Luis1980
Participant

Replacement of the Check Point 12000 R80.40 model, associated with an R80.40 console, by the 1800 spl

I need help.

 

I have to replace an old appliance, model 12000 with Gaia R80.40, whose policies are managed by the MGMT at R80.40. The new appliance is a model 1800 with Gaia R80.20, which is supported by the MGMT. I need help with the steps to follow to change from one model to the other and how to integrate the policies. On the new model I have replicated the configuration of interfaces and static routes, but I need to know what else I have to do before moving the cables from one to the other.

 

Thank you.

Chris_Atkinson
Employee

Note there was a similar discussion recently here regarding this uncommon scenario:

https://community.checkpoint.com/t5/SMB-Gateways-Spark/Use-Policy-for-a-12400-with-a-new-SMB-Cluster...

CCSM R77/R80/ELITE
Luis1980
Participant

Thanks, but I see that in the end nothing is said about how to do it.

G_W_Albrecht
Legend

Let me explain it this way: Usually, customers change from Embedded SMB appliances to bigger GAiA appliances, but not the other way 😊.

Here, you just have to check the old policy for SMB limitations (see SKs) and change the IPS configs for the smaller HW footprint.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Luis1980
Participant

Can you explain more about this? Or can you provide me with an SK?
Apart from the policies, I would have to establish SIC between the new appliances and the MGMT.

 

Thanks

_Val_
Admin

Yes, you will have to re-establish SIC

Luis1980
Participant

 

I understand that the SIC configuration is the same as with any other Check Point FW?

And I have to follow these steps:

  1. Open the command line interface on the Security Gateway.

  2. Run:

    cpconfig

  3. Enter the number for Secure Internal Communication and press Enter.

  4. Enter y to confirm.

  5. Enter and confirm the activation key.

  6. When done, enter the number for Exit.

  7. Wait for Check Point processes to stop and automatically restart.

In SmartConsole:

  1. In the General Properties window of the Security Gateway, click Communication.

  2. In the Trusted Communication window, enter the one-time password (activation key) that you entered on the Security Gateway.

  3. Click Initialize.

  4. Wait for the Certificate State field to show Trust established.

  5. Click OK.

_Val_
Admin

Cluster or a single appliance? 

Mind, 12000 has much more firepower than 1800, so there might be issues with performance. 

If you reviewed your policy and found no limitations mentioned in sk178604, then here is how you proceed.

- replicate topology with interfaces and IP addresses identical to your old FW

- disconnect the old FW

- connect new appliance

- in SmartConsole, change FW object to be Spark, adjust GW version, reset and re-establish SIC, push policy

- check traffic flow and other functionalities. 

Luis1980
Participant

It is not a cluster; I have 2 appliances, but in standalone.
What do you mean by push policy?

I had also thought about creating a new object and using it for the new FW, what do you think of this idea?

_Val_
Admin

How new are you to Check Point? Push policy means applying your Security policy package to your Security Gateway.

You can create a new object, but it will have the same management IP address as the old FW, so there will be a conflict. 

Luis1980
Participant

I've been using Check Point for a few years, but I've never made a change from an old FW to a new one.

Are you referring to installing policies?

Thank you for your answers.

G_W_Albrecht
Legend

The procedure would be rather simple if you do replace a GAiA appliance with a newer GAiA appliance. SMB units are basically not intended as a 12000 replacement but for SMBs 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Luis1980
Participant


On the old FW I am only using the Firewall, IPsec VPN and IPS blades; that's why I thought of going down to a lower model, because they are for a backup center.

_Val_
Admin

yes

Luis1980
Participant

Thank you very much for all your answers.

So these are the steps I'm going to take.

I will start with the management interface of the equipment; the configuration of the old FW has already been replicated to the new FW.

Will I have to change the name of this interface in the topology? In the new FW the name is LAN1, while in the old one it is eth1.

I will change the name, platform, hardware and operating system version in the object, and then perform the SIC with the MGMT; I understand that it is done the same as with any Check Point FW.

Push policies.

Then I will test traffic and functionalities.

If all goes well I will connect the rest of the interfaces.

Do you think there may be any additional problem?

Or do you think I'm missing a step?

_Val_
Admin

Yes, the interface names are not the same, so you will need to adjust them in the topology tab. Initializing SIC is a bit different as well, please follow the documentation. 

Once more, you need to make sure that the performance of your new 1800 appliance is enough for your needs. 

Another important note, I believe you will have to use R81.10 or a higher version of your management server to manage the 1800 appliance. 

Luis1980
Participant


According to the information I found, R80.40 is compatible.

G_W_Albrecht
Legend

This is for the older firmware versions R80.20.xx that have end of support in Oct-23, and end of support for R80.40 is January 2024.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Luis1980
Participant

I don't understand your answer. According to the documentation I found, it is compatible with an MGMT on version R80.40:

Management

1600 and 1800 Security Gateways are conveniently managed locally via a Web interface (offering simple and intuitive management and configuration), and centrally by Cloud-hosted SMP (Security Management Portal) which can scale to manage over 10,000 Check Point SMB Appliances. The Gateways can also be managed centrally by Check Point's central management solutions: SmartConsole, MDM, and LSM.

You can manage 1600 / 1800 Quantum Spark Appliances with these on-premises Management Servers:

  • R81 and higher versions
  • R80.40 Jumbo Hotfix Accumulator Take 91 and higher
  • R80.30 Jumbo Hotfix Accumulator Take 227 and higher
G_W_Albrecht
Legend

The older firmware version branch R80.20.xx is compatible with an MGMT on version R80.40!

But older firmware version branch R80.20.xx has end of support in Oct-23, and end of support for R80.40 MGMT is January 2024. So support would end next October for e.g. R80.20.50 firmware...

You have to decide if it makes sense to use software versions with less than a year support left.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Luis1980
Participant

One question: the name change in the network topology, do I have to do it before changing the cables? I understand that it must be so, but I am not quite sure about this step.

G_W_Albrecht
Legend

Better update interfaces and topology from SMB as found here: https://sc1.checkpoint.com/documents/SMB_R81.10.00/AdminGuides/Centrally_Managed/EN/Topics/Configuri...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
RamGuy239
Advisor

This should be pretty straightforward unless you have something in your R80.40 policy package that is not supported by Quantum Spark / Small Business Appliances, as they tend to have some features they don't support when compared to enterprise appliances running full Gaia.

If you upgrade your 1800 series SMB appliance to R81.10.00 firmware, you are removing quite a few limitations; Quantum Spark / SMB appliances are almost on par with regular appliances in terms of features supported when running R81.10.00 firmware. This will require you to run R81.10 JHF Take 66 or higher, or R81.20, on your management server in order to be able to manage Quantum Spark SMB appliances running R81.10.00 firmware.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


You still have to take into consideration that a move from a 12000 series enterprise Gaia appliance to an 1800 series small business Gaia Embedded appliance is a rather extensive downgrade in terms of hardware and performance. It might be that you will have to tweak your policy and deployment to be able to make this run efficiently on more limited hardware.

Quantum Spark SMB appliances are pretty capable for their price, but their performance relies heavily on hardware acceleration. Any rules that might kill acceleration, any site-to-site IPsec VPN tunnels that are not using encryption settings that can be accelerated using AES-NI and SecureXL, etc., are going to be very slow on this hardware.


You should at least update your 1800 series to be running R80.20.60 as minimum before making the transition.

https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...

 

I find it rather strange that you ended up with 1800 series as a replacement for a 12000 series appliance. Unless you are planning a downscale of the installation?

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
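A pre-migration check that encodes the two management-version rules stated in this thread (the documentation list quoted above for 1600/1800 appliances on the R80.20.xx firmware branch, and RamGuy239's note that R81.10.00 firmware needs R81.10 JHF Take 66 or higher, or R81.20). This is an added example, not code from the thread or from Check Point; the version-string format, the helper names, and the assumption that management versions newer than R81.20 also qualify are mine.

```python
"""Check whether a management server version can manage a 1600/1800
Quantum Spark appliance on a given firmware branch.

Rules come only from the thread: for R80.20.xx firmware, R81 and higher,
R80.40 Jumbo Hotfix Take 91+, or R80.30 Jumbo Hotfix Take 227+; for
R81.10.00 firmware, R81.10 Jumbo Hotfix Take 66+ or R81.20 (treating
later management lines as qualifying is an assumption of this example).
"""
import re
from typing import NamedTuple


class MgmtVersion(NamedTuple):
    major: int
    minor: int
    take: int  # Jumbo Hotfix Accumulator take; 0 when none is named


# Matches strings such as "R81", "R80.40 Jumbo Hotfix Accumulator Take 91",
# "R81.10 JHF Take 66" or "R81.20" (format assumed for this example).
_VERSION_RE = re.compile(
    r"R(\d+)(?:\.(\d+))?(?:\.\d+)?(?:.*?\bTake\s+(\d+))?", re.IGNORECASE
)


def parse_mgmt_version(text: str) -> MgmtVersion:
    """Extract (major, minor, take) from a free-form version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return MgmtVersion(int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))


# Per firmware branch: (major, minor, minimum take, later lines also qualify).
# An entry with higher_ok=False applies only to that exact major.minor line.
_MINIMUMS = {
    "R80.20": [(81, 0, 0, True), (80, 40, 91, False), (80, 30, 227, False)],
    "R81.10": [(81, 20, 0, True), (81, 10, 66, False)],
}


def can_manage_spark(mgmt: str, firmware_branch: str) -> bool:
    """True if this management version can manage a 1600/1800 on that firmware."""
    v = parse_mgmt_version(mgmt)
    for major, minor, min_take, higher_ok in _MINIMUMS[firmware_branch]:
        same_line = (v.major, v.minor) == (major, minor)
        if same_line and v.take >= min_take:
            return True
        if higher_ok and (v.major, v.minor) > (major, minor):
            return True
    return False


if __name__ == "__main__":
    # The original poster's case: an R80.40 MGMT (take unknown) and R80.20.xx firmware.
    print(can_manage_spark("R80.40 Jumbo Hotfix Accumulator Take 91", "R80.20"))  # True
    print(can_manage_spark("R80.40 Jumbo Hotfix Accumulator Take 50", "R80.20"))  # False
```

The check only tells you whether the management server can manage the appliance at all; the SMB feature limitations and the sizing concerns raised in the thread still need a separate policy review.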