This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Uwe_Herkt
Participant
Participant
‎2023-10-05 02:03 AM

How to migrate/replace new appliance hardware in an existing maestro Security group.

Hi,

we are currently planning to replace the appliances within an existing Maestro environment 2*MHO140 + 2*6800 with MLS200. Does anyone have any experience with a supported migration path. The migration should be done in as short a maintenance window as possible and allow for rollback. I searched the knowledgebase -> According to sk162373 I can't run the two appliance types in one Security Group, but for the migration I can push all four into one Security Group:

"Quantum Maestro supports all other combinations for migration purposes. ...".

Has anyone done this yet? Does this work reliably?

According to sk181239, there are problems if the interface cards in the appliances are different, which would be the case in our case (10 G and 110 G).

"It is intended that all Security Appliances belonging to the same Security Group must use the same type of network card."

What would be a supported migration path then?

Thanks for your help

0 Kudos
6 Replies
Wolfgang
Authority
Authority
‎2023-10-06 12:24 PM

Any suggestions here for this interesting post ?

tagging @Lari_Luoma and @Chris_Atkinson 

0 Kudos
Dario_Perez
Employee Employee
Employee
‎2023-10-06 01:28 PM

they are not compatible to add into existing security group

you have to create a new security group

 

what you can do is create new Security Group using the MHO2 after migrate the traffic to new Security group. add the MHO1 as secondary. 

0 Kudos
Uwe_Herkt
Participant
Participant
‎2023-10-08 11:36 PM
In response to Dario_Perez

Hi Dario, 

Please let me be a little more specific. You say "what you can do is to create a new security group with the MHO2".
But surely the Security Group configuration is automatically synchronized between the MHOs. Or do you think that I should first remove the MHO2 from the ha. Am I understanding your suggestion correctly like this?
- remove the downlink cable to the 6800 appliances on MHO2,
- set the maestro configuration orchestrator-amount 1 on both MHOs,
- disable uplink ports on MHO2
- connect MLS 200 to MHO2
- configure new security group on MHO2
- Clone security group configuration
- Switch to the new security group
- ...

This sounds a bit crazy, is this what you mean?

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2023-10-06 07:16 PM

I'm just planning exactly the same type of project.

Here are rough steps:

  1. Upgrade MHOs to R81.10 take 109 or higher.
  2. Create a new Security Group with the MLS-appliances only.
  3. Assign new interfaces to the new Security Group, For MLS you will need to use 100G downlinks.
  4. Clone all configurations, preferably with new management IP-address (If you have a VSX, you have options to either do vsx_util reconfigure or use provisioning tool and build new VSs)
  5. Cut over by disabling/enabling switch ports or moving the physical cables.
  6. Once everything is working, delete the old security group and remove the 6K appliances

You will have to create a new security group with the MLS appliances, 

Remember to use correct SW version as specified in sk176466

Uwe_Herkt
Participant
Participant
‎2023-10-08 11:45 PM
In response to Lari_Luoma

Hi Lari,

thanks for your answer, that sounds understandable. However, if I have understood it correctly, I need new uplink ports for this migration, i.e. additional GBIGs in the MHOs + possibly in the switches, right? These are currently not included in our project.

Is it possible to temporarily use the same physical uplink ports for the new security group?

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2023-10-11 08:45 AM
In response to Uwe_Herkt

If you have transceivers, and available ports, allocating extra ports could make cutover easier. Even if you don't have transceivers, but have ports, you can still configure your new ports in the new SG and in the cutover just swap the transceivers.

If you don't have enough ports available for the new Security Group (that turned out to be my issue in the project I'm working at the moment), you can "swap" the existing ports from security group to another.

In dual site, you can do one site at a time that will make it even easier.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events