Re: R80.40 upgrade on Checkpoint management and fi...

iancollins · ‎2021-06-01

Hi,

I'm looking for a bit of guidance.

I have a virtual machine running the Checkpoint management

cpmanagement> show version all
Product version Check Point Gaia R80.30
OS build 200
OS kernel version 3.10.0-693cpx86_64
OS edition 64-bit

and two Checkpoint 5600 appliances in a cluster (running r80.30) - call them fwa and fwb

Our task is to upgrade all of them to R80.40.

What is the procedure/order to do the upgrades on cpmanagement, fwa and fwb?

Can you give any guidance for doing this please.

Thanks, Ian Collins

Bob_Zimmerman · ‎2021-06-01

Management first. It's easy and non-disruptive. Use 'migrate export' to export the config ahead of time and test importing it into a new R80.40 management in a VM. Don't actually give the new VM network access. It is simply to prove the upgrade works.

Once you have tested the management upgrade, do it for real. Get a new 'migrate export', flatten the real VM, reinstall from the R80.40 ISO, do the initial config (config_system helps here), and import the management config. Your management should now be R80.40.

As for the firewalls, there are a lot of ways to do that, all described in the R80.40 installation and upgrade guide. I would recommend building config_system files for the firewalls and reading about the Multi-Version Cluster upgrade.

iancollins · ‎2021-06-02

Hi,

Thanks for the reply - That gives me a place to start.

Two more quick questions if you dont mind -

if I upgrade the management to r80.40 while the firewalls are at r80.30 - will the firewalls still function ok? (dont know why I'm asking, I'm sure pretty answer is yes to this... just trying to limit downtime).
If the above is yes, it should be relatively easy to upgrade each firewall separately .... i.e.
when fwa active
upgrade fwb
test
move to fwb
when happy upgrade fwa.
Doesnt that sound good?

Thanks, Ian.

Bob_Zimmerman · ‎2021-06-02

For your first question, yes, R80.40 management can manage R80.30 firewalls, and the firewalls won't care. All management versions can manage a few earlier firewall versions. I think R80.40 management can manage back to R77, which is something like eight years of backwards compatibility.

With a jumbo HFA (patch bundle), management versions can also manage some newer firewall versions. For example, I have an R80.20 management server managing some R80.40 firewalls. You're limited to application features of the lowest version (so in my case, R80.20), but you can use OS-level features of the new version (such as the new kernel and userspace, new filesystem, etc.)

As for question 2, that's roughly how most cluster upgrades go. The installation and upgrade guide has a few. Minimal Effort Upgrade involves an outage window where you shut both members down, upgrade them, then bring them both online at the new version. Zero Downtime Upgrade involves upgrading one member, flipping over to it (which will cause loss of ongoing connections; R80.30 and R80.40 firewalls can't sync normally), testing, then upgrading the other. Multi-Version Cluster Upgrade involves explicitly telling the upgraded cluster member to sync with the older version, which allows ongoing connections to survive the failover with some limitations.

Tomer_Noy · ‎2021-06-02

Your environment sounds pretty simple, so I'm not sure it's worth the effort to do a "migrate export", test it, install from ISO and export+import again.

The easiest way to upgrade the Management is to go into the Gaia portal, into the CPUSE (software) page, then choose the desired version and click "upgrade". This will download the software package of the selected version and perform an in-place CPUSE upgrade of the Management machine. It will even show you a nice report of progress and a summary when done. All your Gaia configuration (system, networking, etc) will seamlessly pass over to the new version.

The CPUSE upgrade is done to a new partition, so in case of failure it will automatically revert to the previous partition with the previous version. You don't even need to take a Gaia snapshot (although a VM snapshot is always a good idea to be safe).

For the cluster upgrade, some good materials were shared in this post to do it correctly.
Note that if your Management was R81, we have a new feature to do the gateway / cluster upgrade directly from SmartConsole. Just right-click your cluster, choose upgrade and select the version. That will orchestrate the relevant CPUSE commands to the cluster members to download the version and perform the upgrade. A nice benefit is that it will automatically do them in order to prevent any networking downtime, including the commands to sync the connections and avoid traffic hiccups during the failover.

iancollins · ‎2021-06-02

Thank you.

I'll investigate moving to r81.

Vladimir · ‎2021-06-02

I agree with @Tomer_Noy in that your environment is simple enough for the CPUSE upgrade to R80.40.

This said, I would never skip the pre-upgrade migrate export from management, and backups and snapshots from gateways to network repository:)

-Better 3xSafe than 1xSorry ™️-

iancollins · ‎2021-06-02

Thanks - Noted - and I agree

Are you a member of CheckMates?

R80.40 upgrade on Checkpoint management and firewalls