This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kriminal73
Explorer
‎2024-01-24 01:13 PM

Issue during migrate old cluster to new on 

Hi to all,
I would like to replace my two Check Point 5100 with the 6200P I just purchased.
I installed the first 6200P, configured the network interfaces, connected the network cables of the standby node to the right interfaces, performed the SIC with management, modifying the cluster hardware from 5000 to 6000 (same R.81.20) and installed the policies.
Install policies works only without check mark "If installation fail do not install on that cluster" otherwise the installation fail.
The error refers some problem on the network interfaces that I can't identify, seem well configured.
I noticed that the "Sync" network interface ("Sync" on the 6200 and "eth1.7" on the 5100) is not marked as a trust interface on the 6200.
Could it be due to this? If so, how do I make it become a "trust"?
Thank you.
Regards

 

0 Kudos
8 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-01-24 02:57 PM

Great process to follow.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Best,
Andy
0 Kudos
Oliver_Fink
Advisor
Advisor
‎2024-01-25 06:21 AM

Did you change the topology in the cluster object (and install policy after that)? You have to do this if interface names change (e.g. "Sync" vs "eth1.7").

Kriminal73
Explorer
‎2024-01-25 06:42 AM
In response to Oliver_Fink

Yes, the topology was changed and the policies were installed without the "if fails" flag.

I'll have to try power off the working 5100 as suggested by the previous post, but I don't want to do it remotely.

I'll try it as soon as I get back to the office.

Thank you.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-01-25 07:01 AM
In response to Kriminal73

I see what @Oliver_Fink is saying, topology has to match, make sure to do "get interfaces WITHOUT topology". 

Andy

Best,
Andy
0 Kudos
Kriminal73
Explorer
‎2024-01-25 07:45 AM
In response to the_rock

Done.

Smart console tells me that all ports except the sync port have been changed (pencil icon).

I checked them one by one and didn't notice any changes.

After that I installed the policies with the flag "if fails.." with same results, if I remove the flag "if fails.." the policies are installed. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-01-25 10:15 AM
In response to Kriminal73

Can you verify interfaces do match for new cluster?

Andy

Best,
Andy
0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-02-08 01:40 PM

Is the eth1.7 the lowest vlan on that trunk?

 

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-...

0 Kudos
Kriminal73
Explorer
‎2024-02-08 11:33 PM
In response to CheckPointerXL

After powered off the 5100 the 6200P works like a charm without downtime.

No issue after the configuration of second 6200P, sync port it's now trusted and cluster xl working.

Thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events