This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2024-07-05 02:50 AM

manager upgrade from r81.10 to r81.20

I am planning to upgrade the firewall manager from r81.10 to r81.20.

Cpuse doesn't list r81.20 though. I can see different  r81.10 hot fixes but I can see any r81.20 package. Why would it happen? 
I have another firewall manager vm in the lab running r81.10 and I can see the list of r81.20 packages in cpuse.

0 Kudos
42 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-07-12 08:27 AM
In response to Luis_Miguel_Mig

Again, a secondary management only becomes active if you log in to it with SmartConsole and explicitly tell it "The primary is dead. Become active." It's a four or five step process. As long as you don't do that, it will remain standby, and it will keep the data it had when it was last synchronized. Just don't go out of your way to intentionally tell both managements to become active, and this won't be a problem.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-07-12 08:35 AM
In response to Bob_Zimmerman

@Luis_Miguel_Mig 

To ad on top of what @Bob_Zimmerman said, because I see still so many people get confused about it, so I will stress this out, in case its not clear.

-primary server will ALWAYS be primary

-secondary will ALWAYS be secondary (unless rebuilt)

-either one can be active or standby, so primary can be either active or standby and secondary can be either active OR standby

Andy

0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-07-12 08:38 AM
In response to Bob_Zimmerman

It makes sense to make the secondary active before starting the process of upgrading the primary.
And it also makes sense to make the primary active after the upgrade for testing.
So it makes sense that management HA behaves like clusterXL in that sense (like Andy mentioned) to enforce that only one of them can be active at a given time.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-07-12 09:10 AM
In response to Luis_Miguel_Mig

You got it.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-07-12 11:00 AM
In response to Luis_Miguel_Mig

That doesn't make sense at all, no. A management upgrade only takes a few hours. Making the secondary active in that window is asking for trouble. Unless you have a really good reason (like if the upgrade fails and you decide to roll back), you absolutely should not make a secondary management active while upgrading the primary.

What goal are you trying to accomplish by making the secondary management active before you start upgrading the primary?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-07-12 11:15 AM
In response to Bob_Zimmerman

Well, it can work sort of like clusterxl upgrade. If you leave status as is, its fine, but I know people who flip back and forth during the upgrade, thats fine too. I had done mgmt HA and clusterXL upgrades both ways, never had a problem.

Andy

0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-07-15 01:47 AM
In response to Bob_Zimmerman

I think it make sense to get secondary active a few days before running the firewall manager upgrade. It is just good practice in general, you isolate the device were you are making changes and you test than the secondary is good.

However that is why I am asking here. If management HA doesn't handle well two managers running two major version and this operation is considered risky I will for sure make sure than the secondary is not active when I perform this change.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-07-15 10:41 PM
In response to Luis_Miguel_Mig

Assuming the primary is currently active, the secondary will not go active unless you log into it and make it active - don't do this unless you have to roll back.

Take an export of the primary using the migrate_server command per the upgrade guide. 

(optional) Test the import of this file in fresh R81.20 VM

Rebuild the primary to a fresh install of R81.20

Install recommended JHF onto primary

Import DB into primary

Make sure it all works (SIC is good, policies install, you get logs, all that), for however long you want. HA will fail so nothing you change will sync to secondary. The secondary won't be affected by this failing so you don't have to do anything about it.

Then if it's all good, fresh install the secondary, install same JHF and re-SIC it to primary.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-12 12:32 PM
In response to Luis_Miguel_Mig

That sounds accurate to me.

0 Kudos
JP_Rex
Collaborator
Collaborator
‎2024-07-10 03:42 AM
In response to Luis_Miguel_Mig

The Problem with this update are the traffic logs.

How attached are you to these?

Regards

Peter

0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-07-10 04:53 AM
In response to JP_Rex

Not an issue, we export logs to ELK.


0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-08-13 09:24 AM
In response to Luis_Miguel_Mig

Thanks to everyone. I successfully upgraded both firewall managers to r81.20. Only facing a couple of small issues in r81.20 related with scheduled backup and pki authentication and summary revision changes (this last issue only in the secondary firewall manager) 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-13 09:50 AM
In response to Luis_Miguel_Mig

But otherwise is okay?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events