wbberry
Participant

1st timer - upgrade process - R81.10 to R82.10 cluster

Hello all .. 

Check Point newbie here, and it's been a while since I needed to post. Hope I get this posted properly ... 

We have an installation that consists of two 3000 appliances in a cluster configuration that we manage with SmartConsole. Everything is running R81.10 and has been very stable for quite a while. We are in the process of deploying four new 3920 SandBlast appliances in two new cluster configurations. These new appliances need R82.10. I am looking for documentation / guidance on upgrading all the existing stuff to support these new appliances so we can get them online. I have started nosing around for upgrade instructions but figured it may be simpler and easier to come here and ask. Can someone please point me in the right direction? Also, any guidance / advice would be appreciated since this is the first major undertaking I have had since we did the original install a long time ago. I am thinking this would be considered a major upgrade? 

Thanks in advance..... Brent 

0 Kudos

17 Replies
PhoneBoy
Admin

Yeah, this is considered a major upgrade.
Is this a Full HA cluster or is there a separate management appliance/VM?

0 Kudos
wbberry
Participant

Maybe I need to clarify a bit more. The new appliances are going to become HA pairs at two additional locations, separate from the HA pair that I have today. The existing infrastructure is running the R81.10 flavor and it seems the new appliances need the R82.10 flavor. 

0 Kudos
Bob_Zimmerman
MVP Gold

Check Point's product has three major parts (at least for this context):

  1. The firewall or "enforcement point"
  2. The management server
  3. SmartConsole (the Windows application; the system running it is sometimes called the management console)

The management server and the firewall can run on separate systems (called a distributed deployment) or they can run together on a single system (called a standalone deployment).

When you launch SmartConsole, it has to connect to something. The thing it connects to is the management server. Is that an IP which belongs to your existing cluster? Does it belong to some other system?

In a standalone deployment, the firewall, management, and SmartConsole must all be upgraded together.

In a distributed deployment, the management server and SmartConsole must be upgraded together, but the firewalls don't need to be upgraded right away.

To manage R82.10, you need your management to run R82 or R82.10. Those versions can both manage R81.10 firewalls, though R81.10 is already end of support. Once you have your management upgraded, you should also plan to upgrade your firewalls.

0 Kudos
wbberry
Participant

My management server sits here at Corporate with the 172.16.4.37 IP address (mem-fwmgmt). That is the IP address I use when starting SmartConsole. I then have 192.168.38.50 as the cluster IP, with 192.168.38.51 and 192.168.38.52 for the individual appliances. So you are saying I can upgrade the mgmt here to R82 independently of the existing cluster and be able to create and manage new clusters at the R82 level? 

0 Kudos
Bob_Zimmerman
MVP Gold

Yes. You can upgrade just your management for now.

Is your management server a physical box, or a VM of some kind? If it's physical, you can take a Gaia-level snapshot, but I would also take a migrate_export just in case you need to rebuild if the upgrade fails. If it's a VM, you should be able to shut it down, take a VM-level snapshot, then roll back to that if the upgrade goes badly.

Management servers are licensed based on the number of gateways they are allowed to manage. Check to confirm you have enough slots for the new cluster. A traditional cluster consumes one license slot per member, whereas an ElasticXL cluster consumes one slot for the whole cluster instead.

0 Kudos
wbberry
Participant

My management server is a VM, on ESX I think it is. I can get with the server group to assist with that. 

We currently have a 5-count license but acquired a 25-count license as part of the appliance purchase. I am awaiting license information to complete this step as well. 

Thanks .... 

0 Kudos
Bob_Zimmerman
MVP Gold

Cool. I would probably try to break this into four changes total:

  1. Upgrade the management server, but don't change anything else about it. Test to be sure R82 jumbo ≥44 or R82.10 work for you.
  2. Install the new management license and remove the old one. Make sure you can still push policy, and so on.
  3. Build the new cluster. See if your sales team can show you ElasticXL. It's a new cluster mode in R82 which prevents a lot of basic problems people have. It's difficult to switch between older cluster modes and ElasticXL, so this is the ideal time to decide whether to use it or not.
  4. Upgrade your existing cluster from R81.10 to R82 or R82.10.

Each of these is pretty simple, and easy to undo if something goes wrong.

the_rock
MVP Platinum

Those steps make sense, Bob.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

Hey Brent,

I will give you the method I have used many times with people; it has never failed me and seems to work really well. Obviously, you need to make sure to match everything to the right interfaces on the new appliances.

Steps I use:

1) Get show config from the existing firewalls (file name can be anything)... from expert mode -> clish -c "show configuration" > /var/log/hostname-date.txt

2) Once you get them off the boxes, go through the config and compare with interfaces on the new firewalls

3) Go through 1st time wizard on new devices, apply eval licences (for the time being) 

4) upgrade management server to R82.10 (if possible, or have it at least on R82 latest jumbo)

5) copy bits and pieces from the existing show config files into the clish of the new firewalls, just make sure to map the proper interfaces, so you can do a file compare later

6) do NOT do load config from clish, as that would load the config even if it's wrong, though it would error out, unless you did set clienv on-failure continue, which I do not recommend

7) Once you verify the config, you are ready for the cutover

8) use below post to do this when time comes

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

9) MAKE SURE that the sync interface speed/duplex match, as that's super important for clustering to come up

10) Be proud of GREAT job you did! 🙂

Hope that helps.

Be free to send me a DM if you need further clarification or reply here, either way.

Best,
Andy
0 Kudos
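An added helper for steps 2, 5 and 9 above (my example, not Andy's or Check Point's own tooling): it compares the "set interface" lines of two saved "show configuration" dumps and checks that the sync interface's link-speed agrees, so mismatches show up before anything is pasted into clish. The two dumps are constructed sample data in Gaia clish syntax; the interface names and values are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: compare the "set interface" lines of two saved
# "show configuration" dumps so the new gateway's interfaces can be checked against
# the old one's before anything is pasted into clish.

# Constructed sample dumps standing in for the /var/log/hostname-date.txt files.
OLD_CFG=$(mktemp); NEW_CFG=$(mktemp)
trap 'rm -f "$OLD_CFG" "$NEW_CFG"' EXIT
cat > "$OLD_CFG" <<'EOF'
set hostname fw1-old
set interface eth1 state on
set interface eth1 ipv4-address 192.168.38.51 mask-length 24
set interface eth2 state on
set interface eth2 link-speed 1000M/full
set interface eth2 ipv4-address 10.10.10.1 mask-length 24
set interface eth2 comments "Sync"
EOF
cat > "$NEW_CFG" <<'EOF'
set hostname fw1-new
set interface eth2 comments "Sync"
set interface eth2 ipv4-address 10.10.10.1 mask-length 24
set interface eth2 link-speed auto
set interface eth2 state on
set interface eth1 ipv4-address 192.168.38.51 mask-length 24
set interface eth1 state on
EOF

# Only the interface lines, sorted, so ordering and non-interface settings are ignored.
interface_lines() { grep '^set interface ' "$1" | sort; }

# Print interface lines that differ between two dumps ("<" old, ">" new); empty output means they match.
interface_diff() {
    a=$(mktemp); b=$(mktemp)
    interface_lines "$1" > "$a"; interface_lines "$2" > "$b"
    diff "$a" "$b" | grep '^[<>]' || true
    rm -f "$a" "$b"
}

# Configured link-speed of one interface, or "unset" if the dump carries no such line.
link_speed() {
    v=$(grep "^set interface $2 link-speed " "$1" | awk '{print $5}')
    echo "${v:-unset}"
}

# Step 9 check: succeed only when both dumps set the same speed/duplex on the sync interface.
sync_speed_matches() { [ "$(link_speed "$1" "$3")" = "$(link_speed "$2" "$3")" ]; }

echo "Interface differences (old < / new >):"
interface_diff "$OLD_CFG" "$NEW_CFG"
sync_speed_matches "$OLD_CFG" "$NEW_CFG" eth2 || echo "WARNING: sync link-speed differs on eth2"
```

Run it against your own two dumps by replacing the heredocs with the real file paths; an empty diff and no warning is what you want before the cutover.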
the_rock
MVP Platinum

Forgot to mention, definitely do take backups and snapshots too before doing anything.

Best,
Andy
0 Kudos
wbberry
Participant

I am making several backups, taking screenshots and doing anything else I can in case things go south. 

0 Kudos
wbberry
Participant

I am not replacing the existing hardware; I just need to upgrade the existing implementation to be able to add the new hardware to SmartConsole. 

0 Kudos
the_rock
MVP Platinum

Ok, so then the replace post I referenced would not apply to you, if it's a brand new cluster.

Best,
Andy
0 Kudos
wbberry
Participant

I tried to take a screenshot and paste it into the conversation but it would not let me. I am awaiting a call back from my SE to see if he has a little free time to work with me. 

0 Kudos
the_rock
MVP Platinum

Can you attach it?

Best,
Andy
0 Kudos
wbberry
Participant

That work? 

0 Kudos
the_rock
MVP Platinum

Will review soon.

Best,
Andy
0 Kudos