This article describes how to apply a Check Point HFA on a Check Point Cluster without downtime.
Goal: To install a Check Point HFA on a Check Point Cluster without downtime.
Installing a Check Point HFA without Downtime
To apply software changes on a production cluster with two VAPs, you can stop sending flows to one VAP and fail over the existing flows to the other VAP.
Note: Because all flows are merged on a single VAP during this procedure, please avoid peak time periods.
The default Check Point synchronization protocol is multicast. Before running the upgrade, change the protocol to broadcast on each Firewall VAP:
#cphaconf set_ccp broadcast
Changing the cluster control protocol to broadcast instead of multicast will ensure that, during the upgrade, the newly upgraded VAP members remain in the Ready state as long as another member that has not been upgraded is Active.
To Install the HFA
Note: The following example assumes two VAP members, with fw_2 being upgraded first.
1. Prevent the NPM from sending flows to the VAP member (fw_2) you want to upgrade by removing the VAP member from the load balance VAP list: