Upen0003
Explorer

How to Upgrade Checkpoint GW (CloudGuard) in Azure Environment

Hi There

I have cluster GWs running on R80.10 in Azure and I want to upgrade them to R80.40. I did not see any link where the upgrade/migrate process is explained. I checked the link below, which looks like a new deployment guide.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

But my question is: once I set up a new cluster in Azure with the R80.40 template, what changes do I need to make on my MGMT server to bring the new cluster into the MGMT? I want to use the same IPs (of Eth0/Eth1 and VIP) on the new cluster (R80.40) as I am using with the current GWs (R80.10), because I don't want to touch the routing (UDRs) in Azure.

Is there any upgrade/migrate guide available from Checkpoint's side to do this activity without any issue?

 

Thanks

Upen 

0 Kudos
26 Replies
the_rock
Legend

I upgraded CP firewalls in Azure via web UI like a regular on-prem gateway and did not have any issues. I can logically only assume that the process would be exactly the same for a cluster (you can do either zero downtime upgrade or MVC (multi-version cluster upgrade) as well), but I will let other people confirm for you.

0 Kudos
Upen0003
Explorer

Hi the_rock

 

I don't think so as we can upgrade the GW cluster or MGMT server in Azure as we do in traditional hardware box via WebUI or CLI. As per my knowledge, there is no upgrade; there should only be a migrate, meaning we need to choose the desired template solution available in Azure Marketplace and install the cluster as new GWs, which come along with 2 LBs (internal and external).

But I want to be double sure of my knowledge, as we have to proceed with this activity very soon.

Hence waiting for others to reply on this matter, please.

 

Thanks

Upen 

0 Kudos
the_rock
Legend

I could be mistaken, but I'm pretty sure the ones I upgraded were actually deployed by Azure script/template. Anyway, let's see what other guys have to say, agreed.

0 Kudos
Mark_Halsall
Employee Alumnus

Per sk173635, you need to deploy a new GW cluster and move routes/change IPs. It IS possible to use the same public IPs, but it's a little more involved. 

If you can wait a bit, the ability to do in-place upgrades just like our hardware appliances is coming. I can't comment on exact timing, though.

0 Kudos
arielto
Employee Alumnus

Hi @Upen0003 

In general, I encourage you to check out CloudGuard Network for Public Cloud - Frequently Asked Questions page, as it contains valuable information that may be useful.

Regarding the upgrade procedure, the correct way to do that so far is side-by-side as clearly documented in Azure HA admin guide, in the upgrading section.

Please note that since R80.30, the cluster solution has been changed to the High Availability solution that improves performance, and reduces failover time.

To keep the existing Cluster VIP, you can follow sk173632 to convert the cluster VIP from Basic SKU to Standard SKU, and update the solution.

We are checking internally on the feasibility for an in-place upgrade solution for Azure starting R80.30 version. If relevant, we'll update Azure latest updates sk with a link to the instruction guide.

Thanks,

Ariel

0 Kudos
Mark_Halsall
Employee Alumnus

I think you probably got lucky, then, as it's not currently supported. 

0 Kudos
the_rock
Legend

Not sure, but it was someone from DTAC I was working with and they mentioned they consulted with Escalations and said they also confirmed it was perfectly fine to do upgrade like regular firewall via web UI, which is exactly what I ended up doing and it worked like a charm.

0 Kudos
PhoneBoy
Admin

It may be possible from later versions but definitely not from R80.10.

the_rock
Legend

It was definitely later than R80.10, so it would make sense why it worked.

0 Kudos
PhoneBoy
Admin

The likely reason is quite simple: from R80.20 we were using the Linux 3.10 kernel in Public Cloud images as it was necessary to support the newer virtual hardware types.
R80.20/.30 3.10 images were not exactly main train, though I believe you can CPUSE upgrade them to R80.40+.
However, don’t believe this was tested in the cloud.
Also, if the upgrade fails, your recovery options are limited since you don’t have console access.

Like @Mark_Halsall said, formal support for in-place upgrades in the cloud is planned.
Can’t see it being supported from R80.10.

0 Kudos
the_rock
Legend

Thanks D. That's definitely good to know! But, just curious, isn't this the same method as a regular physical device, where if the upgrade was to fail, it would simply go back to the current version, or does an Azure instance work differently?

0 Kudos
PhoneBoy
Admin

Theoretically it should work the same.
However, there may be some differences.
Certainly if the supported underlying hardware changes from version to version (also the case coming from R80.10), you may also have to make some other changes to effect a successful upgrade.

0 Kudos
Dmitry_Gorn
Employee

Hi,

The upgrade might have succeeded due to a gap in the deployment rules logic (something we will check and block if indeed permitted). CPUSE upgrades are not supported as the upgrading images do not contain all the necessary content for cloud (python scripts, drivers etc.). Therefore, forcing an upgrade may cause unexpected behavior and may also fail the rollback.

As Ariel wrote above, this capability is on our short-term roadmap for AWS & Azure Gateways and Cluster. Once available we will publish it on our Latest Updates SK articles for AWS & Azure accordingly. We plan to support upgrades from R80.30 to later versions. Upgrading from versions R80.20 and below will not be supported as in-place, rather as side-by-side upgrade as documented in the solution's admin guides.

 

Thanks,

Dmitry

Upen0003
Explorer

Thanks to all for your guidance and support. I have successfully upgraded the Checkpoint Gateway from R80.10 to R80.40 now.

But now I have another task where I need to upgrade R80.40 to R81, so I just want to know if Checkpoint has the feature now to upgrade it as a normal firewall upgrade in Azure, or do I still use the side-by-side implementation and follow the same procedure to do this task?

 

Thanks

 

0 Kudos
arielto
Employee Alumnus

Hi @Upen0003 

I'm glad to read that you succeeded in upgrading your cluster easily.

In-place upgrade for AWS should be released very soon, however, it will take additional time for Azure.

I would suggest you go ahead with the side-by-side implementation.

Thanks,

Ariel

0 Kudos
rionetwork
Participant

We are upgrading from R80.10 to R80.40. If it is possible, can you share the procedure you followed? It will be a great help.

 

Thanks,

Sunit Panday

0 Kudos
TomerM
Employee

Hello,

For HA deployment, please use 

    under
    "Upgrading a Check Point CloudGuard Network Security High Availability Solution to a Newer Version" section.
CheckPointerXL
Advisor

Hi all,

How can I see which JHF is installed on a CloudGuard VM on Azure?

I'm going crazy, cpinfo -y all of course does not help.

0 Kudos
PhoneBoy
Admin

What is it showing, exactly?
Note that JHFs are included in some of the images, so you might need to check your installed version: https://support.checkpoint.com/results/sk/sk116585
Against the version table here: https://support.checkpoint.com/results/sk/sk132192 

0 Kudos
CheckPointerXL
Advisor

I discovered that the template used for the MDS deploy was effectively without any jumbo installed... From the SK it seems that every 81.10 template has Take110... but it's not.

 

Thank you

0 Kudos
the_rock
Legend

I found that even images listed in the sk Phoneboy gave did not have any jumbo included, so sk should probably be redacted to correct that info.

Andy

0 Kudos
natanelm
Employee

Hi @the_rock,

I appreciate your feedback, but I need more details to address the issue.
Which images in the SK are not displaying correctly or have errors?

Kind regards

0 Kudos
CheckPointerXL
Advisor

Hello Natalem, according to sk132192 all R81.10 templates should have Take 110 embedded.

Days ago I deployed a Management VM from Azure and I found that no Jumbo was installed... Maybe something is wrong on my side, or maybe I interpreted that SK wrongly?

0 Kudos
the_rock
Legend

Hey @natanelm 

First off, I hope you are SAFE over there and I always pray for peace 🙌🙌

As far as the images I was referring to, it's R81.10 jumbo 110 and R81.20 jumbo 6

 

Andy

0 Kudos
natanelm
Employee

Thank you for your kind message, I appreciate your concern and your prayers for peace 🙏

Apologize for the confusion in the SK.
Management images do not include any JHF, the JHF notes in the SK are related only to GW images.
We will revise the SK and make it more accurate and clear.

Thanks

0 Kudos
the_rock
Legend

No worries mate. To me, staying safe and healthy is number 1, above anything. Everyone affected is in my thoughts and prayers 🙌🕊

0 Kudos
