CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 4 of 4

Thread: Migration from standalone gateway to HA cluster pair

  1. #1
    Join Date
    2017-04-27
    Posts
    5
    Rep Power
    0

    Default Migration from standalone gateway to HA cluster pair

    Hi, I currently have a standalone 5600 appliance running 77.30 that I am planning to soon upgrade to R80.10 before beginning other work. I have a new 5600 appliance that I would like to incorporate with the existing to create a HA cluster pair. The new GW was shipped already with R80.10. Looking for documentation and I haven't found anything too helpful. What is the best or recommended path for performing this task? My environment is a multi domain management server using SmartConsole.

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,135
    Rep Power
    11

    Default Re: Migration from standalone gateway to HA cluster pair

    If you say you have a Multi Domain server, do you mean you have a R80.10 only or do you need to migrate both the management and the gateway to R80.10?
    How much down time is allowed?

    to give you some ideas when you have it all in 1 R80.10 management:
    • in the R80.10 management create a new cluster object and add the new 5600 to it, SIC it, make sure to assign a free IP to the cluster object.
    • set the clustering method to VRRP
    • in the cluster object assign all interfaces a free IP in each network it is connected to and add them to the topology
    • Assign the IP's currently on the active 5600 to the cluster interfaces
    • you should be able to push policy
    • when ready to migrate, disconnect the interfaces from the network or assign new IP's to each interface
    • set the clustering method to ClusterXL and change the Cluster IP to the IP of the old 5600 and push policy
    • get the other 5600 to R80.10 and add assign the new IP's to it, add them to the config and do a get interfaces from the smart console
    • now go to the cluster object and add a existing member and add the object of the old 5600
    • now your cluster is complete and you can push policy.


    Not all details are taken into account like ant spoofing but I hope you get the drift.
    The reason for setting the cluster to VRRP first is that it will not assign the Custer IP's to the member as with VRRP you assign them from clish, by switching back when you migrate it is all ready and assgined to go.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3
    Join Date
    2017-04-27
    Posts
    5
    Rep Power
    0

    Default Re: Migration from standalone gateway to HA cluster pair

    Thanks for the reply. To answer your questions, my management server is already R80.10 and existing single firewall is R77.30. I plan to upgrade the single firewall to R80.10 before doing anything else and the new firewall that I would like to introduce will be R80.10. My goal is to have a clustered HA pair in the end. Some downtime is expected and acceptable in this environment but as always I would like it to be as little as possible however, itís not a super critical environment.

  4. #4
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,135
    Rep Power
    11

    Default Re: Migration from standalone gateway to HA cluster pair

    When you first upgrade the current GW to R80.10 you will have 2 times downtime, when you first migrate to cluster you have one time downtime.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

Similar Threads

  1. Migration from single gateway to cluster
    By gmiretzky in forum Check Point Firewall Administrator's Toolkit
    Replies: 5
    Last Post: 2016-12-05, 17:05
  2. Migrate Standalone Gateway to 2 NEW Gateways on Cluster
    By agfernandes in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 4
    Last Post: 2012-11-30, 14:27
  3. Migrating UTM 2070 HA Pair from Standalone to Dsitributed
    By sachden in forum Check Point UTM-1 Appliances
    Replies: 9
    Last Post: 2012-09-22, 12:26
  4. Cluster XL pair configs out of synch
    By leahrev in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 3
    Last Post: 2006-10-26, 02:51
  5. AS/Topology on a cluster pair?
    By hardhhhat in forum Miscellaneous
    Replies: 0
    Last Post: 2006-01-18, 07:44

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •