Support Center > Search Results > SecureKnowledge Details
Optimal Service Upgrade (OSU) from R67.10 / R75.40VS to R75.40VS / R76 / R77 / R77.10 / R77.20 / R77.30
Solution

Table of Contents:

  • Introduction
  • Cluster Upgrading Procedure from VSX R67.10 to R75.40VS
  • Cluster Upgrading Procedure from VSX R67.10 to R76
  • Cluster Upgrading Procedure from VSX R67.10 to R77
  • Cluster Upgrading Procedure from R75.40VS to R76
  • Cluster Upgrading Procedure from R75.40VS to R77 / R77.10
  • Cluster Upgrading Procedure from R76 / R77 to R77.10
  • Cluster Upgrading Procedure from R77 / R77.10 to R77.20 / R77.30
  • Troubleshooting the Upgrade Procedure
  • Limitations
  • Related solutions

 

Introduction

This feature provides the ability to upgrade Cluster deployment (both in Gateway Mode and in VSX Mode) with a minimum loss of connectivity. New connections that are opened during the upgrade procedure will survive the upgrade while old long lived connections that were opened on the old version will not survive the upgrade.

This feature supports upgrade only between the following versions:

  • VSX Cluster from SecurePlatform VSX R67.10 to Gaia R75.40VS
  • VSX Cluster from SecurePlatform VSX R67.10 to Gaia R76
  • VSX Cluster from SecurePlatform VSX R67.10 to Gaia R77
  • Gateway Cluster / VSX Cluster from Gaia R75.40VS to Gaia R76
  • Gateway Cluster / VSX Cluster from Gaia R75.40VS to Gaia R77 / R77.10
  • Gateway Cluster / VSX Cluster from Gaia R76 / R77 to Gaia R77.10
  • Gateway Cluster / VSX Cluster from Gaia R77 / R77.10 to Gaia R77.20 / R77.30

 

Cluster Upgrading Procedure from VSX R67.10 to R75.40VS

Refer to R75.40VS Home Page and to R75.40VS Installation and Upgrade Guide - Chapter 9 'Upgrading ClusterXL Deployments' - VSX Cluster Optimal Service Upgrade:

  • Upgrade Workflow
  • Upgrading the Cluster

 

Procedure:

  1. To perform an upgrade from VSX R67.10, one member should be installed with VSX R67.10 Optimal Service Upgrade hotfix:

    Download the hotfix package and install it. This is now the old cluster member (with hotfix):

    1. Download the hotfix package onto VSX R67.10 machine (e.g., into /var/log/HF_OSU/):



    2. Unpack the hotfix package:
      [Expert@HostName:VSID]# tar -zxvf fw1_HOTFIX_NAME.tgz

    3. Install the hotfix:
      [Expert@HostName:VSID]# ./fw1_HOTFIX_NAME

    4. Reboot the machine.


  2. One cluster member is used to maintain connectivity, while all the other cluster members need to be upgraded.
    Disconnect all other old cluster members from the network, except for the old cluster member that was installed with the hotfix.
    The management interface can be left connected to the network (only if it is not defined as "Cluster" interface).

  3. Install R75.40VS on all the cluster members that are not connected to the network.

    For more information about installing R75.40VS, refer to the R75.40VS Installation and Upgrade Guide - Chapter 2 'Installing Security Management Server and Security Gateways' - Installing Security Gateway.

    Note: If the external DVD-ROM is not recognized by Check Point appliance, then instead of ISO image, download the TGZ package (R75.40VS Gaia Upgrade Package for WebUI and SmartUpdate), and follow the:
    R75.40VS Installation and Upgrade Guide - Chapter 5 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways - Upgrading Security Gateways on Appliances - UTM-1, Power-1, and 2012 Models - SecurePlatform to Gaia.

  4. Configure a unique value of fwha_mac_magic kernel parameter on the old cluster member per sk25977:

    [Expert@HostName:VSID]# fw ctl set int fwha_mac_magic VALUE

    Make sure that the old and new cluster members use the same value for the fwha_mac_magic parameter.

  5. On the old cluster member (with hotfix), disable SecureXL and run:

    [Expert@HostName:VSID]# cphaosu start

  6. Reconnect the SYNC interface of one of the new upgraded cluster members to the network.

  7. Start forwarding new connections to that new upgraded cluster member:

    1. Make sure the new upgraded cluster member is in "Ready" state.

    2. Connect the member's other interfaces to the network.

    3. On the new cluster member, run:

      [Expert@HostName:VSID]# cphaosu start

    4. On the old cluster member (with hotfix), run:

      [Expert@HostName:VSID]# cphaosu stat

      The network traffic statistics are shown.

    5. When the old cluster member (with hotfix) does not have many connections, run:

      [Expert@HostName:VSID]# cphaosu finish


  8. On the new cluster member, run:

    [Expert@HostName:VSID]# cphaosu finish

  9. Disconnect the old cluster member (with hotfix) from the network.

  10. Reconnect the other new cluster members to the network, one at a time.

  11. Upgrade the old cluster member (with hotfix) and reconnect it also to the network.

 

Cluster Upgrading Procedure from VSX R67.10 to R76

Refer to R76 Home Page and to R76 Installation and Upgrade Guide:

  • Chapter 12 'Upgrading ClusterXL Deployments' - ClusterXL Optimal Service Upgrade:
    • Upgrade Workflow from R67.10 VSX
    • Upgrading the Cluster R67.10 VSX


  • Chapter 7 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways.

Note: If the external DVD-ROM is not recognized by Check Point appliance, then instead of ISO image, download the TGZ package (R76 Gaia Upgrade Package for WebUI and SmartUpdate), and follow the:
R76 Installation and Upgrade Guide - Chapter 7 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways - Upgrading Security Gateways on Appliances - UTM-1, Power-1, and 2012 Models - SecurePlatform to Gaia.

 

Cluster Upgrading Procedure from VSX R67.10 to R77

Refer to R77 Home Page / R77.10 Home Page and to R77 Gaia Installation and Upgrade Guide:

  • Chapter 12 'Upgrading ClusterXL Deployments' - ClusterXL Optimal Service Upgrade:
    • Upgrade Workflow from R67.10 VSX
    • Upgrading the VSX Cluster from R67.10


  • Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways.

Note: If the external DVD-ROM is not recognized by Check Point appliance, then instead of ISO image, download the TGZ package (R77 Gaia Upgrade Package for WebUI and SmartUpdate), and follow the:
R77 Gaia Installation and Upgrade Guide - Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways - Upgrading Security Gateways on Appliances - UTM-1, Power-1, and 2012 Models - SecurePlatform to Gaia.

 

Cluster Upgrading Procedure from R75.40VS to R76

Refer to R76 Home Page and to R76 Installation and Upgrade Guide:

  • Chapter 12 'Upgrading ClusterXL Deployments' - ClusterXL Optimal Service Upgrade:
    • Upgrade Workflow from R75.40VS
    • Upgrading the Cluster from R75.40VS


  • Chapter 7 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways.

Note: If the external DVD-ROM is not recognized by Check Point appliance, then instead of ISO image, download the TGZ package (R76 Gaia Upgrade Package for WebUI and SmartUpdate), and follow the:
R76 Installation and Upgrade Guide - Chapter 7 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways - Upgrading Security Gateways on Appliances - UTM-1, Power-1, and 2012 Models - Gaia to Gaia.

 

Cluster Upgrading Procedure from R75.40VS to R77 / R77.10

Refer to R77 Home Page and to R77 Gaia Installation and Upgrade Guide:

  • Chapter 12 'Upgrading ClusterXL Deployments' - ClusterXL Optimal Service Upgrade:
    • Upgrade Workflow from R75.40VS
    • Upgrading the Cluster from R75.40VS


  • Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways.

Note: If the external DVD-ROM is not recognized by Check Point appliance, then instead of ISO image, download the TGZ package (R77 Gaia Upgrade Package for WebUI and SmartUpdate), and follow the:
R77 Gaia Installation and Upgrade Guide - Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways - Upgrading Security Gateways on Appliances - UTM-1, Power-1, and 2012 Models - Gaia to Gaia.

 

Cluster Upgrading Procedure from R76 / R77 to R77.10

Note: The same instructions for upgrading from R75.40VS to R77 / R77.10 also apply to upgrading from R76 / R77 to R77.10.

Refer to R77 Home Page, R77.10 Home Page and to R77 Gaia Installation and Upgrade Guide:

  • Chapter 12 'Upgrading ClusterXL Deployments' - ClusterXL Optimal Service Upgrade:
    • Upgrade Workflow from R75.40VS
    • Upgrading the Cluster from R75.40VS


  • Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways.

Note: If the external DVD-ROM is not recognized by Check Point appliance, then instead of ISO image, download the TGZ package (R76 to R77.10 Gaia Upgrade Package / R77 to R77.10 Gaia Upgrade package), and follow the:
R77 Gaia Installation and Upgrade Guide - Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways - Upgrading Security Gateways on Appliances - UTM-1, Power-1, and 2012 Models - Gaia to Gaia.

 

Cluster Upgrading Procedure from R77 / R77.10 to R77.20 / R77.30

Note: The same instructions for upgrading from R75.40VS to R77 / R77.10 also apply to upgrading from from R77 / R77.10 to R77.20 / R77.30.

Refer to R77 Home Page, R77.10 Home Page and to R77 Gaia Installation and Upgrade Guide:

  • Chapter 12 'Upgrading ClusterXL Deployments' - ClusterXL Optimal Service Upgrade:
    • Upgrade Workflow from R75.40VS
    • Upgrading the Cluster from R75.40VS


  • Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways.

Note: If the external DVD-ROM is not recognized by Check Point appliance, then instead of ISO image, download the TGZ package (R76 to R77.10 Gaia Upgrade Package / R77 to R77.10 Gaia Upgrade package), and follow the:
R77 Gaia Installation and Upgrade Guide - Chapter 8 'Upgrading Security Management Server and Security Gateways' - Upgrading Security Gateways - Upgrading Security Gateways on Appliances - UTM-1, Power-1, and 2012 Models - Gaia to Gaia.


For additional information, refer to sk97552 - VSX Reconfigure and Upgrade Matrix to R77.10 / R77.20 / R77.30.

 

Troubleshooting the Upgrade Procedure

Use these cphaosu commands, if there are problems during the Optimal Service Upgrade process.

  • If it is necessary to rollback the upgrade, run on the new member:

    [Expert@HostName:VSID]# cphaosu cancel

    The old member processes all the traffic.

  • After you run cpshaosu finish command on the old member, you can continue to process the old traffic on the old member, and the new traffic on the new member. Run on the old member:

    [Expert@HostName:VSID]# cphaosu restart

 

Limitations

  • Upgrade procedure should be implemented during low network traffic time.

  • Optimal Service Upgrade procedure does not provide redundancy if a member fails.

  • Configuration changes should not be performed during the upgrade process.

  • Complex connections are not supported.

    Examples:

    • DCE RPC
    • SUN RPC
    • Back Web
    • DHCP
    • llOP
    • FreeTel
    • WinFrame
    • NCP


  • OSU procedure does not support VPN traffic.

  • OSU procedure does not support Dynamic Routing.

  • OSU procedure does not support Layer2 configuration.

 

Applies To:
  • 01122532 , 01122542
  • 01122544 , 01122546

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment