This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ash_james
Participant
‎2018-08-07 10:27 AM

Checkpoint r77.30 cluster migration from hardware to VM

Hello,

I need to migrate an in production Checkpoint r77.30 cluster currently running on 5200 hardware to virtual machines. The management server would remain the same but firewall interfaces will change. The cluster runs multiple S2S VPN's and mobile access authenticating to LDAP. What would be the best way to achieve this ?

Appreciate any suggestions!

0 Kudos
6 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2018-08-08 01:13 AM

Just that we understand correctly - what interface changes are you expecting? Names obviously will change (although you can trick VM to use the same names as on  appliances). Will you be changing actual IPs? Will you change number of interfaces or they will simply map to new IPs?

0 Kudos
ash_james
Participant
‎2018-08-08 05:03 AM
In response to Kaspars_Zibarts

Hello Mr. Zibarts,

1) number of interfaces changes (sub-interfaces on hardware will become dedicated interfaces on the VM)

2) IP changes for sync, mgmt and inside interfaces.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-08-08 07:19 AM
In response to ash_james

In that case I would stick with Danny's suggestion - basically creating new firewall cluster from scratch. There's not a lot you can copy in such case. 

Danny
Champion Champion
Champion
‎2018-08-08 01:28 AM

Step 1: Get the required VE licenses.

Step 2: Install the VMs with the new interfaces and perform the GAiA 1st Install wizard

Step 3: Create the new cluster object within SmartDashboard, establish SIC, attach the VE licneses

Step 4: Create and new policy package for the cluster or modify your existing one for it; Install the security policy

Step 4: Plan and migrate the S2S VPNs and MOB authentication to the new cluster

Step 5: Shut down the old cluster and delete the related objects and rules within SmartDashboard

_Val_
Admin
Admin
‎2018-08-08 03:42 AM
In response to Danny

To simplify Step 2, I would suggest copying out the old "show configuration" CLISH info and just changing interface names there to keep IPs, DNS, hostnames and routes as is. You can paste this config into CLISH on the new VMs. You still need to run the first wizard and to setup new SIC

0 Kudos
ash_james
Participant
‎2018-08-08 05:26 AM
In response to Danny

Hello Mr. Jung, thank you for your response.

Step 1: what factors have to be considered while requesting the VE license ? will it make sense to replicate the license feature set running on the hardware firewall at present ?

Step 4: for VPN migration, will replacing the old CL object with new CL object in communities do ? and if possible can you elaborate on migrating MOB authentication ?

Any additional factors to be looked into prior to the migration ? I am trying to collect as much information as I can before the migration to avoid any surprises.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events