This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Arthur_DENIS1
Advisor
Advisor
‎2020-07-30 03:16 AM

VSX hardware replacment

Hi,

I need you advise about one of my coming migration.

I have currently 1 VSX cluster running version R80.20 under 12600 appliance, and we planned to replace the hardware with 7000.
Current interfaces used 10Gb directly on the config, and now we want to use 2Gb under bond interface for each VS.

My idea is this:
- deploy new boxes with GAIA settings (interfaces, bond, users, DNS, routing for VS0, backups, licenses etc)
- integrate into management
- create all VS/vlan with other unused IP
- assign same policy package for actual and new VS

Day of the migration:
- unplug actual box
- use VSX provisionning tool to replace all temporary IP on new boxes by actual one

Could you please give me you're thinking about this plan? Any better ideas?

 

Thanks,
Arthur

0 Kudos
5 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-07-30 07:59 AM

I would ask TAC, backed by the local CP SE you should receive any help you need from there. VSX is a complicated product so i would be extreme carefull here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Arthur_DENIS1
Advisor
Advisor
‎2020-07-31 02:39 AM
In response to G_W_Albrecht

Indeed, I'm already in liase with my local SE, but get another idea and feedback from previous migration is already great to have 🙂

0 Kudos
Magnus-Holmberg
MVP Silver
MVP Silver
‎2020-07-31 04:50 AM

First of all we connect the new VSX to MAIN01 so all the configuration can be done and box is up and ready for production.

When we do hardware replacement we more or less copy paste with help of VSX provisioning.
We create the VS the same with all IP and everything but we dont allow the VLAN on the bond interfaces in the switches.
Communicate with the VSX over VS0 so you are able to push policys etc.
(We have VS0 on dedicated interface)

Before cut over we normally turn off statefull inspection.
2-3 hours before the cutover we "freeze" the mgmt station and move all VPN communities etc.
The only as we see it is that we need to generate a massive amount of eval licenses to put on the CMA as we use DMN VSX licens in all CMA.
During migration its "only" to remove the VLAN on the trunks to old boxes and add the VLAN on the trunk to the new boxes.

Regards,
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
Michal_Gans
Contributor
Contributor
‎2020-07-31 05:17 AM

I would suggest to designate new IPs for new VSX mng inf and configured whole boxes before migration day (all inf expect mng unpluged). 

So whole migration take only to unplug old box and plug new ones.

 

We used this scenario many times and it make around 2 mins of downtime.

Arthur_DENIS1
Advisor
Advisor
‎2020-08-03 06:23 AM
In response to Michal_Gans

Thanks, seems great !

Only 2 min of downtime would be amazing 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events