This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
constant69
Contributor
‎2025-07-10 08:23 AM
Jump to solution

Replace a cluster of 15400 appliance by a cluster of 9700 appliance

Hello,

We are currently planning to replace a cluster of 15400 appliances by a cluster of 9700 appliances.

I’m looking the best and easiest way to accomplish this.

 

the Go-live day, I plan to replace one member at a time, to have no downtime. The cluster will have one 15400 member and one 9700 member.  Is this something you would comfortably recommend during few minutes?

 

Here is the detailed action plan I will follow

  • Preparation in lab
    • From 15400 appliance in production (In R81.20), export gaia configuration (e.g Config_15400)
    • From 9700 appliance in lab (In R81.20)
      • Install R81.20
      • Export the export gaia configuration (e.g Config_9700)
      • Then adjust the 9700 configuration file using the content of the 15400 file, for example by changing interface names and system settings (hostname, DNS, NTP, backup config, etc…). This should produce, for example, the file "config_9700_new". Then, import the "config_9700_new" file onto the 9700 appliances.
      • Change SIC on the both appliance
    • From the Management, establish the SIC to both gateways and change the model
    • Install the policy
  • Go-live day (Production deployment day) with Appliance_1_15400 is active and Appliance_2_15400 is passive
    • Poweroff the standby 15400 appliance (Appliance_2_15400)
    • Connect the new 9700 appliance with the same settings as Appliance_2_15400
    • At this stage, on smartconsole
      • Install SIC and licence
      • Install access policy removing the check box
    • Check the state of cluster on the both member (Appliance_1_15400 is active and Appliance_2_9700 is passive)
    • Poweroff the active 15400 appliance (Appliance_1_15400): Appliance_2_9700 should become active
    • Connect the another 9700 appliance (Appliance_1_9700) with the same settings as Appliance_1_15400
    • At this stage, on smartconsole
      • Install SIC and licence
      • Change hardware model
      • Install access policy
    • Check the state of cluster on the both member (as preemption is disable, Appliance_2_9700 is active and Appliance_1_9700 is passive)
    • Install Threat Policy
    • Check if receiving logs
    • Test cluster failover

 

In advance, thank for your feedback

Regards

Labels
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2025-07-10 08:29 AM
Jump to solution

Hey,

I know this is not an official CP process, but I had done it 10+ times, never had a problem.

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Make sure if version on new cluster is different, enable MVC, just confirm by running cphaprob mvc command.

Andy

Best,
Andy

View solution in original post

0 Kudos
3 Replies
the_rock
MVP Gold
MVP Gold
‎2025-07-10 08:29 AM
Jump to solution

Hey,

I know this is not an official CP process, but I had done it 10+ times, never had a problem.

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Make sure if version on new cluster is different, enable MVC, just confirm by running cphaprob mvc command.

Andy

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-07-10 08:44 AM
In response to the_rock
Jump to solution

Officially not supported to have a cluster with different hardware/CPU.

Note the SecureXL mode is also different between these models.

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-10 08:52 AM
In response to Chris_Atkinson
Jump to solution

Not sure if its officially supported, but it 100% works.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events