Kilian_Huber
Contributor

Security Group Upgrade R81.20 & JHFA Installation in one Go

Hi Maestro Masters,

I have a question regarding Security Group upgrades: when doing standard Cluster upgrades, I would usually upgrade the Standby Member to the latest version and then install the recommended Jumbo for that version right away before doing a failover to the upgraded Cluster Member. I consider this best practice because I do not want a Cluster Member with a base image (no Jumbo) to handle production traffic.

With Maestro, this does not seem to be best practice. According to the Admin Guide, there is the possibility to "install the required critical Hotfix on the Security Group Members" but this step applies only if "Check Point Support or R&D explicitly instructed you to install a specific Hotfix on your specific Security Group in the middle of the upgrade".

The standard upgrade procedure would therefore be the following:

  1. Upgrade Security Group Members in Logical Group A to latest version
  2. Failover to Security Group Members in Logical Group A
  3. Upgrade Security Group Members in Logical Group B to latest version
  4. Install Jumbo on Security Group Members in Logical Group B
  5. Failover to Security Group Members in Logical Group B
  6. Install Jumbo on Security Group Members in Logical Group A

What is your approach to this? I personally do not like the idea of SGMs handling traffic when they have no Jumbo applied yet.

Thanks!

Kilian

0 Kudos
2 Replies
Dario_Perez
Employee

Hi, the upgrade should be under maintenance windows, where traffic might be affected totally or partially.

During the window you can upgrade both members and start with hotfixes. The impact on traffic should be minimal.

0 Kudos
emmap
Employee

The upgrade process isn't re-QA'd with each JHF, so we can't say whether there's any degradation in the procedure if the JHF is installed halfway through the upgrade procedure. Hence we have that requirement in the procedure. For a regular cluster I agree and do the same thing as you, but for Maestro the procedure is a little more involved. 

The upgrade to R82 is planned to be smoother, without all the sp_upgrade script stuff. I don't know if we will remove the requirement to avoid the JHF or if we will support blink images out of the gate though.

0 Kudos