Participant

41k R76SP.50 JHF 215 - update advice

Hi team,

I'm really familiar with all Check Point products, but one string is missing from my bow: working on 41k SP appliances. That will soon change, since I need to update a cluster that's running R76SP.50 JHF Take55 to the latest Jumbo.

Having had a look at the other threads in this SP forum, I'd like to gather everyone's experience, feedback and advice with regard to updating 41k to the latest Jumbo.

- best upgrade method (I've seen that sometimes updating the whole chassis doesn't work and leads to a boot loop)

- the technical test to run / specific log files

- which rollback worked best for you?

- eventually, the command that saved your life

I need to tell you that I've been through the "60000/40000 Security Platforms R76SP.50 Upgrade Guide" so I'm really looking for real-life experience & feedback.

Hoping this thread will help everyone here,

Best regards

Pierre

4 Replies
Employee++

How many SGM & SSM are present in each chassis and is this deployment using VSX?

Version wise are we OS build 84 or something else?

Participant

Hi Chris,

The chassis have 2 SGM and is running VSLS.

I have seen in some topics in CheckMates that sometimes the chassis remains in a boot loop. And the solution was to install the JHF on all SGMs instead of the chassis. Is this an identified behaviour?

Do you have any recommendations regarding the checks to run before, during and after the installation?

 

I was thinking of the following : 

  • asg diag verify
  • asg monitor -all
  • asg policy verify -a [-vs all]
  • asg_route -a
  • asg stat -v

 

Best regards,

Employee++

Please check if sk155134 applies.

Participant

Hi Pierre,

I was participating in a few JHF upgrades with R76SP.50 (but no VSX or VSLS systems) on 61k and 64k.

Before the upgrade:
- asg diag verify (and save the output to compare with results afterwards)
- Also save the detailed output of asg diag verify (should be in /var/log/verifier_sum.xxxxx.txt)
- Snapshots on all SGMs (and save one snapshot externally)
- Basic network/application tests (depends on which services/blades are active on the 44k)
- Save a "show configuration"
- Check custom files like fwkern.conf


Upgrade:
For the upgrade we also used the "60000/40000 Security Platforms R76SP.50 Upgrade Guide", which was very helpful. I would also suggest doing it in the same way as it is mentioned there (for example, using the same directories where to put and extract the JHF).

We always installed the JHF from the active chassis to all SGMs on the standby chassis and afterwards the other way around, as is mentioned in the Upgrade Guide. Put the standby chassis to "down" state (not the SGMs) and so on. If you have trouble installing the JHF there are two parameters, "force" and "no_crs", which you can use, but better contact Check Point before using those. They could be useful if you have installed a private Hotfix before which is included in the new JHF, for example.

You should also verify if you need to upgrade the SSM and CMM. You should check the chassis ID on the CMM after an upgrade.
Having a serial connection to all of the modules is always a good thing. Sometimes you have to wait some time (like SGMs are rebooting twice or something like that). Don't worry if a module doesn't come up straight away, better wait another few minutes. Also it is recommended to do the CMM upgrades via serial console and physically removing and reinstalling the module. We also did it completely remotely, which was also working, but with more risk.


After the Upgrade:
- Afterwards you can do the same steps as I mentioned in "before the upgrade" and compare the results.
- If a test in asg diag verify fails, you can get a detailed view from asg diag list x from the specific failed test and so on.


Rollback:
- I only used snapshots, since it's the recommended way. I once tried it with Backups in a Lab environment but results were not good.
- You can get more information about this for example from sk84160 (which describes the RMA procedure for an SGM)

 

Best regards,
Johannes
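
The "save the output before, compare afterwards" advice in this thread, written as a small POSIX shell helper. This is an added example, not code from any poster or from Check Point; the file name `baseline.sh`, the labels and the directory layout are hypothetical, and it assumes the commands quoted above are run from the expert-mode shell.

```shell
#!/bin/sh
# Added example (not from the thread): before/after baseline for the checks
# the posters list. Intended for the expert-mode shell (assumption).
# One "label|command" per line; the commands are the ones quoted in the thread.
CHECKS='diag_verify|asg diag verify
monitor|asg monitor -all
policy|asg policy verify -a
route|asg_route -a
stat|asg stat -v'

# capture <dir>: run every check, keep its output and exit code.
capture() (
  dir=$1
  mkdir -p "$dir" || return 1
  printf '%s\n' "$CHECKS" | while IFS='|' read -r label cmd; do
    rc=0
    # $cmd is unquoted on purpose so it splits into command and arguments;
    # stdin comes from /dev/null so a check cannot swallow the CHECKS list.
    $cmd </dev/null >"$dir/$label.out" 2>&1 || rc=$?
    echo "$rc" >"$dir/$label.rc"
  done
)

# compare <before_dir> <after_dir>: print "CHANGED <label>" for every check
# whose output or exit code differs and leave a unified diff beside it.
# Outputs may carry run-specific values (assumption), so a CHANGED line means
# "read the diff", not "the upgrade failed".
compare() (
  before=$1 after=$2
  printf '%s\n' "$CHECKS" | while IFS='|' read -r label cmd; do
    if cmp -s "$before/$label.out" "$after/$label.out" &&
       cmp -s "$before/$label.rc" "$after/$label.rc"; then
      continue
    fi
    echo "CHANGED $label"
    diff -u "$before/$label.out" "$after/$label.out" >"$after/$label.diff" 2>&1 || true
  done
)

# Usage: sh baseline.sh capture <dir> | sh baseline.sh compare <before> <after>
case "${1:-}" in
  capture) capture "$2" ;;
  compare) compare "$2" "$3" ;;
esac
```

Keep the "before" directory off the appliance as well, alongside the external snapshot copy, so it survives a rollback.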