Multi-Version Cluster Upgrade Procedure - VSX Mode

Note - The procedure below is for VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.. For ClusterXL and VRRP Cluster, see Multi-Version Cluster Upgrade Procedure - Gateway Mode.

Important - Before you upgrade a VSX Cluster:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See Upgrade Options and Prerequisites.

3

Upgrade the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and Log Servers.

4

See Planning a Cluster Upgrade.

5

Schedule a full maintenance window to make sure you can make all the custom configurations again after the upgrade.

Note - MVC supports VSX Cluster Members with different GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. kernel editions (R81 64-bit and R77.30 / R80.10 32-bit).

The procedure described below is based on an example cluster with three VSX Cluster Members M1, M2 and M3.

However, you can use it for clusters that consist of two or more.

Action plan:

  1. On the Management Server, upgrade the VSX Cluster object to R81.

  2. On the VSX Cluster MemberClosed Security Gateway that is part of a cluster. M3:

    1. Upgrade to R81

      Note - If you perform a Clean InstallClosed Installation of a Check Point Operating System from scratch on a computer. of R81, then push the VSX configuration from the Management Server to this VSX Cluster Member

    2. Enable the MVC

  3. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., install the Access Control Policy on the R81 VSX Cluster Member M3

  4. On the next VSX Cluster Member M2:

    1. Upgrade to R81

      Note - If you perform a Clean Install of R81, then push the VSX configuration from the Management Server to this VSX Cluster Member

    2. Enable the MVC

  5. In SmartConsole, install the Access Control Policy on the R81 VSX Cluster Members M3 and M2.

  6. On the remaining VSX Cluster Member M1:

    • Upgrade to R81

      Note - If you perform a Clean Install of R81, then push the VSX configuration from the Management Server to this VSX Cluster Member

  7. In SmartConsole, install the Access Control Policy and the Threat Prevention Policy on the VSX Cluster object.

  8. In SmartConsole, install the Access Control Policy and the Threat Prevention Policy on each Virtual System object.

Procedure:

  1. Follow the R81 VSX Administration Guide > Chapter Command Line Reference > Section vsx_util > Section vsx_util upgrade.

  		2.

    Important - You must reboot the VSX Cluster Member after the upgrade or clean install.

    Installation Method

    Instructions

    Upgrade to R81 with CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449.

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R81 package and perform Upgrade. See sk92449 for detailed steps.

    Clean Install of R81 with CPUSE

    Follow these steps:

    1. See Installing Software Packages on Gaia.

      Follow the applicable action plan for the local or central installation.

      In local installation, select the R81 package and perform Clean Install. See sk92449 for detailed steps.

      Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).

    2. Run the "vsx_util reconfigure" command on the Management Server to push the VSX configuration to this VSX Cluster Member.

      See the R81 VSX Administration Guide > Chapter Command Line Reference > Section vsx_util > Section vsx_util reconfigure.

      Important - You must enter the same Activation Key you entered during the Gaia First Time Configuration Wizard of this VSX Cluster Member.

    3. Configure the required settings on this VSX Cluster Member:

      • OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

      • Settings manually defined in various configuration files.

      • Applicable Check Point configuration files.

    Clean Install of R81 from scratch

    Follow these steps:

    1. Follow Installing a VSX Cluster - only the step "Install the VSX Cluster Members".

      Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).

    2. Run the "vsx_util reconfigure" command on the Management Server to push the VSX configuration to this VSX Cluster Member.

      See the R81 VSX Administration Guide > Chapter Command Line Reference > Section vsx_util > Section vsx_util reconfigure.

      Important - You must enter the same Activation Key you entered during the Gaia First Time Configuration Wizard of this VSX Cluster Member.

    3. Configure the required settings on this VSX Cluster Member:

      • OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

      • Settings manually defined in various configuration files.

      • Applicable Check Point configuration files.

  3. Step

    Instructions

    1

    Connect to the command line on each VSX Cluster Member.

    2

    Log in to the Expert mode.

    3

    Examine the VSX configuration:

    vsx stat -v

    Important:

    4

    Examine the cluster state in one of these ways:

    5

    Examine the cluster interfaces in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster members interfaces all

    • In the Expert mode, run:

      vsenv 0

      cphaprob -a if

    Important:

    • The upgraded VSX Cluster Member M3 shows its cluster state as Ready.

    • Other VSX Cluster Members M2 and M1 show the cluster state of the upgraded VSX Cluster Member M3 as Lost, or do not detect it.

    • All Virtual Systems must show the same information about the states of all Virtual Systems.

  4. Step

    Instructions

    1

    Connect to the command line on the VSX Cluster Member.

    2

    Go to the context of Virtual System 0:

    • In Gaia Clish:

      set virtual-system 0

    • In the Expert mode:

      vsenv 0

    3

    Enable the MVC Mechanism:

    • In Gaia Clish:

      set cluster member mvc on

    • In the Expert mode:

      cphaconf mvc on

    4

    Examine the state of the MVC Mechanism:

    • In Gaia Clish:

      show cluster members mvc

    • In the Expert mode:

      cphaprob mvc

  5. Step

    Instructions

    1

    Click Install Policy.

    2

    In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy.

    2. In the Install Mode section, select these two options:

      • Select Install on each selected gateway independently.

      • Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.

    3. Click Install.

    3

    The Access Control Policy installation:

    • Succeeds on the upgraded VSX Cluster Member M3.

    • Fails on the old VSX Cluster Members M1 and M2 with a warning. Ignore this warning.

  6. Step

    Instructions

    1

    Connect to the command line on each VSX Cluster Member.

    2

    Log in to the Expert mode.

    3

    Examine the VSX configuration:

    vsx stat -v

    Important:

    • Make sure all the configured Virtual Devices are loaded.

    • Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.

    4

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster state

    • In the Expert mode, run:

      vsenv 0

      cphaprob state

    5

    Examine the cluster interfaces in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster members interfaces all

    • In the Expert mode, run:

      vsenv 0

      cphaprob -a if

    Important:

    • In High Availability mode:

      • The upgraded VSX Cluster Member M3 changes its cluster state to Active.

      • Other VSX Cluster Members change their state to Standby.

    • In the Virtual System Load Sharing mode:

      • The upgraded VSX Cluster Member M3 changes its cluster state to Active.

      • Other VSX Cluster Members change their state to Standby and Backup.

    • All Virtual Systems must show the same information about the states of all Virtual Systems.

  7. Important - You must reboot the VSX Cluster Member after the upgrade or clean install.

    Installation Method

    Instructions

    Upgrade to R81 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R81 package and perform Upgrade. See sk92449 for detailed steps.

    Clean Install of R81 with CPUSE

    Follow these steps:

    1. See Installing Software Packages on Gaia.

      Follow the applicable action plan for the local or central installation.

      In local installation, select the R81 package and perform Clean Install. See sk92449 for detailed steps.

      Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).

    2. Run the "vsx_util reconfigure" command on the Management Server to push the VSX configuration to this VSX Cluster Member.

      See the R81 VSX Administration Guide > Chapter Command Line Reference > Section vsx_util > Section vsx_util reconfigure.

      Important - You must enter the same Activation Key you entered during the Gaia First Time Configuration Wizard of this VSX Cluster Member.

    3. Configure the required settings on this VSX Cluster Member:

      • OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

      • Settings manually defined in various configuration files.

      • Applicable Check Point configuration files.

    Clean Install of R81 from scratch

    Follow these steps:

    1. Follow Installing a VSX Cluster - only the step "Install the VSX Cluster Members".

      Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).

    2. Run the "vsx_util reconfigure" command on the Management Server to push the VSX configuration to this VSX Cluster Member.

      See the R81 VSX Administration Guide > Chapter Command Line Reference > Section vsx_util > Section vsx_util reconfigure.

      Important - You must enter the same Activation Key you entered during the Gaia First Time Configuration Wizard of this VSX Cluster Member.

    3. Configure the required settings on this VSX Cluster Member:

      • OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

      • Settings manually defined in various configuration files.

      • Applicable Check Point configuration files.

  8. Step

    Instructions

    1

    Connect to the command line on each VSX Cluster Member.

    2

    Log in to the Expert mode.

    3

    Examine the VSX configuration:

    vsx stat -v

    Important:

    • Make sure all the configured Virtual Devices are loaded.

    • Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.

    4

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster state

    • In the Expert mode, run:

      vsenv 0

      cphaprob state

    5

    Examine the cluster interfaces in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster members interfaces all

    • In the Expert mode, run:

      vsenv 0

      cphaprob -a if

    Important:

    • In the High Availability mode:

      • One of the upgraded VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster state Standby.

    • In the Virtual System Load Sharing mode:

      • One of the upgraded VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster states Standby and Backup.

    • All Virtual Systems must show the same information about the states of all Virtual Systems.

  9. Step

    Instructions

    1

    Connect to the command line on the VSX Cluster Member.

    2

    Go to the context of Virtual System 0:

    • In Gaia Clish:

      set virtual-system 0

    • In the Expert mode:

      vsenv 0

    3

    Enable the MVC Mechanism:

    • In Gaia Clish:

      set cluster member mvc on

    • In the Expert mode:

      cphaconf mvc on

    4

    Examine the state of the MVC Mechanism:

    • In Gaia Clish:

      show cluster members mvc

    • In the Expert mode:

      cphaprob mvc

  10. Step

    Instructions

    1

    Click Install Policy.

    2

    In the Install Policy window:

    1. In the Policy field, select the applicable Access Control Policy.

    2. In the Install Mode section, select these two options:

      • Select Install on each selected gateway independently.

      • Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.

    3. Click Install.

    3

    The Access Control Policy installation:

    • Succeeds on the upgraded VSX Cluster Members M3 and M2.

    • Fails on the old VSX Cluster Member M1 with a warning. Ignore this warning.

  11. Step

    Instructions

    1

    Connect to the command line on each VSX Cluster Member.

    2

    Log in to the Expert mode.

    3

    Examine the VSX configuration:

    vsx stat -v

    Important:

    • Make sure all the configured Virtual Devices are loaded.

    • Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.

    4

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster state

    • In the Expert mode, run:

      vsenv 0

      cphaprob state

    5

    Examine the cluster interfaces in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster members interfaces all

    • In the Expert mode, run:

      vsenv 0

      cphaprob -a if

    Important:

    • In the High Availability mode:

      • One of the upgraded VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster state Standby.

    • In the Virtual System Load Sharing mode:

      • One of the upgraded VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster states Standby and Backup.

    • All Virtual Systems must show the same information about the states of all Virtual Systems.

  12. Important - You must reboot the VSX Cluster Member after the upgrade or clean install.

    Installation Method

    Instructions

    Upgrade to R81 with CPUSE

    See Installing Software Packages on Gaia.

    Follow the applicable action plan for the local or central installation.

    In local installation, select the R81 package and perform Upgrade. See sk92449 for detailed steps.

    Clean Install of R81 with CPUSE

    Follow these steps:

    1. See Installing Software Packages on Gaia.

      Follow the applicable action plan for the local or central installation.

      In local installation, select the R81 package and perform Clean Install. See sk92449 for detailed steps.

      Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).

    2. Run the "vsx_util reconfigure" command on the Management Server to push the VSX configuration to this VSX Cluster Member.

      See the R81 VSX Administration Guide > Chapter Command Line Reference > Section vsx_util > Section vsx_util reconfigure.

      Important - You must enter the same Activation Key you entered during the Gaia First Time Configuration Wizard of this VSX Cluster Member.

    3. Configure the required settings on this VSX Cluster Member:

      • OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

      • Settings manually defined in various configuration files.

      • Applicable Check Point configuration files.

    Clean Install of R81 from scratch

    Follow these steps:

    1. Follow Installing a VSX Cluster - only the step "Install the VSX Cluster Members".

      Important - In the Gaia First Time Configuration Wizard, for the Management Connection IP address, you must use the same IP address as was used by the previous VSX Cluster Member (prior to the upgrade).

    2. Run the "vsx_util reconfigure" command on the Management Server to push the VSX configuration to this VSX Cluster Member.

      See the R81 VSX Administration Guide > Chapter Command Line Reference > Section vsx_util > Section vsx_util reconfigure.

      Important - You must enter the same Activation Key you entered during the Gaia First Time Configuration Wizard of this VSX Cluster Member.

    3. Configure the required settings on this VSX Cluster Member:

      • OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

      • Settings manually defined in various configuration files.

      • Applicable Check Point configuration files.

  13. Step

    Instructions

    1

    Connect to the command line on each VSX Cluster Member.

    2

    Log in to the Expert mode.

    3

    Examine the VSX configuration:

    vsx stat -v

    Important:

    • Make sure all the configured Virtual Devices are loaded.

    • Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.

    4

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster state

    • In the Expert mode, run:

      vsenv 0

      cphaprob state

    5

    Examine the cluster interfaces in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster members interfaces all

    • In the Expert mode, run:

      vsenv 0

      cphaprob -a if

    Important:

    • In the High Availability mode:

      • One of the VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster state Standby.

    • In the Virtual System Load Sharing mode:

      • One of the VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster states Standby and Backup.

    • All Virtual Systems must show the same information about the states of all Virtual Systems.

  14. Step

    Instructions

    1

    Connect with SmartConsole to the R81 Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management Server that manages this cluster.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Install the Access Control Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Access Control Policy.

    3. In the Install Mode section, select these two options:

      • Install on each selected gateway independently

      • For gateway clusters, if installation on a cluster member fails, do not install on that cluster

    4. Click Install.

    5. The Access Control Policy must install successfully on all the Cluster Members.

    4

    Install the Threat Prevention Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Threat Prevention Policy.

    3. Click Install.

    4. The Threat Prevention Policy must install successfully on all the Cluster Members.

  15. Step

    Instructions

    1

    Connect to the command line on each VSX Cluster Member.

    2

    Log in to the Expert mode.

    3

    Examine the VSX configuration:

    vsx stat -v

    Important:

    • Make sure all the configured Virtual Devices are loaded.

    • Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.

    4

    Examine the cluster state in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster state

    • In the Expert mode, run:

      vsenv 0

      cphaprob state

    Important:

    • All VSX Cluster Members must show the same information about the states of all VSX Cluster Members.

    • In the High Availability mode, one VSX Cluster Member must be in the Active state, and all other VSX Cluster Members must be in Standby state.

    • In the Virtual System Load Sharing mode, all VSX Cluster Members must be in the Active state.

    • All Virtual Systems must show the same information about the states of all Virtual Systems.

    5

    Examine the cluster interfaces in one of these ways:

    • In Gaia Clish, run:

      set virtual-system 0

      show cluster members interfaces all

    • In the Expert mode, run:

      vsenv 0

      cphaprob -a if

    Important:

    • In the High Availability mode:

      • One of the VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster state Standby.

    • In the Virtual System Load Sharing mode:

      • One of the VSX Cluster Members has the cluster state Active.

      • Other VSX Cluster Members have the cluster states Standby and Backup.

    • All Virtual Systems must show the same information about the states of all Virtual Systems.

  16. Step

    Instructions

    1

    Connect to the command line on each VSX Cluster Member.

    2

    Go to the context of Virtual System 0:

    • In Gaia Clish:

      set virtual-system 0

    • In the Expert mode:

      vsenv 0

    3

    Disable the MVC Mechanism:

    • In Gaia Clish:

      set cluster member mvc off

    • In the Expert mode:

      cphaconf mvc off

    4

    Examine the state of the MVC Mechanism:

    • In Gaia Clish:

      show cluster members mvc

    • In the Expert mode:

      cphaprob mvc

  17. Step

    Instructions

    1

    Connect with SmartConsole to the R81 Security Management Server or each Target Domain Management Server that manages the Virtual System on this VSX Cluster.

    2

    Install the Access Control Policy on the Virtual System object.

    3

    Install the Threat Prevention Policy on the Virtual System object.

  18. Step

    Instructions

    1

    Connect with SmartConsole to the R81 Security Management Server or each Target Domain Management Server that manages the Virtual Systems on this VSX Cluster.

    2

    From the left navigation panel, click Logs & Monitor > Logs.

    3

    Examine the logs from the Virtual Systems on this VSX Cluster to make sure they inspect the traffic as expected.

For more information, see the: