Upgrade VSX Cluster from any version to R77.10 using clean install
Solution

Refer to the main sk97552 (VSX Reconfigure and Upgrade Matrix to R77.10 / R77.20).

 

When to use this procedure

  • Upgrading VSX cluster members from any version to R77.10 (using clean installation).

 

Part 1 - Upgrade of Security Management Server / Multi-Domain Security Management Server

  1. Backup the involved machines at the same time:

    • Security Management Server / Multi-Domain Security Management Server
    • All VSX cluster members

    Note: Refer to "Related Documentation" section below - "How to Backup".

  2. If required, upgrade your Security Management Server / Multi-Domain Security Management Server to the desired version.

    R77.10 Security Gateways (in Gateway mode and in VSX mode) can be managed by the following Security Management Servers / Multi-Domain Security Management Servers:

    Note: Only features relevant to the version installed on the Security Management Servers / Multi-Domain Security Management Server will be available in SmartDashboard and in 'vsx_util' command.
    Examples:
    • You will not be able to upgrade the VSX cluster configuration from R77 to R77.10, if you manage it with R77 Security Management server.
    • You will not be able to use Mobile Access Blade on VSX R77.10, if you manage it with R76 Security Management server.

 

Part 2 - Upgrade of VSX Cluster

The following references are used in the procedure below:

  • Last upgraded - denotes last member to be upgraded (in HA cluster, this should be the Active member).
  • First upgraded - denotes first member to be upgraded and reconfigured.

Procedure:

  1. Upgrade the configuration of the VSX cluster object to R77.10 version on the Security Management Server / Main Domain Management Server.

    Note:

    • If your VSX cluster object is R77, and you do not want new R77.10 features on the VSX Cluster, then skip this step (proceed to Step 2 below).
    • If your VSX cluster object is R76 and lower, then this step is mandatory.

    Run the 'vsx_util upgrade' command and follow on-screen instructions.
    Select your VSX Cluster and then select the R77.10 version.

    Important Note: On Management Server R77.20 and lower, when the 'vsx_util upgrade' operation completes, the user is prompted to reconfigure the VSX machines. The user must refuse - select "no" - and proceed to Step 2 below.

  2. Stop Check Point services on the first upgraded VSX cluster member:

    [Expert@HostName:0]# cpstop

    Note: In VSX Load Sharing (VSLS) cluster, this will cause a fail-over.

  3. Perform clean installation of R77.10 on the first upgraded VSX cluster member (refer to "Related Documentation" section below).

  4. Run Gaia First Time Configuration Wizard on the first upgraded VSX cluster member (refer to sk71000 and sk69701).
    You must use the same Management IP address as was used by the previous cluster member (prior to the upgrade).

  5. If Bonding needs to be configured, configure it now on the first upgraded VSX cluster member. Refer to the R77 Gaia Administration Guide.

  6. This step applies only to R77.10 VSX Load Sharing (VSLS) cluster with exactly two members:

    Permanently disable hibernation on first upgraded VSX cluster member - set the value of kernel parameter 'fwha_hibernate_single_member' to 0:

    1. Append the following line to the $FWDIR/boot/modules/fwkern.conf file using Vi editor (spaces are not allowed):

      fwha_hibernate_single_member=0

      Note: If this file does not exist, then create it using the 'touch' command.

    2. Reboot the first upgraded VSX cluster member.


  7. Install the required licenses on the first upgraded VSX cluster member using the 'cplic put' command.

  8. Start the reconfigure process on the Security Management Server / Main Domain Management Server.

    Run the 'vsx_util reconfigure' command and follow on-screen instructions.
    Select the first upgraded VSX cluster member.

    Important Note: If you have vital configuration in Gaia OS / FireWall / SecureXL / CoreXL / etc. (e.g., Dynamic Routing, DHCP Relay, $FWDIR/boot/modules/fwkern.conf, $PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf, or any other special configuration), then do NOT reboot after the reconfigure operation. First, reconfigure the required Gaia OS settings in Clish, add the required settings in the configuration files, and only then reboot the machine.

  9. On the first upgraded VSX cluster member, verify that this cluster member is ready for fail-over:

    • All Virtual Systems must be up with the correct policy (this may take a few minutes):

      [Expert@HostName:0]# vsx stat -v

    • The state of the cluster member must be 'Ready':

      [Expert@HostName:0]# cphaprob state


  10. Stop Check Point services on the last upgraded VSX cluster member (the one still running on old VSX version):

    [Expert@HostName:0]# cpstop

    Note: This will cause a fail-over, and the first upgraded VSX cluster member will become Active.

  11. Perform clean installation of R77.10 on the last upgraded VSX cluster member (refer to "Related Documentation" section below).

  12. Run Gaia First Time Configuration Wizard on the last upgraded VSX cluster member (refer to sk71000 and sk69701).
    You must use the same Management IP address as was used by the previous cluster member (prior to the upgrade).

  13. If Bonding needs to be configured, configure it now on the last upgraded VSX cluster member. Refer to the R77 Gaia Administration Guide.

  14. Run this command on the first upgraded VSX cluster member (setting the version of CCP protocol to 870 on first upgraded cluster member forces the first upgraded cluster member to remain Active):

    [Expert@HostName:0]# fw ctl set int fwha_version 870

  15. This step applies only to R77.10 VSX Load Sharing (VSLS) cluster with exactly two members:

    Permanently disable hibernation on the last upgraded VSX cluster member - set the value of kernel parameter 'fwha_hibernate_single_member' to 0:

    1. Append the following line to the $FWDIR/boot/modules/fwkern.conf file using Vi editor (spaces are not allowed):

      fwha_hibernate_single_member=0

      Note: If this file does not exist, then create it using the 'touch' command.

    2. Reboot the last upgraded VSX cluster member.


  16. Install the required licenses on the last upgraded VSX cluster member using the 'cplic put' command.

  17. Start the reconfigure process on the Security Management Server / Multi-Domain Security Management Server that manages this VSX cluster.

    Run the 'vsx_util reconfigure' command and follow on-screen instructions.
    Select the last upgraded VSX cluster member.

    Important Note: If you have vital configuration in Gaia OS / FireWall / SecureXL / CoreXL / etc. (e.g., Dynamic Routing, DHCP Relay, $FWDIR/boot/modules/fwkern.conf, $PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf, or any other special configuration), then do NOT reboot after the reconfigure operation. First, reconfigure the required Gaia OS settings in Clish, add the required settings in the configuration files, and only then reboot the machine.

  18. On the last upgraded VSX cluster member, get the version of CCP protocol (this would be the default CCP version of R77.10):

    [Expert@HostName_Active:0]# fw ctl get int fwha_version

  19. On the first upgraded VSX cluster member, set the version of CCP protocol to the version of the last upgraded VSX cluster member:

    [Expert@HostName:0]# fw ctl set int fwha_version VALUE_FROM_PREVIOUS_STEP
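
Steps 6 and 15 describe a manual Vi edit of $FWDIR/boot/modules/fwkern.conf. The shell functions below are an added example, not part of this SK or of Check Point tooling, showing one way to make that edit repeatable: the file is created if missing, a backup is kept, and the parameter ends up defined exactly once with no spaces. The function names are hypothetical and the file path is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the SK). Sets NAME=VALUE in a fwkern.conf-style file
# so that the parameter appears exactly once and its line contains no spaces.

set_kernel_param() {   # usage: set_kernel_param FILE NAME VALUE
    file=$1; name=$2; value=$3
    [ -n "$name" ] && [ -n "$value" ] || { echo "name and value required" >&2; return 2; }
    # Allow only letters, digits and underscore: rules out spaces, tabs and '='.
    case "$name$value" in
        *[!A-Za-z0-9_]*) echo "illegal character in name or value" >&2; return 2 ;;
    esac
    [ -e "$file" ] || touch "$file" || return 1     # create the file if it does not exist
    cp -p "$file" "$file.bak" || return 1           # keep a copy to roll back to
    tmp=$(mktemp) || return 1
    # Drop every earlier definition of NAME (including ones written with stray
    # spaces), keep all other lines, then append the single clean definition.
    # grep exits 1 when it selects no lines; only a higher status is an error.
    grep -v -E "^[[:space:]]*${name}[[:space:]]*=" "$file" > "$tmp" || [ $? -eq 1 ] || return 1
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"            # overwrite in place: keeps owner and mode
}

get_kernel_param() {   # usage: get_kernel_param FILE NAME; fails if NAME is absent
    sed -n "s/^$2=//p" "$1" | grep .
}

lint_no_spaces() {     # usage: lint_no_spaces FILE; fails if any line has a space or tab
    if grep -q '[[:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# On a cluster member (Expert mode) the call for steps 6 and 15 would be:
#   set_kernel_param "$FWDIR/boot/modules/fwkern.conf" fwha_hibernate_single_member 0
```

The file is read at boot, so the reboot in sub-step 2 is still required after the edit.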

 

Related Documentation


Documents:

 

Solutions:

 

How to Backup:

This solution is about products that are no longer supported and it will not be updated
