Advice on installing replacement licenses to double the number of licensed CORES on a FW cluster

Hey everyone, hope you are all well.

Background for this query is we have a clustered Active/Passive pair of R0.30 firewalls currently Centrally managed for 4CPUs.

We have already been to CheckPoint and traded the 4 Core licenses in for replacement 8 Core licenses. 

I now need to get round to adding the new licenses to the Manager and applying them to the cluster. I need to make sure the firewalls continue to process traffic when applying the new licenses.

I'm not clear whether any rebooting is required to get the firewalls to light up the new cores?

I am guessing that it will allow me to apply the 8 core licenses alongside the 4 core licenses and then will just spawn some additional fw_workers straight away. I can then safely remove the old 4 core license?

But it's only a guess!

Can anyone advise?

Many thanks

Tim

Admin
Any change to the number of licensed cores requires a reboot to take effect.
This is indicated whenever a new license is applied and the number of licensed cores changes.

I don't believe it will impact traffic to apply the license.
However, I highly recommend performing this activity during a maintenance window.
Nickel
Thanks for the response. Given this is a cluster, would you expect me to be able to apply the licenses and then reboot one half of the cluster and then seamlessly fail the cluster over to reboot the other half, or do you think it will drop the connections table during the failover?

(PS. I feel like I'm talking to the God of CheckPoint! I've been following your advice for years!)
Platinum

@Tim_Spencer you lose your connections, because state synchronization between the nodes does not work if they have a different count of cores. You can add the new licenses, change the cores and then reboot one by one. But be aware of the small gap.

The cluster will fail over, but without state synchronization.

Wolfgang

PS: regarding @PhoneBoy , yes he's someone with a really great knowledge about all CheckPoint things, but in contrast to god he is a real awesome person 😉

Nickel
@Wolfgang thanks for your response. Such a shame everything I seem to do requires a non-stateful failover! LOL I don't suppose adding an eval license to both firewalls beforehand would help, would it?

PS. LOL
Platinum

Adding the eval license changes nothing.

I found "Graceful failover with CoreXL mismatch after a CoreXL license upgrade".

Looks like state sync is possible using the same procedure as for upgrades with "cphacu". That's new to me, but it is interesting that a change like the one you are making could be done without interruption.

Wolfgang

Nickel
@Wolfgang. Bravo! I've been searching articles for days regarding the license upgrade process. Thanks again.

You can uncheck "Drop Out of State TCP" on the Stateful Inspection screen of Global Properties to help blunt the effects of a non-stateful failover. Be sure to recheck the box when all done!

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Admin
I'm just some guy who's been doing Check Point stuff for...24 years. 😳