This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
R80D2
Explorer
‎2023-11-03 06:59 AM
Jump to solution

Disable VLAN Interface on Checkpoint Gateway + SMS

Hello, 

 

For a migration from 1 Checkpoint Cluster to another Firewall, i will have to migrate VLAN Interfaces 1 by 1 from Firewall Cluster A to Firewall Cluster B. The Checkpoint Cluster A is running R80.40, the SMS is also running R80.40

 

Example: 

Firewall A holds a VLAN Interface with vlanid 10, and prefix 10.10.10.0/24, gateway ip 10.10.10.1. 

Firewall B holds a VLAN Interface with vlanid 10, and prefix 10.10.10.0/24, gateway ip 10.10.10.1.  in status shutdown.

 

Goal: 

I would like to move the VLAN Interface to the Firewall B with as little steps as possible on the Check Point side (firewall A). Steps for taking Firewall B Interface online are worked out ( it is a diffferent fw vendor). 

 

Now the question: How do I disable (adminstrative shutdown) the cluster vlan interface 10 on Firewall A ( Check Point)?

I dont want to delete the interface on SMS and trigger a topology change as described in sk57100, so that a fallback scenario is in place. 

 

Also for the above example, i think a shutdown of the vlan interface on both security gateways of Firewall A is neccessary in addition to disabling the cluster vlan interface, so that Firewall A updates it's routing table removing vlan10 prefix 10.10.10.0/24 as direct-connected route 

"set interface vlan10 state off" run on both gateways of Firewall A 

Is this assumption correct? 

Many thanks in advance.

 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-11-04 09:56 AM
Jump to solution

@Chris_Atkinson has described it correctly.
You still need to change the topology in the Smart Console

1) On both gateways:

    set interface eth1.10 state off
    delete interface eth1 vlan 10

2) Smart Console

    a) Delete vlan interface eth1.10
        Gateways & Servers -> [Cluster Object] -> Network Management ->  [eth1.10] -> Action -> Delete Interface

    b) Install policy

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

0 Kudos
5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-11-04 07:10 AM
Jump to solution

Understanding sk92826 might also be helpful to your plight.

Example commands: 

set interface eth1.10 state off

delete interface eth1 vlan 10 (shouldn't be needed here)

 

 

CCSM R77/R80/ELITE
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-11-04 09:56 AM
Jump to solution

@Chris_Atkinson has described it correctly.
You still need to change the topology in the Smart Console

1) On both gateways:

    set interface eth1.10 state off
    delete interface eth1 vlan 10

2) Smart Console

    a) Delete vlan interface eth1.10
        Gateways & Servers -> [Cluster Object] -> Network Management ->  [eth1.10] -> Action -> Delete Interface

    b) Install policy

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
R80D2
Explorer
‎2023-11-05 03:10 AM
In response to HeikoAnkenbrand
Jump to solution

i appreciate all of your answers.


Another note on the example: 

Firewall A will have a static route set beforehand for 10.10.10.0/24 via an existing linknet to Firewall B. The idea is to ensure, that after migration of vlan interface 10, services from Firewall A can still communicate with Firewall B, once the direct-connected interface, and therefore the d-c route, is deleted on Firewall A, and the static route will be the best route. 



Regarding VLAN Interface Removal and VLAN Monitoring: 
 Thank you @Chris_Atkinson . I will go through our current configuration regarding sk92826- as i understand it, as long as CP cluster is in default configuration, the monitored VLAN interfaces for HA failover should be lowest (e.g. vlan1) and highest (e.g. vlan4094).



Regarding the steps to "disable" the Cluster VLAN Interface:

Is there no other way to get rid of the cluster interface supplying the exampled default gateway 10.10.10.1?
I am thinking of changing the prefix on the vlan 10 interface to some RFC specified non-routed prefix e.g. 169.254.1.1, so that i can keep the interface in smart console? This might be a more wild implementation, but might work. 

The reason i am asking is, i will have to do the exampled vlan migration for roughly 50 vlan interfaces. Hence, i would like the steps on the production Firewall A as small as possible. 

 

@the_rock : Is get interfaces without topology mandatory, after deleting the interfaces on the gateways? I typically don't use "get interfaces with/without topology" at all, hence the question.

The steps that i would go for, if no other steps are recommended, are these then:  

1) On both gateways:

    set interface eth1.10 state off
    delete interface eth1 vlan 10

2) Smart Console

    a) Delete vlan interface eth1.10
        Gateways & Servers -> [Cluster Object] -> Network Management ->  [eth1.10] -> Action -> Delete Interface


0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-11-05 03:35 AM
In response to R80D2
Jump to solution

I had always been updating topology after any interface change on OS level. I would say its certainly recommended, so management smart console is "aware" of the changes.

 

Kind regards,

 

Andy

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
‎2023-11-04 03:51 PM
Jump to solution

Personally, I always do it on OS level first, then dashboard (network topology) and never had an issue with doing so.

Kind regards,

Andy

As a side note, but important, I would say always do "get interfaces WITHOUT topology", so nothing is overwritten.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events