CPUG: The Check Point User Group


Thread: Migration from single gateway to cluster

  1. #1
    Join Date
    2010-08-18
    Posts
    3
    Rep Power
    0

Migration from single gateway to cluster

    Hello all,

I need help with preparing the steps that I will need to take in order to migrate a single gateway to a cluster of 2 machines.

    Currently we have a distributed environment with one virtual machine as management server and a physical HP server acting as gateway.

The Gateway is running R77.20 and the management is running R77.30.

    We are going to replace the old HP server with two new Gateway servers that will be in cluster mode.

Here is what we plan on doing:
1) Install the two new servers with R77.30 gateway
2) Clone the management machine to a new VM as backup
3) Disconnect the old FW gateway from the switches
4) Connect the two new gateways to the network switches
5) In the management dashboard - delete the old gateway (Can we do it while there is a policy with the old gateway configured?)
6) Create a new Check Point cluster and add all the IP information
7) Install the policy on all gateways

    ** In case of any issues - we will reconnect the old gateway - boot the old management server (from the VM clone) and install the policy

    Two more questions:
a) Should I create and configure the cluster before setting it up in the SmartDashboard?
b) We have Juniper switches that can cause issues on Multicast. Should I change the working status of the cluster from Multicast to Broadcast?

    Hope someone could help me here.
    Thanks.
    Guy

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    645
    Rep Power
    5

Re: Migration from single gateway to cluster

    I would do it in two steps:
    - migrate mgmt. server
    - migrate security gateway

Two more questions:
a) Should I create and configure the cluster before setting it up in the SmartDashboard?
On the Gaia Web UI or SSH, yes
b) We have Juniper switches that can cause issues on Multicast. Should I change the working status of the cluster from Multicast to Broadcast?
If you previously had trouble with these SWs just use Broadcast.

  3. #3
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    15

Re: Migration from single gateway to cluster

Quote Originally Posted by gmiretzky:
Here is what we plan on doing:
1) Install the two new servers with R77.30 gateway
2) Clone the management machine to a new VM as backup
Good to this point. If you have a separate management network (and you really do want one) or you can use different VIP addresses from the existing gateway, skip #3.

3) Disconnect the old FW gateway from the switches
4) Connect the two new gateways to the network switches
5) In the management dashboard - delete the old gateway (Can we do it while there is a policy with the old gateway configured?)
Yes, but there is no need to at this point. If you did #3 the gateway is offline.

6) Create a new Check Point cluster and add all the IP information
7) Install the policy on all gateways
Use "Wizard mode" to add the cluster and gateways, fewer typos that way.

    ** In case of any issues - we will reconnect the old gateway - boot the old management server (from the VM clone) and install the policy
Probably no need to restore, unless you managed to hose the SMS somehow; just bring the new gateway back online, it will still have its policy.

Two more questions:
a) Should I create and configure the cluster before setting it up in the SmartDashboard?
b) We have Juniper switches that can cause issues on Multicast. Should I change the working status of the cluster from Multicast to Broadcast?
a. Not unless you are using VRRP for some reason. Just set the members as being part of a cluster in the first-time wizard or from cpconfig.
b. Yes, or change the switches.

As I implied before, if you can use a different address for the VIPs than the existing gateway, both can be online; just make sure you have your static NATs installed only on one at a time. That way you can change the default route of anything w/o a static NAT to the new cluster and make sure everything is happy, then move the statics over.

    If you cannot do that and have a private management network you can build everything out and swap cables when you are ready. Just remember the private network should not be clustered.

  4. #4
    Join Date
    2010-08-18
    Posts
    3
    Rep Power
    0

Re: Migration from single gateway to cluster

    Hi,

    Many thanks for the great answer, it is most appreciated.

I do have some more questions about the process (which we are planning on running tomorrow).

5) In the management dashboard - delete the old gateway (Can we do it while there is a policy with the old gateway configured?)
If I am going to use the IP of the "old" non-cluster object as the VIP for the new cluster, can I have two objects with the same IP? Should I not delete it?

As part of the "IP / Object" handling mess, how should I go on handling the "install on" part? Since all policy rules (and we are talking about ~2500 rules) have the "old" non-clustered object as the installed-on gateway.
Will I need to manually change (or add) the new cluster object to all of them? I don't think this is something we will be able to do. Will it be automatically assigned to the new cluster object (since they have the same IP)?


    Edit -
    One more little question that almost slipped my mind.
Can I "clone" all the gateway properties to the new gateway cluster? Stuff like office mode / remote access / ISP redundancy / mobile access ... and much more (all the goodies Check Point holds under gateway -> edit section)?


    Best regards,
    Guy
    Last edited by gmiretzky; 2016-05-31 at 07:47.

  5. #5
    Join Date
    2010-08-18
    Posts
    3
    Rep Power
    0

Re: Migration from single gateway to cluster

    Hi,

    Just wanted to add a small update.

Well, we are still in the process of FW migration and it is not an easy and out-of-the-box solution as we first thought.

We had to create a temporary isolated VLAN and add to it a cloned FW management machine and the two new FW servers; then we were able to work offline on the Management.
We created the new FW cluster (running SIC between the two FWs and the management) and changed all the rules to hold the new FW cluster (all the install-on rules / NAT rules / VPN communities etc.). It took a couple of days to make the configuration changes - during all this time we had two separate management & FW setups (the old one as live, and the new one running on the isolated VLAN), which meant that every rule and every change we did to the live FW we had to copy to the isolated one.
When we were ready, we ran the switch. All we had to do was shut down the ports of the old FW and unshut the ports of the new FW.
Downtime was minimal - ~2 minutes.
We had to run the vpn tu command and reset all the site-to-site VPNs and also reinstall policy on some separate firewalls (since the FW management is also managing some other firewall machines).

The first time we ran the switch, we had to roll back the migration due to DHCP relay issues. When working with FW clusters, you need to configure the DHCP in a different way - when we retried it, it took us 3 hours to set it up.

    Now we have only one more issue - remote access VPN.

Seems that since we changed the FW, we are now unable to establish remote access VPN. When we try to connect, we are getting the "Failed to load the virtual network adapter" error message.
The only workaround we found is to create the VPN site again.
Since this will affect all end users, this is a huge blocker, which we are trying to solve.
But I think it will be on a separate thread :)

Final thought - migrating to a new FW cluster machine - a really, really bad idea!

  6. #6
    Join Date
    2016-04-26
    Posts
    2
    Rep Power
    0

Re: Migration from single gateway to cluster

Thanks for sharing your post. I'm actually going to be performing the same shortly - although nothing to do with VSX.
We run Open Servers which have been fine for 5+ years - now it's time to bring one site online from a single node to clustering (2 virtualised VMs on VMware).
My feeling is that we would set up a temp Mgmt IP for the new cluster (it will be virtualised, so we will have all the interfaces offline until the cut-over date).
Ensure we can do a policy push to the new firewall - if all is well then I'm assuming we can switch off the physical box. Enable the interfaces on the new cluster (perhaps one half of a node first - to ensure it's active).

The other question I have is for another site where we have an R77.30 Open Server cluster already.
Although Check Point mentions same build/version - can we run, say, half a physical server node and half a virtual box in a cluster for a short period (while we configure/update the virtual FW instance)? (Will clustering continue to work fine?)
I don't want to add a third member to the existing cluster; the main goal here is to take offline the secondary member and bring online the virtual FW as the new secondary member.

    Regards,
    John
