A cluster for zero downtime during an upgrade?

[GordonCopestake]

hi Folks,
At one of our sites we have a Sunfire V210 box running Checkpoint R62. This is the only box at this site and in order to bring it inline with our other firewalls we would like to upgrade it to R65.
As we would like as little down time as possible we are investigating using a cluster to bring up a second box (temporarily) to take the load whilst the primary box is upgraded.
Does this sound like a feasable plan? Are there any issues or "gotchas" that I need to look out for? Do the boxes need to be identical hardware wise? OS wise? Checkpoint version wise? Will we have any licence issues as this will only be a temporary cluster up for the length of the upgrade.
Any advise or help minimizing our downtime for this upgrade would be appreciated

[Routerkid1]

The os needs to be the same with R62 and I would put the same memory in both boxes. I would then add them to a New mode HA Cluster with a cross over cable between them for sync traffic. The cluster XL pdf will show you how to set this up.

[MarioL]

I think you might be over complicating the process.

If you can upgrade hardware, just do a fresh install and use the upgrade tools to "migrate" the config. If you can't do it like that, just get a box, install R62 and copy the config, put that one online, test, move to upgrade the original, etc.

In any of these scenarios you should have very limited downtime.

PS Edit... remember "Arp cache is your enemy" ;)

[melipla]

Quote:

Originally Posted by MarioL

I think you might be over complicating the process.

If you can upgrade hardware, just do a fresh install and use the upgrade tools to "migrate" the config. If you can't do it like that, just get a box, install R62 and copy the config, put that one online, test, move to upgrade the original, etc.

Once you move the new box in place (by moving cables) you've disconnected everyone connected. He wants a zero downtime upgrade and that's a necessarily complicated process.

You can do as Routerkid suggests, use the same OS / patch level etc. But there's one catch that may present a problem. For HA clusters to talk to each other there needs to be the HA software installed. During a new SPLAT install for a VPN-1 gateway, there's a question that asks "Will this gateway participate in a cluster?" If you said No to that question then you do not have that piece of the cluster HA software installed. You can install it after the fact, but I do not know if you need to reboot / cprestart for that change to take effect. If you don't have to reboot then you can do the zero downtime upgrade without any problems.

You can install this piece / see if its installed by running cpconfig. It'll be listed as "Enable cluster membership for this gateway" if its not installed or "Disable cluster membership for this gateway" if it is.

HTH

[GordonCopestake]

Thanks for all the replies, it's helped me greatly :)