This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MtxMan
Contributor
‎2022-11-17 08:38 AM
Jump to solution

Create ClusterXL from Single Firewall - Step

Hi Checkmates,

i have an use case in my customer environment, so currently they use 5200 single for Perimeter and External firewall + smart-1 410.

and in this month, they will buy a new 2 firewall using 6200 for perimeter. so 5200 would use as clusterXL for external firewall.

 

does anyone has idea in the easiest way how to create clusterxl on 5200 when running single firewall at beginning? do i need to scratch/fresh install to do that? thanks!

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2022-11-18 05:03 AM
Jump to solution

Hey @MtxMan ,

As promised in my last reply, Im sending you steps TAC gave me almost 2 years ago when customer needed this done. Since it does not let me attach a file here, I pasted the actual link he sent us a reference (Version is R80.30, as thats what customer was on back then, but Im positive process is exactly the same for any version)

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr...

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p...  (same doc, just in pdf format)

Below is exactly what TAC guy sent us and we followed it and worked fine. Its pretty much boils what @PhoneBoy described in layman terms.

Andy

Process:

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall. 

Basically here are the steps: 

  1. Install and configure the new cluster member. (Computer B)
    1. make sure that the new firewall can talk to the old firewall and vice versa. 
    2. Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.
  2. In the policy, remove any references to the old firewall.
  3. Create a new cluster object in SmartConsole.
    1. Configure the interfaces, Antispoofing, Office mode etc. 
      • The cluster VIP will be the old firewall local IP
  4. Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.
    1. Establish SIC
    2. Get interface without topology 
    3. Define a Sync interface 
  5. Install the policy on the cluster currently including member B only. 
  6. On the old firewall. 
    1. Disconnect all proposed cluster and Synchronization interfaces. New connections now open
      through the cluster, instead of through computer 'A'.
    2. Change the addresses of these interfaces to some other unique IP address which is on the
      same subnet as computer B.
    3. Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or
      Security Gateways previously connected to the Security Gateway must now be connected to
      both members, using a hub/switch.
  7. Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
  8. In the Cluster Members page, click Add and select "Add Security Gateway to Cluster" 
    1. Select the old firewall 
    2. In the "Edit Topology" page, determine the interface type. 
  9. Configure the Policy base. (VPN domain, rule base, NAT if needed)
  10. Install the policy. 

View solution in original post

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2022-11-17 09:55 AM
Jump to solution

I believe below is an official process:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-17 03:49 PM
In response to the_rock
Jump to solution

Sounds like they already have external management.
You build the second gateway object, then create the cluster using the two existing gateways.
If you want to make the ClusterXL VIPs use the same IPs as the first gateway, then you should probably change it before creating the cluster object.

_Val_
Admin
Admin
‎2022-11-18 12:06 AM
In response to the_rock
Jump to solution

Nope, this one is to break StandAlone config and make it a distributed implementation. The topic starter is asking about how to replace a single GW with a cluster.

the_rock
Legend
Legend
‎2022-11-18 12:35 AM
In response to _Val_
Jump to solution

Yup, my bad. I think what @PhoneBoy wrote makes sense. I will see if I can find what TAC guy gave me last year for that for a customer who wanted to do the same.

Chris_Atkinson
Employee Employee
Employee
‎2022-11-17 03:55 PM
Jump to solution

If the firewall is changing role from external / internal this sounds like it would require changes & down time - what is the concern about starting from scratch here?

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2022-11-18 05:03 AM
Jump to solution

Hey @MtxMan ,

As promised in my last reply, Im sending you steps TAC gave me almost 2 years ago when customer needed this done. Since it does not let me attach a file here, I pasted the actual link he sent us a reference (Version is R80.30, as thats what customer was on back then, but Im positive process is exactly the same for any version)

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr...

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p...  (same doc, just in pdf format)

Below is exactly what TAC guy sent us and we followed it and worked fine. Its pretty much boils what @PhoneBoy described in layman terms.

Andy

Process:

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall. 

Basically here are the steps: 

  1. Install and configure the new cluster member. (Computer B)
    1. make sure that the new firewall can talk to the old firewall and vice versa. 
    2. Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.
  2. In the policy, remove any references to the old firewall.
  3. Create a new cluster object in SmartConsole.
    1. Configure the interfaces, Antispoofing, Office mode etc. 
      • The cluster VIP will be the old firewall local IP
  4. Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.
    1. Establish SIC
    2. Get interface without topology 
    3. Define a Sync interface 
  5. Install the policy on the cluster currently including member B only. 
  6. On the old firewall. 
    1. Disconnect all proposed cluster and Synchronization interfaces. New connections now open
      through the cluster, instead of through computer 'A'.
    2. Change the addresses of these interfaces to some other unique IP address which is on the
      same subnet as computer B.
    3. Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or
      Security Gateways previously connected to the Security Gateway must now be connected to
      both members, using a hub/switch.
  7. Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
  8. In the Cluster Members page, click Add and select "Add Security Gateway to Cluster" 
    1. Select the old firewall 
    2. In the "Edit Topology" page, determine the interface type. 
  9. Configure the Policy base. (VPN domain, rule base, NAT if needed)
  10. Install the policy. 
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events