Upgrading VSX cluster members from any version to R77.20 / R77.30 (using clean installation).
Part 1 - Upgrade of Security Management Server / Multi-Domain Security Management Server
Back up the involved machines at the same time:
Security Management Server / Multi-Domain Security Management Server
All VSX cluster members
Note: Refer to "Related Documentation" section below - "How to Backup".
If required, upgrade your Security Management Server / Multi-Domain Security Management Server to the desired version.
R77.20 / R77.30 Security Gateways (in Gateway mode and in VSX mode) can be managed by the following Security Management Servers / Multi-Domain Security Management Servers:
Note: Only features relevant to the version installed on the Security Management Servers / Multi-Domain Security Management Server will be available in SmartDashboard and in 'vsx_util' command. Examples:
You will not be able to upgrade the VSX Gateway / VSX cluster configuration from R77 to R77.20, if you manage it with an R77 Security Management server.
You will not be able to use the Mobile Access Blade on VSX R77.20, if you manage it with an R76 Security Management server.
You will not be able to use the Multi Bridge capability on R77.30, if you manage it with a Security Management server version prior to R77.30.
Part 2 - Upgrade of VSX Cluster
The following references are used in the procedure below:
Last upgraded - denotes the last member to be upgraded (in an HA cluster, this should be the Active member).
First upgraded - denotes the first member to be upgraded and reconfigured.
Procedure:
Upgrade the configuration of the VSX cluster object to R77.20 / R77.30 version on the Security Management Server / Main Domain Management Server.
Note:
If your VSX cluster object is R77, and you do not want new R77.20 / R77.30 features on the VSX Cluster, then skip this step (proceed to Step 2 below).
If your VSX cluster object is R76 or lower, then this step is mandatory.
Run the 'vsx_util upgrade' command and follow on-screen instructions. Select your VSX Cluster and then select the R77.20 / R77.30 version.
Important Note: On Management Server R77.20 and lower, when the 'vsx_util upgrade' operation completes, the user is prompted to reconfigure the VSX machines. The user must refuse - select "no" - and proceed to Step 2 below.
Stop Check Point services on the first upgraded VSX cluster member:
[Expert@HostName:0]# cpstop
Note: In a VSX Load Sharing (VSLS) cluster, this will cause a fail-over.
Perform clean installation of R77.20 / R77.30 on the first upgraded VSX cluster member (refer to "Related Documentation" section below).
Run Gaia First Time Configuration Wizard on the first upgraded VSX cluster member (refer to sk71000 and sk69701). You must use the same Management IP address as was used by the previous cluster member (prior to the upgrade).
Note: On R77.30, configure the Cluster ID to be the same as the fwha_mac_magic parameter from the previous cluster version.
If Bonding needs to be configured, configure it now on the first upgraded VSX cluster member. Refer to the R77 Gaia Administration Guide.
Prevent the first upgraded VSX cluster member from becoming Active before the reconfigure process ends:
[Expert@HostName]# cphastop
[Expert@HostName]# cphaconf fini
[Expert@HostName]# touch /dev/shm/during_vsx_reconfigure
Install the required licenses on the first upgraded VSX cluster member using the 'cplic put' command.
Important Note: If you have vital configuration in Gaia OS / FireWall / SecureXL / CoreXL / etc. (e.g., Dynamic Routing, DHCP Relay, $FWDIR/boot/modules/fwkern.conf, $PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf, or any other special configuration), then reconfigure the required Gaia OS settings in Clish, add the required settings in the configuration files, and do NOT reboot. Proceed to the next step.
Important Note: Make sure that the CCP mode (Multicast or Broadcast) is the same on both cluster members.
Start the reconfigure process on the Security Management Server / Main Domain Management Server.
Run the 'vsx_util reconfigure' command and follow on-screen instructions. Select the first upgraded VSX cluster member.
On the first upgraded VSX cluster member, verify that this cluster member is ready for fail-over:
All Virtual Systems must be up with the correct policy (this may take a few minutes):
[Expert@HostName:0]# vsx stat -v
The state of the cluster member must be 'Ready':
[Expert@HostName:0]# cphaprob state
Stop Check Point services on the last upgraded VSX cluster member (the one still running the old VSX version):
[Expert@HostName:0]# cpstop
Note: This will cause a fail-over, and the first upgraded VSX cluster member will become Active.
Perform clean installation of R77.20 / R77.30 on the last upgraded VSX cluster member (refer to "Related Documentation" section below).
Run Gaia First Time Configuration Wizard on the last upgraded VSX cluster member (refer to sk71000 and sk69701). You must use the same Management IP address as was used by the previous cluster member (prior to the upgrade).
Note: On R77.30, configure the Cluster ID to be the same as the fwha_mac_magic parameter from the previous cluster version.
If Bonding needs to be configured, configure it now on the last upgraded VSX cluster member. Refer to the R77 Gaia Administration Guide.
Prevent the last upgraded VSX cluster member from becoming Active before the reconfigure process ends:
[Expert@HostName]# cphastop
[Expert@HostName]# cphaconf fini
[Expert@HostName]# touch /dev/shm/during_vsx_reconfigure
Install the required licenses on the last upgraded VSX cluster member using the 'cplic put' command.
Important Note: If you have vital configuration in Gaia OS / FireWall / SecureXL / CoreXL / etc. (e.g., Dynamic Routing, DHCP Relay, $FWDIR/boot/modules/fwkern.conf, $PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf, or any other special configuration), then reconfigure the required Gaia OS settings in Clish, add the required settings in the configuration files, and do NOT reboot. Proceed to the next step.
Important Note: Make sure that the CCP mode (Multicast or Broadcast) is the same on both cluster members.
Start the reconfigure process on the Security Management Server / Multi-Domain Security Management Server.
Run the 'vsx_util reconfigure' command and follow on-screen instructions. Select the last upgraded VSX cluster member.
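Added example (not part of the original procedure and not Check Point code): a clean installation discards any kernel parameters that were set in fwkern.conf / simkern.conf, so the "Important Note" about vital configuration can be checked mechanically before running 'vsx_util reconfigure'. The sketch assumes a copy of the old file was saved before the clean installation; the function names, file locations and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: list name=value kernel parameters that were present in the
# pre-upgrade copy of a *kern.conf file but are missing or changed on the
# freshly installed member. Returns 0 = no drift, 1 = drift, 2 = no backup.
kern_drift() {
    old_file=$1; new_file=$2; rc=0
    [ -r "$old_file" ] || { echo "cannot read backup: $old_file" >&2; return 2; }
    # After a clean installation the file usually does not exist at all.
    [ -r "$new_file" ] || new_file=/dev/null
    out=$(awk '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }      # drop comments and whitespace
        (i = index($0, "=")) == 0 { next }           # skip lines without name=value
        { name = substr($0, 1, i - 1); value = substr($0, i + 1) }
        FILENAME == ARGV[1] { want[name] = value; next }
        { have[name] = value }
        END {
            for (n in want) {
                if (!(n in have)) { print "MISSING " n "=" want[n]; bad = 1 }
                else if (have[n] != want[n]) { print "CHANGED " n " old=" want[n] " new=" have[n]; bad = 1 }
            }
            exit bad + 0
        }' "$old_file" "$new_file") || rc=$?
    [ -z "$out" ] || printf '%s\n' "$out" | sort
    return "$rc"
}

# Constructed sample data. Parameter names other than fwha_mac_magic are
# placeholders; on R77.30 fwha_mac_magic is entered as the Cluster ID instead.
kern_drift_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# saved before clean install' 'fwha_mac_magic=0x10' \
        'placeholder_param_a=1' 'placeholder_param_b=0' > "$d/fwkern.conf.backup"
    printf '%s\n' 'placeholder_param_a=1' 'placeholder_param_b=1' > "$d/fwkern.conf"
    demo_rc=0
    kern_drift "$d/fwkern.conf.backup" "$d/fwkern.conf" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

kern_drift_demo || echo "drift found: restore the settings before 'vsx_util reconfigure'"
```

The same comparison applies to a saved copy of $PPKDIR/boot/modules/simkern.conf; $FWDIR/conf/fwaffinity.conf uses a different line format and is not covered by this check.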