This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
emichalitsis
Explorer
‎2021-02-28 11:49 PM

Change Gateway in a cluster from ready state to active

Hi to all,

 

I would like to ask you something regarding the upgrade process of a Cluster Gateways from R80.10 to R80.40.

 

I upgraded a Checkpoint 5400 from R80.10 to R80.40. The steps that i followed was:

 

1. I switched the traffic from primary to secondary

2. I upgraded the Primary gateway from R80.10 to R80.40 (clean install)

3. I migrated import the Primary gateway

4. When everything was ok on the Primary gateway and with R80.40 version i switched the traffic to Primary gateway. The procedure was to close all the interfaces from Secondary gateway (with R80.10 version) and to open all the interfaces to Primary gateway (with R80.40)

5. One note: Before the upgrade, the Secondary gateway has higher priority than Primary and i had choose to switch to higher priority in the SmartConsole.

6. From a mistake i plugged in the mgmt interface on the Secondary gateway and because of higher priority it becomed again active and the Primary gateway change his state to "ready"!

7. After that, every time i tried to pass the traffic to R80.40 Primary gateway was unsuccess, because of the "ready" state. So i was unable to switch the traffic to Primary Gateway in order to upgrade the Secondary Gateway to R80.40 without downtime!

 

I hope to explain the problem fine. So, my question is: Is there a way to change the "ready" state to "active(!)" without  reinstalling the primary gateway to R80.40? Because i can't have large downtime window in order to upgrade the Secondary Gateway to R80.40 and after that Primary Gateway take over.

 

Regards

 

0 Kudos
8 Replies
MartinTzvetanov
Advisor
‎2021-03-01 11:56 PM

Hello, no matter what the priority is set on SmartConsole, if you have 2 gateways with different version/cores, the active one is always the one with lowest version/lowest number of cores. In your case you have 2 GWs 1st R80.40 and 2nd R80.10, R80.10 will be always the active one, R80.40 will show itself as ready. When you shut all the network ports on R80.10, the device with R80.40 will see that there is no active device and will become active. This cause a minimal downtime - all connections are cut and must be reinitiate. You don't have to reinstall your device with R80.40. Just make sure both devices are in a cluster (Active/Ready in your case) and have the same policy installed, shut all the ports on the R80.10 device and the traffic must pass thru R80.40 and after everything is OK, upgrade the R80.10 device.

emichalitsis
Explorer
‎2021-03-02 12:33 AM
In response to MartinTzvetanov

Martin thank you for your answer, it was very clear!

 

Regards

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-03-02 01:47 AM
In response to emichalitsis

This is covered on a step-by-step basis in Installation and Upgrade Guide R80.40 p.194ff - also the Multi-Version Cluster (MVC) Upgrade that i would suggest as appropriate in your case...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
emichalitsis
Explorer
‎2021-03-02 02:03 AM
In response to G_W_Albrecht

G_W_Albrecht thank you!

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2021-03-08 08:05 AM
In response to emichalitsis

I've used MVC when upgrade VSX i.e. R80.20 to R80.40 and found this to work fine, clearly you still need to change the cluster object to R80.40 in order for a policy be to pushed to the R80.40 gateway.

0 Kudos
Scott_Paisley
Advisor
‎2021-03-08 08:09 AM
In response to MartinTzvetanov

This is how I have been doing it. I upgrade (clean install in fact) the secondary, change the policy to R80.40 in the management console and push to that gateway. Then I do a cpstop on the primary forcing the failover. If everything works I upgrade the primary and when I install the policy it fails back. If not I can restart the primary and restore the secondary from the snapshot.

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2021-03-08 09:53 AM
In response to Scott_Paisley

Agree, I think with R80.40 its best to do a clean install, one key point, do benchmark service testing before an upgrade,  that way you won't get the scope creepers coming out the wood work saying things are not working.

0 Kudos
Scott_Paisley
Advisor
‎2021-03-08 09:55 AM
In response to genisis__

Absolutely on the testing. we have calls before and after with all the app owners

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events