Solved: Advice on installing replacement licenses to doubl...

Tim_Spencer · ‎2020-05-13

Hey everyone, hope you are all well.

Background for this query is we have a clustered Active/Passive pair of R0.30 firewalls currently Centrally managed for 4CPUs.

We have already been to CheckPoint and traded the 4 Core licenses in for replacement 8 Core licenses.

I now need to get round to adding the new licenses to the Manager and applying it cluster. I need to make sure the firewalls continue to process traffic when applying the new licenses.

I'm not clear whether any rebooting is required to get the firewalls to light up the new cores?

I am guessing that it will allow me to apply the 8 core licenses along side the 4 core licensed and then will just spawn some additional fw_workers straight away. I can then safely remove the old 4 core license?

But its only a guess!

Can anyone advise?

Many thanks

Tim

Wolfgang · ‎2020-05-15

Adding the eval license changes nothing.

I found Graceful failover with CoreXL mismatch after a CoreXL license upgrade .

Looks like state sync is possible like the same procedure for upgrades with "cphacu". That's new for me, but interesting that a change like you do could be done without interruption.

Wolfgang

View solution in original post

PhoneBoy · ‎2020-05-14

Any change to the number of licensed cores requires a reboot to take effect.
This is indicated whenever a new license is applied and the number of licensed cores changes.

I don't believe it will impact traffic to apply the license.
However, I highly recommend performing this activity during a maintenance window.

Tim_Spencer · ‎2020-05-15

Thanks for the response. Given this is a cluster would you expect me to be able to apply the licenses and then reboot one half of the cluster and then seamlessly fail the cluster over to reboot the other half or do you think it will drop the connections table during the failover.

(PS. I feel like I'm talking to the God of CheckPoint! I've have been following your advise for years!)

Wolfgang · ‎2020-05-15

@Tim_Spencer you lost your connections, because state synchronization between the nodes does not work if they have a different count of cores. You can change add the new licenses, change the cores and then reboot one by one. But be aware of the small gap.

Cluster will be failover but no state synchronization.

Wolfgang

PS: regarding @PhoneBoy , yes he's someone with a really great knowledge about all CheckPoint things, but in contrast to god he is a real awesome person 😉

Tim_Spencer · ‎2020-05-15

@Wofgang thanks for your response. Such a shame everything I seem to do requires a non stateful failover! LOL I don't suppose adding an eval license to both firewalls before hand would help would it?

PS. LOL

Wolfgang · ‎2020-05-15

Adding the eval license changes nothing.

I found Graceful failover with CoreXL mismatch after a CoreXL license upgrade .

Looks like state sync is possible like the same procedure for upgrades with "cphacu". That's new for me, but interesting that a change like you do could be done without interruption.

Wolfgang

View solution in original post

Tim_Spencer · ‎2020-05-15

@Wolfgang. Bravo! I've been searching articles for days regarding license upgrade process. Thanks again.

Timothy_Hall · ‎2020-05-15

You can uncheck "Drop Out of State TCP" on the Stateful Inspection screen of Global Properties to help blunt the effects of a non-stateful failover. Be sure to recheck the box when all done!

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

PhoneBoy · ‎2020-05-15

I'm just some guy who's been doing Check Point stuff for...24 years. 😳

Advice on installing replacement licenses to double the number of licensed CORES on a FW cluster