How to Upgrade Checkpoint GW (CloudGuard) in Azure Environment
Hi There
I have a cluster of GWs running R80.10 in Azure and I want to upgrade it to R80.40. I did not see any link where the upgrade/migrate process is explained. I checked the below-mentioned link, which looks like a new deployment guide.
But my question is: once I set up a new cluster in Azure with the R80.40 template, what changes do I need to make on my MGMT server to bring the new cluster into the MGMT? I want to use the same IPs (of Eth0/Eth1 and VIP) on the new cluster (R80.40) as I am using with the current GWs (R80.10), because I don't want to touch the routing (UDRs) in Azure.
Is there any upgrade/migrate guide available from Checkpoint's side to do this activity without any issue?
Thanks
Upen
I upgraded CP firewalls in Azure via web UI like a regular on-prem gateway and did not have any issues. I can logically only assume that the process would be exactly the same for a cluster (you can do either a zero downtime upgrade or MVC (multi-version cluster upgrade) as well), but I will let other people confirm for you.
Hi the_rock
I don't think so as we can upgrade the GW cluster or MGMT server in Azure as we do in a traditional hardware box via WebUI or CLI. As per my knowledge, there is no upgrade; there should only be a migrate, meaning we need to choose the desired template solution available in the Azure Marketplace and install the cluster as new GWs, which come along with 2 LBs (internal and external).
But I want to be doubly sure of my knowledge, as we have to proceed with this activity very soon.
Hence I am waiting for others to reply on this matter, please.
Thanks
Upen
I could be mistaken, but I'm pretty sure the ones I upgraded were actually deployed by Azure script/template. Anyway, let's see what other guys have to say, agreed.
Per sk173635, you need to deploy a new GW cluster and move routes/change IPs. It IS possible to use the same public IPs, but it's a little more involved.
If you can wait a bit, the ability to do in-place upgrades just like our hardware appliances is coming. I can't comment on exact timing, though.
Hi @Upen0003
In general, I encourage you to check out CloudGuard Network for Public Cloud - Frequently Asked Questions page, as it contains valuable information that may be useful.
Regarding the upgrade procedure, the correct way to do that so far is side-by-side as clearly documented in Azure HA admin guide, in the upgrading section.
Please note that since R80.30, the cluster solution has been changed to the High Availability solution that improves performance, and reduces failover time.
To keep the existing Cluster VIP, you can follow sk173632 to convert the cluster VIP from Basic SKU to Standard SKU, and update the solution.
We are checking internally on the feasibility for an in-place upgrade solution for Azure starting R80.30 version. If relevant, we'll update Azure latest updates sk with a link to the instruction guide.
Thanks,
Ariel
I think you probably got lucky, then, as it's not currently supported.
Not sure, but it was someone from DTAC I was working with and they mentioned they consulted with Escalations and said they also confirmed it was perfectly fine to do upgrade like regular firewall via web UI, which is exactly what I ended up doing and it worked like a charm.
It may be possible from later versions but definitely not from R80.10.
It was definitely later than R80.10, so it would make sense why it worked.
The likely reason is quite simple: from R80.20 we were using the Linux 3.10 kernel in Public Cloud images as it was necessary to support the newer virtual hardware types.
R80.20/.30 3.10 images were not exactly maintrain, though I believe you can CPUSE upgrade them to R80.40+.
However, don’t believe this was tested in the cloud.
Also, if the upgrade fails, your recovery options are limited since you don’t have console access.
Like @Mark_Halsall said, formal support for in-place upgrades in the cloud is planned.
Can’t see it being supported from R80.10.
Thanks D. That's definitely good to know! But, just curious, isn't this the same method as a regular physical device, where if the upgrade was to fail, it would simply go back to the current version, or does an Azure instance work differently?
Theoretically it should work the same.
However, there may be some differences.
Certainly if the supported underlying hardware changes from version to version (also the case coming from R80.10), you may also have to make some other changes to effect a successful upgrade.
Hi,
The upgrade might have succeeded due to a gap in the deployment rules logic (something we will check and block if indeed permitted). CPUSE upgrades are not supported as the upgrading images do not contain all the necessary content for cloud (python scripts, drivers etc.). Therefore, forcing an upgrade may cause unexpected behavior and may also fail the rollback.
As Ariel wrote above, this capability is on our short-term roadmap for AWS & Azure Gateways and Cluster. Once available we will publish it on our Latest Updates SK articles for AWS & Azure accordingly. We plan to support upgrades from R80.30 to later versions. Upgrading from versions R80.20 and below will not be supported as in-place, rather as side-by-side upgrade as documented in the solution's admin guides.
Thanks,
Dmitry
Thanks to all for your guidance and support. I have successfully upgraded the Checkpoint Gateway from R80.10 to R80.40 now.
But now I have another task where I need to upgrade R80.40 to R81, so I just want to know if Checkpoint now has the feature to upgrade it as a normal firewall upgrade in Azure, or do I still use the side-by-side implementation and follow the same procedure to do this task?
Thanks
Hi @Upen0003
I'm glad to read that you succeeded to upgrade your cluster easily.
In-place upgrade for AWS should be released very soon, however, it will take additional time for Azure.
I would suggest you go ahead with the side-by-side implementation.
Thanks,
Ariel
We are upgrading from R80.10 to R80.40. If possible, can you share the procedure you followed? It will be a great help.
Thanks,
Sunit Panday
Hello,
For HA deployment, please use the "Upgrading a Check Point CloudGuard Network Security High Availability Solution to a Newer Version" section.
Hi all,
How can I see which JHF is installed on a CloudGuard VM on Azure?
I'm going crazy; cpinfo -y all of course does not help.
What is it showing, exactly?
Note that JHFs are included in some of the images, so you might need to check your installed version: https://support.checkpoint.com/results/sk/sk116585
Against the version table here: https://support.checkpoint.com/results/sk/sk132192
I discovered that the template used for the MDS deploy was effectively without any jumbo installed... From the SK it seems that every 81.10 template has Take110... but it's not.
Thank you
I found that even images listed in the sk Phoneboy gave did not have any jumbo included, so sk should probably be redacted to correct that info.
Andy
Hi @the_rock,
I appreciate your feedback, but I need more details to address the issue.
Which images in the SK are not displaying correctly or have errors?
Kind regards
Hello Natalem, according to sk132192 all R81.10 templates should have Take 110 embedded.
Days ago I deployed a Management VM from Azure and I found that no Jumbo was installed... Maybe something is wrong on my side, or maybe I interpret that SK wrongly?
Hey @natanelm
First off, I hope you are SAFE over there and I always pray for peace 🙌🙌
As far as images I was referring to, it's R81.10 jumbo 110 and R81.20 jumbo 6
Andy
Thank you for your kind message, I appreciate your concern and your prayers for peace 🙏
Apologize for the confusion in the SK.
Management images do not include any JHF, the JHF notes in the SK are related only to GW images.
We will revise the SK and make it more accurate and clear.
Thanks
No worries mate. To me, staying safe and healthy is number 1, above anything. Everyone affected is in my thoughts and prayers 🙌🕊