topic Re: ClusterXL management changes in Firewall and Security Management

ClusterXL management changes

Matlu — Thu, 01 Jun 2023 22:16:32 GMT

Hello, team.

I currently have a couple of ClusterXLs, hooked up to an SMS.
All in version R81.10

I understand that the IPs that appear in the SmartConsole, are the management IPs, is that correct?

By decision and "reordering" of the client, the "management" IPs will be changed to those of the gateways.

What seems strange to me, is that for so long, they have been working with a VIRTUAL IP for each Cluster, which is a PUBLIC IP, and for the gateways as such, they have been working with private IPs.
I don't understand why.

To be able to do the process of changing the IPs of each cluster, it must be considered a "service interruption"?
Is it recommended to have a working window?

What is the order to change the IPs in the gateways?
Should the passive one be started first, then the active one?
At the end change it in the same SmartConsole?

Thanks for your comments.

Re: ClusterXL management changes

PhoneBoy — Thu, 01 Jun 2023 22:30:44 GMT

The "management" IP is the IP that's listed in the General tab of the relevant gateway object (also called the Main IP).
A Cluster IP can be on a different subnet from the gateway's configured interfaces, which is a useful feature: https://support.checkpoint.com/results/sk/sk32073

Generally, changing IP addresses of a gateway or cluster should be done in a maintenance window.
Make the OS level changes first, then make the changes in SmartConsole.
Similar to: https://support.checkpoint.com/results/sk/sk62024

Re: ClusterXL management changes

the_rock — Fri, 02 Jun 2023 01:54:57 GMT

You got perfect answer from @PhoneBoy , thats exactly how you would do the order, as per 2nd sk he provided.

Good luck bro!

Andy

Re: ClusterXL management changes

Matlu — Fri, 02 Jun 2023 12:11:52 GMT

Sorry,

By "start on each operating system", they mean start on each ClusterXL gateway, correct?

Does the order matter?

Or is it better to start by changing the management IPs, always by the passive member, and then the active one?

Or is it indifferent?

Regards.

Re: ClusterXL management changes

the_rock — Fri, 02 Jun 2023 12:23:12 GMT

Hey bro,

Im fairly sure what it implies is to do changes on OS level first (meaning Gaia clish or web UI) and then app level (ie smart console object topology). I always do everything first on standby, then master and that works well.

Cheers,

Andy

Re: ClusterXL management changes

Matlu — Fri, 02 Jun 2023 12:42:20 GMT

For this type of activity (Change the management IP of each GW, of ClusterXL), there is no need to "break" the ClusterXL during the "Maintenance Window", right?

Thanks for your time, and sorry for the "silly" doubts. 🙂

Re: ClusterXL management changes

the_rock — Fri, 02 Jun 2023 12:43:51 GMT

No, you dont need to break the cluster, but to be 100% safe, maybe better to do off hours.

Andy

Re: ClusterXL management changes

the_rock — Fri, 02 Jun 2023 12:46:23 GMT

Never be sorry about asking any questions mate...regardless of some people thinking question may sound silly or stupid, if answer will save you headache down the road, then everyone wins.

Andy

Re: ClusterXL management changes

Matlu — Fri, 02 Jun 2023 13:50:08 GMT

It is better to always keep the criterion of doing it in a "working window", but knowing that it is not necessary to break the ClusterXL.
Just as a "precautionary" measure, right?

Thanks, bro.

Re: ClusterXL management changes

the_rock — Fri, 02 Jun 2023 13:50:54 GMT

Thats my mentality as well, correct.

Andy