Thread: HFA Install procedure
View Single Post
  #2 (permalink)  
Old 2006-02-10
kva.kva kva.kva is offline
Senior Member
  
Join Date: 2006-01-26
Location: Moscow, Russia
Posts: 706
Rep Power: 3
kva.kva has an average reputation (10+)
Default Re: HFA Install procedure
Upgrading ClusterXL

Solution ID: #sk30518

There are some maintenance tasks Security Administrators need to perform on Security Gateways. These tasks include applying OS service packs or patches, upgrading the OS and adding or removing interfaces, upgrading VPN-1/FireWall-1, applying Check Point's HotFix Accumulator, and adding new cluster members. In a cluster environment, the steps for applying those changes are very important.

When a cluster needs an upgrade, it is imperative the SmartCenter Server be upgraded before any of the cluster members. If cluster members need to be upgraded to a new version (for example, from NG FP3 to NG with Application Intelligence), performing a fresh new install is easier than the upgrade.

OVERVIEW
1) UPGRADING SMARTCENTER SERVER
2) UPGRADING NEW NODE MEMBERS
3) UPGRADING LOAD SHARING MEMBERS
4) UPGRADING ALL BUT ONE CLUSTER MEMBER
5) UPGRADING LAST CLUSTER MEMBER

================================================== ============================

STEP 1: UPGRADING SMARTCENTER SERVER

The SmartCenter Server must be upgraded first. Upgrade the SmartCenter Server exactly as you upgrade a Check Point distributed installation. Follow the upgrade steps in the "SmartCenter User Guide" on the Check Point Software Subscription Download site. To patch the HotFix Accumulator (HFA) on the SmartCenter Server, follow the HFA release notes on the Software Subscription Downloads site.

================================================== ============================

STEP 2: UPGRADING NEW NODE MEMBERS

When upgrading New mode High Availability cluster members, never let the cluster nodes see each other when they are on different versions of Check Point software. It is important to remember that the SmartCenter must be upgraded first. The following steps apply to upgrading and patching the HFA. The SmartCenter Server must be patched to the latest HFA, before applying HFA to cluster members.

On the standby node, perform the following steps:
1) Stop the standby member with the cpstop command.

2) Upgrade or patch the HFA on the standby member.

3) Reboot the standby member.

4) Before the standby reboots, stop the active node with the cpstop command. There will be a two- or three-minute downtime. After rebooting, the upgraded node will pass traffic.

On the active node, perform the following steps:
1) Upgrade or patch the HFA on the other node, and reboot. Both nodes should see each other and be on the same version.

2) Log in to SmartDashboard and edit the cluster object. Change the cluster object to the new version in the General Properties screen.

3) If you are patching the HFA, the NG version number does not change in the cluster object. If you are upgrading from an older version to a newer version, change the version accordingly in the cluster object¿s General Properties screen.

4) Install the Security Policy on the cluster object, for the new version or HFA to take effect.

================================================== ============================

STEP 3: UPGRADING LOAD SHARING MEMBERS

Assume a cluster with three members (A, B and C). The upgrade stage is divided into three parts:

1) Upgrade or patch the latest HFA on the SmartCenter Server.

2) Upgrade or patch the latest HFA on all but one of the cluster members.

3) Upgrade or patch the latest HFA on the last cluster member.

================================================== ===========================

STEP 4: UPGRADING ALL BUT ONE CLUSTER MEMBER

1) Select cluster Member A, which will be the last upgraded member. Upgrade cluster members B and C either directly, or by using SmartUpdate.

2) After upgrade of B and C is finished, reboot them both.

3) When machines B and C reboot, change the cluster version to the new NG version on the General screen of the cluster object, and reestablish Secure Internal Communications (SIC) with the upgraded cluster members.

4) Clear the box On Gateway clusters, "Install on all members, if it fails do not install at all". Install the Security Policy on the cluster. The Policy will be successfully installed on cluster members B and C, and will fail on Member A.

5) SmartView Status should show the status of cluster Member A as Active, and the other cluster members as Ready. Execute cpstop on cluster Member A. Machines B and/or C will process traffic, depending on Load Sharing or High Availability configuration.

================================================== =====================================

STEP 5: UPGRADING LAST CLUSTER MEMBER

1) Upgrade cluster Member A, either directly or by using SmartUpdate. (See the "SmartCenter User Guide.")

2) Reboot cluster Member A.

3) Reestablish SIC with Member A.

4) Install the Policy on the cluster object.

NOTE: All cluster members must be upgraded to the same version, or State Synchronization will fail.
Reply With Quote