This article describes how to upgrade Check Point VSX R65 to VSX R67 on an X-Series Platform. NOTE: These instructions require XOS V9.6.0 or a later release.

This article describes how to upgrade Check Point VSX R65
to VSX R67 on an X-Series Platform.

NOTE: These instructions require XOS V9.6.0 or a later release.

Uninstalling the Previous VSX NGX Version
 
1. Uninstall VSX NGX R65 from the VSX NGX (xslinux_v3) VAP group
    using the following command:
2. Reload the VAP group.

  CBS# reload vap-group <VAP_group_name>

3. Uninstall the VSX NGX R65 RPM, as follows:
    a. Go to the root prompt:

    CBS# unix su

    b. Change to the rpm directory:

        [[email protected] admin]# cd /usr/os/rpm/

    c. Uninstall the RPM:
 
       [[email protected] admin]# rpm -e app-firewallvsx-NGXR65-550
 
Modifying the Configuration
 
1. Upgrade the VAP group operating system to xslinux_v5 for the
    VSX NGX R67 application by executing the following XOS CLI
    command.

    CBS# configure vap-group <VAP_group_name> xslinux_v5

NOTE: Changing the VAP group Operating System version rebuilds the
            VAP group and removes all application files and any other files
            (for example, saved log files, HFAs, scripts, and so on) from the
            VAPs in the VAP group.

           The VAP group will be disabled during this operation.

          After the upgrade has been completed, you must install the application.

2. Enter Y to continue and wait for the VAP group upgrade to be completed.

3. Load the CBI package on the CPM, as follows:
    a. Obtain the VSX R67 CBI package (vsx-R67-1.0.1.0-xy.cbi).
    b. Copy it to the /crossbeam/apps/archive directory on the CPM.
    c. Enter the following XOS CLI command to verify that Check Point
        VSX NGX R67 is loaded in the /crossbeam/apps/archive
        directory on the X-Series Platform.
4. Execute the following command:

    CBS# application vsx vap-group <VAP_group_name> install

5. Answer the interview questions to configure the installation.
    Make sure that you use the same configuration options (HA, SXL) as
    you did for VSX NGX R65.

6. Reload the VAP group:

    CBS# reload vap-group <VAP_group_name>

NOTE: If you installed the VSX application in non-DMI mode,
see Reconfiguring Management IP Addresses for a VSX Cluster
in Non-DMI Mode, later in this article, for details.

7. Save the running configuration.

    CBS# wr
 
Upgrading to a New VSX NGX R67 version
 
To upgrade to a newer version of VSX NGX R67:

1. Download the CBI package for the newer VSX NGX version from the
    Crossbeam web site.

NOTE: You must have a valid support account to obtain the VSX software package.

2. Transfer the downloaded file to the /crossbeam/apps/archive directory.

3. Log in to the Crossbeam chassis and verify that the new version is available
    by entering this command:

  CBS# show application

4. To begin the upgrade, enter this command:

    CBS# application-upgrade vsx vap-group <VAP_group_name>
  version <version_number>
 
Reconfiguring Management IP Addresses for a VSX Cluster in Non-DMI Mode
 
If you installed the VSX application in non-DMI mode, you must
manually reconfigure the IP addresses assigned to the VAP group
management interface (external interface) on the X-Series Platform
to match the management IP addresses assigned to the cluster
members on the Check Point Management Station.
 
To reconfigure management IP addresses for a cluster (VAP group)
in non-DMI mode, perform the following steps.

1. On the X-Series Platform, assign a unique IP address to each
    VAP in the VAP group, in one of the following ways:

    * Use remote shell (rsh) to log in to each VAP and issue the
   ifconfig command to assign an IP address to each VAP.

    * Use the following XOS CLI command to assign unique,
      consecutive IP addresses to all of the VAPs in the VAP group.
            CBS# configure circuit <management_circuit_name>
     vap-group <VAP_group_name>
     ip <IP_address_of_first_VAP_in_group>/<netmask>
     increment-per-vap <IP_address_of_last_VAP_in_group>

NOTE: Sharing a management circuit between DMI and non-DMI VAP
groups is not supported.

2. On the Check Point Management Station, use the vsx_util reconfigure
    command to reconfigure each cluster member (VAP group member), and
    set the IP address for each cluster member (VAP group member) to match
    the management IP address you configured for that VAP.

NOTE: In non-DMI mode, after you reconfigure one cluster member, the
management or external interface on all of the other cluster members is
also assigned that VR IP address. Make sure you use the XOS CLI to
assign an IP address to each VAP group member (cluster member)
before you run vsx_util reconfigure for that cluster member.