This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DR_74
Collaborator
‎2024-04-26 03:17 PM

VSX hardware upgrade from 5600 to 7000

Hello

We are planning to change a VSX cluster running r81.10 on 2x5600 gateway with a new 7000 cluster running r81.20.

The actual cluster has only 3 VS (some IPSEC vpn) and some virtual switches.

The management server is already in r81 20.

We were thinking of building a new cluster in parallel with different IPs.

Then provisionning new VS with different names and dummy IPs the time to create them and to avoid conflict.

Finally attaching the existing policies to these new VS.

The migration would be to shutdown the interfaces on the legacy cluster, modify the IP addresses on the new VS with the ones of the older VS.

When migration is done, deleting the old cluster from the management

Does this look possible?

Thanks

Labels
7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-04-26 03:19 PM

Im sure one of the VSX experts will confirm it for you, but to me, that all sounds logical.

Best,

Andy

Best,
Andy
0 Kudos
Mattias_Jansson
Collaborator
‎2024-04-27 02:21 AM

I have been using that method too. Works fine. I use the real ip adresses on the new vs’s but have all interfaces in shutdown on the switch. Then I shutdown the old vsx gateways for gratuitous arp to work. (Sometimes it dont). Then enable the interfaces on the new machines

Ruan_Kotze
MVP Gold
MVP Gold
‎2024-04-27 07:38 AM
In response to Mattias_Jansson

Just a quick note - you can "force" an arp update through the following commands:

arping -c 4 -A -I eth1 1.2.3.4

For Proxy ARP addresses you do it like so:

Expert# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
Expert# arping -c 4 -A -I eth1 1.2.3.4

For every address the gateway is proxy arping for:

Expert# fw ctl arp | cut -d\( -f2 | cut -d\) -f1 | xargs -i -t arping -c 4 -A -I eth1 {}

Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-04-27 02:32 PM
In response to Ruan_Kotze

If you add '-P 256' to the xargs invocation, it can run multiple instances (up to 256 with that exact string) of the called tool in parallel. In environments with a lot of proxy ARP entries, this can speed things up substantially.

0 Kudos
Vincent_Bacher
Leader Leader
Leader
‎2024-04-28 10:02 PM

Both provided solutions should do it.
We usually first setup hardware with different management IPs, configure them without VSes and then we prepare scripts to remove the VSes from one device and add them to the other devices.
But that effort would not be feasible running just few VSes.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-04-29 12:09 AM

That's the long way, but it'll work. Alternatively, you can look at using 'vsx_util reconfigure' to reuse all the existing stuff and push it out to the new gateways.

0 Kudos
Vincent_Bacher
Leader Leader
Leader
‎2024-04-29 01:08 AM
In response to emmap

This is what we usually do in our scripts 👍

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events