Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Erik_Dahle
Explorer

Convert VS in VSX to physical firewall

Hi

I'm planning to migrate a VS from a VSX cluster running vsls, to a physical firewall.

This should pretty much be straight forward.

I'm planning to clean up all the routes, so no routes longer have "Propagate route to adjacent devices" ticked.

Moving the rulebase and routes to the new firewall is under control.

However, how do I disable the VS before I bring the new physical firewall online? I can't find anything regarding that in the documentation. 

I can obviously delete the VS, but I'm keen on having an easy way to roll back the change if anything should go wrong. 

You can't use cpstop to stop a particular VS, or am I wrong?

How about changing the IP-address for the VS, any caveats doing this?

I'm open for other suggestions, thanks!

0 Kudos
6 Replies
peter_schumache
Collaborator

I would create a DB revision BEFORE deleting the VS. Then delete the VS in SmartCenter and boot your new physical fw.

If your need a rollback, restore the previous DB revision.

0 Kudos
Oliver_Fink
Advisor
Advisor

sk65420: Database Revision Control is not supported for VSX objects

Maybe you have some more information than I do. But I would not dare to use database revisions in conjunction with VSX.

0 Kudos
Danny
Champion Champion
Champion

If your security management is running on ESXi, simply create a VMware snapshot prior to your VS migration to have a fallback in case you need it.

0 Kudos
Maarten_Sjouw
Champion
Champion

Always keep in mind to run cpstop before you create the snapshot!

Regards, Maarten
0 Kudos
Danny
Champion Champion
Champion

I even recommend shutting down the management system before creating a VMware snapshot.

0 Kudos
Maarten_Sjouw
Champion
Champion

First of all, database revisions are not supported on VSX.

Are your interfaces on the VS on physical interfaces or are they all on trunks? For the latter there is a simple way to disable you VS, just change the vlan numbers to nonexisting numbers. for the other interfaces just change 1 octet of the IP, this way you just disable all the communication to/from this VS.

A while back I had to do a similar job, but then the other way around. Replace an older ASA by a VS.

I had to revert and due to the relatively small changes this was an easy 2 minute job.

Don't forget that the changes are not complete until you push policy!!

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events