- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- Can you upgrade to VSX ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you upgrade to VSX ?
Hello All,
I've never used VSX before, but have used ClusterXL. I've been tasked with bringing up a VSX cluster as we are consolidating licenses, and currently we are running physical open server installs of Gaia as a ClusterXL pair. Is there a way to convert this to VSX or is it solely from a clean install ?
I looked in the docs and the KB and either no-one has ever asked, or it's such a ridiculous question it does not need to be asked.
If the answer is no, I will have to find some new hardware.
Many thanks
Ian
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ibrown I recommend to start from scratch. We tried something similar and this ends up in a nightmare and endless debug sessions with TAC. After some discussions and a good migration plan we configured the VSX clusters from scratch, migrate the firewall instance and everything was fine. Without new hardware you‘ll need a longer maintenance schedule, with new hardware you can switch really smooth and fast. Be aware of the limitations of VSX. Have a look VSX supported features and check with your existing environment.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The installation instructions suggest that this is configured from a scratch install of the gateway itself:
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...
You might be able to do a vsx_util reconfigure AFTER resetting SIC on the gateways and creating the relevant objects in SmartConsole (the VSX specific objects) to reattach the gateways as VSX.
However, I have not tested this theory and would recommend setting this up in a lab (can use VMs for this) to verify it works.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree with Phoneboy, but to be 100% sure, if you cant set this up in the lab, maybe get an official TAC confirmation.
Kind regards,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Save yourself the trouble and do clean installation on new hardware.
Easiest way to justify this is that VSX will most likely requires somewhat diff physical design.
Small things like you need to have a VS0 and most likely u wanna have that on dedicated interfaces.
(maybe u wanna have a bit larger openservers aswell, when it comes to RAM, NICs)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree - stick to the tried and tested way, clean build, on new hardware ideally and ensure you plan, test in lab, and the deploy in live.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ibrown I recommend to start from scratch. We tried something similar and this ends up in a nightmare and endless debug sessions with TAC. After some discussions and a good migration plan we configured the VSX clusters from scratch, migrate the firewall instance and everything was fine. Without new hardware you‘ll need a longer maintenance schedule, with new hardware you can switch really smooth and fast. Be aware of the limitations of VSX. Have a look VSX supported features and check with your existing environment.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all. Not what I wanted to hear... but there you are.
I will do a test in some VMs but I suspect I will be begging for hardware.
Many thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know it may take more time, but will save you headache at the end.
Cheers,
Andy