topic Re: Migrate stand alone to cluster with new hardware in Firewall and Security Management

Migrate stand alone to cluster with new hardware

Michou — Thu, 01 Dec 2022 09:08:48 GMT

I currently have a 5200 (standalone on r81.10).

I am looking to utilize the same name/IP and replace this gateways with two 6500s on R81.10.

I just wanted to brain storm on the easiest way to accomplish this.

Also, seems like this should be a common ask. Are there any Check Point guides for something like this?

Re: Migrate stand alone to cluster with new hardware

_Val_ — Thu, 01 Dec 2022 10:49:47 GMT

Yes, this is a pretty common operation.

Prepare the new cluster in the lab. You can either re-apply Gaia config or re-build it manually. Mind, interface names may be changing between the GWs.

Set up a service window, disconnect the management interfaces only from the old cluster, and connect to the new cluster members. Re-establish SIC, push policy, and re-cable the rest of the network.

Should be straight forward.

Re: Migrate stand alone to cluster with new hardware

Blason_R — Thu, 01 Dec 2022 11:03:07 GMT

Indeed - Its a straight forward. Even further I used to setup a L3 switch and replicate the exact customer scenario. Establish SIC, policy push, license install everything same that I would do at customer place and then just plug the devices out and put the devices in. You are out of DC in flat 30 mins.

Re: Migrate stand alone to cluster with new hardware

Alex- — Thu, 01 Dec 2022 11:17:27 GMT

sk154033: How to migrate R80.x standalone management environment to a distributed environment

Regardless of the title of the SK, this is also applicable for R81.10, assuming that by Standalone 5200 you mean what the Check Point terminology assumes.

Re: Migrate stand alone to cluster with new hardware

G_W_Albrecht — Thu, 01 Dec 2022 11:21:52 GMT

He has to deploy a new SMS from the StandAlone first, so not really easy...

Re: Migrate stand alone to cluster with new hardware

Blason_R — Thu, 01 Dec 2022 12:25:50 GMT

Well here is the approach that I had taken and I use to take.

Copy object_5_o.c file from management server.
Find out/grep out IP addresses and/or object from that file.
Create a linux script using management API for automatic creation of hosts on new mgmt server. This is pretty simple with bash scripting.
Then its just then creating a rules basis on those object and create a cluster object
On isolated L3 switch create the L3 vlans and exact same IP addresses and networks for firewall/mgmt server.
Connect the mgmt server with firewall establish SIC and installed policy.
Then take a backup of that mgmt server or dbexport; put that on a production server and just a small downtime for firewalls installing firewalls in rack.
Swap the cables and since SIC and policy is already installed even though while booting up if it does not find mgmt server.
It will boot up with last successful install policy and process the traffic

Once the mgmt in network - Install the policy and install database.

Re: Migrate stand alone to cluster with new hardware

the_rock — Thu, 01 Dec 2022 12:41:14 GMT

I read process @Blason_R gave and it definitely makes sense. The article @Alex- provided you is also what Im ware of as supported method.

Andy

Re: Migrate stand alone to cluster with new hardware

Michou — Thu, 01 Dec 2022 17:12:51 GMT

hi,

sorry, I misspoke.
When I say it's a stand alone, it's a single gateway. The smartcenter is already detached on a VM.

Re: Migrate stand alone to cluster with new hardware

the_rock — Thu, 01 Dec 2022 17:30:05 GMT

In that case, please follow below process that TAC gave me for customer that wanted to do EXACT same thing. Version makes no difference, so would not sweat about that.

Link to a document:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_frameset.htm

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.pdf?HashKey=1669922907_dca4cb6270d5eb21ec9785880fd43045&xtn=.pdf

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall.

Basically here are the steps:

Install and configure the new cluster member. (Computer B)

make sure that the new firewall can talk to the old firewall and vice versa.
Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.

In the policy, remove any references to the old firewall.
Create a new cluster object in SmartConsole.

Configure the interfaces, Antispoofing, Office mode etc.

The cluster VIP will be the old firewall local IP

Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.

Establish SIC
Get interface without topology
Define a Sync interface

Install the policy on the cluster currently including member B only.
On the old firewall.

Disconnect all proposed cluster and Synchronization interfaces. New connections now open
through the cluster, instead of through computer 'A'.
Change the addresses of these interfaces to some other unique IP address which is on the
same subnet as computer B.
Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or
Security Gateways previously connected to the Security Gateway must now be connected to
both members, using a hub/switch.

Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
In the Cluster Members page, click Add and select "Add Security Gateway to Cluster"

Select the old firewall
In the "Edit Topology" page, determine the interface type.

Configure the Policy base. (VPN domain, rule base, NAT if needed)
Install the policy.

Re: Migrate stand alone to cluster with new hardware

the_rock — Thu, 01 Dec 2022 21:08:02 GMT

Btw, I would follow process I gave you, as I did it with 3 customers, never a single problem. TAC guy I worked with on it 2 years ago was AMAZING!