CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: Cluster Replacement

  1. #1
    Cluster Replacement

    Hello guys
    I haven't been able to find an answer to my pretty basic question. I have a cluster of 2 IP690s that I have to replace with a cluster of 2 21400 fw. I was planning on building this secondary cluster alongside the main one, with new admin IP addresses, but keeping the same upper and lower IP addresses, and activating network interfaces on the day of the switch-off.
    One colleague told me that as both clusters will have the same topology, I wouldn't be able to push my configuration to it.

    I haven't got the possibility to test that in a lab, so I was wondering if any of you had already tried that kind of method to replace firewalls.



  2. #2
    Re: Cluster Replacement

    You wouldn't WANT to push policy to the new Cluster, as if using the same IP for the Cluster you would suddenly have two Clusters on the Network with the same Cluster IP.

    Personally what I would do is

    1.) Build the New 21400 Appliances with the same IP addresses, and Names.
    2.) Update the Cluster Information with the correct OS and Appliance Model, and Software Version, Cluster Type etc
    3.) Update the Topology in the Cluster to reflect the change of Interface names
    4.) Power Off the backup IP690
    5.) On the Secondary Cluster Member Object reset SIC Dashboard
    6.) Establish SIC with the 21400 that is Secondary Cluster Member, connect it into the network as well.
    7.) Install Policy to Cluster, make sure you disable the check where it says if it fails on one do not install. This will then install to the Secondary Cluster but fail on the Primary Unit
    8.) Disable / Remove Primary IP690 from Network
    9.) This should force the 21400 to become active
    10.) Test Connectivity through 21400
    11.) Install second 21400 and establish SIC etc, Install Policy to Cluster

  3. #3
    Re: Cluster Replacement

    Thank you for your answer mister.
    In fact, what I wanted to know was: is it possible to create the new cluster with different management addresses, but the same topology on other interfaces (we'll activate network interfaces linked to the new fw the day we switch to the 21400 cluster), and be able to push my configuration to both clusters?

