Maestro replace appliances
Hi,
We are currently operating a Maestro setup consisting of 6500s and are now looking into changing this to 6700s.
Does anyone know how I can go about changing the hardware for a security group with minimal downtime? As mix and match is not an option, I would assume 'cleaning out' the 6500 appliances of the security group first, and then adding the 6700s.
But how will the Maestro act if I add a 6700 to the existing secgroup with the 6500s? Is there a way that I can do this just to get the hardware changed without downtime? Anyone know?
I would think that with a dual chassis setup (dual site) there would be possibilities? Changing the hardware on one site, failing over, then the other. But for a single sec. group?
Any tips?
You can create a second security group, add all your 6700s to it, and add new ports and connect them to your switches, but leave the ports in shut mode on the switch. Now you can switch over in the time it takes to shut/no shut the ports on both security groups. The policy will be loaded already, as you have the mgmt port that can be enabled beforehand, since you need a different management IP for the security group anyway. As long as that IP on the new SG gateway object is different from the original one, this would give no problems for all other interfaces to have the same IPs as the original SG.
In a window you need to make sure the policy is equal on both, and that anti-spoofing and all other settings on your SGs are the same; then you can go ahead and shut all switch ports to the old SG and unshut the ports to the new SG. After that, issue an arping for all IPs on all interfaces and proxy ARPs to make sure the new MAC addresses are propagated to adjacent hardware.
This is the quickest and shortest downtime method I can think of.
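The arping step from the reply above, as an added example that is not part of the original post and is not Check Point tooling. It assumes the iputils `arping` (`-U` unsolicited mode) and the one-line output of `ip -o -4 addr show`; the function names and the sample addresses are constructed for illustration, and proxy ARP addresses are not covered because they are not assigned to an interface.

```shell
#!/bin/sh
# Build one gratuitous-ARP command per IPv4 address configured on the new
# security group, so adjacent switches and routers relearn the MAC addresses
# after the port cutover. Commands are only printed (dry run) for review.

# Constructed sample of `ip -o -4 addr show` output (documentation ranges).
sample_addrs() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth1-01    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth1-01
3: bond1.100    inet 198.51.100.1/24 brd 198.51.100.255 scope global bond1.100
3: bond1.100    inet 198.51.100.10/24 scope global secondary bond1.100
EOF
}

# Reads `ip -o -4 addr show` output on stdin.
# $1 = number of unsolicited ARP packets to send per address (default 3).
garp_commands() {
    awk -v n="${1:-3}" '
        $3 == "inet" {
            ifname = $2
            sub(/@.*/, "", ifname)         # drop any "@parent" suffix
            if (ifname == "lo") next       # loopback has no neighbours
            split($4, a, "/")              # strip the prefix length
            printf "arping -U -c %d -I %s %s\n", n, ifname, a[1]
        }'
}

# Dry run against the constructed sample.
sample_addrs | garp_commands 3
```

On the live gateway, feed it `ip -o -4 addr show | garp_commands 3`, review the printed commands, and only then pipe them to `sh`.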
Thank you, that is great input!
The ability to mix appliance types in a Security Group is planned for R80.10.
Let's keep it on R81.10 for that
😉
