Applying a Check Point HFA on a cluster without downtime


Article ID: 168103


Products

XOS

Issue/Introduction

This article describes how to apply a Check Point HFA on a Check Point Cluster without downtime.

Cause

Goal: To install a Check Point HFA on a Check Point Cluster without downtime.

Resolution

Installing a Check Point HFA without Downtime

To apply software changes on a production cluster with two VAPs, you can stop sending new flows to one VAP and fail over its existing flows to the other VAP.

Note: Because all flows are merged on a single VAP during this procedure, please avoid peak time periods.

The default Check Point synchronization protocol is multicast. Before running the upgrade, change the protocol to broadcast on each Firewall VAP:

      #cphaconf set_ccp broadcast

Changing the cluster control protocol from multicast to broadcast ensures that, during the upgrade, the newly upgraded VAP members remain in the Ready state as long as another member that has not been upgraded is Active.

To Install the HFA

Note: The following example assumes two VAP members, with fw_2 being upgraded first.

1.   Prevent the NPM from sending flows to the VAP member you want to upgrade (fw_2) by removing that VAP member from the load balance VAP list:

       CBS# configure vap-group fw load-balance-vap-list 1

New connections will be processed only by fw_1.

2.   Cause a failover so that existing flows on fw_2 are processed on fw_1 (you must use the backup mode group on the fw VAP group to maintain existing flows):

      CBS# reload vap-group fw 2

3.   Apply the maintenance changes on fw_2, using either the HFA script procedure or SmartUpdate, and then reload it.

4.   Reverse the VAP members in the load balance VAP list:

      CBS# configure vap-group fw load-balance-vap-list 2

5.   Cause a failover so that the existing flows on fw_1 are now processed on fw_2:

      CBS# reload vap-group fw 1

6.   Apply the maintenance changes on fw_1 and then reload it.

7.   Change the load balance VAP list back to the original configuration to load balance flows on the cluster between fw_1 and fw_2:

      CBS# configure vap-group fw load-balance-vap-list 1 2

Note: This procedure was tested on XOS 7.0.4 and NGX R60.
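
The following shell check is an added example, not part of the original article. It gates step 2 on fw_1 being Active and confirms after step 3 that the upgraded fw_2 is Ready while fw_1 is still Active. It assumes the state text comes from `cphaprob state`, that each member row has a numeric ID first and the state last, and that member IDs 1 and 2 correspond to fw_1 and fw_2; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). The column layout parsed
# here is an assumption about `cphaprob state` output, and the three samples
# further down are constructed, not captured from a real cluster.

# state_of TEXT ID: print the state of cluster member ID (empty if absent).
state_of() {
    printf '%s\n' "$1" | awk -v id="$2" '$1 == id { print $NF; exit }'
}

# peer_active TEXT ID: succeed if a member other than ID is Active.
# Use before reloading member ID (steps 2 and 5 of the procedure).
peer_active() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 ~ /^[0-9]+$/ && $1 != id && $NF == "Active" { found = 1 }
        END { exit !found }'
}

# upgraded_waiting TEXT ID: succeed if member ID is Ready while a peer is
# still Active, the state the article says broadcast CCP preserves.
upgraded_waiting() {
    [ "$(state_of "$1" "$2")" = "Ready" ] && peer_active "$1" "$2"
}

# Constructed sample: both members serving flows, before step 2.
BEFORE_STEP_2='Number     Unique Address  Assigned Load   State
1 (local)  192.0.2.1       50%             Active
2          192.0.2.2       50%             Active'

# Constructed sample: fw_2 upgraded and reloaded, after step 3.
AFTER_STEP_3='Number     Unique Address  Assigned Load   State
1 (local)  192.0.2.1       100%            Active
2          192.0.2.2       0%              Ready'

# Constructed sample: fw_1 is Down, so reloading fw_2 would drop all flows.
PEER_DOWN='Number     Unique Address  Assigned Load   State
1 (local)  192.0.2.1       0%              Down
2          192.0.2.2       100%            Active'

if peer_active "$BEFORE_STEP_2" 2; then
    echo "fw_1 is Active: fw_2 can be reloaded"
fi
if ! peer_active "$PEER_DOWN" 2; then
    echo "no Active peer: do not reload fw_2"
fi
if upgraded_waiting "$AFTER_STEP_3" 2; then
    echo "fw_2 is Ready behind an Active fw_1: continue with step 4"
fi
```

On a live VAP, pass the captured command output as the first argument, for example `peer_active "$(cphaprob state)" 2`.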

Workaround

N/A