topic Maestro Upgrade in Hyperscale Firewall (Maestro)

Maestro Upgrade

gemechis — Thu, 09 Apr 2026 14:26:53 GMT

Maestro R81.20 → R82 Zero-Downtime MVC Upgrade – Upgraded SGM stuck in Down(R82) / DETACHED with FSYNC, POLICY, during_upgrade PNOTE
Problem Description:
I am performing a Zero-Downtime Multi-Version Cluster (MVC) upgrade on a Quantum Maestro Security Group from R81.20 to R82.
Environment:

Management Server: R82
Both Maestro Orchestrators (MHOs): R82
Security Group has 2 SGMs:
SGM 1_01 → Upgraded to R82
SGM 2 → Still on R81.20 Jumbo HF Take 119

Mode: [Please specify: Gateway mode or Traditional VSX mode?]

Current Symptoms:

The upgraded member (1_01) is stuck in Down(R82) state and shows as DETACHED in asg monitor.
Security Group status shows: Maestro (During Upgrade)
PNOTE on member 1_01: FSYNC, POLICY, during_upgrade
Previously also saw: "Site HA module not started"
Only SGM 2 (R81.20) is ACTIVE and handling traffic.
Policy installation fails with the classic error:
"Policy installation failed because the gateway version as defined in the SmartConsole does not match the version installed on the gateway."

Actions Already Performed:

Upgraded Management + both Orchestrators to R82 first.
Disabled SMO image auto-cloning (set smo image auto-clone state off).
Changed the Maestro Security Group object version to R82 in SmartConsole (multiple times) + Get Gateway Data.
Disabled Accelerated Policy Installation and attempted policy install multiple times.

Re: Maestro Upgrade

simonemantovani — Thu, 09 Apr 2026 14:45:55 GMT

Just for curiosity, did you follow this procedure?

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ScalablePlatforms_AdminGuide/Content/Topics-SPG/Maestro/Upgrading-Maestro-Zero-Downtime-MVC.htm

Re: Maestro Upgrade

gemechis — Thu, 09 Apr 2026 15:22:53 GMT

I have tried Step 9 from these, but not succeded.

Re: Maestro Upgrade

simonemantovani — Thu, 09 Apr 2026 15:50:35 GMT

Did you also tried the command g_clusterXL_admin –b 1_1 up?

1_1 should your member with ID 1 (the upgraded member).

and after that tried the command g_clusterXL_admin –b 1_2 down

1_2 should be the member in R81.20, and then try to install the policy ... but it could be better to complete the upgrade to R82 for all the members.

Re: Maestro Upgrade

Tom_Kendrick — Thu, 09 Apr 2026 19:16:50 GMT

Can I just check, when you say "Changed the Maestro Security Group object version to R82 in SmartConsole (multiple times) + Get Gateway Data." Do you mean you clicked "Get" on the right of the SecGroup object?

If yes, you should not, as the 1st step (manually changing the setting) tells the system to use R82 (in your case), and then clicking Get, queries the running Sec Group, and the old member which is active (but still on R81.20) will say "I'm on 81.20" and revert the change you made, causing the policy push to fail due to version mismatch, the upgraded member to likely not leave the DOWN(Policy) state...

That would be my thing to check first.

Re: Maestro Upgrade

gemechis — Fri, 10 Apr 2026 06:52:29 GMT

hi @Tom_Kendrick ,

yes i mean I clicked Get.

But even without clicking the GET , i have tried and it still fails. Below are the screneshots for your refernece.

Re: Maestro Upgrade

gemechis — Fri, 10 Apr 2026 06:56:10 GMT

@simonemantovani

g_clusterXL_admin –b 1_1 up tried this, and it gave an error as per the attached screenshot.

Re: Maestro Upgrade

simonemantovani — Fri, 10 Apr 2026 07:51:14 GMT

What happens if you try from the upgrade member the following command?

fw -d fetch -a -s -f -c

Re: Maestro Upgrade

emmap — Fri, 10 Apr 2026 08:04:24 GMT

Make sure you're installing just the Access Control policy.

Re: Maestro Upgrade

gemechis — Sat, 11 Apr 2026 08:50:14 GMT

@Tom_Kendrick @simonemantovani @emmap

Thank you guys for the help. Finally, it's solved by installing the latest hotfix which Take 91 on R82 on both SMS and the upgraded gateway.