Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AbhishekSisodia
Explorer

Checkpoint VSX Cluster Migration

Hi All,

 

We are using a Checkpoint MDS server with checkpoint vsx Cluster deployed checkpoint 21400 appliances.

We have deployed 4 CMAs over MDS to manage virtual systems for respective departments.

MDS is running on Gaia R80.40 and VSX cluster on R80.10.

 

We are planning to replace the VSX cluster HW with new 26000 appliances. Pls suggest on how to proceed with the migration process. Do we just need to upload the show configuration output on new appliances and reset sic communication and push the existing policy from MDS.

And do suggest if we can use R80.40 new appliances.

Thanks in advance!!

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

The new appliances should support R80.40, though R80.40 will be End of Support in January 2024 and you should upgrade to a later release.

Unfortunately, migrating VSX to new hardware is a little more complicated than copying "show configuration" output.
This script will probably be helpful in capturing some of the data needed: https://support.checkpoint.com/results/sk/sk180485
You'll probably use something similar to the Clean Install procedure with different hardware here: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Installation_and_Upgrade_Gui...

0 Kudos
Bob_Zimmerman
Authority
Authority

I would strongly recommend upgrading the management to R81.10 first. As mentioned, R80.40 goes end-of-support soon.

Once you have the management upgraded, I recommend using ISOmorphic to install R81.20 on each firewall, downgrading them in-place to R80.40 (before the first-time wizard, using 'installer clean-install'), running the first-time wizard or config_system, installing jumbo 197, setting up your bonds, then using vsx_util reconfigure to rebuild the members. Plan on a total outage for all traffic through the cluster. There may not be one, but assume there will be.

The reconfigure process is the same process you would use to replace a failed cluster member. Shut down one old member, replace it with one new member, and boot the new member. Once it is running, 'vsx_util reconfigure' on the management establishes SIC, makes some configuration tweaks, then pushes all the VS configuration to it. It might be able to sync with your old member, or it might not. Assume it won't be able to. Once the new member is up and everything on it looks good, apply any local modifications like dynamic routing. When you're done, shut down the second old member. The new member should recognize there are no other members in the cluster anymore, so it should take over the VIPs. If everything works through the new member, repeat the process with the second new member.

Then once you have swapped the hardware, R81.10 management servers have the ability to push upgrade packages to firewalls. Use that to upgrade the cluster from R80.40 to R81.10. This can be a separate window, but it should be as soon after the hardware swap as possible.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events