Replace/Upgrade Cluster
I currently have two 4800s in a cluster on R80.10. I am looking to keep the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brainstorm on the easiest way to accomplish this.
Also, this seems like it should be a common ask. Are there any Check Point guides for something like this?
Can you tolerate downtime?
If so, shut down the old gateways, move the names/IPs to the new ones, re-establish SIC, change your hardware and OS version/type and push policy. Throw in an ARP table clear command as necessary.
If you can't tolerate downtime, then maybe a Connectivity Upgrade? Though the document doesn't note that an 80.10->80.30 upgrade is possible, yet.
[4800 A] -> active
[4800 B] -> standby
1. [4800 B] Power off the R80.10 standby cluster member (4800 B).
2. [6500 B] Connect to the new R80.30 member and configure interfaces, routes, etc. with the same settings as the old [4800 B].
3. Install SIC, add license, change cluster version, fix cluster member topology, install policy on gateway [6500 B] (remove flag "if fails").
Note: The member with the lower CCP version (GAIA version) remains active [4800 A].
4. [4800 A] Power off the R80.10 appliance (4800 A).
Note: Now you're losing all your sessions and [6500 B] should become active. If the number of cores (under CoreXL) is the same, you can do a fcu if necessary. This synchronizes the sessions on both gateways.
5. If possible, delete all ARP entries on all participating routers in real time.
6. [6500 A] Connect to the new R80.30 second member and configure interfaces, routes, etc. with the same settings as the old [4800 A].
7. Install SIC, add license, fix cluster member topology, install policy on both new gateways (add flag "if fails").
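Steps 1 and 4 above both begin with powering off a member, and the whole sequence depends on the right member being standby at that moment. The following script is an added example (not code from this thread or from Check Point): it parses the member table printed by `cphaprob state` and only approves the power-off when the named member is STANDBY and its peer is ACTIVE. The sample output embedded in it is constructed, modelled on the R80.x column layout (ID / Unique Address / Assigned Load / State / Name); the member names FW-01/FW-02 and the addresses are assumptions, and you should compare the parser against your own gateway's output before relying on it.

```python
"""Pre-flight gate for the "power off the standby member" step.

Added example for this thread; not Check Point code. It parses the member
table printed by `cphaprob state` and only approves the power-off when the
member you are about to shut down is STANDBY and its peer is ACTIVE. The
sample output below is constructed, modelled on the R80.x column layout;
verify it against your own gateway's output before relying on it.
"""
import re
import sys

# Constructed sample; on a real member run `cphaprob state` and pipe it in.
SAMPLE_CPHAPROB_STATE = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.99.1    100%            ACTIVE         FW-01
2          192.168.99.2    0%              STANDBY        FW-02


Active PNOTEs: None
"""


def parse_members(output):
    """Return one dict per member row; columns are separated by 2+ spaces."""
    members = []
    for line in output.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        # A member row has exactly five columns, starts with the numeric ID
        # and carries a percentage in the Assigned Load column.
        if len(cols) != 5 or not cols[0][0].isdigit() or not cols[2].endswith("%"):
            continue
        ident, addr, load, state, name = cols
        members.append({
            "id": int(ident.split()[0]),
            "local": "(local)" in ident,
            "address": addr,
            "load": int(load.rstrip("%")),
            "state": state,        # ACTIVE, STANDBY, DOWN, READY, ACTIVE(!), ...
            "name": name,
        })
    return members


def safe_to_power_off(output, member_name):
    """Approve shutting down `member_name` only if it is STANDBY and exactly
    one other member is ACTIVE. Returns (ok, reason)."""
    members = parse_members(output)
    by_name = {m["name"]: m for m in members}
    if member_name not in by_name:
        return False, f"{member_name} not present in cluster state"
    state = by_name[member_name]["state"]
    if state != "STANDBY":
        return False, f"{member_name} is {state}, not STANDBY; do not power off"
    active = [m for m in members if m["name"] != member_name and m["state"] == "ACTIVE"]
    if len(active) != 1:
        return False, "expected exactly one other ACTIVE member"
    return True, (f"{member_name} is STANDBY; {active[0]['name']} is ACTIVE "
                  f"with {active[0]['load']}% load")


if __name__ == "__main__":
    # Usage: cphaprob state | python3 precheck.py FW-02   (falls back to the sample)
    target = sys.argv[1] if len(sys.argv) > 1 else "FW-02"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CPHAPROB_STATE
    ok, reason = safe_to_power_off(text, target)
    print(("OK: " if ok else "STOP: ") + reason)
    sys.exit(0 if ok else 1)
```

The gate checks state, not version: the note above that the lower-CCP-version member stays active is why the old active member is still expected to be ACTIVE after the first new member joins, and the script will refuse to approve powering off a member that is anything other than STANDBY (including ACTIVE(!) or DOWN), which is the point at which you stop and look at `cphaprob state` yourself.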
Interface names may not match between the 4800 and the 6000 appliance, so you will need to update the interface names on the cluster and member objects so that they match the names of the interfaces on the 6000 appliance rather than what they were named on the 4800.
As mentioned in a previous post, the only difference I see in interface name/topology is the 6500s have a new interface named "sync".
Backups are for restoration to the same model appliance, i.e. 4800 to 4800.
From the SK:
Restore is only allowed using the same appliance model on the source and target computers.
Provided you make sure it is on the same version of code, i.e. not upgrading, then you could save a config file on the 4800 and import it onto the 6500, but it should be the same version.
This will get the Gaia OS config only. Any Check Point tweaks will still have to be done manually.
Hi all,
We have a 4400 ClusterXL active/standby running R80.40; the management is running as a separate VM, also R80.40. Since I only have 5 interfaces, I went with a pair of model 3600. The steps should be the same as Kevin Orrison's? However, mine came with R81.10; do you think I should upgrade my management gateway VM from R80.40 to R81.10?
Also, step 3 says to remove the old FW-02 or standby and put in the new FW and configure it? On the new FW, using the console port cable, can I configure the network topology, DNS, time server and static routes offline before I connect it to replace the standby FW-02?
How do I register the new pair Firewall to your site for support?
Thank you.
Usually I don't like to perform multiple changes at the same time, so depending on how critical your firewall is, I would revert the 3600 to R80.40 (easy to do via the Gaia web UI), migrate the cluster and do the upgrade to R81.10 during another maintenance window.
As for configuring the new gateways, a console cable is not necessary. You just connect to the management port and configure there. Unless I misunderstood your question.
Hi,
I have a similar problem upgrading from a 4200 ClusterXL to a pair of 3600s; I just want to make sure about the cluster topology configuration. Here is what I have:
My current 4200 has a 4-port Ethernet module. The ports show as Mgmt, Eth1, Eth2, Eth3 for on-board, and Eth1-01, Eth1-02, Eth1-03 and Eth1-04 on the add-on NIC module, but I only use two ports on the add-on module, shown below:
ClusterXL (pair of 4200)          ->  3600 replacing the 4200 standby (ports shown)
Mgmt                              ->  Mgmt
Eth1                              ->  Eth1
Eth2                              ->  Eth2
Eth3                              ->  Eth3
Eth1-01  (how/where to map?)      ->  Eth4
Eth1-02  (how/where to map?)      ->  Eth5
Also, after fixing all the topology networks and establishing SIC trust, can I push the FW policy? My current SMS and 4200 ClusterXL gateways are running R80.40 with Jumbo Hotfix 180, so I reverted both 3600 appliances from R81 to R80.40 with Jumbo Hotfix 180 as well. What is the best way to make the standby 3600 become active?
Thank you.
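The interface-mapping question in the post above (Eth1-01/Eth1-02 on the 4200 add-on module to Eth4/Eth5 on the 3600) and the earlier warning that the cluster and member topology must be updated to the new appliance's interface names are the same problem: every old interface needs exactly one valid target on the new box before the topology is edited. The script below is an added example (not code from this thread or from Check Point) that builds that rename plan and flags anything unresolved. The interface names are taken from the post above; the networks attached to each interface and the rename decisions are assumptions standing in for your cabling plan.

```python
"""Interface rename plan for a ClusterXL member hardware swap.

Added example for this thread; not Check Point code. It takes the old
member's topology (interface -> network it carries), the interface names
that exist on the replacement appliance, and the rename decisions you made
from your cabling, and produces the list of cluster-object changes plus
everything that is still unresolved. The 4200 -> 3600 names come from the
post above; the networks attached to each interface are assumptions.
"""

# Old 4200 member: interface -> network it carries (networks are assumed).
OLD_4200_TOPOLOGY = {
    "Mgmt": "management",
    "Eth1": "external",
    "Eth2": "internal",
    "Eth3": "sync",
    "Eth1-01": "dmz",
    "Eth1-02": "vpn-transit",
}

# Interfaces present on the replacement 3600 (from the post above).
NEW_3600_INTERFACES = ["Mgmt", "Eth1", "Eth2", "Eth3", "Eth4", "Eth5"]

# Rename decisions taken from the cabling plan (assumed).
RENAMES = {"Eth1-01": "Eth4", "Eth1-02": "Eth5"}


def build_rename_plan(old_topology, new_interfaces, renames):
    """Map every old interface onto the new appliance.

    Returns a dict with:
      keep       - (name, network) interfaces whose name is unchanged
      rename     - (old, new, network) interfaces that need renaming in the
                   cluster object and member topology
      unresolved - (old, network) old interfaces with no valid target
      new_only   - interface names on the new appliance not used by the old
                   topology (e.g. a dedicated Sync port on some models)
    """
    plan = {"keep": [], "rename": [], "unresolved": [], "new_only": []}
    available = set(new_interfaces)
    for old_name, network in old_topology.items():
        target = renames.get(old_name, old_name)
        if target not in available:
            # Either the name does not exist on the new box or it was already
            # claimed by another old interface (two-into-one is an error).
            plan["unresolved"].append((old_name, network))
            continue
        available.remove(target)
        if target == old_name:
            plan["keep"].append((old_name, network))
        else:
            plan["rename"].append((old_name, target, network))
    plan["new_only"] = sorted(available)
    return plan


def render_plan(plan):
    """Human-readable checklist of the topology edits to make in SmartConsole."""
    lines = []
    for name, network in plan["keep"]:
        lines.append(f"keep    {name:<8} ({network})")
    for old, new, network in plan["rename"]:
        lines.append(f"rename  {old:<8} -> {new:<6} ({network})")
    for old, network in plan["unresolved"]:
        lines.append(f"ERROR   {old:<8} ({network}) has no target on the new appliance")
    for name in plan["new_only"]:
        lines.append(f"unused  {name:<8} (present on new appliance only)")
    return lines


if __name__ == "__main__":
    plan = build_rename_plan(OLD_4200_TOPOLOGY, NEW_3600_INTERFACES, RENAMES)
    print("\n".join(render_plan(plan)))
```

Run without the rename map and the two add-on-module ports come back as ERROR lines, which is the state the post above is in; map both to the same new port and the second one is rejected as well. A name that exists only on the new appliance (for example the extra "sync" interface mentioned for the 6500s earlier in this thread) is listed as unused so you decide deliberately whether to move sync onto it.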
Kevin,
Like Tommy mentioned, preconfigure the new nodes with the same configuration (IPs, VLANs, routing, etc.).
Maybe you can also preconfigure new switch ports, connect the new gateways and leave the ports shut down.
In a maintenance window you have to disable the old switch ports, enable the new ones, reset SIC and change the version and appliance type in the cluster object.
I think a zero-downtime upgrade is not possible, because of the different architecture and CPU of the 4800 and 6xxx appliances.
Wolfgang
The installation and upgrade guide from Check Point, per version, is a very comprehensive and complete guide.
Separate management. Unless I missed something, I don't really see something that covers the scenario I described.
All-in-one (management + gateway) or distributed installation?
Provided you use the same certificates for VPN and ICA etc., then you should still be good to go. If you are using the same object, then these should all remain the same.
Thanks so much for all the replies to my question! My replacement went very well!
Hello @Kevin_Orrison
Hope you are well,
Can you confirm which of the methods suggested by HeikoAnkenbrand, Tommy_Forest or Wolfgang you used?
Can you share any notes on the steps used for the process with me?
Thanks!
More or less I followed Heiko's steps. Check if the new firewall model is using different interface names, as mentioned above.
Going back to my notes.
- Make sure FW-01 is active
- Power off the standby 4800 (FW-02)
- Connect the new 6500 standby member with same settings as FW-02
- Install SIC, add license, change cluster version, fix cluster topology, install policy removing the check box.
- Check sync/HA
- Verify license with cplic print
- Power off the active 4800
- The 6500 should become active
- Connect the new 6500 with the same settings as FW-01
- Install SIC, add license, fix cluster topology, install policy adding the check box.
- Change sync/HA to new “sync” interface
- Verify license with cplic print
- Install Threat Policy
- Check if receiving logs
- Create cloning group
- Test cluster failover
Hello @Kevin_Orrison, many thanks for your reply and for sharing your notes. I'm currently setting up a lab. In advance, can you confirm regarding "add license": should the license be only on the SMS (MGM) server running on a VM, or also on the gateways? In my understanding, since it is deployed in a distributed way, it is a central license. I have to admit the licensing has been a little confusing; if you can explain, I would appreciate it, brother!
I do all my licenses as "central licenses". So register the gateway license with the IP of your management server. I usually download the license file from the user center and upload to SmartUpdate.
@Kevin_Orrison Perfect, very good explanation. With the method and steps above, did you have downtime?
From what I recall, there was no downtime.
@Kevin_Orrison I recently followed the process and everything worked perfectly, and best of all with no downtime. Thank you all for the help and HAPPY NEW YEAR!
Hello,
Can you recall how you did the step "fix cluster member topology"?
I am changing hardware from 21400 (R80.20) to 7000 (R81.10) and of course all interface names/numbers are different.
Only this part is a bit "scary" for me, as I have never done exactly that. What am I going to get on the cluster object in SmartConsole?
Everything else I have already pre-configured and I am ready for the hardware swap, but only "fix cluster topology" is confusing me.
Any screenshots would be very welcome !!!
Thanks in advance!
You probably already migrated your cluster, but in case others stumble on the same question, here is the screenshot where you have to adjust your interface names to align with the new hardware.