I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brainstorm on the easiest way to accomplish this.
Also, seems like this should be a common ask. Are there any Check Point guides for something like this?
[4800 A] -> active
[4800 B] -> standby
1. [4800 B] Power off the R80.10 standby cluster member (4800 B).
2. [6500 B] Connect to the new R80.30 member and configure interfaces and routes, ... with the same settings as the old [4800 B].
3. Install SIC, add license, change cluster version, fix cluster member topology, install policy on gateway [6500 B] (remove flag "if fails").
Note: The member with the lower CCP version (GAIA version) remains active [4800 A].
4. [4800 A] Power off the R80.10 appliance (4800 A).
Note: Now you're losing all your sessions and the [6500 B] should become active. If the number of cores (under CoreXL) is the same, you can do a fcu if necessary. This synchronizes the sessions on both gateways.
5. If possible, delete all ARP entries on all participating routers in real time.
6. [6500 A] Connect to the new second R80.30 member and configure interfaces and routes, ... with the same settings as the old [4800 A].
7. Install SIC, add license, fix cluster member topology, install policy on both new gateways (add flag "if fails").
Can you tolerate downtime?
If so, shut down the old gateways, move names/IPs to the new ones, re-SIC, change your hardware and OS version/type and push policy. Throw in an ARP table clear command as necessary.
If you can't tolerate downtime, then maybe a Connectivity Upgrade? Though the document doesn't note that an 80.10->80.30 upgrade is possible, yet.
Interface names may not match between the 4800 and the 6000 appliance, so you will need to update the interface names on the cluster and member so that they match the names of the interfaces on the 6000 appliance, as opposed to what they were named on the 4800.
Backups are for restoration to the same model appliance, i.e. 4800 to 4800.
From the SK:
Restore is only allowed using the same appliance model on the source and target computers.
Provided you make sure it is on the same version of code, i.e. not upgrading, then you could save a config file on the 4800 and import it onto the 6500, but it should be the same version.
This will get the Gaia OS config only. Any Check Point tweaks you will still have to do manually.
Hi all,
We have a 4400 ClusterXL active/standby running R80.40; the management is running as a separate VM, also R80.40. Since I only have 5 interfaces, I am going with a pair of model 3600. The steps should be the same as Kevin Orrison's? However, mine came with R81.10; do you think I should upgrade my Management gateway VM from R80.40 to R81.10?
Also, step 3 said to remove the old FW-02 or standby and put in the new FW and configure it? On the new FW, using a console port cable, can I configure the network topology, DNS, time server and static routes offline before I connect it to replace the standby FW-02?
How do I register the new pair Firewall to your site for support?
Thank you.
Usually I don't like to perform multiple changes at the same time, so depending on how critical your firewall is, I would revert the 3600 to R80.40 (easy to do via the Gaia web UI), migrate the cluster and do the upgrade to R81.10 during another maintenance window.
As for configuring the new gateways, a console cable is not necessary. You just connect to the management port and configure there. Unless I misunderstood your question.
Hi,
I have a similar problem upgrading from a 4200 ClusterXL to a pair of 3600s. I just want to make sure of the cluster topology configuration; here is what I have:
My current 4200 has a 4-port Ethernet module, with ports shown as Mgmt, Eth1, Eth2, Eth3 for on board and Eth1-01, Eth1-02, Eth1-03, and Eth1-04, but I only use two ports on the add-on NIC module, shown below:
ClusterXL (pair 4200) | With a 3600 to replace 4200 Standby show ports |
---|---|
Mgmt | Mgmt |
Eth1 | Eth1 |
Eth2 | Eth2 |
Eth3 | Eth3 |
Eth1-01 | how/where to map -> Eth4 |
Eth1-02 | how/where to map -> Eth5 |
Also, after fixing all the network topology and establishing SIC trust, can I push the FW policy? My current SMS and 4200 ClusterXL gateway are running R80.40 with Jumbo Hotfix 180, so I reverted both 3600 appliances from R81 to R80.40 with Jumbo Hotfix 180 as well. What is the best way to make the standby 3600 become active?
Thank you.
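An added example (not part of any post in this thread and not Check Point tooling): a Python sketch for the interface-name mismatch raised above, rewriting interface names in a configuration file saved on the old member before it is loaded on the replacement appliance, and flagging interfaces that have no mapping. The sample configuration, its addresses and the `eth1-01` -> `eth4` / `eth1-02` -> `eth5` mapping are constructed for illustration, and the line shapes are assumed to follow Gaia clish `set interface <name> ...` syntax; the cluster object topology in SmartConsole still has to be updated separately.

```python
import re

# Constructed sample of a configuration saved on the old member (Gaia clish syntax).
OLD_CONFIG = """\
set interface Mgmt ipv4-address 192.0.2.2 mask-length 24
set interface eth1 ipv4-address 198.51.100.2 mask-length 24
set interface eth1-01 state on
set interface eth1-01 ipv4-address 10.10.1.2 mask-length 24
add interface eth1-02 vlan 20
set interface eth1-02.20 ipv4-address 10.10.20.2 mask-length 24
set interface eth1-03 comments "unused"
set static-route default nexthop gateway address 198.51.100.1 on
"""

# Hypothetical old -> new names; unchanged names are listed explicitly so that
# anything missing is reported instead of silently passed through.
IFACE_MAP = {"Mgmt": "Mgmt", "eth1": "eth1", "eth1-01": "eth4", "eth1-02": "eth5"}

# "<verb> interface <name>[.<vlan>] <rest>"
IFACE_RE = re.compile(r"^(set|add|delete) interface (\S+?)(\.\d+)?(\s.*)?$")


def remap_config(text, mapping):
    """Return (rewritten_config, sorted_unmapped_names)."""
    targets = list(mapping.values())
    clashes = sorted({t for t in targets if targets.count(t) > 1})
    if clashes:
        raise ValueError(f"several old interfaces map to: {clashes}")
    out, unmapped = [], set()
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if not m:                      # routes, DNS, etc. pass through untouched
            out.append(line)
            continue
        verb, name, vlan, rest = m.group(1), m.group(2), m.group(3) or "", m.group(4) or ""
        if name not in mapping:        # comment out rather than guess a port
            unmapped.add(name)
            out.append("# UNMAPPED, review manually: " + line)
        else:
            out.append(f"{verb} interface {mapping[name]}{vlan}{rest}")
    return "\n".join(out) + "\n", sorted(unmapped)


if __name__ == "__main__":
    new_config, missing = remap_config(OLD_CONFIG, IFACE_MAP)
    print(new_config, end="")
    print("interfaces without a mapping:", missing)
```

Review every line marked `UNMAPPED` before loading the result; an interface that keeps its old name on hardware where that port does not exist would otherwise only surface as a topology mismatch at policy install.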
Kevin,
like Tommy mentioned, preconfigure the new nodes with the same configuration (IPs, VLANs, routing, etc.).
Maybe you can also preconfigure new switchports, connect the new gateways and have the ports shut down.
In a maintenance window you have to disable the old switchports, enable the new ones, reset SIC and change version and appliance type in the cluster object.
I think a zero downtime upgrade is not possible, because of the different architecture and CPU of 4800 and 6xxx appliances.
Wolfgang
Separate management. Unless I missed something, I don't really see something that covers the scenario I described.
All in one (management+gw) or dist. installation?
Provided you are using the same certificates for VPN, ICA, etc., then you should still be good to go. If using the same object, then these should all remain the same.
Thanks so much for all the replies to my question! My replacement went very well!
Hello @Kevin_Orrison
Hope you are well,
Can you confirm which method you used of those that were suggested by HeikoAnkenbrand, Tommy_Forest or Wolfgang?
Can you share any notes on the steps used for the process with me?
Thanks!
More or less I followed Heiko's steps. Check if the new firewall model is using different interface names like mentioned above.
Going back to my notes.
Hello @Kevin_Orrison, many thanks for your reply and for sharing your notes. I'm currently mounting a lab. In advance, can you confirm regarding "add license": shall the license be only on the SMS (MGM) server running on a VM and also on the gateways? In my understanding, since it is deployed in a distributed way, it is a central license. I have to admit the licensing has been a little confusing; if you can explain, I would appreciate it, brother!
I do all my licenses as "central licenses". So register the gateway license with the IP of your management server. I usually download the license file from the user center and upload to SmartUpdate.
@Kevin_Orrison Perfect, very good explanation. With the method and steps above, did you have downtime?
From what I recall, there was no downtime.
@Kevin_Orrison I recently followed the process and everything worked perfectly and, best of all, with no downtime. Thank you all for the help and HAPPY NEW YEAR!
I know this is a few years late, but I came across your post as I am trying to upgrade my own cluster. We currently have two 6600s and are replacing them with two 9100s.
My plan very closely matches your plan, but I am having issues establishing SIC on the second appliance, which would be step 7. I have zero issues up until this point. The first replacement appliance establishes SIC with zero issues. I even failover without trouble. But, when I take the second original appliance offline, I lose all DNS resolution. I have been banging my head on the table trying to figure out what the issue is. I have a feeling it has something to do with SIC not establishing on the second replacement.
Any experiences with this?
Wait, you lose DNS when taking the last 6600 offline even though one of the 9100s is currently active? Any other symptoms? What specifically happens when you try to establish SIC on the second 9100? Have you checked the password? Is the second 9100 on "InitialPolicy"? If not, you'll want to reset SIC using cpconfig. Does the second 9100 have all the necessary config from its 6600 counterpart? It might be faster to just put in a TAC case.