Open Server to Appliance

On the weekend I will be migrating our production GWs from HP Open Server to Check Point appliances. They are set up as a cluster and have multiple NICs currently. On the appliances I have configured pretty much the same, other than I have had to set up VLAN interfaces instead, as there are not enough NIC ports (the Cisco ports they will be connected to are trunks, with the exception of Sync and External).

I have some ideas, but I would be interested in hearing what other people think is the best way to proceed whilst minimising downtime.

3 Replies

Presumption: you have configured the appliances with all the configuration you need to do the job, and the FTW has run so the appliances are ready to go.

First of all, are you planning to change the names of the gateways/cluster?

If not, you're in luck; there are some simple steps to do then, but still take a service window to do them:

  1. Begin with the backup member: move the cables over to the appliance (leave the HP running as is).
  2. Reset SIC on the cluster member in the SmartConsole/Dashboard.
  3. Get networking correct in the cluster object:
    1. R77.30: go to the topology page and do a Get Interfaces (without topology); this should replace the interface names and keep the IPs.
    2. R80.10: interface names are not set per member anymore.
  4. Push policy (when moving in the same go from R77.30 to R80.10, set the version on the cluster to the new version). Also untick the box in the policy install advanced options, "do not install when either of the gateways fails" (or some text like that).
  5. Now both cluster members (1 HP and 1 appliance) are set with the proper policy; however, they will not sync!
  6. Now comes the moment to switch over to the appliance; all you will interrupt are the running sessions.

As you still have the HP running in the background, you can easily roll back and, if needed, even reconnect the other HP.

However, if all works fine, move on and do the same with the other HP.

If you need to do all this remotely, you can use switchport enable/disable methods to disconnect the HP and connect the appliance.

If you do need to move to new names, you can still do the same; however, there are some other steps you need to be aware of: when you create a new cluster (same IPs all over?), you will need to use some other commands on the command line to disable the clustering until you are ready to switch over.

If needed I can supply a list like the one above with the additional steps.

Regards, Maarten

Thanks. It's pretty similar to what I had in mind so far. The old servers and new appliances are both R80.10 and there is no name change. What will look quite different, though, is the networking. The new appliances will have their own switch ports set up, with the exception of the internet-facing link, Sync and some inter-DC links, which will be swapped manually.

My run list is:-

  • cpstop on passive HP firewall
  • Swap internet and DC cables over to appliance 2 (Sync is crossover and already connected to the other appliance)
  • Boot appliance 2
  • Re-establish SIC from mgmt
  • Get interfaces (which will be pretty different from the HP server in terms of VLAN interfaces rather than lots of physical NICs)
  • Push policy ("install on each selected gateway independently" ticked)
  • Test from appliance 2 (ping external etc.)
  • cpstop on active HP firewall
  • Test to make sure appliance 2 is up and taking traffic
  • Swap internet and DC cables over to appliance 1 (Sync is crossover and already connected to the other appliance)
  • Boot appliance 1
  • Re-establish SIC from mgmt
  • Get interfaces
  • Push policy ("install on each selected gateway independently" ticked)
  • Test from appliance 1 (ping external etc.)
  • cphaprob stat to make sure ClusterXL is OK
  • Check licensing is OK in SmartUpdate

Backout is :-

  • Swap cables back to HP firewall 1
  • cpstart
  • Re-establish SIC from mgmt
  • Get interfaces
  • Push policy
  • Repeat above for HP firewall 2
  • cphaprob stat to make sure ClusterXL is OK
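Both step lists in this thread end with a manual `cphaprob stat` check. The following is an added example, not code from any post here: a small POSIX shell function that parses that output and only passes when the cluster shows exactly one ACTIVE member, every other member STANDBY, and the expected member count. It assumes the column layout of the constructed sample below (ID, Unique Address, Assigned Load, State, Name), which is the shape of the R80.x table; verify it against your own appliances before relying on the field positions.

```shell
#!/bin/sh
# Added example: post-cutover ClusterXL sanity check built around `cphaprob stat`.
# Assumption: the member table has the columns ID / Unique Address / Assigned Load /
# State / Name, as in the constructed samples below. Adjust the awk field positions
# if your release prints the table differently.

# Constructed sample: the state we want to see after the final swap.
SAMPLE_STAT_OK='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         fw-appliance-1
2          192.168.1.2     0%              STANDBY        fw-appliance-2
'

# Constructed sample: a member that did not come up cleanly (trigger for the backout list).
SAMPLE_STAT_BAD='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         fw-appliance-1
2          192.168.1.2     0%              DOWN           fw-appliance-2
'

# check_cluster_state [expected_members]
# Reads `cphaprob stat` output on stdin. Returns 0 only when the member count
# equals expected_members (default 2), exactly one member is ACTIVE and all
# remaining members are STANDBY. Any other state (DOWN, READY, LOST, INIT, ...)
# is reported and makes the check fail.
check_cluster_state() {
    expected="${1:-2}"
    awk -v want="$expected" '
        # Member rows start with a numeric ID; "(local)" may follow on the local member.
        /^[0-9]+/ {
            members++
            # Name is the last column, so State is the field just before it.
            state = $(NF-1)
            if (state == "ACTIVE")       active++
            else if (state == "STANDBY") standby++
            else { bad++; printf "member %s is %s\n", $1, state }
        }
        END {
            if (members != want) { printf "expected %d members, saw %d\n", want, members; exit 1 }
            if (active != 1)     { printf "expected exactly 1 ACTIVE member, saw %d\n", active; exit 1 }
            if (bad > 0)         { exit 1 }
            printf "ClusterXL OK: 1 ACTIVE, %d STANDBY\n", standby
        }'
}

# Demonstration on the constructed samples.
printf '%s' "$SAMPLE_STAT_OK" | check_cluster_state
printf '%s' "$SAMPLE_STAT_BAD" | check_cluster_state || echo "check failed as expected; follow the backout list"

# On a real member, feed the live command instead of the sample:
if command -v cphaprob >/dev/null 2>&1; then
    cphaprob stat | check_cluster_state
fi
```

Run it on the surviving member after each cable swap and once more after the final cutover. Because it insists on the member count, it also catches the intermediate situation Maarten describes above, where an HP and an appliance are both alive but not syncing, and a state other than ACTIVE/STANDBY is the cue to stop and work through the backout list rather than continue.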

Yep, that sounds about the same; a few remarks.

There is no option to select the gateways when installing the policy, but as you are using the same version, you can just connect the sync cable between the 2 active cluster members and do a normal failover.

I just would not do the cpstop, but stop the clustering only by using cphastop; this will stop only the clustering, or the usage of the VIPs.

Oh, one other piece of advice: if you do not already, start using Virtual MAC.

Regards, Maarten