This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
peter_schumache
Collaborator
‎2020-05-18 01:32 PM

Blink upgrade with CPUSE

Has anyone done a cluster upgrade from R80.10 to R80.30 using the blink method based on CPUSE?

What are the experiences?

Any gotchas?

Thanks for your feedback

17 Replies
peter_schumache
Collaborator
‎2020-05-20 09:39 AM

In the meantime I can answer the question myself.This afternoon we upgraded a cluster of 2 4800 appliances from R80.10 to R80.30 take 191 using the blink image with CPUSE.

The upgrade went very fast and smoothly, the old Gaia Configuration was restored correctly and the SIC state was restored as well. The second member even picked up its policy from the SmartCenter without our intervention. ALl final tests run without any errors.

 

Thats the way it should be. Many thanks and congratulations to the blink R&D Team

Tsahi_Etziony
Employee
Employee
‎2020-05-24 03:52 AM
In response to peter_schumache

I was waiting to hear feedback from others, but I am happy that you went along and tried it. I am very pleased that it worked well and I will make sure the R&D team is aware of your thanks.
Arne_Boettger
Collaborator
‎2020-06-09 01:50 AM
In response to peter_schumache

I was wondering on how to use Blink images for this purpose, too.

Can you give us a short how-to or an insight which documentation you followed?

0 Kudos
Tsahi_Etziony
Employee
Employee
‎2020-06-09 03:14 AM
In response to Arne_Boettger

The simplest way is to use Blink with CPUSE, just like any other major upgrade package. this is described in the Blink SK.

Bryan_Harrell
Participant
‎2020-05-26 06:35 AM

Yea, I've been waitign for others experiences with this as well, and what issues they ran into. I rea briefly thru the DOC's on using Blink to fresh-reimage an appliance remotely, as we've done several in-place upgrades withot issues, however I don't like to do more than a couple before fresh re-imaging, and with the pandemic goign on limiting travel, I am unable to get to our DR site to do the upgrades up there there, and Blink sounds like the best solution, but the documentation on it is a bit thin... anyone have an example of the file you used to create the blink reconfig following the re-image process? 

0 Kudos
_Val_
Admin
Admin
‎2020-06-09 03:41 AM
In response to Bryan_Harrell

@Bryan_Harrell Blink "answers" file answers.xml  structure is fully outlined in the Blink SK article. It also should address most of your questions. If you miss anything else, please elaborate, I will do my best to help you out.

Bryan_Harrell
Participant
‎2020-06-09 08:30 AM
In response to _Val_

Thanks...
0 Kudos
peter_schumache
Collaborator
‎2020-06-09 07:45 AM
In response to Bryan_Harrell

Last year I wrote the attached paper as a basis to upgrade a couple of VRRP-based Clusters. In the meantime, things have got dramatically simple by offering the blink mechanism within CPUSE.

My screenplay got obsolete, except of the snapshot and testing part 😉

 

Screenplay_Upgrade_R80-20.pdf
Preview file
1638 KB
Bryan_Harrell
Participant
‎2020-06-09 09:01 AM
In response to peter_schumache

WOW, this is way more than what I was looking for, but is in right in line with what I normally like to create for DR documentation in my job, so if we get hit by a disaster that takes us one or more of us out of action, the rest of the team will have a step-by-step playbook to work from until they can get their feet underneath them if it turns out it will be a long-term recovery process, and this will save me much time trying to figure this out for the first time as a result - I have an R80.40 upgrade planned for the end of the month- just gotta get past a data center rack consolidation/move project next weekend where we're shutting down the core of the network including the firewalls, to move it all to new racks about 30 feet away- again, thanks so much for offering your play-book as an example!
ttyser
Participant
‎2020-09-24 02:22 AM
In response to Bryan_Harrell

Hello guys, I have a question. It can sounds stupid to you but I am not experienced as you are so.. I have read through multiple Blink threads and Blink SK and I would like to still ask something 🙂 When I am doing for example upgrade from R77.30 to R80.10 and its production device(cluster) is there a possibility that blink will save the system configuration(IPs, interfaces, snmp, dns, etc) and when the upgrade is done it will apply the system configuration back? Considering the Blink will do clean install and only info in SK is about the possibility to do initial configuration with the answers.xml file I guess there isnt such option? Thank you for any reply!

_Val_
Admin
Admin
‎2020-09-24 03:17 AM
In response to ttyser

The best is to capture OS config with "show configuration" CLISH command and then copy/paste to the new installed device before the first time wizard. 

ttyser
Participant
‎2020-09-24 04:12 AM
In response to _Val_

Thank you for the info! I just wanted to be sure I am not missing anything. 

Tsahi_Etziony
Employee
Employee
‎2020-09-24 04:20 AM
In response to ttyser

CPUSE upgrade does exactly that, no matter it is a "regular" version upgrade or a Blink upgrade. when you select upgrade on the CPUSE WebUI page, the configuration will be kept, including all that you mentioned. if you select clean installation, the configuration will be discarded and default configuration will be used (only the IP will be kept so you'll still be able to communicate with the remote appliance) 

ttyser
Participant
‎2020-09-24 04:57 AM
In response to Tsahi_Etziony

Hey Tsahi, thank you for the info. I was looking into the CPUSE option too, but noticed that in case of just upgrading, one can run into problems after the verification phase. So my logic was that with clean install, there are no post-verification problems 🙂 I just wasn't sure about that system config, because one colleague told me, the blink does store the system config for post-upgrade use, but based on my research, I wasn't sure that's the true. But anyway, thank you guys for all the info, really appreciate it.

Tim_Spencer
Contributor
‎2021-05-12 03:54 AM
In response to Tsahi_Etziony

I think Tsahi has answered my question but would love to check with you all just in case I've misunderstood.

I've been reading the blink documentation but any first hand advice would be great.

We have a lot of openserver firewalls. I upgraded our openserver managers the other day and having booted off the r80.40 clean install usb image, found that my server NICs weren't correctly recognised at the check hardware stage. The Check Point hardware compatability guide says they are fine in r80.40 so long as you use blink r80.40 jhf25 or above. So I'm guessing from that, they added the necessary drivers in with jhf25.  I ended up getting round the issue by trying several different NIC cards until they were recognised and then continued as normal.

Anyway the main question!!! I'm thinking for the rest of my upgrades, (upgrades not clean installs) use the latest 80.40 blink image via CPUSE. The documentation discusses an xml file and other packages but I'm assuming that is if you wish to do a clean wipe remote/unattended build? In the case of an upgrade, would I just select in CPUSE the latest blink image which includes the hotfixes, download in CPUSE and this click upgrade? No need to do anything else or add any other config files like the XML and that will upgrade to 80.40 with that hotfix and all my config will remain as before and most importantly understand their NIC drivers!?!?? I'm hoping that is the case!! Can't be driving all over the county with NIC cards again!!! 

Thanks all

0 Kudos
Tsahi_Etziony
Employee
Employee
‎2021-05-20 03:38 AM
In response to Tim_Spencer

That is correct. the mxl files and other configuration are for clean installation and specifically if you want to bypass the short configuration page after you install the Blink image. 

In case of an upgrade, just like any CPUSE upgrade, the configuration is being copied from the previous version to the new one. 

Still - I would try it out first on a single machine, preferably somewhere close by 😉

0 Kudos
Tim_Spencer
Contributor
‎2021-05-20 03:43 AM
In response to Tsahi_Etziony

Many thanks for your response. I got impatient and tried it on an appliance the other day and it worked like a charm, upgrading and installing the latest hotfix all in one go 🙂

Have just run the verifier to do the same on some more of my firewalls  and got an error warning my my lv_current was 18Gb and needed to be 20Gb to do an upgrade.

So frustrating.

Will have to do an LVM_manager grow of lv_current now.

Was hoping that wouldn't need an outage for the disk grow but of course it does!

Never rains but it pours!!!

Thanks again.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top