevention Policy on the Cluster object

   Step	Instructions
   1	Connect with SmartConsole to the R81.20 Security Management Server or Domain Management Server that manages this cluster.
   2	From the left navigation panel, click Gateways & Servers.
   3	Install the Access Control Policy: Click Install Policy. In the Policy field, select the applicable Access Control Policy. In the Install Mode section, select these two options: Install on each selected gateway independently For gateway clusters, if installation on a cluster member fails, do not install on that cluster Click Install. The Access Control Policy must install successfully on all the Cluster Members.
   4	Install the Threat Prevention Policy: Click Install Policy. In the Policy field, select the applicable Threat Prevention Policy. Click Install. The Threat Prevention Policy must install successfully on all the Cluster Members.

5. On each Cluster Member, examine the cluster state

   Step	Instructions
   1	Connect to the command line on each Cluster Member.
   2	Examine the cluster state in one of these ways: In Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., run: show cluster state In the Expert mode, run: cphaprob state Important: All Cluster Members must show the same information about the states of all Cluster Members. In the High Availability mode, one Cluster Member must be in the Active state, and all other Cluster Members must be in Standby state. In the Load Sharing modes, all Cluster Members must be in the Active state.

6. Test the functionality

   Step	Instructions
   1	Connect with SmartConsole to the R81.20 Security Management Server or Domain Management Server that manages this cluster.
   2	From the left navigation panel, click Logs & Monitor > Logs.
   3	Examine the logs from this Cluster to make sure it inspects the traffic as expected.

For more information:

See the R81.20 ClusterXL Administration Guide.