CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Security management server and VSX gateways upgrade from R77.30 to R80.20

  1. #1
    Join Date
    2019-05-17
    Posts
    4
    Rep Power
    0

    Security management server and VSX gateways upgrade from R77.30 to R80.20

    Hello Guys,

    Hope all is good.

    I need your suggestions/help to migrate our existing Check Point VSX R77.30 environment to R80.20. Here are some details about the environment:

    8 gateways (all are physical appliances) running in VSX mode in 4 different-2 DCs. Three DCs are running R77.30 while a single DC is running R77.20.
    2 management servers in 2 separate DCs in active standby. Both are running R77.30.

    I did a lot of searching on the internet regarding this upgrade but did not find any suitable article/document, so I got confused. What I need from you now is:

    What is the best option for the upgrade (less risky and zero downtime), a specific tool for this upgrade, key considerations, and an appropriate article which has a step-by-step process?

    Thank you.

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    308
    Rep Power
    13

    Re: Security management server and VSX gateways upgrade from R77.30 to R80.20

    First, it's important to define "downtime".

    When you are upgrading your management server, you will not be able to access it to make changes or view logs (the management will be totally down). You should be able to use the secondary SmartCenter to view logs, but you should not make any changes on it.

    When you are upgrading the firewalls, there will be a point when you fail over from the old version to the new version. The "Connectivity Upgrade" and "Optimal Service Upgrade" are both supported R77.20->R80.20 and R77.30->R80.20, but I've seen those go badly wrong. I highly recommend you plan for downtime, then be happy if there isn't any.



    On the primary SmartCenter, you should get a 'migrate export' (copy it off-box, and make sure a copy unzips properly; this is your last-resort backup) and a snapshot, then do a "clean install". In clish:

    installer download [tab]
    installer clean-install [tab]


    This will build your SmartCenter with the new kernel and import your existing management config.

    Your secondary SmartCenter should just be rebuilt from the ground up. This generally isn't a big deal, since it's just a secondary SmartCenter.



    Finally, for the firewalls, you should follow the R80.20 Installation and Upgrade Guide's sections on "Upgrading a VSX gateway" and "Upgrading VSX High Availability Cluster".

    If you have never done this before, the actual upgrade process is very easy. You run 'vsx_util upgrade' on the management and follow a series of prompts to update the cluster object to the new version. Once that's done, you treat it like you're replacing a failed cluster member. You wipe a member, reinstall it from scratch at the new version, and use 'vsx_util reconfigure' on the management to reprovision it.

    Again, even though the Connectivity Upgrade method is offered for this, assume it will go wrong until you have tested it several times. Once I've written a plan to upgrade a VSX cluster, I generally test it in a VM environment at least 15 times to drill any fiddly little details of that specific cluster into my head before doing it for real. There are quite a few files used to customize a box which don't survive reinstallation of the OS (fwkern.conf, for example), so if these clusters predate you, it's easy to miss a setting somewhere.
    Zimmie
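
The warning above about customization files that do not survive an OS reinstall, as an added example that is not part of the original post: bash functions that record a hash manifest of hand-edited files before a member is wiped and report which ones are lost or changed after the rebuild. The function names are hypothetical, the list of files to track is the operator's own (the thread names only fwkern.conf), and `sha256sum` is assumed to be available.

```bash
#!/bin/bash
# Added example: manifest of hand-customized files, taken before a member is
# wiped and checked after it is rebuilt. The file list is the operator's own;
# the thread names only fwkern.conf. Function names are hypothetical.

# snapshot_files MANIFEST FILE...
# Records "<sha256>  <path>" for each file present, "MISSING  <path>" otherwise.
snapshot_files() {
    manifest=$1
    shift
    : > "$manifest"
    for f in "$@"; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$manifest"
        else
            printf 'MISSING  %s\n' "$f" >> "$manifest"
        fi
    done
}

# compare_manifest MANIFEST
# Prints LOST/CHANGED for every file that existed at snapshot time but is now
# absent or has different content. Returns 0 when nothing drifted, 1 otherwise.
compare_manifest() {
    drift=0
    while read -r sum path; do
        [ "$sum" = "MISSING" ] && continue
        if [ ! -f "$path" ]; then
            echo "LOST     $path"
            drift=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED  $path"
            drift=1
        fi
    done < "$1"
    return "$drift"
}
```

Store the manifest off-box together with copies of the files themselves; the manifest only identifies what needs restoring, it does not hold the contents.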

  3. #3
    Join Date
    2019-05-17
    Posts
    4
    Rep Power
    0

    Re: Security management server and VSX gateways upgrade from R77.30 to R80.20

    Thanks a lot, Zimmie, for such a clean explanation. However, if I plan the SmartCenter upgrade with CPUSE and a clean install on the secondary SmartCenter and then hook it up with the primary, isn't that good? And, as you have mentioned, perform a clean install of R80.20 on a new server and import the existing SmartCenter configuration, and then set up another R80.20 server as secondary and hook it up with the primary. In these two upgrade options, how is the licensing part involved? I mean, do I need to reinstall/reactivate/re-import the licenses on these new appliances (will keep the same IPs on both the new servers)?
    Also, if I go with CU, are there any official docs (since I didn't see any) for performing the steps, and any key considerations?

    Thank you.

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    308
    Rep Power
    13

    Re: Security management server and VSX gateways upgrade from R77.30 to R80.20

    Licensing is kind of a pain. I believe SmartCenter licenses come over with a migrate export and migrate import. Worst case, you can log in to the User Center, go to your account, and download the licenses again.

    Firewall licenses are a bit of a different story. If you use local licenses, you will need to download them from the User Center and apply them again, as above. If you use central licenses (which are highly recommended), the actual license is stored in the SmartCenter's database. You just use SmartUpdate to attach it again.

    sk107042, "ClusterXL upgrade methods and paths", describes the general form of each available upgrade path, along with outage considerations and limitations of each, and contains a table showing which paths are available between which versions. Once you know which path you want to take, there are links to further documentation of that path. You will probably be most interested in the "Connectivity Upgrade (CU) Best Practices Guide".
    Zimmie
