Hey @MtxMan,
As promised in my last reply, I'm sending you the steps TAC gave me almost 2 years ago when a customer needed this done. Since it does not let me attach a file here, I pasted the actual link he sent us as a reference (the version is R80.30, as that's what the customer was on back then, but I'm positive the process is exactly the same for any version):
https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p... (same doc, just in pdf format)
Below is exactly what the TAC guy sent us; we followed it and it worked fine. It pretty much boils down to what @PhoneBoy described, in layman's terms.
The documentation mentions the Standalone deployment for those who have a Standalone firewall and would like to convert it to ClusterXL. In your situation, you can go straight to page 151, "Creating the ClusterXL Object".
Computer B refers to your new firewall and Computer A is your current firewall.
Basically here are the steps:
- Install and configure the new cluster member. (Computer B)
- make sure that the new firewall can talk to the old firewall and vice versa.
- Configure the local configuration such as authentication server, hostname, static route, dynamic route etc.
- In the policy, remove any references to the old firewall.
- Create a new cluster object in SmartConsole.
- Configure the interfaces, Antispoofing, Office mode etc.
Open the Cluster object and in the "Cluster Members" page, click Add, and select New Cluster Member.
- The cluster VIP will be the old firewall's local IP.
Install the policy on the cluster currently including member B only.
On the old firewall:
- Establish SIC
- Get interface without topology
- Define a Sync interface
Update the topology of the Security Gateway that you just added by clicking Get Topology without interface.
In the Cluster Members page, click Add and select "Add Security Gateway to Cluster".
- Disconnect all proposed cluster and Synchronization interfaces. New connections now open through the cluster, instead of through computer 'A'.
- Change the addresses of these interfaces to some other unique IP address which is on the same subnet as computer B.
- Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or Security Gateways previously connected to the Security Gateway must now be connected to both members, using a hub/switch.
Configure the policy base (VPN domain, rule base, NAT if needed).
Install the policy.
- Select the old firewall
- In the "Edit Topology" page, determine the interface type.