This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JoSec
Collaborator
2 weeks ago

Hardware Migration Procedure

We are migrating to a clustered pair of 15600 appliances with R81.10 to a clustered pair of 19100 appliances with R81.20. We followed a procedure of setting up the 19100s in a lab with an SMS server that had the production SMS database imported and we configure the appliances, pushed policy, did extensive testing such as failover, mock traffic to test internal and external access to make sure the config was correct and then did a cutover from the old to new appliances. On the night of the cutover, we ran into an issue for the first time ever following the above procedure which was that some updateable objects used in our policy were not processing traffic and management wants us to follow a different procedure since we had to fall back and they do not want this issue to happen again.

 

New Procedure (The appliances will be reset and configured)

  • Shutdown standby 15600 appliance.
  • Power 19100 standby appliance with the same config as the standby member that was powered off. Gaia preconfigured with routes, DNS, etc., CPUSE updated manually and patched manually.
  • Establish SIC, change cluster version in management , get cluster topology and push policy to 19100 gateways.
  • Test connectivity from standby by following the procedures below.
  • Verify logging to management
  • Ping external and internal hosts.
  • Verify updates to blades.
  • Verify license status has been updated.
  • Verify updateable object database is up to date.
  • Follow the above procedure for the second 19100. See questions below.

Any issues with the above procedure or anything to add or change? I would like to the failover to the standby 19100, run our complete connectivity tests before I power down the last 15600 and bring up the second 19100. Would I just run cphastop, cpstop or clusuterXL_admin down on the active 15600? Also, I will do a "get interfaces without topology" but will I run into an issue with different appliances defined in the same cluster? Thanks

5 Replies
the_rock
MVP Platinum
MVP Platinum
2 weeks ago

This is process I followed many times, never had an issue.

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Best,
Andy
JoSec
Collaborator
2 weeks ago
In response to the_rock

In regard to failover from the old primary appliance to the new appliance, there may be a preference for not powering it down until we validate the new appliance with extensive testing after the failover. Therefore, should I do a cpstop or will cphastop work to force new appliance from standby to primary instead of shutting down the old appliance.

0 Kudos
Vincent_Bacher
Leader Leader
Leader
2 weeks ago
In response to JoSec

You may shutdown the switch ports.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
AttiqRahman786
Contributor
Contributor
a week ago
In response to JoSec

you might have to use MVC (Multi-Version Cluster) in the guide it is to be used when the Gaia versions are different. in your case the hardware is also different. but I have tested it with different hardware as well. You might want to use the mvc command on the 19k appliance and see if the cluster is back online after the policy is pushed and the topology is fetched. this way you will have active/standby and no downtime when failing over to new member. 
otherwise you will have to shutdown the switch ports which will involve a small downtime. but if any issues on the new member, then it will take time to bring the old one back up.

I would suggest go with the same version on the 19k as well and upgrade once everything is stable, just to be on the safe side.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
a week ago
In response to AttiqRahman786

Thats recommended way, for sure.

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events