| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hello, For various reasons, I need to migrate my R62 splat gateway to another server. I plan to use upgrade_export/import and cut over one evening. I'll use the same sysconfig everywhere possible. My question is with regard to VPN. With this method, shouldn't the certificate be moved over? I want to avoid having the users re-create their VPN site. When I migrated from R55 standalone to R62 distributed, my users all had to re-create their VPN site, which became a pain because I had to do most of this work. Many thanks |
| |||
| In a distributed environment, if you are just upgrading hardware for enforcement points (replacement: IPs and names the same), then nothing changes. Nobody will know anything changed but you, except for the downtime. I have swapped out hardware many times this way, but you don't need upgrade_export for enforcement points. All you need is the TFTP backup file restored to the replacement hardware. I just replaced two management servers (distributed environment, one 3 days ago and one tonight) and used upgrade_export and upgrade_import with no problems. Maybe 20 minutes of downtime for each. John |
| |||
| Just watch out with SPLAT on enforcement points... I remember someone saying the order is determined (SPLAT) by MAC. So with new hardware the interface order (the physical order of ports) may be different. Just test the box to determine if the ports are the same as on the box you will be replacing. While the new box is disconnected from the network, connect each interface to a standalone switch and see which interface comes up using the console commands. John |
| |||
| If the topology is in a different order, will that make a difference when swapping the gateways? Difference being my concern in the first question, of whether the users will feel the effect or not... Thanks! |
| |||
| Which interface is assigned to which network doesn't matter to clients, only to the anti-spoofing on the gateway itself. All the client cares about is what IP address it talks to and what is in the VPN domain. |
| |||
| Thanks Jim. So do you guys know how I could have avoided the SecureClient reconfiguration when I migrated from R55 standalone -> R62 distributed? I actually used the steps that are on an FAQ on this site. The standalone was turned into the pri. SC server and a new gateway was put into place. |