Create a Post
Showing results for 
Search instead for 
Did you mean: 

Migrating from VSX to non VSX

Here we have a R80.20 VSX Cluster in VSLS. The VS responsible for Internet web browsing is to be taken out of VSX to be put on a cluster of two Check Point appliances in an attempt to have more stability (and performance).

The VS uses the following blades/functionnalities:

  • Firewall
  • App Control
  • URL Filtering
  • HTTPS Inspection
  • Identity Awareness (+sharing identities with others)
  • Monitoring
  • IPS
  • Anti-Virus
  • Anti-Bot

The plan is to create a new firewall on the new cluster, "turn off" the VS by deleting all the interfaces but one (and changing its IP) and then "turn on" the new firewall. We plan on keeping the same IP addresses and using the exact same policy by just modifying the target.

We'll keep an eye for ARP cache entries that might need to be flushed. And we are going to work something for the HTTPS Inspection certificate.

Do you guy have some recommendations or some points to be carefull about?


0 Kudos
1 Reply

Been there done that, your plan is exactly how we did it.
On the HTTPS Certificate Authority front, this one is just set the HTTPS CA from the SmartConsole and push policy.
We turned off the vlans on the switch interface towards the VSX box and switch the switch interfaces on to the new cluster.
This allowed us to prepare the cluster and push the policy already before the actual migration.
Regards, Maarten
0 Kudos