CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: R75 Splat 32 bits to R77 Gaia 64 bits with machines changing

  1. #1
    Join Date
    2013-06-12
    Posts
    8
    Rep Power
    0

    R75 Splat 32 bits to R77 Gaia 64 bits with machines changing

    Hello guys,

    I'm planning next week to replace my old Open Server Security Gateway ClusterXL under SPLAT 32 bits with GAIA 64 bits. Two new machines are already installed and configured under GAIA 77; ClusterXL functionality is enabled on them. The management server is already migrated to R77 too (under Windows). CCP protocol on the existing cluster is broadcast.

    I'd like to share with you my planned scenario for doing this:
    - integrate one of the new R77 machines into the cluster from the dashboard; verify communication via SIC, licenses, topology, and other stuff
    - change the Cluster version from R75 to R77
    - stop the cluster on one of the old machines
    - push policies with the "For Gateways Clusters, install on all the members, if it fails do not install at all" option unchecked
    - verify that the remaining old R75 cluster machine's status is "Active Attention"
    - verify that the newly inserted R77 gateway is in "Ready" state
    - run "cpstop" on the remaining old R75 cluster machine, forcing a failover toward the new R77 machine
    - verify that all is working well, and insert the second R77 machine into the cluster

    Is this a good way to do it, in your opinion?

    Thanks in advance.

    Rodjeur
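
The two state checks in the plan above (old member "Active Attention", new member "Ready" before running "cpstop") can be scripted. This is an added example, not part of any poster's message: it parses `cphaprob stat` output and gates the failover step. The sample output and its column layout are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: `cphaprob stat` as seen on the old R75 member (assumed layout).
SAMPLE_OK='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.0.2.1       100%            Active Attention
2          192.0.2.2       0%              Ready'

# Constructed sample: the new member has not reached "Ready" yet.
SAMPLE_BAD='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.0.2.1       100%            Active
2          192.0.2.2       0%              Down'

# Print "<local|peer><TAB><state>" for each member row read from stdin.
member_states() {
    awk '/^[0-9]+/ {
        role = ($2 == "(local)") ? "local" : "peer"
        state = $0
        sub(/^.*%[ \t]+/, "", state)   # drop everything up to the Assigned Load column
        sub(/[ \t]+$/, "", state)      # trim trailing whitespace
        print role "\t" state
    }'
}

# Return 0 only when the local (old) member is "Active Attention" and exactly
# one peer is "Ready", the state the plan expects before cpstop is run.
cutover_gate() {
    gate_states=$(member_states)
    gate_local=$(printf '%s\n' "$gate_states" | awk -F'\t' '$1 == "local" { print $2 }')
    gate_ready=$(printf '%s\n' "$gate_states" |
        awk -F'\t' '$1 == "peer" && $2 == "Ready" { n++ } END { print n + 0 }')
    [ "$gate_local" = "Active Attention" ] && [ "$gate_ready" -eq 1 ]
}

# On the old gateway this would be: cphaprob stat | cutover_gate
if printf '%s\n' "$SAMPLE_OK" | cutover_gate; then
    echo "gate: expected states seen, failover step may proceed"
else
    echo "gate: unexpected cluster state, do not run cpstop"
fi
```
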

  2. #2
    Join Date
    2014-09-02
    Posts
    374
    Rep Power
    10

    Re: R75 Splat 32 bits to R77 Gaia 64 bits with machines changing

    Sounds like you've got it licked. Just don't expect sync between the R75 and R77.

    -E

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    16

    Re: R75 Splat 32 bits to R77 Gaia 64 bits with machines changing

    Looks good, couple of notes:

    1) Use R77.20 on the new boxes, which is a very good release, instead of R77 vanilla.

    2) Because you won't be able to have a fully stateful failover (via the "fw fcu" command) when you first fail over onto the new R77.20 box, a great trick is to temporarily uncheck the "Drop out of state TCP connections" box under Global Properties...Stateful Inspection for the duration of the cutover. (This would be just prior to step 4 in your proposed workflow.) When connections start attempting to pass through the new member, normally they would be dropped as "out of state". However, when the box is unchecked the existing connections will be allowed to "resurrect" into the new firewall's state table and continue. This helps keep inevitably stupid applications from getting hung up and needing to be restarted/reset when their long-running connections (like SQL) get silently killed by the failover.

    Don't forget to recheck the box once the upgrade is complete! Very important!

  4. #4
    Join Date
    2013-06-12
    Posts
    8
    Rep Power
    0

    Re: R75 Splat 32 bits to R77 Gaia 64 bits with machines changing

    Ok, many thanks, I will manage my migration using your opinion.
    One question more, about our license: this one is until now established for 2 cores only, but on my new R77.20 gateways, we have 8 cores, and CoreXL activated with default configuration: can I attach the old license without consequence, or will it not work at all, or just with 2 cores? What about CoreXL?

    Rodjeur

  5. #5
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    18

    Re: R75 Splat 32 bits to R77 Gaia 64 bits with machines changing

    Quote, originally posted by rodjeur69:
        Ok, many thanks, I will manage my migration using your opinion.
        One question more, about our license: this one is until now established for 2 cores only, but on my new R77.20 gateways, we have 8 cores, and CoreXL activated with default configuration: can I attach the old license without consequence, or will it not work at all, or just with 2 cores? What about CoreXL?

        Rodjeur

    The Gateway will simply use 2 Cores of the 8 as you have a 2 Core License. If you want to use all 8 Cores then you would need to upgrade to an 8 Core license. If you are working at the moment with an Eval then it will use the 8 Cores, so when you apply the 2 Core Production License it will say that you need to reboot as the number of cores changes.

    From my previous experience, TAC have tended to say that if you only have 2 Cores then use SecureXL rather than CoreXL.

    Michael

  6. #6
    Join Date
    2013-06-12
    Posts
    8
    Rep Power
    0

    Re: R75 Splat 32 bits to R77 Gaia 64 bits with machines changing

    Quote, originally posted by mcnallym:
        The Gateway will simply use 2 Cores of the 8 as you have a 2 Core License. If you want to use all 8 Cores then you would need to upgrade to an 8 Core license. If you are working at the moment with an Eval then it will use the 8 Cores, so when you apply the 2 Core Production License it will say that you need to reboot as the number of cores changes.

        From my previous experience, TAC have tended to say that if you only have 2 Cores then use SecureXL rather than CoreXL.

        Michael

    Thanks Michael, I think we'll upgrade our license to 8 cores.

    Rodjeur
