topic Re: Interface cleanup before migrating to new appliances in Firewall and Security Management

Interface cleanup before migrating to new appliances

Joe_Kanaszka — Mon, 06 Jan 2025 19:33:21 GMT

Good morning and Happy New Year!

We are currently running a (2) node R81.20 cluster - (active / standby) on a pair of 5100 appliances.

We are going to migrate our exact configuration / rule sets to a new pair of 9100s following the below post:

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/69251#M5294

Before I do the migration, I'd like to cleanup the interfaces on my existing 5100s so I can build out the new appliances with the updated/correct interfaces.

For instance, my eth1 and eth2 had been used for my two external ISP connections.

We configured a third ISP to replace the ISP on eth2. Due to port constraints, we configured this third ISP interface on the interface labeled as "Mgmt".

Our actual interface that we use for management is eth4 - one of our internal LAN interfaces.

We re-configured ISP Redundancy to use interfaces eth1 (Primary) and Mgmt (Backup). (This works as it should).

We have since turned off the service for the old ISP that was on eth2, but the "cable" is still connected to the eth2 port. The "Link Status" is "Down" on both cluster nodes.

See below screenshot of one of my 5100 cluster nodes:

Before I build out the new 9100s, I'd like to delete the "Old ISP" from the eth2 interface and move my new Backup ISP interface currently on Mgmt to eth2.

Then when I configure my new 9100s, I can start with the "cleaned up" interfaces configuration.

How best to go about this?

I'm guessing step 1 is reconfigure the interfaces on the "Standby" node first. Make all the changes in the Gaia portal.

After this step I'm not sure how best to proceed...

Thanks guys!

Edit -

Thank you both Andy and Akos for your assistance!

Re: Interface cleanup before migrating to new appliances

the_rock — Mon, 06 Jan 2025 15:06:32 GMT

Hey brother,

I would definitely remove backup interfaces first, save, then master, save, update topology in smart console (interfaces WITHOUT topology that is).

Take backups first!

Andy

Re: Interface cleanup before migrating to new appliances

AkosBakos — Mon, 06 Jan 2025 15:33:44 GMT

Hi!

First I suggest you to do it in smaller eg. in a LAB environment. Thats gives you confidence.

If I understood correct (from a little pieces of info)

Q: Before I build out the new 9100s, I'd like to delete the "Old ISP" from the eth2 interface and move my new Backup ISP interface currently on Mgmt to eth2.

Here is the exact steps how to add or remove Interface from a Cluster.

https://support.checkpoint.com/results/sk/sk57100

put the standby member to down
You need to remove the ClusterIP-s first -> to achieve this delete the IF in the SmartConsole -> then policy install. Only after this change anything on GAIA portal.
If you do this, the old ISP stopped working immediately, but eth2 will released.

This would be the goal?

Akos

Re: Interface cleanup before migrating to new appliances

the_rock — Mon, 06 Jan 2025 15:30:12 GMT

Good reference sk!

Andy

Re: Interface cleanup before migrating to new appliances

Joe_Kanaszka — Mon, 06 Jan 2025 17:51:48 GMT

Good afternoon Akos and thank you!

What I would like to do is this:

Remove old physical IP and cluster IP from eth2 from both nodes. This interface is currently not being used.

Move my backup ISP connection curently on "Mgmt" to eth2 on both nodes.

After I'm done I should have both of my external ISP connections on eth1 and eth2 on both nodes. The current Mgmt will not be used for "Management".

eth4 will continue to be my local LAN & Management interface.

Does this make sense? So I'm deleting two interfaces: Mgmt & eth2, and then re-configuring eth2 with the same IP that was on Mgmt.

Re: Interface cleanup before migrating to new appliances

Joe_Kanaszka — Mon, 06 Jan 2025 17:52:44 GMT

Thanks Andy! Please see my response to Akos.

I may not have explained myself well the first post.

Re: Interface cleanup before migrating to new appliances

the_rock — Mon, 06 Jan 2025 17:54:22 GMT

K, read it, that makes sense to me, yeah. Just make sure the IP addresses are NOT referenced anywhere else before removing.

Andy

Re: Interface cleanup before migrating to new appliances

the_rock — Mon, 06 Jan 2025 19:03:40 GMT

Forgot to add, maybe do snapshots too if you can.

Andy

Re: Interface cleanup before migrating to new appliances

AkosBakos — Mon, 06 Jan 2025 19:05:14 GMT

Hi K,

If you want to remove the Virtual IP of a Cluster IF, the only way is to delete te if in the SmartConsole, then push policy. Don't forget it, trust me, I know. I can't highlight it enough 🙂

Put the standby member to DOWN state to avoid of unwanted cluster flapping. (with #clusterXL_admin down)

And The holy triumvirate: snapshot, system backup, save configurtaion.

Akos

Re: Interface cleanup before migrating to new appliances

the_rock — Mon, 06 Jan 2025 19:07:09 GMT

Yes, super important!

Re: Interface cleanup before migrating to new appliances

the_rock — Tue, 07 Jan 2025 23:27:29 GMT

Hey Joe,

Forgot to mention something kind of important, though you may not have to do any of this, but better confirm. Whenever I deal with things like this, I always verify afterwards in guidbedit that whatever is supposed to be removed is gone there as well.

Just a suggestion.

Best,

Andy