VRRP upgrade procedures

[charliey_2000]

Can someone with real working experience outline the steps to upgrade a VRRP HA environment. Ideally I would like to have any down time to a minimum if any at all. This would include upgrading IPSO and Checkpoint from NG 55 to NGX 61.

[chrisbw]

Hi Charliey 2000,

I did this years ago when going from NG FP3 to NGAI R55. First off start with upgradng your licenses in usercentre and download the licenses ready for use. The best way to do this is to upgrade your mgmt server first and ensure that it works with your enforcment nodes first (remember to use new version of gui too). Once you have confirmed that, then in smartdashboard remove the backup node from the cluster object. Next step woud be to upgrade your backup node's IPSO and CP to the versions you want and configured inc vrrp (again as backup).Next you will need to go into smartdashboard and remove the master node from the cluster object, amend the cluster object up to the new version of CP and then add the backup node into the cluster object and push the policy.
You now have 1 node with old CP and 1 with new CP version. Fail the firewall over to the backup node by increasing the priority on the backup node to more than the master.
Repeat process of upgrading the master node and import into cluster object and push policy again and now you have working HA cluster at new version - with only a 3 second downtime whilst you failed over.

Worked for me very well and my last company were well impressed!!