Hi All,
In my organization I need to deploy new Checkpoint HA Cluster (Active - Standby) for CP 6400 series by Decommissioning the existing setup where we have Maestro 175 in which two CP16000 FWs are attached.
The Challenge is that we have to use the existing IPs (demos ips mentioned here) which we are currently using in Maestro environment as
For Internal Network : int eth1-05 ipv4-address 192.168.10.1 mask-length 24
For External Network (Public IP) :int eth1-09 ipv4-address 192.168.20.1 mask-length 24
in the new CP6400 HA cluster as VIPs for Internal & External Network because the public IP which we are currently using in the Maestro env is white listed on client networks
We have to do this activity with the minimal downtime to disrupt the production environment.
The Strategy that I proposed for this activity is in the following manner.
Strategy for this Deployment:
At present current setup is in production stage so to minimize the downtime window we can approach this migration in the following manner.
Strategy.
Step 1:We will configure the IP addresses(Internal, External, Sync network) and other details on both CP6400 series Firewalls as given by the client in standalone manner.
Step2 : For creating the HA on CP 6400 we can follow the process.
- We connect both firewalls to a non-prod(Test -Env) switch in similar manner as we will do for the Prod Switch for Internal, External, Sync network.
- On Checkpoint Management Server we will do the following activities:
- Provide connectivity from the Checkpoint Management server to the new CP 6400 series setup so that we can build the HA.
- we will assign different VIPs for e.g Internal IP : 192.168.10.2./24 & External IP : 192.168.20.2/24 instead of using actual IP which are 192.168.10.1/24 & 192.168.20.1/24 and create HA cluster and test cluster status.
- Create the new policy(Policy B) with the same Rules as we have for the existing policy (Policy A) for the Maestro on the same Mgmt server and install the policy (Policy B) for the new cluster of CP6400, test the policy status should be install successfully.
- After that we finally test the cluster and policy to ensure they are working fine.
- Finally we connect the new setup inline with the Prod-Network on the assigned designated port on Prod Switch and at the management server we change the VIP to the actual required IP which are Internal IP : 192.168.10.1/24 & External IP : 192.168.20.1/24 in the cluster topology and install the policy again.
- Failover Plan : In case of any issue while doing this migration to avoid any long duration downtime we can rollback to the initial Maestro setup for that we need to keep them on connect them again to the Prod Env and install policies on mgmt. server.
Kindly assist by giving your valuable input for this strategy .
Thanks
