Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sanjay_S
Advisor
Jump to solution

Upgrading Cluster Standalone setup

Hi Team,

May i know the best way to upgrade the Firewall cluster without internet and running both Mgmt and Firewall on same box? Standalone architecture.

Also if there is any downtime required? I have done multiple cluster upgrades but they are only firewalls and managed by separate Mgmt server. Is it very similar to this or any difference? Do i need to worry about anything specific here?

Regards,

Sanjay S

0 Kudos
2 Solutions

Accepted Solutions
the_rock
Legend
Legend

Just switch the upgraded management to be active and try install the policy.

Andy

View solution in original post

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Here you can find the correct upgrade instructions: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
20 Replies
_Val_
Admin
Admin

Have you already looked into the upgrade guide, specifically, into this chapter? If yes, which of your questions are still unclear?

0 Kudos
the_rock
Legend
Legend

If you did regular cluster upgrades, this is not that much different. So, you would follow this logic...ALWAYS upgrade whichever standalone fw portion is backup (mgmt part is not that important, as it does not process the traffic, so even if that one is active, it will become standby mgmt upon reboot), uncheck "do not install..." option when backup fw is upgraded to new version, once rebooted, then follow same process for current active standalone fw part.

Hope that helps.

Remember this, as some people get confused about it...when it comes to mgmgt part, primary is ALWAYS primary and secondary is ALWAYS secondary, but either one can be active or standby, so secondary can be active or standby, thats fine.

Best,

Andy

0 Kudos
Sanjay_S
Advisor

Hi Andy,

I followed the steps above but the problem is when i upgraded the Stand By firewall to R81.20, but the Management was active on the old version firewall R80.40. So i was not able to push the policy on to the upgraded firewall. Now in a situation where we are unable t o push the policy on to the Standby device at all. So getting the devcie back in cluster is a problem. So not sure how to proceed with the upgrade of the device in R80.40 unless we get this upgraded device the new policy.

0 Kudos
the_rock
Legend
Legend

Just switch the upgraded management to be active and try install the policy.

Andy

0 Kudos
Sanjay_S
Advisor

Hi @the_rock 

May i know how to switch the upgraded Mgmt to active? Never been across this Standalone setup. Also not getting any CLI commands to manage the Mgmt server from CLI. Generally the Active firewall would be the Active Mgmt Server right. If i need to failover then the firewall will also failover right? Then this will cause problem as the newly upgraded firewall will not have the policy installed in it.

Below are the steps i followed.

> Upgrade the secondary firewall. 

> Tried pushing the policy from the existing Mgmt server which did not work.

Please suggest i am stuck here 😞

0 Kudos
the_rock
Legend
Legend

Hi,

From smart console, just go to menu on upper left, click management HA and you can switch to standby / active

Andy

Sanjay_S
Advisor

Thank you @the_rock . I got that option and i will do that.

So once the Standby Firewall is upgraded, i will login to the Active Smart Console and switch it to Standby.

Then login to the new Smart console version R81.20 and then push the policy to the upgraded firewall.

Am i right?

Regards,

Sanjay S

0 Kudos
the_rock
Legend
Legend

Thats right.

Sanjay_S
Advisor

Thanks again @the_rock  I will do that tomorrow and then get back here.

the_rock
Legend
Legend

In all honesty, in 17 years I had been dealing with CP, I can count on one hand amount of times I had encountered people using full HA. Maybe it used to be more popular in older days, but I dont see it much nowdays at all. Im sure folks like @Timothy_Hall or @PhoneBoy , who had been around way longer than myself, are way more familiar with it, but I really hope what we discussed works.

Please keep us posted.

Best,

Andy

0 Kudos
Sanjay_S
Advisor

Hello @the_rock,

I upgraded the standby device and the device is now reachable. But is stuck at importing the database at 59%. No progress since 7hours. I see the below logs.

14/05/24 19:09:51,179 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21250 seconds
14/05/24 19:10:01,179 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21260 seconds
14/05/24 19:10:11,180 INFO upgrade.ngmImport.MultiSiteNewUpgradeSvcImpl [taskExecutor-18]: Waiting for FullSync 21270 seconds

May i know if this mean anything? I am upgrading from R80.40 to R81.20. Still only one device upgraded and that is not yet completely done.

0 Kudos
Sanjay_S
Advisor

I rebooted the gateway it came up as installed. But as we expected there are issues with Full Sync.

 

When i try to lauch the dashboard after switching the Active to Standby also getting the error i attached.

Please suggest

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Here you can find the correct upgrade instructions: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend

I believe he already followed that.

Andy

0 Kudos
Sanjay_S
Advisor

Thank you @G_W_Albrecht 

I was going through this document. Here it says first upgrade the Active Management server. Active Management server is nothing but the device which is active. Here in our Scenario Device1 is Active(Both Mgmt & GW). Device2 is Standby(Both Mgmt & GW).

So if I upgrade the Active Device1 then it automatically failover to the Secondary device both Mgmt and GW. SO again the same issue will occur with the diffiernt device 😞 That is what i feel. Sorry any thing wrong in my understanding please suggest.

0 Kudos
the_rock
Legend
Legend

Message me directly, lets do remote. Was working on some Fortinet stuff, sorry.

Andy

the_rock
Legend
Legend

Never seen those before, sorry.

0 Kudos
PhoneBoy
Admin
Admin

Full HA is effectively a cluster of standalone gateways (GW + Management on same box).
Most Quantum Security Gateway Appliances include management for up to two devices precisely for this purpose.

The only reason customers have cited for using Full HA is the cost of external management.
These days, I would recommend using Smart-1 Cloud, which is significantly cheaper than even the smallest Smart-1 appliance or NGSM-5 Open Server license.

Sanjay_S
Advisor

Thanks all for your support. I managed to upgrade the devices to R81.20 🙂

@PhoneBoy  i will definitely suggest the same to customer.

0 Kudos
the_rock
Legend
Legend

Great job!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events