Cluster upgrade

Brianpiraty_Ale — Tue, 26 Jun 2018 14:22:46 GMT

I need to replace checkpoint 4800 cluster R 77.30 with checkpoint 5K R 80.10 with minimal down time. Please provide the steps

Re: Cluster upgrade

Maarten_Sjouw — Tue, 26 Jun 2018 17:51:05 GMT

There is a number of questions that come to mind before being able to answer this:

Local management or central?
If local, is it HA?
If local, are there plans to move to Central?
If central, is management upgrade already?
ClusterXL or VRRP?

The above questions will help build a plan that can be used in your situation.

Re: Cluster upgrade

Brianpiraty_Ale — Tue, 26 Jun 2018 18:10:27 GMT

central management and Manager is already with R 80.10

and it is cluster XL

Re: Cluster upgrade

Maarten_Sjouw — Tue, 26 Jun 2018 21:37:11 GMT

These are the steps we take with a cluster replacement currently planned for next Saturday:

Preparations:

Prepare the full configuration of the new boxes, run the First Time Wizard, plus all the things you configure in Gaia, being:

interfaces (all using the same IP as the current units , except for the 1 interface, see below)
routing
DNS
NTP
Users
passwords
SNMP
etc.

Now see if you have 2 spare IP's on the network that you manage you gateways on, if so apply these to the correct interface.

Prepare your switch(es) to connect all used ports of your new boxes to shutdown ports, except for the management network.

Before you establish SIC to management type cphastop on both new boxes.

Now in SmartConsole in your cluster object you add the 2 new boxes as new members, so you end up with 4 members, make sure the new members have a lower priority..

Set the Clusterversion

Now establish SIC and you can install the policy if you want, with the option to install anyway if any member fails, as you will have 2 members failing.

Now you are ready for the actual change window

On the switch connected to Backup gateway shut down all ports connected to the 4800 backup GW.

On the switch connected to the 5K backup GW enable all ports connected to the 5K backup GW (the one with the same IP's as the 48800 backup GW)

Check connectivty with the new box and the rest of the network. Push policy again, to make sure you have the latest loaded.

On the 5K backup GW issue the command cphastart and on the 4800 Primary GW type cphastop to disable clustering and flip to the new member.

Run tests before you continue.

When all is ok, you go to the next step, move the 4800 Primary out of the way by shutting down it's switch ports and bring the 5K primary online by enabling it's switch ports.

After a connectivity check you can bring the 5K primary GW into play by issuing the cphastart command.

Depending on the setting of the clusterXL setting in the SmartConsole it will either flip to the higher priority or it will remain on the current active one.

Cleanup is done by removing the 2 4800 members from the cluster.

Hope this helps and yes there are some extra things you need to take care of like setting the correct version to make sure you push the right cluster members.

Don't hesitate to ask when you have questions.

topic Cluster upgrade in Firewall and Security Management

Cluster upgrade

Re: Cluster upgrade

Re: Cluster upgrade

Re: Cluster upgrade