Raz_Zilberman
Employee

Background Gateway Upgrade – Now Available for EA!

Hi All,

We’re excited to announce the early availability of Background Gateway Upgrade, a major step forward in simplifying Security Gateway upgrade operations — now available for testing by interested customers and partners!

What is it?

Background Gateway Upgrade introduces a new upgrade flow where the majority of the upgrade process is handled in the background, with no impact to gateway performance or traffic.

This new capability is currently available under a feature flag through a specific Deployment Agent version in CPUSE.

Customer Benefits

With Background Gateway Upgrade, you can:

  • Dramatically reduce downtime during major version upgrades or JumboHotfix installations

  • Simplify upgrade planning and execution

  • Minimize upgrade risk by pre-validating the upgrade environment

  • Improve operational continuity — users and traffic stay unaffected until reboot

 

We’re here to support you throughout the process and would love your feedback as we shape this into a standard capability for all customers!

Questions? Want to participate? Drop a comment below or contact me directly.

Thanks,
Raz

25 Replies
Vincent_Bacher
MVP Silver

Hi Raz,

Change management is quite a challenging topic in our organization.

That's why reducing risks and especially downtimes would be strong arguments in the change request process.
Could you share more details on how this new approach works? I'm really interested.

Best,
Vince

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Raz_Zilberman
Employee

Sure, let's have a quick call later this week? Ping me at my email - razz@checkpoint.com and I will schedule a call.

Vincent_Bacher
MVP Silver

Will be happy to contribute.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Diamond

I would also be interested to test this in the lab, if possible.

Best,
Andy
Raz_Zilberman
Employee

Sure, ping me at my email - razz@checkpoint.com, and I will schedule a call.

Bob_Zimmerman
MVP Gold

I'm also very interested, and I just sent an email.

Based on how it's described above, it sounds to me like this is more or less how Apple upgrades/updates their operating systems now: create a new logical volume, unpack the upgrade/update there, run whatever tests, then set the bootloader to boot from it. It's a little more complicated than something like illumos' or FreeBSD's boot environments, but it can be used with older filesystems like XFS. If I'm right, it will involve heavy I/O (basically a free resource on a healthy firewall) and very little CPU or RAM consumption.

CheckPointerXL
Advisor

Logical volume is cloned and then the upgrade takes place? Just to understand how custom files are preserved.

emmap
MVP Gold CHKP

As I understand it, our upgrades already work similarly to that. A new root partition is created in the 'upgrade_reserved' disk space, the software is installed and the config is copied over to that new partition. The old root partition is stored as the 'AutoSnapshot' rollback point, which is why it's uncompressed as compared to regular snapshots. I guess we have improved the procedure such that we don't have to stop processes on the running gateway to perform the config copy.

the_rock
MVP Diamond

Wow, that sounds AMAZING!

Best,
Andy
PhoneBoy
Admin

Looking forward to seeing this in action!

Tom_Hinoue
Advisor

Sounds great!

I'm curious if this can work backwards once the previous version is compatible with this feature.
It's not that I want to do a downgrade, but just wondering if we can uninstall a hotfix or revert to the previous version in case any issues occur.

Also, does this mean the policy package from previous version will be compatible even after major version upgrade?

the_rock
MVP Diamond

Super valid and logical point, Tom.

Best,
Andy
emmap
MVP Gold CHKP

I believe the Lightshots introduced in R82 can do this for us. Your system takes a lightshot at 3am every night to provide a rollback point. The most recent 5 automatic lightshot restore points are retained, along with the FCD restore point.

the_rock
MVP Diamond

Good to know!

Best,
Andy
Tom_Hinoue
Advisor

Thanks for the follow up!
Can the restore using Lightshots be processed in the background to restore previous settings without any disruption?
This is what I was wondering about, the reverse of the new background upgrade feature. (background downgrade?)

emmap
MVP Gold CHKP

Ahh, I see what you mean. The current lightshot process certainly isn't intended to be disruption free. I haven't actually tried it yet but I imagine it would still need to reboot.

Tom_Hinoue
Advisor

Thanks for checking.
Yes, I assumed backup/snapshots will need a reboot like it has always been 🙂

I guess I will wait for more news about this new feature. Looking forward to it.

the_rock
MVP Diamond

I guess lightshot is not available for R82 on VM in web UI, though I do see add lightshot there in clish.

Best,
Andy
Raz_Zilberman
Employee

Correct.

Raz_Zilberman
Employee

Indeed, lightshots is part of the new upgrade method.

Phil_Pasquier
Participant

This looks like a revolution! Thank you for your efforts.

I'll drop you an email!

Cheers

the_rock
MVP Diamond

Hey Raz,

Just wanted to circle back on this... is there a free demo people can check for this, or would I still need to email you to organize a call?

Best,
Andy
Magnus-Holmberg
MVP Silver

Sounds great, is the plan to have this within the smartconsole?

https://www.youtube.com/c/MagnusHolmberg-NetSec
Raz_Zilberman
Employee

Yes :) part of R82.20

the_rock
MVP Diamond

K, just emailed you.

Best,
Andy
