Network_M
Collaborator

Upgrade R80.30 to R81.10

I'm planning an upgrade from R80.30 to R81.10.

As it is the first time for me, I am a beginner.

I read the Upgrading Guide.

I want to briefly share my upgrade steps with you and get some advice from mates.

My structure: 2 Security gateways running as Active/Passive HA and 1 Management device.

 

Steps I am going to do:

1. Take snapshots and backups of all 3 devices and export them to my PC (GUI, browser).

2. Download the package from CPUSE and install (upgrade) it on the Management device.

3. After upgrading Management, install database and event policy.

4. Upgrade the CP2 passive Security gateway as in the 2nd step.

5. Upgrade the CP1 active Security gateway as in the 2nd step.

6. Enter SmartConsole and change the OS versions to R81.10, push the policy.

 

Are these steps correct? Can anyone add something? Maybe I missed some points.

Thank you!

0 Kudos
9 Replies
Chris_Atkinson
Employee

For greater context, can you please share the JHF version and appliance model?

0 Kudos
Network_M
Collaborator

Of course, JHF Take 237, CP SMART 1205 MGMT, CP 5100 Security Gateways.

0 Kudos
Chris_Atkinson
Employee

Please note that the Smart-1 205 appliances can only be upgraded to R80.40 (RAM population may also be a consideration).

To move to R81+ you should discuss options with your local SE.

Refer: https://www.checkpoint.com/support-services/support-life-cycle-policy/

 

Network_M
Collaborator

Thank you very much for the link.

On my gateways, CPUSE shows the fresh install of R81.10, but MGMT does not show it, even if I check for updates.

I opened a case about that and the support team offered me to import the offline R81.10 fresh install package for MGMT.

I don't know how safe it is, but I am planning to check it.

0 Kudos
Gregory_Azratz
Employee

Hi,

Regarding the Management upgrade:

You are correct, you can do the upgrade via CPUSE.
Regarding the backup, CPUSE takes care of the backup for you; once the process is done you will have the old version as a snapshot.
But as always, backing up to an external location is recommended in order to be on the safe side.

Regarding the Security Gateway:
Once your Management is on R81.10, you will have the option to perform the cluster upgrade right from the SMC.
We will upgrade the backup member, perform failover and upgrade the former active member.

You can read more about it in the R81.10 management admin guide.

 

the_rock
Champion

I will tell you what I always do and never had a problem. Since everything nowadays when it comes to upgrades is done via CPUSE, just make sure you have the latest deployment agent installed (can also be checked via web UI) and take backups, upgrade mgmt first, then gateways. For gateways, I ALWAYS follow the zero downtime upgrade procedure (it does not matter which version document you use, that literally has not changed since a long time ago).

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

I never bother changing CCP mode to broadcast, as indicated in the doc, and that was never a problem. In short, upgrade backup, reboot, make sure that setting is checked when pushing policy and change object cluster to new version. Once done, do the same on the current master and confirm failover and push policy. That's pretty much it. To make it even easier, CP actually offers blink images, which deploy the versions way faster than regular ones, so the whole process, depending on your environment, should not take more than, I would say, 90 mins, if that.

Andy

genisis__
Advisor

A thing to consider here is XFS: a CPUSE upgrade will not allow you to use XFS. Additionally, for me, I would also prefer to do a clean install and then import data.

0 Kudos
K_montalvo
Advisor

@Network_M Since you have the Smart-1 appliance issue, I think your best bet is to do a fresh install of R81.10 on VMware and try the migrate_server method https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To upgrade HA, check they are properly synced with cphaprob stat and do a clusterXL_admin down on the primary gateway > upgrade the secondary gateway (make sure you have the cluster object configured with the active member first in the priority and to be primary after recovery). *Also make sure to have the checkbox "if installation fails on that cluster member, do not install on that object" checked. After policy install, the standby member should now become primary > after the primary member upgrade completes and policy is installed, it should automatically become primary; you could do a clusterXL_admin up (but this should happen automatically). Copying a friend to confirm if it's possible to achieve this the way I proposed or to share any other comments. @the_rock
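
The cluster health check mentioned in the reply above can be scripted as a gate before each member upgrade. This is an added example, not part of the original post or Check Point's own tooling; the sample `cphaprob stat` text is constructed, and the column layout it parses is an assumption to verify on your version.

```shell
# Added example: gate a ClusterXL member upgrade on `cphaprob stat` output.
# Sample text is constructed; the column layout (ID, address, load %,
# state, name) is an assumption and should be checked on your version.

# Reads `cphaprob stat` text on stdin. Returns 0 only when there are
# exactly two members, one ACTIVE and one STANDBY, and nothing else.
cluster_ready() {
    awk '
        # Member rows start with a numeric ID; "(local)" may follow it.
        $1 ~ /^[0-9]+$/ {
            state = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+%$/) { state = $(i + 1); break }
            members++
            if (state == "ACTIVE") active++
            else if (state == "STANDBY") standby++
            else detail = detail " " $1 ":" state
        }
        END {
            if (members == 2 && active == 1 && standby == 1) {
                print "OK: 1 ACTIVE, 1 STANDBY"; exit 0
            }
            printf "NOT READY: members=%d active=%d standby=%d other=%s\n",
                members, active, standby, (detail == "" ? " none" : detail)
            exit 1
        }
    '
}

sample_healthy() {    # constructed output, both members healthy
cat <<'EOF'
Cluster Mode:   High Availability (Active Up) with IGMP Membership
ID         Unique Address  Assigned Load   State          Name
1 (local)  192.0.2.1       100%            ACTIVE         CP1
2          192.0.2.2       0%              STANDBY        CP2
EOF
}

sample_degraded() {   # constructed output, peer member is down
cat <<'EOF'
ID         Unique Address  Assigned Load   State          Name
1 (local)  192.0.2.1       100%            ACTIVE         CP1
2          192.0.2.2       0%              DOWN           CP2
EOF
}

# On a gateway the input would be: cphaprob stat | cluster_ready
sample_healthy | cluster_ready || true
sample_degraded | cluster_ready || true
```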

Garrett_DirSec
Advisor

Hello -- I'm sure you will receive a bunch of suggestions on this post. Some aspects and recommendations will be personal (and professional) preference based on past scar tissue from doing similar CP upgrades.

Without going through the exact details, I strongly recommend splitting this into "phases". The first phase is only upgrading the SmartCenter instance. You do this successfully and let the "dust settle" for a period of time (days/weeks/etc.) before moving on to the gateways.

If on VMware/Hyper-V/Nutanix, this is fantastic and makes the procedure VERY flexible from an operational standpoint. If on physical hardware, you lose some flexibility but the overall procedure is very similar => "advanced upgrade".

You'll be doing what is called an "advanced upgrade", which means you'll build an entirely NEW instance in a separate VM, install GAIA from scratch from ISO, run the wizard, update to the latest GA JUMBO, then IMPORT the config via migration tools.

There is an obvious sequence of events that has to happen -- example: turning OFF the OLD R80.30 instance before you install the new instance and pick the same IP address. There is a scenario where you can install the new one on a different IP, import, and test access with SmartConsole and "cut over" the IP when appropriate (turning off OLD and changing the IP of NEW to the production IP). The "cut over" is complete with a policy push to make the gateways aware of the new instance. Yes, SmartCenter can be a newer version managing older gateway versions.

Second key recommendation during the advanced upgrade: ensure the SmartCenter object name (in CP software SmartConsole) is the same as the GAIA hostname on the new instance. Do NOT change this during the upgrade (due to reasons beyond the scope of this thread).

The gateway upgrades are relatively easy -- HERE.