CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I am asking for advice from gurus in this list.

Current situation: I have about 23 SPLAT firewalls (8 pairs in Active/Active Cluster Unicast mode and 7 standalone firewalls). All of the firewalls are running NG with AI R55 with HFA_17. Verizon manages all of these firewalls via a single CMA inside a Provider-1. In addition to that, all the firewalls are sending logs to a CLM (inside the Verizon MLM) and we also have a standalone log server that is receiving the logs as well. In the next six months, I will be migrating everything over to NGx R65 with HFA_02. The firewalls will be IBM 3650 servers running SPLAT. Verizon will be managing these firewalls with an NGx R65 with HFA_02 CMA as well. We will be looking at migrating about 4 firewalls per week, for a total of about 5 weeks for the whole thing to be migrated over to the NGx R65 environment.

Problems: We will not be cutting everything over to NGx R65 at once. It will be a gradual process, 5 weeks. I've been tasked to come up with a plan for a smooth transition. We do NOT want to do an in-line upgrade of the CMA from R55 to R65, nor do we want to have an NGx R65 CMA managing NG R55 enforcement modules.

Here is what I will propose:
1. Take the CMA files from NG with AI R55 and migrate them into a new CMA in the NGx R65 infrastructure. The new CMA in NGx R65 will have a different IP address than the CMA in NG w/ AI R55.
2. Perform the CMA migration as recommended by Check Point on the CMA in NGx R65. Change the IP address of the CLM and the standalone log server to the new CLM and standalone log server NGx R65 IP addresses.
3. Shut down the NG w/ AI R55 firewalls that we will migrate that evening. That will be done by disabling the switchport on the R55 enforcement modules.
4. Perform SIC between the new NGx R65 firewalls and the NGx R65 CMA.
5. Push the policy to the new firewalls.
6. Verify connectivity and make sure everything works just as well as before the upgrade.

I think with what I propose, if something happens, I can safely roll back to the old R55 environment without having to touch anything on the R55 environment. If I have to roll back, I just have to shut down the R65 enforcement modules and re-enable the switchport of the R55 firewalls. After 4 weeks, we will be completely on the NGx R65 environment. I think this approach will ensure minimal downtime during the upgrade and will ensure rollback if things go wrong without touching the existing R55 infrastructure. Please provide comments!!! Thanks in advance.
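A post-cutover check for step 6, as an added example that is not from the thread: snapshot the reachability of critical services through the R55 firewalls before their switchports are disabled, re-probe once the R65 pair is live with the policy pushed, and report the regressions that would trigger the rollback in step 3's reverse. Hostnames and ports are constructed placeholders.

```python
"""Cutover verification for a staged R55 -> R65 firewall migration.

Added example, not from the thread. Take a reachability baseline through the
R55 firewalls before the switchports are disabled, repeat it once the R65 pair
is live, and decide whether the rollback (re-enable the R55 ports) is needed.
"""
import socket
from typing import Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int]          # (host, tcp_port)
Snapshot = Dict[Endpoint, bool]     # endpoint -> reachable?

# Constructed sample of services that must keep working after the cutover.
CRITICAL_SERVICES: List[Endpoint] = [
    ("mail.example.internal", 25),
    ("web.example.internal", 443),
    ("dns.example.internal", 53),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def snapshot(endpoints: Iterable[Endpoint]) -> Snapshot:
    """Probe every endpoint and record the result (run before and after cutover)."""
    return {(h, p): tcp_reachable(h, p) for h, p in endpoints}


def regressions(before: Snapshot, after: Snapshot) -> List[Endpoint]:
    """Endpoints that worked through R55 but fail through R65: the rollback trigger.
    Services already broken before the cutover are not counted against R65."""
    return sorted(ep for ep, ok in before.items() if ok and not after.get(ep, False))


def decide(before: Snapshot, after: Snapshot) -> str:
    """'proceed' keeps the R65 pair live; 'rollback' means re-enable the R55 switchports."""
    return "rollback" if regressions(before, after) else "proceed"


if __name__ == "__main__":
    baseline = snapshot(CRITICAL_SERVICES)   # taken before disabling the R55 ports
    input("R65 pair live and policy pushed? Press Enter to re-probe...")
    post = snapshot(CRITICAL_SERVICES)
    print(decide(baseline, post), regressions(baseline, post))
```

Run the baseline from a host behind the firewalls being migrated so both probes traverse the same path; an endpoint missing from the post-cutover snapshot counts as unreachable.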
Hi,

Are you using local or central licences on the firewalls? When using central licenses, you need to upgrade the license to the newer version and also have to change the IP address of the licence. When using a new IP for the new CMA, you also have to have a new license for it.

You wrote that you don't want to use the R65 CMA for managing the "old" R55 firewalls; then you have to make sure that, after you build the R65 CMA, all policy changes on the "old" R55 policies are also applied on the same policy on the R65 CMA.

When you have VPNs and use shared secrets, check if the shared secrets are also in place on the new R65 CMA.

Eduard
"local or central licence on the fw"
Everything in NGx R65 will be centralized. The CMA and new R65 enforcement modules will have new NGx licenses.

"When using a new ip for the new cma you also have to have a new license for it."
Obviously.

"You wrote that you don't want to use the R65-cma for managing the "old" r55 firewall, then you have to make sure that when after you build the R65-cma, all policy changes on the "old" r55 policies also have to be applied on the same policy on the r65-cma."
The CMA migration will take care of this.

"When you have vpn's and use shared secrets, check if the shared secrets are also in place on the new r65-cma."
It does. I've done several NG FP3 to NGx migrations at my previous job. The pre-shared secrets and SIC get migrated over too. However, we do NOT use the firewalls for terminating VPNs for this project. Therefore, this is not needed.
Yes, the proposed order of migrating the NG environment to NGX is assured by the fact that you can roll back the enforcement modules whenever you want (only by switching the ports). The fact that you're running all the modules and the SmartCenter on SPLAT and you're gonna upgrade it to SPLAT makes the upgrade process easier in the sense of possible upgrade problems. I've experienced several cross-platform upgrades (Solaris -> SPLAT) where the upgrade wasn't successful at all, or some weird errors showed up, like in a recent upgrade where the User Database on the SmartCenter doesn't work (all modifications, user creation etc. are then ignored after the policy installation). Keep us informed about the progress, cciesec2006.

Borek

Last edited by borek; 2008-03-15 at 11:00.