RemoteUser
Advisor

Best Practices for Upgrading an HA Cluster from R81.10 to R81.20

Hi everyone,
In a few days, I’ll be performing an upgrade of an HA cluster from R81.10 to R81.20, and I was wondering if anyone here has already done this kind of operation on-site.

What steps do you usually follow?
Do you typically go for a fresh install and then migrate the data from the old version to the new one?

Thanks a lot!


Accepted Solutions
Bob_Zimmerman
Authority

Is it full HA (management HA and firewall HA on two boxes total), a VSX cluster, or a normal HA cluster?

For full HA, I would take a migrate_export (to restore to your current version if needed) and a 'migrate server' for the upgrade. I would then wipe the box, do a clean installation, and import the 'migrate server' file. This is pretty complicated. Management upgrades go wrong much more often than firewall upgrades do.

For VSX, I would use 'vsx_util upgrade' on the management, reinstall one member, use 'vsx_util reconfigure' on the management to reprovision it (same process you would use to replace a failed member), then repeat on the other member(s).

For a normal HA cluster, I would right-click the cluster in SmartConsole and pick Actions > Version Upgrade. Pick the version, hit "Install", and let it cook for about an hour. Out pops an upgraded cluster, though one without a jumbo. You can use Actions > Install Hotfix/Jumbo to handle that. This method is super simple, and there's no opportunity to forget a step and cause an outage.


4 Replies
the_rock
Legend

I just do it this way:

-get backup of backup fw

-in web UI, verify upgrade is possible

-if good, upgrade to R81.20 with recommended jumbo 105

-once rebooted, confirm cluster state with cphaprob state

-if good, follow same process for current master

-once rebooted, you can flip the cluster over (if needed)

No need to enable MVC, as it is on by default starting R80.40, but you can check by running cphaprob mvc

Andy
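
The "confirm cluster state with cphaprob state" step in the list above can be turned into a gate that has to pass before the second member is upgraded. This is an added example, not part of the original post; it assumes the usual table layout of `cphaprob state` (numeric member ID first, state right after the load percentage), and the sample outputs, addresses and member names are constructed.

```shell
# Added example, not from the thread. Assumed layout of `cphaprob state`:
# member rows start with a numeric ID and the state follows the "NN%" column.

# Constructed sample output: healthy pair.
sample_ok() {
cat <<'EOF'
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         fw-a
2          192.0.2.2       0%              STANDBY        fw-b
EOF
}

# Constructed sample output: peer not ready after its reboot.
sample_degraded() {
cat <<'EOF'
ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         fw-a
2          192.0.2.2       0%              DOWN           fw-b
EOF
}

# Reads `cphaprob state` text on stdin; prints one "ID=STATE" line per member.
member_states() {
    awk '$1 ~ /^[0-9]+$/ {
        for (i = 2; i < NF; i++)
            if ($i ~ /^[0-9]+%$/) { print $1 "=" $(i + 1); break }
    }'
}

# Succeeds only with >= 2 members, exactly one ACTIVE and the rest STANDBY.
cluster_healthy() {
    states=$(member_states)
    total=$(printf '%s\n' "$states" | grep -c '=' || true)
    active=$(printf '%s\n' "$states" | grep -c '=ACTIVE$' || true)
    standby=$(printf '%s\n' "$states" | grep -c '=STANDBY$' || true)
    [ "$total" -ge 2 ] && [ "$active" -eq 1 ] && [ $((active + standby)) -eq "$total" ]
}

# On a member: cphaprob state | cluster_healthy || echo "hold: do not upgrade the next member"
```

Any state other than a plain ACTIVE or STANDBY, or a missing peer row, makes the gate fail, so the second member is only touched while the cluster can still fail over.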

RemoteUser
Advisor

Thank you very much. Yes, it’s a normal HA (active-standby), so there’s no major problem doing it from SmartConsole. Also, by doing it this way, the current configuration will remain, right? You’ll just need to apply the JHF afterward.

Bob_Zimmerman
Authority

Yes, upgrading with CDT in SmartConsole keeps the CLI config. Internally, it's running the upgrade using the same steps you would use on the command line, it's just doing all the steps in order for you.

And of course, the rule config lives on the management, which isn't directly affected by a firewall upgrade.

I would take a manual snapshot ahead of time so you can revert if the upgrade goes wrong, but it has been a few years since this upgrade method has gone wrong for me.
