This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Si_Dunford
Participant
‎2025-09-30 04:09 AM
Jump to solution

Replacing R81.20 cluster with new R82 cluster

Hi,

I have a pair of 5800 gateway appliance running R81.20 in HA mode. These devices go end of hardware support today (30 Sep 25) and I have a pair of new 9400 appliances due to be delivered in the next few days.

I anticipated that the new devices will come with R82 and so I have pre-upgraded our management from R81.20 to R82 already.

I know that R82 and R81.20 appliances cannot sit in the same cluster and obviously cannot have the same HA or IP addresses as the existing devices, but what I cannot find is any documentation showing the best way to replace them.

This is how I am planning to approach this:

1. Build / Install the R82 gateways with a new management address (and adding them to firewall rules).

2. Configure interfaces and IP addresses the same as R81.20 counterparts, leaving them disabled.

3. Add routing tables and Proxy ARP the same as R81.20 counterparts.

4. Failover 81.20 to the Secondary

5. Shut down the R81.20 Primary

6. Reset SIC on the Primary host in the cluster object

7. Enable interfaces on R82 Primary.

8. Upgrade cluster object to R82 and rest/initialise SIC for Primary host.

9. Push policy to individual gateways (Should work on R82 and Fail on R81.20)

10. Failover to R82 Primary

11. Repeat steps 5, 6, 7 for Secondary appliance

12. Push policy to gateways 

I don't know what will happen in step 7-9 when I bring the R82 primary online. Will there be two devices trying to become ACTIVE?

In step 10 will I have to shut down R81.20 Secondary to get the failover to work properly?

I would like to hear your comments and advice on this.
(Thanks in advance)

 

 

 

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2025-09-30 05:51 AM
Jump to solution

I would just follow below process, had done it many times, never had an issue.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Best,
Andy

View solution in original post

7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-09-30 05:51 AM
Jump to solution

I would just follow below process, had done it many times, never had an issue.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Best,
Andy
Si_Dunford
Participant
‎2025-09-30 07:16 AM
In response to the_rock
Jump to solution

Thanks, this is fairly similar to the approach I was planning... will report back when completed.

the_rock
MVP Platinum
MVP Platinum
‎2025-09-30 07:19 AM
In response to Si_Dunford
Jump to solution

Exactly! The best part is you dont need to worry about MVC feature, since its automatically enabled since R80.40

Andy

Best,
Andy
0 Kudos
vobryan
Explorer
‎2025-09-30 06:00 AM
Jump to solution

What a timely post! I am doing the exact same thing with the same old and new hardware as you in about a month.

I had to change some interface names because we are using more 10 gig interfaces and the old fw we used none.

Good luck to us both!

(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-09-30 06:14 AM
In response to vobryan
Jump to solution

I found same process I linked worked well even for R82.

Andy

Best,
Andy
0 Kudos
Si_Dunford
Participant
‎2025-09-30 07:35 AM
In response to vobryan
Jump to solution

I don't have a delivery date for our replacement yet, but hope yours goes well...
We are moving up to 10G interfaces from 1G too, but in our case we bond them and add VLAN subinterfaces so the bond and the subinterface names will remain the same; only the bond members will be changing.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-30 07:39 AM
In response to Si_Dunford
Jump to solution

Just make sure if say sync interface would be different link/speed, something to keep in mind, as thats important.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events