Re: Upgrade R80.30 to R81.10

Network_M · ‎2022-02-06

I'm planning upgrade from R80.30 to R81.10.

As it is first time for me, I am a beginner.

I read Upgrading Guide.

I want shortly to share my steps of upgrading with you and take some advice from mates.

My structure: 2 Security gateways running as Active/Passive HA and 1 Management device.

Steps I am going to do:

1. Take snapshots and backups of all 3 devices and export them to my PC (Gui, browser).

2. Download package from CPUSE and install (upgrade) it on Management device.

3. After upgrading Management, install database and event policy.

4. Upgrade CP2 passive Security gateway like in 2nd step.

5. Upgrade CP1 active Security gateway like in 2nd step.

6. Enter SmartConsole and change versions of OS to R81.10, push the policy.

Are these steps correct? Anyone can add something? Maybe I miss some points.

Thank you!

Chris_Atkinson · ‎2022-02-07

For greater context can you please share the JHF version and appliance model?

CCSM R77/R80/ELITE

Network_M · ‎2022-02-07

Of course, JHF Take 237, CP SMART 1205 MGMT, CP 5100 Security Gateways.

Chris_Atkinson · ‎2022-02-07

Please note that the Smart-1 205 appliances can only be upgraded to R80.40 (RAM population may also be a consideration).

To move to R81+ you should discuss options with your local SE.

Refer: https://www.checkpoint.com/support-services/support-life-cycle-policy/

CCSM R77/R80/ELITE

Network_M · ‎2022-02-07

Thank you very much for the link.

On my gateways, cpuse shows fresh install of R81.10, but MGMT does not show, even if I check for updates.

I opened a case about that and support team offered me to import offline R81.10 fresh install package for MGMT.

I don't know how safe it is, but I am planning to check it.

Gregory_Azratz · ‎2022-02-07

Hi,

Regarding the Management upgrade -

You are correct, you can do the upgrade via CPUSE .
Regarding the backup, CPUSE takes care of the backup for you, once the process is done you will have the old version as a snapshot.
but as always backing up to an external location is always recommended in order to be on the safe side.

regarding the Security Gateway-
once your Management is on R81.10 you will have the option to preform the cluster upgrade right from the SMC -
we will upgrade the backup member, perform failover and upgrade the former active member.

you can read more about it In the R81.10 management admin guide

the_rock · ‎2022-02-07

I will tell you what I always do and never had a problem. Since everything nowadays when it comes to upgrades is done via CPUSE, just make sure you have latest deployment agent installed (can also be checked via web UI) and take backups, upgrade mgmt first, then gateways. For gateways, I ALWAYS follow zero downtime upgrade procedure (does not matter which version document you use, that literally has not changed since long time ago)

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

I never bother changing cup mode to broadcast, as indicated in the doc and that was never a problem. In short, upgrade backup, reboot, make sure that setting is checked when pushing policy and change object cluster to new version. Once done, do same on current master and confirm failover and push policy. That's pretty much it. To make it even easier, CP actually offers blink images, which deploy the versions way faster than regular ones, so whole process, depending on your environment, should not take more than, I would say 90 mins, if that.

Andy

genisis__ · ‎2022-02-09

Think to consider here is XFS, cpuse upgrade will not allow you to use XFS. Additionally for me I would also prefer to do a clean install and then import data.

Matlu · ‎2023-09-21

Hello,

Taking advantage of the content of this post.

Is it possible to do a version UPGRADE, for example R80.30 to R81, using the Blink Packages (from the GAIA WebUI), for a STANDALONE environment?

I ask, because I am making a LAB for a customer, and all the options that appear from BLINK, none gives me exact reference that the package is for a STANDALONE.

So, it is simply not possible to use BLINK for STANDALONE environments?

Thanks for your comments.

Dov_Fraivert · ‎2023-09-21

@Matlu
You are right, currently there are blink packages for MGMT, GW and MDS and no for Stand Alone.

Matlu · ‎2023-09-21

Thank you for the clarification.

An additional doubt, using Blink Package, for a MGMT, assures me that it will update the version + Hotfix, correct? (For example, from R80.40 to R81.10).
But, it gives me the assurance that the MGMT policy package and all its configuration, such as routes, management IP, etc, all that, will be "preserved" with this type of update (I mean using the Blink Package)?

Thanks for your help.

the_rock · ‎2023-09-21

Thats right bro, you can use blink packages for upgrade, I done it many times. Just right click and then verify its available for the upgrade, but most of them are and everything is preserved (routes, interfaces, config...etc). I always take backup prior to upgrade, just in case, as auto snapshot is generated, at least if its major upgrade.

Andy

K_montalvo · ‎2022-02-07

@Network_M Since you have Smart One Appliance issue i think your best bet is to do a fresh install of r81.10 on VM Ware and try a migrate_server method https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To upgrade HA check they are properly sync with cphaprob stat and do a clusterXL_admin down on primary gateway > upgrade de secondary gateway (make sure you have the cluster object configure with the active member first in the priority and to be primary after recover. *Also make sure to have the checkbox of if installation fails on that cluster member do not install on that object. After policy install standby member now should become primary > after primary member upgrade completes and policy install it should automatically become primary you could do a clusterXL_admin up (but this shall do it automatic). Copiying a friend to confirm if its possible to achieve this the way i proposed or shared any other comments. @the_rock

Garrett_DirSec · ‎2022-02-09

Hello -- I'm sure will you receive a bunch of suggestions on this post. Some aspects and recommendations will be personal (and professional) preference based on past scar tissues doing similar CP upgrades.

Without going through the exact details, I strongly recommend splitting this into "phases". First phase is only upgrading Smartcenter instance. You do this successfully and let "dust settle" for period of time (days/weeks/etc) before moving on to gateways.

If on Vmware/HyperV/Nutanix, this is fantastic and makes the procedure VERY flexible from operational standpoint. If on physical hardware, you lose some flexibility but overall procedure very similar => "advanced upgrade".

you'll be doing what is called an "advanced upgrade" which means you'll build an entirely NEW instance in separate VM, install GAIA from scratch from ISO, run wizard, update to latest GA JUMBO, then IMPORT config via migration tools.

There are obvious sequence of events that have to happen -- example: turning OFF the OLD R80.30 instance before you install new instance and pick the same IP address. there is scenario where you can install new to different IP, import, and test access with SmartConsole and "cut over" IP when appropriate (turning off OLD and changing IP of NEW to production IP). The "cut over" is complete with a policy push to make gateways aware of new instance. Yes, SmartCenter can be newer version managing older gateway versions.

Second key recommendation during advance upgrade: insure the SmartCenter object name (in CP software Smartconsole) is same as GAIA hostname on new instance. Do NOT change this during upgrade (due to reasons beyond scope of this thread).

the gateway upgrades are relatively easy -- HERE.

Are you a member of CheckMates?

Upgrade R80.30 to R81.10