This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
seanmc12
Contributor
‎2023-12-23 05:39 PM
Jump to solution

Upgrade CP Management/Log Server without disconnecting clients from the GWs

I am upgrading my FWs tomorrow. I am planning to upgrade the Management, then the log servers, then the Gateways. Someone told me at work that I can't upgrade the Mgmt server or log servers without disconnecting clients. Can anyone verify? I think I have upgraded the mgmt servers in the past without disconnecting users from the Gateways.

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2023-12-23 06:01 PM
Jump to solution

100% you can. Clients dont vpn into log or mgmt server, but the gateways.

Best,

Andy

Best,
Andy

View solution in original post

(1)
23 Replies
the_rock
MVP Gold
MVP Gold
‎2023-12-23 06:01 PM
Jump to solution

100% you can. Clients dont vpn into log or mgmt server, but the gateways.

Best,

Andy

Best,
Andy
(1)
seanmc12
Contributor
‎2023-12-23 06:06 PM
In response to the_rock
Jump to solution

That is exactly what I thought....but, I was talking to their their tech support about something else...on chat... and the tech told me to call in to verify because clients WILL get disconnected from the security gateway if I upgrade the management server. So frustrating. So...now I'm calling in to verify that it won't impact clients.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-23 06:14 PM
In response to seanmc12
Jump to solution

Not sure why he would tell you that. In 16 years dealing with CP I must have done 100+ upgrades, at least, NEVER had an issue where upgrading mgmt server would have caused this problem.

Best,

Andy

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-12-23 06:10 PM
Jump to solution

SmartConsole users will need to be disconnected from Mgmt prior. Which type of clients do you have connecting?

Note you can temporarily disable CRL checks if the Management is planned to be offline for an extended period.

CCSM R77/R80/ELITE
0 Kudos
seanmc12
Contributor
‎2023-12-23 06:13 PM
In response to Chris_Atkinson
Jump to solution

The only clients connecting are those connecting via VPN to the Gateways. I'm thinking their Chat Tech is giving me the wrong info. I should be able to upgrade the Mgmt and Log servers without effecting User client connections to the GWs

the_rock
MVP Gold
MVP Gold
‎2023-12-23 06:15 PM
In response to seanmc12
Jump to solution

100% he is giving you the WRONG info

Best,

Andy

Best,
Andy
0 Kudos
seanmc12
Contributor
‎2023-12-23 06:18 PM
In response to the_rock
Jump to solution

Thanks man. Lots of boxes to check on this and the right info is pretty key. Happy Holidays to .

the_rock
MVP Gold
MVP Gold
‎2023-12-23 06:25 PM
In response to seanmc12
Jump to solution

Here comes my corny joke, last time for 2023 lol

For you mate, no charge...EXCEPT Iphone charge. You dont need to laugh -:)

Best,

Andy

Best,
Andy
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2023-12-24 04:34 AM
Jump to solution

In case you will upgrade management: Clients will be disconnected from MANAGEMENT ONLY, NOT from the gateways.

In case you will upgrade gateways: depending on gateway's current version, it might be possible that clients will be disconnected from upgraded GATEWAY. If management is connected behind same affected gateway, then also clients from management will be disconnected.

Please double-check drawings/topology what is in place to avoid surpises. Proper and up-to-date documentation is a key 😉

Kind regards,
Jozko Mrkvicka
the_rock
MVP Gold
MVP Gold
‎2023-12-24 04:40 AM
In response to JozkoMrkvicka
Jump to solution

All valid points @JozkoMrkvicka 

Best,

Andy

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-12-24 04:45 AM
In response to the_rock
Jump to solution

Note the MVC failover limitations:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

CCSM R77/R80/ELITE
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-12-24 08:35 AM
Jump to solution

Not only that it won't disconnect (users, if admins have a session open to a server that is going upgrade naturally it will be disconnected ongoing session), if you have more than 1 log server you can totally avoid local logging on GW.

Kind regards, Amir Senn
JozkoMrkvicka
Authority
Authority
‎2023-12-24 11:08 PM
In response to Amir_Senn
Jump to solution

your statement about local logging in not correct. If one of configured log server is down, gateway starts to log locally even second log server is up and logs are sending there.

Kind regards,
Jozko Mrkvicka
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-12-24 11:16 PM
In response to JozkoMrkvicka
Jump to solution

If you used the "Distribute Logs" check box in the log servers configuration page on the gateway / cluster editor, the logs will simply be sent to the available log server when one goes down, without logging locally.

This is a feature from R81 and very useful for better load handling of logs, and log resiliency.

the_rock
MVP Gold
MVP Gold
‎2023-12-25 04:20 AM
In response to Tomer_Noy
Jump to solution

100% true, had customer scenario as such recently.

Best,

Andy

Best,
Andy
0 Kudos
Lloyd_Braun
Advisor
‎2023-12-26 06:21 AM
In response to JozkoMrkvicka
Jump to solution

That is very interesting. That SK says it is "expected behavior" and they are going to change it in the future but it seems more like a bug to me. Certainly not what I would expect/not intuitive that it would behave that way.

JozkoMrkvicka
Authority
Authority
‎2023-12-26 01:04 PM
In response to Lloyd_Braun
Jump to solution

My assumption is that they "fixed" it by the "Dynamic log distribution" feature which Tomer mentioned above, but forgot to update SK.

Kind regards,
Jozko Mrkvicka
(1)
the_rock
MVP Gold
MVP Gold
‎2023-12-26 08:02 PM
In response to JozkoMrkvicka
Jump to solution

That makes total sense @JozkoMrkvicka 

Best,

Andy

Best,
Andy
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-01-03 01:06 AM
In response to JozkoMrkvicka
Jump to solution

The relevant article about local logging has been updated 🙂 Now it is crystal clear when the gateway starts to log locally.

Without Dynamic Log Distribution, when the Primary Log Server is down, the Backup Server works with ...

Kind regards,
Jozko Mrkvicka
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-12-28 05:10 AM
In response to Lloyd_Braun
Jump to solution

aee681fb-b418-408a-b35f-dfd789e7db2a_text.gif

Kind regards, Amir Senn
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-28 09:34 AM
In response to Amir_Senn
Jump to solution

@Amir_Senn 🤣🤣🤣🤣

Best,
Andy
0 Kudos
Lloyd_Braun
Advisor
‎2023-12-28 10:16 AM
In response to Amir_Senn
Jump to solution

serenity now!! 😆😆

the_rock
MVP Gold
MVP Gold
‎2023-12-28 10:19 AM
In response to Lloyd_Braun
Jump to solution

SerenityNowGIF.gif

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events