2006-01-08
pop_alex
Re: Breaking the firewall cluster

Quote:
Originally Posted by Peter
I would not touch the cluster before the final stabilisation.

I would install a standalone firewall with a minimal set of rules to filter the traffic during the period of transit. If you can finish your transit in 15 days you don't need a license for this firewall. If not, you should ask for a trial license from a CheckPoint partner. After the transit period you can migrate your cluster.
Like this you don't need to break your cluster (it seems to be a delicate operation). If your rulebase is really complex and you need to use all of the rules during the transit time you can use the cpmerge utility to export/import your objects and rulebase to the new firewall (unfortunately, you cannot export/import users and groups).
I think that the advantage of this solution is that you do not risk damaging either your cluster or your SmartServer base.

Thanks for your advice. Unfortunately, I do not have a spare standalone machine for this, and migrating the firewall cluster from the existing (old) network into a new one involves one crucial thing: IP addressing. Since we have a major network revamp which is almost nearing its completion, I have to change all existing public addresses on each server into different IP addresses one by one. That's why I came up with the migration procedure stated in the earlier discussion. Anyway, after I break the cluster, the secondary firewall will be reconfigured with new IPs and hostname and brought online on a different network.