Rolling Back a Failed Upgrade of a Security Group to R81.20 - Zero Downtime

This section describes the steps to roll back a failed upgrade of a Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. from R81.20 with Zero Downtime.

This section describes the steps for rolling back a failed upgrade of a Security Group to R81.20.

This procedure supports only these downgrade paths for Security Groups:

from R81.20 to R81.10
from R81.20 to R81

Warnings:

Multi-Version Cluster (Zero Downtime) downgrade from R81.20 to R81.10 / R81 is not supported if a Security Group has Bond interfaces in the 802.3ad (LACP) mode on Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. (Known Limitation PMTR-88191).
Before you follow the downgrade procedure, revert all changes in the topology you made after the upgrade procedure. For example, after the upgrade you added / removed interfaces, you changed the configuration of interfaces, you added / removed Security Group Members in the Security Group.

Important - While the Security Group still contains Security Group Members that run the R81.20 version, you can only run the script "sp_upgrade --revert" on the R81.20 Security Group Members.

Rolling Back If Only Some of the Security Group Members Were Upgraded

Important - Use this rollback procedure if you upgraded only some (not all) Security Group Members in the Security Group.

Step

Instructions

Connect to the command line on the Security Group.

If your default shell is /bin/bash (Expert mode), then go to the Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group.:

gclish

Disable the SMO Image Cloning feature:

Note - The SMO Image Cloning feature automatically clones all the required software packages to the Security Group Members during their boot. When you install or remove software packages gradually on Security Group Members, it is necessary to disable this feature, so that after a reboot the updated Security Group Members do not clone the software packages from the existing non-updated Security Group Members.

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

Disable the SMO Image Cloning feature, if it is enabled:

set smo image auto-clone state off

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

Go to the Expert mode:

If your default shell is /bin/bash (Expert mode):

exit

If your default shell is /etc/gclish (Gaia gClish):

expert

Go to the context of one of the Security Group Members that were upgraded to R81.20:

member <Member ID>

Example:

member 1_1

Run the upgrade script with the "revert" parameter and follow the instructions on the screen:

sp_upgrade --revert

On each Security Group Member that was upgraded to R81.20, restore the Gaia automatic snapshot:

Go to the context of each Security Group Member:

member <Member ID>

Example:

member 1_2

Go to Gaia Clish (do not use the Gaia gClish):

clish

Restore the Gaia automatic snapshot that was saved automatically before the upgrade.

set snapshot revert AutoSnapShot_<Original-Version>_<Take>

Example:

set snapshot revert AutoSnapShot_AutoSnapShot_R81_47

Wait for the Security Group Member to complete the reboot.
Repeat Steps a-d for the next Security Group Member that was upgraded.

Connect to the command line on the Security Group.

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

Run the upgrade script with the "revert" parameter again and follow the instructions on the screen:

sp_upgrade --revert

Make sure the downgrade was successful:

asg diag verify

Rolling Back the Whole Security Group

Use this rollback procedure if you upgraded all Security Group Members in the Security Group and it is necessary to keep the current connections.

Important:

This procedure does not interrupt the traffic and does not require down time.

However, this procedure takes more time comparing with the procedure Rolling Back a Failed Upgrade of a Security Group to R81.20 - Minimum Downtime.
In this rollback procedure, you divide all upgraded Security Group Members in a specific Security Group into two logical groups - denoted below as "A" and "B".

You revert one logical group of the Security Group Members at one time.

The other logical group of the Security Group Members continues to handle traffic.

Each logical group should contain the same number of Security Group Members - as close as possible.

Example 1:
- There are 8 Security Group Members in the Security Group.
- The Logical Group "A" contains Security Group Members from 1_1 to 1_4.
- The Logical Group "B" contains Security Group Members from 1_5 to 1_8.
Example 2:
- There are 5 Security Group Members in the Security Group.
- The Logical Group "A" contains Security Group Members from 1_1 to 1_3.
- The Logical Group "B" contains Security Group Members 1_4 and 1_5.

Procedure

Step

Instructions

Connect to the command line on the Security Group.

Go to the context of one of the Security Group Members in the Logical Group "A":

member <Member ID>

Example:

member 1_1

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

Run the upgrade script with the "revert" parameter and follow the instructions on the screen:

sp_upgrade --revert

Restore the Gaia automatic snapshot on each Security Group Member in the Logical Group "A" that was upgraded to R81.20:

Go to the context of the Security Group Member:

member <Member ID>

Example:

member 1_2

Go to Gaia Clish (do not use the Gaia gClish):

clish

Restore the Gaia automatic snapshot that was saved automatically before the upgrade.

set snapshot revert AutoSnapShot_<Original-Version>_<Take>

Example:

set snapshot revert AutoSnapShot_AutoSnapShot_R81_47

Wait for the Security Group Member to complete the reboot.
Repeat Steps a-d for the next Security Group Member in the Logical Group "A" that was upgraded.

Connect to the command line on the Security Group.

Go to the context of one of the Security Group Members in the Logical Group "A" that was downgraded from R81.20:

member <Member ID>

Example:

member 1_1

Run the upgrade script with the "revert" parameter again and follow the instructions on the screen:

sp_upgrade --revert

Restore the Gaia automatic snapshot on each Security Group Member in the Logical Group "B" that was upgraded to R81.20:

Go to the context of the Security Group Member:

member <Member ID>

Example:

member 1_5

Go to Gaia Clish (do not use the Gaia gClish):

clish

Restore the Gaia automatic snapshot that was saved automatically before the upgrade.

set snapshot revert AutoSnapShot_<Original-Version>_<Take>

Example:

set snapshot revert AutoSnapShot_AutoSnapShot_R81_47

Wait for the Security Group Member to complete the reboot.
Repeat Steps a-d for the next Security Group Member in the Logical Group "B" that was upgraded.

Connect to the command line on the Security Group.

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

Run the upgrade script with the "revert" parameter again and follow the instructions on the screen:

sp_upgrade --revert

Make sure the downgrade was successful:

asg diag verify

Rolling Back the Whole Security Group - With Downtime

Use this rollback procedure if you upgraded all Security Group Members in the Security Group and it is not necessary to keep the current connections.

Important - Schedule a maintenance window because this procedure interrupts all traffic that passes through the Security Group.

This rollback procedure save time because you revert all upgraded Security Group Members in a specific Security Group at the same time.

If traffic must not be interrupted, then follow the procedure Rolling Back a Failed Upgrade of a Security Group to R81.20 - Zero Downtime.

Procedure

Step

Instructions

Connect to the command line on the Security Group.

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

Go from the Expert mode to Gaia gClish.

If your default shell is /etc/gclish (Gaia gClish), then run:

exit

If your default shell is /etc/bash (Expert mode), then run:

gclish

Restore the Gaia automatic snapshot that was saved automatically before the upgrade.

set snapshot revert AutoSnapShot_<Original-Version>_<Take>

Example:

set snapshot revert AutoSnapShot_AutoSnapShot_R81_47

Wait for the Security Group Members to complete the reboot.

Connect to the command line on the Security Group.

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

Run the upgrade script with the "revert" parameter and follow the instructions on the screen:

sp_upgrade --revert

Make sure the downgrade was successful:

asg diag verify