This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
katabey
Explorer
‎2021-02-28 02:15 AM
Jump to solution

Major upgrade and Hot fix order best practice

Hello,

I will be upgrading a couple of 2200 appliance clusters(active-standby) from 77.30 to 80.30. I will be doing the gateway upgrades. Central management is already updated to the latest 80.30.  I will also install Jumbo Hotfix 227 for 80.30.

My question is which method is correct/best practice?

Should I do like

-major upgrade of the standby unit

-Let the guys in HQ do the procedure on the manager.

-major upgrade of the primary unit

-When upgrades are complete and everything is fine, install the hotfix to both appliances.

Or

- Major upgrade the standby unit

-After the appliance boots up without doing anything install the jumbo hotfix

-Let the guys do the procedure on the manager

-Major upgrade of the primary unit and install hotfix again.

 

Best Regards.

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Boaz_Orshav
Employee
Employee
‎2021-02-28 09:09 PM
Jump to solution

Hi

  I recommend using Blink package which includes both the version 80.30 and the Jumbo as well.

  It is faster and easier - only one package which means one reboot, no need to check the machine twice (once after 80.30 and once after the Jumbo), the package is smaller than GA + Jumbo separately.

  Using CDT is a good idea too as it would do some things for you. You need to keep the package only on the management (CDT will pass it to the GWs), cluster version will be changed to 80.30 by CDT and more.

  Please take latest CDT version from SK111158 and if there are any questions you can contact me directly at boazo@checkpoint.com

 

View solution in original post

0 Kudos
6 Replies
Maarten_Sjouw
Champion
Champion
‎2021-02-28 10:41 AM
Jump to solution

In my upgrades I always use the second method, that way I only have 1 failover to the new version and one back to the original primary member.

Regards, Maarten
Vincent_Bacher
Leader Leader
Leader
‎2021-02-28 12:50 PM
Jump to solution

I would use cdt, it does everything automatically and you just have to watch. CDT is included starting from R80.30 at management. It is meant for the simultaneous upgrade of many gateways but why not use it if you have the possibility?  🙂

CDT prepares policy for R80.30, installs major upgrade on standby, reboots, install hf on standby, syncs sessions, performs failover, then upgrade and hf on master. 

Easy going 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Boaz_Orshav
Employee
Employee
‎2021-02-28 09:09 PM
Jump to solution

Hi

  I recommend using Blink package which includes both the version 80.30 and the Jumbo as well.

  It is faster and easier - only one package which means one reboot, no need to check the machine twice (once after 80.30 and once after the Jumbo), the package is smaller than GA + Jumbo separately.

  Using CDT is a good idea too as it would do some things for you. You need to keep the package only on the management (CDT will pass it to the GWs), cluster version will be changed to 80.30 by CDT and more.

  Please take latest CDT version from SK111158 and if there are any questions you can contact me directly at boazo@checkpoint.com

 

0 Kudos
Vincent_Bacher
Leader Leader
Leader
‎2021-02-28 11:42 PM
In response to Boaz_Orshav
Jump to solution

Hi Boaz,

yes, blink is another option. As i did not not yet dealt intensively with Blink, only read about it in the sk, I would like to ask if i understood right, that the effort using blink for upgrading a single cluster may be bit too high in comparison to using cdt which is editing just the CentralDeploymentTool.xml and a deployment plan?

 

Cheers

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Tsahi_Etziony
Employee
Employee
‎2021-03-01 01:46 AM
In response to Vincent_Bacher
Jump to solution

If the options are either Blink or CDT, let me suggest the best of both - use CDT with Blink 😊

CDT can use Blink for its upgrades, so CDT will take care of the cluster and the management object, while Blink will upgrade directly to the desired version and hotfix. You can use Blink just like any other CPUSE upgrade package in the deployment plan.

0 Kudos
katabey
Explorer
‎2021-03-11 11:38 PM
In response to Boaz_Orshav
Jump to solution

Hello Boaz,

 

Thanks for the advice. I couldn't write earlier since I was on the road for two weeks for these upgrades. Blink is the best option as you suggested, single step, clean and fast.

I did my first cluster with 2 step upgrade, it took 1 hour for each upgrade, thus a total of 4 hours for a single site. Blink package reduced this to 50 minutes per device. CDT was not an option, because of the limited bandwidth of the sites. Only thing was DA agent (CPUSE) was a very old one so I had to use the manual installation method. Let me leave it here.

-go to sk92449 and download agent

-upload it to gateway 

Follow the procedure in Expert mode. (Does not require restart)

# tar -xvzf DeploymentAgent_XXXXXX.tgz
# rpm -Uhv --force CPda-00-00.i386.rpm
Restart all clishd daemons:
# killall -v clish clishd
Restart confd daemon
# tellpm process:confd
# tellpm process:confd t
Start CPUSE agent manually:
# $DADIR/bin/dastart

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events