HFA Install procedure

[1q2w3e]

Hi All

We have 2 Checkpoint Secure Platform in HA ( high availability) together with the Management on Windows.

In what order do I install the HFA_R55_17.linuz.tgz? Do I need to do it on all 3? Is there any documentation I can read on this?

Do I install on the Smartcenter and then push to the SecurePlatforms using SecureUpdate or do it individually on each of the 3 one at a time but in what order.

Thanks

[kva.kva]

Upgrading ClusterXL

Solution ID: #sk30518

There are some maintenance tasks Security Administrators need to perform on Security Gateways. These tasks include applying OS service packs or patches, upgrading the OS and adding or removing interfaces, upgrading VPN-1/FireWall-1, applying Check Point's HotFix Accumulator, and adding new cluster members. In a cluster environment, the steps for applying those changes are very important.

When a cluster needs an upgrade, it is imperative the SmartCenter Server be upgraded before any of the cluster members. If cluster members need to be upgraded to a new version (for example, from NG FP3 to NG with Application Intelligence), performing a fresh new install is easier than the upgrade.

OVERVIEW
1) UPGRADING SMARTCENTER SERVER
2) UPGRADING NEW NODE MEMBERS
3) UPGRADING LOAD SHARING MEMBERS
4) UPGRADING ALL BUT ONE CLUSTER MEMBER
5) UPGRADING LAST CLUSTER MEMBER

================================================== ============================

STEP 1: UPGRADING SMARTCENTER SERVER

The SmartCenter Server must be upgraded first. Upgrade the SmartCenter Server exactly as you upgrade a Check Point distributed installation. Follow the upgrade steps in the "SmartCenter User Guide" on the Check Point Software Subscription Download site. To patch the HotFix Accumulator (HFA) on the SmartCenter Server, follow the HFA release notes on the Software Subscription Downloads site.

================================================== ============================

STEP 2: UPGRADING NEW NODE MEMBERS

When upgrading New mode High Availability cluster members, never let the cluster nodes see each other when they are on different versions of Check Point software. It is important to remember that the SmartCenter must be upgraded first. The following steps apply to upgrading and patching the HFA. The SmartCenter Server must be patched to the latest HFA, before applying HFA to cluster members.

On the standby node, perform the following steps:
1) Stop the standby member with the cpstop command.

2) Upgrade or patch the HFA on the standby member.

3) Reboot the standby member.

4) Before the standby reboots, stop the active node with the cpstop command. There will be a two- or three-minute downtime. After rebooting, the upgraded node will pass traffic.

On the active node, perform the following steps:
1) Upgrade or patch the HFA on the other node, and reboot. Both nodes should see each other and be on the same version.

2) Log in to SmartDashboard and edit the cluster object. Change the cluster object to the new version in the General Properties screen.

3) If you are patching the HFA, the NG version number does not change in the cluster object. If you are upgrading from an older version to a newer version, change the version accordingly in the cluster object¿s General Properties screen.

4) Install the Security Policy on the cluster object, for the new version or HFA to take effect.

================================================== ============================

STEP 3: UPGRADING LOAD SHARING MEMBERS

Assume a cluster with three members (A, B and C). The upgrade stage is divided into three parts:

1) Upgrade or patch the latest HFA on the SmartCenter Server.

2) Upgrade or patch the latest HFA on all but one of the cluster members.

3) Upgrade or patch the latest HFA on the last cluster member.

================================================== ===========================

STEP 4: UPGRADING ALL BUT ONE CLUSTER MEMBER

1) Select cluster Member A, which will be the last upgraded member. Upgrade cluster members B and C either directly, or by using SmartUpdate.

2) After upgrade of B and C is finished, reboot them both.

3) When machines B and C reboot, change the cluster version to the new NG version on the General screen of the cluster object, and reestablish Secure Internal Communications (SIC) with the upgraded cluster members.

4) Clear the box On Gateway clusters, "Install on all members, if it fails do not install at all". Install the Security Policy on the cluster. The Policy will be successfully installed on cluster members B and C, and will fail on Member A.

5) SmartView Status should show the status of cluster Member A as Active, and the other cluster members as Ready. Execute cpstop on cluster Member A. Machines B and/or C will process traffic, depending on Load Sharing or High Availability configuration.

================================================== =====================================

STEP 5: UPGRADING LAST CLUSTER MEMBER

1) Upgrade cluster Member A, either directly or by using SmartUpdate. (See the "SmartCenter User Guide.")

2) Reboot cluster Member A.

3) Reestablish SIC with Member A.

4) Install the Policy on the cluster object.

NOTE: All cluster members must be upgraded to the same version, or State Synchronization will fail.

[1q2w3e]

Thank you so very very very much. I will read this through thoroughly and let you know how I get along.

[1q2w3e]

Hi and Thanks. I have tred looking for how to install the patchHFA onto the SmartCneter but

http://www.checkpoint.com/support/do...p3/HFA_327.pdf

or

http://updates.checkpoint.com/filese..._r55_17-rn.pdf

or

http://updates.checkpoint.com/filese..._r55_17-rn.pdf.

or

https://downloads.checkpoint.com/dc/...n=1070&os=1009

(fw1_HFA_R55_17.linux22.tgz)

This is the environement

SmartCenter On Windows
Enforcement module on SecurePlatform

Wich of the below should I be downloading for the above.

FP3_HFA_327 for SecurePlatform (SHF_HFA_327.linux.tgz)
FP3_HFA_327 for Windows (SHF_HFA_327.win32.zip)

Thanks