Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Calvin_Piggott
Contributor

R80.40 Standalone to Distributed sk154033

Jump to solution

Hello fellow members.

 

Would really appreciate your expert opinions on this matter.

 

Currently I'm tasked w/ converting an on-premise standalone R80.40 setup to a distributed management and Cluster-XL setup.

Let's call the current setup old-mgmt-gateway-01.

This also manages an Azure R80.10 CloudGuard IaaS instance, let's call this azure-cg-01.

There's a site to site VPN between old-mgmt-gateway-01 and azure-cg-01.

Remote VPN clients also connect to old-mgmt-gateway-01.

 

I'm proposing the following as per sk154033:

  • Secondary management server, let's call this new-mgmt.
  • New primary gateway only, let's call this new-gateway-01.
  • New secondary gateway only, let's call this new-gateway-02.
  • Cluster-XL object, let's call this new-clusterxl.

 

I've already achieved successful management HA sync.

 

Moving forward, I'm seeking clarity on the following:

  • Since VPN clients are presented w/ the gateway's certificate upon site creation and connection, wouldn't the name new-clusterxl break current Endpoint Security VPN site configuration? I would rather not use the old-mgmt-gateway-01 as the cluster object name.
  • Does the same hold true for site to site VPN w/ azure-cg-01?
  • Outbound HTTPS Inspection is currently enabled, so if the cluster object uses a name other than old-mgmt-gateway-01, does that require the gateway certificate to be regenerated?

If there are any other dependencies that you think I missed, do let me know.

 

Thank you,

Calvin.

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Right-click on one of the instances it is used in the policy and select Where Used.
You can see all the uses of the old object and replace specific instances of it with the new object.

Screen Shot 2021-03-28 at 6.27.18 PM.png

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

You're creating a new gateway which means a new certificate will be created.
Clients will get prompted on first connection with the new fingerprint but after that, you should be ok.
For Site-to-Site VPN, you should be fine since the CA won’t change and what matters is the endpoints being able to validate the certificate and access the CRL.
Unless you want to regenerate the ICA with the new management server name.
For HTTPS Inspection, what matters is the CA key used for signing the certificates (different from the ICA).
Not sure where that’s stored offhand.

0 Kudos
Calvin_Piggott
Contributor

Thank you sir!

I don't think I'll go down the ICA regeneration road unless necessary.

 

One more thing that I realized is that with a security policy of just over 320 rules, the 'Install On' column has old-mgmt-gateway-01 and adding the gateway new-clusterxl means that I'll need to add it to those rules as well.

SK108538 looks like it will do the trick if I wanted replace, but I want to make it an addition.

Any tips?

Thanks

0 Kudos
PhoneBoy
Admin
Admin

Right-click on one of the instances it is used in the policy and select Where Used.
You can see all the uses of the old object and replace specific instances of it with the new object.

Screen Shot 2021-03-28 at 6.27.18 PM.png

0 Kudos