We are in the process of a firewall migration activity, replacing 5800 gateways with 9400. Currently the 5800 is running R81 and the 9400 is out-of-box R81.20.
I want to know what the best approach for this activity would be.
Below is my approach; if anyone can validate it and guide me, that will be helpful.
1. Pre-configure the gateway with interfaces, routes and configuration the same as the old gateway.
2. In SmartConsole, delete the old member gateways from the existing cluster and add the new gateways, establish SIC, get interfaces and push policy.
Can anyone reply to this? To add to this: we have already created a new cluster with the new gateway and tested out the flow; now we will add this gateway to the production cluster.
That should do it. You might inspect the $FWDIR/boot/modules/fwkern.conf files to see if there are any relevant kernel parameter changes that were made in the old firewalls that you would still need in the new ones. See: Firewall Kernel Parameters
I also suggest using Prerequisites for Upgrading and Migrating of Security Gateways and Clusters - it includes a list of important files and folders
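An added example, not part of any post in this thread and not Check Point code: a small shell helper for the fwkern.conf check suggested above. It compares a copy of the old gateway's file with the new gateway's and lists parameters that are missing or different; the function names are hypothetical and the file contents are constructed sample data.

```bash
#!/bin/sh
# Added example: report fwkern.conf parameters set on the old gateway that are
# absent or different on the new one. Assumes "name=value" lines, '#' comments.

fwkern_diff() {   # $1 = copy from old gateway, $2 = copy from new gateway
    old=$1; new=$2
    # A freshly installed gateway may have no fwkern.conf yet: treat as empty.
    [ -f "$new" ] || new=/dev/null
    awk '
        function parse(line,   i) {
            sub(/#.*/, "", line)          # strip comments
            gsub(/[ \t\r]/, "", line)     # strip whitespace and stray CRs
            i = index(line, "=")
            if (i < 2) return 0           # blank or malformed line
            name = substr(line, 1, i - 1); val = substr(line, i + 1)
            return 1
        }
        !parse($0)           { next }
        side == "new"        { newval[name] = val; next }
        !(name in newval)    { printf "MISSING %s=%s\n", name, val; next }
        newval[name] != val  { printf "CHANGED %s old=%s new=%s\n", name, val, newval[name] }
    ' side=new "$new" side=old "$old"
}

fwkern_demo() {   # runs the comparison on constructed sample files
    dir=$(mktemp -d) || return 1
    cat > "$dir/old.conf" <<'EOF'
# constructed sample: old gateway
fwha_mac_magic=254
fw_allow_simultaneous_ping = 1
sample_param=0x10   # constructed name
EOF
    cat > "$dir/new.conf" <<'EOF'
# constructed sample: new gateway
fwha_mac_magic=250
sample_param=0x10
EOF
    fwkern_diff "$dir/old.conf" "$dir/new.conf"
    rm -rf "$dir"
}

fwkern_demo
```

Each MISSING or CHANGED line is a parameter to review before cutover, not one to copy blindly, since a tweak made for the old version or hardware may no longer apply.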
Just follow below. I must have done this at least 10 times, never an issue.
Andy
https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/69216#M5286
Hi, as per the guides I read, if our cluster is version R81: we removed the R81 gateways from the cluster and added the new R81.20 gateways, did SIC, pulled the network topology, and when we try to install policy the cluster object is not getting updated to R81.20. It's still showing the old R81 and the policy is failing, saying MVC error.
Are you saying you tried that and it failed or you plan to do it that way?
Andy
No, I tried it and it failed. I was not able to install policy after adding the new gateway to the cluster; it said MVC error. It seems like R81 does not support MVC.
MVC was supported as of R80.40
OK, but when we were trying to install the policy the cluster version was showing as R81; it was not getting updated and was saying version error, and the policy was failing. In SmartConsole, after adding the new gateways, I can see both the cluster and gateway objects with R81.20, but SmartConsole was still showing the old R81.
If you are allowed to do remote, I'm happy to check for you. I have 45 mins now.
Andy
You should be able to change the object version manually on the management side.
How to update it? Even TAC was on the call; they were trying to update the cluster object but were not able to, and we had to roll back as the downtime was limited.
I'm happy to try to assist if you allow remote... I'm in the EST time zone, so I'm sure we can figure something out, let me know.
Andy
Yes, that will be really helpful. Messaged you; let us know if we can connect once tomorrow.
Just responded.
I have followed this POA and it didn't work. My old cluster was on R81; we deleted the old gateway objects and added the new gateway objects, which are on R81.20, and tried to install policy. It failed saying cluster version mismatch, and the cluster object was showing the old R81; it was not getting updated to R81.20.
The version in the gateway/cluster objects needs to match the actual version installed on the gateway.
Did you install or upgrade to R81.20 on the relevant gateways?
I will do remote with @Sam472 tomorrow at 9.30 pm IST to see if we can sort this out, will update afterwards.
Andy
-remote with Sanil
-checked the config
-both mgmt and gateways are on R81.20
-discussed below:
https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/69216#M5286
-advised best way to do this is NOT create new cluster object, but rather modify existing one to new version and hardware model, copy config from show configuration if IPs will be the same
and then establish SIC, get interfaces without topology and install on first backup member, then do same for new one
provided Sanil with my info in case they need help, and also advised to turn on mvc by running cphaconf mvc on command from expert
Thanks everyone for the valuable inputs and special appreciation to @the_rock for assisting with a remote session to verify the setup
We have successfully completed the firewall migration activity with only 5 minutes of downtime during the second attempt.
🔧Challenges Faced & Our Approach:
1. Configuration Differences:
The bond interface details were different between the old and new gateways.
The old gateways were on R81, while the new ones were on R81.20.
2. First Cutover Attempt:
We removed the existing gateways from the cluster and added the new R81.20 gateways.
After fetching topology and entering VIP details, we attempted to push the policy.
The cluster object (still on R81) didn’t update properly after adding the new gateways and establishing SIC.
This caused policy installation to fail, leading us to roll back the activity.
3. Second Cutover Attempt:
We opted for a new cluster approach, considering the issues faced with the old R81 cluster.
Created a new cluster, pre-configured with:
- Gateway topology
- Static routes
- NAT rules
- Policy configuration
Successfully pushed policy to the new cluster.
🚀Final Cutover Steps:
Replaced the new cluster IP with the old IP (used as the default gateway behind Check Point).
Shut down old firewall and switch ports.
Enabled the new firewall ports.
Entered VIP details in SmartConsole in new cluster
Pushed the policy — everything worked smoothly.
GREAT job @Sam472