CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Security Gateway Convert to Cluster

  1. #1
    Join Date
    2017-04-20
    Posts
    4
    Rep Power
    0

    Security Gateway Convert to Cluster

    Hi,

    I have a Check Point 77.30 environment with one firewall appliance and one management appliance.

    I'm planning to install another firewall and configure both firewalls into a cluster.

    How can I join the existing 77.30 standalone firewall to a cluster?

    ClusterXL is not enabled on the existing firewall.

  2. #2
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    938
    Rep Power
    12

    Re: Security Gateway Convert to Cluster

    Quote: Originally Posted by ranga1983
    Hi,

    I have a Check Point 77.30 environment with one firewall appliance and one management appliance.

    I'm planning to install another firewall and configure both firewalls into a cluster.

    How can I join the existing 77.30 standalone firewall to a cluster?

    ClusterXL is not enabled on the existing firewall.

    Standalone usually means MGMT and GW on the same machine. If you have them on separate ones, then yes. Depending on the clustering options you want to use, VRRP or ClusterXL needs to be enabled.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date
    2017-04-20
    Posts
    4
    Rep Power
    0

    Re: Security Gateway Convert to Cluster

    What would be the best way to achieve this?
    Is there any SK article for this?

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,306
    Rep Power
    14

    Re: Security Gateway Convert to Cluster

    Refer to the ClusterXL Admin Guide.
    Basically you're already at Step 1 given that you have one gateway configured.
    You would need to set up the second gateway and then create the cluster object.
    If you want to use the current gateway IPs for the cluster IPs, you'll need to re-IP the current gateway (both in the OS and the gateway) before starting.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2017-04-20
    Posts
    4
    Rep Power
    0

    Re: Security Gateway Convert to Cluster

    When doing that, how do we configure existing NAT entries?
    Do I need to configure proxy ARPs for all static NAT entries?

    My plan is as below.
    - Enable ClusterXL on the existing firewall
    - Remove the firewall object from existing policies and NAT entries
    - Configure the second firewall and enable ClusterXL
    - Create a cluster
    - Add a cluster to firewall rules and NAT entries

    In the existing firewall, there are around 100 policy rules and a lot of NAT rules.

    I would like to know whether it's OK to proceed with the above plan.

    Thank You,
    Ranga

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,306
    Rep Power
    14

    Re: Security Gateway Convert to Cluster

    If you have proxy ARPs on your current gateway, they will also need to be configured on the secondary.
    However, you will change the MAC address to match that of the Cluster MAC, which will be different.
    That said, why aren't you using the "Automatic ARP Configuration" in Global Properties > NAT, which generally works and won't require creating Proxy ARPs at all?

    The rest of the steps seem ok to me.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  7. #7
    Join Date
    2017-04-27
    Location
    Brazil
    Posts
    2
    Rep Power
    0

    Re: Security Gateway Convert to Cluster

    Hello all,

    I have the same problem...

    What I have:

    2 Check Point 2200 appliances

    What was my scenario:

    I had 1 Check Point configured as Primary Master Cluster with the Management installed; all my production and SmartCenter were centralized in this box.

    What I need:

    To put the secondary box on a new ClusterXL for redundancy. Primary / Standby.

    What I did:

    I did a hard reset on the secondary box and configured it in the initial wizard as a secondary cluster member. Then I did the primary SIC, went to SmartDashboard for the primary box and created a new ClusterXL, putting the secondary box as a member and applying the production policy (installed on the primary box) on the cluster.

    What's my problem:

    I need to migrate the primary box (that is my SmartCenter too) from standalone to the configured cluster.

    My question is:

    1) If I create a standalone SmartCenter to manage the two boxes (a Linux VM) and export and import the configuration from my actual SmartCenter (running on the production box), is that better? I'm thinking that with this I can migrate production to the cluster (secondary box), and then I can reset the primary box and add it to the cluster.

    2) Convert the primary box (actually a Check Point Gateway with Management) to anything that I can put into the cluster. Is it possible? My preoccupation is that if I lose the primary box, I lose the management for the entire cluster; this does not occur if I follow step 1.

    Can you help me with this? Is there another option that would be better for my scenario?

    Thanks!

  8. #8
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,306
    Rep Power
    14

    Re: Security Gateway Convert to Cluster

    It's not supported to run one cluster member as FW + Management and another as Firewall only.
    You should either:

    • Migrate to distributed management first as described in sk61681 and then add the second cluster member. Note this will require purchasing a separate management license.
    • Use Full HA, where you run Firewall + Management on both cluster members. Note this is only supported on Check Point appliances (not open servers). Refer to sk69627.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  9. #9
    Join Date
    2017-04-27
    Location
    Brazil
    Posts
    2
    Rep Power
    0

    Re: Security Gateway Convert to Cluster

    Quote: Originally Posted by PhoneBoy
    It's not supported to run one cluster member as FW + Management and another as Firewall only.
    You should either:

    • Migrate to distributed management first as described in sk61681 and then add the second cluster member. Note this will require purchasing a separate management license.
    • Use Full HA, where you run Firewall + Management on both cluster members. Note this is only supported on Check Point appliances (not open servers). Refer to sk69627.

    Thanks @PhoneBoy!

    If I choose the second option, is Full HA an Active / Active cluster? Do I need the management license for both boxes? I think that I have only one management license.

    Another option: I have another ClusterXL that was configured properly by me, where there are two appliances in ClusterXL and only one has management. The problem that I described here is because the primary box was configured as a standalone firewall.
    Last edited by savioalmeida; 2017-04-28 at 14:27.

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,306
    Rep Power
    14

    Re: Security Gateway Convert to Cluster

    A cluster can either have management on BOTH firewalls (and must be licensed on both) or you need to use separate management.
    Appliances produced from 2012 onward include a local management license (the UTM-1/Power-1/IP appliances don't include one).
    Full HA is High Availability (not Active Active), as the name implies.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own
