This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chckpnt_Charlie
Explorer
‎2018-12-28 07:32 AM

Deploy ClusterXL with no/minimum downtime?

Hi,

I have an existing 12200 fw instance in place, and a new one I'd like to add to it. So, my question is could someone suggest a least service interruptive way to deploy a cluster which will assume the same IPs of the current instance as its VIPs?

Even if there's no other tricks other than following the official ClusterXL deployment guide I'd be interested to know if someone did something similar in the past and could provide a ballpark service outage duration?

Thanks!

0 Kudos
6 Replies
Vladimir
Champion
Champion
‎2018-12-28 10:10 AM

Please specify the version you are running, describe devices the 12000 unit is connected to presently and if it is involved in a dynamic routing.

0 Kudos
Mike_A
Advisor
‎2018-12-28 10:34 AM

Also, I would ask, what version are you running on your "current" gateways, and what version will you be running on the "new" hardware.

Example, currently running R75.47 going to R77.30, or running R77.20 going to R77.30, or R80.10. Or will they be the same version?

I've done this in the past going from Fujitsu;s to appliances as well as upgrading the version the gateways were on as the new hardware came into the cluster. Along with Vladimir's questions, I think some of these answers would determine a desired path. 

0 Kudos
Chckpnt_Charlie
Explorer
‎2018-12-28 11:51 AM
In response to Mike_A

running r80.10 on 12200 appliance which sits in between our WAN router and a core switch (no dynamic routing).

the second appliance matches the first one, so no upgrades or hw migrations. Just need to create a ClusterXl and add the current one and later on the second one to it in active/standby.

0 Kudos
Chckpnt_Charlie
Explorer
‎2019-01-04 10:38 AM

Also, the current appliance is distributed SMS/firewall. We have the fw license for the secondary FW appliance but not for the secondary SMS. Can I still build a ClusterXL with two appliances to achieve HA for firewalls but only run SMS on the active instance? Or do I positively need to migrate the SMS off of that appliance before I can ClusterXl the two?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-04 11:22 AM
In response to Chckpnt_Charlie

You can only run management on both members of an HA cluster (a so-called Full HA setup).

Running management on one member of a cluster only is not supported.

0 Kudos
Hugo_vd_Kooij
Advisor
‎2019-01-09 03:47 AM
In response to PhoneBoy

Not to mention that management on the box in HA is .... rather clumsy.

I suggest you create a seperate management system.

The migration might be a bit of a steep path if you haven't the experience. So unless you have plenty of time to tinker with it without someone clubbing you for a day long outage I suggest you hire someone to help you out there.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top