ash_james
Participant

Checkpoint r77.30 cluster migration from hardware to VM

Hello,

I need to migrate an in-production Checkpoint r77.30 cluster currently running on 5200 hardware to virtual machines. The management server would remain the same but firewall interfaces will change. The cluster runs multiple S2S VPNs and mobile access authenticating to LDAP. What would be the best way to achieve this?

Appreciate any suggestions!

0 Kudos
6 Replies
Kaspars_Zibarts
Employee

Just so that we understand correctly: what interface changes are you expecting? Names obviously will change (although you can trick the VM to use the same names as on appliances). Will you be changing actual IPs? Will you change the number of interfaces, or will they simply map to new IPs?

0 Kudos
ash_james
Participant

Hello Mr. Zibarts,

1) number of interfaces changes (sub-interfaces on hardware will become dedicated interfaces on the VM)

2) IP changes for sync, mgmt and inside interfaces.

0 Kudos
Kaspars_Zibarts
Employee

In that case I would stick with Danny's suggestion - basically creating a new firewall cluster from scratch. There's not a lot you can copy in such a case.

Danny
Champion

Step 1: Get the required VE licenses.

Step 2: Install the VMs with the new interfaces and perform the GAiA 1st Install wizard

Step 3: Create the new cluster object within SmartDashboard, establish SIC, attach the VE licenses

Step 4: Create a new policy package for the cluster or modify your existing one for it; Install the security policy

Step 4: Plan and migrate the S2S VPNs and MOB authentication to the new cluster

Step 5: Shut down the old cluster and delete the related objects and rules within SmartDashboard

_Val_
Admin

To simplify Step 2, I would suggest copying out the old "show configuration" CLISH info and just changing interface names there to keep IPs, DNS, hostnames and routes as is. You can paste this config into CLISH on the new VMs. You still need to run the first wizard and to set up new SIC.

0 Kudos
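The interface rename suggested in the reply above, as an added example that is not part of the original thread or any Check Point tooling: a Python script that rewrites interface names in a saved "show configuration" dump, maps VLAN sub-interfaces to dedicated interfaces, and holds back any line that references an interface with no mapping. The sample config lines and the old-to-new interface mapping are constructed assumptions.

```python
import re

# Constructed sample of CLISH "show configuration" output (not from the thread).
OLD_CONFIG = """\
set hostname fw-a
add interface eth1 vlan 100
set interface eth1 state on
set interface eth1.100 state on
set interface eth1.100 ipv4-address 10.1.100.2 mask-length 24
set interface eth10 ipv4-address 192.0.2.2 mask-length 24
set interface Mgmt ipv4-address 10.0.0.2 mask-length 24
set static-route default nexthop gateway address 192.0.2.1 on
"""

# Hypothetical mapping: interface name on the appliance -> name on the VM.
IFACE_MAP = {"eth1.100": "eth2", "eth10": "eth1", "Mgmt": "eth0"}

# Match whole interface tokens only, so "eth1" never matches inside
# "eth10" or "eth1.100".
IFACE_TOKEN = re.compile(r"(?<![\w.])(?:eth\d+(?:\.\d+)?|Mgmt|Sync)(?![\w.])")
VLAN_ADD = re.compile(r"add interface (\S+) vlan (\d+)$")

def remap(config, mapping):
    """Return (lines ready to paste, lines that need manual review)."""
    out, review = [], []
    for line in config.splitlines():
        vlan = VLAN_ADD.match(line)
        if vlan:
            # A sub-interface that becomes a dedicated vNIC needs no VLAN
            # definition on the VM; keep it for review if it is unmapped.
            if f"{vlan.group(1)}.{vlan.group(2)}" not in mapping:
                review.append(line)
            continue
        names = IFACE_TOKEN.findall(line)
        if any(name not in mapping for name in names):
            review.append(line)  # e.g. the old trunk parent interface
            continue
        # One pass per line: a name produced by the mapping is never
        # mapped a second time (eth10 -> eth1 stays eth1).
        out.append(IFACE_TOKEN.sub(lambda t: mapping[t.group(0)], line))
    return out, review

if __name__ == "__main__":
    new_lines, needs_review = remap(OLD_CONFIG, IFACE_MAP)
    print("\n".join(new_lines))
    for line in needs_review:
        print("# REVIEW:", line)
```

Lines returned for review are deliberately left out of the output so they are not pasted into CLISH on the new VMs by accident.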
ash_james
Participant

Hello Mr. Jung, thank you for your response.

Step 1: What factors have to be considered while requesting the VE license? Will it make sense to replicate the license feature set running on the hardware firewall at present?

Step 4: For VPN migration, will replacing the old CL object with the new CL object in communities do? And if possible, can you elaborate on migrating MOB authentication?

Any additional factors to be looked into prior to the migration? I am trying to collect as much information as I can before the migration to avoid any surprises.

0 Kudos
