CONNECTIVITY UPGRADE
Best Practices
Classification: [Protected]
CHAPTER 1
Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.
More Information
Visit the Check Point Support Center.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
02 April 2019 Improved formatting and document layout
28 March 2019 Updated:
• Connectivity Upgrade of a VSX Cluster (on page 20) - removed the
step "Stop the SecureXL"
• Connectivity Upgrade of a VRRP Cluster (on page 30) - removed the
step "Stop the SecureXL"
10 October 2018 Updated:
• Connectivity Upgrade Limitations (on page 10) - added "VPN
connections that originate from a DAIP Gateway, do not survive the
Connectivity Upgrade."
26 September 2018 Added:
• Support for R80.20
Updated:
• Connectivity Upgrade of a VSX Cluster (on page 20) - added the
"cphacu stop" command
27 August 2018 General Updates
05 August 2018 Updated:
• Other Upgrade Methods (on page 43)
19 July 2018 Updated:
• Upgrading a Security Gateway ClusterXL with 2 Members - improved
instructions
• Upgrading a Security Gateway ClusterXL with More Than 2 Members
(on page 12) - improved instructions
• Upgrading a VSX Cluster with 2 Members - instead of upgrade with a
clean install, use CPUSE
• Upgrading a VSX Cluster with More Than 2 Members (on page 20) -
instead of upgrade with a clean install, use CPUSE
01 May 2018 General Updates
14 May 2017 General Updates
09 April 2017 Dynamic Routing support and minor improvements
30 December 2015 First release of this document
Contents
Important Information
Introduction
Connectivity Upgrade Prerequisites
Supported Versions for Connectivity Upgrade
Connectivity Upgrade Limitations
Connectivity Upgrade of a Security Gateway Cluster
Connectivity Upgrade of a VSX Cluster
Connectivity Upgrade of a VRRP Cluster
Troubleshooting the Connectivity Upgrade
Connectivity Upgrade Error Messages
Other Cluster Upgrade Methods
Backing Up and Restoring
CHAPTER 2
Introduction
Important - Starting from R80.20, this guide is a part of the Installation and Upgrade Guide.
A Connectivity Upgrade (CU) lets you upgrade ClusterXL clusters on live systems without
downtime.
In a Connectivity Upgrade:
• Connection failover is guaranteed.
• There is always at least one Active cluster member that handles the traffic.
• Connections are synchronized among cluster members, which run different Check Point
software versions.
Connectivity Upgrade supports Dynamic Routing Synchronization when you upgrade to:
• R80.10 and above
• R77.30DR (R77.30 Jumbo Hotfix Take 198 and above)
• R77.20DR (R77.20 Jumbo Hotfix Take 198 and above)
3 Upgrade the Management Server and Log Servers to the same version or above, to which
you wish to upgrade your cluster.
4 Schedule a full maintenance window to make sure you can make all the desired custom
configurations again after the upgrade.
| Upgrade from version / to version | R77.20 | R77.20DR | R77.30 | R77.30DR | R80.10 | R80.20 (*) |
|---|---|---|---|---|---|---|
| R80.10 | x | x | x | x | x | CU with DR |
| R77.30DR | x | x | x | x | CU with DR | CU with DR |
| R77.30 | x | x | x | x | CU with DR | CU with DR |
| R77.20DR | x | x | CU | CU with DR | CU with DR | CU with DR |
| R77.20 | x | x | CU | CU with DR | CU with DR | CU with DR |
| R77.10 | x | x | CU | CU with DR | CU with DR | CU with DR |
| R77 | x | x | CU | CU with DR | CU with DR | CU with DR |
| R76 | CU | CU with DR | CU | CU with DR | CU with DR | CU with DR |
| R75.47 | CU | CU with DR | CU | CU with DR | CU with DR | CU with DR |
| R75.46 | CU | CU with DR | CU | CU with DR | CU with DR | CU with DR |
| R75.40VS | CU | CU with DR | CU | CU with DR | CU with DR | CU with DR |
Notes:
• For supported upgrade paths, see the Release Notes for the version, to which you wish to
upgrade.
• For upgrade action plans, during which the Dynamic Routing information is synchronized, see
sk107042.
• "R77.20DR" denotes R77.20 with Take 200 (or higher) of R77.20 Jumbo Hotfix Accumulator.
• "R77.30DR" denotes R77.30 with Take 198 (or higher) of R77.30 Jumbo Hotfix Accumulator.
• "x" denotes that such upgrade path is not supported.
• "CU" denotes Connectivity Upgrade, during which the Dynamic Routing information is not
synchronized.
• "CU with DR" denotes Connectivity Upgrade, during which the Dynamic Routing information is
synchronized.
• Notes for VRRP Clusters on Gaia:
  • To upgrade a VRRP Cluster to R80.20 with the Connectivity Upgrade, you must install the
    R80.20 Jumbo Hotfix Accumulator - Take 17 and above (to resolve PMTR-23850)
  • Connectivity Upgrade without Dynamic Routing synchronization supports:
    • upgrades to R80.20 and above
    • upgrades to R80.10
    • upgrades to "R77.30DR"
    • upgrades to "R77.20DR"
  • Connectivity Upgrade with Dynamic Routing synchronization supports only:
    • upgrades from R80.10 to R80.20, and above
    • upgrades from R77.30 to R80.10, and above
The procedure below describes an example High Availability cluster with three members M1, M2
and M3. However, it can be used for clusters that consist of two or more members.
Step 2 of 19: On the Standby cluster member M2 - Upgrade to R80.20 with CPUSE, or
perform a Clean Install of R80.20
See these sections in the R80.20 Installation and Upgrade Guide:
• For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
• For clean install instructions, see Installing a ClusterXL Cluster, or Installing a VRRP Cluster.
Notes:
• You must reboot the cluster member after the upgrade or clean install.
• Configure dynamic routing based on the Connectivity Upgrade Known Limitations (on page 10).
Step 3 of 19: On the Standby cluster member M3 - Upgrade to R80.20 with CPUSE, or
perform a Clean Install of R80.20
See these sections in the R80.20 Installation and Upgrade Guide:
• For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
• For clean install instructions, see Installing a ClusterXL Cluster, or Installing a VRRP Cluster.
Notes:
• You must reboot the cluster member after the upgrade or clean install.
• Configure dynamic routing based on the Connectivity Upgrade Known Limitations (on page 10).
Step 4 of 19: In SmartConsole - Modify the Cluster object and install the Access Control
Policy
Step Description
1 Connect with SmartConsole to the R80.20 Security Management Server or Domain
Management Server that manages this cluster.
4 From the left navigation tree, click the General Properties page.
6 Click OK.
9 The Access Control Policy successfully installs on the upgraded cluster members M2 and
M3.
The Access Control Policy installation fails on the old cluster member M1 with a warning.
Ignore this warning.
Step 6 of 19: Stop all, except one, of the upgraded Standby cluster members
Step Description
1 Connect to the command line on all the upgraded cluster members (for example, M3),
except one (for example, M2).
2 Stop all Check Point services on all the upgraded members (for example, M3), except one
(for example, M2):
cpstop
Step 8 of 19: On the working upgraded cluster member - Start the Connectivity Upgrade
Step Description
1 Connect to the command line on the working upgraded cluster member M2.
Step 9 of 19: On the old cluster member - Make sure it handles the traffic
Step Description
1 Connect to the command line on the Active old cluster member M1.
Step 10 of 19: On the working upgraded cluster member - Make sure the Connectivity
Upgrade is complete
Step Description
1 When the Connectivity Upgrade finishes on the working upgraded cluster member M2, this
message shows:
Connectivity upgrade status: Ready for Failover
Step 11 of 19: On the stopped upgraded cluster member - Start all Check Point services
Step Description
1 Connect to the command line on the stopped upgraded cluster members (in our example,
M3).
Step 13 of 19: On the Active old cluster member - Stop all Check Point services
Step Description
1 Connect to the command line on the Active old cluster member M1.
Step 14 of 19: On the upgraded cluster members - Examine the cluster state and make
sure the Active handles the traffic
Step Description
1 Connect to the command line on the upgraded cluster members M2 and M3.
Step 15 of 19: On the former Active old cluster member - Upgrade to R80.20 with
CPUSE, or perform a Clean Install of R80.20
See these sections in the R80.20 Installation and Upgrade Guide:
• For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
• For clean install instructions, see Installing a ClusterXL Cluster, or Installing a VRRP Cluster.
Notes:
• You must reboot the cluster member after the upgrade or clean install.
• Configure dynamic routing based on the Connectivity Upgrade Known Limitations (on page 10).
5 The Access Control Policy successfully installs on all the cluster members.
Step 18 of 19: On each cluster member - Change the CCP mode to Auto
Step Description
1 Connect to the command line on each cluster member.
2 From the left navigation panel, click Logs & Monitor > Logs.
3 Examine the logs from this Cluster to make sure it inspects the traffic as expected.
Step 1 of 20: On the Management Server - Upgrade the configuration of the VSX Cluster
object to R80.20
Step Description
1 Connect to the command line on the Security Management Server or Multi-Domain Server
that manages this VSX Cluster.
3 On a Multi-Domain Server, switch to the context of the Main Domain Management Server
that manages this VSX Cluster object:
mdsenv <IP Address or Name of Main Domain Management Server>
4A Run:
vsx_util upgrade
This command is interactive.
5 Connect with SmartConsole to the R80.20 Security Management Server or Main Domain
Management Server that manages this VSX Cluster.
8 From the left navigation tree, click the General Properties page.
9 Make sure in the Platform section, the Version field shows R80.20.
2 Transfer the upgrade image to the current VSX Cluster Members to some directory (for
example, /var/log/path_to_upgrade_image/).
Note - Make sure to transfer the file in the binary mode.
Step 3 of 20: On each VSX Cluster Member - Examine the cluster state and get the
Cluster Member IDs
Step Description
1 Connect to the command line on each VSX Cluster Member.
Step 4 of 20: On all VSX Cluster Members with higher Cluster Member IDs - Upgrade to
R80.20 with CPUSE, or perform a Clean Install of R80.20
Upgrade or perform Clean Install on all of the VSX Cluster Members (in our example, M2 and M3),
except for the VSX Cluster Member with the lowest Cluster Member ID (in our example, M1).
• For upgrade instructions (recommended), see Upgrading a VSX Gateway with CPUSE.
Note that you already upgraded the configuration of the VSX Cluster object to R80.20.
• For clean install instructions, see Installing a VSX Cluster.
Notes:
• You must reboot the VSX Cluster Member after the upgrade or clean install.
• Configure dynamic routing based on the Connectivity Upgrade Limitations (on page 10).
5 The Access Control Policy successfully installs on the upgraded VSX Cluster Members M2
and M3.
The Access Control Policy installation fails on the old VSX Cluster Member M1 with a
warning. Ignore this warning.
Step 6 of 20: On each VSX Cluster Member - Examine the cluster state
Step Description
1 Connect to the command line on each VSX Cluster Member.
Step 7 of 20: Stop all, except one, of the upgraded VSX Cluster Members
Step Description
1 Connect to the command line on all the upgraded VSX Cluster Members M2 and M3.
2 Stop all Check Point services on all upgraded members (for example, M3), except one (for
example, M2):
cpstop
Step 8 of 20: On each VSX Cluster Member - Examine the cluster state
Step Description
1 Connect to the command line on each VSX Cluster Member.
Step 9 of 20: On the working upgraded VSX Cluster Member - Start the Connectivity
Upgrade
Step Description
1 Connect to the command line on the working upgraded VSX Cluster Member M2.
Step 10 of 20: On the old VSX Cluster Member - Make sure it handles the traffic
Step Description
1 Connect to the command line on the Active old VSX Cluster Member M1.
Step 11 of 20: On the working upgraded VSX Cluster Member - Make sure the
Connectivity Upgrade is complete
Step Description
1 When the Connectivity Upgrade finishes on the working upgraded VSX Cluster Member M2,
this message shows:
Connectivity upgrade status: Ready for Failover
Step 12 of 20: On the stopped upgraded VSX Cluster Members - Start all Check Point
services
Step Description
1 Connect to the command line on the stopped upgraded VSX Cluster Members (in our
example, M3).
Step 13 of 20: On each VSX Cluster Member - Examine the cluster state
Step Description
1 Connect to the command line on each VSX Cluster Member.
Step 14 of 20: On the Active old VSX Cluster Member - Stop all Check Point services
Step Description
1 Connect to the command line on the Active old VSX Cluster Member M1.
Step 15 of 20: On the upgraded VSX Cluster Members - Examine the cluster state and
make sure the Active handles the traffic
Step Description
1 Connect to the command line on the upgraded VSX Cluster Members M2 and M3.
Step 16 of 20: On the former Active old VSX Cluster Member - Upgrade to R80.20 with
CPUSE, or perform a Clean Install of R80.20
See these sections in the R80.20 Installation and Upgrade Guide:
• For upgrade instructions, see Upgrading a VSX Gateway with CPUSE.
Note that you already upgraded the configuration of the VSX Cluster object to R80.20.
• For clean install instructions, see Installing a Security Gateway.
Notes:
• You must reboot the VSX Cluster Member after the upgrade or clean install.
• Configure dynamic routing based on the Connectivity Upgrade Limitations (on page 10).
5 The Access Control Policy successfully installs on all the VSX Cluster Members.
Step 18 of 20: On each VSX Cluster Member - Examine the cluster state
Step Description
1 Connect to the command line on each cluster member.
Step 19 of 20: On each VSX Cluster Member - Change the CCP mode to Auto
Step Description
1 Connect to the command line on each VSX Cluster Member.
2 From the left navigation panel, click Logs & Monitor > Logs.
3 Examine the logs from Virtual Systems on this VSX Cluster to make sure they inspect the
traffic as expected.
Step 1 of 24: On each VRRP Cluster Member - Examine the VRRP state
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 2 of 24: On the VRRP Master cluster member M1 - Examine the Critical Devices
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 3 of 24: On the VRRP Master cluster member M1 - Enable the Monitor Firewall
State feature
Enable the Monitor Firewall State feature (if not already enabled) in one of these ways:
Where Instructions
In Gaia Clish Run:
1. set vrrp monitor-firewall on
2. save config
Step 4 of 24: On the VRRP Master cluster member M1 - Make sure it is still the VRRP
Master:
Where Instructions
In Gaia Clish Run:
show vrrp summary
Step 6 of 24: On the VRRP Backup cluster member M2 - Upgrade to R80.20 with CPUSE,
or perform a Clean Install of R80.20
See these sections in the R80.20 Installation and Upgrade Guide:
• For upgrade instructions, see Upgrading a Security Gateway with CPUSE
• For clean install instructions, see Installing a VRRP Cluster.
Notes:
• You must reboot the cluster member after the upgrade or clean install.
• You must disable the preemptive mode (if it is enabled).
• Configure dynamic routing based on the Connectivity Upgrade Limitations (on page 10).
Step 7 of 24: On the upgraded VRRP Cluster Member M2 - Install the R80.20 Jumbo
Hotfix Accumulator
You must install Take 17 and above. Follow the instructions in sk137592.
Step 8 of 24: In SmartConsole - Modify the Cluster object and install the Access Control
Policy
Step Description
1 Connect with SmartConsole to the R80.20 Security Management Server or Domain
Management Server that manages this VRRP Cluster.
4 From the left navigation tree, click the General Properties page.
6 Click OK.
9 The Access Control Policy successfully installs on the upgraded cluster member M2.
The Access Control Policy installation fails on the old cluster member M1 with a warning.
Ignore this warning.
Step 9 of 24: On each VRRP Cluster Member - Examine the cluster state
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 10 of 24: On each VRRP Cluster Member - Examine the VRRP state
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 11 of 24: On the upgraded VRRP Cluster Member M2 - Start the Connectivity
Upgrade
Step Description
1 Connect to the command line on the upgraded VRRP Cluster Member M2.
Step 12 of 24: On the old VRRP Cluster Member M1 - Make sure it handles the traffic
Step Description
1 Connect to the command line on the old VRRP Cluster Member M1.
Step 13 of 24: On the upgraded VRRP Cluster Member M2 - Make sure the Connectivity
Upgrade is complete
Step Description
1 When the Connectivity Upgrade finishes on the upgraded VRRP Cluster Member M2, this
message shows:
Connectivity upgrade status: Ready for Failover
Step 14 of 24: On each VRRP Cluster Member - Examine the cluster state
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 15 of 24: On each VRRP Cluster Member - Examine the VRRP state
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 16 of 24: On the old VRRP Cluster Member M1 - Stop all Check Point services
Step Description
1 Connect to the command line on the old VRRP Cluster Member M1.
Step 17 of 24: On the upgraded VRRP Cluster Member M2 - Examine the cluster state
and make sure it handles the traffic
Step Description
1 Connect to the command line on the upgraded VRRP Cluster Member M2.
Step 18 of 24: On the old VRRP Cluster Member M1 - Upgrade to R80.20 with CPUSE, or
perform a Clean Install of R80.20
See these sections in the R80.20 Installation and Upgrade Guide:
• For upgrade instructions, see Upgrading a Security Gateway with CPUSE.
• For clean install instructions, see Installing a VRRP Cluster.
Notes:
• You must reboot the cluster member after the upgrade or clean install.
• Configure dynamic routing based on the Connectivity Upgrade Limitations (on page 10).
Step 19 of 24: On the upgraded VRRP Cluster Member M1 - Install the R80.20 Jumbo
Hotfix Accumulator
You must install Take 17 and above.
You must install the same Take you installed on the VRRP Cluster Member M2.
Follow the instructions in sk137592.
5 The Access Control Policy successfully installs on all the cluster members.
Step 21 of 24: On each VRRP Cluster Member - Examine the cluster state
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 22 of 24: On each VRRP Cluster Member - Examine the VRRP state
Step Description
1 Connect to the command line on each VRRP Cluster Member.
Step 23 of 24: On each VRRP Cluster Member - Change the CCP mode to Auto
Step Description
1 Connect to the command line on each VRRP Cluster Member.
2 From the left navigation panel, click Logs & Monitor > Logs.
3 Examine the logs from this VRRP Cluster to make sure it inspects the traffic as expected.
Error: Failed to get kernel parameter ###
Description: CU could not retrieve the kernel parameter, which can happen if CU is on the old Cluster Member.

Error: You must specify the Sync IP and the member Id of the old member
Description: The user did not pass the sync IP and Cluster Member ID to the CU script.

Error: Invalid IP address
Description: The IP address passed to the CU script is not in valid format.

Error: The member Id must be between 1-4
Description: An invalid Cluster Member ID was passed to the CU script.

Error: Only a single instance of connectivity upgrade can run at a time
Description: The CU script is already running, and the user is trying to run CU again. Run the ps auxw | grep cphacu command to make sure that the CU script is running and wait until CU finishes running.

Error: Failed to get member state
Description: CU could not get the cluster state of the local Cluster Member. Run the cphaprob state command on the local Cluster Member and make sure that the output shows the state of the local Cluster Member.

Error: Connectivity upgrade failed since the local member is not in Ready state
Description: CU only runs if the new Cluster Member is in the Ready state. CU checks many times whether the Cluster Member is in the Ready state. If the Cluster Member is still not in the Ready state, then the CU script exits.

Error: Connectivity upgrade failed since Synchronization PNote is set to problem
Description: For Security Gateways only: CU only runs if the Critical Device Synchronization reports its state as OK. CU checks many times whether the Critical Device Synchronization reports its state as OK. If the Critical Device Synchronization reports its state as PROBLEM, then the CU script exits. If you get this error, install policy on this cluster and run the cphacu script again.

Error: Connectivity upgrade failed because CPHAPROB cannot see the old member's state.
Description: When CU starts, the two Cluster Members begin to communicate, and the new Cluster Member sees the old Cluster Member as Active. Check communication on the Sync interface, and make sure that the MAC Magic Configuration is correct.

Error: Failed to enable Connectivity Upgrade
Description: CU could not update the kernel about the status of this kernel parameter.

Error: Failed to get fwha_version
Error: Failed to get fwha_cu_override_last_heard_ccp_version of the other member
Error: Failed to get fwha_cu_last_heard_ccp_version of the other member
Description: This can happen if you run CU on a version that does not support CU.

Error: Failed to initialize full sync for VS ###; Connectivity Upgrade failed
Description: CU failed to start a Full Sync for this Virtual System, which synchronizes the connections from the old Cluster Member to the new Cluster Member.

Error: Failed to run fullsync for VS ###; Connectivity Upgrade failed
Description: The Full Sync started, but did not finish for this Virtual System. This means that some of the connections were not synchronized.

Error: Failed to run cphacu state for VS ###
Description: The script cphacu state failed to show the current CU state for this Virtual System.

Error: Error printing connections table per vs
Description: CU failed to print the connection table summary for each Virtual System.
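An added example (not Check Point's code and not part of the original guide): a POSIX shell gate that reads captured Connectivity Upgrade output and allows the failover step only when the "Ready for Failover" status quoted in the procedure is present and none of the error messages listed above appear. The function names and the sample captures are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): decide from captured Connectivity
# Upgrade output whether the old Active member may be stopped.

# Fixed substrings of the failure messages in the error table on this page.
# The "###" placeholders are variable, so only the constant part is matched.
cu_known_errors() {
cat <<'EOF'
Failed to get kernel parameter
You must specify the Sync IP
Invalid IP address
The member Id must be between 1-4
Only a single instance of connectivity upgrade can run at a time
Failed to get member state
local member is not in Ready state
Synchronization PNote is set to problem
CPHAPROB cannot see the old member's state
Failed to enable Connectivity Upgrade
Failed to get fwha_
Failed to initialize full sync for VS
Failed to run fullsync for VS
Failed to run cphacu state for VS
Error printing connections table per vs
EOF
}

# Print the first known failure message found in the captured text, if any.
cu_find_error() {
    captured=$1
    cu_known_errors | while IFS= read -r pattern; do
        if printf '%s\n' "$captured" | grep -qiF -- "$pattern"; then
            printf '%s\n' "$pattern"
            break
        fi
    done
}

# Exit status: 0 = ready for failover, 1 = CU reported a failure, 2 = not ready yet.
# A reported failure always wins, even if a Ready line also appears in the capture.
cu_gate() {
    err=$(cu_find_error "$1")
    if [ -n "$err" ]; then
        echo "BLOCK: $err"
        return 1
    fi
    if printf '%s\n' "$1" | grep -qF 'Connectivity upgrade status: Ready for Failover'; then
        echo "OK: Ready for Failover"
        return 0
    fi
    echo "WAIT: no Ready for Failover status yet"
    return 2
}

# Constructed sample captures; only the status and error strings come from the page.
SAMPLE_READY='[constructed] sync finished
Connectivity upgrade status: Ready for Failover'
SAMPLE_PENDING='[constructed] sync still running'
SAMPLE_FAILED='[constructed] sync started
Failed to run fullsync for VS 2; Connectivity Upgrade failed
Connectivity upgrade status: Ready for Failover'

cu_gate "$SAMPLE_READY"   || true
cu_gate "$SAMPLE_PENDING" || true
cu_gate "$SAMPLE_FAILED"  || true
```

Blocking on a partial Full Sync matters because, as the table states, some connections were not synchronized, so stopping the old member at that point drops them.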
For more information, see the Installation and Upgrade Guide for the version, to which you wish
to upgrade.
2 Immediately after the Pre-Upgrade Verifier (PUV) finishes successfully and does not show
you further suggestions:
• Save a second snapshot of your source system.
• Save a second backup of your source system.
• Collect a second CPinfo file from your source system.
3 Transfer the CPinfo file, snapshot, backup files, and exported database files to external
storage devices. Make sure to transfer the files in the binary mode.