This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Vanness_Chen
Explorer
3 weeks ago
Jump to solution

Maestro + VSX - MDS Upgrade from R81.20 to R82

I have a similar requirement as well this year to upgrade from R81.20 to R82.
The customer environment is based on Maestro + VSX, which I believe makes the upgrade even more complex.
I’d really appreciate hearing from anyone who has gone through a similar upgrade, and any lessons learned or pitfalls to watch out for.

0 Kudos
1 Solution

Accepted Solutions
Serge_Wuethrich
Explorer
Explorer
3 weeks ago
Jump to solution

Last year I was verifying a Maestro upgrade (R81.20 to R82) in a lab environment. The setup is exactly what you mentioned (MDS + Maestro + VSX).

I cannot say much about the MDS upgrade, but the Maestro environment is pretty much unaffected by this anyway.

For the Maestro upgrade stick to the procedure in the Admin Guide. This should be pretty much straight forward:
https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ScalablePlatforms_AdminGuide/Conte...

I took some notes during the upgrade procedure because I ran into several problems. They may or may not have been fixed in a more recent JHF take.

In general be aware, that you have to update the CPUSE agent to 2550 or higher and install JHF take 92 or higher before you upgrade the MHO or SG (https://support.checkpoint.com/results/sk/sk181127). This may take a lot of time, especially on the SGM. Also run the HCP utility before you upgrade to avoid troubleshooting errors which existed before already. HCP will be your friend, especially after the upgrade.

The MHO upgrade went through pretty much seamless. Just be aware, that the disk space on the MHO is very limited. Delete any existing snapshots and do not upload JHF or upgrade packages to the disk. Instead download or upload them directly to the CPUSE repository -> avoid using "installer import local".

The upgrade for the SG was also not really an issue and worked as described in the guide (including vsx_util upgrade). However, after running hcp again after the upgrade I noticed several issues:

  • HCP Post Upgrade Verifier (check 109). MVC was not turned off automatically after the last SGM was upgraded. HCP adviced me to run "sp_upgrade cleanup_upgrade" which did not fix the issue. Instead I ran "g_all chpaconf mvc off", which the cleanup script should do anyway.
  • HCP Policy in Security Group (check 108). The FW policy for the VS had a signature mismatch on the SGM. I opened an SR with support and we were able to fix it by deleting all policy files in the VS context -> rm -rf $FWDIR/state/__tmp/FW1/*; rm -rf $FWDIR/state/local/FW1/*. And then installing the policy again. This fixed the issue.
  • I was not able to view the performance statistics for a VS in Insights. Insights just crashed when doing so. Same for the new "cluster-cli" command which was introduced for Maestro in R82. I opened another SR. It looks like a daemon is not registered correctly when doing an upgrade. We fixed it by running "stats-streamer-cli daemon register". You have to run this on each SGM locally. Do not run it with g_all, since this does not work.

Apart from those issues, I had no other problems and and everything went as expected.

View solution in original post

4 Replies
Don_Paterson
MVP Gold
MVP Gold
3 weeks ago
Jump to solution

Probably best to open a new thread for your question/s. 

Be sure to read all the R82 documentation that is relevant (links above) and pay attention to the VSX parts and Maestro parts. 

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RN/Content/Topics-RN/Supported-Upg...

 

If you can test upgrades and procedures in the lab first that will be a big benefit. 

0 Kudos
_Val_
Admin
Admin
3 weeks ago
In response to Don_Paterson
Jump to solution

@Vanness_Chen @Don_Paterson I moved the discussion to the Maestro space and changed the title, for convenience

AkosBakos
MVP Silver
MVP Silver
3 weeks ago
Jump to solution

Thil will a really interesting topic 🙂

----------------
\m/_(>_<)_\m/
0 Kudos
Serge_Wuethrich
Explorer
Explorer
3 weeks ago
Jump to solution

Last year I was verifying a Maestro upgrade (R81.20 to R82) in a lab environment. The setup is exactly what you mentioned (MDS + Maestro + VSX).

I cannot say much about the MDS upgrade, but the Maestro environment is pretty much unaffected by this anyway.

For the Maestro upgrade stick to the procedure in the Admin Guide. This should be pretty much straight forward:
https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ScalablePlatforms_AdminGuide/Conte...

I took some notes during the upgrade procedure because I ran into several problems. They may or may not have been fixed in a more recent JHF take.

In general be aware, that you have to update the CPUSE agent to 2550 or higher and install JHF take 92 or higher before you upgrade the MHO or SG (https://support.checkpoint.com/results/sk/sk181127). This may take a lot of time, especially on the SGM. Also run the HCP utility before you upgrade to avoid troubleshooting errors which existed before already. HCP will be your friend, especially after the upgrade.

The MHO upgrade went through pretty much seamless. Just be aware, that the disk space on the MHO is very limited. Delete any existing snapshots and do not upload JHF or upgrade packages to the disk. Instead download or upload them directly to the CPUSE repository -> avoid using "installer import local".

The upgrade for the SG was also not really an issue and worked as described in the guide (including vsx_util upgrade). However, after running hcp again after the upgrade I noticed several issues:

  • HCP Post Upgrade Verifier (check 109). MVC was not turned off automatically after the last SGM was upgraded. HCP adviced me to run "sp_upgrade cleanup_upgrade" which did not fix the issue. Instead I ran "g_all chpaconf mvc off", which the cleanup script should do anyway.
  • HCP Policy in Security Group (check 108). The FW policy for the VS had a signature mismatch on the SGM. I opened an SR with support and we were able to fix it by deleting all policy files in the VS context -> rm -rf $FWDIR/state/__tmp/FW1/*; rm -rf $FWDIR/state/local/FW1/*. And then installing the policy again. This fixed the issue.
  • I was not able to view the performance statistics for a VS in Insights. Insights just crashed when doing so. Same for the new "cluster-cli" command which was introduced for Maestro in R82. I opened another SR. It looks like a daemon is not registered correctly when doing an upgrade. We fixed it by running "stats-streamer-cli daemon register". You have to run this on each SGM locally. Do not run it with g_all, since this does not work.

Apart from those issues, I had no other problems and and everything went as expected.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events