Upgrading Maestro Environment to R82 - Zero Downtime (MVC)

This section describes the steps for upgrading a Maestro environment (the Quantum Maestro Orchestrators and the Security Groups) with Zero Downtime - as a Multi-Version Cluster (MVC).

This procedure supports only these upgrade paths for Security Groups:

  • from R81.20 to R82

  • from R81.10 to R82

Important - See these rollback procedures:

Important Notes for Quantum Maestro Orchestrators:

  • We recommend to schedule a maintenance window for all Orchestrators on all sites.

  • The major software version on the Orchestrators must be equal to or higher than the major software version on the managed Security Group (PMTR-86785).

  • This procedure keeps the current configuration on the Orchestrators.

  • Upgrade all Orchestrators and only then upgrade the Security Groups.

  • Upgrade one Orchestrator at a time.

  • In a Maestro Dual Site environment:

    1. Upgrade the Orchestrators on the Standby Site (for example, Site 2).

    2. Initiate a fail-over in each Security Group from the non-upgraded Active Site (Site 1) to the upgraded Standby Site (Site 2):

      1. Connect to the command line on each Security Group that is configured on these Orchestrators.

      2. If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

        expert

      3. Initiate a fail-over of all Security Group Members:

        chassis_admin -c <ID of Active Site> down

        chassis_admin -c <ID of Former Active Site> up

    3. Upgrade the Orchestrators on the new Standby Site (Site 1).

Important Notes for Security Groups:

  • Before you upgrade the Security Groups, you must upgrade the Management Server that manages the Security Groups.

    See the R82 Installation and Upgrade Guide.

  • This procedure applies to Security Groups in the Gateway mode and the Traditional VSX mode.

    In Traditional VSX mode, you must run all the commands in the context of VS0:

    • To change the context in Gaia gClish, run: set virtual-system 0

    • To change the context in the Expert mode, run: vsenv 0

  • During the upgrade process, it is:

    • Forbidden to install policy on the Security Group, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to reboot Security Group Members, unless the upgrade procedure explicitly shows how to do it.

    • Forbidden to change the configuration of the Security Group and its Security Group Members.

    • Forbidden to install Hotfixes on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

    • Forbidden to install the Jumbo Hotfix Accumulator on the Security Group Members, unless Check Point Support or R&D explicitly instructs you to do so.

  • To prevent down time, do not upgrade all the Security Group Members in a specific Security Group at the same time.

  • In this upgrade procedure, you divide all Security Group Members in a specific Security Group into two or more logical groups.

    In the procedure below, we use two logical groups denoted below as "A" and "B".

    You upgrade one logical group of the Security Group Members at one time.

    The other logical group(s) of the Security Group Members continues to handle traffic.

    Each logical group should contain the same number of Security Group Members - as close as possible.

    Environment

    Description

    Single Site

    • There are 8 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members from 1_5 to 1_8.

    Single Site

    • There are 5 Security Group Members in the Security Group.

    • The Logical Group "A" contains Security Group Members from 1_1 to 1_3.

    • The Logical Group "B" contains Security Group Members from 1_4 to 1_5.

    Dual Site

    • There are 4 Security Group Members in the Security Group (on each Site).

    • The Logical Group "A" contains Security Group Members on Site 1 from 1_1 to 1_4.

    • The Logical Group "B" contains Security Group Members on Site 2 from 2_1 to 2_4.

  • In a Dual Site environment:

    • We recommend to upgrade all Security Group Members in each Security Group on one Site and then upgrade all Security Group Members in the same Security Group on the next Site.

      Do this on one Security Group at a time.

    • To prevent a fail-over between Sites during the upgrade, we recommend these steps for each Security Group:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

        gclish

      3. Get the current Active/Standby mode and write it down (you need it at the end of the procedure):

        show cluster configuration high-availability mode

        Available Modes:

        Mode ID

        Mode Title

        Mode Description

        0

        Active/Standby - Active Up

        No primary Site.

        The currently Active Site stays Active until one of these changes:

        • The currently Active Site changes its state to "DOWN".

          If the formerly Active Site changes its state to "UP" again, it becomes the Standby Site.

        • The quality grade of the currently Standby Site becomes greater than the quality grade of the currently Active Site.

        1

        Active/Standby - Primary Up

        The Active Site always stays Active until one of these changes:

        • The currently Active Site changes its state to "DOWN".

          If the formerly Active Site changes its state to "UP" again, it becomes the Active Site again.

        • The quality grade of the currently Standby Site becomes greater than the quality grade of the currently Active Site.

        2

        Not available

        Not supported.

        This mode is reserved.

        3

        Standby Chassis VSLS Mode

        In the Traditional VSX mode, provides Virtual System Load Sharing.

      4. Decide which of the Site should be Active for this procedure.

      5. Change the Active/Standby mode to "Active/Standby - Primary Up" (value "1"):

        set cluster configuration high-availability mode 1

      6. Change the Site Priority - enter the number of the currently Active Site:

        set cluster configuration high-availability vs site_priority {1 | 2}

      7. Upgrade all Security Group Members on the Standby Site.

      8. On the upgraded Standby Site, change the Active/Standby mode to "Active/Standby - Primary Up" (value "1"):

        set cluster configuration high-availability mode 1

      9. On the upgraded Site change the Site Priority - enter the number of the currently Active Site:

        set cluster configuration high-availability vs site_priority {1 | 2}

      10. Upgrade all Security Group Members on the new Standby Site (former Active Site).

      11. Change the Active/Standby mode to the previous mode:

        set cluster configuration high-availability mode <Mode ID>

Required software packages:

Download the required software packages from sk181127:

  1. The required Take of the Jumbo Hotfix Accumulator for R81.10 or R81.20.

  2. The required CPUSE Deployment Agent.

  3. The R82 Upgrade Package for Scalable Platforms.

Workflow:

  1. On the Management Server - Upgrade to the required version that can manage an R82 Security Group (see sk113113).

  2. On the Orchestrator - Upgrade to R82.

  3. On the Security Group - Run the Pre-Upgrade Verifier to make sure it is possible to upgrade the Security Group.

  4. On the Security Group - Install the required Jumbo Hotfix Accumulator (using two logical groups of Security Group Members).

  5. On the Security Group - Install the required CPUSE Deployment Agent package for the Security Group.

  6. On the Security Group - Upgrade to R82 (using two logical groups of Security Group Members).

  7. In SmartConsole, install the policy.

Procedure:

Upgrade the Security Management Server / Multi-Domain Security Management Server to the required version that can manage an R82 Security Group.

See the R82 Release Notes or sk113113.

For more information about the CPUSE Deployment Agent, see sk92449.

Step

Instructions

A

If the Orchestrator runs R80.20SP, then install the R80.20SP Jumbo Hotfix Accumulator Take 326 or higher on the Orchestrator.

B

In the Orchestrator's Gaia Portal, from the left tree, go to Software Updates > Available Updates.

C

In the top left, click Add package > Upload package from local.

D

In the Import package window, click Browse for a file.

E

Go to the folder where you put the R82 Upgrade Package for Scalable Platforms from sk181127.

F

Select the R82 Upgrade Package for Scalable Platforms.

G

Click Open.

H

Click Import.

I

A new row appears in the section Major Versions.

J

In the row of the imported R82 CPUSE Offline Package, click the Verify button.

K

In the row of the imported R82 CPUSE Offline Package, click the Upgrade button.

Important:

  • Do not click the 3-dot menu and do not click Clean install because it performs a clean install, which deletes all configuration and reboots all Security Group Members).

  • At the end of the upgrade, the Orchestrator reboots automatically.

Step

Instructions

A

If the Orchestrator runs R80.20SP, then install the R80.20SP Jumbo Hotfix Accumulator Take 326 or higher on the Orchestrator.

B

In the Orchestrator's Gaia Portal, from the left tree, go to Upgrades (CPUSE) > Status and Actions.

C

In the top right section, click Import Package.

D

Click Browse.

E

Go to the folder where you put the R82 Upgrade Package for Scalable Platforms from sk181127.

F

Select the R82 Upgrade Package for Scalable Platforms.

G

Click Open.

H

Click Import.

I

Above the list of packages, near the help icon, click the filter button that currently says "Showing Recommended packages" and click "All".

The filter must change to "Showing All packages".

J

Right-click the imported R82 CPUSE Offline Package and click Verify Update.

K

Right-click the imported R82 CPUSE Offline Package and click Upgrade.

Important:

  • Make sure to click Upgrade

    (do not click Install because it performs a clean install, which deletes all configuration and reboots all Security Group Members).

  • At the end of the upgrade, the Orchestrator reboots automatically.

Important - This step applies only when the Security Group works in the Traditional VSX mode.

Step

Instructions

A

Connect to the command line on the Management Server.

B

Log in to the Expert mode.

C

On a Multi-Domain Server, go to the context of the applicable Domain Management Server that manages this Security Group in VSX mode:

mdsenv <IP Address or Name of Domain Management Server>

D

Upgrade the version of a VSX Gateway object in the management database:

Warning - Make sure to close all SmartConsole clients connected to this Management Server.

vsx_util upgrade [-s <Mgmt Server>] [-u <UserName>]

For more information, see the R82 VSX Administration Guide > Chapter "Command Line Reference" > Section "vsx_util".

E

Log in with the Management Server administrator credentials.

F

Select the Traditional VSX Gateway object for this Security Group.

G

Change the version to R82.

Follow the instructions on the screen.

Note - The SMO Image Cloning feature automatically clones all the required software packages to the Security Group Members during their boot. When you install or remove software packages gradually on Security Group Members, it is necessary to disable this feature, so that after a reboot the updated Security Group Members do not clone the software packages from the existing non-updated Security Group Members.

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is the Expert mode, then go to Gaia gClish:

gclish

C

Examine the state of the SMO Image Cloning feature:

show cluster configuration image auto-clone state

D

Disable the SMO Image Cloning feature, if it is enabled:

set cluster configuration image auto-clone state off

E

Examine the state of the SMO Image Cloning feature again:

show cluster configuration image auto-clone state

Important:

  • You must install the required Jumbo Hotfix Accumulator on all Security Group Members in the Security Group.

  • Before you install Jumbo Hotfix Accumulator, this procedure requires you to disable the SMO Image Cloning feature on the Security Group.

    Do not enable the SMO Image Cloning feature on the Security Group until the upgrade procedure instructs you to do so.

Follow these instructions to install the required Jumbo Hotfix Accumulator from sk181127:

Important - You must do this step even if you upgrade again after a rollback procedure on the Security Group.

Step

Instructions

A

Transfer the required CPUSE Deployment Agent package (from sk92449) to the Security Group (into some directory, for example /var/log/).

B

Connect to the command line on the Security Group.

C

If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

expert

D

Make sure the CPUSE Deployment Agent package exists:

ls -l /<Full Path>/<Name of CPUSE Deployment Agent Package>

E

Upgrade the CPUSE Deployment Agent:

update_sp_da /<Full Path>/<Name of CPUSE Deployment Agent Package>

Example:

update_sp_da /var/log/DeploymentAgent_XXXXXXXXX.tgz

F

Make sure all Security Group Members have the same build of the CPUSE Deployment Agent:

gclish -c "show installer status build"

Step

Instructions

A

Make sure you have the applicable CPUSE Offline package:

R82 Upgrade Package for Scalable Platforms

B

Transfer the CPUSE Offline package to the Security Group (into some directory, for example /var/log/).

C

Connect to the command line on the Security Group.

D

If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

gclish

E

If you enabled MDPS (sk138672) on the Security Group, then go to the Management Plane:

set mdps environment mplane

F

Import the CPUSE Offline package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

Example:

[Global] HostName-s01-01 > installer import local /var/log/Check_Point_R82_Gaia_Install_and_Upgrade.tar

G

Show the imported CPUSE packages:

show installer packages imported

H

Make sure the imported CPUSE package can be installed on this Security Group:

installer verify [Press Tab]

installer verify <Number of CPUSE Package> member_ids all

Example:

[Global] HostName-s01-01 > installer verify 2 member_ids all
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Upgrade is allowed.                          |
|1_02         |Upgrade is allowed.                          |
|1_03         |Upgrade is allowed.                          |
|1_04         |Upgrade is allowed.                          |
|1_05         |Upgrade is allowed.                          |
|1_06         |Upgrade is allowed.                          |
|1_07         |Upgrade is allowed.                          |
|1_08         |Upgrade is allowed.                          |
+-----------------------------------------------------------+
[Global] HostName-s01-01 >

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "A" through the console.

  • Connect to one of the Security Group Members in the Logical Group "B" over SSH.

B

Go to the context of one of the Security Group Members in the Logical Group "A":

member <Member ID>

Example:

member 1_1

C

If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

expert

D

Set the Security Group Members in the Logical Group "A" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "A""> down

Example:

g_clusterXL_admin –b 1_1-1_4 down

E

Examine the state of the Security Group Members:

asg monitor

The state of the Security Group Members must be:

  • In the Logical Group "A" - "DOWN".

  • In the Logical Group "B" - "ACTIVE".

F

Go from the Expert mode to Gaia gClish:

  • If your default shell is the Expert mode (/bin/bash), then run:

    gclish

  • If your default shell is Gaia gClish (/etc/gcli.sh), then run:

    exit

G

Upgrade the Security Group Members in the Logical Group "A":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "A">

Example:

[Global] HostName-s01-01 > installer upgrade 2 member_ids 1_1-1_4
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_01 (local) |Package is ready for installation            |
|1_02         |Package is ready for installation            |
|1_03         |Package is ready for installation            |
|1_04         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_02,1_02,1_03,1_04) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-s01-01 >

H

Go from Gaia gClish to the Expert mode:

  • If your default shell is the Expert mode (/bin/bash), then run:

    exit

  • If your default shell is Gaia gClish (/etc/gcli.sh), then run:

    expert

I

Monitor the Security Group Members in the Logical Group "A" until they boot:

asg monitor

Important:

  • By design, the upgraded Security Group Members boot into the state "DOWN(Policy)(R82)" because the Critical Device "Policy" reports its state as "problem" (you can run the "cluster-cli show pnotes" command).

  • In the Traditional VSX mode, the Security Group Members are pulling the policy automatically from Management Server during their boot.

Note - This step applies only to a Security Group in the Gateway mode.

In the Traditional VSX mode, you changed the object version earlier with the "vsx_util upgrade" command.

Step

Instructions

A

Connect with SmartConsole to the Management Server that manages this Security Group.

B

From the left navigation panel, click Gateways & Servers.

C

Double-click the Security Gateway object for this Security Group.

D

In the left tree, click General.

E

In the Version field, select R82.

F

Click OK.

G

Publish the session.

H

Install the Access Control policy on this Security Gateway object.

Important - You must disable the Accelerated Policy Installation as described in sk168055:

  1. Click Install Policy.

  2. In the Install Policy window, right-click on the Security Gateway object.

  3. Select Do not use Install Policy Acceleration for all gateways.

  4. Select the Security Gateway object.

  5. Click Install.

Note - Only the upgraded R82 Security Group Members install this policy.

The Security Group Members that still run the previous version ignore this policy installation.

I

On the Security Group (in the Expert mode), examine the state of the Security Group Members:

asg monitor

The state of the Security Group Members must be:

  • In the upgraded Logical Group "A" - "DOWN(READY)(R82)".

  • In the Logical Group "B" - "ACTIVE(<previous version>)".

Step

Instructions

A

Set the Security Group Members in the Logical Group "A" to the state "UP":

g_clusterXL_admin –b <SGM IDs in Group "A""> up

Example:

g_clusterXL_admin –b 1_1-1_4 up

B

Examine the state of the Security Group Members:

asg monitor

The state of the Security Group Members must be:

  • In the upgraded Logical Group "A" - "ACTIVE(R82)".

  • In the Logical Group "B" - "ACTIVE(<previous version>)".

Note - Because of the Multi-Version Cluster (MVC) mechanism design, the upgraded Security Group Members also process the traffic.

Important - In the Multi-Version Cluster mode, it is not necessary to choose all of the remaining Security Group Members that you did not upgrade yet.

You can repeat the previous steps for different logical groups of Security Group Members until you upgrade all Security Group Members in the Security Group.

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Set the Security Group Members in the Logical Group "B" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "B""> down

Example:

g_clusterXL_admin –b 1_5-1_8 down

Note - At this time, the Security Group runs only with the upgraded Security Group Members.

You can perform the required tests on your network to make sure the new version works as expected.

If there are any issues:

  1. Set the Security Group Members in the Logical Group "B" to the state "UP".

  2. Set the Security Group Members in the upgraded Logical Group "A" to the state "DOWN".

Step

Instructions

A

Connect in one of these ways:

  • Connect to one of the Security Group Members in the Logical Group "B" through the console.

  • Connect to one of the Security Group Members in the Logical Group "A" over SSH.

B

Go to the context of one Security Group Members in the Logical Group "B":

member <Member ID>

Example:

member 1_5

C

If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

gclish

D

Upgrade the Security Group Members in the Logical Group "B":

installer upgrade [Press the Tab key]

installer upgrade <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

Example:

[Global] HostName-s01-01 > installer upgrade 2 member_ids 1_5-1_8
... ...
Update Service Engine
+-----------------------------------------------------------+
|Member ID    |Status                                       |
+-----------------------------------------------------------+
|1_05 (local) |Package is ready for installation            |
|1_06         |Package is ready for installation            |
|1_07         |Package is ready for installation            |
|1_08         |Package is ready for installation            |
+-----------------------------------------------------------+
The machines (1_05,1_06,1_07,1_08) will automatically reboot after upgrade.
Do you want to continue? ([y]es / [n]o) y
[Global] HostName-s01-01 >

E

Go from Gaia gClish to the Expert mode:

  • If your default shell is the Expert mode (/bin/bash), then run:

    exit

  • If your default shell is Gaia gClish (/etc/gcli.sh), then run:

    expert

F

Monitor the Security Group Members in the Logical Group "B" until they boot:

asg monitor

The state of the Security Group Members must be:

  • In the Logical Group "A" - "ACTIVE(R82)".

  • In the Logical Group "B" - "DOWN(READY)(R82)".

G

Set the Security Group Members in the Logical Group "B" to the state "UP":

g_clusterXL_admin –b <SGM IDs in Group "B""> up

Example:

g_clusterXL_admin –b 1_5-1_8 up

Step

Instructions

A

Connect to the command line on the Security Group.

B

If your default shell is Gaia gClish (/etc/gcli.sh), then go to the Expert mode:

expert

C

Examine the state of the Security Group Members:

asg monitor

Each Security Group Members must have the state "ACTIVE".

D

Run this command (see hcp):

hcp -m all -r all