Hello!
We need to upgrade an existing 5600 firewall cluster running R81 from 1 gig copper connections, to 10 gig fiber. A CPAC-4-10F-B module has been purchased for each firewall. My assumption is that we will need to do the following for each firewall...
1. Power down the firewall.
2. Install the module.
3. Power on the firewall and log in via GAIA.
4. Remove the configuration for each Eth interface and configure the new 10 gig interface to be identical to the old corresponding Eth interface.
If the name, IP, etc. are identical on the newly configured 10 gig interface... are any other configuration changes required?
Can you please clarify a few things about your scenario:
1. Are you using the existing 1Gbps interfaces as Bonds (sk122032)?
2. Are the existing 1Gbps ports on a NIC card being removed or the onboard/built-in ports?
1. Some of the interfaces will be moved to 10 gig SFPs, and some will be 1 gig and swapped for 10 gig during a cutover with the ISP.
2. The existing 1 gig connections are built in, and new connections will be moved to SFPs on a new module.
Since it's a cluster it may help to review sk57100 for removing / adding interfaces e.g. VLANs etc.
Okay here was the scenario...
Customer wanted to upgrade 2 of their existing 1 gig copper interfaces to a new 10 gig module. We needed to migrate a DMZ and one of their ISP circuits from the 1 gig built-in copper to the new 10 gig module. We did the DMZ first since it was lowest risk. Easy peasy... logged into GAIA on primary and secondary firewalls... removed interface configuration and disabled copper interface... configured new 10 gig port with identical configuration and plugged in the new fiber. Did a get interfaces with topology in SmartConsole and done. No issues, everything worked flawlessly.
Next we did the internet interface. Followed the same procedure, but no internet. (Oh Crap). Ended up needing to set the interface to the new interface on the ISP failover configuration in SmartConsole. Whew! One more issue though... VPN wasn't functioning as expected. Checked out the logs and we had spoofing issues. Needed to go into the new interface and add the VPN subnet to the ignore for spoofing. Finally, everything was working as expected!
Lesson learned... a basic interface is just a reconfiguration in GAIA, move cables, get interfaces in SmartConsole, and done.
An external interface doing ISP failover and providing VPN services... requires a little extra configuration in the SmartConsole.
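The spoofing drops described in the post above can be reasoned about with a simplified model of topology-based anti-spoofing. This is an added illustration, not code from the thread or from Check Point; the interface names, subnets and the rule that VPN-subnet traffic is seen on the external interface are assumptions made for the example.

```python
import ipaddress

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def in_any(addr, networks):
    return any(addr in n for n in networks)

def spoof_verdict(src, arrival_if, topology, exceptions):
    """Classify a packet by source address and arrival interface.

    topology:   {interface: networks defined as 'behind' it} for internal
                interfaces; an interface absent from the dict is external.
    exceptions: {interface: networks excluded from the spoofing check}.
    """
    addr = ipaddress.ip_address(src)
    if in_any(addr, exceptions.get(arrival_if, [])):
        return "accept"
    if arrival_if in topology:
        # Internal interface: the source must belong behind this interface.
        return "accept" if in_any(addr, topology[arrival_if]) else "spoofed"
    # External interface: a source that belongs behind any internal
    # interface should never arrive from outside.
    internal = [n for behind in topology.values() for n in behind]
    return "spoofed" if in_any(addr, internal) else "accept"

# Constructed sample topology (hypothetical names and addresses).
TOPOLOGY = {"eth2": nets(["10.10.0.0/16"]), "eth1-02": nets(["192.168.50.0/24"])}
NEW_EXTERNAL = "eth1-01"          # re-created 10 gig ISP interface (assumed name)
VPN_SUBNET = "10.10.50.0/24"      # overlaps the internal range behind eth2

def cutover_check():
    """Verdicts for a VPN-subnet source before and after adding the exception."""
    before = spoof_verdict("10.10.50.20", NEW_EXTERNAL, TOPOLOGY, {})
    fixed = {NEW_EXTERNAL: nets([VPN_SUBNET])}
    after = spoof_verdict("10.10.50.20", NEW_EXTERNAL, TOPOLOGY, fixed)
    # The exception is scoped to the VPN subnet: other internal sources
    # arriving on the external interface are still dropped.
    other = spoof_verdict("10.10.1.5", NEW_EXTERNAL, TOPOLOGY, fixed)
    return before, after, other

if __name__ == "__main__":
    print(cutover_check())
```

Keeping the exception as narrow as the VPN subnet preserves the spoofing check for every other internal range on the external interface.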