https://community.checkpoint.com/t5/Firewall-and-Security-Management/Converting-a-Security-Gateway-to-a-ClusterXL/m-p/99863#M10271 <P>Hi all.</P> <P>What are the best practices for converting a Security Gateway to a ClusterXL en HA?</P> <P>There is a guide in&nbsp; ClusterXL Administration Guide, the steps are the following:</P> <P>-Install a new Security Gateway.&nbsp;Use the standard procedure&nbsp;to create a new Cluster Member.&nbsp;Different IP from old fw.<BR />-In SmartConsole,&nbsp;create a new cluster object. Configuration same as old fw. In topology, virtual IP would be the same address of original fw.<BR />-Replace old fw object with new cluster object in policy rules, VPNs, etc.<BR />-In the&nbsp;Cluster Members&nbsp;page, click&nbsp;Add &gt; Add Existing Gateway. Select the newly installed Security gateway as cluster member and define topology.<BR />-Then Install policy.</P> <P>-In old fw, change the IP addresses of interfaces<BR />-In the&nbsp;Cluster Members&nbsp;page, click&nbsp;Add &gt; Add Existing Gateway. Select the old Security gateway as cluster member and define topology.<BR />-Then Install policy.</P> <P>What happens to VPNs?&nbsp; Should i define a different Office Mode network in the new cluster object? If there is a VTI numbered VPN to AWS, could I configure any address in the field "<STRONG>Local Address"&nbsp;</STRONG></P> <P>&nbsp;</P> Wed, 28 Oct 2020 09:41:13 GMT GioH 2020-10-28T09:41:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Converting-a-Security-Gateway-to-a-ClusterXL/m-p/99863#M10271 <P>Hi all.</P> <P>What are the best practices for converting a Security Gateway to a ClusterXL en HA?</P> <P>There is a guide in&nbsp; ClusterXL Administration Guide, the steps are the following:</P> <P>-Install a new Security Gateway.&nbsp;Use the standard procedure&nbsp;to create a new Cluster Member.&nbsp;Different IP from old fw.<BR />-In SmartConsole,&nbsp;create a new cluster object. Configuration same as old fw. In topology, virtual IP would be the same address of original fw.<BR />-Replace old fw object with new cluster object in policy rules, VPNs, etc.<BR />-In the&nbsp;Cluster Members&nbsp;page, click&nbsp;Add &gt; Add Existing Gateway. Select the newly installed Security gateway as cluster member and define topology.<BR />-Then Install policy.</P> <P>-In old fw, change the IP addresses of interfaces<BR />-In the&nbsp;Cluster Members&nbsp;page, click&nbsp;Add &gt; Add Existing Gateway. Select the old Security gateway as cluster member and define topology.<BR />-Then Install policy.</P> <P>What happens to VPNs?&nbsp; Should i define a different Office Mode network in the new cluster object? If there is a VTI numbered VPN to AWS, could I configure any address in the field "<STRONG>Local Address"&nbsp;</STRONG></P> <P>&nbsp;</P> Wed, 28 Oct 2020 09:41:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Converting-a-Security-Gateway-to-a-ClusterXL/m-p/99863#M10271 GioH 2020-10-28T09:41:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Converting-a-Security-Gateway-to-a-ClusterXL/m-p/100071#M10272 <P>Are the VPN endpoints managed by the same management, third party, or?<BR />There will be different certificates used for the cluster but they would be signed by the same CA.<BR />Assuming the cluster IP is the same as the original gateway, the remote end probably won’t need a configuration change.<BR />That said, the change is likely to be disruptive to the VPN due to the policy install, so it should be done during an appropriate maintenance window.&nbsp;</P> Sat, 24 Oct 2020 23:47:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Converting-a-Security-Gateway-to-a-ClusterXL/m-p/100071#M10272 PhoneBoy 2020-10-24T23:47:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Converting-a-Security-Gateway-to-a-ClusterXL/m-p/100208#M10273 <P>Yes, VPN endpoints are managed by the same security management. Remote access users IP addressess are assigned following file configuration $FWDIR/conf/ipassignment.conf, so first column is updated to new cluster object name.</P> Tue, 27 Oct 2020 04:37:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Converting-a-Security-Gateway-to-a-ClusterXL/m-p/100208#M10273 GioH 2020-10-27T04:37:59Z