- Products
- Learn
- Local User Groups
- Partners
- More
Maestro Masters
Round Table session with Maestro experts
Yo,
I am planning an uppgrade from R80.20SP til R81 for mye dual site, two security group, maestro enviroment.
Read trough sk170696, and the 'surrounding' sk's 🙂 But I do not feel 100% comfortable, so - anyone done this before ? tips n tricks ?
What I find a bit hard to wrap my head around is how to handle the interfaces on the orchestrator. Looking at the SK it pretty much tells me to establish the new sec.group with new interfaces (downlinks, I assume) Ste6 tells me to esablish SIC, but then step8 tells me to connect cables ? -- Will I even be able to SIC this with no downlinks available ?
I have tons of interfaces in the old security groups, how do I bring those over ? they might be pulles from the config i put int the appliance in step4 ?
Anyone had any 'hands on' here ? 🙂
I did this some time ago in my lab so take everything below with a grain of salt. The basic steps are: 
1. Split up the old SG into a new and an old SG. Install the new SG with the target version (r81.10).
2. The new SG gets different interfaces on the Orchestrator, disconnect the management interface from the old SG, severing old SG and SMS. The management interface should be used to establish SIC.
3. Transfer all gaia settings from the old SG to the new SG. Change the version of the SMO on the SMS and install policy on the new SG.  Now you have 2 SG with the same settings but different versions, yet one isn't connected to the network yet.
4. This is where the downtime starts: Disconnect the cables from the old SG and connect them to the new SG.
5. Check if everything is working again, keep distribution modes in mind: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Thanks Benedikt,
Starting out with r80.20sp we had to do all the interfaces (all the vlan interfaces) in the orchestrator in addition to the sgm itself. After jumo sometinhsomething ofcoure we did not any longer have to do this - since it will be synched from the SGM.
So I would assume that using different interfaces for the downlinks between orchestrator and appliances is just part of a 'two step rocket' thing ? What I am having a hard time wrapping my head around is why we would need to add new interfaces to the new SG - or if it is just a temporary thing ?
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 14 | |
| 5 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | 
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY