AkosBakos
Leader

Tool for VS migration to simple cluster

Hi Community,

I'm just wondering, is there any tool for VS migration to a simple cluster?

Or do I need to do it manually? Especially the VPN configuration (PSKs, etc.) would be interesting.

Any tips and tricks would be appreciated 🙂

Thanks in advance,

Akos

----------------
\m/_(>_<)_\m/
7 Replies
Bob_Zimmerman
Authority

The VPN config is stored on the management server. If the VS and the simple cluster are managed by the same management, there's no need to migrate any of that. Just add the new simple cluster to the VPN communities, and push the policy to it.

Same for rules.

Interfaces and routes can be a little complicated, but they mostly show up on the CLI of the VS. It's easy enough to copy all that and paste it into a different cluster. Only include the interfaces from the config which are actually used by the VS in question.

Cluster VIPs are in the cluster object, so you will need to add those in the management.

AkosBakos
Leader

Hi Bob,

Thanks for the information. I hoped so, regarding the PSKs etc. Thanks for the confirmation.

The rules etc. are clear, these are stored on the MGMT.

BR

Akos

----------------
\m/_(>_<)_\m/
PhoneBoy
Admin

Unfortunately this requires a certain amount of manual work, as VS objects and regular gateway objects are different.
With R82 and VSNext, every VS will be a regular gateway object with a configuration you can access and change via the Gaia WebUI/clish.

It doesn’t solve the immediate problem, but once you upgrade and migrate to VSNext, the process of migrating a VS to/from a physical gateway becomes a lot more straightforward.

AkosBakos
Leader

Hi PhoneBoy,

R82 is still far away; the problem needs an immediate solution, as you mentioned.

During the migration we need a backup/snapshot of the entire VSX (it has more than 3 VSs). The straightforward method is a snapshot. If we need to revert, in this case we need to revert the whole VSX gateway. It contains unnecessary risk from the other virtual systems' point of view.

Is there any procedure to back up only an existing VS, only for backup purposes? Only from one VS.

BR

Akos

----------------
\m/_(>_<)_\m/
PhoneBoy
Admin

Neither the gateway nor the management contains the complete configuration for a single VS independent of each other.
This is why a backup of both management and gateway is required for any VSX backups per the best practice documentation: https://support.checkpoint.com/results/sk/sk100395

Again, this gets much easier in R82 with VSNext.
Meanwhile, I'll defer to someone with more expertise to capture the relevant information for a specific VS.
It will not be a simple backup/restore.

AkosBakos
Leader

Hi PhoneBoy,

Yes, I know the structure of the VSX environment, and the VSX GW and the MGMT work hand in hand. Let's say, the larger part of the config is on the MGMT.

We have had a few migrations from simple cluster to VS, but the other way (VS -> Simple Cluster) is a little bit unusual. Customers do not usually move this way.

We will build it in a LAB, and make almost all of the necessary steps for a successful migration on a demo.

R82 is not an option at this moment.

Br,

Akos

----------------
\m/_(>_<)_\m/
Arne_Boettger
Collaborator

Hello,

So to summarize, to me it seems like you are looking for a better backout plan in case the migration does not work as expected. Your current plan is to delete the VS, and revert the Gateway/Management if something fails. That would not be my preferred way to do it.

You could test in a lab what happens if you just do a cpstop on the relevant VS, but I am not sure if you can delete a stopped VS or whether you have to start it again to delete it.

My preferred way would be to isolate the VS network-wise and, if everything works as expected, delete it after a week or so.

Isolation can work by removing all VLANs for this VS from the switchports your gateways are connected to. A warp interface to a VSwitch would be more difficult; there you could change the IP address or move it to another empty/dummy VSwitch.

Also keep in mind that by default, the highest and lowest VLAN on each BOND is monitored, so if your VS holds one of these, be prepared to see interfaces in problem state.
