Upgrading Check Point from R77.30 to R80.20


In the fall of 2019, Check Point ended support for the R77.XX versions, and upgrading became necessary. Much has already been said about the differences between the versions and the pros and cons of moving to R80. Let's talk about how to actually upgrade Check Point virtual appliances (CloudGuard for VMware ESXi, Hyper-V, KVM Gateway NGTP) and what can go wrong.

So, we have 2 CCSE engineers, more than a dozen virtual Check Point R77.30 clusters, several clouds, a few hotfixes and a whole sea of assorted bugs, glitches and the like, of every color and size, and a very tight schedule as well. Let's go!

Contents:

Preparation
Upgrading the management server
Upgrading the cluster

This is what a typical customer cloud infrastructure with virtual Check Point appliances looks like.

Preparation

The first step is to check whether there are enough resources for the upgrade. The minimum recommended requirements for R80.20 currently look like this:

    Device             CPU       RAM     HDD
    Security Gateway   2 cores   4 GB    from 15 GB
    SMS                2 cores   6 GB    -

The recommendations are given in the document CP_R80.20_GA_Release Notes.

But let's be honest. While this is enough for a minimal configuration, in practice we usually have HTTPS inspection enabled, SmartEvent running on the SMS, and so on, which of course calls for quite different capacity. Overall, though, it is no more than R77.30 needed.

But there are nuances. They relate, first of all, to the amount of physical memory. Many operations during the upgrade itself will also require disk space.

For the management server, the amount of free disk space needed depends heavily on the volume of the current logs (if we want to keep them) and on the number of saved Database Revisions, although we will no longer need those much. For cluster nodes, of course (unless you store logs locally), none of this matters. Here is how to check whether you have the space you need:

  1. Connect to the Smart Management Server over SSH, switch to expert mode and enter the command:

    [Expert@cp-sms:0]# df -h

  2. The output will look something like this:

    Filesystem                       Size  Used Avail Use% Mounted on
    /dev/mapper/vg_splat-lv_current   30G  7.4G   21G  27% /
    /dev/sda1                        289M   24M  251M   9% /boot
    tmpfs                            2.0G     0  2.0G   0% /dev/shm
    /dev/mapper/vg_splat-lv_log      243G  177G   53G  78% /var/log

  3. For now we are interested in the /var/log partition.

Note that, depending on the policy for retaining and deleting old log files and on the size of the exported database, more space may be needed. If, while the archive is being created, free space drops below the threshold set in the log file retention settings, the system will start deleting old logs and will not include them in the archive.

Also, the upgrade process itself requires at least 13 GB of unallocated disk space. You can check for it with the command:

    [Expert@cp-sms:0]# pvs

The output will look something like this:

    PV         VG       Fmt  Attr PSize   PFree
    /dev/sda3  vg_splat lvm2 a-   141.69G 43.69G

In this case we have 43 GB. That is enough resources. You can start the upgrade.
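
A scripted form of the two space checks above (an added example, not part of the original article or of Check Point's tooling): it parses `pvs` and `df -h` output and fails when less than the required 13 GB is unallocated. The function names and the 80% limit for /var/log are assumptions, and the sample input is constructed from the figures shown above.

```sh
# Added example: pre-upgrade space check built around the article's two checks.
# 13 GB unallocated comes from the article; the /var/log limit is an assumption.
REQUIRED_FREE_GB=13
MAX_LOG_USE_PCT=80   # assumed threshold, tune to your log retention settings

# Sum PFree in whole GB for volume group $1, reading `pvs` output on stdin.
pvs_free_gb() {
    awk -v vg="$1" '
        function gb(s,   u, v) {
            sub(/^</, "", s)                      # newer LVM prints e.g. <43.69g
            u = toupper(substr(s, length(s)))
            v = substr(s, 1, length(s) - 1) + 0
            if (u == "T") return v * 1024
            if (u == "G") return v
            if (u == "M") return v / 1024
            return 0                              # unknown unit: fail safe
        }
        $1 == "PV" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        ("VG" in col) && $col["VG"] == vg { free += gb($col["PFree"]) }
        END { printf "%d\n", free }'
}

# Print Use% of mount point $1 from `df -h` output on stdin. Matching on the
# last two fields also works when df wraps a long device name onto its own line.
df_use_pct() {
    awk -v mp="$1" '$NF == mp && NF >= 2 { sub(/%/, "", $(NF-1)); print $(NF-1) }'
}

# $1 = pvs output, $2 = df -h output. Returns 0 only if both checks pass.
preflight() {
    pf_rc=0
    pf_free=$(printf '%s\n' "$1" | pvs_free_gb vg_splat)
    pf_pct=$(printf '%s\n' "$2" | df_use_pct /var/log)
    if [ "$pf_free" -lt "$REQUIRED_FREE_GB" ]; then
        echo "FAIL: ${pf_free}G unallocated in vg_splat, need ${REQUIRED_FREE_GB}G"; pf_rc=1
    fi
    if [ -z "$pf_pct" ] || [ "$pf_pct" -gt "$MAX_LOG_USE_PCT" ]; then
        echo "FAIL: /var/log at ${pf_pct:-unknown}% used, limit ${MAX_LOG_USE_PCT}%"; pf_rc=1
    fi
    return $pf_rc
}

# Constructed sample input using the figures from the article (df line wrapped).
SAMPLE_PVS='  PV         VG       Fmt  Attr PSize   PFree
  /dev/sda3  vg_splat lvm2 a-   141.69G 43.69G'
SAMPLE_DF='Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_log
                      243G  177G   53G  78% /var/log'
# On the SMS itself: preflight "$(pvs)" "$(df -h)"
preflight "$SAMPLE_PVS" "$SAMPLE_DF" && echo "OK: enough space to start the upgrade"
```

Run it again right before the export step, since log growth between the first check and the maintenance window can change the result.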

Upgrading the Check Point SMS management server

Before starting the work, you need to do the following:

  1. Install the Migration Tools package on the management server. To do this, download the image from the Check Point portal.
  2. Upload the archive to the management server via WinSCP into the folder /var/log/UpgradeR77.30_R80.20 (create the folder first if necessary).
  3. Connect to the management server over SSH and go to the folder with the archive: cd /var/log/UpgradeR77.30_R80.20/
  4. Extract the file: tar -zxvf ./<file name>.tgz
  5. Run the pre_upgrade_verifier utility with the command: ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80.20
  6. After the command runs, a report on incompatible settings is generated. It is located at: /opt/CPsuite-R77/fw1/log/pre_upgrade_verification_report.(xls, html, txt). It is most convenient to download it via SCP and view it in a browser.
    To resolve each incompatible setting, use SK117237.
  7. Then run pre_upgrade_verifier again to make sure that all causes of incompatibility have been eliminated.
  8. Next, collect information about the network interfaces and the routing table, and export the GAIA configuration (the second and third commands append, so that they do not overwrite the output of the first):
    ip a > /var/log/UpgradeR77.30_R80.20/cp-sms-config.txt
    ip r >> /var/log/UpgradeR77.30_R80.20/cp-sms-config.txt
    clish -c "show configuration" >> /var/log/UpgradeR77.30_R80.20/cp-sms-config.txt
  9. Download the resulting file via SCP.
  10. Take a snapshot at the virtualization level.
  11. Increase the SSH session timeout to 8 hours. How long the export runs depends on your luck: depending on the size of the exported database, it can take from a few minutes to several hours. To do this:
    [Expert@HostName]# clish -c "show inactivity-timeout"    # check the current clish timeout

    [Expert@HostName]# clish -c "set inactivity-timeout 720"    # set the new clish timeout (in minutes)

    [Expert@HostName]# echo $TMOUT    # check the current expert-mode timeout

    [Expert@HostName]# export TMOUT=3600    # set the new expert-mode timeout (in seconds); a value of 0 disables the timeout

  12. Download the SMS.iso installation image and mount it to the virtual machine.

    Before the next step, STOP and double-check that you have enough unallocated space on the disk (remember, you need 13 GB).

  13. Before starting the configuration export, switch the log file with the command: fw logswitch

Exporting the configuration and logs

  1. Run the migrate export utility to export the configuration. To do this, go to the folder created earlier: cd /var/log/UpgradeR77.30_R80.20/ and use the command: ./migrate export -l /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz

    or

    go to the folder: cd $FWDIR/bin/upgrade_tools/ and
    run the command from there: ./migrate export -l /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz

  2. Compute the checksum of the archive: md5sum /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz
  3. Save the resulting value in a text editor.
  4. Connect to the SMS via SCP and download the archive with the configuration to the workstation. Be sure to transfer the file in Binary mode.

Exporting the SmartEvent database

Here we need an already installed SMS running R80. Any test installation will do.

  1. From that SMS we need the script located at: $RTDIR/bin/eva_db_backup.csh
  2. Upload the eva_db_backup.csh script via SCP to the folder: /var/log/UpgradeR77.30_R80.20/
  3. Connect to the SMS over SSH. Copy the file into place: cp /var/log/UpgradeR77.30_R80.20/eva_db_backup.csh $RTDIR/bin/eva_db_backup.csh
  4. Convert the line endings: dos2unix $RTDIR/bin/eva_db_backup.csh
  5. Set the owner: chown -v admin:root $RTDIR/bin/eva_db_backup.csh
  6. Set the permissions: chmod -v 0755 $RTDIR/bin/eva_db_backup.csh
  7. Start the SmartEvent database export: $RTDIR/bin/eva_db_backup.csh
  8. Download the resulting files via SCP: $RTDIR/bin/<date>-db-backup.backup and $RTDIR/bin/eventiaUpgrade.tar to the workstation.

Upgrade

  1. Go to the GAIA WebUI of the SMS → CPUSE → Show all packages.
  2. If CPUSE reports an error connecting to the Check Point cloud, check the DGW, DNS and proxy settings.
  3. If everything is correct and the error does not go away, you need to update CPUSE manually, following sk92449.
  4. Download the image and run the Verifier. If necessary, eliminate the incompatibilities.

    As a result, you should see this message:

    [screenshot in the original article]

  5. Select R80.20 Fresh Install and Upgrade for Security Management.
  6. When installing the update, select Clean Install. After installation the system will reboot.
  7. Go through the First Time Wizard.
  8. After gaining access, check the accounts.
  9. Connect to the SMS over SSH and change the user's shell to /bin/bash:

    set user <username> shell /bin/bash

    save config (if we want /bin/bash to remain the default shell after a reboot).

  10. Next, connect to the SMS via SCP and transfer the configuration archive SMS_w_logs_export_r77_r80.tgz in Binary mode to the folder /var/log/UpgradeR77.30_R80.20/
  11. Compute the checksum of the archive: md5sum /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz and compare it with the value saved earlier. The checksums must match.
  12. Increase the SSH session timeout to 8 hours. To do this:

    [Expert@HostName]# clish -c "show inactivity-timeout"    # check the current clish timeout

    [Expert@HostName]# clish -c "set inactivity-timeout 720"    # set the new clish timeout (in minutes)

    [Expert@HostName]# echo $TMOUT    # check the current expert-mode timeout

    [Expert@HostName]# export TMOUT=3600    # set the new expert-mode timeout (in seconds); a value of 0 disables the timeout

  13. To import the settings, run the migrate import utility. To do this, go to the folder: cd $FWDIR/bin/upgrade_tools/ and run the import: ./migrate import -l /var/log/UpgradeR77.30_R80.20/SMS_w_logs_export_r77_r80.tgz

Enjoy life for the next couple of hours. DO NOT INTERRUPT YOUR SSH SESSION during the process. At the end, the migration utility will display a success or error message.

Post-upgrade checklist

  1. Resource availability.
  2. SIC with the GWs.
  3. Licenses. If licenses are displayed incorrectly or are not displayed on the SMS, run the vsec_central_license command to distribute the licenses.
  4. Install the policy.

Importing the SmartEvent database

  1. Enable the SmartEvent blade.
  2. Connect to the SMS via WinSCP and transfer the previously downloaded files <date>-db-backup.backup and eventiaUpgrade.tar in binary mode to the folder /var/log/UpgradeR77.30_R80.20/
  3. Run the script with the command: $RTDIR/bin/eventiaUpgrade.sh -upgrade /var/log/UpgradeR77.30_R80.20/eventiaUpgrade.tar
  4. Check the status: watch -n 10 eventiaUpgrade.sh
  5. Check the logs in SmartEvent. A DREAM!

Upgrading a Check Point GW cluster (Active/Standby)

Before you start

  1. Save the GAIA configuration from each cluster node to a file with the command: clish -c "show configuration" > ./<file name>.txt
  2. Download the files using WinSCP.
  3. Connect to the WebUI of both nodes and go to the CPUSE tab → Show all packages.
  4. Find the update package for version R80.20 Fresh Install and click Download.
  5. Check that the CCP protocol is working in Broadcast mode. To do this, enter the command: cphaprob -a if
    If Multicast mode is selected, change it with the command: cphaconf set_ccp broadcast (the command is run on each node).
  6. Schedule Downtime for the nodes in the monitoring system.
  7. Check that the MAC address changes and Forged transmits parameters are enabled at the virtualization level for the sync network.

Upgrade

  1. Connect over SSH to the active node and run the command to monitor the cluster state: watch -n 2 cphaprob stat
  2. Go to the CPUSE tab in the WebUI of the Standby node and launch the Verifier for the selected R80.20 Fresh Install package.
  3. Review the Verifier report. If installation is allowed, proceed.
  4. Select the R80.20 Fresh Install package and launch Upgrade. During the upgrade the system will reboot. The GAIA settings are preserved. During the reboot, monitor the cluster state. After boot, the status of the upgraded node should change to READY. In a number of cases we saw the non-upgraded node switch to Active Attention status and stop showing the status of the upgraded node. Don't panic: this outcome is acceptable too.
  5. Once the upgrade completes, open SmartDashboard.
  6. Open the cluster object and change the cluster version from R77.30 to R80.20. Click OK. If an error appears when saving the changes:
    An internal error has occurred (Code: 0x8003001D, Could not access file for write operation),
    follow SK119973. After that, save the changes and click Install Policy.
  7. In the settings, uncheck the option "For gateway clusters, if installation on a cluster member fails, do not install on that cluster".
  8. Install the policy. The system will report an error for the active node, which has not been upgraded yet.
  9. Connect over SSH to the upgraded node and run the command to monitor the cluster state: watch -n 2 cphaprob stat
  10. Connect to the WebUI of the Active node and go to the CPUSE tab → Show all packages. Find the update package for version R80.20 Fresh Install and click Download.
  11. Schedule Downtime for the nodes in the monitoring system.
  12. Go to the CPUSE tab in the WebUI of the Active node and launch the Verifier for the selected R80.20 Fresh Install package.
  13. Review the Verifier report. If installation is allowed, proceed.
  14. Select the R80.20 Fresh Install package and launch Upgrade. During the upgrade the system will reboot. The GAIA settings are preserved. During the reboot, monitor the cluster state on the upgraded node. After the reboot, the cluster state on the upgraded node will change from READY to ACTIVE.
  15. When the upgrade finishes, launch SmartDashboard and install the policy.

Post-upgrade checklist

  • Event logging in SmartLog, status of the VPN tunnels.
  • GAIA settings.
  • Cluster recovery after a test failover.
  • Licenses and contracts. If licenses are displayed incorrectly or are not displayed on the SMS, run the vsec_central_license command to distribute the licenses.
  • CoreXL.
  • SecureXL.
  • Hotfixes and CPinfo on both nodes.

Conclusion

That is basically it for now: you are upgraded.

For us, the whole process took on average from 6 to 12 hours, depending on the size of the exported database. The work was done over two nights: one for the SMS upgrade, the second for the cluster.

There was no traffic downtime, even though we ran into every error mentioned above ourselves.

Of course, entirely new problems can sometimes come up during an upgrade, but this is Check Point, and as we know, there is always a hotfix!

Quiet nights and rosy upgrades to you!

source: www.habr.com
