CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  pop_alex (Senior Member, Malaysia), 2006-01-04
Breaking the firewall cluster

Hi all,

I'm in the midst of preparing my firewall cluster for migration soon, but I'm not sure how to break the cluster properly and move it to a standalone enforcement server with a different configuration. To make it clear, I have two physical enforcement servers in a cluster group, both running Check Point NG AI R55 and RainWall 3.2 SP5 software. The license is bound to the internal IPs. This cluster is managed by a management server. Can anyone give good advice about this? Thanks very much.
#2  Peter (Junior Member, France), 2006-01-05

What do you want to do exactly with your cluster? Do you want to have two standalone firewalls with two different rulebases?
#3  Sergej (Senior Member, Europe, Lithuania), 2006-01-05

Always ask a Check Point partner for 2-3 evaluation licenses before migration. Each partner can generate 30-day trial licenses in a single click.

Use trial licenses while you are doing migrations. Stabilize your IP addresses and configuration, then move/regenerate your real UserCenter licenses.

It looks like you want to move from the RainWall dual-IPS solution to SPLAT. If you have new hardware for the enforcement point, install SPLAT, configure IP addresses on the interfaces, initialize SIC, and add a new FW object to the SmartCenter (if the IP addresses of the interfaces do not conflict with existing IPs). Install the existing rulebase on the new enforcement point. Reconfigure routes on the surrounding routers (to point to the new FW, not to the old cluster virtual IP).
Disconnect the old cluster. Wait for a week and make sure everything is OK. Delete the old cluster and all associated objects.
#4  pop_alex (Senior Member, Malaysia), 2006-01-05

Quote:
Originally Posted by Peter
What do you want to do exactly with your cluster? Do you want to have two standalone firewalls with two different rulebases?

No. Our network is currently undergoing a major revamp and I have to reconfigure our firewall cluster to adapt to new IPs and replace the current QuadCard with the new Gig QuadCard. I have to do this stage-by-stage as I want to minimize the service interruption. That's why I have to break the cluster first and bring the secondary firewall out into the new network. Once it is properly configured, I will bring in the primary firewall to join the new cluster in the new network.
#5  pop_alex (Senior Member, Malaysia), 2006-01-05

Quote:
Originally Posted by Sergej
Always ask a Check Point partner for 2-3 evaluation licenses before migration. Each partner can generate 30-day trial licenses in a single click.

Use trial licenses while you are doing migrations. Stabilize your IP addresses and configuration, then move/regenerate your real UserCenter licenses.

It looks like you want to move from the RainWall dual-IPS solution to SPLAT. If you have new hardware for the enforcement point, install SPLAT, configure IP addresses on the interfaces, initialize SIC, and add a new FW object to the SmartCenter (if the IP addresses of the interfaces do not conflict with existing IPs). Install the existing rulebase on the new enforcement point. Reconfigure routes on the surrounding routers (to point to the new FW, not to the old cluster virtual IP).
Disconnect the old cluster. Wait for a week and make sure everything is OK. Delete the old cluster and all associated objects.

Hi. Thanks for your advice, but I'm not using SPLAT at this moment. The main objective is to migrate the cluster stage-by-stage from the old network configuration into a new one with minimal service interruption. I have to break the cluster and bring the secondary enforcement server out of the existing cluster into the new network. I have to reconfigure the secondary firewall with new IP assignments and replace the existing 10/100 QuadCard with a 1GB QuadCard. Once done, I create an initial policy for the standalone firewall. All the servers behind the old firewall cluster are moved to the new firewall, one by one. Once all have moved in, the old primary firewall will be reconfigured (similar to the secondary firewall) and joined with the secondary firewall into a new firewall cluster.

Below is my plan:

1. Firewall (2nd) breaks from the existing firewall cluster.
2. Firewall (2nd) is upgraded with a new 1GB QuadCard and assigned new legal IPs. Internal IPs remain the same.
3. Connect Firewall (2nd) to the new network, so it becomes the primary firewall. This means firewall (2nd) will be firewall (1st).
4. There will be a 1 to 2 week stabilization and migration period for servers from the old to the new firewall in the new network.
5. Once all servers are migrated to the new firewall, the old firewall (1st) will be reconfigured with the new QuadCard upgrade and IP assignment, and consequently joins with the new firewall (1st) as a firewall cluster. The old firewall (1st) becomes firewall (2nd).
6. Once complete, a stabilization period starts.

What's your opinion about my plan?
#6  Peter (Junior Member, France), 2006-01-06

I would not touch the cluster before the final stabilisation.

I would install a standalone firewall with a minimal set of rules to filter the traffic during the transit period. If you can finish your transit in 15 days you don't need a license for this firewall. If not, you should ask for a trial license from a Check Point partner. After the transit period you can migrate your cluster.
This way you don't need to break your cluster (it seems to be a delicate operation). If your rulebase is really complex and you need to use all of the rules during the transit time, you can use the cpmerge utility to export/import your objects and rulebase to the new firewall (unfortunately, you cannot export/import users and groups).
I think that the advantage of this solution is that you do not risk damaging either your cluster or your SmartServer base.
#7  pop_alex (Senior Member, Malaysia), 2006-01-08

Quote:
Originally Posted by Peter
I would not touch the cluster before the final stabilisation.

I would install a standalone firewall with a minimal set of rules to filter the traffic during the transit period. If you can finish your transit in 15 days you don't need a license for this firewall. If not, you should ask for a trial license from a Check Point partner. After the transit period you can migrate your cluster.
This way you don't need to break your cluster (it seems to be a delicate operation). If your rulebase is really complex and you need to use all of the rules during the transit time, you can use the cpmerge utility to export/import your objects and rulebase to the new firewall (unfortunately, you cannot export/import users and groups).
I think that the advantage of this solution is that you do not risk damaging either your cluster or your SmartServer base.

Thanks for your advice. Unfortunately I do not have a spare standalone machine for this, and migrating the firewall cluster from the existing (old) network into a new one involves one crucial thing: IP addressing. Since we have a major network revamp which is almost nearing completion, I have to change all existing public addresses on each server to different IP addresses one by one. That's why I came up with the migration procedure stated in the earlier discussion. Anyway, after I break the cluster, the secondary firewall will be reconfigured with new IPs and hostname and brought online on a different network.
#8  devigadhanaraj (Junior Member), 2006-04-10

Quote:
Originally Posted by Peter
What do you want to do exactly with your cluster? Do you want to have two standalone firewalls with two different rulebases?

Hi, how do I set up the cluster environment? How many m/cs do I require, what should be installed on each one, and how does the communication happen? Can you please explain? Thanks in advance.
#9  pop_alex (Senior Member, Malaysia), 2006-04-10

Quote:
Originally Posted by devigadhanaraj
Hi, how do I set up the cluster environment? How many m/cs do I require, what should be installed on each one, and how does the communication happen? Can you please explain? Thanks in advance.

Emm... What do you mean by "m/cs" ?
#10  Sergej (Senior Member, Europe, Lithuania), 2006-04-10

Briefly: a cluster requires at least 3 servers: 2 enforcement plus 1 management. You can find more info in the documentation, ClusterXL.pdf.