R77.30 to R80.20 migration.

[samy.ccnp]

Hello guys,

I ma planning to do migration of existing checkpoint version R77.30 to R80.20 so walked through the number of articles and videos but there are lots of things but simply i want to know the steps and recommended options for this upgrade.

so here is the infra 2 Smart center in HA R77.30 and VSX cluster for the GWs. R77.30

so
1- if i want to plan Smart center first then shall plan upgrade with CPUSE on existing machine or clean installation on new VM/Hardware ? Please suggest
2- Clean install on secondary smart center and connect with primary.
3- when upgrading the VSX gateways the best to upgrade .


looking for your kind response.

[Don_Doc]

I am in the same boat as you...

Waiting for response on the thread

[Bob_Zimmerman]

I am told with R80.20, a clean install is preferred. Here's the general process I would use:

1. Export the configuration from the management and import it into a VM for testing purposes. Do you get any errors?
2. When ready to make the upgrade for real, freeze changes to the management.
3. Export a new copy of the configuration.
4. Import into a VM to make sure the file is good.
5. Perform a clean install on whatever platform you want. VM, physical box, wherever you want your primary management to end up.
6. Import the configuration onto the "new" management server.
7. Make sure you can push policy to the firewalls. It should be safe to unfreeze management changes at this point.
8. Do a clean install on the secondary management.
9. Establish communications between the primary and secondary managements, and synchronize them.

Fortunately, VSX means the firewall upgrades will be extremely easy after the management upgrade is done. Again, a general process:

1. Build config_system files for each firewall. These files contain answers for all the first-time wizard questions.
2. Record any local configuration from the contexts. The only local items I can think of are proxy ARP (in the $FWDIR/local.arp for each context) and dynamic routing config.
3. Do a clean install on your first member. Use config_system to configure it according to the file created earlier.
4. Use 'vsx_util reconfigure' on the SmartCenter to establish SIC and provision the first member.
5. Apply any local config for the first member.
6. Do a clean install on your second member. Use config_system to configure it according to the file created earlier.
7. Use 'vsx_util reconfigure' on the SmartCenter to establish SIC and provision the second member.
8. Apply any local config for the second member.

Depending on the traffic outage you can tolerate, it may actually be that simple. You can also use some more involved options like the Connectivity Upgrade (described in sk107042) if you need a shorter outage window. That mostly affects things between the first 'vsx_util reconfigure' and the clean install on the second member.