This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Daniel_
Contributor
‎2019-08-22 09:32 PM

Standalone upgrade to R80.20

Hi There,

 

Just trying to get some thoughts about upgrading a standalone cluster in load sharing mode from R77.30 to R80.20 with minimal downtime.

 

We’re fully aware that load sharing is not supported on R80.20 and we need to go to HA mode, also standalone isn’t recommended, though these firewalls are used purely for remote access and they’re on the road map to be replaced in less than a year.

 

We’re planning it as below:

 

  • Already checked the hardware compatibility and we’re upgrading the firewalls (pair of 4600's) memory to 8GB
  • Copy R80.20 upgrade tools , run a pre upgrade verifier and then do a migrate export –on primary gateway- scp’g it out
  • Copy Gaia configuration
  • Take member 1 (M1) offline
  • Fresh install R80.20, followed by migrate import and latest HFA (based on few experiences, fresh install is still better than using CPUSE), then copy the GAIA config, install the policy (after changing the clusterXL mode and the version, etc.)

 

Here we’re not 100% how to proceed as we’re not sure the 2 members will sync, but we’re thinking of

  • Connect M1 back to the network
  • Hope that the 2 members will sync (keep an eye on HA status), though we’re not sure as we changed the clustexl mode
  • In case it’s sync’d, cpstop on M2
  • Take M2 off the network, fresh install (making it as secondary) and then put it back online

 

 

Have anyone came across this scenario, any input/thoughts are much appreciated

 

Cheers,

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-08-25 06:30 PM

You might just wait for the JHF that includes ClusterXL Load Sharing in R80.30 (without VPN) and upgrade to that instead.
0 Kudos
_Daniel_
Contributor
‎2019-08-25 06:36 PM
In response to PhoneBoy

Thanks Dameon,
Not sure if it's worth waiting, as I mentioned these gateway are purely used for remote access (VPN), and they're already on the decommissioning path.

Any thoughts about the upgrade plan?
0 Kudos
PhoneBoy
Admin
Admin
‎2019-08-25 08:11 PM
In response to _Daniel_

This is actually covered in the upgrade guide.
Specifically the section on "Upgrading a Full High Availability Cluster": https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Installation_and_Upgrade_...

My understanding is that Full HA (as we refer to it) is only HA, not load sharing.
If you're using Load Sharing now, you definitely need to change it to HA mode before upgrading to R80.20.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top