Good Afternoon!
I have a project to complete the migration of a two node cluster running on a pair of 5100 appliances to (2) new 9100 appliances.
I have a month but I'd like to get this done sooner than later.
Both new servers are fresh out of the box and racked next to the cluster members they will be replacing (so old_GW1 is racked next to new_GW1, etc...).
I'd rather not change too much at one time, so for now I plan on staying on R81.20 with the latest patches.
My old cluster is not up to date with the latest patches - but still on R81.20.
I have a general idea how this migration will work.
I'm referring to this post:
https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/69251#M5294
Where I'm getting tripped up is with the "initial configuration" phase. Do I use the "First Time Wizard" on the new appliances? I'm keeping the same IPs as the old gateways, so I obviously cannot configure the interfaces on the new appliance and have it online at the same time. I installed LOM cards in the new 9100s so I can work offline.
So that's my first question...how do I get these new appliances to the point that I can perform the actual swapping out, re-cabling, SICing, and pushing policy?
One area that is really confusing me are the interface re-mappings to my new gateways. I know this can be done from the "advanced tab" but not sure how this actually works.
My new 9100s have 8 interfaces plus a management interface.
Here is what my interfaces look like on my old gateways:
Mgmt is actually an External Standby ISP connection (we ran out of interfaces) - We use ISP redundancy on the Cluster.
eth1 - External - Primary ISP
eth2 - External - No longer used - Decommissioned ISP link - replaced by the link on "Mgmt"
eth 3 & eth4 - internal LAN
eth5 - sync
My new appliance has 8 interfaces plus a Management. What I would like to do on new appliance:
eth1 - External - Primary ISP
eth2 - External - Standby ISP - (move this interface from Mgmt)
eth 3 & 4 - Internal LANs
eth5 - sync
Is this possible? Thank you again!!!
Hey brother,
Here is what I ALWAYS do in this case (must have done it more than 20 times) and never had an issue:
1) Do initial wizard on new appliances, connect them to Internet for time being, so you can install recommended jumbo on version that came with it and enable any needed interfaces
2) follow the same with other appliance
3) install eval licenses for the time being
4) generate corresponding show configuration from existing firewalls and copy bits and pieces to corresponding new firewalls, just make sure not to override any IP until cutover and enable whatever interfaces have to be enabled
5) compare the config, make sure all is good, if it is...
6) last step is follow the link you referenced and NO NEED to delete anything from SmartConsole
7) once done, you can be proud of the great job you did 👌👍🙌
Thanks Andy!
generate corresponding show configuration from existing firewalls and copy bits and pieces to corresponding new firewalls, just make sure not to override any IP until cutover and enable whatever interfaces have to be enabled
So just use Clish to copy the config over (bits and pieces)...What are the necessary pieces of the config that I need from the old gateways? IPs and interfaces...What about routes? We have ISP redundancy so my default route will change depending on which ISP link is active. Would it be easier to use the migrate export and import commands?
And...Sorry Andy - but this part trips me up..
What about my existing interfaces - in particular my standby ISP link that is currently on the MGMT interface? Can I use the advanced settings in SmartConsole to change the interface on the new device so that link is now on ETH2 - not MGMT?
Thanks again Andy!!!
No problem. Yes, for existing interfaces, that's the tricky part, make sure you decide beforehand the CORRESPONDING ones on new firewalls, so then clish config for those can be copied, just make sure the name matches the name on new firewalls. Also, routes can be copied, but again, as long as new device is NOT on the network, same routes/IPs can be copied, not an issue.
FWIW brother, I followed that exact same method for every customer I did this for. Last time, it was a large hospital...well, truth be told, it's NOTHING as big as say West China Medical Centre or Geneva University Hospital, but it's a hospital that serves a city of about 200,000 people, so definitely important and my client there followed the exact steps I mentioned, all went so smooth, no issues when we did cutover.
If you need anything else, let me know, I can put together some notes I took about it.
Thanks Brother!
So just to clarify re: the interfaces:
If my old 5100 has the Mgmt interface as ISP2 - I can change this to ETH2 on the new device?
So old 5100:
Eth1 - ISP1 (Active ISP in ISP Redundancy)
Eth2 - ISP2 (Decommissioned & not used)
Mgmt - ISP2 (Standby ISP in ISP Redundancy)
I can change this on the new 9100 to :
Eth1 - ISP1 (Active ISP in ISP Redundancy) - no change
Eth2 - ISP2 (Standby ISP in ISP Redundancy) - changed from Mgmt interface on 5100
Mgmt - new management IP (Changed from decommissioned & unused ISP2 on 5100)
These interface changes can all be made in CLISH on the new 9100 correct? No need to mess with the Advanced interface settings in Smart Console?
Thanks again Andy!
You got it!
Here is something I always do:
on current fw, run this from expert:
clish -c "show configuration" > /var/log/config_hostname_date.txt
then, get the file off the fw, make sure scp is on (chsh -s /bin/bash admin is the command to enable it, or whatever the admin name is)
once you got the file, copy bits and pieces to NW fw as we discussed, then when ready, do the same thing on new fw, compare configs, it will give a great idea if things look right
Message me any time, we can even have a call if needed.
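The workflow described in this thread (export with show configuration, copy only the interface/route/DNS pieces to the new gateway with the interface names remapped and the live IPs held back until cutover, then compare the two exports and confirm default gateway and DNS are present), as an added example that is not part of the thread and not Check Point code. The sample export, the RFC 5737 addresses and the list of clish keywords treated as "worth copying" are all constructed assumptions; the interface map is the one the poster proposed (Mgmt moves to eth2, the decommissioned eth2 is dropped).

```python
"""Constructed example (not from the thread): carve a Gaia 'show configuration'
export into the pieces worth carrying to a replacement gateway, remap interface
names, mask interface IPs until cutover, and diff old vs new exports."""
import re
from difflib import unified_diff

# Constructed sample of a clish export (hypothetical values, RFC 5737 addresses).
OLD_CONFIG = """\
set hostname old-gw1
set interface Mgmt ipv4-address 203.0.113.10 mask-length 29
set interface Mgmt state on
set interface eth1 ipv4-address 198.51.100.10 mask-length 29
set interface eth1 state on
set interface eth2 ipv4-address 192.0.2.10 mask-length 29
set interface eth2 state off
set interface eth3 ipv4-address 10.10.1.2 mask-length 24
set interface eth3 state on
set interface eth5 ipv4-address 10.255.255.2 mask-length 30
set interface eth5 state on
set static-route default nexthop gateway address 198.51.100.9 on
set dns primary 10.10.1.53
set dns secondary 10.10.1.54
set ntp server primary 10.10.1.123 version 4
"""

# Old 5100 -> new 9100 interface map, decided beforehand as the thread advises.
# None means the old interface is decommissioned and its lines are dropped.
IFACE_MAP = {"Mgmt": "eth2", "eth1": "eth1", "eth2": None,
             "eth3": "eth3", "eth4": "eth4", "eth5": "eth5"}

# Assumed set of clish keywords worth copying; anything else is left for manual review.
SECTION_KEYS = ("interface", "static-route", "dns", "ntp", "hostname")

IFACE_RE = re.compile(r"^set interface (\S+)(.*)$")
IP_RE = re.compile(r"ipv4-address \S+")


def carry_over(config: str, iface_map: dict, keep_ips: bool = False) -> list:
    """Return clish lines to apply on the new gateway: interface names remapped,
    decommissioned interfaces dropped, interface IPv4 addresses replaced by a
    placeholder unless keep_ips is True (so nothing collides with the live cluster)."""
    out = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "set" or parts[1] not in SECTION_KEYS:
            continue
        m = IFACE_RE.match(line)
        if m:
            old, rest = m.groups()
            new = iface_map.get(old, old)  # unmapped names pass through unchanged
            if new is None:
                continue  # decommissioned on the new box
            line = f"set interface {new}{rest}"
        if not keep_ips:
            line = IP_RE.sub("ipv4-address <SET-AT-CUTOVER>", line)
        out.append(line)
    return out


def sanity_check(lines: list) -> list:
    """Flag the two items the thread calls out before cutover: default route and DNS."""
    problems = []
    if not any(l.startswith("set static-route default") for l in lines):
        problems.append("no default route")
    if not any(l.startswith("set dns primary") for l in lines):
        problems.append("no primary DNS")
    return problems


def normalized_diff(old: str, new: str) -> list:
    """Compare two exports with 'set' lines sorted and hostname ignored, so that
    ordering differences between the boxes do not show up as changes."""
    def norm(cfg):
        return sorted(l for l in cfg.splitlines()
                      if l.startswith("set ") and not l.startswith("set hostname"))
    return list(unified_diff(norm(old), norm(new), "old", "new", lineterm=""))


if __name__ == "__main__":
    for l in carry_over(OLD_CONFIG, IFACE_MAP):
        print(l)
    print("checks:", sanity_check(carry_over(OLD_CONFIG, IFACE_MAP)) or "ok")
```

Run it on a real export by reading the file saved with `clish -c "show configuration"` into OLD_CONFIG, review the printed lines, and only then paste them into clish on the new appliance; run the new box's own export through normalized_diff against the old one once it is configured.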
Thank you again Andy! What do you mean by NW fw? Just curious...
You can tell English is not my first language haha...I meant NEW fw 😂
No worries brother! I envy you for speaking a second language in the first place!
I always found that to be the biggest sign of respect anywhere in the world you go, and I've been to more than 99% of it lol. If you put in the effort to learn even a few words of the local language, people TRULY APPRECIATE it.
I absolutely agree with you!
2 IMPORTANT things, though it kind of goes without saying 🙂
1) make sure default gateway is right on new firewalls
2) DNS servers are correct
Thank you sooo much Andy! I really appreciate this!
Glad we can help you my friend.