https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/160928#M28409 <P>Hi Experts,&nbsp;</P><P>We are running a cluster on r80.40, and need to create a new bond interface as one of our interfaces is being overutilized.</P><P>&nbsp;</P><P>Once new create the new bond interface using two new unused ports we move&nbsp;<SPAN>the IP config of the used Interface to the new bond interface&nbsp;</SPAN></P><P><SPAN>Is there a possibility how i could do this procedure without any downtime?</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Sijeel&nbsp;</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Nov 2022 15:27:41 GMT Malik1 2022-11-01T15:27:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/160928#M28409 <P>Hi Experts,&nbsp;</P><P>We are running a cluster on r80.40, and need to create a new bond interface as one of our interfaces is being overutilized.</P><P>&nbsp;</P><P>Once new create the new bond interface using two new unused ports we move&nbsp;<SPAN>the IP config of the used Interface to the new bond interface&nbsp;</SPAN></P><P><SPAN>Is there a possibility how i could do this procedure without any downtime?</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Sijeel&nbsp;</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Nov 2022 15:27:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/160928#M28409 Malik1 2022-11-01T15:27:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/160940#M28411 <P>I dont think you can do it without outage. First, you are "moving" IP config, ports will be different, then you also have to "get topology..." in dashboard and push the policy.</P> Tue, 01 Nov 2022 18:27:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/160940#M28411 the_rock 2022-11-01T18:27:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/160947#M28414 <P>Nope, not possible. Plan a service window.</P> Tue, 01 Nov 2022 19:37:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/160947#M28414 _Val_ 2022-11-01T19:37:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/161044#M28467 <P>Thanks val.&nbsp;</P><P>One more question do we break the clustering during the change to avoid any unwanted failover, we are using VRRP.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 02 Nov 2022 15:42:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/161044#M28467 Malik1 2022-11-02T15:42:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/161078#M28477 <P>No, you have to plan the downtime for this activity.</P> <P>But you can minimize the duration of the downtime.</P> <P>Some steps before migration itself:</P> <P>1. Make sure newly created bond can see Partner's MAC and LACP is working fine.</P> <P>2. Make sure the needed VLANs (if used) are correctly created/tagged on the relevant switch(s).</P> <P>3. Have all the config and steps prepared in advance (including rollback situation)</P> <P>4. Perform backup and snapshot on both cluster members</P> <P>One of the scenario during migration itself:</P> <P>1. Change the topology information in SmartConsole (name of interface) and push the policy. The firewall will not change the VIP since the IPs are assigned to the current interface.</P> <P>2. Bring standby member down (clusterXL_admin down)</P> <P>3. On down member, change the IP config over CLI (remove IP from single interface and assign to the bond)</P> <P>4. Push the policy once again</P> <P>5. Down member should have VIP assigned to the bond, while active member on single current interface</P> <P>6. Cluster_XL admin up on down member. That may cause the failover to the node which already has info about bond interface.</P> <P>7. If the member is still down, try to shutdown some interface on active node or perform cpstop on active node in order to force the failover</P> <P>8. Perform IP config change on former active node</P> Thu, 03 Nov 2022 05:05:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-a-bond-Interface-without-outage/m-p/161078#M28477 JozkoMrkvicka 2022-11-03T05:05:40Z