This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shakeeb
Explorer
‎2022-05-17 03:37 AM

Migration of existing Network Infra from Maestro set up to new 6400 HA Cluster

Hi All,

In my organization I need to deploy new Checkpoint HA Cluster (Active - Standby) for CP 6400 series by Decommissioning the existing setup where we have Maestro 175 in which two CP16000 FWs are attached.

The Challenge is that we have to use the existing IPs (demos ips mentioned here) which we are currently using in Maestro environment as

For Internal Network : int eth1-05 ipv4-address 192.168.10.1 mask-length 24

For External Network (Public IP) :int eth1-09 ipv4-address 192.168.20.1 mask-length 24

in the new CP6400 HA cluster as VIPs for Internal & External Network because the public IP which we are currently using in the Maestro env is white listed on client networks

We have to do this activity with the minimal downtime to disrupt the production environment.

The Strategy that I proposed for this activity is in the following manner.

Strategy for this Deployment:

At present current setup is in production stage so to minimize the downtime window we can approach this migration in the following manner.

Strategy.

Step 1:We will configure the IP addresses(Internal, External, Sync network) and other details on both CP6400 series Firewalls as given by the client in standalone manner.

Step2 : For creating the HA on CP 6400 we can follow the process.

  1. We connect both firewalls to a non-prod(Test -Env) switch in similar manner as we will do for the Prod Switch for Internal, External, Sync network.
  2. On Checkpoint Management Server we will do the following activities:

- Provide connectivity from the Checkpoint Management server to the new CP 6400 series setup so that we can build the HA.

- we will assign different VIPs for e.g Internal IP : 192.168.10.2./24 & External IP : 192.168.20.2/24 instead of using actual IP which are 192.168.10.1/24 & 192.168.20.1/24 and create HA cluster and test cluster status.

- Create the new policy(Policy B) with the same Rules as we have for the existing policy (Policy A) for the  Maestro on the same Mgmt server and install the policy (Policy B) for the new cluster of CP6400, test the policy status should be install successfully.

- After that we finally test the cluster and policy to ensure they are working fine.

- Finally we connect the new setup inline with the Prod-Network on the assigned designated port on Prod Switch and at the management server we change the VIP to the actual required IP which are  Internal IP : 192.168.10.1/24 & External IP : 192.168.20.1/24 in the cluster topology and install the policy again.

- Failover Plan : In case of any issue while doing this migration to avoid any long duration downtime we can rollback to the initial Maestro setup for that we need to keep them on connect them again to the Prod Env and install policies on mgmt. server.

 

Kindly assist by giving your valuable input for this strategy .

Thanks

0 Kudos
0 Replies