Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kaspars_Zibarts
Authority
Authority

vsx_util downgrade - tested and working?

Has anyone tried and tested downgrading version as it should be fully supported in R80.40. My lab is currently unavailable to check 😞

0 Kudos
15 Replies
Kaspars_Zibarts
Authority
Authority

Had to test myself last night, works like a charm!

 

image.png

 

_Val_
Admin
Admin

Lol, that list is too long for my taste 🙂

0 Kudos
Kaspars_Zibarts
Authority
Authority

that was the reason i posted it here hehe!

0 Kudos
_Val_
Admin
Admin

Yes, I am taking this to R&D for an internal discussion 🙂

 

0 Kudos
Bob_Zimmerman
Advisor

I don't know. It should definitely offer every version supported by the management server, even if that version is no longer supported by Check Point. It would be extremely bad if an upgrade from R77 to R80.40 went poorly, but vsx_util downgrade didn't let you revert the management-side configuration. "Restore to a backup", sure, but I can count on one hand the calls I got in five years in the TAC from people who had tested their backups before needing them.

0 Kudos
Kaspars_Zibarts
Authority
Authority

hehe, it has been a religion till now - MDS backup, VSX snapshot before every upgrade.. looks like MDS bit can be skipped now! Yay

0 Kudos
_Val_
Admin
Admin

@Kaspars_Zibarts Never ever skip MDS backups 🙂

@Bob_Zimmerman I understand the argument, but not sure if I can agree with that 100%. How many people are still running R76 VSX in production? It is always a matter of QA effort as well. Making sure all those combinations work takes time. 

0 Kudos
Bob_Zimmerman
Advisor

I know of at least one mid-to-large customer still running R67 in production.

As for QA, I guarantee the effort to test actually managing a given version will always be far, far higher than the effort to be sure vsx_util can write that version to the object. That's an argument for reducing backwards compatibility entirely, not for limiting the versions vsx_util can write.

0 Kudos
_Val_
Admin
Admin

@Bob_Zimmerman R67 or R76?

0 Kudos
_Val_
Admin
Admin

Regardless, it is very unlikely a customer will jump from R67/R76 VSX to R81 in a single operation. Also, support for R76 expired in February 2017. If that was my account, I would call them every day, urging to upgrade as soon as possible, for 5 years now.

0 Kudos
Bob_Zimmerman
Advisor

R67, as in the version before R68. And yes, they are aware that it went end-of-support in 2014. Due to the switch from gated to routed, GAiA-based VSX wasn't feature-complete until R80.30, I think. R77.30 was the last management version which could manage R67, so they definitely can't do a single-step upgrade.

I don't think any features were lost from R76 to any subsequent version. Still, it's far easier to test vsx_util writing a version to the object than it is to test actually managing that version.

0 Kudos
_Val_
Admin
Admin

>Due to the switch from gated to routed, GAiA-based VSX wasn't feature-complete until R80.30, I think

I beg your pardon???

0 Kudos
Bob_Zimmerman
Advisor

gated supported multiple OSPF instances with route maps to control route propagation between them. routed only supported one OSPF instance per VS until one of the R80-family firewall versions (like I said, I think it was R80.30, but not sure), quite some time after R67 went end-of-support. Some of their VSs had up to four OSPF instances, so there was no feature-complete successor version they could upgrade to, and R77.30 management doesn't have a public API to dump the data for import to an R80-family management for a fast rebuild. While upgrading is at least possible now, it will be multiple steps with an extremely long outage.

0 Kudos
Kaspars_Zibarts
Authority
Authority

we really don't. I just meant explicit manual backup before VSX upgrade. We still have regular nightly backups in place 🙂 so worst case we lose one days effort..

_Val_
Admin
Admin

@Kaspars_Zibarts that is what I like to hear 🙂

0 Kudos