CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: R77.20 to R77.30 fresh install upgrade

  1. #1
    Join Date
    2012-03-15
    Posts
    6
    Rep Power
    0

    Default R77.20 to R77.30 fresh install upgrade

    Hi forum,

    I'm preparing a fresh install upgrade for my ClusterXL, from R77.20 to R77.30, and I have some simple questions.
    The VM Management Gateway is already in R77.30 version, so there is no action required.

    These are my expected steps:

    Step1 - Do a backup for each Gateway from WebUI>Maintenance>SystemBackup
    Step2 - Do a fresh install R77.30 in my Standby Gateway
    Step3 - Do a restore for my upgraded gateway with the backup done before
    Step3' - Re-set the SIC between the upgraded gateway and the CMC
    Step4 - Push the policy to both gateways in order to push the policies to the upgraded gateway, and check everything is working
    Step5 - Stop (cpstop or clusterxl_admin down) in my Master Gateway. I've read that the upgraded Gateway will remain in a "Ready" state while there is an older version Gateway in the ClusterXL and won't become Master in that state.
    Step6 - Confirm that everything is working with that R77.30 and the fresh install + restore worked as intended. I may leave the traffic going through that gateway for 2-3 days before upgrading the other gateway, just to make sure everything is OK and nothing pops.
    Step7 - Do a fresh install R77.30 in the other Gateway.
    Step8 - Do a restore for that recently fresh installed gateway
    Step8' - Re-set the SIC between the upgraded gateway and the CMC
    Step9 - Push the policy to both gateways again, check that it works and I can manage the whole cluster.
    Step10- Check that there is no gateway running in Ready state or any other non-expected state, and sessions are syncing.

    Questions:

    Regarding step1 and step3: Will the RESTORE operation work, if the backup is done in R77.20 and restored to a R77.30?
    Regarding step1 and step3: Will I have to do any step with the LICENSES? or the backup takes the licenses with that export and import operation?
    Regarding step5/6: Will my Standby (upgraded) gateway work (traffic will work going through that gateway) if it's in that Ready State (assuming the other gateway is in clusterxl_admin down)?

    I'll be glad if there is any checkpoint sheet with all that information, sorry if I didn't manage to find the answer to my questions in the official documentation. If not, I hope you can help me to confirm the steps, additional considerations and have an answer for my questions.

    Kind Regards and thanks in advance!

    PS: Additional respective Gateway snapshots will be done for the rollback operation if needed.
    Last edited by penix; 2016-06-10 at 03:48. Reason: SIC steps

  2. #2
    Join Date
    2007-06-04
    Posts
    3,278
    Rep Power
    16

    Default Re: R77.20 to R77.30 fresh install upgrade

    BACKUP/RESTORE - Backups are version specific, i.e. you back up R77.20 then restore to R77.20.

    Licensing - You won't be able to restore; however, in SmartUpdate simply detach the license and reattach it once SIC is established with the box. It will recognise that the license is not on the box after the clean install and then allow you to reattach.

    When you cpstop or clusterXL_admin down the older, non-upgraded box, the upgraded one should go from Ready to Active Attention state. If in Ready, it does NOT pass traffic.

  3. #3
    Join Date
    2012-03-15
    Posts
    6
    Rep Power
    0

    Default Re: R77.20 to R77.30 fresh install upgrade

    Quote Originally Posted by mcnallym View Post
    BACKUP/RESTORE - Backups are version specific, i.e. you back up R77.20 then restore to R77.20.

    Licensing - You won't be able to restore; however, in SmartUpdate simply detach the license and reattach it once SIC is established with the box. It will recognise that the license is not on the box after the clean install and then allow you to reattach.

    When you cpstop or clusterXL_admin down the older, non-upgraded box, the upgraded one should go from Ready to Active Attention state. If in Ready, it does NOT pass traffic.

    Thanks for your response @mcnallym

    If I can't restore a backup from other version, then there should be a procedure to do a new version fresh install without having to configure both appliances again from scratch. Am I right? I was not able to find that document in Checkpoint's KB.

    Can you McNallym or anyone clarify that for me?

    Thanks again

  4. #4
    Join Date
    2007-06-04
    Posts
    3,278
    Rep Power
    16

    Default Re: R77.20 to R77.30 fresh install upgrade

    clish -c "show configuration"

    from expert mode should print out the Gaia OS Configuration to the screen.

    Should be able to use the sk104221 bit with the copy and paste into a text file and then transfer the file to the new box and import that configuration file using what is in the SK article.

    That will do the Gaia OS config; any Check Point config, such as $FWDIR/boot/modules/fwkern.conf or other such config files on the box, will need to be added back in manually, as they are Check Point configuration, not Gaia OS.

  5. #5
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    5

    Default Re: R77.20 to R77.30 fresh install upgrade

    Quote Originally Posted by mcnallym View Post
    That will do the Gaia OS config; any Check Point config, such as $FWDIR/boot/modules/fwkern.conf or other such config files on the box, will need to be added back in manually, as they are Check Point configuration, not Gaia OS.

    As a final note on this, I wouldn't just go and copy/paste the contents of $FWDIR/boot/modules/fwkern.conf, as some of these settings can be changed in the new version. I would suggest investigating why these entries exist, and see if they still need to be in the new version. I have seen many a case where this was just copy/pasted and resulted in problems.
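
Added example (not part of any post in this thread, and not Check Point code): one way to act on the advice in post #5 is to turn the old gateway's $FWDIR/boot/modules/fwkern.conf into a review checklist against the freshly installed box instead of copying it across. The helper name, the output labels and the sample values are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: compare the fwkern.conf saved from the old gateway with the
# one on the freshly installed gateway and print a checklist for manual review.
# Nothing is copied or changed on either box.

# fwkern_review OLD_FILE NEW_FILE  (hypothetical helper name)
#   SAME    name=value         new box already has the same value
#   DIFFERS name old=X new=Y   both set it, values differ: investigate
#   MISSING name old=X         only the old box sets it: find out why first
fwkern_review() {
    old_file=$1
    new_file=$2
    [ -r "$old_file" ] || { echo "cannot read $old_file" >&2; return 2; }
    # A fresh install may have no fwkern.conf at all; treat that as empty.
    [ -r "$new_file" ] || new_file=/dev/null
    awk '
        function clean(s) {
            gsub(/^[ \t]+/, "", s); gsub(/[ \t\r]+$/, "", s); return s
        }
        /^[ \t]*#/ || /^[ \t\r]*$/ { next }   # skip comments and blank lines
        index($0, "=") == 0 { next }          # skip lines that are not name=value
        {
            name  = clean(substr($0, 1, index($0, "=") - 1))
            value = clean(substr($0, index($0, "=") + 1))
        }
        src == "new" { fresh[name] = value; next }
        !(name in fresh)     { printf "MISSING %s old=%s\n", name, value; next }
        fresh[name] == value { printf "SAME %s=%s\n", name, value; next }
        { printf "DIFFERS %s old=%s new=%s\n", name, value, fresh[name] }
    ' src=new "$new_file" src=old "$old_file"
}

# Constructed sample files (not real gateway data) so the example runs anywhere.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'fwha_mac_magic=254' 'fw_allow_simultaneous_ping=1' \
        '# added during an old support case' 'fwha_mac_forward_magic=253' \
        > "$tmp/old.conf"
    printf '%s\n' 'fw_allow_simultaneous_ping=1' 'fwha_mac_magic=250' \
        > "$tmp/new.conf"
    fwkern_review "$tmp/old.conf" "$tmp/new.conf"
    rm -rf "$tmp"
}

# With two file arguments review them, otherwise run the constructed demo.
if [ $# -eq 2 ]; then fwkern_review "$1" "$2"; else demo; fi
```

Copy the old file off the gateway before the clean install, then run the script with the saved copy and the new box's file as its two arguments.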

  6. #6
    Join Date
    2012-03-15
    Posts
    6
    Rep Power
    0

    Default Re: R77.20 to R77.30 fresh install upgrade

    Quote Originally Posted by mcnallym View Post
    clish -c "show configuration"

    from expert mode should print out the Gaia OS Configuration to the screen.

    Should be able to use the sk104221 bit with the copy and paste into a text file and then transfer the file to the new box and import that configuration file using what is in the SK article.

    That will do the Gaia OS config; any Check Point config, such as $FWDIR/boot/modules/fwkern.conf or other such config files on the box, will need to be added back in manually, as they are Check Point configuration, not Gaia OS.

    Thanks for your answers. Then I may conclude there is no REAL procedure to perform a configuration restoration in fact from my actual R77.20 to R77.30. All "procedures" include reconfiguring in some way the interfaces, routing, etc.
    Regarding the Licenses the solution is detach+attach.

    Kind Regards dudes!

  7. #7
    Join Date
    2007-06-04
    Posts
    3,278
    Rep Power
    16

    Default Re: R77.20 to R77.30 fresh install upgrade

    Quote Originally Posted by penix View Post
    Thanks for your answers. Then I may conclude there is no REAL procedure to perform a configuration restoration in fact from my actual R77.20 to R77.30. All "procedures" include reconfiguring in some way the interfaces, routing, etc.
    Regarding the Licenses the solution is detach+attach.

    Kind Regards dudes!

    That is correct. The backup file is version specific, so it requires that you perform the work manually (in some fashion) if upgrading by doing a clean image build to the new version. Backup isn't intended to be used for upgrades as such.

    Have seen some people do the following.

    1.) Prepare existing backup on current version
    2.) Do in-place upgrade on box
    3.) Backup upgraded version
    4.) Clean Build to upgraded version
    5.) Restore backup taken at 3.

    However you are restoring the config between the same version.

  8. #8
    Join Date
    2012-03-15
    Posts
    6
    Rep Power
    0

    Default Re: R77.20 to R77.30 fresh install upgrade

    Quote Originally Posted by mcnallym View Post
    That is correct. The backup file is version specific, so it requires that you perform the work manually (in some fashion) if upgrading by doing a clean image build to the new version. Backup isn't intended to be used for upgrades as such.

    Have seen some people do the following.

    1.) Prepare existing backup on current version
    2.) Do in-place upgrade on box
    3.) Backup upgraded version
    4.) Clean Build to upgraded version
    5.) Restore backup taken at 3.

    However you are restoring the config between the same version.

    Quiiieeeet strange... It may be a good idea but it's quite tricky. I'm thinking of doing a R77.20 snapshot, and just do the upgrade and see if everything looks fine. If something is wrong I'll think about the clean install and just push the policy from the Manager.

    Thanks for your help and comments guys.
    Kind Regards!
