Converting a Security Gateway to a ClusterXL Cluster

This section tells you how to convert a Security Gateway to a ClusterXL cluster. The source Security Gateway becomes one of the members and you add one or more new members to the cluster. To help you identify the members of the new ClusterXL cluster, the procedures use these names:

You must have sufficient available IP addresses for the source Security Gateway and new members. If not, see Configuring Cluster Addresses on Different Subnets.

Included Topics

Converting a Standalone Deployment to ClusterXL.

Creating the New Member

Creating the ClusterXL Object

In SmartDashboard, for Computer 'B'

On Computer 'A'

In SmartDashboard for Computer 'A'

Converting a Standalone Deployment to ClusterXL.

Before you can convert a Standalone Deployment to ClusterXL, you must first migrate the Security Gateway and the Security Management Server to two different computers. We recommend that you keep the existing Standalone Computer available until you complete and test the new ClusterXL environment.

Notes and Cautions:

To prepare the Standalone Computer for migration:

  1. Back up the Standalone Computer. Use one of the procedures included in the Backing Up section of the R77 Installation and Upgrade Guide. Copy the backup file to another computer or external storage.
  2. Disconnect the Standalone Computer from the network.
  3. Disable all Security Gateway functionality:
    1. Connect with SmartDashboard and open the Standalone Computer object.
    2. On the General Properties > Network Properties tab, clear all Software Blades including Firewall. Click OK to continue.
    3. Save the changes (Menu > File > Save).
    4. Go to Menu > Policy > Install Database.
    5. In the Install Database window, select the Standalone Computer object and click OK.

      This operation must complete successfully.

    6. Close SmartDashboard and all other SmartConsole clients.

To Export the Management Database:

  1. Connect with the CLI to the Standalone Computer in the Expert mode.
  2. Export the management databases:
    • On Gaia, SecurePlatform, Linux and IPSO, run:

      # cd $FWDIR/bin/upgrade_tools/

      # ./upgrade_export /var/<export_file_name>

    • On Windows, run:

      cd /d "%FWDIR%\bin\upgrade_tools\"

      upgrade_export C:\<export_file_name>

To Create the new Security Management Server:

Important - The new Security Management Server must have the same host name as the existing Standalone Computer.

  1. Do a clean Security Management Server installation based on the procedures in the R77 Installation and Upgrade Guide. Make sure that you only select Management Server options.

    Make sure that you install all Hotfixes and plug-ins that were installed in the existing Standalone computer.

  2. On Gaia, SecurePlatform, Linux and IPSO, close all of the Expert mode shells. Log into the regular shell.
  3. Copy the exported database files to a temporary folder on the new Security Management Server.
  4. Import the management databases:
    • From the Expert Mode on Gaia, SecurePlatform, Linux and IPSO, run:

      # cd $FWDIR/bin/upgrade_tools/

      # ./upgrade_import /<path_to>/<export_file_name>

    • On Windows, run:

      cd /d "%FWDIR%\bin\upgrade_tools\"

      upgrade_import C:\<path_to>\<export_file_name>

    Important - If the import fails with the "Database migration between standalone and management only machines is not supported" error, see sk61681 for a workaround.

  5. Connect with SmartDashboard to the new Security Management Server and make sure that all settings are correct.
  6. Close SmartDashboard and reboot the computer.

To Create the New Security Gateway:

  1. Do a clean Security Gateway installation based on the procedures in the R77 Installation and Upgrade Guide. Make sure that you only select Network Security tab options.

    Make sure that you install all Hotfixes and plug-ins that were installed in the existing Standalone computer.

  2. In SmartDashboard, create and configure the Security Gateway object.

    Make sure that you establish SIC trust.

  3. Open SmartDashboard and install policy to this gateway.
  4. Connect the systems to the network.
  5. Thoroughly test and debug the deployment.

    Make sure that the rules for all Software Blades work correctly.

This Security Gateway will become the Source Member for the new ClusterXL cluster.

Creating the New Member

To create and configure a new cluster member:

  1. Install a new Security Gateway.
  2. Use the standard procedure to create a new cluster member.
  3. Make sure that the cluster object definition and all applicable settings are the same as for the Source Security Gateway. For example:
    • Interface, topology and Anti-Spoofing definitions
    • Authentication types
    • IPsec VPN settings, including Link Selection
    • Office mode settings
    • Firewall rules settings
    • Software Blade selections and configuration

Creating the ClusterXL Object

To create the ClusterXL object:

  1. In SmartDashboard, create a new cluster object.
  2. Make sure that the cluster object definition and all applicable settings are the same as for the Source Security Gateway. For example:
    • Interface, topology and Anti-Spoofing definitions
    • Authentication types
    • IPsec VPN settings, including Link Selection
    • Office mode settings
    • Firewall rules settings
    • Software Blade selections and configuration
  3. If you assign Office Mode IP addresses from a pool, create a new pool.

In SmartDashboard, for Computer 'B'

  1. Create a ClusterXL object.
  2. In the Cluster Members page, click Add, and select New Cluster Member.
  3. Connect to computer 'B', and define its topology.
  4. Define the Synchronization networks for the cluster.
  5. Define the cluster topology. To avoid reconfiguring network devices, the cluster IP addresses should be the same as the addresses of computer 'A', on its proposed cluster interfaces.
  6. Install the policy on the cluster, currently including member 'B' only.

On Computer 'A'

  1. Disconnect all proposed cluster and Synchronization interfaces. New connections now open through the cluster, instead of through computer 'A'.
  2. Change the addresses of these interfaces to some other unique IP address which is on the same subnet as computer 'B'.
  3. Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or Security Gateways previously connected to the Security Gateway must now be connected to both members, using a hub/switch.

Note - It is possible to run synchronization across a WAN. For details, see Synchronizing Clusters over a Wide Area Network.
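A pre-change check of the address plan implied by the steps for computers 'B' and 'A' above. This is an added example, not Check Point code. The field names and the addresses (documentation ranges) are constructed for illustration, and the check covers only the proposed cluster interfaces.

```python
import ipaddress

# Constructed plan: one entry per proposed cluster interface.
# a_old      = address computer 'A' uses today (with prefix length)
# cluster_ip = address the cluster object will answer on
# a_new / b  = member addresses after the conversion
PLAN = [
    {"name": "external", "a_old": "192.0.2.1/24", "cluster_ip": "192.0.2.1",
     "a_new": "192.0.2.2", "b": "192.0.2.3"},
    {"name": "internal", "a_old": "10.10.0.1/24", "cluster_ip": "10.10.0.1",
     "a_new": "10.10.0.2", "b": "10.10.0.3"},
]


def check_interface(entry):
    """Return a list of problems found for one proposed cluster interface."""
    problems = []
    old = ipaddress.ip_interface(entry["a_old"])
    net = old.network
    vip = ipaddress.ip_address(entry["cluster_ip"])
    a_new = ipaddress.ip_address(entry["a_new"])
    b = ipaddress.ip_address(entry["b"])
    # Keeping the old address of 'A' as the cluster IP avoids
    # reconfiguring neighbouring network devices.
    if vip != old.ip:
        problems.append("cluster IP differs from the original address of 'A'")
    for label, addr in (("new address of 'A'", a_new), ("address of 'B'", b)):
        if addr not in net:
            problems.append(f"{label} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} is a reserved address of {net}")
        if addr == vip:
            problems.append(f"{label} collides with the cluster IP")
    if a_new == b:
        problems.append("'A' and 'B' share the same address")
    return problems


def check_plan(plan):
    """Map interface name -> problems, listing only interfaces with problems."""
    report = {e["name"]: check_interface(e) for e in plan}
    return {name: probs for name, probs in report.items() if probs}


if __name__ == "__main__":
    print(check_plan(PLAN) or "address plan is consistent")
```
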

In SmartDashboard for Computer 'A'

  1. Update the topology of Security Gateway A, either manually or by clicking Get Topology.

    If the IP address of the management interface was changed, the Get Topology action will fail. If this happens, manually change the main IP address in the Security Gateway object and save the policy prior to performing an automatic topology fetch.

  2. In the Cluster Members page, click Add, and select Add Security Gateway to Cluster.
  3. Select computer 'A' in the window.
  4. In the Edit Topology page, determine which interface is a cluster interface, and which is an internal or an external interface.
  5. Install the policy on the cluster.