topic Re: Gateway upgrade R77.30 to R80.20, CPUSE or Fresh Install? in Firewall and Security Management

Gateway upgrade R77.30 to R80.20, CPUSE or Fresh Install?

Bob_Delinsky — Tue, 11 Dec 2018 20:03:35 GMT

Greetings, There are usually valid arguments to be made when you would chose a fresh install vs an in place upgrade via CPUSE from one version to another, depending on the environment, amount of customization made, etc. As far as I've read, gateway appliances do not take advantage of the new 3.10 kernel yet, which would be a Pro for a fresh install. For the jump to R80.20, what are some of the opinions out there? I've tested both in the lab, and have had positive results with both. Thanks.

Re: Gateway upgrade R77.30 to R80.20, CPUSE or Fresh Install?

Nüüül — Tue, 11 Dec 2018 20:23:08 GMT

If it is possible and needs reasonable effort, i‘d go for the fresh install.

if possible (spare hardware) I would backup the old management, update to r80.10 or .20 and migrate objects and policies via api to an fresh installed machine.

pro:

this is kind of an opportunity for policy review and clean up.

you don’t have to take the Risk in carrying errors or other bugs with you. Or can clean up other workarounds..

con:

more work to do, perhaps additions hardware needed. Takes more time

Re: Gateway upgrade R77.30 to R80.20, CPUSE or Fresh Install?

Bob_Delinsky — Tue, 11 Dec 2018 20:32:51 GMT

Daniel,

For SMS management , 100% agree. Plus mgmt. R80.20 build takes advantage of the new kernel build. Gateway on existing appliances however, do not as far as I've read it is only on some G10 open servers.

I also prefer fresh build when possible and if an in place upgrade has already occurred previously. For current project, client has many modified files on gateways that were fresh build on R77.30, so weighing the odds of both approaches. I am looking for any advantages either in performance gains, etc that a fresh R80.20 build would provide over a CPUSE upgrade.

Thanks

Re: Gateway upgrade R77.30 to R80.20, CPUSE or Fresh Install?

David_C1 — Tue, 11 Dec 2018 20:37:21 GMT

Going from R77.30 -> R80.20, I've used the "Clean Install" option that CPUSE gives in the web UI:

I've done this for management and for gateways. One issue I found was that even with the "Clean Install", the IP addresses (at least for non-vlan'd interfaces) and routes are left behind. It was a bit confusing when I tried to connect to the appliances over the Mgmt interfaces at https://192.168.1.1 only to find that the interfaces still had their previous IPs. I have a ticket open with support about this - my SE thinks this is by design, I think "Clean Install" should mean everything gets wiped out (though I can understand why you would want the IPs still around if you are doing this remotely).

Besides this issue, I've had good success using this method.

Dave

Re: Gateway upgrade R77.30 to R80.20, CPUSE or Fresh Install?

Nüüül — Tue, 11 Dec 2018 21:21:51 GMT

Bob,

Are they aware of the changes or is it kind of an Überraschungsei?

If the gateways are clustered, maybe tear apart the nodes, take a backup of the whole machine, update one with a fresh install. Now you can try to elaborate, what changes are still needed and go for some tests.

Personally i‘d prefer a fresh install on gateways too, if possible and enough time is given.

cheers

daniel