Converting a Security Gateway to a ClusterXL

This section tells you how to convert a Security Gateway to a ClusterXL. The source Security Gateway becomes one of the members and you add one or more new members to the cluster. To help you identify the members of the new ClusterXL, the procedures use these names:

You must have sufficient available IP addresses for the source Security Gateway and new members. If not, see Configuring Cluster Addresses on Different Subnets.

Converting a Standalone Deployment to ClusterXL

Before you can convert a Standalone Deployment to ClusterXL, you must first migrate the Security Gateway and the Security Management Server to two different computers. We recommend that you keep the existing Standalone Computer available until you complete and test the new ClusterXL environment.

Notes and Cautions:

To prepare the Standalone Computer for migration:

  1. Back up the Standalone Computer. Use one of the procedures included in the Backing Up section of the R80.20 Installation and Upgrade Guide. Copy the backup file to another computer or external storage.
  2. Disconnect the Standalone Computer from the network.
  3. Disable all Security Gateway functionality:
    1. Connect with SmartConsole and open the Standalone Computer object.
    2. On the General Properties > Network Properties tab, clear all Software Blades including Firewall. Click OK to continue.
    3. Save the changes (Menu > File > Save).
    4. Go to Menu > Policy > Install Database.
    5. In the Install Database window, select the Standalone Computer object and click OK.

      This operation must complete successfully.

    6. Close SmartConsole and all other SmartConsole clients.

To Export the Management Database:

  1. Connect with the CLI to the Standalone Computer in the Expert mode.
  2. Export the management databases. Run:

    # cd $FWDIR/bin/upgrade_tools/

    # ./upgrade_export /var/<export_file_name>

To Create the new Security Management Server:

Important - The new Security Management Server must have the same host name as the existing Standalone Computer.

  1. Do a clean Security Management Server installation based on the procedures in the R80.20 Installation and Upgrade Guide. Make sure that you only select Management Server options.

    Make sure that you install all Hotfixes and plug-ins that were installed in the existing Standalone computer.

  2. Close all of the Expert mode shells. Log into the regular shell.
  3. Copy the exported database files to a temporary folder on the new Security Management Server.
  4. Import the management databases. In the Expert mode, run:

    # cd $FWDIR/bin/upgrade_tools/

    # ./upgrade_import /<path_to>/<export_file_name>

    Important - If the import fails with the "Database migration between standalone and management only machines is not supported" error, see sk61681 for a workaround.

  5. Connect with SmartConsole to the new Security Management Server and make sure that all settings are correct.
  6. Close SmartConsole and reboot the computer.

To Create the New Security Gateway:

  1. Do a clean Security Gateway installation based on the procedures in the R80.20 Installation and Upgrade Guide.

    Make sure that you only select Network Security tab options.

    Make sure that you install all Hotfixes and plug-ins that were installed in the existing Standalone Computer.

  2. In SmartConsole, create and configure the Security Gateway object.

    Make sure that you establish SIC trust.

  3. In SmartConsole, install the Access Control Policy on this Security Gateway object.
  4. Connect the systems to the network.
  5. Thoroughly test and debug the deployment.

    Make sure that the rules for all Software Blades work correctly.

This Security Gateway will become the Source Member for the new ClusterXL cluster.

Creating the New Member

To create and configure a new Cluster Member:

  1. Install a new Security Gateway.
  2. Use the standard procedure to create a new Cluster Member.
  3. Make sure that the cluster object definition and all applicable settings are the same as for the Source Security Gateway. For example:
    • Interface, topology and Anti-Spoofing definitions
    • Authentication types
    • IPsec VPN settings, including Link Selection
    • Office mode settings
    • Firewall rules settings
    • Software Blade selections and configuration

Creating the ClusterXL Object

To create the ClusterXL object:

  1. In SmartConsole, create a new cluster object.
  2. Make sure that the cluster object definition and all applicable settings are the same as for the Source Security Gateway. For example:
    • Interface, topology and Anti-Spoofing definitions
    • Authentication types
    • IPsec VPN settings, including Link Selection
    • Office mode settings
    • Firewall rules settings
    • Software Blade selections and configuration
  3. If you assign Office Mode IP addresses from a pool, create a new pool.

In SmartConsole, for Computer 'B'

  1. Create a ClusterXL object.
  2. In the Cluster Members page, click Add > Add Existing Gateway.
  3. Connect to computer 'B', and define its topology.
  4. Define the Synchronization networks for the cluster.
  5. Define the cluster topology. To avoid reconfiguring network devices, the cluster IP addresses should be on the same subnet as the IP addresses of computer 'A', on its proposed cluster interfaces.
  6. Install the Access Control Policy on this cluster object, currently including member 'B' only.

Preparing Computer 'A'

  1. Disconnect all proposed cluster and Synchronization interfaces. New connections now open through the cluster, instead of through computer 'A'.
  2. Change the addresses of these interfaces to some other unique IP address, which is on the same subnet as computer B.
  3. Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or Security Gateways previously connected to the Security Gateway must now be connected to both members, using a hub/switch.

    Note - It is possible to run synchronization across a WAN. For details, see Synchronizing Clusters over a Wide Area Network.
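The address requirements above (enough free addresses, cluster IP addresses on the subnet of computer 'A', a new unique address for computer 'A' on the subnet of computer 'B') can be checked before any interface is touched. The following is an added example, not part of the Check Point guide: the plan format, the function name `check_cluster_plan` and the sample addresses are assumptions made for illustration, and it covers cluster interfaces only (Synchronization interfaces have no cluster IP address).

```python
import ipaddress

MEMBERS = 2  # computers 'A' and 'B' in the procedure above

def check_cluster_plan(interfaces):
    """Return a list of problems in a proposed ClusterXL address plan."""
    problems, used = [], {}
    for itf in interfaces:
        name = itf["name"]
        net = ipaddress.ip_network(itf["subnet"])
        addr = {r: ipaddress.ip_address(itf[r]) for r in ("vip", "a_old", "a_new", "b")}
        # Enough usable addresses: one cluster IP plus one per member.
        usable = max(net.num_addresses - 2, 0)
        if usable < MEMBERS + 1:
            problems.append(f"{name}: {net} has {usable} usable addresses, need {MEMBERS + 1}")
        # Cluster IP and both member addresses must sit in A's subnet.
        for role, ip in addr.items():
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {role} {ip} is not a usable host in {net}")
        # Addresses that are live after the conversion must be unique plan-wide.
        for role in ("vip", "a_new", "b"):
            if addr[role] in used:
                problems.append(f"{name}: {role} {addr[role]} duplicates {used[addr[role]]}")
            else:
                used[addr[role]] = f"{name}/{role}"
        # Computer 'A' must move to "some other" address on each cluster interface.
        if addr["a_new"] == addr["a_old"]:
            problems.append(f"{name}: computer 'A' keeps its old address {addr['a_old']}")
    return problems

# Constructed sample plans (documentation address ranges, not from the guide).
GOOD_PLAN = [
    {"name": "eth0", "subnet": "203.0.113.0/24", "vip": "203.0.113.1",
     "a_old": "203.0.113.1", "a_new": "203.0.113.2", "b": "203.0.113.3"},
    {"name": "eth1", "subnet": "192.0.2.0/24", "vip": "192.0.2.1",
     "a_old": "192.0.2.1", "a_new": "192.0.2.2", "b": "192.0.2.3"},
]
BAD_PLAN = [
    {"name": "eth0", "subnet": "198.51.100.0/30", "vip": "198.51.100.1",
     "a_old": "198.51.100.1", "a_new": "198.51.100.1", "b": "198.51.100.5"},
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_cluster_plan(plan) or "OK")
```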

In SmartConsole, for Computer 'A'

  1. Update the topology of Security Gateway A, either manually or by clicking Get Interfaces.

    If the IP address of the management interface was changed, the Get Interfaces action will fail. If this happens, manually change the main IP address in the Security Gateway object and save the policy prior to performing an automatic topology fetch.

  2. In the Cluster Members page, click Add > Add Existing Gateway.
  3. Select computer 'A' in the window.
  4. In the Network Management page, determine which interface is a cluster interface, and which is an internal or an external interface.
  5. Install the Access Control Policy on this cluster object.