R80D2
Explorer
Disable VLAN Interface on Checkpoint Gateway + SMS

Hello,

For a migration from one Check Point cluster to another firewall, I will have to migrate VLAN interfaces one by one from Firewall Cluster A to Firewall Cluster B. Check Point Cluster A is running R80.40; the SMS is also running R80.40.

Example:

Firewall A holds a VLAN interface with VLAN ID 10, prefix 10.10.10.0/24 and gateway IP 10.10.10.1.

Firewall B holds a VLAN interface with VLAN ID 10, prefix 10.10.10.0/24 and gateway IP 10.10.10.1, in status shutdown.

Goal:

I would like to move the VLAN interface to Firewall B with as few steps as possible on the Check Point side (Firewall A). The steps for taking the Firewall B interface online are worked out (it is a different firewall vendor).

Now the question: how do I disable (administrative shutdown) the cluster VLAN interface 10 on Firewall A (Check Point)?

I don't want to delete the interface on the SMS and trigger a topology change as described in sk57100, so that a fallback scenario is in place.

Also, for the above example, I think a shutdown of the VLAN interface on both security gateways of Firewall A is necessary in addition to disabling the cluster VLAN interface, so that Firewall A updates its routing table, removing the VLAN 10 prefix 10.10.10.0/24 as a directly connected route:

"set interface vlan10 state off" run on both gateways of Firewall A

Is this assumption correct?

Many thanks in advance.

 

Accepted Solutions
HeikoAnkenbrand
Champion

@Chris_Atkinson has described it correctly.
You still need to change the topology in the SmartConsole.

1) On both gateways:

    set interface eth1.10 state off
    delete interface eth1 vlan 10

2) Smart Console

    a) Delete vlan interface eth1.10
        Gateways & Servers -> [Cluster Object] -> Network Management ->  [eth1.10] -> Action -> Delete Interface

    b) Install policy

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Chris_Atkinson
Employee

Understanding sk92826 might also be helpful to your plight.

Example commands:

    set interface eth1.10 state off
    delete interface eth1 vlan 10    (shouldn't be needed here)

CCSM R77/R80/ELITE
R80D2
Explorer

I appreciate all of your answers.

Another note on the example:

Firewall A will have a static route set beforehand for 10.10.10.0/24 via an existing linknet to Firewall B. The idea is to ensure that, after migration of VLAN interface 10, services from Firewall A can still communicate with Firewall B once the directly connected interface, and therefore the directly connected route, is deleted on Firewall A and the static route becomes the best route.

Regarding VLAN interface removal and VLAN monitoring:

Thank you @Chris_Atkinson. I will go through our current configuration regarding sk92826. As I understand it, as long as the CP cluster is in the default configuration, the monitored VLAN interfaces for HA failover should be the lowest (e.g. VLAN 1) and the highest (e.g. VLAN 4094).

Regarding the steps to "disable" the cluster VLAN interface:

Is there no other way to get rid of the cluster interface supplying the example default gateway 10.10.10.1?
I am thinking of changing the prefix on the VLAN 10 interface to some RFC-specified non-routed prefix, e.g. 169.254.1.1, so that I can keep the interface in SmartConsole. This might be a wilder implementation, but it might work.

The reason I am asking is that I will have to do the example VLAN migration for roughly 50 VLAN interfaces. Hence, I would like the steps on the production Firewall A to be as few as possible.

@the_rock: Is "get interfaces without topology" mandatory after deleting the interfaces on the gateways? I typically don't use "get interfaces with/without topology" at all, hence the question.

The steps that I would go for, if no other steps are recommended, are then these:

1) On both gateways:

    set interface eth1.10 state off
    delete interface eth1 vlan 10

2) Smart Console

    a) Delete vlan interface eth1.10
        Gateways & Servers -> [Cluster Object] -> Network Management ->  [eth1.10] -> Action -> Delete Interface
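For the batch the poster describes (roughly 50 VLAN interfaces), the per-member Gaia clish sequence from this thread can be generated as a reviewable plan before anything is executed on a cluster member, which keeps the hands-on steps on the production firewall small and makes the "state off before delete" ordering (so the fallback is still possible) explicit. This is an added example, not code from the thread, from Check Point or from any poster: it assumes the clish syntax shown in the thread (`set interface <parent>.<id> state off`, `delete interface <parent> vlan <id>`), the Gaia clish commands `lock database override` and `save config`, that a saved plan can be fed to clish with `clish -f`, and a constructed VLAN list; the SmartConsole topology deletion and policy install (steps 2a and 2b above) remain manual.

```shell
#!/bin/sh
# Added example: build the Gaia clish plan from the thread for a list of cluster
# VLAN sub-interfaces on one member, as a dry run that is reviewed before use.
# Assumptions (not from the thread): 'lock database override', 'save config' and
# 'clish -f <file>' are the usual Gaia clish wrapper commands; the list below is
# constructed sample input.

# Constructed input: "<parent-interface> <vlan-id>" per line, one entry per VLAN.
VLAN_LIST="eth1 10
eth1 20
eth2 30"

# Print the two clish commands that retire one VLAN sub-interface on one member.
# Order matters: 'state off' first (interface can still be turned back on for a
# fallback), 'delete' second, once the Firewall B side of that VLAN is confirmed.
vlan_retire_cmds() {
    parent="$1"
    vid="$2"
    printf 'set interface %s.%s state off\n' "$parent" "$vid"
    printf 'delete interface %s vlan %s\n' "$parent" "$vid"
}

# Build the complete plan for one member: take the config lock, emit the
# per-VLAN steps, then persist the configuration.
build_plan() {
    list="$1"
    echo "lock database override"
    echo "$list" | while read -r parent vid; do
        # Skip blank or malformed lines rather than emitting a half-formed command.
        [ -n "$parent" ] && [ -n "$vid" ] || continue
        vlan_retire_cmds "$parent" "$vid"
    done
    echo "save config"
}

# Sanity check: the number of delete commands must equal the number of VLANs
# the operator intended to migrate in this batch.
plan_vlan_count() {
    build_plan "$1" | grep -c '^delete interface '
}

# Dry run: print the plan to stdout. An operator would save it (e.g. to
# /home/admin/vlan-plan.txt) and run it on each cluster member with
# 'clish -f /home/admin/vlan-plan.txt' only after reviewing it and after the
# receiving firewall's VLAN interfaces are ready.
if [ "${1:-}" = "--dry-run" ]; then
    build_plan "$VLAN_LIST"
    echo "# VLANs in plan: $(plan_vlan_count "$VLAN_LIST")"
fi
```

Run it as `sh plan.sh --dry-run` to see the plan; splitting the batch into several smaller lists (one per maintenance window) keeps each execution reviewable and reversible, and the `state off` lines alone can be run first if the delete step is to be deferred, as suggested earlier in the thread.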


the_rock
Legend

I have always been updating the topology after any interface change on OS level. I would say it's certainly recommended, so the management SmartConsole is "aware" of the changes.

Kind regards,

Andy

the_rock
Legend

Personally, I always do it on OS level first, then dashboard (network topology) and never had an issue with doing so.

Kind regards,

Andy

As a side note, but important, I would say always do "get interfaces WITHOUT topology", so nothing is overwritten.
