Solved: Re: Create ClusterXL from Single Firewall - Step

MtxMan · ‎2022-11-17

Hi Checkmates,

i have an use case in my customer environment, so currently they use 5200 single for Perimeter and External firewall + smart-1 410.

and in this month, they will buy a new 2 firewall using 6200 for perimeter. so 5200 would use as clusterXL for external firewall.

does anyone has idea in the easiest way how to create clusterxl on 5200 when running single firewall at beginning? do i need to scratch/fresh install to do that? thanks!

the_rock · ‎2022-11-18

Hey @MtxMan ,

As promised in my last reply, Im sending you steps TAC gave me almost 2 years ago when customer needed this done. Since it does not let me attach a file here, I pasted the actual link he sent us a reference (Version is R80.30, as thats what customer was on back then, but Im positive process is exactly the same for any version)

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr...

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p... (same doc, just in pdf format)

Below is exactly what TAC guy sent us and we followed it and worked fine. Its pretty much boils what @PhoneBoy described in layman terms.

Andy

Process:

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall.

Basically here are the steps:

Install and configure the new cluster member. (Computer B)

make sure that the new firewall can talk to the old firewall and vice versa.
Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.

In the policy, remove any references to the old firewall.
Create a new cluster object in SmartConsole.

Configure the interfaces, Antispoofing, Office mode etc.

The cluster VIP will be the old firewall local IP

Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.

Establish SIC
Get interface without topology
Define a Sync interface

Install the policy on the cluster currently including member B only.
On the old firewall.

Disconnect all proposed cluster and Synchronization interfaces. New connections now open
through the cluster, instead of through computer 'A'.
Change the addresses of these interfaces to some other unique IP address which is on the
same subnet as computer B.
Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or
Security Gateways previously connected to the Security Gateway must now be connected to
both members, using a hub/switch.

Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
In the Cluster Members page, click Add and select "Add Security Gateway to Cluster"

Select the old firewall
In the "Edit Topology" page, determine the interface type.

Configure the Policy base. (VPN domain, rule base, NAT if needed)
Install the policy.

Best,
Andy

View solution in original post

the_rock · ‎2022-11-17

I believe below is an official process:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

Best,
Andy

PhoneBoy · ‎2022-11-17

Sounds like they already have external management.
You build the second gateway object, then create the cluster using the two existing gateways.
If you want to make the ClusterXL VIPs use the same IPs as the first gateway, then you should probably change it before creating the cluster object.

_Val_ · ‎2022-11-18

Nope, this one is to break StandAlone config and make it a distributed implementation. The topic starter is asking about how to replace a single GW with a cluster.

the_rock · ‎2022-11-18

Yup, my bad. I think what @PhoneBoy wrote makes sense. I will see if I can find what TAC guy gave me last year for that for a customer who wanted to do the same.

Best,
Andy

Chris_Atkinson · ‎2022-11-17

If the firewall is changing role from external / internal this sounds like it would require changes & down time - what is the concern about starting from scratch here?

CCSM R77/R80/ELITE

the_rock · ‎2022-11-18

Hey @MtxMan ,

As promised in my last reply, Im sending you steps TAC gave me almost 2 years ago when customer needed this done. Since it does not let me attach a file here, I pasted the actual link he sent us a reference (Version is R80.30, as thats what customer was on back then, but Im positive process is exactly the same for any version)

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr...

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p... (same doc, just in pdf format)

Below is exactly what TAC guy sent us and we followed it and worked fine. Its pretty much boils what @PhoneBoy described in layman terms.

Andy

Process:

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall.

Basically here are the steps:

Install and configure the new cluster member. (Computer B)

make sure that the new firewall can talk to the old firewall and vice versa.
Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.

In the policy, remove any references to the old firewall.
Create a new cluster object in SmartConsole.

Configure the interfaces, Antispoofing, Office mode etc.

The cluster VIP will be the old firewall local IP

Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.

Establish SIC
Get interface without topology
Define a Sync interface

Install the policy on the cluster currently including member B only.
On the old firewall.

Disconnect all proposed cluster and Synchronization interfaces. New connections now open
through the cluster, instead of through computer 'A'.
Change the addresses of these interfaces to some other unique IP address which is on the
same subnet as computer B.
Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or
Security Gateways previously connected to the Security Gateway must now be connected to
both members, using a hub/switch.

Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
In the Cluster Members page, click Add and select "Add Security Gateway to Cluster"

Select the old firewall
In the "Edit Topology" page, determine the interface type.

Configure the Policy base. (VPN domain, rule base, NAT if needed)
Install the policy.

Best,
Andy

Are you a member of CheckMates?

Create ClusterXL from Single Firewall - Step