This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JozkoMrkvicka
Authority
Authority
‎2018-10-22 01:41 PM
Jump to solution

Changing of External interface

Hello mates,

We have 1 cluster where we need to change physical cabling of External Interface on both members of cluster. IPs and netmask will be exactly the same for both members and cluster. The only thing what will be changed from FW point of view is physical interface.

Currently we have External interface eth4 and we need to change it to eth2. 

I need to change Topology in Dashboard, set IP on eth2, delete IP from eth4, change management interface and push the policy.

Default route will be the same.

Is there any way how to do it without outage? We have dozens of VPNs established via External interface.

If I will do the job with IPs on Standby member only, modify Topology and push the firewall... how will cluster react? It will push the policy on both members or only on Standby ?

We are running R77.30.

Kind regards,
Jozko Mrkvicka
0 Kudos
1 Solution

Accepted Solutions
JozkoMrkvicka
Authority
Authority
‎2018-10-22 02:22 PM
In response to PhoneBoy
Jump to solution

something just come to my mind - what about to add both eth4 and eth2 as bond interface? Not sure if this will work as on the other side there will be no LACP configured.

Another very elegant solution would be just to move cable on the other site (from old router) to another router (the new one). In fact this will be outage tollerant as this can be one on standby member and once done, we can also test the connectivity from standby member to the world. After all is green on standby member, just do failover and repeat for another member.

Kind regards,
Jozko Mrkvicka

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2018-10-22 02:07 PM
Jump to solution

Generally speaking when you push policy, it happens to all members of the cluster.

There is an option not to do this, but I'm pretty sure you'd have to take the cluster member offline to prevent the policy from being pushed to the other member.

What you are describing is going to be fairly disruptive no matter how you do it.

Even if someone here has a procedure to accomplish this with minimal disruption, I would still not do it outside of an outage window.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-10-22 02:22 PM
In response to PhoneBoy
Jump to solution

something just come to my mind - what about to add both eth4 and eth2 as bond interface? Not sure if this will work as on the other side there will be no LACP configured.

Another very elegant solution would be just to move cable on the other site (from old router) to another router (the new one). In fact this will be outage tollerant as this can be one on standby member and once done, we can also test the connectivity from standby member to the world. After all is green on standby member, just do failover and repeat for another member.

Kind regards,
Jozko Mrkvicka
0 Kudos
Roman_Niewiado1
Contributor
‎2018-10-23 08:05 AM
In response to JozkoMrkvicka
Jump to solution

Dont forget to set the new interface as external, because of anti-spoofing.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events