VSX Upgrade R77.30 to R80.30
Summary:
Step 1. Take a snapshot of management server or MDS server
Step 2. Upgrade object for the management of VSX firewall
Step 3. Backup VSX firewalls
Step 4. Upgrade CPUSE
Step 5. Upload and verify upgrade files
Step 6. Upgrade and install jumbo hotfix
Details:
Step 1. Take a snapshot of management server or MDS server
Step 2. Upgrade object for the management of VSX firewall
Run this on the management server and follow the screen prompt: vsx_util upgrade
Step 3. Backup VSX firewalls (also keep a copy of "show configuration")
See: R77 Gaia Admin Guide, search for "System Configuration Backup"
Main SK: sk100395
Step 4. Upgrade CPUSE
Download the latest CPUSE from sk92449
Note: if running a version below DeploymentAgent version 802, you will need to manually install the Deployment agent.
Follow the links:
https://checkpointengineer.com/install-gaia-cpuse-deployment-agent/
And
http://dkcheckpoint.blogspot.com/2017/11/how-to-fix-deployment-agent-issues.html
tar -zxvf DeploymentAgent_000001865_1.tgz
rpm -Uhv --force CPda-00-00.i386.rpm
killall -v clish clishd
$DADIR/bin/dastart
Step 5. Upload and verify upgrade files
installer import local /var/tmp/Check_Point_R80.30_T200_Fresh_Install_and_Upgrade_Security_Gateway.tgz
show installer packages
installer verify [tab]
installer verify 1
Step 6. Upgrade and install jumbo hotfix
6.1 upgrade the standby first
-
installer upgrade [package_number]
-
Once the firewall reboots, run "fw ver"
-
On the upgraded member, run: cphaprob state
-
Make sure that this cluster member is in the Ready state.
-
On the cluster member that still runs the previous version, run: cphaprob state
-
Make sure that this cluster member is in Active or Active Attention state, and that the upgraded member is in Down state.
6.2 install jumbo hotfix on the secondary firewall
-
Install jumbo hotfix (note, you will need to transfer the hotfix file after upgrade because it removes all files during upgrade)
-
installer import local /var/tmp/Check_Point_R80_30_JUMBO_HF_Bundle_T155_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz
-
Installer verify [jumbo_hotfix_package_number]
-
Installer install [jumbo_hotfix_package_number]
6.3 upgrade the primary firewall
-
On the cluster member that still runs the previous version, run:
vsenv 0
fwaccel off -a
fwaccel stat -a
-
On the upgraded cluster member, run: cphaprob state
-
Make sure this cluster member is in Active state and taking traffic
-
Make sure the cluster policy and vsx policy are still attached
-
Check firewall logs and/or ask customer to test
-
-
Failover the firewall cpstop (this will fail over the firewalls)
-
If everything looks good, repeat 5.1 and 5.2 to upgrade the primary firewall and install jumbo hotfix
6.4 failover the traffic back to the primary firewall
6.5 push policy to both cluster and vsx firewalls