VSX Upgrade R77.30 to R80.30

Summary:

Step 1. Take a snapshot of management server or MDS server

Step 2. Upgrade object for the management of VSX firewall

Step 3. Backup VSX firewalls

Step 4. Upgrade CPUSE

Step 5. Upload and verify upgrade files

Step 6. Upgrade and install jumbo hotfix

Details:

Step 1. Take a snapshot of management server or MDS server

Step 2. Upgrade object for the management of VSX firewall

             Run this on the management server and follow the screen prompt: vsx_util upgrade

Step 3. Backup VSX firewalls (also keep a copy of "show configuration")

           See: R77 Gaia Admin Guide, search for "System Configuration Backup"

            Main SK: sk100395

Step 4. Upgrade CPUSE

          Download the latest CPUSE from sk92449

          Note: if running a version below DeploymentAgent version 802, you will need to manually install the Deployment agent.     

 

          Follow the links:

                 https://checkpointengineer.com/install-gaia-cpuse-deployment-agent/

                                                     And

                 http://dkcheckpoint.blogspot.com/2017/11/how-to-fix-deployment-agent-issues.html

                             tar -zxvf DeploymentAgent_000001865_1.tgz

                         rpm -Uhv --force CPda-00-00.i386.rpm

                         killall -v clish clishd

                         $DADIR/bin/dastart

Step 5. Upload and verify upgrade files

https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=84065

 

                     installer import local /var/tmp/Check_Point_R80.30_T200_Fresh_Install_and_Upgrade_Security_Gateway.tgz

                    show installer packages

                    installer verify [tab]

                    installer verify 1

Step 6. Upgrade and install jumbo hotfix

Main SK: https://community.checkpoint.com/t5/General-Management-Topics/R77-30-VSX-appliance-upgrade-to-R80-10/td-p/5838

 

6.1 upgrade the standby first

  • installer upgrade [package_number]

  • Once the firewall reboots, run "fw ver"

  • On the upgraded member, run: cphaprob state

  • Make sure that this cluster member is in the Ready state.

  • On the cluster member that still runs the previous version, run: cphaprob state

  • Make sure that this cluster member is in Active or Active Attention state, and that the upgraded member is in Down state.

 

6.2 install jumbo hotfix on the secondary firewall

 

  • Install jumbo hotfix (note, you will need to transfer the hotfix file after upgrade because it removes all files during upgrade)

  • installer import local /var/tmp/Check_Point_R80_30_JUMBO_HF_Bundle_T155_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz

  • Installer verify [jumbo_hotfix_package_number]

  • Installer install [jumbo_hotfix_package_number]

 

6.3 upgrade the primary firewall

 

  • On the cluster member that still runs the previous version, run:

            vsenv 0

        fwaccel off -a

        fwaccel stat -a

 

  • On the upgraded cluster member, run: cphaprob state

    • Make sure this cluster member is in Active state and taking traffic

    • Make sure the cluster policy and vsx policy are still attached

    • Check firewall logs and/or ask customer to test

 

  • Failover the firewall cpstop (this will fail over the firewalls)

 

  • If everything looks good, repeat 5.1 and 5.2 to upgrade the primary firewall and install jumbo hotfix

 

6.4 failover the traffic back to the primary firewall

 

6.5 push policy to both cluster and vsx firewalls