Rollback VSX Cluster from R77.20 / R77.30 to previous version
Solution

Refer to the main sk97552 (VSX Reconfigure and Upgrade Matrix to R77.10 / R77.20 / R77.30).

 

Table of Contents:

  • Introduction
  • Requirements
  • Procedure
  • Limitations
  • Related Documentation

 

Introduction

This article describes how to downgrade your VSX Cluster from R77.20 / R77.30 to a previous version (from which you have upgraded).

 

Requirements

To be able to downgrade your VSX Cluster, you must have a complete backup of your Security Management Server / Multi-Domain Security Management Server with the desired VSX object configuration.

Example: If you want to downgrade your VSX Cluster from R77.20 to R77, you need a backup of the Security Management Server / Multi-Domain Security Management Server in which your VSX Cluster object is configured as R77.

 

Procedure

Note: The following references are used in the procedure below:

  • Last downgraded - denotes last member to be downgraded (in HA cluster, this should be the 'Active' member).
  • First downgraded - denotes first member to be downgraded.

Procedure:

  1. Back up the involved machines at the same time:

    • Security Management Server / Multi-Domain Security Management Server
    • All VSX cluster members

    Note: Refer to "Related Documentation" section below - "How to Backup".

  2. Restore the Security Management Server / Multi-Domain Security Management Server with the desired VSX object configuration (refer to "Related Documentation" section below - "How to Backup and Restore").

  3. Run this command on the last downgraded VSX cluster member (setting the version of CCP protocol to 870 on last downgraded cluster member forces the last downgraded cluster member to remain Active):

    [Expert@HostName:0]# fw ctl set int fwha_version 870

  4. Perform clean installation of the previous version on the first downgraded VSX cluster member (refer to "Related Documentation" section below).

  5. Run Gaia First Time Configuration Wizard on the first downgraded VSX cluster member (refer to sk71000 and sk69701).
    You must use the same Management IP address as was used by the previous cluster member (prior to the upgrade).

  6. If Bonding needs to be configured, configure it now on the first downgraded VSX cluster member. Refer to the R77 Gaia Administration Guide.

  7. If any hotfixes were installed, then install them on the first downgraded VSX cluster member.
    For hotfix installation instructions, refer to the release notes that were provided with the hotfix, or contact Check Point Support.

  8. Install the required licenses on the first downgraded VSX cluster member using the cplic put command.

  9. This step applies only to VSX cluster member R76 and lower.

    Enable cluster membership and Per Virtual System state on the first downgraded VSX cluster member:

    1. Go to 'cpconfig' menu:

      [Expert@HostName:0]# cpconfig

    2. Select 'Enable cluster membership for this gateway'

    3. If this cluster runs in VSX Load Sharing (VSLS) mode, then select 'Enable Check Point Per Virtual System State':

      1. Answer "y" when prompted 'Would you like to enable Per Virtual System state'.
      2. Press Enter when notified that changes will take place only after reboot.


    4. Exit from 'cpconfig' menu.

    5. Do NOT reboot.


  10. Start the reconfigure process for the first downgraded VSX cluster member:

    1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    2. Run the 'vsx_util reconfigure' command and follow on-screen instructions.

      Important Note: If you have vital configuration in Gaia OS / FireWall / SecureXL / CoreXL / etc. (e.g., Dynamic Routing, DHCP Relay, $FWDIR/boot/modules/fwkern.conf, $PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf, or any other special configuration), then do NOT reboot after the reconfigure operation. First, reconfigure the required Gaia OS settings in Clish, add the required settings in the configuration files, and only then reboot the machine.


  11. On the first downgraded VSX cluster member, verify that this cluster member is ready for fail-over:

    • All Virtual Systems must be up with the correct policy (this may take a few minutes):

      [Expert@HostName:0]# vsx stat -v

    • The state of the cluster member must be 'Ready':

      [Expert@HostName:0]# cphaprob state


  12. Stop Check Point services on the last downgraded VSX cluster member (the one still running R77.20 / R77.30):

    [Expert@HostName:0]# cpstop

    Note: This will cause a fail-over, and the first downgraded VSX cluster member will become Active.

  13. Run this command on the first downgraded VSX cluster member (setting the version of CCP protocol to 870 on first downgraded cluster member forces the first downgraded cluster member to remain Active):

    [Expert@HostName:0]# fw ctl set int fwha_version 870

  14. Perform clean installation of the previous version on the last downgraded VSX cluster member (refer to "Related Documentation" section below).

  15. Run Gaia First Time Configuration Wizard on the last downgraded VSX cluster member (refer to sk71000 and sk69701).
    You must use the same Management IP address as was used by the previous cluster member (prior to the upgrade).

  16. If Bonding needs to be configured, configure it now on the last downgraded VSX cluster member. Refer to the R77 Gaia Administration Guide.

  17. If any hotfixes were installed, then install them on the last downgraded VSX cluster member.
    For hotfix installation instructions, refer to the release notes that were provided with the hotfix, or contact Check Point Support.

  18. Install the required licenses on the last downgraded VSX cluster member using the cplic put command.

  19. This step applies only to VSX cluster member R76 and lower.

    Enable cluster membership and Per Virtual System state on the last downgraded VSX cluster member:

    1. Go to 'cpconfig' menu:

      [Expert@HostName:0]# cpconfig

    2. Select 'Enable cluster membership for this gateway'

    3. If this cluster runs in VSX Load Sharing (VSLS) mode, then select 'Enable Check Point Per Virtual System State':

      1. Answer "y" when prompted 'Would you like to enable Per Virtual System state'.
      2. Press Enter when notified that changes will take place only after reboot.


    4. Exit from 'cpconfig' menu.

    5. Do NOT reboot.


  20. Start the reconfigure process for the last downgraded VSX cluster member:

    1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    2. Run the 'vsx_util reconfigure' command and follow on-screen instructions.

      Important Note: If you have vital configuration in Gaia OS / FireWall / SecureXL / CoreXL / etc. (e.g., Dynamic Routing, DHCP Relay, $FWDIR/boot/modules/fwkern.conf, $PPKDIR/boot/modules/simkern.conf, $FWDIR/conf/fwaffinity.conf, or any other special configuration), then do NOT reboot after the reconfigure operation. First, reconfigure the required Gaia OS settings in Clish, add the required settings in the configuration files, and only then reboot the machine.


  21. On the last downgraded VSX cluster member, verify that all Virtual Systems are up with the correct policy (this may take a few minutes):

    [Expert@HostName:0]# vsx stat -v

  22. On the last downgraded VSX cluster member, get the version of CCP protocol (this would be the default CCP version of the reinstalled VSX):

    [Expert@HostName:0]# fw ctl get int fwha_version

  23. On the first downgraded VSX cluster member, set the version of CCP protocol to the version of last downgraded VSX cluster member:

    [Expert@HostName:0]# fw ctl set int fwha_version VALUE_FROM_PREVIOUS_STEP

 

Limitations

The following limitations apply during the downgrade and restore process:

  • Loss of changes on Management Server: Any changes that were made in SmartDashboard after collecting the backup of Security Management Server / Multi-Domain Security Management Server will be lost (this refers to any object managed by this Management Server).

  • VSX Cluster member downtime: You may experience cluster downtime for a few seconds. Any existing connections will be terminated.

  • The following will not be restored on VSX Cluster member during the rollback process:

    • Any OS configuration (e.g., DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, etc.)

    • Backup files and snapshots saved on the VSX cluster member in the past.

    • Any user-defined settings in various configuration files.

    • Any Check Point configuration files.

      Note: Some of these files do not exist by default. Some files are configured per VSX cluster member, and some files are configured per Virtual System.

      List of most important files (many others exist):

      • $FWDIR/boot/modules/fwkern.conf
      • $FWDIR/boot/modules/vpnkern.conf
      • $PPKDIR/boot/modules/simkern.conf
      • $PPKDIR/boot/modules/sim_aff.conf
      • $FWDIR/conf/fwaffinity.conf
      • $FWDIR/conf/fwauthd.conf
      • $FWDIR/conf/local.arp
      • $FWDIR/conf/discntd.if
      • $FWDIR/conf/cpha_bond_ls_config.conf
      • $FWDIR/conf/resctrl
      • $FWDIR/conf/vsaffinity_exception.conf
      • $FWDIR/database/qos_policy.C
      • /var/ace/sdconf.rec
      • /var/ace/sdopts.rec
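
Because the files listed above are not restored by the rollback, they can be collected from each cluster member before its clean installation. The following script is an added example, not Check Point code; it assumes an Expert mode shell in which $FWDIR and $PPKDIR are set, and it reads them from the current shell context, so per-Virtual-System copies need a separate run in that Virtual System's context.

```shell
#!/bin/bash
# Added example, not Check Point code. Assumes Expert mode, where the
# Check Point profile has set $FWDIR and $PPKDIR.

# Files from the "Limitations" list that the rollback does not restore.
rollback_file_list() {
    cat <<EOF
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
$FWDIR/database/qos_policy.C
/var/ace/sdconf.rec
/var/ace/sdopts.rec
EOF
}

# save_rollback_files ARCHIVE
# Copies each listed file that exists into ARCHIVE (tar.gz) under files/,
# keeping its full path, and lists the absent ones in MISSING.txt.
# Prints the number of files saved.
save_rollback_files() {
    archive=$1
    [ -n "$FWDIR" ] && [ -n "$PPKDIR" ] || return 1
    stage=$(mktemp -d) || return 1
    saved=0
    : > "$stage/MISSING.txt"
    while IFS= read -r f; do
        if [ -f "$f" ]; then
            mkdir -p "$stage/files$(dirname "$f")"
            cp -p "$f" "$stage/files$f" && saved=$((saved + 1))
        else
            echo "$f" >> "$stage/MISSING.txt"
        fi
    done <<EOF
$(rollback_file_list)
EOF
    tar -czf "$archive" -C "$stage" . || { rm -rf "$stage"; return 1; }
    rm -rf "$stage"
    echo "$saved"
}
# Usage (hypothetical path): save_rollback_files /var/log/pre_rollback_files.tgz
```

Copy the resulting archive off the cluster member before the clean installation, since backup files saved on the member itself are not restored either.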

 

Related Documentation

Documents:

 

Solutions:

 

How to Backup and Restore:
