CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 

Results 1 to 7 of 7

Thread: Migrating from SPLAT to GAIA

  1. #1
    Join Date
    2013-06-12
    Posts
    8
    Rep Power
    0

    Default Migrating from SPLAT to GAIA

    Hello,

    I'm planning to upgrade my infrastructure from R70.20 to R75. We have two SPLAT Open Servers in ClusterXL HA (broadcast mode, because our switches don't support multicast) and a management server under Windows 2008 R2, already upgraded to R75.
    Instead of simply upgrading gateways, I plan to migrate gateways towards GAIA in order to have the benefits of 64 bits and VRRP for cluster.
    The question is: what is the best way to do that ? And is it possible to manage GAIA R75.45 with a security management server under R75 ?

    Any help would be appreciated...Thanks in advance !

    rodjeur

  2. #2
    Join Date
    2010-01-12
    Posts
    40
    Rep Power
    0

    Default Re: Migrating from SPLAT to GAIA

    You'll need at least R75.40 on the Management server so do this first. R75.40 will manage R75.45 but you lose some extra functionality on some blades, check Checkpoints support site for a list, however for standard FW/VPN it's fine.
    Personally I would install Gaia from scratch, you'll end up with a much cleaner install, more disk space etc. You'll have a slight outage as the Cluster won't Sync across the versions when swapping from the old active member on R70 to the new member on R75 but it's a small price to pay, active sessions will be Out of State and get dropped. When you setup the new Gaia box, you need to update the Cluster definition to R75.40/R75.45 (depending on Management server version), re-attach the license and install a policy with the option install on cluster members independently checked and the if it fails do not install unchecked (it will fail on the live R70 box). Also donít forget to set the cluster sync mode to broadcast after building the box.

  3. #3
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    16

    Default Re: Migrating from SPLAT to GAIA

    Quote Originally Posted by Somers View Post
    You'll have a slight outage as the Cluster won't Sync across the versions when swapping from the old active member on R70 to the new member on R75 but it's a small price to pay, active sessions will be Out of State and get dropped.
    1. Upgrade your management first to at least R75.45 - Try never use management with low version than firewall > it will prevent 1000 problems.

    2. Preffered way : new GAIA R75.45 installation from scratch.

    3. You can prevent this slight outstage if before installing policy on new GAIA Cluster member you just disable TCP stateful inspection. (Policy > Global Properties > Stateful inspection > uncheck *Drop out of state TCP packages*).
    (after upgrade of cluster you can and should change this settings back to enable Stateful inspection and reinstall policy.)

    This is my own *Absolut Zero downtime Cluster upgrade*.. (works since at least R55 till R76)
    Last edited by serlud; 2013-06-13 at 17:06.

  4. #4
    Join Date
    2013-06-12
    Posts
    8
    Rep Power
    0

    Default Re: Migrating from SPLAT to GAIA

    Thanks for your help, Somers. The problem is that I can't manage the current R70 gateways with a R75.40/45 management server, isn't it ?

  5. #5
    Join Date
    2010-01-12
    Posts
    40
    Rep Power
    0

    Default Re: Migrating from SPLAT to GAIA

    The Management server is backwards compatible, you'll have no issues managing R70 gateways (or R6X for that matter) from R75.40/45.

  6. #6
    Join Date
    2006-11-21
    Location
    Michigan
    Posts
    70
    Rep Power
    15

    Default Re: Migrating from SPLAT to GAIA

    If you plan on using 64-bit mode and clustering here's an issue we ran into the other day.

    One cluster member was moved to 64-bit and the other one (due to human error) was not. When the freshly rebooted 63-bit node came up the cluster did not form. Both nodes tried to be active and caused a bit of an outage. Scratched our heads for a bit and then moved the 32-bit node to 64-bit and everything was fine. This was ClusterXL and not VRRP so I'm not sure it will matter, all gateways and management boxes were on r75.4.

  7. #7
    Join Date
    2013-06-12
    Posts
    8
    Rep Power
    0

    Default Re: Migrating from SPLAT to GAIA

    Ok guys, thank you for your advices. I think I'll upgrade the management server in R75.45, and install GAIA on the gateways from scratch one after the other...

    Best regards,

    Rodjeur

Similar Threads

  1. Migrating Smartcenter from Windows to SPLAT
    By nrkumar in forum Check Point Firewall Administrator's Toolkit
    Replies: 2
    Last Post: 2012-03-05, 09:53
  2. migrating from Windows to SPLAT
    By clarkeyi in forum SmartDashboard
    Replies: 2
    Last Post: 2012-02-27, 06:35
  3. Migrating static routes from IPSO to SPLAT
    By twistedmetal in forum Check Point IP Appliances and IPSO (Formerly Sold By Nokia)
    Replies: 12
    Last Post: 2010-08-13, 07:03
  4. Migrating static routes from IPSO to SPLAT
    By twistedmetal in forum Check Point SecurePlatform (SPLAT)
    Replies: 0
    Last Post: 2009-03-05, 17:52
  5. Migrating Splat Network settings
    By polevoym in forum Installing And Upgrading
    Replies: 1
    Last Post: 2009-01-15, 17:22

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •