This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
artem_kruhlyi
Contributor
‎2021-07-15 06:00 AM

VSX upgrade

Hi all,

 

We're planning to upgrade our VSX Cluster deployed on Open Server. Currently, it uses R80.30. In February, when we had an open case to TAC, they suggested to use R80.40 for clean install.

What is the situation now?

Maybe something has been changed since that and we should take a look at R81?

Has somebody got an experience in updating Open Server based VSX clusters to R81 and can share feedback?

 

Thank you in advance! 

0 Kudos
14 Replies
the_rock
MVP Gold
MVP Gold
‎2021-07-15 08:02 AM

Personally, I had never done this, but saw a forum online where someone upgraded to R81 and no issues, but it is just one customer though.

artem_kruhlyi
Contributor
‎2021-07-16 04:28 AM
In response to the_rock

Hi!

Thanks for your reply!

I'll add one more R81 case to my statistics.

However, it would be nice to hear something from Check Point people.

RamGuy239
MVP Silver
MVP Silver
‎2021-07-15 08:18 AM

R80.40 is still the widely recommended and default version. I've done a ton of R81 upgrades, on pretty much all kinds of installations besides Scalable Platform / Maestro. My experience so far is that almost all issues I've had with R81 have also existed on R80.40. They are mostly related to 3.10 kernel that becomes the default for gateway installations with R80.40. If you look through the jumbo hotfix changelog for both R80.40 and R81 you'll notice how the same fixes are often released to both versions almost at the same time.

R81 have had some unique issues of its own. Most are related to the accelerated policy installation which is not available for R80.40. At this point, I would be tempted to recommend going with R81.10 over R81. R81.10 already contains all the fixes from R81 Take 34 and so far my experience with R81.10 GA is quite limited but it's been very good.

One thing to remember with R81.10 for VSX is how HA clustering is no longer a thing. On R81.10 it's all going to be VSLS so if you are not running VSLS already this might be something to keep in mind.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
artem_kruhlyi
Contributor
‎2021-07-16 04:44 AM
In response to RamGuy239

Hi @RamGuy239 ,

Yes, I know that R80.40 is still main release. However, as you said, R81.10 has been released. So I thought that R81 could be considered as a stable enough to use on VSX.

Actually, your point regarding R81.10 us really interesting. I have to think about it. R81.10 is a newborn and we always avoid using new releases but maybe it would be a good advice in this case. VSLS is not a problem in our case because we have already been using it for some time. We have to do Clean Install of VSX Cluster because we got some issue with ClusterXL at VS0 after upgrading from R77.30 to R80.30 and TAC wasn't able to fix that.

It would be nice to hear something from Check Point people about using R81 and R81.10 for upgrading VSX based on Open Servers.

genisis__
MVP Silver
MVP Silver
‎2021-07-16 02:53 PM
In response to artem_kruhlyi

I've done VSX upgrade (ok clean install), from R80.30 to R80.40, in my options (and I'm pretty sure TAC will say the same thing), rebuild your VSX cluster using a clean install.

It sounds pretty bad to do this, but actually its not, the main thing is ensuring all your OS level configuration is the same, then its a simply case of vsx_util reconfigure which then converts the gateway to VSX.

The big reasons to do a clean installation are kernel 3.10 and also xfs filesystem (more relevant to Management the gateway though).

- Ensure you do a snapshot of the manager and gateway before hand, and store the snapshot from the gateway offline.

- Ensure you save the GAIA config from the gateway  and store this offline.

- Ensure you raise a pro-active case with TAC, ensure you run into issue.

- If your install R80.40 ensure you install the latest GA Jumbo (don't install anything less then Jumbo T102 (Latest is T118 at the moment).

 

Now should you go to R81.10...hmmm technically this may not be a bad option, but with VSX I would prefer to wait for a few jumbos to be released.  If you have the luxury of a  test system then worth a go.

I've already attempted to install JHFA34 onto a R81 manager and found and issue, and rolled back to JHFA29.   

Commercially - R80.40 is currently the 'recommended' release by Checkpoint, and  your managers may question why you are installing something that is not the recommended release.

RamGuy239
MVP Silver
MVP Silver
‎2021-07-17 09:19 AM
In response to genisis__

With VSX there is no real harm in doing a clean install as the management server is holding the configuration. With that said, you will still get 3.10 kernel with in-place upgrade. But you won't get XFS but you need to remember that from R80.40 and on-wards the cpuse upgrade packages is a blink package in disguise. One major downside with this is how "clean install" using the cpuse package will not re-format your hard drive. The only way to ensure that you get XFS on your gateway is to use the ISO and isomorphic tool and do a complete install using USB.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
genisis__
MVP Silver
MVP Silver
‎2021-07-17 09:24 AM
In response to RamGuy239

correct, we used USB installation method.

artem_kruhlyi
Contributor
‎2021-07-19 04:41 AM
In response to genisis__

Hi all,

Thanks for your replies!

Unfortunately, USB install is not our way. Our VSX Cluster is located thousand miles away and it's really hard to organize onsite support. So I guess we'll do the clean install via CPUSE.

All your answers have been adding more and more points to the opinion that it's too early to use R81 for VSX.

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2021-07-19 05:24 AM
In response to artem_kruhlyi

Do you have out of band access to the system? If not  you could lose your connection to the appliance and then you will be in trouble.

What appliances do you have? 

What version of LOM firmware are you running?

Do you have a test system you can attempt this on first?

 

0 Kudos
artem_kruhlyi
Contributor
‎2021-07-19 05:46 AM
In response to genisis__

Hi @genisis__ ,

@genisis__ wrote:

Do you have out of band access to the system? If not  you could lose your connection to the appliance and then you will be in trouble.

Yes, we have.  This is a kind of indisputable prerequisite.

What appliances do you have? 

There are no appliances. We're using Open Server installed on HP ProLiant DL380 Gen9 servers.

What version of LOM firmware are you running?

Do you have a test system you can attempt this on first?

Unfortunately, nope.

 

 

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2021-07-19 05:50 AM
In response to artem_kruhlyi

Ok 

Do the open servers have iLO cards?  I've found with Dell Open Servers, which have iDRAC cards the standard ISO build works fine.

If you do have iLO cards, have you ensured there running the latest firmware?

0 Kudos
artem_kruhlyi
Contributor
‎2021-07-19 06:56 AM
In response to genisis__

Yes, HP ProLiant has iLO card. However, the firmware is pretty old and we have to use java-based console. As far as I remember, there were some bugs when it comes to using ISO images. We can't update iLO firmware.

Anyway, big thanks for your time! I'll check how to use ISO image in our case.

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2021-07-19 07:08 AM
In response to artem_kruhlyi

cool - and I know what you mean about the Java version, it supports a really old version, but HP may have a firmware update for it, worth checking, if you have not done so already.

artem_kruhlyi
Contributor
‎2021-07-19 05:39 AM
In response to genisis__

Hi @genisis__ ,

Big thanks for your recommendations, especially, for raising proactive TAC case. During previous upgrade, it took a long while to get TAC help after facing an issue. We'll definitely raise TAC case ahead of the upgrade.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events