Hi,
I have a ClusterXL of two 5200 FWs, each one R80.10. FW1 is connected to SW1 and FW2 is connected to SW2. FW1 is active and FW2 standby. SW1 and SW2 are connected back to back with a trunk link, and the cluster is working well, diagram below.
```
FW1---SW1
       |
FW2---SW2
```
We need to replace SW1 and SW2 with new SWs with the same configuration. This is my plan to replace the switches without downtime:
1. Power off FW2 and then power off SW2.
2. Replace SW2.
3. Power on new SW2, then power on FW2.
4. Verify that the cluster is healthy.
5. Make FW2 active and FW1 standby.
6. Power off FW1 and then power off SW1.
7. Replace SW1.
8. Power on new SW1, then power on FW1.
9. Verify that the cluster is healthy.
10. Make FW1 active and FW2 standby.
11. End of maintenance.
Q. Should I power off the firewalls as above? Or should I keep them up and let them resync after each SW is replaced? What is better according to your experience and best practices?
Thanks !!
Adel
First documentation to be used is sk107042: ClusterXL upgrade methods and paths - important fact here: Installing a hotfix does not change the Minor software version, therefore cluster members will still be able to perform State Synchronization. Meaning, there is no need to follow 'Full Connectivity Upgrade.' In order to install a hotfix, follow either 'Minimal Effort Upgrade' or 'Zero Downtime Upgrade'.
So after changing the switch, cluster members will still be able to perform State Synchronization.
Hi Adel,
Since you shut down the switch in front of the standby member, you don't need to power off the firewall.
However, you can additionally use the commands "cphastop" and "cphastart" to prevent any unwanted failover to the standby member.
cphastop
Running cphastop on a cluster member stops the cluster member from passing traffic. State synchronization also stops. It is still possible to open connections directly to the cluster member.
cphastart
Running cphastart on a cluster member activates ClusterXL on the member. It does not initiate full synchronization. cpstart is the recommended way to start a cluster member.
Regards,
Benoit
Hi guys,
Gunther:
We are not going to upgrade or patch the firewalls, just replace the switches the firewalls connect to.
Benoit:
As per Checkpoint documentation, those commands should only be run by the Security Gateway, and not directly by the user.
ClusterXL R80.10 (Part of Check Point Infinity) Administration Guide
What do you think about leaving the FWs up and restarting them only in case of issues? Does that sound better?
Thanks for taking the time to help me on this!!!!
Adel
Adel,
You can leave the standby firewall powered on and run 'clusterXL_admin down'; this will force the standby member to show as 'down' when running cphaprob stat. You can then do your maintenance on the switch. When you are done with switch 2, run 'clusterXL_admin up' on FW2 and wait for them to be Active/Standby. Then, when ready, fail traffic over to FW2 so you can do maintenance on SW1, by issuing the same 'clusterXL_admin down' command on FW1, forcing the failover to FW2.
Steps:
1.) Issue clusterXL_admin down on FW2
2.) Replace SW2 & bring it back online
3.) Issue clusterXL_admin up on FW2
4.) Verify the cluster is back to Active (FW1) / Standby (FW2)
5.) If you want, verify the state table with fw tab -t connections -s on FW1/FW2 before moving on to the next step
6.) Issue clusterXL_admin down on FW1
7.) Verify FW2 is active and passing traffic
8.) Replace SW1 & bring it back online
9.) Issue clusterXL_admin up on FW1
10.) Verify the cluster is back to Active (FW2) / Standby (FW1)
11.) Fail back to FW1 to verify the new switch config and successful traffic on the new switch
a.) To fail back to FW1, go back through commands 1 & 3 to force the failover to FW1 and then bring FW2 back in as standby.
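The "verify" points in the procedure above (steps 4, 7 and 10) are where a practitioner most wants a check that does not rely on eyeballing output. The shell helpers below are an added example, not code from the thread or from Check Point: they parse `cphaprob state` output to confirm that each member is in the state the step expects (FW2 deliberately DOWN after `clusterXL_admin down`, back to STANDBY after `clusterXL_admin up`, roles swapped after the failover) before the next switch is touched. It assumes the R80.x `cphaprob state` column layout (ID, Unique Address, Assigned Load, State, Name) with the member name as the last field; the three sample outputs are constructed for offline testing, and only `wait_for_states` calls the live `cphaprob` command.

```shell
#!/bin/sh
# Added example (not from the thread): state checks for the clusterXL_admin
# down/up switch-replacement procedure. Run from the expert shell of a member.
#
# Assumed 'cphaprob state' layout (R80.x), one row per member:
#   ID  Unique Address  Assigned Load  State  Name
# Member name is the last field, its state the field before it.

# member_state NAME : read 'cphaprob state' output on stdin and print the
# State column of member NAME (ACTIVE, STANDBY, DOWN, ...). Exit 1 if absent.
member_state() {
    awk -v name="$1" '
        $NF == name { print $(NF - 1); found = 1 }
        END { if (!found) exit 1 }
    '
}

# expect_states NAME1 STATE1 NAME2 STATE2 : read 'cphaprob state' on stdin
# and succeed only when both members are in exactly the given states.
expect_states() {
    snapshot=$(cat)
    s1=$(printf '%s\n' "$snapshot" | member_state "$1") || return 1
    s2=$(printf '%s\n' "$snapshot" | member_state "$3") || return 1
    [ "$s1" = "$2" ] && [ "$s2" = "$4" ]
}

# wait_for_states NAME1 STATE1 NAME2 STATE2 [TRIES] : poll the live cluster
# every 2 s after clusterXL_admin up/down until the states match, so the next
# switch is not touched while a member is still DOWN or resynchronising.
wait_for_states() {
    tries=${5:-30}
    while [ "$tries" -gt 0 ]; do
        if cphaprob state | expect_states "$1" "$2" "$3" "$4"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 2
    done
    echo "timeout: cluster did not reach $1=$2 $3=$4" >&2
    return 1
}

# Constructed sample outputs (not captured from a real gateway).
# Normal state: before maintenance, and expected again at step 4.
SAMPLE_NORMAL='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         FW1
2          192.168.1.2     0%              STANDBY        FW2

Active PNOTEs: None'

# After step 1 (clusterXL_admin down on FW2): FW2 is deliberately DOWN.
SAMPLE_FW2_DOWN='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         FW1
2          192.168.1.2     0%              DOWN           FW2

Active PNOTEs: None'

# After step 6 (clusterXL_admin down on FW1): traffic has failed over to FW2.
SAMPLE_FW1_DOWN='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     0%              DOWN           FW1
2          192.168.1.2     100%            ACTIVE         FW2

Active PNOTEs: None'

# check LABEL NAME1 STATE1 NAME2 STATE2 : report whether stdin matches.
check() {
    if expect_states "$2" "$3" "$4" "$5"; then
        echo "$1: $2=$3 $4=$5 - OK, proceed"
    else
        echo "$1: cluster is NOT $2=$3 $4=$5 - stop and investigate"
    fi
}

# Stand-alone demonstration against the constructed samples. The last line
# shows the failure mode: FW1 is still DOWN, so it is too early to fail back.
printf '%s\n' "$SAMPLE_FW2_DOWN" | check "after step 1" FW1 ACTIVE FW2 DOWN
printf '%s\n' "$SAMPLE_NORMAL"   | check "step 4"       FW1 ACTIVE FW2 STANDBY
printf '%s\n' "$SAMPLE_FW1_DOWN" | check "step 7"       FW2 ACTIVE FW1 DOWN
printf '%s\n' "$SAMPLE_FW1_DOWN" | check "step 10"      FW2 ACTIVE FW1 STANDBY
```

On a live member, replace the sample pipes with `cphaprob state | check ...`, or gate each step with `wait_for_states FW1 ACTIVE FW2 STANDBY || exit 1` so the script stops rather than proceeding to the second switch with one member still out of the cluster.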
Hi guys,
Thanks so much for your feedback. I will definitely keep the firewalls powered up during the maintenance and use the commands you have recommended (I still need to decide which to use and when). It will save me some time, which is great.
Thanks
Adel