Rabin
Explorer

Detaching One SGM from security group and using it to different security group

Hi CheckMates!

Just want to know what precautions need to be taken when detaching a member from a Check Point Maestro Security Group and assigning it to another Security Group, to ensure that the production environment won't have any impact.

The current scenario is that we have three SGMs in one Security Group; now we plan to remove one SGM and use it in another Security Group.

Thanks 

Rabindra

0 Kudos
6 Replies
AkosBakos
Advisor

Hi @Rabin ,

Let's say it is 99.99999% safe for you to remove one member from the production Security Group if the throughput, etc. allow it (see Datasheet and #asg perf). If I were you, I would simply do a cpstop on the designated SGM and see what happens. Strictly in a !!maintenance window!! (at least for the first time)

According to the R81.20 What's New guide:

Performance Acceleration for Quantum Security Gateways

  • Maestro Auto-Scaling provides dynamic performance scaling for mission critical apps and large workloads. Automatically shifts firewall resources in and out of Security Groups to support critical applications as throughput and compute requirements change.

Here is the Maestro Auto-Scaling feature (page 325):

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Maestro_AdminGuide/CP_R81.20...

The system can do it automatically if the parameters reach the limit.

I did it several times, and nothing happened.

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
Rabin
Explorer

Hi @AkosBakos 

Initially, we had three SGMs, two 6600 and one 6200, in the same group; now our requirement is to use one 6600 in another, new Security Group. To achieve this we have manually brought down one 6600 using the g_clusterXL command and observed the performance; so far all is good. Now we want that one 6600 to be used in a new Security Group for other purposes.

Should we do cpstop on that member which is in the down state, then go to the Orchestrator GUI, detach that member, create a new Security Group and attach that member there? Is it as simple as that, or do we need to consider other things too? Just want to make sure our flow is correct and that we have no downtime while performing these activities.

I think the Maestro auto-scaling feature is for an unassigned gateway to be used when certain conditions are met in the same security gateway. Hope you understand our requirements.

Also, we have to create a new magg bond for managing the new SMO, right? Does this have any impact on the existing environment?

Thank You.

Rabindra

0 Kudos
AkosBakos
Advisor

Hi @Rabin 

Yes, the auto-scaling is not for this.

I would say, just simply unattach the SGM from the SG on the relevant Orchestrator page, then do the SG creation steps, as you did it before.

What do you think?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Rabin
Explorer

Hi @AkosBakos 

I think we need to reset the SGM, create a magg bond (management bond) in the MHO and create the Security Group.

Rabindra

 

0 Kudos
AkosBakos
Advisor

Hi @Rabin 

Yes, but if you FCD the appliance, don't forget to install the GA take, because this will be the one and only SGM in that group, therefore this will be the SMO as well.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
emmap
Employee

When you remove an SGM from a Security Group it does a 'mini-FCD' to remove all the configuration from the device. It doesn't actually factory default the appliance, but it does clean it up and have it ready to be added into a new Security Group. So no need to reset it or anything manually, just add it to a new Security Group and continue with the normal new Security Group creation process.

0 Kudos