This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2025-01-06 06:19 AM
Jump to solution

Interface cleanup before migrating to new appliances

Good morning and Happy New Year!

We are currently running a (2) node R81.20 cluster - (active / standby) on a pair of 5100 appliances.

We are going to migrate our exact configuration / rule sets to a new pair of 9100s following the below post:

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/69251#M5294

 

Before I do the migration, I'd like to cleanup the interfaces on my existing 5100s so I can build out the new appliances with the updated/correct interfaces.

For instance, my eth1 and eth2 had been used for my two external ISP connections. 

We configured a third ISP to replace the ISP on eth2.  Due to port constraints, we configured this third ISP interface on the interface labeled as "Mgmt".

Our actual interface that we use for management is eth4 - one of our internal LAN interfaces.

We re-configured ISP Redundancy to use interfaces eth1 (Primary) and Mgmt (Backup).  (This works as it should).

We have since turned off the service for the old ISP that was on eth2, but the "cable" is still connected to the eth2 port.  The "Link Status" is "Down" on both cluster nodes.

 

See below screenshot of one of my 5100 cluster nodes:

Screenshot 2025-01-06 085929.jpg

 

Before I build out the new 9100s, I'd like to delete the "Old ISP" from the eth2 interface and move my new  Backup ISP interface currently on Mgmt to eth2.

Then when I configure my new 9100s, I can start with the "cleaned up" interfaces configuration.

 

How best to go about this?

I'm guessing step 1 is reconfigure the interfaces on the "Standby" node first.  Make all the changes in the Gaia portal.

After this step I'm not sure how best to proceed...

Thanks guys!

 

Edit - 

Thank you both Andy and Akos for your assistance!

0 Kudos
2 Solutions

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2025-01-06 07:06 AM
Jump to solution

Hey brother,

I would definitely remove backup interfaces first, save, then master, save, update topology in smart console (interfaces WITHOUT topology that is).

Take backups first!

Andy

Best,
Andy

View solution in original post

(1)
AkosBakos
MVP Silver
MVP Silver
‎2025-01-06 07:26 AM
Jump to solution

Hi!

First I suggest you to do it in smaller eg. in a LAB environment. Thats gives you confidence.

If I understood correct (from a little pieces of info)

Q: Before I build out the new 9100s, I'd like to delete the "Old ISP" from the eth2 interface and move my new  Backup ISP interface currently on Mgmt to eth2.

Here is the exact steps how to add or remove Interface from a Cluster.

https://support.checkpoint.com/results/sk/sk57100

  1. put the standby member to down
  2. You need to remove the ClusterIP-s first -> to achieve this delete the IF in the SmartConsole -> then policy install. Only after this change anything on GAIA portal.
  3. If you do this, the old ISP stopped working immediately, but eth2 will released.

This would be the goal?

Akos

 

 

 

 

----------------
\m/_(>_<)_\m/

View solution in original post

(1)
10 Replies
the_rock
MVP Gold
MVP Gold
‎2025-01-06 07:06 AM
Jump to solution

Hey brother,

I would definitely remove backup interfaces first, save, then master, save, update topology in smart console (interfaces WITHOUT topology that is).

Take backups first!

Andy

Best,
Andy
(1)
Joe_Kanaszka
Advisor
‎2025-01-06 09:52 AM
In response to the_rock
Jump to solution

Thanks Andy!  Please see my response to Akos.

I may not have explained myself well the first post.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-01-06 09:54 AM
In response to Joe_Kanaszka
Jump to solution

K, read it, that makes sense to me, yeah. Just make sure the IP addresses are NOT referenced anywhere else before removing.

Andy

Best,
Andy
(1)
the_rock
MVP Gold
MVP Gold
‎2025-01-06 11:03 AM
In response to Joe_Kanaszka
Jump to solution

Forgot to add, maybe do snapshots too if you can.

Andy

Best,
Andy
the_rock
MVP Gold
MVP Gold
‎2025-01-07 03:27 PM
In response to Joe_Kanaszka
Jump to solution

Hey Joe,

Forgot to mention something kind of important, though you may not have to do any of this, but better confirm. Whenever I deal with things like this, I always verify afterwards in guidbedit that whatever is supposed to be removed is gone there as well.

Just a suggestion.

Best,

Andy

Best,
Andy
0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-01-06 07:26 AM
Jump to solution

Hi!

First I suggest you to do it in smaller eg. in a LAB environment. Thats gives you confidence.

If I understood correct (from a little pieces of info)

Q: Before I build out the new 9100s, I'd like to delete the "Old ISP" from the eth2 interface and move my new  Backup ISP interface currently on Mgmt to eth2.

Here is the exact steps how to add or remove Interface from a Cluster.

https://support.checkpoint.com/results/sk/sk57100

  1. put the standby member to down
  2. You need to remove the ClusterIP-s first -> to achieve this delete the IF in the SmartConsole -> then policy install. Only after this change anything on GAIA portal.
  3. If you do this, the old ISP stopped working immediately, but eth2 will released.

This would be the goal?

Akos

 

 

 

 

----------------
\m/_(>_<)_\m/
(1)
the_rock
MVP Gold
MVP Gold
‎2025-01-06 07:30 AM
In response to AkosBakos
Jump to solution

Good reference sk!

Andy

Best,
Andy
0 Kudos
Joe_Kanaszka
Advisor
‎2025-01-06 09:51 AM
In response to AkosBakos
Jump to solution

Good afternoon Akos and thank you!

What I would like to do is this:

Remove old physical IP and cluster IP from eth2 from both nodes.  This interface is currently not being used.

Move my backup ISP connection curently on "Mgmt" to eth2 on both nodes.

 

After I'm done I should have both of my external ISP connections on eth1 and eth2 on both nodes.  The current Mgmt will not be used for "Management".

eth4 will continue to be my local LAN & Management interface.

 

Does this make sense?  So I'm deleting two interfaces: Mgmt & eth2, and then re-configuring eth2 with the same IP that was on Mgmt.

   

 

 

 

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-01-06 11:05 AM
In response to Joe_Kanaszka
Jump to solution

Hi K,

If you want to remove the Virtual IP of a Cluster IF,  the only way is to delete te if in the SmartConsole, then push policy. Don't forget it, trust me, I know. I can't highlight it enough 🙂

Put the standby member to DOWN state to avoid of unwanted cluster flapping. (with #clusterXL_admin down) 

And The holy triumvirate: snapshot, system backup, save configurtaion.

Akos

 

 

 

----------------
\m/_(>_<)_\m/
(1)
the_rock
MVP Gold
MVP Gold
‎2025-01-06 11:07 AM
In response to AkosBakos
Jump to solution

Yes, super important!

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events