R77.20 to R77.30 fresh install upgrade



penix
2016-06-10, 03:17
Hi forum,

I'm preparing a fresh install upgrade for my ClusterXL, from R77.20 to R77.30, and I have some simple questions.
The VM Management Gateway is already in R77.30 version, so there is no action required.

These are my expected steps:

Step1 - Do a backup for each Gateway from WebUI>Maintenance>SystemBackup
Step2 - Do a fresh install R77.30 in my Standby Gateway
Step3 - Do a restore for my upgraded gateway with the backup done before
Step3' - Re-set the SIC between the upgraded gateway and the CMC
Step4 - Push the policy to both gateways in order to push the policies to the upgraded gateway, and check everything is working
Step5 - Stop (cpstop or clusterxl_admin down) in my Master Gateway. I've read that the upgraded Gateway will remain in a "Ready" state while there is an older version Gateway in the ClusterXL and won't become Master in that state.
Step6 - Confirm that everything is working with that R77.30 and the fresh install + restore worked as intended. I may leave the traffic going through that gateway for 2-3 days before upgrading the other gateway, just to make sure everything is OK and nothing pops.
Step7 - Do a fresh install R77.30 in the other Gateway.
Step8 - Do a restore for that recently fresh installed gateway
Step8' - Re-set the SIC between the upgraded gateway and the CMC
Step9 - Push the policy to both gateways again, check that it works and I can manage the whole cluster.
Step10 - Check that there is no gateway running in Ready state or any other non-expected state, and sessions are syncing.

Questions:

Regarding step1 and step3: Will the RESTORE operation work, if the backup is done in R77.20 and restored to a R77.30?
Regarding step1 and step3: Will I have to do any step with the LICENSES? or the backup takes the licenses with that export and import operation?
Regarding step5/6: Will my Standby (upgraded) gateway work (traffic will work going through that gateway) if it's in that Ready State (assuming the other gateway is in clusterxl_admin down)?

I'll be glad if there is any checkpoint sheet with all that information, sorry if I didn't manage to find the answer to my questions in the official documentation. If not, I hope you can help me to confirm the steps, additional considerations and have an answer for my questions.

Kind Regards and thanks in advance!

PS: Additional respective Gateway snapshots will be done for the rollback operation if needed.

mcnallym
2016-06-10, 04:46
BACKUP/RESTORE - Backups are version specific, i.e. you back up R77.20 then restore to R77.20.

Licensing - You won't be able to restore; however, simply detach the license in SmartUpdate and reattach it once SIC is established with the box. It will recognise that the license is not on the box after the clean install and then allow you to reattach.

When you cpstop or clusterXL_admin down the older non-upgraded box, the upgraded one should go from Ready to Active Attention state. If in Ready, it does NOT pass traffic.

penix
2016-06-10, 08:07
BACKUP/RESTORE - Backups are version specific, i.e. you back up R77.20 then restore to R77.20.

Licensing - You won't be able to restore; however, simply detach the license in SmartUpdate and reattach it once SIC is established with the box. It will recognise that the license is not on the box after the clean install and then allow you to reattach.

When you cpstop or clusterXL_admin down the older non-upgraded box, the upgraded one should go from Ready to Active Attention state. If in Ready, it does NOT pass traffic.

Thanks for your response @mcnallym

If I can't restore a backup from other version, then there should be a procedure to do a new version fresh install without having to configure both appliances again from scratch. Am I right? I was not able to find that document in Checkpoint's KB.

Can you McNallym or anyone clarify that for me?

Thanks again

mcnallym
2016-06-10, 09:41
clish -c "show configuration"

from expert mode should print out the Gaia OS Configuration to the screen.

Should be able to use the sk104221 bit with the copy and paste into a text file and then transfer the file to the new box and import that configuration file using what is in the SK article.

That will do the Gaia OS config; any Check Point config such as the $FWDIR/boot/modules/fwkern.conf or other such config files on the box will need to be added back in manually, as they are Check Point configuration, not Gaia OS.

jdmoore0883
2016-06-10, 10:11
That will do the Gaia OS config; any Check Point config such as the $FWDIR/boot/modules/fwkern.conf or other such config files on the box will need to be added back in manually, as they are Check Point configuration, not Gaia OS.

As a final note on this, I wouldn't just go and copy/paste the contents of $FWDIR/boot/modules/fwkern.conf, as some of these settings can be changed in the new version. I would suggest investigating why these entries exist, and see if they still need to be in the new version. I have seen many a case where this was just copy/pasted and resulted in problems.
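One way to act on the advice above about not copying fwkern.conf across blindly, as an added example that is not part of the original posts: list every entry from the old gateway's file against the rebuilt gateway's file so each one is reviewed by hand. The function name `review_fwkern`, the sample parameter names, and the assumed file format (one `name=value` per line, `#` lines and blank lines skipped) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare a saved copy of the old fwkern.conf against the one on
# the freshly installed gateway and print each old entry with a review status.
# Assumption: one name=value entry per line; '#' lines and blank lines skipped.

review_fwkern() {
    old_conf=$1   # copy of $FWDIR/boot/modules/fwkern.conf from the old version
    new_conf=$2   # the same file on the rebuilt gateway (may not exist yet)
    [ -r "$old_conf" ] || { echo "cannot read $old_conf" >&2; return 2; }
    [ -e "$new_conf" ] || new_conf=/dev/null   # no file yet: everything is MISSING

    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        /^[ \t\r]*(#|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) {
                # Only report unparseable lines from the old file
                if (FILENAME != ARGV[1]) print "MALFORMED " trim($0)
                next
            }
            name = trim(substr($0, 1, eq - 1))
            value = trim(substr($0, eq + 1))
        }
        FILENAME == ARGV[1]    { current[name] = value; next }
        !(name in current)     { print "MISSING " name " old=" value; next }
        current[name] != value { print "DIFFERS " name " old=" value " new=" current[name]; next }
                               { print "SAME " name " " value }
    ' "$new_conf" "$old_conf"
}

# Constructed sample input; the parameter names are placeholders, not real
# kernel parameters.
demo=$(mktemp -d)
printf '%s\n' '# old gateway' 'sample_param_one=1' 'sample_param_two=0x20' > "$demo/old.conf"
printf '%s\n' 'sample_param_one=1' > "$demo/new.conf"
review_fwkern "$demo/old.conf" "$demo/new.conf"
rm -rf "$demo"
```

Entries reported as MISSING or DIFFERS are the ones to investigate before deciding whether they still belong in the new version.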

penix
2016-06-14, 02:57
clish -c "show configuration"

from expert mode should print out the Gaia OS Configuration to the screen.

Should be able to use the sk104221 bit with the copy and paste into a text file and then transfer the file to the new box and import that configuration file using what is in the SK article.

That will do the Gaia OS config; any Check Point config such as the $FWDIR/boot/modules/fwkern.conf or other such config files on the box will need to be added back in manually, as they are Check Point configuration, not Gaia OS.

Thanks for your answers. Then I may conclude there is no REAL procedure to perform a configuration restoration in fact from my actual R77.20 to R77.30. All "procedures" include reconfiguring in some way the interfaces, routing, etc.
Regarding the Licenses the solution is detach+attach.

Kind Regards dudes!

mcnallym
2016-06-14, 06:56
Thanks for your answers. Then I may conclude there is no REAL procedure to perform a configuration restoration in fact from my actual R77.20 to R77.30. All "procedures" include reconfiguring in some way the interfaces, routing, etc.
Regarding the Licenses the solution is detach+attach.

Kind Regards dudes!

That is correct. The backup file is version specific, so it requires that you perform the work manually (in some fashion) if upgrading by doing a clean image build to the new version. Backup isn't intended to be used for upgrades as such.

Have seen some people do the following.

1.) Prepare existing backup on current version
2.) Do in-place upgrade on box
3.) Backup upgraded version
4.) Clean Build to upgraded version
5.) Restore backup taken at 3.

However you are restoring the config between the same version.

penix
2016-06-15, 10:46
That is correct. The backup file is version specific, so it requires that you perform the work manually (in some fashion) if upgrading by doing a clean image build to the new version. Backup isn't intended to be used for upgrades as such.

Have seen some people do the following.

1.) Prepare existing backup on current version
2.) Do in-place upgrade on box
3.) Backup upgraded version
4.) Clean Build to upgraded version
5.) Restore backup taken at 3.

However you are restoring the config between the same version.

Quiiieeeet strange... It may be a good idea but it's quite tricky. I'm thinking of doing a R77.20 snapshot, and just do the upgrade and see if everything looks fine. If something is wrong I'll think about the clean install and just push the policy from the Manager.

Thanks for your help and comments guys.
Kind Regards!