Hi Team,
May I know the best way to upgrade the Firewall cluster without internet and running both Mgmt and Firewall on the same box? Standalone architecture.
Also, is there any downtime required? I have done multiple cluster upgrades but they are only firewalls and managed by a separate Mgmt server. Is it very similar to this or is there any difference? Do I need to worry about anything specific here?
Regards,
Sanjay S
Here you can find the correct upgrade instructions: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...
Have you already looked into the upgrade guide, specifically, into this chapter? If yes, which of your questions are still unclear?
If you did regular cluster upgrades, this is not that much different. So, you would follow this logic...ALWAYS upgrade whichever standalone fw portion is backup (mgmt part is not that important, as it does not process the traffic, so even if that one is active, it will become standby mgmt upon reboot), uncheck "do not install..." option when backup fw is upgraded to new version, once rebooted, then follow same process for current active standalone fw part.
Hope that helps.
Remember this, as some people get confused about it...when it comes to mgmt part, primary is ALWAYS primary and secondary is ALWAYS secondary, but either one can be active or standby, so secondary can be active or standby, that's fine.
Best,
Andy
Hi Andy,
I followed the steps above but the problem is when I upgraded the Standby firewall to R81.20, the Management was active on the old version firewall R80.40. So I was not able to push the policy on to the upgraded firewall. Now we are in a situation where we are unable to push the policy on to the Standby device at all. So getting the device back in cluster is a problem. So not sure how to proceed with the upgrade of the device in R80.40 unless we get this upgraded device the new policy.
Just switch the upgraded management to be active and try install the policy.
Andy
Hi @the_rock
May I know how to switch the upgraded Mgmt to active? Never been across this Standalone setup. Also not getting any CLI commands to manage the Mgmt server from CLI. Generally the Active firewall would be the Active Mgmt Server, right? If I need to failover then the firewall will also failover, right? Then this will cause a problem as the newly upgraded firewall will not have the policy installed in it.
Below are the steps I followed.
> Upgrade the secondary firewall.
> Tried pushing the policy from the existing Mgmt server which did not work.
Please suggest, I am stuck here 😞
Hi,
From smart console, just go to menu on upper left, click management HA and you can switch to standby / active
Andy
Thank you @the_rock. I got that option and I will do that.
So once the Standby Firewall is upgraded, I will log in to the Active Smart Console and switch it to Standby.
Then log in to the new Smart console version R81.20 and then push the policy to the upgraded firewall.
Am I right?
Regards,
Sanjay S
That's right.
Thanks again @the_rock I will do that tomorrow and then get back here.
In all honesty, in 17 years I had been dealing with CP, I can count on one hand the amount of times I had encountered people using full HA. Maybe it used to be more popular in older days, but I don't see it much nowadays at all. I'm sure folks like @Timothy_Hall or @PhoneBoy, who had been around way longer than myself, are way more familiar with it, but I really hope what we discussed works.
Please keep us posted.
Best,
Andy
Hello @the_rock,
I upgraded the standby device and the device is now reachable. But it is stuck at importing the database at 59%. No progress for 7 hours. I see the below logs.
14/05/24 19:09:51,179 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21250 seconds
14/05/24 19:10:01,179 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21260 seconds
14/05/24 19:10:11,180 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21270 seconds
May I know if this means anything? I am upgrading from R80.40 to R81.20. Still only one device upgraded and that is not yet completely done.
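The log excerpt in the post above can be checked mechanically to confirm the import has been sitting in one continuous FullSync wait rather than progressing. The following is an added example, not part of the original post or any Check Point tooling; the function names, the one-hour stall threshold and the day/month/year reading of the timestamp are assumptions.

```python
import re
from datetime import datetime

# The three log lines quoted in the post above; the log file's path is not
# given on the page, so the text is embedded here instead of being read.
SAMPLE = """\
14/05/24 19:09:51,179 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21250 seconds
14/05/24 19:10:01,179 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21260 seconds
14/05/24 19:10:11,180 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21270 seconds
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+\w+\s+\S+\s+"
    r"\[(?P<thread>[^\]]+)\]:\s+Waiting for FullSync (?P<secs>\d+) seconds\s*$"
)

def parse_waits(text):
    """Return (timestamp, thread, waited_seconds) for each FullSync wait line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%m/%y %H:%M:%S")  # assumed dd/mm/yy
            out.append((ts, m["thread"], int(m["secs"])))
    return out

def fullsync_status(text, stall_after=3600):
    """Summarise the wait; stall_after (seconds) is an assumed alert threshold."""
    waits = parse_waits(text)
    if not waits:
        return None
    first_ts, _, first_secs = waits[0]
    last_ts, thread, last_secs = waits[-1]
    # One uninterrupted wait: the counter rises on every line and grows by the
    # same amount as the wall clock (2 s tolerance for logging jitter).
    drift = abs((last_secs - first_secs) - (last_ts - first_ts).total_seconds())
    rising = all(b[2] > a[2] for a, b in zip(waits, waits[1:]))
    return {
        "thread": thread,
        "waited_seconds": last_secs,
        "waited_hours": round(last_secs / 3600, 2),
        "continuous": rising and drift <= 2,
        "stalled": last_secs >= stall_after,
    }

if __name__ == "__main__":
    print(fullsync_status(SAMPLE))
```
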
Here you can find the correct upgrade instructions: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...
I believe he already followed that.
Andy
Thank you @G_W_Albrecht
I was going through this document. Here it says first upgrade the Active Management server. Active Management server is nothing but the device which is active. Here in our scenario Device1 is Active (both Mgmt & GW). Device2 is Standby (both Mgmt & GW).
So if I upgrade the Active Device1 then it automatically fails over to the Secondary device, both Mgmt and GW. So again the same issue will occur with the different device 😞 That is what I feel. Sorry, if anything is wrong in my understanding please suggest.
Message me directly, let's do remote. Was working on some Fortinet stuff, sorry.
Andy
Never seen those before, sorry.
Full HA is effectively a cluster of standalone gateways (GW + Management on same box).
Most Quantum Security Gateway Appliances include management for up to two devices precisely for this purpose.
The only reason customers have cited for using Full HA is the cost of external management.
These days, I would recommend using Smart-1 Cloud, which is significantly cheaper than even the smallest Smart-1 appliance or NGSM-5 Open Server license.
Thanks all for your support. I managed to upgrade the devices to R81.20 🙂
@PhoneBoy I will definitely suggest the same to the customer.
Great job!