VSX Reconfigure and Upgrade Matrix to R77.10 / R77.20 / R77.30
Solution

Table of Contents:

  1. Introduction
  2. Reconfigure
    1. Procedures
    2. Limitations
  3. Upgrade
    1. Methods
    2. Procedures
  4. Rollback
  5. Notes
  6. Related documentation

 

Important Note: To upgrade VSX to R80.10 and higher versions, refer to the Installation and Upgrade Guide for the version to which you are upgrading (R80.10, R80.20, R80.30).

 

(1) Introduction

This article describes the following procedures for VSX Gateway / VSX Cluster Members:

  • reconfiguring (R77.10 / R77.20 / R77.30) - used to replace / rebuild the VSX machine after a failure or RMA
  • upgrading (to R77.10 / R77.20 / R77.30) - used to upgrade the VSX machine to a higher release
  • rollback (from R77.20 / R77.30) - used to downgrade the VSX machine from R77.20 / R77.30

In contrast to non-VSX gateways, the VSX configuration resides on the Security Management Server / Domain Security Management Server that manages the VSX Gateway / VSX cluster member / Virtual Devices (VS, VSW, VR, VSB):

  • Configuration that is stored on the Security Management Server / Domain Security Management Server:
    • names of VSX objects
    • configuration of Wrp/Wrpj interfaces
    • VSX routes
    • etc.
  • Local configuration that is stored on the VSX Gateway / VSX cluster member itself:
    • OS configuration (e.g., DNS, NTP, DHCP, Dynamic Routing, etc.)
    • any settings manually defined in various configuration files on the VSX machine
    • etc.

 

(2) Reconfigure process

In the event of a catastrophic failure of a VSX Gateway / VSX cluster member, you can use the 'vsx_util reconfigure' command to restore the configuration of the VSX Gateway / VSX cluster member, including the configuration of its Virtual Devices (VS, VSW, VR, VSB).

 

(2-A) Reconfigure Procedures

Reconfigure procedure by version:

  • R77.20 / R77.30
    • Reconfigure VSX Cluster Member: sk101515
    • Reconfigure single VSX Gateway: sk101517
  • R77.10: sk101516

 

(2-B) Reconfigure Limitations

The reconfigure process does not restore the local configuration that was made on the VSX Gateway / VSX cluster member itself. These settings have to be reconfigured manually, either from scratch or from backed-up files.

The following will not be restored during the reconfigure process:

  • Any OS configuration (e.g., DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, etc.)

  • Backup files and snapshots saved on the VSX Gateway / VSX cluster member in the past.

  • Any settings manually defined in various configuration files on the VSX machine.

  • Any Check Point configuration files.

    Note: Some of these files do not exist by default. Some files are configured per VSX Gateway / VSX cluster member, and some files are configured per Virtual System.

    List of the most important files (many others exist):

    • $FWDIR/boot/modules/fwkern.conf
    • $FWDIR/boot/modules/vpnkern.conf
    • $PPKDIR/boot/modules/simkern.conf
    • $PPKDIR/boot/modules/sim_aff.conf
    • $FWDIR/conf/fwaffinity.conf
    • $FWDIR/conf/fwauthd.conf
    • $FWDIR/conf/local.arp
    • $FWDIR/conf/discntd.if
    • $FWDIR/conf/cpha_bond_ls_config.conf
    • $FWDIR/conf/resctrl
    • $FWDIR/conf/vsaffinity_exception.conf
    • $FWDIR/database/qos_policy.C
    • /var/ace/sdconf.rec
    • /var/ace/sdopts.rec
    • /var/ace/sdstatus.12
    • /var/ace/securid
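
A way to capture the files listed above before a reconfigure or clean install, as an added example (not Check Point tooling and not part of the original article): a POSIX shell function that archives whichever of these files exist and records SHA-256 hashes so they can be verified after being restored. The function names, output file names and output directory are assumptions; only `$FWDIR`, `$PPKDIR` and the paths come from this article.

```shell
#!/bin/sh
# Added example, not Check Point code. FWDIR and PPKDIR are the environment
# variables used in the list above; everything else is standard tooling.

# Paths copied from section (2-B). "Many others exist": extend as needed.
local_config_files() {
    cat <<EOF
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
$FWDIR/database/qos_policy.C
/var/ace/sdconf.rec
/var/ace/sdopts.rec
/var/ace/sdstatus.12
/var/ace/securid
EOF
}

# backup_local_config OUTDIR  (OUTDIR and the file names below are assumptions)
# Writes local-config.tar, manifest.sha256 (to verify files after restore) and
# missing.list (files that do not exist on this machine); prints files archived.
backup_local_config() {
    out=$1
    [ -n "$FWDIR" ] && [ -n "$PPKDIR" ] || { echo "FWDIR/PPKDIR not set" >&2; return 2; }
    mkdir -p "$out" || return 1
    : > "$out/present.list"; : > "$out/missing.list"; : > "$out/manifest.sha256"
    local_config_files | while IFS= read -r f; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f" >> "$out/present.list"
            sha256sum "$f" >> "$out/manifest.sha256"
        else
            printf '%s\n' "$f" >> "$out/missing.list"
        fi
    done
    count=$(wc -l < "$out/present.list" | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        tar -cf "$out/local-config.tar" -T "$out/present.list" 2>/dev/null || return 1
    fi
    echo "$count"
}
```

The function covers only the paths as listed; files that are configured per Virtual System are not enumerated here and have to be added to the list. Move the output directory off the machine before starting, since backups left on the VSX Gateway / VSX cluster member are themselves not restored.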

 

(3) Upgrade process

(3-A) Upgrade Methods

A VSX Gateway / VSX cluster member can be upgraded either by clean install or by in-place upgrade (for minor releases only):

  • Clean install - this procedure is available for upgrade from any version to R77.10, R77.20, or R77.30.
    Note: Before using clean install upgrade, refer to section "(2-B) Reconfigure Limitations".

  • In-place upgrade - this procedure is available only for the following upgrades: from R77 to R77.10 / R77.20 / R77.30, from R77.10 to R77.20 / R77.30, and from R77.20 to R77.30.
    This procedure keeps all previous configurations.

 

(3-B) Upgrade Procedures

| Upgrade Path | Upgrade VSX Cluster | Upgrade single VSX Gateway |
|---|---|---|
| Clean install upgrade from any version to R77.20 / R77.30 | sk101518 | sk101519 |
| Clean install upgrade from any version to R77.10 | sk101520 | sk101521 |
| In-place upgrade from R77 / R77.10 to R77.20 / R77.30, or from R77.20 to R77.30 | sk101522 | sk101523 |
| In-place upgrade from R77 to R77.10 | sk101529 | sk101530 |

Important Note: You must collect a complete backup of the Security Management Server / Multi-Domain Security Management Server and of the involved VSX Gateway / VSX cluster member. This backup will be used in case of rollback. Transfer the backup files to external storage before the upgrade process.

 

(4) Rollback process

If a problem occurs during the upgrade process, you can roll back to your previous state.

| From Version | Rollback VSX Cluster | Rollback single VSX Gateway |
|---|---|---|
| R77.20 / R77.30 | sk101534 | sk101563 |

 

(5) Notes

  • In-place upgrade is supported only:

    • from R77 to R77.10 / R77.20 / R77.30
    • from R77.10 to R77.20 / R77.30
    • from R77.20 to R77.30


  • R77.10, R77.20, and R77.30 Security Gateways (both in Gateway mode and in VSX mode) can be managed by the following Security Management Servers / Multi-Domain Security Management Servers:


    Important Note: Only features relevant to the version installed on the Security Management Server / Multi-Domain Security Management Server will be available in SmartDashboard and in the 'vsx_util' command. Examples:
    • You will not be able to upgrade the VSX Gateway / VSX cluster configuration from R77 to R77.20 if you manage it with an R77 Security Management Server.
    • You will not be able to use Mobile Access Blade on VSX R77.10 if you manage it with an R76 Security Management Server.
    • You will not be able to use the Multi Bridge capability on R77.30 if you manage it with a Security Management Server of a version prior to R77.30.


  • When upgrading from R77.20 with installed R77.20 Jumbo Hotfix Accumulator to R77.30, refer to sk101975: Jumbo Hotfix Accumulator for R77.20 - section "How to upgrade to R77.30".

 
