Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
RS_Daniel
Advisor
Jump to solution

Upgrading Maestro R81.20 Zero Downtime

Hi ChackMates,

I will be upgrading a maestro security group from R81.10 to R81.20 soon (3 X 6200 appliances). We have a  bond configured on Uplinks interfaces in 802.ad mode, and according to Maestro admin Guide we cannot use Zero Downtime method (MVC).

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Maestro_AdminGuide/Content/T...

So i think we only have the option Minimun Downtime. I understand we well have a small services outage as the SG members will not be synced, and the cluster failover we'll cause al current connections to be lost and need to be stablished again, is this correct?

So at this moment is not possible to upgrade from R81.10 to R81.20 on maestro without any services outage? It is very importan in many scenarios.

I been thinking to disable statefull inspection temporaly during upgrade. Wanted to ask if someone has any tip so we have zero or almost zero downtime with any other action we can take before/during the upgrade. Thanks in advance.

Regards

0 Kudos
2 Solutions

Accepted Solutions
JozkoMrkvicka
Authority
Authority

In the Admin guide it is mentioned that MVC upgrade from R81 to R81.20 while LACP bonds are used is not possible.

If you are running R81.10 (NOT R81), I suspect this limitation is not relevant and you can use MVC while LACP bonds are used. But I can also imagine that Check Point did not update this statement and it is still valid even for R81.10. R81 is major release while R81.10 and R81.20 are marked as minor releases.

The sk178045 has some workarounds for this limitation.

In any case, I would ask TAC if this limitation applies while original version is R81.10, or only R81.

Kind regards,
Jozko Mrkvicka

View solution in original post

emmap
Employee
Employee

The limitation only applies to R81, R81.10 is fine. You can do Zero Downtime in this scenario. Don't disable stateful inspection, there's no need to. Just follow the instructions and you'll be fine.

View solution in original post

3 Replies
JozkoMrkvicka
Authority
Authority

In the Admin guide it is mentioned that MVC upgrade from R81 to R81.20 while LACP bonds are used is not possible.

If you are running R81.10 (NOT R81), I suspect this limitation is not relevant and you can use MVC while LACP bonds are used. But I can also imagine that Check Point did not update this statement and it is still valid even for R81.10. R81 is major release while R81.10 and R81.20 are marked as minor releases.

The sk178045 has some workarounds for this limitation.

In any case, I would ask TAC if this limitation applies while original version is R81.10, or only R81.

Kind regards,
Jozko Mrkvicka
emmap
Employee
Employee

The limitation only applies to R81, R81.10 is fine. You can do Zero Downtime in this scenario. Don't disable stateful inspection, there's no need to. Just follow the instructions and you'll be fine.

RS_Daniel
Advisor

Hi @emmap and @JozkoMrkvicka ,

It is clear now, thank you!

0 Kudos