Blason_R
Leader

Need to reinstall AWS CGNS in a need of upgrade from R81 to R81.20

Hi Team,

Can someone guide me on best practices or the procedure for reinstalling a new firewall cluster pair in my existing AWS tenant? I already have R81 running; however, I am unable to upgrade it to R81.20 or R82 due to a non-compliant hard disk partition. Hence, the only way I believe possible is to reinstall the machines in AWS and then perform the SIC and install the policy?

What steps do I need to take?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Accepted Solutions
Blason_R
Leader

Thanks, team, for the help. I eventually reinstalled a new pair of firewalls in a new VPX, did the peering with the existing one, and then routed with TGW.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS


5 Replies
Nir_Shamir
Employee

Hi,

Basically it's a side-by-side new deployment.

You deploy your original deployment in the same VPC with the same subnets (or different ones) and change routes etc. to the new deployment.

This SK describes upgrades in various cloud environments:

https://support.checkpoint.com/results/sk/sk162365

 

Don_Paterson
Advisor

This is another SK worth bookmarking:

https://support.checkpoint.com/results/sk/sk173705

For best practice I would suggest the relevant deployment guide, taking note of any version-specific configuration that might appear in the guide(s).

For example:

 https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/C... 

 

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_Single_AZ_Clu...

 

Both links are in sk173705.

Pay attention to cluster object topology configuration (cluster + sync configuration on the internal interface).

This is actually from the Azure cluster deployment guide but the wording is a bit better than in the AWS guides so I am sharing it in case it helps.

"Configure the interfaces eth0 and eth1.

  1. Double-click the interface eth0.
    The Network eth0 window shows.

  2. From the General tab, in the Network type field:

    • For version R81.10 and higher, select Cluster.

    • For version R81 and lower, select Cluster + Sync."

 

And also this (for example), from CP_CloudGuard_for_AWS_Cross_AZ_Cluster:

In R82 and higher, after configuring the cluster object and cluster members, you must change the Hardware type of the Security Gateways object that report to the Security Management Server.

Blason_R
Leader

So does that mean that for versions higher than R81.10 in CGNS you cannot define the internal interface as Cluster + Sync?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Don_Paterson
Advisor

Sorry if I introduced any confusion. 

The main point is to follow the deployment guide, which in your case I believe will be an AWS CGNS deployment guide. 

Each cloud service provider has its own SDN (Software Defined Network) and there are differences in their designs, so that Check Point configurations for the same solution (e.g. Cluster) may differ from one CSP to another.

Then there is the possibility of changes in the recommended configuration between Check Point versions.

It all just highlights the dynamic nature of the cloud. 

Some dynamicness brings nice new features and others new configuration recommendations. 

Either way, we have the task of keeping up to date, and one of the ways of doing that is using the relevant documentation (Deployment Guide).
