This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave_Taylor1
Collaborator
‎2019-03-26 01:16 PM
Jump to solution

Production cluster upgrade R77.30 to R80.10

We attempted to upgrade a production cluster today from R77.30 to R80.10. We started with the standby first. Once upgraded it was not able to fetch policy.  It indicated a version mismatch.

We didn’t want to upgrade the active since it was handling production data and we didn’t want to block ourselves from access.

what is the recommendation path to upgrade a production cluster?

 

 

0 Kudos
3 Solutions

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2019-03-26 02:52 PM
Jump to solution

Is this centrally managed (separate management server) if so when you say I was doing a fetch policy, this will not work when you have not changed the version of the cluster and pushed the policy first, It needs to be compiled for the R80.10 version first on management.
When you install policy you need to untick the Install Mode option that when you push to a cluster it will not push when either member fails, like this:

Install Mode R80.PNG
So you want 1 member to be pushed while the other fails as the versions of the 2 members are different.
Now your upgraded member will have the new policy loaded and you will be able to continue your steps.

Regards, Maarten

View solution in original post

0 Kudos
Vladimir
Champion
Champion
‎2019-03-29 08:22 AM
In response to Dave_Taylor1
Jump to solution

Have you changed the Cluster version to R80.10 AND Unchecked the box "For gateway clusters, if installation on a cluster member fails, do not install on that cluster"?

 

If the above two steps are done and changes are published, you should be able to install the policy from the SmartConsole.

It will fail on the cluster member running R77.30 and will succeed on the cluster member running R80.10.

Monitor the progress of the policy installation by clicking "Details" and watching it being applied on individual cluster members.

Then follow the "connectivity upgrade" instructions to complete the upgrade of the cluster.

 

View solution in original post

0 Kudos
Vladimir
Champion
Champion
‎2019-04-02 03:26 AM
In response to Dave_Taylor1
Jump to solution

Glad it worked.

It is actually in documentation but, perhaps, worded a bit differently.

If the answer above was helpful, please click on "Accept as Solution" button under it. 

Regards,

Vladimir

View solution in original post

0 Kudos
13 Replies
JozkoMrkvicka
Authority
Authority
‎2019-03-26 02:03 PM
Jump to solution

Have a look on Check Point Backward compatibility Map.

In order to upgrade gateway to R80.10, you first need to upgrade management to R80.10 or R80.20.
Security gateway with R80.10 cannot be managed from R77.30 management server.

Kind regards,
Jozko Mrkvicka
0 Kudos
Dave_Taylor1
Collaborator
‎2019-04-08 06:14 PM
In response to JozkoMrkvicka
Jump to solution

Thanks for your advice. I am aware the management has to be R80.10.

I was speaking of the cluster gateway.

This has been resolved.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-03-26 02:52 PM
Jump to solution

Is this centrally managed (separate management server) if so when you say I was doing a fetch policy, this will not work when you have not changed the version of the cluster and pushed the policy first, It needs to be compiled for the R80.10 version first on management.
When you install policy you need to untick the Install Mode option that when you push to a cluster it will not push when either member fails, like this:

Install Mode R80.PNG
So you want 1 member to be pushed while the other fails as the versions of the 2 members are different.
Now your upgraded member will have the new policy loaded and you will be able to continue your steps.

Regards, Maarten
0 Kudos
Dave_Taylor1
Collaborator
‎2019-03-29 06:49 AM
In response to Maarten_Sjouw
Jump to solution

I tried this option and had no luck. It still gave me the same error

0 Kudos
Vladimir
Champion
Champion
‎2019-03-29 08:22 AM
In response to Dave_Taylor1
Jump to solution

Have you changed the Cluster version to R80.10 AND Unchecked the box "For gateway clusters, if installation on a cluster member fails, do not install on that cluster"?

 

If the above two steps are done and changes are published, you should be able to install the policy from the SmartConsole.

It will fail on the cluster member running R77.30 and will succeed on the cluster member running R80.10.

Monitor the progress of the policy installation by clicking "Details" and watching it being applied on individual cluster members.

Then follow the "connectivity upgrade" instructions to complete the upgrade of the cluster.

 

0 Kudos
Dave_Taylor1
Collaborator
‎2019-04-01 06:35 PM
In response to Maarten_Sjouw
Jump to solution

I tried this in the lab and it worked.

Thank you, very much!

I have yet to find “This” portion mentioned in any documentation. 

0 Kudos
Vladimir
Champion
Champion
‎2019-04-02 03:26 AM
In response to Dave_Taylor1
Jump to solution

Glad it worked.

It is actually in documentation but, perhaps, worded a bit differently.

If the answer above was helpful, please click on "Accept as Solution" button under it. 

Regards,

Vladimir

0 Kudos
Martin_Valenta
Advisor
‎2019-03-27 03:17 AM
Jump to solution

Dude, just read documentations sometimes..

https://sc1.checkpoint.com/documents/Best_Practices/Cluster_Connectivity_Upgrade/html_frameset.htm

0 Kudos
Dave_Taylor1
Collaborator
‎2019-03-29 06:55 AM
In response to Martin_Valenta
Jump to solution

I read documentation. Thanks.

0 Kudos
RickLin
Advisor
Advisor
‎2019-03-27 06:52 AM
Jump to solution

Reference the Best Practices Guide is the first thing, I think you should do the upgrade in your lab first.

Or you can reference your local SI or CheckPoint Professional Service who have rich experience about ClusterXL upgrade.

Besides, the R80.x Security Management needs more and more hardware resource, include the Hard Disk I/O and space. 

0 Kudos
Dave_Taylor1
Collaborator
‎2019-03-29 06:53 AM
In response to RickLin
Jump to solution

Thanks. That is my next step.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-04-06 12:39 PM
In response to Dave_Taylor1
Jump to solution

More see here:

R80.x - cheat sheet - ClusterXL

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Yogesh_Vashisht
Explorer
‎2019-11-22 02:09 PM
In response to HeikoAnkenbrand
Jump to solution

Hi All, 

This post is very helpful.

Just wondering if someone can also help in confirming if any Hotfix installation is mandatory while upgrade cluster from R77.30 to R80.10 ?

We are using VRRP and DA Build number: 1786 (agent build is up to date) already on devices.

Thanks in advance!

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events