Upgrading Maestro Environment to R82

This section describes the steps for upgrading a Maestro environment (the Quantum Maestro Orchestrators and the Security Groups) with Zero Downtime - as a Multi-Version Cluster (MVC).

This procedure supports only these upgrade paths for Maestro Security Groups:

Source Version and Mode

Target Version and Mode

R81.20 in the Gateway mode

R82 in the Gateway mode

R81.20 in the Traditional VSX mode

R82 in the Traditional VSX mode

R81.10 in the Gateway mode

R82 in the Gateway mode

R81.10 in the Traditional VSX mode

R82 in the Traditional VSX mode

Important - See these rollback procedures:

Important - You can install the R82 Jumbo Hotfix Accumulator on a Security Group only after you complete the entire upgrade procedure. Before you install it, you must log out from all Gaia gClish sessions.

Important Notes for Quantum Maestro Orchestrators:

  • We recommend to schedule a maintenance window for all Orchestrators on all sites.

  • The major software version on the Orchestrators must be equal to or higher than the major software version on the managed Security Group (PMTR-86785).

  • To prevent traffic outage in an environment with two Orchestrators on a Single Site, make sure the Sync ports of the Orchestrators on the site connect to each other with a bond interface. This bond interface must have a subordinate interface on each Orchestrator.

    Example: Bond interface bond1 with the subordinate interfaces eth1-01 on Orch1_1 and eth1-01 on Orch1_2.

  • This procedure keeps the current configuration on the Orchestrators.

  • Upgrade all Orchestrators and only then upgrade the Security Groups.

  • Upgrade one Orchestrator at a time.

  • In a Maestro Dual Site environment:

    1. Upgrade the Orchestrators on the Standby Site (for example, Site 2).

    2. Initiate a fail-over in each Security Group from the non-upgraded Active Site (Site 1) to the upgraded Standby Site (Site 2):

      1. Connect to the command line on each Security Group that is configured on these Orchestrators.

      2. If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

        expert

      3. Initiate a fail-over of all Security Group Members:

        chassis_admin -c <ID of non-upgraded Active Site> down

        chassis_admin -c <ID of non-upgraded former Active Site> up

    3. Upgrade the Orchestrators on the new Standby Site (Site 1).

Important Notes for Security Groups:

  • Before you upgrade the Security Groups, you must upgrade the Management Server that manages the Security Groups.

    See the R82 Installation and Upgrade Guide.

  • This procedure applies to Security Groups in the Gateway mode and the Traditional VSX mode.

    In Traditional VSX mode, you must run all the commands in the context of VS0:

    • To change the context in Gaia gClish, run: set virtual-system 0

    • To change the context in the Expert mode, run: vsenv 0

  • During the upgrade process, it is:

    • Forbidden to change the configuration of the Security Group and its Security Group Members.

  • To prevent down time, do not upgrade all the Security Group Members in a specific Security Group at the same time.

  • In this upgrade procedure, you divide all Security Group Members in a specific Security Group into two or more logical groups.

    In the procedure below, we use two logical groups denoted below as "A" and "B".

    You upgrade one logical group of the Security Group Members at one time.

    The other logical group(s) of the Security Group Members continues to handle traffic.

    Each logical group should contain the same number of Security Group Members - as close as possible.

    Environment

    Description

    Single Site

    • There are 8 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members from 1_5 to 1_8.

    Single Site

    • There are 5 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_3.

    • The Logical Group "B" contains Security Group Members from 1_4 to 1_5.

    Dual Site

    • There are 4 Security Group Members in the Security Group (on each Site).

    • The Logical Group "A" contains Security Group Members on Site 1 from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members on Site 2 from 2_1 to 2_4.

  • In a Dual Site environment:

    • We recommend to upgrade all Security Group Members in each Security Group on one Site and then upgrade all Security Group Members in the same Security Group on the next Site.

      Do this on one Security Group at a time.

    • To prevent a fail-over between Sites during the upgrade, we recommend these steps for each Security Group:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

        gclish

      3. Get the current Active/Standby mode and write it down (you need it at the end of the procedure):

        show chassis high-availability mode

        Available Modes:

        Mode ID

        Mode Title

        Mode Description

        0

        Active/Standby - Active Up

        No primary Site.

        The currently Active Site stays Active until one of these changes:

        • The currently Active Site changes its state to "DOWN".

          If the formerly Active Site changes its state to "UP" again, it becomes the Standby Site.

        • The quality grade of the currently Standby Site becomes greater than the quality grade of the currently Active Site.

        1

        Active/Standby - Primary Up

        The Active Site always stays Active until one of these changes:

        • The currently Active Site changes its state to "DOWN".

          If the formerly Active Site changes its state to "UP" again, it becomes the Active Site again.

        • The quality grade of the currently Standby Site becomes greater than the quality grade of the currently Active Site.

        2

        Not available

        Not supported.

        This mode is reserved.

        3

        Standby Chassis VSLS Mode

        In the Traditional VSX mode, provides Virtual System Load Sharing.

      4. Decide which of the Site should be Active for this procedure.

      5. Change the Active/Standby mode to "Active/Standby - Primary Up" (value "1"):

        set chassis high-availability mode 1

      6. Change the Site Priority - enter the number of the currently Active Site:

        set chassis high-availability vs chassis_priority {1 | 2}

      7. Upgrade all Security Group Members on the Standby Site.

      8. On the upgraded Standby Site, change the Active/Standby mode to "Active/Standby - Primary Up" (value "1"):

        set cluster configuration high-availability mode 1

      9. On the upgraded Site change the Site Priority - enter the number of the currently Active Site:

        set cluster configuration high-availability vs site_priority {1 | 2}

      10. Upgrade all Security Group Members on the new Standby Site (former Active Site).

      11. Change the Active/Standby mode to the previous mode:

        set cluster configuration high-availability mode <Mode ID>

Required software packages:

Download the required software packages from sk181127:

  1. The required CPUSE Deployment Agent.

  2. The required Take of the Jumbo Hotfix Accumulator for the current version.

  3. The R82 Upgrade Package for Scalable Platforms.

Workflow:

  1. On the Management Server - Upgrade to the required version that can manage an R82 Security Group (see sk113113).

  2. On the Orchestrator - Upgrade to R82 and install the R82 Jumbo Hotfix Accumulator.

  3. On the Security Group - Run the Pre-Upgrade Verifier to make sure it is possible to upgrade the Security Group.

  4. On the Security Group - Install the required Jumbo Hotfix Accumulator (using two logical groups of Security Group Members).

  5. On the Security Group - Install the required CPUSE Deployment Agent package for the Security Group.

  6. On the Security Group - Upgrade to R82 (using two logical groups of Security Group Members).

  7. In SmartConsole, install the policy.

Procedure:

Upgrade the Security Management Server / Multi-Domain Security Management Server to the required version that can manage an R82 Security Group.

See the R82 Release Notes or sk113113.

For more information about the CPUSE Deployment Agent, see sk92449.

Step

Instructions

A

If the Orchestrator runs R80.20SP, then install the R80.20SP Jumbo Hotfix Accumulator Take 326 or higher on the Orchestrator.

B

In the Orchestrator's Gaia Portal, from the left tree, go to Software Updates > Available Updates.

C

In the top left, click Add package > Upload package from local.

D

In the Import package window, click Browse for a file.

E

Go to the folder where you put the R82 Upgrade Package for Scalable Platforms from sk181127.

F

Select the R82 Upgrade Package for Scalable Platforms.

G

Click Open.

H

Click Import.

I

A new row appears in the section Major Versions.

J

In the row of the imported R82 CPUSE Offline Package, click the Verify button.

K

In the row of the imported R82 CPUSE Offline Package, click the Upgrade button.

Important:

  • Do not click the 3-dot menu and do not click Clean install because it performs a clean install, which deletes all configuration and reboots all Security Group Members).

  • At the end of the upgrade, the Orchestrator reboots automatically.

L

Install the Recommended Take of the R82 Jumbo Hotfix Accumulator.

See Installing and Uninstalling a Hotfix on Maestro Orchestrators.

Step

Instructions

A

If the Orchestrator runs R80.20SP, then install the R80.20SP Jumbo Hotfix Accumulator Take 326 or higher on the Orchestrator.

B

In the Orchestrator's Gaia Portal, from the left tree, go to Upgrades (CPUSE) > Status and Actions.

C

In the top right section, click Import Package.

D

Click Browse.

E

Go to the folder where you put the R82 Upgrade Package for Scalable Platforms from sk181127.

F

Select the R82 Upgrade Package for Scalable Platforms.

G

Click Open.

H

Click Import.

I

Above the list of packages, near the help icon, click the filter button that currently says "Showing Recommended packages" and click "All".

The filter must change to "Showing All packages".

J

Right-click the imported R82 CPUSE Offline Package and click Verify Update.

K

Right-click the imported R82 CPUSE Offline Package and click Upgrade.

Important:

  • Make sure to click Upgrade

    (do not click Install because it performs a clean install, which deletes all configuration and reboots all Security Group Members).

  • At the end of the upgrade, the Orchestrator reboots automatically.

L

Install the Recommended Take of the R82 Jumbo Hotfix Accumulator.

See Installing and Uninstalling a Hotfix on Maestro Orchestrators.

Important - This step applies only when the Security Group works in the Traditional VSX mode.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Log in to the Expert mode.

C

On a Multi-Domain Server, go to the context of the applicable Domain Management Server that manages this Security Group in VSX mode:

mdsenv <IP Address or Name of Domain Management Server>

D

Upgrade the version of a VSX Gateway object in the management database:

Warning - Make sure to close all SmartConsole clients connected to this Management Server.

vsx_util upgrade [-s <Mgmt Server>] [-u <UserName>]

For more information, see the R82 VSX Administration Guide > Chapter "Command Line Reference" > Section "vsx_util".

E

Log in with the Management Server administrator credentials.

F

Select the Traditional VSX Gateway object for this Security Group.

G

Change the version to R82.

Follow the instructions on the screen.

Note - The SMO Image Cloning feature automatically clones all the required software packages to the Security Group Members during their boot. When you install or remove software packages gradually on Security Group Members, it is necessary to disable this feature, so that after a reboot the updated Security Group Members do not clone the software packages from the existing non-updated Security Group Members. Note - Enable the SMO Image Cloning feature only before you need to add a new Security Group Member and disable it immediately after it joins the Security Group.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is the Expert mode, then go to Gaia gClish:

gclish

C

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

D

Disable the SMO Image Cloning feature, if it is enabled:

set smo image auto-clone state off

E

Examine the state of the SMO Image Cloning feature again:

show smo image auto-clone state

Important:

  • You must install the required Jumbo Hotfix Accumulator on all Security Group Members in the Security Group.

  • Before you install Jumbo Hotfix Accumulator, this procedure requires you to disable the SMO Image Cloning feature on the Security Group.

    Do not enable the SMO Image Cloning feature on the Security Group until the upgrade procedure instructs you to do so.

Follow these instructions to install the required Jumbo Hotfix Accumulator from sk181127:

Important - You must do this step even if you upgrade again after a rollback procedure on the Security Group.

Step

Instructions

A

Transfer the required CPUSE Deployment Agent package (from sk92449) to the Security Group (into some directory, for example /var/log/).

B

Connect to the command line on the Security Group.

C

If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

expert

D

Make sure the CPUSE Deployment Agent package exists:

ls -l /<Full Path>/<Name of CPUSE Deployment Agent Package>

E

Upgrade the CPUSE Deployment Agent:

update_sp_da /<Full Path>/<Name of CPUSE Deployment Agent Package>

Example:

update_sp_da /var/log/DeploymentAgent_XXXXXXXXX.tgz

F

Make sure all Security Group Members have the same build of the CPUSE Deployment Agent:

gclish -c "show installer status build"

Step

Instructions

A

Make sure you have the applicable CPUSE Offline package:

R82 Upgrade Package for Scalable Platforms

B

Transfer the CPUSE Offline package to the Security Group (into some directory, for example /var/log/).

C

Connect to the command line on the Security Group.

D

If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

gclish

E

If you enabled MDPS (sk138672) on the Security Group, then go to the Management Plane:

set mdps environment mplane

F

Import the CPUSE Offline package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

Example:

[Global] HostName-s01-01 > installer import local /var/log/Check_Point_R82_Gaia_Install_and_Upgrade.tar

G

Show the imported CPUSE packages:

show installer packages imported

H

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids all

Example:

[Global] HostName-s01-01 > installer verify 2 member_ids all
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Upgrade is allowed.                          |
|1_02         |Upgrade is allowed.                          |
|1_03         |Upgrade is allowed.                          |
|1_04         |Upgrade is allowed.                          |
|1_05         |Upgrade is allowed.                          |
|1_06         |Upgrade is allowed.                          |
|1_07         |Upgrade is allowed.                          |
|1_08         |Upgrade is allowed.                          |
+-----------------------------------------------------------+
[Global] HostName-s01-01 >

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "A" through the console.

  • Connect to one of the Security Group Members in the Logical Group "B" over SSH.

B

Go to the context of one of the Security Group Members in the Logical Group "A":

member <Member ID>

Example:

member 1_1

C

If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

expert

D

Set the Security Group Members in the Logical Group "A" to the state "DOWN":

Best Practice - To ensure correct traffic failover within the Security Group, change the state of Security Group Members in the logical group one by one.

Warning - During this upgrade procedure, you must use only the "g_clusterXL_admin" command in the Expert mode to change the state of Security Group Members.

Syntax:

g_clusterXL_admin –b <ID of first selected SGM in Group "A"> down

g_clusterXL_admin –b <ID of second selected SGM in Group "A"> down

and so on

Example:

g_clusterXL_admin –b 1_1 down

g_clusterXL_admin –b 1_2 down

g_clusterXL_admin –b 1_3 down

g_clusterXL_admin –b 1_4 down

E

Examine the state of the Security Group Members:

asg monitor

The state of the Security Group Members must be:

  • In the Logical Group "A" - "DOWN".

  • In the Logical Group "B" - "ACTIVE".

Warning - During this upgrade procedure, do not use the "insights" command to monitor the state of Security Group Members.

F

Go from the Expert mode to Gaia gClish:

  • If your default shell is the Expert mode (/bin/bash), then run:

    gclish

  • If your default shell is Gaia gClish (/etc/gcli.sh), then run:

    exit

G

Upgrade the Security Group Members in the Logical Group "A":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

Example:

[Global] HostName-s01-01 > installer upgrade 2 member_ids 1_1-1_4
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Package is ready for installation            |
|1_02         |Package is ready for installation            |
|1_03         |Package is ready for installation            |
|1_04         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_02,1_02,1_03,1_04) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-s01-01 >

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is the Expert mode (/bin/bash), then run:

    exit

  • If your default shell is Gaia gClish (/etc/gcli.sh), then run:

    expert

I

Monitor the Security Group Members in the Logical Group "A" until they boot:

asg monitor

Important:

  • By design, the upgraded Security Group Members boot into the state "DOWN(Policy)(R82)" because the Critical Device "Policy" reports its state as "problem" (you can run the "cluster-cli show pnotes" command).

  • In the Traditional VSX mode, the Security Group Members are pulling the policy automatically from Management Server during their boot.

Warning - During this upgrade procedure, do not use the "insights" command to monitor the state of Security Group Members.

Note - This step applies only to a Security Group in the Gateway mode.

Warning - This step does not apply when the Security Group works in the Traditional VSX mode.

In the Traditional VSX mode, you changed the object version earlier with the "vsx_util upgrade" command.

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

From the left navigation panel, click Gateways & Servers.

C

Double-click the Security Gateway object for this Security Group.

D

In the left tree, click General.

E

In the Version field, select R82.

F

Click OK.

G

Publish the session.

H

Install the Access Control policy on this Security Gateway object.

Important - You must disable the Accelerated Policy Installation as described in sk168055:

  1. Click Install Policy.

  2. In the Install Policy window, right-click on the Security Gateway object.

  3. Select Do not use Install Policy Acceleration for all gateways.

  4. Select the Security Gateway object.

  5. Click Install.

Note - Only the upgraded R82 Security Group Members install this policy.

The Security Group Members that still run the previous version ignore this policy installation.

I

On the Security Group (in the Expert mode), examine the state of the Security Group Members:

asg monitor

The state of the Security Group Members must be:

  • In the upgraded Logical Group "A" - "DOWN(READY)(R82)".

  • In the Logical Group "B" - "ACTIVE(<previous version>)".

Warning - During this upgrade procedure, do not use the "insights" command to monitor the state of Security Group Members.

Step

Instructions

A

Set the Security Group Members in the Logical Group "A" to the state "UP":

Best Practice - To ensure correct traffic failover within the Security Group, change the state of Security Group Members in the logical group one by one.

Warning - During this upgrade procedure, you must use only the "g_clusterXL_admin" command in the Expert mode to change the state of Security Group Members.

Syntax:

g_clusterXL_admin –b <ID of first selected SGM in Group "A"> up

g_clusterXL_admin –b <ID of second selected SGM in Group "A"> up

and so on

Example:

g_clusterXL_admin –b 1_1 up

g_clusterXL_admin –b 1_2 up

g_clusterXL_admin –b 1_3 up

g_clusterXL_admin –b 1_4 up

B

Examine the state of the Security Group Members:

asg monitor

The state of the Security Group Members must be:

  • In the upgraded Logical Group "A" - "ACTIVE(R82)".

  • In the Logical Group "B" - "ACTIVE(<previous version>)".

Warning - During this upgrade procedure, do not use the "insights" command to monitor the state of Security Group Members.

Note - Because of the Multi-Version Cluster (MVC) mechanism design, the upgraded Security Group Members also process the traffic.

Important - If this Security Group works in the Traditional VSX mode, the state of the upgraded Security Group Members may remain "DOWN" because the Critical Device "DSD" reports its state as "problem" (run the "show cluster info pnotes" command).

This issue may occur if before the upgrade you configured static CoreXL Affinity with the command "fw ctl affinity -s -d -fwkall <Number of CPUs>" (to see the current configuration, run the command "fw ctl affinity -l -x").

Follow these workaround steps:

  1. Connect to the command line on the Security Group.

  2. If the default shell is the Expert mode, then go to Gaia gClish:

    gclish

  3. Disable the CoreXL Dynamic Balancing:

    set dynamic-balancing state disable

  4. Reboot the upgraded Security Group Members:

    reboot -b <SGM IDs>

  5. Examine the state of the upgraded Security Group Members:

    show cluster info pnotes

    asg monitor

Important - In the Multi-Version Cluster mode, it is not necessary to choose all of the remaining Security Group Members that you did not upgrade yet.

You can repeat the previous steps for different logical groups of Security Group Members until you upgrade all Security Group Members in the Security Group.

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Set the Security Group Members in the Logical Group "B" to the state "DOWN":

Best Practice - To ensure correct traffic failover within the Security Group, change the state of Security Group Members in the logical group one by one.

Warning - During this upgrade procedure, you must use only the "g_clusterXL_admin" command in the Expert mode to change the state of Security Group Members.

Syntax:

g_clusterXL_admin –b <ID of first selected SGM in Group "B"> down

g_clusterXL_admin –b <ID of second selected SGM in Group "B"> down

and so on

Example:

g_clusterXL_admin –b 1_5 down

g_clusterXL_admin –b 1_6 down

g_clusterXL_admin –b 1_7 down

g_clusterXL_admin –b 1_8 down

Note - At this time, the Security Group runs only with the upgraded Security Group Members.

You can perform the required tests on your network to make sure the new version works as expected.

If there are any issues:

  1. Set the Security Group Members in the Logical Group "B" to the state "UP".

  2. Set the Security Group Members in the upgraded Logical Group "A" to the state "DOWN".

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Go to the context of one of the Security Group Members in the Logical Group "B":

member <Member ID>

Example:

member 1_5

C

If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

gclish

D

Upgrade the Security Group Members in the Logical Group "B":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

Example:

[Global] HostName-s01-01 > installer upgrade 2 member_ids 1_5-1_8
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_05 (local) |Package is ready for installation            |
|1_06         |Package is ready for installation            |
|1_07         |Package is ready for installation            |
|1_08         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_05,1_06,1_07,1_08) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-s01-01 >

E

Go from Gaia gClish to the Expert mode:

  • If your default shell is the Expert mode (/bin/bash), then run:

    exit

  • If your default shell is Gaia gClish (/etc/gcli.sh), then run:

    expert

F

Monitor the Security Group Members in the Logical Group "B" until they boot:

asg monitor

The state of the Security Group Members must be:

  • In the Logical Group "A" - "ACTIVE(R82)".

  • In the Logical Group "B" - "DOWN(READY)(R82)".

Warning - During this upgrade procedure, do not use the "insights" command to monitor the state of Security Group Members.

G

Set the Security Group Members in the Logical Group "B" to the state "UP":

Best Practice - To ensure correct traffic failover within the Security Group, change the state of Security Group Members in the logical group one by one.

Warning - During this upgrade procedure, you must use only the "g_clusterXL_admin" command in the Expert mode to change the state of Security Group Members.

Syntax:

g_clusterXL_admin –b <ID of first selected SGM in Group "B"> up

g_clusterXL_admin –b <ID of second selected SGM in Group "B"> up

and so on

Example:

g_clusterXL_admin –b 1_5 up

g_clusterXL_admin –b 1_6 up

g_clusterXL_admin –b 1_7 up

g_clusterXL_admin –b 1_8 up

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

expert

C

Examine the state of the Security Group Members:

asg monitor

Each Security Group Members must have the state "ACTIVE".

D

Run this command (see hcp):

hcp -m all -r all