This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
RS_Daniel
Advisor
‎2024-05-24 03:57 PM
Jump to solution

Upgrading Maestro R81.20 Zero Downtime

Hi ChackMates,

I will be upgrading a maestro security group from R81.10 to R81.20 soon (3 X 6200 appliances). We have a  bond configured on Uplinks interfaces in 802.ad mode, and according to Maestro admin Guide we cannot use Zero Downtime method (MVC).

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Maestro_AdminGuide/Content/T...

So i think we only have the option Minimun Downtime. I understand we well have a small services outage as the SG members will not be synced, and the cluster failover we'll cause al current connections to be lost and need to be stablished again, is this correct?

So at this moment is not possible to upgrade from R81.10 to R81.20 on maestro without any services outage? It is very importan in many scenarios.

I been thinking to disable statefull inspection temporaly during upgrade. Wanted to ask if someone has any tip so we have zero or almost zero downtime with any other action we can take before/during the upgrade. Thanks in advance.

Regards

0 Kudos
2 Solutions

Accepted Solutions
JozkoMrkvicka
Authority
Authority
‎2024-05-24 10:54 PM
Jump to solution

In the Admin guide it is mentioned that MVC upgrade from R81 to R81.20 while LACP bonds are used is not possible.

If you are running R81.10 (NOT R81), I suspect this limitation is not relevant and you can use MVC while LACP bonds are used. But I can also imagine that Check Point did not update this statement and it is still valid even for R81.10. R81 is major release while R81.10 and R81.20 are marked as minor releases.

The sk178045 has some workarounds for this limitation.

In any case, I would ask TAC if this limitation applies while original version is R81.10, or only R81.

Kind regards,
Jozko Mrkvicka

View solution in original post

emmap
Employee
Employee
‎2024-05-26 07:21 PM
In response to JozkoMrkvicka
Jump to solution

The limitation only applies to R81, R81.10 is fine. You can do Zero Downtime in this scenario. Don't disable stateful inspection, there's no need to. Just follow the instructions and you'll be fine.

View solution in original post

3 Replies
JozkoMrkvicka
Authority
Authority
‎2024-05-24 10:54 PM
Jump to solution

In the Admin guide it is mentioned that MVC upgrade from R81 to R81.20 while LACP bonds are used is not possible.

If you are running R81.10 (NOT R81), I suspect this limitation is not relevant and you can use MVC while LACP bonds are used. But I can also imagine that Check Point did not update this statement and it is still valid even for R81.10. R81 is major release while R81.10 and R81.20 are marked as minor releases.

The sk178045 has some workarounds for this limitation.

In any case, I would ask TAC if this limitation applies while original version is R81.10, or only R81.

Kind regards,
Jozko Mrkvicka
emmap
Employee
Employee
‎2024-05-26 07:21 PM
In response to JozkoMrkvicka
Jump to solution

The limitation only applies to R81, R81.10 is fine. You can do Zero Downtime in this scenario. Don't disable stateful inspection, there's no need to. Just follow the instructions and you'll be fine.

RS_Daniel
Advisor
‎2024-05-30 06:07 PM
Jump to solution

Hi @emmap and @JozkoMrkvicka ,

It is clear now, thank you!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events
    li.common.scroll-to.top