This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dehaasm
Collaborator
2 weeks ago

migrating from ClusterXL to ElasticXL new cluster

Just wanted your heads on for a migration scenario from existing cluster using ClusterXL to new cluster using ElasticXL as-is.

I am aware that we need to perform a fresh install on the new gateways and enable elasticXL, use a new management IP and add the second cluster via Gaia (global), use dedicated sync interface.

I am wondering how to migrate the existing SMS policy to the new ElasticXL cluster;

-I would assume that all ClusterXL virtual IP should be configured on the global Gaia portal as it would only have a single IP for each interface/vlan.

-migrate all other gaia configuration to the new ElasticXL (excluding network interfaces), like NTP, DNS, RADIUS, admins.

-what about the network topology on the SMS policy of the existing ClusterXL, should we duplicate the policy and basically rebuilt the network topology to match the ElasticXL topology (which i assume to be with those internal links like Maestro)

With above we should be able to install the policy on the new ElasticXL cluster, someone here any advise to make this migration as smooth as possible? Any tips and tricks please share.

 

 

Labels
0 Kudos
12 Replies
the_rock
MVP Platinum
MVP Platinum
2 weeks ago

Im positive @HeikoAnkenbrand or @emmap would know. I know there is a tool for it that was discussed recently, but since its not public yet, no idea if it would actually include policy migration.

Best,
Andy
0 Kudos
genisis__
MVP Silver
MVP Silver
2 weeks ago
In response to the_rock

Last I heard it was on the road map, but its not there yet... If you have a HA pair then it may be cleaner to just rebuild..better still if your migrating to new cluster build that as ElasticXL.
You should be able to use Proxmox / VMWare to go through the scenrios in a controlled way first.

I was told that Proxmox is now formally supported

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
2 weeks ago
In response to the_rock

Hi @dehaasm,

You can find more on this topic in this article:
Converting Tool - ClusterXL to ElasticXL  

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
In response to HeikoAnkenbrand

Its not publicly available yet, is it @HeikoAnkenbrand ?

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
2 weeks ago
In response to the_rock

There is no tool yet and it sounds like in this case we're moving to new hardware as well, so the tool would not apply as it is for migrating an existing cluster between cluster models. 

In this case @dehaasm you have it about right, you need to build a new gateway object to represent your new EXL cluster in your mgmt server. What used to be VIPs on your CXL will now be IPs on EXL interfaces. If you can do a new mgmt IP then you can host them side by side in the management server - it's ok that all the other interface IPs will overlap as long as the mgmt IP and the name are different. You can install the same policy to both clusters, just make sure you add the new one to anywhere in the rulebase it needs to go.

0 Kudos
dehaasm
Collaborator
2 weeks ago
In response to emmap

Yes indeed and i was thinking to temporarily use separate IP addresses for each bond vlan interface to be able to validate the new connectivity/cabling to the new elasticXL cluster. I believe the ElasticXL only works with bond interfaces as well as the standard SYNC and MGMT interface. Then later when policy is installed put the correct IP addresses and swap over from old to new hardware.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
2 weeks ago
In response to dehaasm

EXL works with solo interfaces or bonds, there's no specific requirement there. Bonds can be nice to set up in case you want to expand the link capacity in future but there's no hard requirement to use them. Temporary IPs for testing is a good idea.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
2 weeks ago

Note SecureXL isn't a clustering mechanism and is still relevant regardless of ClusterXL vs ElasticXL.

CCSM R77/R80/ELITE
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
In response to Chris_Atkinson

Thats really good to know, Chris.

Best,
Andy
0 Kudos
dehaasm
Collaborator
2 weeks ago
In response to Chris_Atkinson

i meant clusterXL i corrected

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
2 weeks ago

The new CCSE R82 class features a final lab exercise that involves converting from a ClusterXL HA cluster to a new ElasticXL cluster.  It is a manual process that involves replicating the Gaia configuration, creating a new ElasticXL cluster object, replacing it everywhere the old ClusterXL HA object was, and then deleting the old object.  Obviously, running "Where Used" on the old ClusterXL HA object helps with this process; however, at some point, a "Replace" button started appearing on this screen, which makes object substitution in the config much easier.  Once that button is clicked, a pick-list then appears for the object replacement:

whereused.png

 

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
In response to Timothy_Hall

Nice!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events