https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154227#M944 <P>We have some older R80.30 HA BYOL clusters deployed in Google Cloud and I need to start planning how to upgrade to R80.40 or R81.10 while preserving external IP addresses.&nbsp; I know this can be done by going to deployment manager, deleting the deployment, and selecting the "Keep resources created by it" option, and finally launching a new cluster with the same name.&nbsp; &nbsp;</P><P>The problem though is in Smart Console.&nbsp; It seems that just changing the management IP addresses and resetting SIC doesn't work.&nbsp; Instead, I have to&nbsp;completely remove the cluster from SmartConsole, set it up as if it were a new cluster, then re-install policy.&nbsp; This is fairly time consuming since any "Install on" rules need to be set to "Policy Targets" and then re-entered after the new cluster is up and running.&nbsp; The cluster also needs to be removed from any VPN communities and inspection rules, which takes additional time.&nbsp;&nbsp;</P><P>Is there an easier way to do this?&nbsp; I'm currently estimating 3-4 hours downtime per cluster and would really like to get that to under an hour if possible.&nbsp;&nbsp;</P> Sat, 30 Jul 2022 23:37:07 GMT johnnyringo 2022-07-30T23:37:07Z https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154227#M944 <P>We have some older R80.30 HA BYOL clusters deployed in Google Cloud and I need to start planning how to upgrade to R80.40 or R81.10 while preserving external IP addresses.&nbsp; I know this can be done by going to deployment manager, deleting the deployment, and selecting the "Keep resources created by it" option, and finally launching a new cluster with the same name.&nbsp; &nbsp;</P><P>The problem though is in Smart Console.&nbsp; It seems that just changing the management IP addresses and resetting SIC doesn't work.&nbsp; Instead, I have to&nbsp;completely remove the cluster from SmartConsole, set it up as if it were a new cluster, then re-install policy.&nbsp; This is fairly time consuming since any "Install on" rules need to be set to "Policy Targets" and then re-entered after the new cluster is up and running.&nbsp; The cluster also needs to be removed from any VPN communities and inspection rules, which takes additional time.&nbsp;&nbsp;</P><P>Is there an easier way to do this?&nbsp; I'm currently estimating 3-4 hours downtime per cluster and would really like to get that to under an hour if possible.&nbsp;&nbsp;</P> Sat, 30 Jul 2022 23:37:07 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154227#M944 johnnyringo 2022-07-30T23:37:07Z https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154231#M945 <P>Are you following the process outlined here or something else?</P> <P><A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailabilty_for_GCP/Content/Topics-GCP-HA/Additional-Information.htm?TocPath=Additional%20Information%7C_____3#Upgrading_a_Check_Point_CloudGuard_IaaS_High_Availability_Solution_to_a_Newer.." target="_blank" rel="noopener">CloudGuard Network High Availability for Google Cloud Platform R80.30 and Higher Deployment Guide &gt; Additional Information &gt; Upgrading a Check Point CloudGuard IaaS High Availability Solution to a Newer Version</A>.</P> <P>&nbsp;</P> Sun, 31 Jul 2022 02:38:52 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154231#M945 Chris_Atkinson 2022-07-31T02:38:52Z https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154237#M946 <P>Hi,</P> <P>are you sure you can't just RESET SIC and ReSic the new GWs ? this is usually what I do in any Cluster upgrade in any cloud vendor .</P> <P>do you get any errors or issues doing this process ?</P> Sun, 31 Jul 2022 09:57:20 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154237#M946 Nir_Shamir 2022-07-31T09:57:20Z https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154491#M947 <P>I'd have to re-lab it, but the problem with just resetting SIC and changing the management IPs is the cluster never forms.&nbsp;&nbsp;</P> Thu, 04 Aug 2022 04:44:27 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154491#M947 johnnyringo 2022-08-04T04:44:27Z https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154492#M948 <P>Thanks, I had not noticed this section.&nbsp; It will be a couple weeks before I have time to try this out, but it makes sense.&nbsp; The only caveat I can see is GCP doesn't allow instances in the same zone to have the same name, but I'd imagine this can be worked around by just selecting different zones for the old and new cluster members.</P> Thu, 04 Aug 2022 04:48:43 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Tips-for-upgrading-HA-clusters-in-GCP/m-p/154492#M948 johnnyringo 2022-08-04T04:48:43Z