This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cmale
Explorer
‎2025-06-23 01:56 PM

Issues Replacing/Upgrading Appliances in H/A Cluster

I currently have two 6600s in a H/A cluster. I am replacing these two appliances with two 9100s. Below is my current plan of attack, but I run into issues and cannot establish SIC on the second appliance and DNS stops resolving (Step 7).

  1. Make sure FW-01 is active.
  2. Unplug cables from the standby 6600 (FW-02).
  3. Connect the cables to the new 9100 as the standby member with same settings as FW-02.
  4. Install SIC, change cluster version, and install policy removing the check box.
  5. Unplug cables from the active 6600 (FW-01).
    1. The 9100 (FW-02) becomes active. (DNS stops resolving at this point. I can reach internal and external IPs from the appliance itself while I am consoling in, but not from a laptop hardwired into the network).
  6. Connect the new 9100 with the same settings as FW-01.
  7. Install SIC, and install policy adding the check box.

SIC will not install on the second replacement. I have tried rebooting and running fw unloadlocal. DNS does not resolve at this point and I am forced to revert.

Attached is what I see in SC for the first replacement (FW-02).

Does anyone see anything glaringly obvious?

Preview file
24 KB
0 Kudos
10 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-06-24 01:02 AM

Do both the old and new cluster nodes have the same Version and Jumbo Take installed ? If not, you have to use MVC during change.

Also see here: 

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/69325#M5302

https://community.checkpoint.com/t5/Security-Gateways/Migrating-cluster-from-old-to-new-hardware/m-p...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
cmale
Explorer
‎2025-06-24 04:31 AM
In response to G_W_Albrecht

Same version, yes. I will have to double check the Jumbo Take. I did not mention that I plan to reuse IP addresses for the two appliances as well as hostnames. Those are already changed. I just plan to take down the standby, bring up the new replacement (with same IP and hostname). I am using the same cluster.

Thank you.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-24 11:09 AM
In response to cmale

That should be totally fine. As I mentioned in the other post where you initially asked about this issue, did you make sure 100% that routes are the same and sic port is communicating?

Andy

0 Kudos
cmale
Explorer
‎2025-06-24 11:43 AM
In response to the_rock

I will verify tomorrow evening during my scheduled maintenance window. One thing I did not double check are the interfaces and topology when I had the new appliances up, although I did set up everything in GAIA that way it was set up for the current 6600s. I will keep you posted.

These settings should carry over if I am using the same cluster as the 6600s, though, correct? Or would they change after I bring the 9100s up?

Thank you.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-24 12:10 PM
In response to cmale

Here is what I ALWAYS do with customers and never had a problem. So you generate clish config in a file, say for example from current fw in expert (say if its master, though name can be anything) -> clish -c "show configuration" > /var/log/masterfwconfig.txt

Get it off fw from winscp (you can enable ot by changing admin shell to bin bash with command chsh -s /bin/bash admin) and once you have the file downloaded, copy bits and pieces until donw to clish of new fw, just ommit parts say for mgmt interface, unless you have constant console to it, and you dont care for web UI access till its cutover. Then, manually download recommended jumbo from cp site, install it, reboot, then ENSURE config matches from existing to new fw by getting config file with same command and comparing the differences (you can do this in notepad++ or even compare it free download tool).

If this matches, there is no way you would have any problems, trust me. I had done this too many times not to be confident 100% in the process.

Andy

0 Kudos
cmale
Explorer
‎2025-06-24 12:41 PM
In response to the_rock

Thank you. I will give this a try.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-24 12:42 PM
In response to cmale

Please be free to message me directly if any issues, Im confident I can help you if you get stuck.

Andy

0 Kudos
garrod
Contributor
‎2025-06-24 11:18 PM

Hi,

Try to check from the CLI with cphaprob command. If no problem detected, mostly is the management cache unable to be cleared and not updating to the latest status from the gateway.

Or else, a deep configuration verification is required.

 

Regards,

CM

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-26 07:12 AM
In response to garrod

Hey mate,

How did it go last night? Did  not see email from you, though I stayed up till 1 am just in case you needed help, so hope no news is GOOD news? 🙂

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-26 08:44 AM
In response to the_rock

@cmale 

I REALLY would love to help you get this working, so since you got my contact, please message me when you try this again tonight. Or, if you are around later, say 2 pm or so, we can have quick zoom meeting to go over things.

Let me know your thoughts.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events