This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Parabol
Contributor
‎2023-06-27 02:23 AM

Confusion with Security Management Upgrade Process (Primary, Secondary, Log)

Hi all,

We are planning to upgrade our management servers from R81.10 to R81.20. Traditionally in the past we did this all through CPUSE similar to this guide which had always been fairly simple, essentially just download and install in CPUSE.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Top...

However I note it says "This procedure is supported only for servers that run R80.20.M1R80.20R80.20.M2R80.30, or R80.40".

The New Upgrade Process - sk163814 implies it should be upgraded by running a CLI command (migrate_server).

Although in the known limitations section it does say the following, implying that CPUSE upgrades can still be used:

"CPUSE upgrades - Installing Jumbo HF or HF can be done only after upgrade of all servers, otherwise upgrade of Secondary Management or Log Server will fail."

I'm quite confused with the different guides/sk's giving slightly different impressions of how it should be done. Should we be using this new method, or can the "traditional" way through CPUSE still be used?

Thanks!

0 Kudos
6 Replies
Tal_Paz-Fridman
Employee
Employee
‎2023-06-27 05:03 AM

Hi 

The first message you gave This procedure is supported only for servers that run R80.20.M1R80.20R80.20.M2R80.30, or R80.40 is from the R81 Installation and Upgrade Guide so the message was correct for that time. 

The second message CPUSE upgrades - Installing Jumbo HF or HF can be done only after upgrade of all servers, otherwise upgrade of Secondary Management or Log Server will fail. refers to an issue where HF/JHF were applied before Secondary machines were upgrade to the same Major Version.

Adding @Liat_Cihan and @IrinaK 

Parabol
Contributor
‎2023-06-27 07:52 AM
In response to Tal_Paz-Fridman

Ah that makes sense, thanks for the reply! So in our scenario, with all 3 of the appliances on R81.10, installing the blink package with JHF should be OK, as we're not changing Major version. Initially I wasn't sure if we'd need to update to R81.20 firstly, and then update the JHF secondly in two phases.

The blink package is: R81.20 Security Management + JHF T10 for Appliances and Open Servers.

And I could be getting my documentation mixed up again, but I have a snippet saying to upgrade the primary first, would this be the best practice?

"Primary server should be upgraded first, and should be up and running during upgrades of the Secondary Management server and Log server."

Ah it was from the "new upgrade process" SK:

https://support.checkpoint.com/results/sk/sk163814

0 Kudos
the_rock
Legend
Legend
‎2023-06-27 05:53 AM

I had done simlar before and what I followd was this...secondary, then primary, then jumbo on both, lastly log server. That seemed to work fine.

Andy

Parabol
Contributor
‎2023-06-27 07:56 AM
In response to the_rock

Thanks for the feedback! I do have a snippet here relating to upgrading the primary first, it might have been in relation to the new upgrade process though. 

"Primary server should be upgraded first, and should be up and running during upgrades of the Secondary Management server and Log server."

Ah yes it's from the new upgrade process SK:

https://support.checkpoint.com/results/sk/sk163814

0 Kudos
the_rock
Legend
Legend
‎2023-06-27 08:04 AM
In response to Parabol

Hm, I would always upgrade STANDBY first (like gateway cluster) and it always worked. So, just to make sure we are not confusing the terminology...so secondary will ALWAYS be secondary, and primary will ALWAYS be primary, but secondary can be active and primary can be standby. Now, since sk says to upgrade primary first, follow that, so in case anything gets messed up (hope not...knock on wood), if TAC case is needed, you can be sure proper recommendations were followed.

Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events