Darina2019
Participant

Change External Interface from 1G to 10G

Hello Mates,

I have a challenging question for all of you and hope you can help with advice on the proper plan.

My case is that I have a three-gateway cluster, and I need to change their external interface from one physical interface to another: currently it is on 1G, and I need to move it to 10G. All the IP addresses on the interfaces of all three gateways should stay the same; I just have to move the IPs to another physical interface. The issue is that my Management Server, part of the MDS environment, is located in another location, and the only connectivity to the MDS (other location) is via VPN from the location where I am doing the pre-configuration. As this is the external interface (public IPs / peer for that site), once I attempt to shut down and remove the IPs from the current external interface, this will disconnect all the VPNs, as the VIP of that external interface is the peer for each VPN tunnel, so I will bring down my connection to the MDS/CMA (Management).

So my question is: is there an easy way on the gateway level that I can simply change the IP via command line / interface file, without the need to "get interfaces with topology" on the Management? If not, what is the best plan that you can suggest?

The eventual plan which comes to my mind is:

1. Configure the new interface with the same IPs as the other, with state down (if Gaia allows this; as far as I know, the same IPs with the same netmask will not be allowed to be configured).
2. Shut down the old interfaces. This way I will lose the VIP on the external interface and my VPN connection will be down...
3. Set the new interfaces UP, but without the Management Server (CMA/MDS) it will not be possible to point via SmartConsole which is the VIP IP (same old IP, re-used), so as to push policy and finish the pre-configuration....

This is all that comes to my mind, but it looks like I am not on the right way, so I am looking for your kind advice.

Could you please share your suggestion and a better approach for that case?

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion

If you have an Open Server, there is an easy way.

Replace the PCI bus IDs between the 10 GBit and 1 GBit interfaces in the file "/etc/udev/rules.d/00-OS-XX.rules".

[Image: udef_change.jpg]
For example, if eth0 is a 1G interface and eth3 is a 10G interface, you only need to change the interface PCI bus ID.

After that you just have to reboot the gateway.

If it is an appliance, this hack will not work.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
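The swap described above, as an added example that is not part of the post or of Check Point's own tooling: a small POSIX shell script that exchanges the PCI bus IDs bound to two interface names in a udev persistent-net rules file, keeps a backup, and refuses to write a file in which two names would end up on the same bus ID. It assumes the rules file uses the standard udev persistent-net form (one rule per line with `KERNELS=="<pci id>"` and `NAME="<ifname>"`); the sample rules, bus IDs and file path in the demo are constructed for this example, while the real file on an Open Server is the one the post names, /etc/udev/rules.d/00-OS-XX.rules.

```shell
#!/bin/sh
# Added example, not from the thread: swap the PCI bus IDs that a udev
# persistent-net rules file binds to two interface names, so that after a
# reboot the name the firewall topology already knows (e.g. eth0) follows
# the 10G NIC instead of the 1G NIC.
# Assumptions: one rule per line containing KERNELS=="<pci id>" and
# NAME="<ifname>". The sample rules below are constructed for this demo.

# Print the PCI bus ID bound to an interface name: pci_of FILE IFNAME
pci_of() {
    grep "NAME=\"$2\"" "$1" | sed -n 's/.*KERNELS=="\([^"]*\)".*/\1/p'
}

# Succeed only if every rule has a distinct PCI bus ID (two names on one
# bus ID would leave an interface without its expected name at boot).
check_unique() {
    dups=$(sed -n 's/.*KERNELS=="\([^"]*\)".*/\1/p' "$1" | sort | uniq -d)
    [ -z "$dups" ]
}

# Swap the PCI bus IDs of two interface names in place: swap_pci_ids FILE A B
# Keeps a backup at FILE.bak and does not touch the file unless both names
# are present.
swap_pci_ids() {
    rules=$1; a=$2; b=$3
    pa=$(pci_of "$rules" "$a")
    pb=$(pci_of "$rules" "$b")
    if [ -z "$pa" ] || [ -z "$pb" ]; then
        echo "swap_pci_ids: $a or $b not found in $rules" >&2
        return 1
    fi
    cp "$rules" "$rules.bak"
    # The first expression only touches A's line and the second only B's
    # line, so the two substitutions cannot undo each other.
    sed -e "/NAME=\"$a\"/s/KERNELS==\"$pa\"/KERNELS==\"$pb\"/" \
        -e "/NAME=\"$b\"/s/KERNELS==\"$pb\"/KERNELS==\"$pa\"/" \
        "$rules" > "$rules.new" && mv "$rules.new" "$rules"
    check_unique "$rules"
}

# Write a constructed sample rules file and print its path.
make_demo_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", KERNELS=="0000:02:00.0", NAME="eth0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", KERNELS=="0000:02:00.1", NAME="eth1"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", KERNELS=="0000:05:00.0", NAME="eth3"
EOF
    echo "$f"
}

# Demo: eth0 (1G, bus 0000:02:00.0) swaps bus IDs with eth3 (10G, 0000:05:00.0),
# mirroring the eth0/eth3 case in the post.
demo=$(make_demo_rules)
swap_pci_ids "$demo" eth0 eth3
echo "eth0 is now bound to $(pci_of "$demo" eth0)"   # 0000:05:00.0
echo "eth3 is now bound to $(pci_of "$demo" eth3)"   # 0000:02:00.0
```

Before running this against the real rules file, confirm which bus ID belongs to which NIC with `ethtool -i <ifname>` (the bus-info line), and keep the .bak copy until the gateway has rebooted and come up with eth0 on the 10G port. Because the name the firewall sees does not change, the topology on the Management does not need to be re-fetched, which is the point of the post; as the post also says, this only applies to Open Servers, not appliances.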


7 Replies
_Val_
Admin

You need out-of-band access to your MGMT servers to complete the operation. There is no way around it here.

Bob_Zimmerman
Authority

Related to this, you may want to consider changing the external interface to a bond. Even if you don't add more than one interface, bonds abstract your logical interfaces (with the IP addresses) away from the physical hardware underpinning them. They make this kind of move much easier.

K_montalvo
Advisor

@Bob_Zimmerman That's a good idea, but the thing is he's trying to change from a 1G to a 10G port, and I'm not sure if you can bond those interfaces with different physical duplexing, and I assumed on 10G he's going to be using SFP instead of Ethernet. So I would go as @_Val_ said: confirm an out-of-band connection in order to work with the MGMT.

Bob_Zimmerman
Authority

You can. I've done it before to deal with this exact scenario.

The firewall application cares very deeply about the names of the interfaces you give it. This is why you have to update the topology table when you move an IP from a 1g to a 10g interface. Same thing if you move it from a 1g interface to a bond.

However, once the firewall application knows about, e.g., bond0, it doesn't care which physical interfaces make up bond0, or even how the bond is set up. I recommend using bonds for everything possible for this reason.

the_rock
Legend

Hey brother,

@Bob_Zimmerman is correct as well. In some cases, you are right, it might not be optimal, but it works for sure. I have done it on Fortinet and CP before and never had an issue. You can mix 1G and 10G interfaces in a bond and it works really well.

the_rock
Legend

@_Val_ is absolutely right... I don't see any other way myself either.
