This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Patricio_Cachac
Participant
‎2018-10-24 02:36 PM

Migrate VSX Gateway to New Management

Hi all,

Hi have a enviroment with two 15600 running vsx in R80.10, we need to split the management server that also has the log/event role in two diferente servers, one for management and other for event/log. We already create the two server and migrate the  management database to the new server and build the sic with the new event/log. Now we need to migrate the gateways but we are not sure what could be the steps to migrate only one gateway at a time to minimize the downtime. The new management as a diferent name and ip address. If anyone could give any ideias , will be welcome.

Thanks in adanced,

1 Reply
Kaspars_Zibarts
Employee Employee
Employee
‎2018-10-25 12:35 AM

You may try as follows, this is very brief to give an idea

  1. Create snapshots on both gateways in case you need to go back
  2. Disconnect all but Mgmt interface cables from standby node, lets call it FW2, to prevent uncontrolled traffic failover once you have connected to the new mgmt server and configured firewall
  3. Run reset_gw command on FW2 that will wipe out current VSX config. Ideally from console port, but Mgmt will work too
  4. Make sure that you can reach new management server IP from FW2. Do ping from firewall
  5. From your management server run vsx_util reconfigure command. If your management DB has been migrated correctly and nothing is corrupted regarding VSX objects, than command should complete and you will have full VSX config on FW2. If it fails, you will need to investigate
  6. Set 64 bit mode if it was set originally (check with vs_bits -stat )
  7. Reboot FW2
  8. Set affinities the same way as they are on FW1 
  9. Check/Set MultiQueue
  10. Check/Set CCP broadcast/multicast
  11. Your gateway should be ready now. Check vsx stat -v and cphaprob stat
  12. Try pushing all topologies and policies from new management to FW2 (untick box to allow installation if one gateway in cluster fails)
  13. Cutover - you will not be able to synchronize connections tables as firewalls belong to different clusters. One option is to allow out of state connections before step 12 that will make cutover more seamless
  14. Note your statistics on FW1 (i.e. using cpview) so you know what to expect on FW2
  15. Unplug all interfaces from FW1 (except Mgmt) and plug in all on FW2
  16. Check statistics on FW2 i.e using cpview
  17. Do your testing to make sure everything is working
  18. repeat steps 3-12 with FW1
  19. plug in cables to FW1 and failover to it to check functionality
  20. Double-check licenses on gateway and mgmt
  21. Set out of state back to normal if your changed it and push all policies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events