topic Re: Confusion with Security Management Upgrade Process (Primary, Secondary, Log) in General Topics

Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

Parabol — Tue, 27 Jun 2023 09:23:25 GMT

Hi all,

We are planning to upgrade our management servers from R81.10 to R81.20. Traditionally in the past we did this all through CPUSE similar to this guide which had always been fairly simple, essentially just download and install in CPUSE.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Topics-IUG/Upgrading-SecMmgt-Servers-in-Mmgt-HA-from-R80_20-and-higher.htm

However I note it says "This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, R80.30, or R80.40".

The New Upgrade Process - sk163814 implies it should be upgraded by running a CLI command (migrate_server).

Although in the known limitations section it does say the following, implying that CPUSE upgrades can still be used:

"CPUSE upgrades - Installing Jumbo HF or HF can be done only after upgrade of all servers, otherwise upgrade of Secondary Management or Log Server will fail."

I'm quite confused with the different guides/sk's giving slightly different impressions of how it should be done. Should we be using this new method, or can the "traditional" way through CPUSE still be used?

Thanks!

Re: Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

G_W_Albrecht — Tue, 27 Jun 2023 09:57:50 GMT

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RN/Content/Topics-RN/Supported-Upgrade-Paths.htm?tocpath=Supported%20Upgrade%20Paths%7C_____0#Supported_Upgrade_Paths

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/Prerequisites-for-Upgrading-and-Migrating-of-Mgmt-Servers-and-Log-Servers.htm?tocpath=Upgrade%20Options%20and%20Prerequisites%7C_____1

Re: Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

Tal_Paz-Fridman — Tue, 27 Jun 2023 12:03:46 GMT

The first message you gave This procedure is supported only for servers that run R80.20.M1, R80.20, R80.20.M2, R80.30, or R80.40 is from the R81 Installation and Upgrade Guide so the message was correct for that time.

The second message CPUSE upgrades - Installing Jumbo HF or HF can be done only after upgrade of all servers, otherwise upgrade of Secondary Management or Log Server will fail. refers to an issue where HF/JHF were applied before Secondary machines were upgrade to the same Major Version.

Adding @Liat_Cihan and @IrinaK

Re: Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

the_rock — Tue, 27 Jun 2023 12:53:01 GMT

I had done simlar before and what I followd was this...secondary, then primary, then jumbo on both, lastly log server. That seemed to work fine.

Andy

Re: Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

Parabol — Tue, 27 Jun 2023 14:57:03 GMT

Ah that makes sense, thanks for the reply! So in our scenario, with all 3 of the appliances on R81.10, installing the blink package with JHF should be OK, as we're not changing Major version. Initially I wasn't sure if we'd need to update to R81.20 firstly, and then update the JHF secondly in two phases.

The blink package is: R81.20 Security Management + JHF T10 for Appliances and Open Servers.

And I could be getting my documentation mixed up again, but I have a snippet saying to upgrade the primary first, would this be the best practice?

"Primary server should be upgraded first, and should be up and running during upgrades of the Secondary Management server and Log server."

Ah it was from the "new upgrade process" SK:

https://support.checkpoint.com/results/sk/sk163814

Re: Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

Parabol — Tue, 27 Jun 2023 14:56:23 GMT

Thanks for the feedback! I do have a snippet here relating to upgrading the primary first, it might have been in relation to the new upgrade process though.

"Primary server should be upgraded first, and should be up and running during upgrades of the Secondary Management server and Log server."

Ah yes it's from the new upgrade process SK:

https://support.checkpoint.com/results/sk/sk163814

Re: Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

the_rock — Tue, 27 Jun 2023 15:04:05 GMT

Hm, I would always upgrade STANDBY first (like gateway cluster) and it always worked. So, just to make sure we are not confusing the terminology...so secondary will ALWAYS be secondary, and primary will ALWAYS be primary, but secondary can be active and primary can be standby. Now, since sk says to upgrade primary first, follow that, so in case anything gets messed up (hope not...knock on wood), if TAC case is needed, you can be sure proper recommendations were followed.

Andy