Upgrading Maestro Environment to R81.20 - Zero Downtime

This section describes the steps for upgrading a Maestro environment (the Quantum Maestro Orchestrators and the Security Groups) with Zero Downtime - as a Multi-Version Cluster (MVC).

This procedure supports only these upgrade paths for Security Groups:

Warning - Multi-Version Cluster (Zero Downtime) upgrade from R81 to R81.20 is not supported if a Security Group has Bond interfaces in the 802.3ad (LACP) mode on Uplink portsClosed Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. (Known Limitation PMTR-88191).

Important - See these rollback procedures:

Important Notes for Quantum Maestro Orchestrators:

Important Notes for Security Groups:

  • Before you upgrade the Security Groups, you must upgrade the Management Server that manages the Security Groups.

    See the R81.20 Installation and Upgrade Guide.

  • This procedure applies to Security Groups in the Gateway mode and the VSX mode.

    In VSX mode, you must run all the commands in the context of VS0.

  • During the upgrade process, it is:

    • Forbidden to install policy on the Security Group, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to reboot Security Group Members, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to change the configuration of the Security Group and its Security Group Members.

    • Forbidden to install Hotfixes on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

    • Forbidden to install the Jumbo Hotfix Accumulator on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

  • To prevent down time, do not upgrade all the Security Group Members in a specific Security Group at the same time.

  • In this upgrade procedure, you divide all Security Group Members in a specific Security Group into two or more logical groups.

    In the procedure below, we use two logical groups denoted below as "A" and "B".

    You upgrade one logical group of the Security Group Members at one time.

    The other logical group(s) of the Security Group Members continues to handle traffic.

    Each logical group should contain the same number of Security Group Members - as close as possible.

  • In a Dual Site environment:

    • We recommend to upgrade all Security Group Members in each Security Group on one Site, and then upgrade all Security Group Members in the same Security Group on the next Site.

      Do this on one Security Group at a time.

    • To prevent a fail-over between Sites during the upgrade, we recommend these steps for each Security Group:

Required software packages:

Download the required software packages from sk177624:

  1. The required Take of the Jumbo Hotfix Accumulator

  2. The required CPUSE Deployment Agent for Scalable Platforms

  3. The R81.20 Upgrade Package for Scalable Platforms

Workflow:

  1. On the Management Server - Upgrade to the required version that can manage an R81.20 Security Group (see sk113113).

  2. On the Orchestrator - Upgrade to R81.20 and install the R81.20 Jumbo Hotfix Accumulator.

  3. On the Security Group - Run the Pre-Upgrade Verifier to make sure it is possible to upgrade the Security Group.

  4. On the Security Group - Install the required Jumbo Hotfix Accumulator (using two logical groups of Security Group Members).

  5. On the Security Group - Install the required CPUSE Deployment Agent package for the Security Group.

  6. On the Security Group - Upgrade to R81.20 (using two logical groups of Security Group Members).

  7. In SmartConsole, install the policy.

Procedure: