Upgrading Maestro Environment - Zero Downtime

This section describes the steps for upgrading a Maestro environment (the Quantum Maestro Orchestrators and the Security Groups) with Zero Downtime - as a Multi-Version Cluster (MVC).

This procedure supports only these upgrade paths for Security Groups:

  • from R81.10 to R81.20

  • from R81 to R81.20

Warning - Multi-Version Cluster (Zero Downtime) upgrade from R81 / R81.10 to R81.20 is not supported if a Security Group has Bond interfaces in the 802.3ad (LACP) mode on Uplink ports (Known Limitation PMTR-88191).

Important - See these rollback procedures:

Important Notes for Quantum Maestro Orchestrators:

  • We recommend to schedule a maintenance window for all Orchestrators on all sites.

  • The major software version on the Orchestrators must be equal to or higher than the major software version on the managed Security Group (PMTR-86785).

  • This procedure keeps the current configuration on the Orchestrators.

  • Upgrade all Orchestrators and only then upgrade the Security Groups.

  • Upgrade one Orchestrator at a time.

  • In a Dual Site environment:

    1. Upgrade the Orchestrators on the Standby Site (Site 2)

    2. Initiate a fail-over in each Security Group from the non-upgraded Active Site (Site 1) to the upgraded Standby Site (Site 2):

      1. Connect to the command line on each Security Group.

      2. If your default shell is Gaia gClish, then go to the Expert mode:

        expert

      3. Initiate a fail-over:

        chassis_admin -c <ID of Active Site> down

        chassis_admin -c <ID of Former Active Site> up

    3. Upgrade the Orchestrators on the new Standby Site (Site 1).

Important Notes for Security Groups:

  • Before you upgrade the Security Groups, you must upgrade the Management Server that manages the Security Groups.

    See the R81.20 Installation and Upgrade Guide.

  • This procedure applies to Security Groups in the Gateway mode and the VSX mode.

    In VSX mode, you must run all the commands in the context of VS0.

  • During the upgrade process, it is:

    • Forbidden to install policy on the Security Group, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to reboot Security Group Members, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to change the configuration of the Security Group and its Security Group Members.

    • Forbidden to install Hotfixes on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

    • Forbidden to install the Jumbo Hotfix Accumulator on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

  • To prevent down time, do not upgrade all the Security Group Members in a specific Security Group at the same time.

  • In this upgrade procedure, you divide all Security Group Members in a specific Security Group into two or more logical groups.

    In the procedure below, we use two logical groups denoted below as "A" and "B".

    You upgrade one logical group of the Security Group Members at one time.

    The other logical group(s) of the Security Group Members continues to handle traffic.

    Each logical group should contain the same number of Security Group Members - as close as possible.

    Environment

    Description

    Single Site

    • There are 8 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members from 1_5 to 1_8.

    Single Site

    • There are 5 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_3.

    • The Logical Group "B" contains Security Group Members from 1_4 to 1_5.

    Dual Site

    • There are 4 Security Group Members in the Security Group (on each Site).

    • The Logical Group "A" contains Security Group Members on Site 1 from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members on Site 2 from 2_1 to 2_4.

  • In a Dual Site environment:

    • We recommend to upgrade all Security Group Members in each Security Group on one Site, and then upgrade all Security Group Members in the same Security Group on the next Site.

      Do this on one Security Group at a time.

    • To prevent a fail-over between Sites during the upgrade, we recommend these steps for each Security Group:

      1. Connect to the command line on a Security Group.

      2. If your default shell is the Expert mode, then go to Gaia gClish:

        gclish

      3. Get the current Dual Site Active/Standby mode:

        show chassis high-availability mode

        Available Modes:

        Mode ID

        Mode Title

        Mode Description

        0

        Active/Standby - Active Up

        No primary Site.

        The currently Active Site stays Active unless it goes DOWN, or the Standby Site has a higher Site quality grade.

        1

        Active/Standby - Primary Up

        Active Site, always stays Active unless it goes DOWN, or the Standby Site has a higher Site quality grade.

        2

        Not available

        Not supported.

        3

        Standby Chassis VSLS Mode

        In VSX, provides Virtual System Load Sharing.

      4. Decide which of the Sites is Active.

      5. Change the Dual Site Active/Standby mode to "Active/Standby - Primary Up":

        set chassis high-availability mode 1

      6. Change the Site Priority (enter the number of the currently Active Site):

        set chassis high-availability vs chassis_priority {1 | 2}

      7. Upgrade all Security Group Members on the "Standby" Site.

      8. On the upgraded Site, change the Dual Site Active/Standby mode to "Primary Up":

        set chassis high-availability mode 1

      9. On the upgraded Site, change the Site Priority (enter the number of the currently Active Site):

        set chassis high-availability vs chassis_priority {1 | 2}

      10. Upgrade all Security Group Members on the new "Standby" Site (former "Active" Site).

      11. Change the Dual Site Active/Standby mode to the previous mode:

        set chassis high-availability mode <Mode ID>

Required software packages:

Download the required software packages from sk177624:

  1. The required Take of the Jumbo Hotfix Accumulator

  2. The required CPUSE Deployment Agent for Scalable Platforms

  3. The R81.20 Upgrade Package for Scalable Platforms

Workflow:

  1. On the Management Server - Upgrade to the required version that can manage an R81.20 Security Group (see sk113113).

  2. On the Orchestrator - Upgrade to R81.20 and install the R81.20 Jumbo Hotfix Accumulator.

  3. On the Security Group - Run the Pre-Upgrade Verifier to make sure it is possible to upgrade the Security Group.

  4. On the Security Group - Install the required Jumbo Hotfix Accumulator (using two logical groups of Security Group Members).

  5. On the Security Group - Install the required CPUSE Deployment Agent package for the Security Group.

  6. On the Security Group - Upgrade to R81.20 (using two logical groups of Security Group Members).

  7. In SmartConsole, install the policy.

Procedure:

Upgrade the Management Server to the required version that can manage an R81.20 Security Group (see the R81.20 Release Notes).

Step

Instructions

A

If the Orchestrator runs R80.20SP, then install the R80.20SP Jumbo Hotfix Accumulator Take 326 or higher on the Orchestrator.

B

In the Orchestrator's Gaia Portal, from the left tree, go to Upgrades (CPUSE) > Status and Actions.

C

In the top right section, click Import Package.

D

Click Browse.

E

Go to the folder where you put the R81.20 Upgrade Package for Scalable Platforms from sk177624.

F

Select the R81.20 Upgrade Package for Scalable Platforms.

G

Click Open.

H

Click Import.

I

Above the list of packages, near the help icon, click the filter button that currently says "Showing Recommended packages" and click "All".

The filter must change to "Showing All packages".

J

Right-click the imported R81.20 CPUSE Offline Package and click Verify Update.

K

Right-click the imported R81.20 CPUSE Offline Package and click Upgrade.

Important:

  • Make sure to click Upgrade

    (do not click Install because it performs a clean install, which deletes all configuration and reboots all Security Group Members).

  • At the end of the upgrade, the Orchestrator reboots automatically.

L

Install the Recommended Take of the R81.20 Jumbo Hotfix Accumulator.

See Installing and Uninstalling a Hotfix on Quantum Maestro Orchestrators.

Step

Instructions

A

Download this script to your computer:

https://supportcenter.checkpoint.com/file_download?id=124062

B

Copy this script from your computer to the Security Group.

Copy the script to some directory (for example, /var/log/).

C

Connect to the command line on the Security Group.

D

Log in to the Expert mode.

E

Run these commands in the order listed below:

cd /var/log/

chmod +x pre_upgrade_verifier.sh

./pre_upgrade_verifier.sh

Important - This step applies only when the Security Group works in the VSX mode.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Log in to the Expert mode.

C

On a Multi-Domain Server, go to the context of the applicable Domain Management Server that manages this Security Group in VSX mode:

mdsenv <IP Address or Name of Domain Management Server>

D

Upgrade the version of a VSX Gateway object in the management database:

Warning - Make sure to close all SmartConsole clients connected to this Management Server.

vsx_util upgrade [-s <Mgmt Server>] [-u <UserName>]

For more information, see the R81.20 VSX Administration Guide > Chapter "Command Line Reference" > Section "vsx_util".

E

Log in with the Management Server administrator credentials.

F

Select the VSX Gateway object for this Security Group.

G

Change the version to R81.20.

Note - The SMO Image Cloning feature automatically clones all the required software packages to the Security Group Members during their boot. When you install or remove software packages gradually on Security Group Members, it is necessary to disable this feature, so that after a reboot the updated Security Group Members do not clone the software packages from the existing non-updated Security Group Members.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /bin/bash (Expert mode), then go to Gaia gClish:

gclish

C

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

D

Disable the SMO Image Cloning feature, if it is enabled:

set smo image auto-clone state off

E

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

Important:

  • You must install the required Jumbo Hotfix Accumulator on all Security Group Members in the Security Group.

  • Before you install Jumbo Hotfix Accumulator, this procedure requires you to disable the SMO Image Cloning feature on the Security Group.

    Do not enable the SMO Image Cloning feature on the Security Group until the upgrade procedure instructs you to do so.

Follow these instructions to install the required Jumbo Hotfix Accumulator from sk177624:

Installing a Hotfix Package on Security Group Members

Important - You must do this step even if you upgrade again after a rollback procedure on the Security Group.

Step

Instructions

A

Transfer the CPUSE Deployment Agent package for Scalable Platforms (from sk177624) to the Security Group (into some directory, for example /var/log/).

B

Connect to the command line on the Security Group.

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Make sure the CPUSE Deployment Agent package exists:

ls -l /<Full Path>/<Name of CPUSE Deployment Agent Package>

E

Upgrade the CPUSE Deployment Agent:

update_sp_da /<Full Path>/<Name of CPUSE Deployment Agent Package>

Example:

update_sp_da /var/log/DeploymentAgent_XXXXXXXXX.tgz

F

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

G

Make sure all Security Group Members have the same build of the CPUSE Deployment Agent:

show installer status build

Step

Instructions

A

Make sure you have the applicable CPUSE Offline package:

R81.20 Upgrade Package for Scalable Platforms

B

Transfer the CPUSE Offline package to the Security Group (into some directory, for example /var/log/).

C

Connect to the command line on the Security Group.

D

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

E

Import the CPUSE Offline package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

Example:

[Global] HostName-ch01-01 > installer import local /var/log/Check_Point_R81.20_SP_Install_and_Upgrade.tar

F

Show the imported CPUSE packages:

show installer packages imported

G

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids all

Example:

[Global] HostName-ch01-01 > installer verify 2 member_ids all
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Upgrade is allowed.                          |
|1_02         |Upgrade is allowed.                          |
|1_03         |Upgrade is allowed.                          |
|1_04         |Upgrade is allowed.                          |
|1_05         |Upgrade is allowed.                          |
|1_06         |Upgrade is allowed.                          |
|1_07         |Upgrade is allowed.                          |
|1_08         |Upgrade is allowed.                          |
+-----------------------------------------------------------+
[Global] HostName-ch01-01 >

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "A" through the console.

  • Connect to one of the Security Group Members in the Logical Group "B" over SSH.

B

Go to the context of one of the Security Group Members in the Logical Group "A":

member <Member ID>

Example:

member 1_1

C

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

D

Set the Security Group Members in the Logical Group "A" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "A"> down

Example:

[Expert@HostName-ch0x-0x:0]# g_clusterXL_admin -b 1_1-1_4 down

E

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    exit

F

Upgrade the Security Group Members in the Logical Group "A":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_1-1_4
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Package is ready for installation            |
|1_02         |Package is ready for installation            |
|1_03         |Package is ready for installation            |
|1_04         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_02,1_02,1_03,1_04) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

G

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

H

Monitor the Security Group Members in the Logical Group "A" until they boot:

asg monitor

Important - By design, these Security Group Members boot into the "Down" state because these Critical Devices report their state as "problem" (run the "cphaprob state" command):

  • Fullsync

  • during_upgrade

  • DSD

Step

Instructions

A

Connect to one of the Security Group Members in the Logical Group "A" through the console.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run the upgrade script and follow the steps below:

sp_upgrade

Warning - This step applies only if Check Point Support or R&D explicitly instructed you to install a specific Hotfix on your specific Security Group in the middle of the upgrade.

For example, your Security Group might require a specific hotfix or a Jumbo Hotfix Accumulator Take to resolve a specific issue.

You are still connected to one of the Security Group Members in the Logical Group "A" and you are still working in the Expert mode.

Step

Instructions

A

Back up the current $SMODIR/bin/sp_upgrade script to your home directory:

cp -v $SMODIR/bin/sp_upgrade ~

ls -l ~/sp_upgrade

B

Transfer the CPUSE package for this Hotfix to the Security Group (into some directory, for example /var/log/).

C

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    exit

D

Import the CPUSE package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

E

Show the imported CPUSE packages:

show installer packages imported

F

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

G

Install the CPUSE package on the Security Group Members in the Logical Group "A":

installer install [Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    expert

I

Go to your home directory:

cd ~

pwd

J

Continue the upgrade procedure:

./sp_upgrade

Note - This step applies only to a Security Group in the Gateway mode.

In the VSX mode, you changed the object version earlier with the "vsx_util upgrade" command.

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

From the left navigation panel, click Gateways & Servers.

C

Double-click the Security Gateway object for this Security Group.

D

In the left tree, click General.

E

In the Version field, select R81.20.

F

Click OK.

G

Publish the session (do not install the policy).

H

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

Important - This step applies only to a Security Group in the Gateway mode.

In the VSX mode, the "vsx_util upgrade" command installed the required policy earlier.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Go to the Expert mode:

expert

C

Run the "install-policy" API (see the Check Point Management API Reference - search for install-policy).

 

On a Security Management Server, run:

mgmt_cli -d "SMC User" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • "SMC User" is a mandatory name of the Domain.

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Management Server's administrator credentials.

Example:

mgmt_cli -d "SMC User" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

 

On a Multi-Domain Server, run:

mgmt_cli -d "<IP Address or Name of Domain Management Server that manages this Security Gateway Object>" --format json install-policy policy-package <Name of Policy Package> --sync false targets <Name of Security Gateway Object> prepare-only true [--port <Apache Gaia Port>]

Notes:

  • The default Apache Gaia port on the Management Server is 443.

    If you configured a different port, you must specify it explicitly in the syntax.

    To see the configured port, run this command in the Expert mode:

    api status | grep "APACHE Gaia Port"

  • This API prompts you to log in. Use the Domain Management Server's administrator credentials.

Example:

mgmt_cli -d "MyDomainServer" --format json install-policy policy-package MyPolicyPackage --sync false targets MySecurityGroup prepare-only true --port 443

D

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

In the 'sp_upgrade' shell script session, enter y or yes to activate the Security Group Members that were upgraded in the Multi-Version Cluster mode.

Note - If the SSH section closed, connect again and run:

sp_upgrade --continue

Important - In the Multi-Version Cluster mode, it is not necessary to choose all of the remaining Security Group Members that you did not upgrade yet.

You can repeat the previous steps for different logical groups of Security Group Members until you upgrade all Security Group Members in the Security Group.

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Set the Security Group Members in the Logical Group "B" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "B"> down

Example:

[Expert@HostName-ch0x-0x:0]# g_clusterXL_admin -b 2_1-2_4 down

Note - It is not necessary to set the Security Group Members in the Logical Group "B" to the state "DOWN", because the 'sp_upgrade' shell script already made this change.

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Go to the context of one Security Group Members in the Logical Group "B":

member <Member ID>

Example:

member 1_5

C

If your default shell is /bin/bash (the Expert mode), then go to Gaia gClish:

gclish

D

Upgrade the Security Group Members in the Logical Group "B":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

Example:

[Global] HostName-ch01-01 > installer upgrade 2 member_ids 1_5-1_8
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_05 (local) |Package is ready for installation            |
|1_06         |Package is ready for installation            |
|1_07         |Package is ready for installation            |
|1_08         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_05,1_06,1_07,1_08) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-ch01-01 >

E

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/gclish (Gaia gClish), then run:

    expert

F

Monitor the Security Group Members in the Logical Group "B" until they boot:

asg monitor

Step

Instructions

A

Connect to Security Group Members in the Logical Group "B", and run in the Expert mode):

sp_upgrade

B

In the 'sp_upgrade' shell script session, enter y or yes to confirm.

Warning - This step applies only if Check Point Support or R&D explicitly instructed you to install a specific Hotfix on your specific Security Group in the middle of the upgrade.

For example, your Security Group might require a specific hotfix or a Jumbo Hotfix Accumulator Take to resolve a specific issue.

You are still connected to one of the Security Group Members in the Logical Group "A" and you are still working in the Expert mode.

Step

Instructions

A

Back up the current $SMODIR/bin/sp_upgrade script to your home directory:

cp -v $SMODIR/bin/sp_upgrade ~

ls -l ~/sp_upgrade

B

Transfer the CPUSE package for this Hotfix to the Security Group (into some directory, for example /var/log/).

C

Go from the Expert mode to Gaia gClish:

  • If your default shell is /bin/bash (the Expert mode), then run:

    gclish

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    exit

D

Import the CPUSE package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

E

Show the imported CPUSE packages:

show installer packages imported

F

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

G

Install the CPUSE package on the Security Group Members in the Logical Group "A":

installer install [Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is /bin/bash (the Expert mode), then run:

    exit

  • If your default shell is /etc/cli.sh (Gaia Clish), then run:

    expert

I

Go to your home directory:

cd ~

pwd

J

Continue the upgrade procedure:

./sp_upgrade

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

Install the applicable Access Control policy on the Security Gateway object for this Security Group.

If this Security Group is configured in the VSX mode, you must install the applicable Access Control policy on each Virtual System.

C

On the Security Group, in the 'sp_upgrade' shell script session, enter y or yes to confirm.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is /etc/gclish (Gaia gClish), then go to the Expert mode:

expert

C

Run these commands:

asg diag verify

hcp -m all -r all