MtxMan
Contributor
Create ClusterXL from Single Firewall - Step

Hi Checkmates,

I have a use case in my customer environment: currently they use a single 5200 for the perimeter and external firewall + a Smart-1 410.

This month they will buy two new 6200 firewalls for the perimeter, so the 5200 would be used as a ClusterXL for the external firewall.

Does anyone have an idea of the easiest way to create ClusterXL on the 5200 when it is running as a single firewall at the beginning? Do I need to do a scratch/fresh install to do that? Thanks!


Accepted Solutions
the_rock
Legend

Hey @MtxMan ,

As promised in my last reply, I'm sending you the steps TAC gave me almost 2 years ago when a customer needed this done. Since it does not let me attach a file here, I pasted the actual link he sent us as a reference (the version is R80.30, as that's what the customer was on back then, but I'm positive the process is exactly the same for any version).

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr...

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p...  (same doc, just in pdf format)

Below is exactly what the TAC guy sent us; we followed it and it worked fine. It pretty much boils down to what @PhoneBoy described, in layman's terms.

Andy

Process:

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall. 

Basically here are the steps: 

  1. Install and configure the new cluster member (Computer B).
    1. Make sure that the new firewall can talk to the old firewall and vice versa.
    2. Configure the local configuration such as authentication server, hostname, static routes, dynamic routes etc.
  2. In the policy, remove any references to the old firewall.
  3. Create a new cluster object in SmartConsole.
    1. Configure the interfaces, Anti-Spoofing, Office Mode etc.
      • The cluster VIP will be the old firewall's local IP.
  4. Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.
    1. Establish SIC.
    2. Get interfaces without topology.
    3. Define a Sync interface.
  5. Install the policy on the cluster, currently including member B only.
  6. On the old firewall:
    1. Disconnect all proposed cluster and Synchronization interfaces. New connections now open through the cluster, instead of through computer 'A'.
    2. Change the addresses of these interfaces to some other unique IP address which is on the same subnet as computer B.
    3. Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or Security Gateways previously connected to the Security Gateway must now be connected to both members, using a hub/switch.
  7. Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
  8. In the Cluster Members page, click Add and select "Add Security Gateway to Cluster".
    1. Select the old firewall.
    2. In the "Edit Topology" page, determine the interface type.
  9. Configure the Policy base (VPN domain, rule base, NAT if needed).
  10. Install the policy.

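The addressing rules buried in steps 3, 4 and 6 above (the cluster VIP on each interface is the old gateway's current IP, each member needs its own unique address in the same subnet, and the sync link must be a dedicated network) are where conversions usually go wrong, and a mistake there means a split-brain or an Anti-Spoofing drop rather than a clean cutover. The script below is an added example, not Check Point code and not part of the TAC procedure: it checks a planned address layout against those rules before anyone touches a gateway, and renders the Gaia clish commands for re-addressing the old firewall (step 6.2). Interface names, addresses and prefixes in the sample plan are constructed; the clish `set interface ... ipv4-address ... mask-length ...` syntax is assumed to match your Gaia version, so verify it on a lab box first.

```python
"""Sanity-check a ClusterXL addressing plan before the cutover (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterIface:
    name: str        # interface name, assumed identical on both members (e.g. eth1)
    vip: str         # cluster virtual IP = old firewall's current address
    member_a: str    # new unique address for the old firewall (computer A)
    member_b: str    # address already configured on the new firewall (computer B)
    prefix: int      # mask length shared by VIP and both members


@dataclass(frozen=True)
class SyncIface:
    name: str        # dedicated sync interface, no VIP
    member_a: str
    member_b: str
    prefix: int


def _net(addr: str, prefix: int) -> ipaddress.IPv4Network:
    """Subnet that contains addr (strict=False keeps host bits)."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def validate_plan(ifaces, sync):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen = {}   # address -> where it is used, to catch reuse across the whole plan
    nets = []   # (iface name, data subnet) for overlap checks

    def use(addr, where):
        if addr in seen:
            problems.append(f"{where}: address {addr} already used by {seen[addr]}")
        seen[addr] = where

    for i in ifaces:
        net = _net(i.vip, i.prefix)
        # Both members must sit in the VIP's subnet (step 6.2: "same subnet as computer B").
        for label, addr in (("member A", i.member_a), ("member B", i.member_b)):
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"{i.name}: {label} address {addr} is not in VIP subnet {net}")
        # VIP, member A and member B must be three distinct addresses.
        use(i.vip, f"{i.name} VIP")
        use(i.member_a, f"{i.name} member A")
        use(i.member_b, f"{i.name} member B")
        nets.append((i.name, net))

    # Sync: both ends on one subnet, and that subnet must not overlap any data network.
    snet = _net(sync.member_a, sync.prefix)
    if ipaddress.ip_address(sync.member_b) not in snet:
        problems.append(f"{sync.name}: member B sync address {sync.member_b} is not in {snet}")
    use(sync.member_a, f"{sync.name} member A")
    use(sync.member_b, f"{sync.name} member B")
    for name, net in nets:
        if snet.overlaps(net):
            problems.append(f"{sync.name}: sync network {snet} overlaps data network {net} on {name}")

    # Data networks on different interfaces must not overlap (Anti-Spoofing topology).
    for idx, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[idx + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{n1} and {n2}: data networks {net1} and {net2} overlap")
    return problems


def render_member_a_commands(ifaces, sync):
    """Gaia clish lines to re-address the old firewall (step 6.2); syntax assumed, verify on your version."""
    cmds = [f"set interface {i.name} ipv4-address {i.member_a} mask-length {i.prefix}" for i in ifaces]
    cmds.append(f"set interface {sync.name} ipv4-address {sync.member_a} mask-length {sync.prefix}")
    cmds.append("save config")
    return cmds


# Constructed sample plan using documentation ranges (RFC 5737), not real customer addresses.
SAMPLE_IFACES = [
    ClusterIface("eth0", vip="192.0.2.1", member_a="192.0.2.2", member_b="192.0.2.3", prefix=24),
    ClusterIface("eth1", vip="198.51.100.1", member_a="198.51.100.2", member_b="198.51.100.3", prefix=24),
]
SAMPLE_SYNC = SyncIface("eth2", member_a="10.255.255.1", member_b="10.255.255.2", prefix=30)

if __name__ == "__main__":
    issues = validate_plan(SAMPLE_IFACES, SAMPLE_SYNC)
    print("plan OK" if not issues else "\n".join(issues))
    print("\n".join(render_member_a_commands(SAMPLE_IFACES, SAMPLE_SYNC)))
```

Run it against your own plan before step 6; the common failure it catches is leaving the old firewall's original IP on the interface as "member A" while also using it as the VIP, which gives you a duplicate address the moment the cluster member comes up.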
6 Replies
PhoneBoy
Admin

Sounds like they already have external management.
You build the second gateway object, then create the cluster using the two existing gateways.
If you want to make the ClusterXL VIPs use the same IPs as the first gateway, then you should probably change it before creating the cluster object.

_Val_
Admin

Nope, this one is to break StandAlone config and make it a distributed implementation. The topic starter is asking about how to replace a single GW with a cluster.

the_rock
Legend

Yup, my bad. I think what @PhoneBoy wrote makes sense. I will see if I can find what TAC guy gave me last year for that for a customer who wanted to do the same.

Chris_Atkinson
Employee

If the firewall is changing role from external / internal this sounds like it would require changes & down time - what is the concern about starting from scratch here?

CCSM R77/R80/ELITE