Rolling Back a Failed Upgrade of a Maestro Orchestrator from R82

This section describes the steps for rolling back a failed upgrade of a Maestro Orchestrator to R82.

Warning - If, after upgrading the Orchestrator to R82, you made changes in the topology of Security Groups (added or removed Security Appliances, added or removed interfaces, changed settings of physical ports), then do NOT use this rollback procedure on the Orchestrator.

You must contact Check Point Support for assistance.

Important:

  • If you also upgraded Security Groups to R82, then before you revert the Orchestrator, you must revert all Security Groups.

    Follow this procedure: Rolling Back a Failed Upgrade of a Security Group from R82 - Zero Downtime (MVC).

  • This rollback procedure reverts the Orchestrator to the configuration prior to the upgrade (Gaia configuration, topology of Security Groups, configuration of physical ports, and so on).

  • Perform this rollback procedure on one Orchestrator at a time on each Site.

  • In a Dual Site environment:

    1. In each Security Group, perform a failover of all Security Group Members from one Site (for example, Site 2) to another Site (for example, Site 1).

    2. Perform this rollback procedure on each Orchestrator on the Site from which you failed over all Security Group Members.

      In our example, perform this rollback procedure on each Orchestrator on Site 2.

    3. In each Security Group, perform a failover of all Security Group Members from their current Site to the reverted Site.

      In our example, perform this failover from Site 1 to Site 2.

    4. Perform this rollback procedure on each Orchestrator on the Site from which you failed over all Security Group Members.

      In our example, perform this rollback procedure on each Orchestrator on Site 1.

Procedure for each Orchestrator:

Step

Instructions

1

Connect to the command line on the Orchestrator (in our example, "Orchestrator 1_1").

2

If your default shell is Gaia Clish (/etc/cli.sh), then go to the Expert mode:

expert

3

Stop the Orchestrator service:

orchd stop

Warning - This immediately stops all traffic through Security Groups running on this Orchestrator.

4

Go from the Expert mode to Gaia Clish:

  • If your default shell is the Expert mode (/bin/bash), then run:

    clish

  • If your default shell is Gaia Clish (/etc/cli.sh), then run:

    exit

5

Restore the Gaia snapshot, which was created automatically during the upgrade:

set snapshot revert[Press Space][Press Tab]

The Orchestrator automatically reboots and starts the revert.

For more information, see the R82 Gaia Administration Guide > Chapter Maintenance > Section Snapshot Management.

6

Wait for the reverted Orchestrator to boot.

7

Configure the same date and time settings on all other Orchestrators in your environment.

For more information, see the R82 Gaia Administration Guide > Chapter System Management > Section Time.

8

Make sure all Orchestrators in your environment can communicate with each other.

Connect to the command line on the reverted Orchestrator (in our example, "1_1").

Send pings to other Orchestrator(s):

  • In a Single Site environment:

    ping 1_2

  • In a Dual Site environment:

    ping 1_2

    ping 2_1

    ping 2_2

9

Make sure the Security Group Members can pass traffic to each other:

  1. Connect to the command line on the Security Group.

  2. If your default shell is Gaia gClish (/etc/gclish), then go to the Expert mode:

    expert

  3. Examine the cluster state of the Security Group Members.

    On the SMO Security Group Member, run:

    cphaprob state

    The output must show that all Security Group Members are active.

  4. Send pings between Security Group Members:

    1. Connect to one of the Security Group Members

      (in our example, we connect to the first one - "1_1"):

      member 1_1

    2. On this Security Group Member, send pings to any other Security Group Member

      (in our example, we send pings to the second one - "1_2" / "2_2"):

      • In a Single Site environment:

        ping 1_2

      • In a Dual Site environment:

        ping 1_2

        ping 2_2

10

On each Security Group Member, make sure all links are up in the Security Group:

  1. Connect to the command line on the Security Group.

  2. Log in to Gaia gClish.

  3. Examine the state of links:

    show cluster info interfaces

    See show cluster info.
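
The peer checks in step 8 can be scripted so that an unreachable Orchestrator is reported by name instead of being missed in scrolling ping output. The following is an added example, not part of the original Check Point procedure. The function names, the PING variable and the ping options -c and -W (standard Linux ping) are assumptions; the Orchestrator IDs are the ones used in this section's example.

```shell
#!/bin/sh
# Added example for step 8 (not Check Point code).
# Assumptions: function names, the PING variable, and the Linux ping
# options -c (count) and -W (reply timeout in seconds).

PING="${PING:-ping}"    # overridable, so the logic can be exercised off-box

# Print the peer Orchestrator IDs for the local ID and the site mode.
# single: 1_1 and 1_2.  dual: 1_1, 1_2, 2_1, 2_2 (the IDs used on this page).
orch_peers() {
    op_self="$1"
    case "$2" in
        single) op_all="1_1 1_2" ;;
        dual)   op_all="1_1 1_2 2_1 2_2" ;;
        *)      echo "unknown mode: $2" >&2; return 2 ;;
    esac
    case " $op_all " in
        *" $op_self "*) ;;
        *) echo "unknown Orchestrator ID: $op_self" >&2; return 2 ;;
    esac
    for op_id in $op_all; do
        if [ "$op_id" != "$op_self" ]; then
            echo "$op_id"
        fi
    done
    return 0
}

# Ping every peer and name the ones that did not answer.
# Returns 0 if all peers answered, 1 if any did not, 2 on bad arguments.
check_orch_peers() {
    cp_peers=$(orch_peers "$1" "$2") || return 2
    cp_failed=""
    for cp_peer in $cp_peers; do
        if ! $PING -c 3 -W 2 "$cp_peer" >/dev/null 2>&1; then
            cp_failed="$cp_failed $cp_peer"
        fi
    done
    if [ -n "$cp_failed" ]; then
        echo "unreachable:$cp_failed"
        return 1
    fi
    echo "all peers reachable"
    return 0
}

# Usage on the reverted Orchestrator, in the Expert mode:
#   check_orch_peers 1_1 dual
```

A non-zero return means at least one Orchestrator did not answer, and that must be resolved before continuing with step 9.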