NGAI R55 HFA17 stuffing HA

murawai · #1 (**permalink**) 2006-02-01

Hi There
I have checkpoint NG AI running on SPLAT in distibuted model. Have 2 firewall modules in Active/standby cluster. After I install HFA17 on the redundant firewall enforcement and reboot I can no longer run cphastat and see the status of the active firewall. When I run cphastat it only can see the local firewall which says its ready (with no load). Is this normal? Normally after a HF I can still run this command before I upgarde my other firewall and see the status of both.

Lackie · #2 (**permalink**) 2006-02-02

I have seen this with my customers as well. HFA_17 appears to do this. If you use 'cphaprob state' it will show something about doing an upgrade. As far as I can see you have to upgrade the other appliance before they see each other.

murawai · #3 (**permalink**) 2006-02-06

Thanks for this. My only issue is that after I install the hotfix I lose connection to the enforcement module even though it is installing the correct firewall policy. I am hesitant to upgrade both as this seems very different from every other Hotfix. Did you hotfix both the active and standby modules? What was the outcome?

jamik · #4 (**permalink**) 2006-02-06

Which is why you run a mirror.. Upgrade it all.. If all goes tits up, then just pop the old disks back in and it's back to square one. :p

chillyjim · #5 (**permalink**) 2006-02-07

Quote:

Originally Posted by murawai

Thanks for this. My only issue is that after I install the hotfix I lose connection to the enforcement module even though it is installing the correct firewall policy.

You did upgrade your SmartCenter first, right?

murawai · #6 (**permalink**) 2006-02-09

Yeap - upgraded smartcenter first (after I install hfa17 on one of the enforcement module's and restart the system it installs the lastest policy successfully when it restarts). I have installed hotfixes many times and normally they run extremely smoothly. I have currently rolled back to HFA16 which operates as normal.
Obviolusly I could try and install the hotfix on both enforcement modules to see what happens however this means downtime if its not successful which I am concerned about. It seems very strange that after the hotfix is installed on the backup module it can no longer be managed from remote machines and no longer sees any cluster partner when I run cphaprob.
Is anyone running SPLAT in cluster environment installed HFA17 without the above issues? I am considering just waiting for HFA18 otherwise....

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode