This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
scottikon
Contributor
‎2020-11-17 02:55 AM

Upgrading CloudGuard IaaS Security Gateway in Azure - What is your experience?

What is your experience with upgrading CGI Security Gateways in Azure?

I understand there are two options: -

1) Deploy new gateway with same IPs and migrate

  1. Deploy new gateway 
  2. Stop the new GW in order to change the static IPs associated with the VM instance.
  3. Console on to the new GW to change the IPs in clish.
  4. Detach interfaces on old gateway. 
  5. Attach interface on new gateway. 
  6. Reset SIC
  7. Install policy

Advantages are that no changes in the routing in Azure is required but does require more downtime as you will need to detach the interfaces on the old GW before attached interfaces on the new GW. 

 

2) Deploy new gateway with new IPs and update UDRs

  1. Deploy new gateway
  2. Create gateway object and set SIC
  3. Update policy with new gateway wherever old gateway is referenced
  4. Re-IP licence and re-attach to new gateway.
  5. Install policy
  6. Update all UDRs to reference new IP/VM

 

First of all, do the above steps look correct or if anyone can help identify any errors or omissions that would be great. 

Secondly, if others have followed this to deploy new versions, how did it go? Any pitfalls, gotchas? What was the downtime?

 

Thanks

Scott

 

Advantage is that downtime is minimised as sessions will be interrupted but will then match the policy and connect. Disadvantage, significant more changes in preparation to migrate. 

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2020-11-20 05:57 PM

I moved this into the public Cloud spaces so more people can comment.

One thing to also be aware of with your second approach is you will, at least for a brief time, have extra managed gateways.
This could cause issues with your management license, which is capped at a specific number of gateways.
So...it's possible you may need to apply an eval license in some cases.

This might also drop established connections on the floor when the routes are swung over.
If that is problematic, it's probably a good idea to temporarily turn off the "drop out-of-state" Global Properties for a period of time to allow the connections to more gracefully recover.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events