Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Michou
Explorer
Jump to solution

Migrate stand alone to cluster with new hardware

I currently have a 5200 (standalone on r81.10).

I am looking to utilize the same name/IP and replace this gateways with two 6500s on R81.10.

I just wanted to brain storm on the easiest way to accomplish this. 

Also, seems like this should be a common ask. Are there any Check Point guides for something like this?

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend

In that case, please follow below process that TAC gave me for customer that wanted to do EXACT same thing. Version makes no difference, so would not sweat about that.

Link to a document:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr...

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p...

 

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall. 

Basically here are the steps: 

  1. Install and configure the new cluster member. (Computer B)
    1. make sure that the new firewall can talk to the old firewall and vice versa. 
    2. Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.
  2. In the policy, remove any references to the old firewall.
  3. Create a new cluster object in SmartConsole.
    1. Configure the interfaces, Antispoofing, Office mode etc. 
      • The cluster VIP will be the old firewall local IP
  4. Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.
    1. Establish SIC
    2. Get interface without topology 
    3. Define a Sync interface 
  5. Install the policy on the cluster currently including member B only. 
  6. On the old firewall. 
    1. Disconnect all proposed cluster and Synchronization interfaces. New connections now open
      through the cluster, instead of through computer 'A'.
    2. Change the addresses of these interfaces to some other unique IP address which is on the
      same subnet as computer B.
    3. Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or
      Security Gateways previously connected to the Security Gateway must now be connected to
      both members, using a hub/switch.
  7. Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
  8. In the Cluster Members page, click Add and select "Add Security Gateway to Cluster" 
    1. Select the old firewall 
    2. In the "Edit Topology" page, determine the interface type. 
  9. Configure the Policy base. (VPN domain, rule base, NAT if needed)
  10. Install the policy. 

View solution in original post

0 Kudos
9 Replies
_Val_
Admin
Admin

Yes, this is a pretty common operation. 

Prepare the new cluster in the lab. You can either re-apply Gaia config or re-build it manually. Mind, interface names may be changing between the GWs.

Set up a service window, disconnect the management interfaces only from the old cluster, and connect to the new cluster members. Re-establish SIC, push policy, and re-cable the rest of the network. 

Should be straight forward.

0 Kudos
Blason_R
Leader
Leader

Indeed - Its a straight forward. Even further I used to setup a L3 switch and replicate the exact customer scenario. Establish SIC, policy push, license install everything same that I would do at customer place and then just plug the devices out and put the devices in. You are out of DC in flat 30 mins.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
G_W_Albrecht
Legend Legend
Legend

He has to deploy a new SMS from the StandAlone first, so not really easy...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Blason_R
Leader
Leader

Well here is the approach that I had taken and I use to take.

  1. Copy object_5_o.c file from management server.
  2. Find out/grep out IP addresses and/or object from that file.
  3. Create a linux script using management API for automatic creation of hosts on new mgmt server. This is pretty simple with bash scripting. 
  4. Then its just then creating a rules basis on those object and create a cluster object
  5. On isolated L3 switch create the L3 vlans and exact same IP addresses and networks for firewall/mgmt server.
  6. Connect the mgmt server with firewall establish SIC and installed policy.
  7. Then take a backup of that mgmt server or dbexport; put that on a production server and just a small downtime for firewalls installing firewalls in rack.
  8. Swap the cables and since SIC and policy is already installed even though  while booting up  if it does not find mgmt server.
  9. It will boot up with last successful install policy and process the traffic

 

Once the mgmt in network - Install the policy and install database.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Michou
Explorer

hi,

sorry, I misspoke.
When I say it's a stand alone, it's a single gateway. The smartcenter is already detached on a VM.

 

0 Kudos
the_rock
Legend
Legend

In that case, please follow below process that TAC gave me for customer that wanted to do EXACT same thing. Version makes no difference, so would not sweat about that.

Link to a document:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr...

https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p...

 

The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151. "Creating the ClusterXL Object"

Computer B refers to your new firewall and Computer A is your current firewall. 

Basically here are the steps: 

  1. Install and configure the new cluster member. (Computer B)
    1. make sure that the new firewall can talk to the old firewall and vice versa. 
    2. Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.
  2. In the policy, remove any references to the old firewall.
  3. Create a new cluster object in SmartConsole.
    1. Configure the interfaces, Antispoofing, Office mode etc. 
      • The cluster VIP will be the old firewall local IP
  4. Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.
    1. Establish SIC
    2. Get interface without topology 
    3. Define a Sync interface 
  5. Install the policy on the cluster currently including member B only. 
  6. On the old firewall. 
    1. Disconnect all proposed cluster and Synchronization interfaces. New connections now open
      through the cluster, instead of through computer 'A'.
    2. Change the addresses of these interfaces to some other unique IP address which is on the
      same subnet as computer B.
    3. Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or
      Security Gateways previously connected to the Security Gateway must now be connected to
      both members, using a hub/switch.
  7. Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
  8. In the Cluster Members page, click Add and select "Add Security Gateway to Cluster" 
    1. Select the old firewall 
    2. In the "Edit Topology" page, determine the interface type. 
  9. Configure the Policy base. (VPN domain, rule base, NAT if needed)
  10. Install the policy. 
0 Kudos
the_rock
Legend
Legend

Btw, I would follow process I gave you, as I did it with 3 customers, never a single problem. TAC guy I worked with on it 2 years ago was AMAZING!

0 Kudos
Alex-
Leader Leader
Leader

sk154033: How to migrate R80.x standalone management environment to a distributed environment

Regardless of the title of the SK, this is also applicable for R81.10, assuming that by Standalone 5200 you mean what the Check Point terminology assumes.

the_rock
Legend
Legend

I read process @Blason_R gave and it definitely makes sense. The article @Alex- provided you is also what Im ware of as supported method.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events