gm446
Contributor

Replace a firewall

Hi,

Is there any step-by-step procedure or best practice to replace a gateway with a new model?

The old gateway is a 6600 with R80.40 and the plan is to replace it with a 6900 with R80.40 / R81.10.
The target is to preserve all the current states and configurations from the old firewall to the new firewall. The SMS is on another VM.
My plan is this procedure:

1. Backup old firewall and restore the backup on the new firewall.
2. Manually backup DHCP configuration file and IP Assignments file.
3. Upgrade new firewall to R81.10
4. Move the cables from the old firewall to the new firewall
5. Re-establish SIC and edit gateway object properties
6. Install Policy

What do you think about this plan? Did I miss any step?

Thank you in advance,

Yossi

 

0 Kudos

Accepted Solutions
the_rock
Legend

By the way, the link below could be helpful to you; though it's cluster related, the same method applies.

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Also, make sure to NOT backup/restore, as it's different hardware. Do clish -c "show configuration" > /var/log/configfile.txt on the current fw, make the necessary changes to reflect interfaces/routes on the new fw, and then on the new fw, from clish, run load configuration /var/log/configfile.txt (just make sure it's in the /var/log dir or wherever you move it to).

Hope that helps.

Andy


11 Replies
Chris_Atkinson
Employee

For the backup restoration you should also consider the JHF version to be safe. Similarly, with the version upgrade, don't just deploy it with the base image, but rather also apply the latest recommended JHF.

CCSM R77/R80/ELITE
the_rock
Legend

Chris is right, consider latest recommended jumbo as well.

G_W_Albrecht
Legend

Between steps 1 and 2 you will have to perform FTW on the appliance for basic config. Not sure if you need to remake SIC though...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
gm446
Contributor

Thank you very much for the insights. Sure, I forgot about the First Time Configuration Wizard and the JHF version.

 

0 Kudos
G_W_Albrecht
Legend

For the Also part:

As of https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

A Gaia backup, unlike a Gaia snapshot, can be restored on the same or a different appliance running the same Check Point Gaia OS version and hotfixes.

But:

  1. Do one of these:
    • Revert to a Gaia Snapshot - restores the Check Point version with all the setup details, including type (management/gateway) and installation of hotfixes.
    • Restore from a Gaia Backup - restores latest system configuration with all recent network and security configuration.
  2. Compare the output of Gaia Clish command "show configuration" to the saved configuration to verify that Gaia OS configuration was restored properly.

So you are partly right, with a very good point indeed!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
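
The comparison step quoted above, combined with the interface changes from the accepted solution, as an added example that is not part of the thread or of Check Point tooling: a shell script that compares a saved "show configuration" dump with the new gateway's output, ignoring comment lines and ordering and applying an old-to-new interface name map. The function names, the map file format ("old new" per line) and the sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): order-independent comparison of two
# Gaia Clish "show configuration" dumps, with optional interface renames.

# normalize FILE [MAP]: drop comment/blank lines, rename interface tokens
# listed in MAP ("old new" per line, hypothetical helper file), then sort.
normalize() {
    awk 'FILENAME == ARGV[1] { ren[$1] = $2; next }
         /^[ \t]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++) {
               n = split($i, p, "[.]")          # eth1.100 -> base name + VLAN id
               if (n <= 2 && (p[1] in ren))
                   $i = ren[p[1]] (n == 2 ? "." p[2] : "")
           }
           $1 = $1; print }' "${2:-/dev/null}" "$1" | LC_ALL=C sort -u
}

# config_drift SAVED RUNNING [MAP]: "-" = in the saved dump only,
# "+" = on the new gateway only. Returns 0 if equivalent, 1 on drift.
config_drift() {
    tmp=$(mktemp -d) || return 2
    normalize "$1" "${3:-}" > "$tmp/saved"
    normalize "$2" > "$tmp/running"
    { LC_ALL=C comm -23 "$tmp/saved" "$tmp/running" | sed 's/^/- /'
      LC_ALL=C comm -13 "$tmp/saved" "$tmp/running" | sed 's/^/+ /'; } > "$tmp/diff"
    cat "$tmp/diff"
    if [ -s "$tmp/diff" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample dumps; hostname, addresses and port names are made up.
make_samples() {
    printf '%s\n' '# Exported by admin (old gateway)' 'set hostname gw-hq' \
        'set interface eth1 ipv4-address 10.1.1.1 mask-length 24' \
        'add interface eth1 vlan 100' \
        'set interface eth1.100 ipv4-address 10.1.100.1 mask-length 24' \
        'set static-route default nexthop gateway address 192.0.2.254 on' > "$1/old.txt"
    printf '%s\n' '# Exported by admin (new gateway)' \
        'set static-route default nexthop gateway address 192.0.2.254 on' \
        'set interface eth1-01.100 ipv4-address 10.1.100.1 mask-length 24' \
        'add interface eth1-01 vlan 100' 'set hostname gw-hq' \
        'set interface eth1-01 ipv4-address 10.1.1.1 mask-length 24' > "$1/new.txt"
    printf 'eth1 eth1-01\n' > "$1/ifmap.txt"
}

demo=$(mktemp -d) && make_samples "$demo"
config_drift "$demo/old.txt" "$demo/new.txt" "$demo/ifmap.txt" && echo "no drift"
rm -rf "$demo"
```

Run without the map file, the same two dumps report every renamed interface line as drift, which is the quickest way to spot a port that was missed when editing the saved configuration.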
the_rock
Legend

Let us know if any issues. I had done this a few times successfully, so can definitely help you out if need be.

Good luck!!

0 Kudos
gm446
Contributor

Thank you all very much for the help.

I will update on the results.

Yossi

0 Kudos
the_rock
Legend

Any time. Here comes my corny joke everyone is sick of..."For you, no charge, except iphone charge" ;-)

Andy

0 Kudos
the_rock
Legend

SIC is needed there, for sure.

0 Kudos
gm446
Contributor

Thank you everybody,

The replacement was smooth and everything works as planned.

The only issue was after the first install policy: DHCP and Office Mode were not working, resolved with a reboot.

 

0 Kudos
