topic Re: Upgrading an standalone cluster offline in General Topics

Upgrading an standalone cluster offline

Jose_Luis_Mart1 — Thu, 22 Feb 2024 16:17:57 GMT

Hi all.

We've got an standalone cluster (that is, two machines, both SG and MGMT, un MGMT primary, the other secondary) still in R77.30 and with no connection to the Internet.

So the challenge is to upgrade them to R81.10 (we are not using R81.20 yet). I expected that getting the package from Check Point, copying the file to the appliances and doing an installer import local would be enough. But CPUSE says it's not a valid CPUSE package.

I've tried also getting the package from a same series appliance (5xxxx), copying it to the appliances, installer import... Nothing. Same result.

Could anybody please point me to the correct packages to download?

Thanks

Re: Upgrading an standalone cluster offline

the_rock — Thu, 22 Feb 2024 16:22:09 GMT

So you have full-HA? 2 standalone in a cluster? I wish upgrade wizard was available, but it is not. Maybe contact TAC to confirm the right package...do you see anything from web UI that shows as valid if you right click and verify for upgrade?

Best,

Andy

Re: Upgrading an standalone cluster offline

Jose_Luis_Mart1 — Thu, 22 Feb 2024 16:25:52 GMT

Hi!

Well, WebUI is another problem. 🙂 It's an R77.30 and the machines we have to acces it don't have Internet Explorer anymore. I've tried an old Firefox portable and nothing.

Anyway, I'm going through command line with installer. And since it gets no packages, nothing to verify...

I think you are right, I can ask TAC the right way to do this. Thanks!

Re: Upgrading an standalone cluster offline

the_rock — Thu, 22 Feb 2024 16:46:58 GMT

Try this, its an old trick I used to do for who knows how long...do windows + R, type iexplore and see if that works, though that may open edge browser lol

Andy

Re: Upgrading an standalone cluster offline

the_rock — Thu, 22 Feb 2024 17:04:59 GMT

I also found that sometimes it works in private window (any browser really, but most likely Google Chrome)

Best,

Andy

Re: Upgrading an standalone cluster offline

Bob_Zimmerman — Thu, 22 Feb 2024 18:51:27 GMT

You should upgrade in at least two steps. One to R80.40, then one to R81.10.

If you aren't already running CPUSE 2379, you may also need to update it manually.

Note that there are some significant OS improvements you don't get from an upgrade (filesystem, partition table alignment, etc.). You should eventually reinstall from scratch at R81.20 using ISOmorphic. You can bring your configuration over, but it takes a few extra steps. You should start researching and planning all that now.

Re: Upgrading an standalone cluster offline

the_rock — Thu, 22 Feb 2024 18:55:17 GMT

Excellent point Bob.

Andy

Re: Upgrading an standalone cluster offline

Jose_Luis_Mart1 — Fri, 23 Feb 2024 10:18:34 GMT

You are right, hadn't noticed till now that the management needs a two step with R80.40 as the first one. That's probably why currently cpuse is saying the R81.10 packages are not right.

So, more work to do... Nice... 🙂 Thanks!

Re: Upgrading an standalone cluster offline

the_rock — Fri, 23 Feb 2024 12:06:24 GMT

Is web ui still broken?

Re: Upgrading an standalone cluster offline

Jose_Luis_Mart1 — Thu, 29 Feb 2024 11:51:29 GMT

Hi! Yes, no way to get an IE working to access WebUI. But no problem, I can work on CLI.

I'm still struggling anyway. Now I've tried to import locally the R80.40 upgrade package and... again, installer says it is not a valid CPUSE package.

I guess next try is to upgrade installer, but I wonder if an R77.30 is going to accept the latest version

Re: Upgrading an standalone cluster offline

the_rock — Thu, 29 Feb 2024 13:16:24 GMT

There is command to trey update it from cli, I mean da agent, not sure if it works in R77.30...

Here it is in R81.20

Andy

you can simply type da_cli, hit enter and it will give all the options

[Expert@cpazurecluster1:0]# da_cli check_for_updates
{
"Action ID" : "-1",
"Message" : "Checking for new available packages. This operation may take a few moments"
}

[Expert@cpazurecluster1:0]#

Re: Upgrading an standalone cluster offline

Bob_Zimmerman — Thu, 29 Feb 2024 19:06:47 GMT

Absolute worst case, this process should get you to R80.40:

Use ISOmorphic and the R81.20 ISO image to build an R81.20 installation drive. Use R81.20, as it has some fixes during the installation which persist even when you downgrade. Some of these fixes make disk access dramatically faster, so the import in step 9 won't take as long.
Use the upgrade tools ('migrate server', I think; might be 'migrate export' on R77.30) on your existing primary management (note, this may not be your active management; I forget how to confirm which one is primary on R77.30 full HA) to export a copy of your management config.
Save a copy of the clish config.
Use the R81.20 thumb drive to wipe one node and install R81.20 on it.
Import the R80.40 package to CPUSE.
Use 'installer clean-install Check_Point_R80.40_T294_Fresh_Install_and_Upgrade.tgz' to downgrade in-place to R80.40.
Go through the first-time config. This can be done with the web UI, but I prefer the command line tool config_system.
After rebooting, apply your clish config.
Use the upgrade tools to import the config into the R80.40 member. Management sync will not work, but you should be able to log in to the R80.40 member with SmartConsole and see all your rules and objects.
Push policy from the R80.40 member to itself. Be sure to uncheck the box which says to push to both cluster members.
Install jumbo 206 on the R80.40 member.
Enable cross-version sync on the R80.40 member (cphaconf mvc on). After a few seconds, the firewall software should go from Ready to Standby.
Fail over from the R77.30 member to the R80.40 member.
Repeat steps 3-8 and 11 on the second member. No need to do the management-side stuff again, since it will just synchronize with the existing R80.40 member.
Establish SIC trust from the management to the second member. Start the management sync.
Push policy to both members.

Check Point's big advantage to me is it's just software. Except at the low end (Quantum Spark) and high end (Maestro, Quantum LightSpeed), their hardware is nothing special; it's just overpriced x86 servers with weird card slots. This is relevant here because their software works just as well in a VM as it does on real hardware.

Build some VMs and try this process at least once. I probably forgot something in that list of steps. Testing it on VMs will help confirm the process works before you try it on your production boxes. This process is complicated enough I would try it several times. Back when I was doing upgrades by hand, I would try most of my significant upgrades in VMs at least 20 times to build familiarity before trying them for real.

Re: Upgrading an standalone cluster offline

Jose_Luis_Mart1 — Thu, 04 Apr 2024 13:50:05 GMT

Hi! Still working on this. I'm stuck on the migrate import step.

After a while importing I get an error saying import has failed. Checking the migrate log file:

[4 Apr 15:41:51] [ExecCommandGetOutput] Going to execute command: '"/opt/CPsuite-R80.40/fw1/bin/upgrade_tools/././/ips_upgrade_tool" import "/opt/CPsuite-R80.40/fw1/tmp/migrate/regular_files/fwdir/tmp/ips_files" "/opt/CPsuite-R80.40/fw1/bin/upgrade_tools/././/"'
[4 Apr 15:41:52] [ExecCommandGetOutput] Command completed with an exit code 1
[4 Apr 15:41:52] [ExecCommandGetOutput] ERR: The given exit code indicates an error
[4 Apr 15:41:52] ...<-- ExecCommandGetOutput
[4 Apr 15:41:52] [CommandRunner::exec] ERR: Command execution had failed

And then in the ips upgrade log file:

[4 Apr 15:41:52] [ReadFwsetFile] Going to read file '/opt/CPsuite-R80.40/fw1/tmp
/migrate/regular_files/fwdir/tmp/ips_files/ips_upgrade_tool.conf'
[4 Apr 15:41:52] [ReadFwsetFile] ERR: Failed to open file: No such file or direc
tory
[4 Apr 15:41:52] ..<-- ReadFwsetFile
[4 Apr 15:41:52] .<-- GetConfigFileSet
[4 Apr 15:41:52] [RunSMCImport] ERR: Failed to read configuration file!
[4 Apr 15:41:52] <-- RunSMCImport

Any idea? Thanks!

Re: Upgrading an standalone cluster offline

the_rock — Thu, 04 Apr 2024 13:55:11 GMT

Appears something wrong with config file, thats final error it gives...did you ever open TAC case on it?

Andy

Re: Upgrading an standalone cluster offline

Jose_Luis_Mart1 — Thu, 04 Apr 2024 14:05:49 GMT

I'm on it 🙂