Migration - New Hardware - Same license

[alexchag]

Hi!

We have two FW-1 w/ VPN-1 R55 NG Firewall Cluster and we want to migrate it to the new Nokia boxes we've just bought.

The point is that our environment is too complex and we need to have both environment (the old and the new one) running simultaneously within 4 months.

Is that possible? Can we use the existing license for both environment?
It does not make sense to buy new CP licenses just for this short time.

Thanks in advance!


Alex
Sao Paulo, Brazil

[lammbo]

You have 2 firewalls in a single cluster (active/passive?) or you have 2 clusters?

Where is Management and logging?

Are you just replacing the hardware, or are you also upgrading to an NGX version (R6x) in the process? 4 months - really???

[alexchag]

Hi lammbo!

We have two clusters (ClusterXL).
Currently they're running R55 and will be upgraded to R62 on the new environment.

Thanks.

[dantro]

That would be possible if you are setting up a new SCS as well.
Just keep your running NG environment as it is and migrate your NG licenses to NGX. Set up the new environment using the NGX licenses. That should be running quite well if you are planning it correctly.

Best regards,
Danny Trommer
CCSA/CCSE/CCSE+

[lammbo]

OK, you have possibilities then! Please understand I'm trying to keep this very generic, but you should get an idea of what is possible.

Do you have a separate SmartCenter? If so, that would be ideal. (I'll get back to this later)

Here are some options for you to consider:
CP Licenses, once in file format, can be attached and re-attached at any time as long as your version and IPs are unchanged. Make backups of all of your license files on your current system because you will be upgrading them and they will not work on the older version.

Now that you're safe on the current version you're running, you can start your upgrades on your new hardware.

Total System at once:
Get a backup of your current DB if you plan on upgrading.
Go to the CP usercenter and upgrade your licenses to NGX and download them all.
Follow all the documentation to install R62, configure/upgrade your new hardware in a standalone environment and apply the NGX versions of the licenses.
Your old systems will continue to work in production while you build all of your new stuff offline (in a lab?).



1 gateway at a time (if you have separate SmartCenter):

Build new SmartCenter (Upgrade DB method or from scratch)
Replace SmartCenter (same IP, etc.)
Reset/Re-establish SIC with older/existing gateways
Push policy to gateways
Keep new server or go back to old, based on success or failure

Build new gateways offline (Interfaces, routes, etc.)
Take the passive gateway in live cluster down and bring up the new box (NO SYNC CABLE - it won't work anyway)
In SmartCenter, change the version to the correct one (R62 you say) for the new gateways
Reset/Re-establish SIC on passive node
Push policy (it will only be pushed to the newer R62 gateway since you changed what version it is in SmartCenter)
Shutdown the old primary node and start your testing - Assuming you got it right, all of your site to site tunnels and all that should be OK. You always have the option to go back this way should a step fail.
If satisfied, bring up your new primary node, do SIC, push policy, attach SYNC cable and then reboot whichever box you put in first to test HA. Depending on your SPLAT cluster settings, it should fail to node 1 and not go back once node 2 is completed with reboot.

Repeat with other pair of gateways


If properly executed, you can have everything replaced with little to no downtime. I love HA! Clusters rule!