This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kamiar_Sh
Contributor
‎2018-11-01 06:17 AM
Jump to solution

HA cluster interfaces move to Cisco switch

I have a cluster Checkpoint firewall (R77.30) with 8 Interfaces and connected to two old Nortel switches and now I am going to move two cables ( Eth4 and 5) to new Cisco switch and there are 5 VLANs assigned to Eth 4 so the question is what  are the steps should be to this approach?  any outage or failover may appear?

FW1 active

FW2 standby

appreciate if I get some advise. 

Preview file
44 KB
0 Kudos
1 Solution

Accepted Solutions
Daniel_Taney
Advisor
‎2018-11-02 01:45 PM
In response to Kamiar_Sh
Jump to solution

I hate to fall back on the age-old response of "it shouldn't have an impact on production traffic, but I'd still do it in a maintenance window!" But that would be my advice. Smiley Happy

Anecdotally,  I believe I did this on a live Cluster and did not see an adverse effect but starting with the Standby cluster first and then changing it on the Primary.

R80 CCSA / CCSE

View solution in original post

4 Replies
Vladimir
Champion
Champion
‎2018-11-01 08:47 AM
Jump to solution

You really not giving us enough information to work with. Topology map would've been useful.

That being said, please make sure that:

Two switches (Nortel and Cisco) are interconnected by a trunk with all the VLANs present in Nortel also present on Cisco and allowed on that trunk.

Depending on particulars of your implementation you may want to switch CCP to a broadcast from multicast, if not already done.

Move standby member to Cisco and attempt the failover. I suggest doing it in a maintenance window approved by the company.

Once the unit connected to Cisco is active and you have verified the health state of the cluster, move the remaining unit from Nortel to Cisco.

These are suggestions, not instructions, so use them at your own risk.

Daniel_Taney
Advisor
‎2018-11-02 07:25 AM
Jump to solution

I recently upgraded the core switches in our network and did it exactly how Vladimir suggested. We were already using CCP in broadcast mode, but you can read how to change and/or change that in this SK (sk20576).

Test and make sure connectivity between new and old switches is good and that all VLANS are defined and accessible. 

Once you know all the connectivity is good, move all the links from the Standby gateway to the new switch. When all the links come up, run cphaprob -a if to make sure ClusterXL sees all VLANs and Interfaces as "UP". I'd also just check in Smart Console and make sure the Gateway status is good there, too. If it all checks out, fail it over and test!

I kept pings running during the switch migration and did not see any interruption to service during the move. That said, I'd still do it in a maintenance window just in case!! 

Good luck! 

R80 CCSA / CCSE
0 Kudos
Kamiar_Sh
Contributor
‎2018-11-02 09:44 AM
In response to Daniel_Taney
Jump to solution

Thanks for your reply, I have a question:

1-CCP mode is multicast now so for this change do I need to to change it to broadcast? if yes, does it have any impact to existing traffic?

0 Kudos
Daniel_Taney
Advisor
‎2018-11-02 01:45 PM
In response to Kamiar_Sh
Jump to solution

I hate to fall back on the age-old response of "it shouldn't have an impact on production traffic, but I'd still do it in a maintenance window!" But that would be my advice. Smiley Happy

Anecdotally,  I believe I did this on a live Cluster and did not see an adverse effect but starting with the Standby cluster first and then changing it on the Primary.

R80 CCSA / CCSE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events