| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
I have a pair of SPLAT NGx R65 running on IBM x3650 with ClusterXL Unicast Active/Active mode. These firewalls are being managed by a CMA inside of Provider-1. Firewalls are running NGx R65 with HFA_02 and HFA_249. Same thing on the Provider-1 side. I just upgraded the Provider-1 NGx to HFA_30 over the weekend without any issues so far. Now I would like to upgrade both gateways with NO DOWNTIME. Here is my approach:

1) perform cpstop on gw2,
2) upgrade it to HFA_30,
3) reboot gw2,
4) gw2 will come back with HFA_30,
5) perform cpstop on gw1,
6) upgrade it to HFA_30,
7) reboot gw1,
8) gw1 will come back with HFA_30

The issue here is between step 4 and step 6. During this time, gw1 and gw2 will have different HFA versions and it will cause problems. Has anyone upgraded a cluster firewall with ZERO DOWNTIME who can give me some advice here? Thanks.
Read the ClusterXL guides on this - This will do zero downtime but connections will drop during the cutover. Look up the fw fcu command - this will sync the firewall tables between devices during the upgrade (and is documented in the CXL guides). Also, Valeri's presentation from CPUG2008 had some great tips around this, I strongly recommend you check that out.

Good luck!

R.