This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christian
Participant
‎2020-05-01 05:27 AM
Jump to solution

Move Vlans to new Interface (10G-Bond)

Hi CheckMates

We're currently running a clustered Firewall (4800, R80.20) with three connected 1G-interfaces

  • External (eth1): Vlan-Trunk, 1 Vlan
  • Internal (eth2), Vlan-Trunk, 8 Vlans
  • Sync (eth3), Access-Port

The Firewalls were now upgraded with a 2x10G-Module (eth1-01, eth1-02) each. I will create a LACP-bond (2x10G) and would like to move all Vlans from the External- and Internal Interfaces to the new 10G-Bond. The Sync-Traffic will remain on the separate 1G-Interface for now.

My next steps would be:

  1. Create the new LACP-Bond (bond1) on both members and make sure it is UP
  2. Standby-Node: Remove first Vlan-Interface (e.g. eth2.32) including IP-configuration in Web-UI
  3. Standby-Node: Create new Vlan-Interface (e.g. bond1.32) on 10G-Bond with IP-address in Web-UI
  4. Magic in SmartConsole and Policy Push *
  5. Failover
  6. Repeat Steps 2-4
  7. Now repeat steps 1-6 for every Vlan or maybe do all in one run

* Now the part where i'm struggling..

  • Should i now get the new topology of that cluster-interface (Int.32) in SmartConsole?
  • Or rather update the Interface-Name by hand? (see screenshot below)
  • Is it even possible to configure a VIP over two different ports for a short time (member1: eth2.32, member2: bond1.32)

overview.pnginterface-config.png

 

 

 

 

 

Or is there another better and easier way? It wouldn't be a problem to announce a small downtime.

Thanks and regards
Christian

0 Kudos
1 Solution

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2020-05-01 10:28 AM
Jump to solution

First do this on all interfaces to be moved, of your backup gateway, in the clusterinterface in SmartConsole just update the name, do not in any case run the get interfaces with topology!!
Once the first member is done, flip the cluster and move the other member to the 10G interface Bond.
Regards, Maarten

View solution in original post

5 Replies
Maarten_Sjouw
Champion
Champion
‎2020-05-01 10:28 AM
Jump to solution

First do this on all interfaces to be moved, of your backup gateway, in the clusterinterface in SmartConsole just update the name, do not in any case run the get interfaces with topology!!
Once the first member is done, flip the cluster and move the other member to the 10G interface Bond.
Regards, Maarten
Christian
Participant
‎2020-05-04 12:15 AM
In response to Maarten_Sjouw
Jump to solution

Hi Maarten

Thanks! Do i need to take precautions before starting with the procedure (like cphastop)?

According to your reply i would now do the following:

  1. Standby-Node: Create new lacp-bond (bond1) and make sure it is UP
  2. Standby-Node: Delete and Re-Create all Vlan-Interfaces (e.g. eth2.32) on new bond1 Interface
  3. Ping-Check to IPs of Vlan-Interfaces / SIC-Test
  4. SmartConsole: Change Interface-Name of all moved interfaces (e.g. eth2.32 => bond1.32)
  5. SmartConsole: Install Policy on both members
  6. Initiate Failover
  7. Run Steps 1-6 on new Standby-Node

And we are done? No need to change the Interface-Names somewhere else?
I'm surprised, this procedure looks pretty easy and straightforward to me.

Regards,
Christian

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-05-04 12:42 AM
In response to Christian
Jump to solution

You will see at some point that the cphaprob will have an issue, you could insert a cphastop before changing the interfaces on the node and cpahastart just before the failover, which can then be initiated by a cphastop on the other node.
Just make sure you do it in a sevice window as you will probaly drop all running connections when failing over.
Regards, Maarten
lambda04
Explorer
‎2022-11-14 09:07 PM
In response to Christian
Jump to solution

Hi Chris,

 

Could you please share how was your activity ? did you follow same method or any changes ?

 

BR

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2022-11-29 02:49 AM
In response to lambda04
Jump to solution

I performed these steps:

 

  • Standby: add new vlan,  delete old vlan, conf new subinterface
  • Get interface without topology
  • Install policy
  • Cphastop;cphastart  Standby node (now you will have desidered output in cphaprob -a if)
  • cphastop on active node (trigger failover)
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events