This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ramakrishnan
Contributor
‎2023-03-21 11:05 AM

Moving VRRP to VSX ClusterXL

Dears, 

I am in process of migrating[Not upgrading] Checkpoint firewall from One Data Center to Another Data Center. Source DC has Checkpoint where VRRP has been configured. I want to plan those CP firewalls to another DC with ClusterXL [VSX firewalls]. 

With my limited knowledge of VRRP, there should be VMAC on VRRP IP will be burn[If I am not wrong there should be some calculation to arrive VMAC] where that will be learned in downstream switch, and downstream servers will have that  VIP as gateway. So the traffic flow hits the sw then fwd the packet to ACTIVE CP FW. Is my understanding correct?

On the other hand, in Cluster VSX all Cluster members will have the same IP address, [Note CLuster in HA mode] how MAC will learn how the server will reach out to ACTIVE cluster members. Admin guide document says Active member will do ARP response...

And How should I do this migration [VRRP IP to Cluster VSX] without changing the gateway at the server side? 

should I create a virtual interface on VSX cluster[my target DC fw] with that VRRP IP address? 

 

0 Kudos
6 Replies
Magnus-Holmberg
Advisor
Advisor
‎2023-03-21 08:06 PM

All your VSX cluster members will have diff IP. This for VS0

 

if you migrating a cluster to vsx, this cluster will be in one or more VS.

the VS only use one IP and the VS is only active on one box at the time.

i would recommend to run it in VSLS mode
if you run it in HA you can’t change VS instances without downtime. (Adding extra performance)

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
ramakrishnan
Contributor
‎2023-03-21 10:04 PM
In response to Magnus-Holmberg

Thanks Magnus for the response. 

So having said that, one side CP cluster running on VRRP [hece we have VRRP IP] other side we going to have VSX clusterXL on HA[cant decide on VSLS / HA now] so my questing is at the server side If dont want to perform any gateway change I can "reuse" same VRRP IP on the interface so that will be shared y all VSX members so active will respond to ARP req. 

so there will some momentry MAC updation will happen ? Please see attached overview diagram 

CP-FW.jpg
Preview file
107 KB
0 Kudos
ramakrishnan
Contributor
‎2023-03-22 08:16 PM
In response to ramakrishnan

Can anyone help me to validate attached approach method?

0 Kudos
ramakrishnan
Contributor
‎2023-04-05 10:01 PM
In response to Magnus-Holmberg

Dear All,

As  I explained in the diagram, would it be necessary to trigger traffic to gw IP address from server node? Typically when we configure IP address on VS interfaces (just re-using VRRP IP) there will be GARP will trigger that's the basic implementation design for an any L3 devices? Or only GARP will trigger at the time of failover between cluster?

0 Kudos
emmap
Employee
Employee
‎2023-04-05 10:51 PM
In response to ramakrishnan

A cluster failover will trigger a GARP, yes. When you move from the old gateway to the new VS, established connections will drop as out of state and need to be restarted, generally in all this process the ARPs take care of themselves. 

0 Kudos
ramakrishnan
Contributor
‎2023-04-06 07:13 AM
In response to emmap

So you mean to say that, when we move to Old VRRP to new VS clusterXL model, established connection will get dropped out do we need to do failover? in order to ARP table update? From downstream switch MAC table perspective need to re-initiate the connection?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top