Hi @fpaez,
Apologies for not seeing this post sooner! Here are the steps I have used for this procedure (also should not require new public IPs):
1.) Document all VCNs/subnets/etc for the current Standby member
eth0 >
eth1 >
VCN >
Frontend subnet >
Backend subnet >
2.) Document all Gaia static routes
3.) Stop the Standby member
4.) Create new R80.40 (or whatever the relevant target version is) firewall instance using upgraded shapes with same amount of OCPUs as existing and use Hardware-assisted SRIOV/VFIO networking
5.) Create backend interface and attach to appropriate VCN/subnet...check Gaia to make sure backend real IP is set on eth1...might need to be done manually
6.) Complete first-time configuration and apply same jumbo hotfix (if needed) as installed on Active cluster member
7.) Ensure that CoreXL instances match on both cluster members...update and reboot if needed
8.) Re-apply static routes to new firewall instance
9.) Add new firewall instance OCID to the proper OCI Dynamic Group so that cluster API calls will continue to work
10.) In SmartConsole, reset SIC on existing Standby member object and update IP address to match newly built firewall
11.) Establish SIC
12.) Update cluster topology - Network Management > Get Interfaces with Topology...ensure new firewall instance IPs are reflected
13.) Push policy and verify cluster state
14.) During maintenance window, test a failover
15.) Detach/attach licenses as needed
16.) Repeat above steps for remaining cluster member
Also recommend talking to your local Oracle engineer and Check Point architect. Please reach out if you need further assistance or have questions.
Best Regards,
Jeff
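
Added example, not part of Jeff's post: a parity check for steps 2 and 8 that compares the static routes saved from the old Standby member with those on the rebuilt instance before the failover test in step 14. It assumes both inputs are Gaia clish `show configuration static-route` output in `set static-route ...` form; the route values and function names are constructed for illustration.

```python
import re

# Constructed sample: routes saved from the old Standby member (step 2).
OLD_ROUTES = """\
set static-route default nexthop gateway address 10.0.1.1 on
set static-route 10.20.0.0/16 nexthop gateway address 10.0.2.1 on
set static-route 10.30.0.0/16 nexthop gateway address 10.0.2.1 on
set static-route 10.30.0.0/16 comment "spoke VCN"
"""

# Constructed sample: same command on the rebuilt member after step 8.
NEW_ROUTES = """\
set static-route default nexthop gateway address 10.0.1.1 on
set static-route 10.20.0.0/16 nexthop gateway address 10.0.1.1 on
"""

# Destination, next-hop spec (gateway/priority/etc.), and on/off state.
ROUTE_RE = re.compile(r"^set static-route (\S+) nexthop (.+?) (on|off)$")


def parse_routes(text):
    """Map destination -> set of enabled next-hop specs; other lines are skipped."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(" ".join(line.split()))  # normalise whitespace
        if m and m.group(3) == "on":
            routes.setdefault(m.group(1), set()).add(m.group(2))
    return routes


def compare_routes(old_text, new_text):
    """Report destinations missing, extra, or with different next hops."""
    old, new = parse_routes(old_text), parse_routes(new_text)
    return {
        "missing": sorted(set(old) - set(new)),
        "extra": sorted(set(new) - set(old)),
        "changed": sorted(d for d in set(old) & set(new) if old[d] != new[d]),
    }


if __name__ == "__main__":
    for kind, dests in compare_routes(OLD_ROUTES, NEW_ROUTES).items():
        for dest in dests:
            print(f"{kind}: {dest}")
```

A non-empty report means the new member would forward differently from the old one once it becomes Active, which is worth resolving before the maintenance-window failover.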