Kevin_Orrison
Collaborator

Replace/Upgrade Cluster

I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brainstorm on the easiest way to accomplish this.

Also, seems like this should be a common ask. Are there any Check Point guides for something like this?

29 Replies
Tommy_Forrest
Advisor

Can you tolerate downtime?

If so, shut down the old gateways, move the names/IPs to the new ones, re-SIC, change your hardware and OS version/type and push policy. Throw in an ARP table clear command as necessary.

 

If you can't tolerate downtime, then maybe a Connectivity Upgrade?  Though, the document doesn't note that a 80.10->80.30 upgrade is possible, yet.

https://dl3.checkpoint.com/paid/c8/c87af75dc02bd9852017cdfc763b923f/CP_Cluster_ConnectivityUpgrade_B...

 

HeikoAnkenbrand
Champion
When you start, the systems should have the following status:

[4800 A] -> active

[4800 B] -> standby

 

1. [4800 B] Power off the R80.10 standby cluster member (4800 B)

2. [6500 B] Connect to R80.30 new member and configure interfaces and routes,... with the same settings from the old [4800 B].

3. Install SIC, add license, change cluster version, fix cluster member topology, install policy on gateway [6500 B] (remove flag "if fails")

     Note: The member with the lower CCP version (GAIA version) remains active [4800 A].

4. [4800 A] Power off the R80.10 appliance (4800 A)

     Note: Now you're losing all your sessions and the [6500 B] should become active. If the number of cores (under CoreXL) is the same, you can do a fcu if necessary. This synchronizes the sessions on both gateways.

5. If possible delete all ARP entries on all participating routers in real time.

6. (6500 A) Connect to R80.30 new second member and configure interfaces and routes,... with the same settings from the old [4800 A] 

7. Install SIC, add license, fix cluster member topology, install policy on both new gateways (add flag "if fails")

Kevin_Orrison
Collaborator
Thanks for all the replies. What exactly do you mean about the "fix cluster member topology" step?
mdjmcnally
Advisor

Interface names may not match between the 4800 and the 6000 appliance, so you will need to update the interface names on the cluster and member objects so that they match the name of the interface on the 6000 appliance as opposed to what is named on the 4800.

Kevin_Orrison
Collaborator
Gotcha.
Kevin_Orrison
Collaborator
Could I restore a backup of each 4800 into the 6500s? Just checking for faster configuration. Since this is a cluster, the current 4800s are in a cloning group too. Or should I look at using the "Load configuration" CLI utility?

As mentioned in a previous post, the only difference I see in interface name/topology is the 6500s have a new interface named "sync".
mdjmcnally
Advisor

Backups are for restoration to the same model appliance, ie 4800 to 4800.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

From SK

Restore is only allowed using the same appliance model on the source and target computers.

 

Providing you make sure that it is on the same version of code, i.e. not upgrading, then you could save a config file on the 4800 and import it onto the 6500, but it should be the same version.

This will get the Gaia OS config only. Any Check Point tweaks will still have to be done manually.

 

 

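One way to deal with the interface-name mismatch on the Gaia side before importing a saved configuration onto the new appliance, as an added Python example that is not from this thread or from Check Point: it renames the old expansion-card ports to the new on-board ports as whole tokens and sets aside any line that still references a port the new box does not have. The sample configuration lines, the clish `set interface` syntax and the port lists are assumptions; this covers only the Gaia OS config, and the cluster object's topology in SmartConsole still has to be edited by hand.

```python
import re

# Constructed sample (not from the thread), in the form Gaia clish "show
# configuration" emits on the old appliance; the exact syntax is assumed here.
# clish uses lowercase names; SmartConsole shows the same ports as Eth1-01 etc.
OLD_CONFIG = """\
set interface Mgmt ipv4-address 10.0.0.1 mask-length 24
set interface Mgmt state on
set interface eth1 ipv4-address 192.0.2.1 mask-length 24
set interface eth1 state on
set interface eth1-01 ipv4-address 198.51.100.1 mask-length 24
set interface eth1-01 state on
set interface eth1-02 ipv4-address 203.0.113.1 mask-length 24
set interface eth1-02 state on
set interface eth1-03 state off
set static-route 10.1.0.0/16 nexthop gateway address 198.51.100.254 on
"""

# Expansion-card ports on the old box become on-board ports on the new one
# (the Eth1-01 -> Eth4, Eth1-02 -> Eth5 question asked later in the thread).
PORT_MAP = {"eth1-01": "eth4", "eth1-02": "eth5"}
# Ports that exist on the replacement appliance (assumed: Mgmt plus eth1..eth5).
NEW_PORTS = {"Mgmt", "eth1", "eth2", "eth3", "eth4", "eth5"}
# The name after the keyword "interface", taken as a whole token so that "eth1"
# is never rewritten inside "eth1-01".
IFACE_RE = re.compile(r"(\binterface\s+)(\S+)")


def old_interfaces(config_text):
    """Every interface name the old configuration references (pre-check list)."""
    return sorted({m.group(2) for m in IFACE_RE.finditer(config_text)})


def rewrite_config(config_text, port_map, new_ports):
    """Rename interfaces for the new hardware; return (kept_lines, skipped_lines).

    A kept line has every interface name mapped onto a port the new appliance
    has. A line still naming a port the new box lacks is skipped and returned
    for manual review rather than failing the import or hitting the wrong port.
    """
    kept, skipped = [], []
    for line in config_text.splitlines():
        names = [port_map.get(m.group(2), m.group(2)) for m in IFACE_RE.finditer(line)]
        if any(n not in new_ports for n in names):
            skipped.append(line)
            continue
        kept.append(IFACE_RE.sub(lambda m: m.group(1) + port_map.get(m.group(2), m.group(2)), line))
    return kept, skipped
```

Run `rewrite_config(OLD_CONFIG, PORT_MAP, NEW_PORTS)` on the exported file: the kept lines are what you feed to the import, and the skipped list (here the unused eth1-03 line) is what you review by hand.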
hle2001
Explorer

Hi all,

We have a 4400 ClusterXL active/standby running R80.40; the management is running as a separate VM, also R80.40. Since I only have 5 interfaces, I went with a pair of model 3600. The steps should be the same as Kevin Orrison's? However, mine came with R81.10. Do you think I should upgrade my Management gateway VM from R80.40 to R81.10?

Also, for step 3, it said remove the old FW-02 (standby) and put in the new FW and configure it? On the new FW, using a console port cable, can I configure the network topology, DNS, time server and static routes offline before I connect it to replace the standby FW-02?

How do I register the new pair of firewalls to your site for support?

Thank you.

abihsot__
Advisor

Usually I don't like to perform multiple changes at the same time, so depending on how critical your firewall is, I would revert the 3600 to R80.40 (easy to do via the Gaia web UI), migrate the cluster and do the upgrade to R81.10 during another maintenance window.

As for configuring the new gateways, console cable is not necessary. You just connect to management port and configure there. Unless I misunderstood your question.

hle2001
Explorer

Hi,

I have a similar problem, upgrading from a 4200 ClusterXL to a pair of 3600s. I just want to make sure about the cluster topology configuration. Here is what I have:

My current 4200 has a 4-port ethernet module; the ports show as Mgmt, Eth1, Eth2, Eth3 on board and Eth1-01, Eth1-02, Eth1-03 and Eth1-04 on the add-on NIC module, but I only use two ports on the add-on NIC module, as shown below:

ClusterXL (pair 4200)                       With a 3600 replacing the 4200 standby, the ports show as:

Mgmt                                        Mgmt
Eth1                                        Eth1
Eth2                                        Eth2
Eth3                                        Eth3
Eth1-01 ---- how/where to map? ---------->  Eth4
Eth1-02 ---- how/where to map? ---------->  Eth5

Also, after fixing all the topology network settings and establishing SIC trust, can I push the FW policy? My current SMS and 4200 ClusterXL gateway are running R80.40 with Jumbo Hotfix 180, so I reverted both 3600 appliances from R81 to R80.40 with Jumbo Hotfix 180 as well. What is the best way to make the standby 3600 become active?

Thank you.

Wolfgang
Mentor

Kevin,

Like Tommy mentioned, preconfigure the new nodes with the same configuration (IPs, VLANs, routing etc.).

Maybe you can also preconfigure new switch ports, connect the new gateways and have the ports shut down.

In a maintenance schedule you have to disable the old switch ports, enable the new ones, reset SIC and change the version and appliance type in the cluster object.

I think a zero downtime upgrade is not possible, because of the different architecture and CPU of 4800 and 6xxx appliances.

Wolfgang

Maarten_Sjouw
Champion
Is management on the gateways or do you have a separate management server?
The installation and upgrade guide from Check Point, per version, is a very comprehensive and complete guide.
Regards, Maarten
Kevin_Orrison
Collaborator

Separate management. Unless I missed something, I don't really see something that covers the scenario I described.

Pascal_Greditor
Explorer

All in one (management+gw) or dist. installation?

Kevin_Orrison
Collaborator
Distributed.
Kevin_Orrison
Collaborator
Changing the topic a little bit. The only other hiccup I can think of is that this cluster has Remote Access VPN using the SSL Network Extender, primarily. Does anyone have any experience on how this kind of HW replacement will affect Remote Access? Anything to look out for?
mdjmcnally
Advisor

Providing you are using the same certificates for VPN and ICA etc., then you should still be good to go. If using the same object, these should all remain the same.

Kevin_Orrison
Collaborator
OK, that's what I figured. Yah, that's all staying the same.
Kevin_Orrison
Collaborator
Can anyone speak to their experience with this type of replacement and upgrading the SNX client? If force update is off, would the R80.10 client connect to an R80.30 gateway? Would you just grab the .msi files off the R80.30 gateway to push out to clients?
Kevin_Orrison
Collaborator

Thanks so much for all the replies to my question! My replacement went very well!

K_montalvo
Advisor

Hello @Kevin_Orrison 

Hope you are well,

Can you confirm which method you used of those suggested by HeikoAnkenbrand, Tommy_Forrest or Wolfgang?

Can you share any notes on the steps used for the process with me?

Thanks!

Kevin_Orrison
Collaborator

More or less I followed Heiko's steps. Check if the new firewall model is using different interface names, as mentioned above.

Going back to my notes.

  1. Make sure FW-01 is active
  2. Power off the standby 4800 (FW-02)
  3. Connect the new 6500 standby member with same settings as FW-02
  4. Install SIC, add license, change cluster version, fix cluster topology, install policy removing the check box.
    1. Check sync/HA
    2. Verify license with cplic print
  5. Power off the active 4800
    1. The 6500 should become active
  6. Connect the new 6500 with the same settings as FW-01
  7. Install SIC, add license, fix cluster topology, install policy adding the check box.
    1. Change sync/HA to new “sync” interface
    2. Verify license with cplic print
  8. Install Threat Policy
  9. Check if receiving logs
  10. Create cloning group
  11. Test cluster failover

 

K_montalvo
Advisor

Hello @Kevin_Orrison, many thanks for your reply and for sharing your notes. I'm currently setting up a lab. In advance, can you confirm, regarding "add license", whether the license should be only on the SMS (MGM) server running on a VM or also on the gateways? In my understanding, since it is deployed in a distributed way it is a central license. I have to admit the licensing has been a little confusing; if you can explain I would appreciate it, brother!

Kevin_Orrison
Collaborator

I do all my licenses as "central licenses". So register the gateway license with the IP of your management server. I usually download the license file from the user center and upload to SmartUpdate.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

K_montalvo
Advisor

@Kevin_Orrison Perfect, very good explanation. With the method and steps above, did you have downtime?

Kevin_Orrison
Collaborator

From what I recall, there was no downtime.

K_montalvo
Advisor

@Kevin_Orrison I recently followed the process and everything worked perfectly, and best of all with no downtime. Thank you all for the help and HAPPY NEW YEAR!

ld3d
Participant

Hello,

Can you recall how you did step "fix cluster member topology" ?

I am changing HW from 21400 (R80.20) to 7000 (R81.10) and of course all interface names / numbers are different.

Only this part is a bit "scary" for me, as I have never done exactly that. What am I going to get on the cluster object in SmartConsole?

Everything else I have already pre-configured and I am ready for the HW swap, but only "fix cluster topology" is confusing me.

Any screenshots would be very welcome !!!

Thanks in advance!

abihsot__
Advisor

You probably already migrated your cluster, but in case others stumble on the same question, here is the screenshot where you have to adjust your interface names to align with the new hardware.
