This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Tim_Spencer
Contributor
‎2020-05-13 08:09 AM

Advice on installing replacement licenses to double the number of licensed CORES on a FW cluster

Jump to solution

Hey everyone, hope you are all well.

Background for this query is we have a clustered Active/Passive pair of R0.30 firewalls currently Centrally managed for 4CPUs.

We have already been to CheckPoint and traded the 4 Core licenses in for replacement 8 Core licenses. 

I now need to get round to adding the new licenses to the Manager and applying it cluster. I need to make sure the firewalls continue to process traffic when applying the new licenses.

I'm not clear whether any rebooting is required to get the firewalls to light up the new cores?

I am guessing that it will allow me to apply the 8 core licenses along side the 4 core licensed and then will just spawn some additional fw_workers straight away. I can then safely remove the old 4 core license?

But its only a guess!

Can anyone advise?

Many thanks

Tim

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Leader
Leader
‎2020-05-15 01:28 AM
In response to Tim_Spencer

Jump to solution

Adding the eval license changes nothing.

I found  Graceful failover with CoreXL mismatch after a CoreXL license upgrade .

Looks like state sync is possible like the same procedure for upgrades with "cphacu". That's new for me, but interesting that a change like  you do could be done without interruption.

Wolfgang

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2020-05-14 10:57 AM

Jump to solution
Any change to the number of licensed cores requires a reboot to take effect.
This is indicated whenever a new license is applied and the number of licensed cores changes.

I don't believe it will impact traffic to apply the license.
However, I highly recommend performing this activity during a maintenance window.
Tim_Spencer
Contributor
‎2020-05-15 12:46 AM
In response to PhoneBoy

Jump to solution
Thanks for the response. Given this is a cluster would you expect me to be able to apply the licenses and then reboot one half of the cluster and then seamlessly fail the cluster over to reboot the other half or do you think it will drop the connections table during the failover.

(PS. I feel like I'm talking to the God of CheckPoint! I've have been following your advise for years!)
0 Kudos
Wolfgang
Leader
Leader
‎2020-05-15 12:57 AM
In response to Tim_Spencer

Jump to solution

@Tim_Spencer you lost your connections, because state synchronization between the nodes does not work if they have a different count of cores. You can change add the new licenses, change the cores and then reboot one by one. But be aware of the small gap.

Cluster will be failover but no state synchronization.

Wolfgang

PS: regarding @PhoneBoy , yes he's someone with a really great knowledge about all CheckPoint things, but in contrast to god he is a real awesome person 😉

0 Kudos
Tim_Spencer
Contributor
‎2020-05-15 01:05 AM
In response to Wolfgang

Jump to solution
@Wofgang thanks for your response. Such a shame everything I seem to do requires a non stateful failover! LOL I don't suppose adding an eval license to both firewalls before hand would help would it?

PS. LOL
0 Kudos
Wolfgang
Leader
Leader
‎2020-05-15 01:28 AM
In response to Tim_Spencer

Jump to solution

Adding the eval license changes nothing.

I found  Graceful failover with CoreXL mismatch after a CoreXL license upgrade .

Looks like state sync is possible like the same procedure for upgrades with "cphacu". That's new for me, but interesting that a change like  you do could be done without interruption.

Wolfgang

View solution in original post

Tim_Spencer
Contributor
‎2020-05-15 01:30 AM
In response to Wolfgang

Jump to solution
@Wolfgang. Bravo! I've been searching articles for days regarding license upgrade process. Thanks again.
0 Kudos
Timothy_Hall
Champion
Champion
‎2020-05-15 05:59 AM
In response to Tim_Spencer

Jump to solution

You can uncheck "Drop Out of State TCP" on the Stateful Inspection screen of Global Properties to help blunt the effects of a non-stateful failover.  Be sure to recheck the box when all done!

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-15 12:46 PM
In response to Wolfgang

Jump to solution
I'm just some guy who's been doing Check Point stuff for...24 years. 😳