Migrating from VSX to non VSX

Louis_Poulin · ‎2019-04-12

Here we have a R80.20 VSX Cluster in VSLS. The VS responsible for Internet web browsing is to be taken out of VSX to be put on a cluster of two Check Point appliances in an attempt to have more stability (and performance).

The VS uses the following blades/functionnalities:

Firewall
App Control
URL Filtering
HTTPS Inspection
Identity Awareness (+sharing identities with others)
Monitoring
IPS
Anti-Virus
Anti-Bot

The plan is to create a new firewall on the new cluster, "turn off" the VS by deleting all the interfaces but one (and changing its IP) and then "turn on" the new firewall. We plan on keeping the same IP addresses and using the exact same policy by just modifying the target.

We'll keep an eye for ARP cache entries that might need to be flushed. And we are going to work something for the HTTPS Inspection certificate.

Do you guy have some recommendations or some points to be carefull about?

Thanks!

Maarten_Sjouw · ‎2019-04-12

Been there done that, your plan is exactly how we did it.
On the HTTPS Certificate Authority front, this one is just set the HTTPS CA from the SmartConsole and push policy.
We turned off the vlans on the switch interface towards the VSX box and switch the switch interfaces on to the new cluster.
This allowed us to prepare the cluster and push the policy already before the actual migration.

Regards, Maarten

Are you a member of CheckMates?

Migrating from VSX to non VSX