This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Geovanny_Haro
Explorer
‎2020-10-22 08:22 AM

Converting a Security Gateway to a ClusterXL

Hi all.

What are the best practices for converting a Security Gateway to a ClusterXL en HA?

There is a guide in  ClusterXL Administration Guide, the steps are the following:

-Install a new Security Gateway. Use the standard procedure to create a new Cluster Member. Different IP from old fw.
-In SmartConsole, create a new cluster object. Configuration same as old fw. In topology, virtual IP would be the same address of original fw.
-Replace old fw object with new cluster object in policy rules, VPNs, etc.
-In the Cluster Members page, click Add > Add Existing Gateway. Select the newly installed Security gateway as cluster member and define topology.
-Then Install policy.

-In old fw, change the IP addresses of interfaces
-In the Cluster Members page, click Add > Add Existing Gateway. Select the old Security gateway as cluster member and define topology.
-Then Install policy.

What happens to VPNs?  Should i define a different Office Mode network in the new cluster object? If there is a VTI numbered VPN to AWS, could I configure any address in the field "Local Address" 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-10-24 04:47 PM

Are the VPN endpoints managed by the same management, third party, or?
There will be different certificates used for the cluster but they would be signed by the same CA.
Assuming the cluster IP is the same as the original gateway, the remote end probably won’t need a configuration change.
That said, the change is likely to be disruptive to the VPN due to the policy install, so it should be done during an appropriate maintenance window. 

0 Kudos
Geovanny_Haro
Explorer
‎2020-10-26 09:37 PM
In response to PhoneBoy

Yes, VPN endpoints are managed by the same security management. Remote access users IP addressess are assigned following file configuration $FWDIR/conf/ipassignment.conf, so first column is updated to new cluster object name.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events