Upgrade Check Point VSX Firewall Cluster from R77.20 to R77.30 with Jumbo HFA Installation
Upgrading a firewall cluster is a tedious task for any operations engineer. This article will help you plan and execute your next implementation better. It demonstrates how to take a backup and a snapshot, how to upgrade both gateway members to the latest build, and how to roll back if something goes wrong.
Step 1 – Obtain a Backup and Snapshot of the Firewalls
Log in to CLISH on the first firewall, CheckpointFW1, and run:
Hostname> add backup local
Log in to CLISH on the second firewall, CheckpointFW2, and run the same command:
Hostname> add backup local
Confirm the status of the backup:
Hostname> show backup status
Retrieve the backup files from /var/log/CPbackup/backups/ on both firewalls, CheckpointFW1 and CheckpointFW2, to a local computer.
Take a snapshot of each device:
Hostname> add snapshot snapshotR77_20_take191
Verify the status of the snapshot:
Hostname> show snapshots
Export the image to a path from which it can be copied off the device:
Hostname> set snapshot export snapshotR77_20_take191 path /var/tmp name snapshotR77_20_take191
Step 2 – Take a backup of the contents of the following files if they contain any data
$FWDIR/boot/modules/fwkern.conf
(On this cluster the file contains the following settings: fwha_vmac_global_param_enabled=1 and fw_allow_simultaneous_ping=1)
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
/var/ace/sdconf.rec
/var/ace/sdopts.rec
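As an added example (not part of the original article), the script below gathers the files listed above that actually contain data into one archive with their paths preserved, and applies the free-space rule from the NOTES section (backup partition larger than 1.15 times the space used by root) before a snapshot is taken. It assumes $FWDIR and $PPKDIR are set, as they are in Expert mode on Gaia; the archive name under /var/tmp and the function names are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the original article: archive the Step 2 files
# that actually contain data, and apply the snapshot free-space rule from
# the NOTES section. $FWDIR and $PPKDIR are set in Expert mode on Gaia; on
# any other host they are unset, the gateway-specific entries are omitted and
# the script only defines its functions.

# Print the Step 2 file list, one path per line.
cp_config_files() {
    if [ -n "${FWDIR:-}" ]; then
        printf '%s\n' \
            "$FWDIR/boot/modules/fwkern.conf" \
            "$FWDIR/boot/modules/vpnkern.conf" \
            "$FWDIR/conf/fwaffinity.conf" \
            "$FWDIR/conf/fwauthd.conf" \
            "$FWDIR/conf/local.arp" \
            "$FWDIR/conf/discntd.if" \
            "$FWDIR/conf/cpha_bond_ls_config.conf" \
            "$FWDIR/conf/resctrl" \
            "$FWDIR/conf/vsaffinity_exception.conf"
    fi
    if [ -n "${PPKDIR:-}" ]; then
        printf '%s\n' \
            "$PPKDIR/boot/modules/simkern.conf" \
            "$PPKDIR/boot/modules/sim_aff.conf"
    fi
    printf '%s\n' /var/ace/sdconf.rec /var/ace/sdopts.rec
}

# collect_cp_config DEST_TGZ FILE...
# Archive every FILE that exists and is non-empty (Step 2: "if they contain
# any data"), keeping the absolute path so the archive records where each
# file came from. Prints the archived paths, one per line; returns 1 when
# there is nothing to archive. Gaia paths contain no spaces, so plain word
# splitting of the accumulated list is safe.
collect_cp_config() {
    ccc_dest=$1; shift
    ccc_found=""
    for ccc_f in "$@"; do
        if [ -s "$ccc_f" ]; then
            ccc_found="$ccc_found $ccc_f"
        fi
    done
    [ -n "$ccc_found" ] || return 1
    # -P stores the leading "/" instead of stripping it.
    tar -czPf "$ccc_dest" $ccc_found || return 1
    printf '%s\n' $ccc_found
}

# snapshot_space_ok ROOT_USED_KB BACKUP_FREE_KB
# NOTES: the backup partition must have more than 1.15 x the space used by
# the root partition. Integer arithmetic: free > used*1.15 <=> free*100 > used*115.
snapshot_space_ok() {
    [ $(( $2 * 100 )) -gt $(( $1 * 115 )) ]
}

# Stand-alone run on a gateway (Expert mode). The archive name is this
# example's choice; nothing runs when $FWDIR is not set.
if [ -n "${FWDIR:-}" ]; then
    pre_dest="/var/tmp/cp_conf_pre_upgrade_$(hostname)_$(date +%Y%m%d).tgz"
    if collect_cp_config "$pre_dest" $(cp_config_files); then
        echo "archived to $pre_dest"
    else
        echo "none of the listed files contain data; nothing archived"
    fi
fi
```

After the upgrade, extract the archive without -P into a scratch directory (`tar -xzf /var/tmp/cp_conf_pre_upgrade_*.tgz -C /var/tmp/pre`); tar then strips the leading "/" and the old and new copies of each file can be compared with diff before anything is put back. The KB figures for snapshot_space_ok come from `df -Pk` of the root filesystem (Used column) and of the partition that holds the snapshots (Available column).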
Step 3 – Upgrade to the latest CPUSE build on each gateway, CheckpointFW1 and CheckpointFW2
- Download the latest build of the CPUSE Agent from sk92449: https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=55944
- Transfer the CPUSE Agent package (DeploymentAgent_000001272_1.gz) to /var/tmp on the machine.
- Unpack the CPUSE Agent package:
[Expert@HostName:0]# cd /var/tmp
[Expert@HostName:0]# tar -zxvf DeploymentAgent_000001272_1.gz
- Install the CPUSE Agent RPM:
[Expert@HostName:0]# rpm -Uhv --force CPda-00-00.i386.rpm
- Start the CPUSE Agent manually:
[Expert@HostName:0]# $DADIR/bin/dastart
Step 4 – Uninstall Jumbo HFA Take 191 using the legacy method or CPUSE
Note: As Jumbo HFA Take 191 was installed using the legacy method, it is uninstalled using the legacy method as well.
- Transfer the Jumbo Hotfix Accumulator package (use the Take that is currently installed, or higher) to the machine, for example into /var/tmp.
- Connect to the command line on Gaia OS and log in to Expert mode.
- Unpack the hotfix package:
[Expert@HostName:0]# cd /var/tmp
[Expert@HostName:0]# tar -zxvf <Jumbo_HFA_package>.tgz
- Run the installation script with the '-u' flag:
[Expert@HostName:0]# ./UnixInstallScript -u
You should see the following text on the screen:
*** Welcome to Check Point Uninstall Utility
All packages will be uninstalled.
Uninstallation program is about to stop all Check Point processes. Do you want to continue (y/n) ?
Note: The script stops all Check Point services (cpstop); read the output on the screen.
- Reboot the machine.
Step 5 – Download the R77.30 upgrade TGZ package and import it into the CPUSE repository
Download the CPUSE package for the upgrade from R77.20 to R77.30 from the link below: https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=41380
Transfer the file to /var/tmp/ on both firewalls, CheckpointFW1 and CheckpointFW2.
Log in to CLISH.
Acquire the lock over the Gaia configuration database:
HostName:0> lock database override
Import the package from the hard disk:
HostName:0> installer import local /var/tmp/<77.30UpgrdPkg>.tgz
Show the imported packages:
HostName:0> show installer packages imported
Step 6 – Upgrade using CPUSE via CLI
The following references are used in the procedure below:
Last upgraded – denotes the last member to be upgraded (in an HA cluster this should be the Active member, CheckpointFW1).
First upgraded – denotes the first member to be upgraded and reconfigured, CheckpointFW2.
1. Stop Check Point services on the first upgraded VSX cluster member:
[Expert@HostName:0]# cpstop
Note: In a VSX Load Sharing (VSLS) cluster, this causes a fail-over.
2. Perform the in-place upgrade from R77.20 to R77.30 on the first upgraded cluster member. Log in to CLISH and run the CPUSE installer commands:
Hostname> installer verify {<Package_Number> | <Package_Name>}
Hostname> installer install {<Package_Number> | <Package_Name>}
Note: Installation starts immediately and the device reboots automatically.
3. On the first upgraded VSX cluster member, verify that it is ready for fail-over:
o All Virtual Systems must be up with the correct policy (this may take a few minutes):
[Expert@HostName:0]# vsx stat -v
o The state of the cluster member must be 'Ready':
[Expert@HostName:0]# cphaprob state
4. To complete the upgrade to R77.30, you can use either:
a. Connectivity Upgrade (CU)
b. Optimal Service Upgrade (OSU)
The steps from point 5 onward show the Optimal Service Upgrade.
5. Stop Check Point services on the last upgraded VSX cluster member (the one still running the old VSX version):
[Expert@HostName:0]# cpstop
Note: This causes a fail-over, and the first upgraded VSX cluster member becomes Active.
6. Perform the in-place upgrade from R77.20 to R77.30 on the last upgraded cluster member. Log in to CLISH and run:
Hostname> installer install {<Package_Number> | <Package_Name>}
Installation starts immediately and the device reboots automatically. After the reboot, the installation is complete.
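Step 3 above is the gate that decides whether it is safe to run cpstop on the old member: the first upgraded member must have every Virtual System active with its policy installed and must report the Ready state. As an added example (not part of the original article or of Check Point's tooling), the script below parses the output of `vsx stat -v` and `cphaprob state` and fails unless both conditions hold. The sample outputs in it are constructed to follow the layout of those commands on R77.x; the exact patterns should be checked against the real output of your gateway before the script is relied upon.

```shell
#!/bin/sh
# Added example, not from the original article or from Check Point: a gate for
# step 3 of Step 6 that parses "vsx stat -v" and "cphaprob state" output and
# succeeds only when every configured Virtual System is active with a policy
# installed and the local member is in the "Ready" state. The sample outputs
# below are constructed to follow the layout of those commands on R77.x; check
# the patterns against the real output of your gateway before relying on it.

# vsx_all_up < output-of-vsx-stat-v
# 0 when the "Virtual Systems [active / configured]" counts match and no
# Virtual System row (type S or B) shows a missing or initial policy.
vsx_all_up() {
    awk '
        /Virtual Systems \[active \/ configured\]/ {
            n = split($0, part, ":"); split(part[n], cnt, "/")
            active = cnt[1] + 0; configured = cnt[2] + 0
        }
        /^ *[0-9]+ *\|/ {            # table row: ID | Type & Name | Policy | ...
            split($0, col, "|")
            gsub(/^ +| +$/, "", col[2]); gsub(/^ +| +$/, "", col[3])
            if (col[2] ~ /^[SB] / && (col[3] == "" || col[3] ~ /Not Applicable|Initial Policy/)) {
                bad++; print "no policy on " col[2] > "/dev/stderr"
            }
        }
        END {
            if (configured == 0) { print "VS counts not found" > "/dev/stderr"; exit 1 }
            if (active != configured) {
                print active " of " configured " Virtual Systems active" > "/dev/stderr"; exit 1
            }
            exit (bad > 0)
        }'
}

# cphaprob_local_state < output-of-cphaprob-state
# Prints the State column of the "(local)" member row (Active, Standby, Ready, Down).
cphaprob_local_state() {
    awk '/\(local\)/ { print $NF }'
}

# ready_for_failover VSX_STAT_TEXT CPHAPROB_TEXT
# 0 only when both checks of step 3 pass; reasons go to stderr.
ready_for_failover() {
    printf '%s\n' "$1" | vsx_all_up || return 1
    rff_state=$(printf '%s\n' "$2" | cphaprob_local_state)
    if [ "$rff_state" != "Ready" ]; then
        echo "local member state is '${rff_state:-unknown}', expected Ready" >&2
        return 1
    fi
}

# Constructed sample (abridged): first upgraded member after its reboot, both VS up.
VSX_OK='Virtual Systems [active / configured]:                  2 / 2
Virtual Routers and Switches [active / configured]:     0 / 0

ID  | Type & Name                    | Security Policy     | Installed at       | SIC Stat
----+--------------------------------+---------------------+--------------------+---------
  1 | S vs_dmz                       | vs_dmz_policy       | 01Jan2017 10:05:00 | Trust
  2 | S vs_corp                      | vs_corp_policy      | 01Jan2017 10:05:20 | Trust'

# Constructed sample (abridged): one VS still without its policy shortly after reboot.
VSX_NOT_READY='Virtual Systems [active / configured]:                  1 / 2

ID  | Type & Name                    | Security Policy     | Installed at       | SIC Stat
----+--------------------------------+---------------------+--------------------+---------
  1 | S vs_dmz                       | vs_dmz_policy       | 01Jan2017 10:05:00 | Trust
  2 | S vs_corp                      | <Not Applicable>    | -                  | Trust'

# Constructed samples of "cphaprob state": the upgraded member next to a peer
# still on the old version shows Ready; the second is a normal Active/Standby pair.
CPHA_READY='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.100.2   0%              Ready
2          192.168.100.1   100%            Active'

CPHA_ACTIVE='1 (local)  192.168.100.1   100%            Active
2          192.168.100.2   0%              Standby'

# On the gateway itself (Expert mode), after the reboot in step 2:
if command -v vsx >/dev/null 2>&1 && command -v cphaprob >/dev/null 2>&1; then
    if ready_for_failover "$(vsx stat -v)" "$(cphaprob state)"; then
        echo "member is ready for fail-over"
    fi
fi
```

Run it in a loop with a short sleep until it succeeds, rather than judging readiness by eye; a Virtual System that still shows "<Not Applicable>" as its policy after the reboot is exactly the case in which running cpstop on the remaining old member would leave that VS without a policy on the member that becomes Active.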
Rollback
Single-step rollback procedure:
- Ensure that the CLI of the affected firewall is accessible.
- Ensure that the snapshot image taken in Step 1 is present in the snapshot repository:
Hostname> show snapshots
- If the snapshot is not present in the repository, import it from the directory to which it was exported:
Hostname> set snapshot import snapshotR77_20_take191 path /var/tmp name snapshotR77_20_take191
- Revert to the snapshot image:
Hostname> set snapshot revert snapshotR77_20_take191
Note: The revert starts immediately and reboots the device automatically; after the reboot, the rollback is complete.
Installing R77.30 Jumbo Hotfix Take 216
Note: The steps below are performed on both CheckpointFW1 and CheckpointFW2, one member at a time.
a. Install first on CheckpointFW1, after bringing it into the Standby state with the following commands, in this order:
[Expert@HostName:0]# clusterXL_admin down
[Expert@HostName:0]# clusterXL_admin up
Check the status of the cluster:
[Expert@HostName:0]# cphaprob stat
(clusterXL_admin down forces a fail-over to the peer; clusterXL_admin up then rejoins this member, which stays Standby as long as the cluster is configured to maintain the current Active member rather than switch back to the higher-priority one. Confirm this in the cphaprob stat output before continuing.)
b. Once the installation is successful on CheckpointFW1, perform it on CheckpointFW2, first running the same commands on CheckpointFW2 to make it Standby:
[Expert@HostName:0]# clusterXL_admin down
[Expert@HostName:0]# clusterXL_admin up
Check the status of the cluster:
[Expert@HostName:0]# cphaprob stat
On the Standby member:
- Log in to CLISH.
- Acquire the lock over the Gaia configuration database:
HostName:0> lock database override
- Import the package from the hard disk (once the import completes, the package is deleted from its original location):
HostName:0> installer import local /var/tmp/Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz
- Show the imported packages:
HostName:0> show installer packages imported
- Verify that the package can be installed without conflicts:
HostName:0> installer verify {<Package_Number> | <Package_Name>}
- Install the imported package:
HostName:0> installer install {<Package_Number> | <Package_Name>}
Note: The machine reboots automatically.
NOTES
- Do not make any changes in the Check Point CMA database between the time the snapshot is taken from the device and the time the snapshot is reverted.
- If any change has been made in the CMA database, it is not advised to use the snapshot mechanism for rollback; instead, a clean install followed by 'vsx_util reconfigure' from the CMA should be performed.
- Before taking the snapshot, ensure that the backup partition has more than 1.15 times the space occupied by the root partition.
- Do not rename the exported image. If it is renamed, it is not possible to revert to the snapshot image.