Upgrading Multi-Domain Servers in High Availability from R80.20 and higher with CPUSE

In a CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. upgrade scenario, you perform the upgrade procedure on the same Multi-Domain Servers.

Notes:

  • This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, R80.30, or higher versions.

  • For additional information related to this upgrade, see sk163814.

Important - Before you upgrade Multi-Domain Servers:

Step

Instructions

1

Back up your current configuration (see Backing Up and Restoring).

2

See the Upgrade Options and Prerequisites.

3

Only the latest published database revision is upgraded.

If there are pending changes, we recommend to Publish the session.

4

If there are Global Policies configured on the Global Domain:

  1. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Global Domain on your source Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS..

  2. Reassign all Global Policies to all applicable Domains.

Important - Do not publish any changes in the Global Domain until you complete the upgrade to the next available version. This is necessary to avoid any potential issues caused by different policy revisions on the Global Domain and on other Domains.

5

You must close all GUI clients (SmartConsole applications) connected to the source Multi-Domain Server.

6

Install the latest version of the CPUSE from sk92449.

Note - This is to make sure the CPUSE is able to support the required Upgrade Tools package.

7

Run the Pre-Upgrade Verifier on all source servers and fix all detected issues before you start the upgrade.

8

In Management High Availability, before you start the upgrade on other servers:

  1. Make sure the Primary Multi-Domain Server is upgraded and runs.

  2. Make sure the Multi-Domain Security Management Servers can communicate with each other and SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. works between these servers. For details, see sk179794.

Important - Before you can install Hotfixes on servers that work in Management High Availability, you must upgrade all these servers.

Procedure:

  1. For instructions, see the R82 Multi-Domain Security Management Administration Guide - Chapter Working with High Availability - Section Failure Recovery - Subsection Promoting the Secondary Multi-Domain Server to Primary.

  2. Step

    Instructions

    1

    Connect with SmartConsole to the Primary Multi-Domain Server.

    2

    From the left navigation panel, click Multi Domain > Domains.

    The table shows Domains and Multi-Domain Servers:

    • Every column shows a Multi-Domain Server.

    • Active Domain Management Servers (for a Domain) are marked with a solid black "barrel" icon.

    • Standby Domain Management Servers (for a Domain) are marked with an empty "barrel" icon.

    3

    In the leftmost column Domains, examine the bottom row Global for the Primary Multi-Domain Server.

    If the Global Domain is in the Standby state on the Primary Multi-Domain Server (marked with an empty "barrel" icon), then make it Active:

    1. Right-click on the Primary Multi-Domain Server and click Connect to Domain Server.

      The High Availability Status window opens.

    2. In the section Connected To, click Actions > Set Active.

    3. Click Yes to confirm.

    4. Wait for the full synchronization to complete.

    5. Close SmartConsole.

  3. Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.

    Step

    Instructions

    1

    Download the R82 Upgrade Tools from the sk135172..

    Note - This is a CPUSE Offline package.

    2

    Install the R82 Upgrade Tools with CPUSE.

    See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.

    3

    Make sure the package is installed.

    Run this command in the Expert mode:

    cpprod_util CPPROD_GetValue CPupgrade-tools-R82 BuildNumber 1

    The output must show the same build number you see in the name of the downloaded TGZ package.

    Name of the downloaded package: ngm_upgrade_wrapper_993000222_1.tgz

    [Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R82 BuildNumber 1

    993000222

    [Expert@HostName:0]#

    Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet.

    This is to make sure you always have the latest version of these Upgrade Tools installed.

    If the connection to Check Point Cloud fails, this message appears:

    Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.

  4. Important:

    • If none of the servers in the same Multi-Domain Security Management environment changed their original IP addresses, then you do not need to create the special JSON configuration file.

      Skip this step.

    • Even if only one of the servers migrates to a new IP address, all the other servers (including all Multi-Domain Log Servers, Log Servers, and SmartEvent Servers) must get this configuration file.

      You must use the same JSON configuration file on all servers (including the Secondary Multi-Domain Servers, Multi-Domain Log Servers, Log Servers and SmartEvent Servers) in the same Multi-Domain Security Management environment.

    To create the required JSON configuration file:

    Step

    Instructions

    1

    Connect to the command line on the Primary Multi-Domain Security Management Server.

    2

    Log in to the Expert mode.

    3

    Create the /var/log/mdss.json file that contains each server that migrates to a new IP address.

    Format for migrating a Secondary Multi-Domain Server / Multi-Domain Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS. / Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs. / SmartEvent Server to a new IP address:

    [{"name":"<Name of Server #1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R82 Server #1>"},

    {"name":"<Name of Server #2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of R82 Server #2>"}]

     

    There are 2 servers in the R80.30 Multi-Domain Security Management environment - the Multi-Domain Server and the Multi-Domain Log Server. The Multi-Domain Server remains with the original IP address. The Multi-Domain Log Server migrates to a new IP address.

    1. The current IPv4 address of the source R80.30 Multi-Domain Log Server is:

      192.168.10.21

    2. The name of the source R80.30 Multi-Domain Log Server object in SmartConsole is:

      MyMultiDomainLogServer

    3. The new IPv4 address of the target R82 Multi-Domain Log Server is:

      172.30.40.51

    4. The required syntax for the JSON configuration file you must use on the Multi-Domain Server and on the Multi-Domain Log Server:

      [{"name":"MyMultiDomainLogServer","newIpAddress4":"172.30.40.51"}]

      Important - All servers in this environment must get the same configuration file.

  5. See Installing Software Packages on Gaia and follow the applicable action plan.

  6. See Installing SmartConsole.

  		7.

    Note - This step is needed only to be able to export the entire management database (for backup purposes) with the latest Upgrade Tools.

    Important - See Upgrade Tools to understand if your server can download and install the latest version of the Upgrade Tools automatically.

    Step

    Instructions

    1

    Download the R82 Upgrade Tools from the sk135172..

    Note - This is a CPUSE Offline package.

    2

    Install the R82 Upgrade Tools with CPUSE.

    See Installing Software Packages on Gaia and follow the applicable action plan for the Local - Offline installation.

    3

    Make sure the package is installed.

    Run this command in the Expert mode:

    cpprod_util CPPROD_GetValue CPupgrade-tools-R82 BuildNumber 1

    The output must show the same build number you see in the name of the downloaded TGZ package.

    Name of the downloaded package: ngm_upgrade_wrapper_993000222_1.tgz

    [Expert@HostName:0]# cpprod_util CPPROD_GetValue CPupgrade-tools-R82 BuildNumber 1

    993000222

    [Expert@HostName:0]#

    Note - The command "migrate_server" from these Upgrade Tools always tries to connect to Check Point Cloud over the Internet.

    This is to make sure you always have the latest version of these Upgrade Tools installed.

    If the connection to Check Point Cloud fails, this message appears:

    Timeout. Failed to retrieve Upgrade Tools package. To download the package manually, refer to sk135172.

  8. See Installing Software Packages on Gaia and follow the applicable action plan.

  9. Step

    Instructions

    1

    Connect with SmartConsole to the R82 Primary Multi-Domain Server.

    2

    From the left navigation panel, click Multi-Domain > Domains.

    3

    From the top toolbar, open the Secondary Multi-Domain Server object.

    4

    From the left tree, click General.

    5

    In the Platform section > in the Version field, select R82.

    6

    Click OK.

  10. Important - If your Multi-Domain Server manages Multi-Domain Log Servers, dedicated Log Servers, or dedicated SmartEvent Servers, you must upgrade these dedicated servers to the same version as the Multi-Domain Server.

    Select the applicable upgrade option:

  		11.

    Important - This step applies only if the User and Device Management (UDM) is configured on one of the Domain Management Servers.

    Step

    Instructions

    1

    Close all SmartConsole clients connected the R82 Multi-Domain Server.

    2

    Connect to the command line on the R82 Multi-Domain Server.

    3

    Log in with the superuser credentials.

    4

    Log in to the Expert mode.

    5

    Go to the main MDS context:

    mdsenv

    6

    Examine the port numbers configured in the file $MDSDIR/conf/mdsdb/webservices_cmas_ports.conf in the attribute "port ()":

    cat $MDSDIR/conf/mdsdb/webservices_cmas_ports.conf

    Example:

    (
  : (My_Domain_Management_Server_1:port (30000)
    :port_SL (30001)
    :ip_addr (192.168.2.1)
  )
  : (My_Domain_Management_Server_2:port (30002)
    :port_SL (30003)
    :ip_addr (192.168.2.2)
  )
)

    7

    Configure the same port numbers in the file $UDMDIR/conf/cmas_list.conf in the attribute "WSPort":

    vi $UDMDIR/conf/cmas_list.conf

    Example:

    192.168.2.1:WSPort=30000:MDSip=192.168.2.254

    192.168.2.2:WSPort=30002:MDSip=192.168.2.254

    8

    		 Save the changes in the file and exit the editor.

    9

    Restart the User and Device Management services:

    udmstop ; udmstart

  12. Important - This step applies to each Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages SmartLSM Security Profiles.

    Step

    Instructions

    1

    Install the Access Control Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Access Control Policy.

    3. Select the applicable SmartLSM Security Profile objects.

    4. Click Install.

    5. The Access Control Policy must install successfully.

    2

    Install the Threat Prevention Policy:

    1. Click Install Policy.

    2. In the Policy field, select the applicable Threat Prevention Policy.

    3. Select the applicable SmartLSM Security Profile objects.

    4. Click Install.

    5. The Threat Prevention Policy must install successfully.

    For more information, see the R82 SmartProvisioning Administration Guide.

  13. Step

    Instructions

    1

    Connect with SmartConsole to the Primary R82 Multi-Domain Server.

    2

    Make sure the management database and configuration were upgraded correctly.

    3

    Test the Management High Availability functionality.