Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
bcrecords
Explorer

Procedure for installing jumbo hotfix T87

Hi everyone

 

This may be a basic question but I was hoping somebody could verify that my plan was correct. I've had a case with TAC who advise me to resolve the issue we're seeing, I should install JHF Take 87 (see attached) to our Checkpoint cluster. Both firewalls in the cluster are running R81.10. I've downloaded the files already, ready for install and plan to install over the weekend.

 

Here's my plan

  • Install on standby member
  • Reboot
  • Install on active member 
  • Reboot
  • Check correct firewall is active

 

I need assistance with the failover steps if possible. Also, I want to ensure both firewalls are in sync once done. I was planning on installing from the GAIA but more than happy to use CLI for checking failover status, etc.

 

Is there anything I'm missing?

 

Thank you

 

 

0 Kudos
11 Replies
Gregory_Azratz
Employee
Employee

Hi @bcrecords,

Just as FYI - Inside R81.10 SMC you have the option to deploy jumbos/major images on different Security Gateways and Clusters,
This method will take care of the failover, validation of the jumbo installation as well as the overall final status of the cluster.
you can find more information here - LINK

 

If you prefer more command line approach / more options during the installation flow- you can check the Central Deployment Tool -  CDT

 

Thanks,

Gregory

(1)
Wolfgang
Authority
Authority

With R81.10 the installation of jumbohotfixes or new versions from Smartconsole is a great valuable  and nice working enhancement. The last 20 years I already used the command line tools and later with CDT but I‘m happy now with these nice feature. You can verify the installation and then start. Get a coffee or tea, sit down, relaxe and let the systems do their work.

 

D_W
Advisor

Quick question:

how do I have to use the gateway update Feature via SmartConsole when I want to Upgrade from R80.40 to R81.10 incl. recommended JHF?!

0 Kudos
Wolfgang
Authority
Authority

@D_W  same way, instead choosing "Install Hotfix/Jumbo"  use "Version Upgrade" and use blink image with included hotfix for the new version.

2023-04-03.png

0 Kudos
D_W
Advisor

thx 🙂 ok i see - was already aware of this menu point - now where do I get the correct file name?
I copied the file name  from https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10/R81.10/R81.10_Downloads.htm but didn't work.
image.png

 
To be honest when you try these steps via the official r81.10 documentation you're pretty lost 😉

0 Kudos
D_W
Advisor

@Wolfgang NOW with upper case "B" in the string, the file can be found 😤 !!
We tried it with lower case because that's how it is mentioned at the official download site.image.png

 

image.png

Case closed.

 

Cheers,
David

0 Kudos
the_rock
Legend
Legend

Good point there...I never really noticed that in older versions, but I guess it matters now 🙂

0 Kudos
Bob_Zimmerman
Mentor
Mentor

Yeah, this case difference can lead to some incredibly annoying failures. For a recent update, I had uploaded a version of a package to the management server which started with a lowercase letter. Trying to save some time in the implementation window, I also downloaded the package in CPUSE on the active cluster member. The standby member couldn't talk to the Internet, so I copied the package from the active member's /var/log/CPda/repository and imported it on the standby. I didn't notice this at the time, but the package downloaded on the active and copied to the standby started with an uppercase letter.

When I started the update with CDT in SmartConsole, it pushed the file from the management to the standby and imported it. CPUSE on the standby apparently looks for the package in a case-sensitive way, so didn't recognize that it already had a copy. Both were imported to the same directory in /var/log/CPda/repository, since Linux filesystems are case-sensitive.

The update then failed to install since there were "other files" in the CPUSE repository directory for the package.

SmartConsole reported total success. I realized the member updated WAY too quickly, so I looked at the command line which confirmed the update had not been installed.

Installing updates through SmartConsole works really well as long as you use one consistent source for the packages you're going to install. Either download the package and import that exact package to SmartConsole's repository and to the firewalls, or leave SmartConsole's repository empty and have the firewalls download the package on their own. I favor the former.

0 Kudos
genisis__
Leader Leader
Leader

See below:
- Snapshot system
- Uninstall old jumbo (I don't think you need to do this, but I do it)
- Install on standby member (This will reboot as part of the process)
- Failover and test services
- Snapshot system
- Uninstall old jumbo
- Install on active member (This will reboot as part of the process)
- Fail back
- Test services

0 Kudos
(1)
bcrecords
Explorer

Thanks so much for your replies, it was very helpful.

For the failover step, would you suggest this done from the GAIA interface or CLI? If CLI, I suspect it would be the 'admin down' and 'admin up' commands (I know there's something before admin but can't remember off the top of my head 🙂 ) Is that right?

0 Kudos
genisis__
Leader Leader
Leader

To be honest makes no difference, I personally do it from CLI.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events