cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Backup Distributed Environment prior to Jumbo Hotfix

I am a bit confused about recommended backups to be done prior to applying a Jumbo Hotfix.

Can someone tell me if you need to apply a hotfix to a SMS and a cluster what steps should you take to backup?

Do you backup each firewall in the cluster or the cluster itself?

thanks

Cath

Tags (1)
0 Kudos
6 Replies

Re: Backup Distributed Environment prior to Jumbo Hotfix

You can install only on gateways or only on SMS, but then it might not fix some of the issues in the list. It would be much-much better to install jumbo hotfixes on all gateways and on management server (Logs or SmartEvent servers too). Also, for R80.10 there are updated versions of SmartConsole, which also should be installed after Jumbo Hotifx installation on SMS. But if we are talking about R80.10 version, please read carefully all the limitations, like for example:

R80.10 Jumbo Hotfix Accumulator Take_70 should not be installed on Smart-1 525 / 5050 / 5150 appliances

If you're installing Jumbo Hotfix to a cluster of security gateways, it means that you need to install it on both gateways in a cluster. For the case of HA cluster - install on secondary, reboot it, check if everything looks fine, do a failover to secondary, install on the primary, reboot. You need to create separate backups for each of gateways in cluster, and for SMS. As you install Jumbo Hotfix on each of the devices separetely.

I believe you would use CPUSE for installation of Jumbo Hotfix. It creates a sort of a backup of some specific files that would be replaced during installation of this specific hotfix. If something goes wrong, there is an automatic revert or you can do it manually later by just uninstalling this hotfix.

If you want to have a better and much bigger backup option, you can use a snapshot (from web-interface or clish). I think I would use a snapshot for SMS, especially if it is a multi-domain server. It will save the full system state at that time, but will take quite some time to revert.

There is an option to do a simple backup (from web-interface or clish). There is an option for this in web-interface. This should be a good option for gateways. This can be also used for SMS.

If you want a maximum backup option, go for snapshots for all upgraded devices.

Highlighted

Re: Backup Distributed Environment prior to Jumbo Hotfix

Thanks for the info Aleksei. Much appreciated.

0 Kudos

Re: Backup Distributed Environment prior to Jumbo Hotfix

Every installation poses a certain risk for then working installation. So backups should be performed in a certain schedule, read more in sk108902 Best Practices - Backup on Gaia OS. Performing a backup before Jumbo HFA install seems superfluous as files from the old config are saved in a backup by CPUSE, but safety and security suggest that one backup more is always a good idea . SMS installs are the more critical ones, as a GW can usually be rebuildt from scratch in a short time.

And yes, i have already heard an accusation once that a Jumbo install did kill a CP installation so it could only be revived by restoring a backup - but we could neither replicate nor in any way proove that...

Re: Backup Distributed Environment prior to Jumbo Hotfix

Great. Thank you Gunther. Appreciated.

0 Kudos

Re: Backup Distributed Environment prior to Jumbo Hotfix

I have seen the application of an ongoing jumbo HFA take cause major problems on a gateway, but I wouldn't quite say that it "killed" it.  I've been pretty lucky loading the GA jumbo HFA takes, but I always ensure that those GA takes have been continuously available for 2 weeks before applying unless there is a desperate need for a fix provided in the jumbo.  I have occasionally seen GA jumbo HFA takes get suddenly withdrawn after a few days of availability and quickly replaced with a new take number, you can probably guess what happened there...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: Backup Distributed Environment prior to Jumbo Hotfix

Yes, that are very wise suggestions - the R77.30 ongoing Jumbo HFs have had some issues, some were withdrawn, and you can still see that history in sk106162. And while it is good practice to install the GA take after waiting for a certain time, i would suggest ongoing takes for production units only if they fix current issues of the customer.

0 Kudos