Need to reinstall AWS CGNS in a need of upgrade from R81 to R81.20
Hi Team,
Can someone guide me on best practices or the procedure for reinstalling a new pair of firewalls as a cluster in my existing AWS tenant? I already have R81 running; however, I am unable to upgrade it to R81.20 or R82 due to a non-compliant hard disk partition. Hence the only way I believe possible is to reinstall the machines in AWS and then perform the SIC and install the policy?
What steps do I need to take?
Blason R
CCSA,CCSE,CCCS
Accepted Solutions
Thanks Team for the help. I eventually reinstalled a new pair of firewalls in a new VPC, did the peering with the existing one, and then routed with TGW.
Blason R
CCSA,CCSE,CCCS
Hi,
Basically it's a side-by-side new deployment.
You deploy your original deployment in the same VPC with the same subnets (or different ones) and change routes etc. to the new deployment.
This SK describes upgrades in various cloud environments:
https://support.checkpoint.com/results/sk/sk162365
This is another SK worth bookmarking:
https://support.checkpoint.com/results/sk/sk173705
For best practice I would suggest the relevant deployment guide, taking note of any version-specific configuration that might appear in the guide(s).
For example:
Both links are in sk173705.
Pay attention to the cluster object topology configuration (Cluster + Sync configuration on the internal interface).
This is actually from the Azure cluster deployment guide but the wording is a bit better than in the AWS guides so I am sharing it in case it helps.
"Configure the interfaces eth0 and eth1.
- Double-click the interface eth0. The Network eth0 window shows.
- From the General tab, in the Network type field:
  - For version R81.10 and higher, select Cluster.
  - For version R81 and lower, select Cluster + Sync."
And also this (for example), from CP_CloudGuard_for_AWS_Cross_AZ_Cluster:
In R82 and higher, after configuring the cluster object and cluster members, you must change the Hardware type of the Security Gateways object that report to the Security Management Server.
So does that mean that for versions higher than R81.10 in CGNS you cannot define the internal interface as Cluster + Sync?
Blason R
CCSA,CCSE,CCCS
Sorry if I introduced any confusion.
The main point is to follow the deployment guide, which in your case I believe will be an AWS CGNS deployment guide.
Each cloud service provider has their own SDN (Software Defined Network) and there are differences in their designs, so that Check Point configurations for the same solution (e.g. Cluster) may differ from one CSP to another.
Then there is the possibility of changes in the recommended configuration between Check Point versions.
It all just highlights the dynamic nature of the cloud.
Some dynamicness brings nice new features and others new configuration recommendations.
Either way we have the task of keeping up to date and one of the ways of doing that is using the relevant documentation (Deployment Guide).