Converting a Security Gateway to a ClusterXL
This section tells you how to convert a Security Gateway to a ClusterXL. The source Security Gateway becomes one of the members, and you add one or more new members to the cluster. To help you identify the members of the new ClusterXL, the procedures use these names:
- - An existing computer that is configured as both a Security Gateway and a Security Management Server.
- The physical Security Gateway that will be converted into a member of the new ClusterXL.
- - The member created from the .
- - A newly created Cluster Member. There can be more than one new Cluster Member.
You must have enough available IP addresses for the source Security Gateway and the new members. If not, see Configuring Cluster Addresses on Different Subnets.
Converting a Standalone Deployment to ClusterXL
Before you can convert a Standalone Deployment to ClusterXL, you must first migrate the Security Gateway and the Security Management Server to two different computers. We recommend that you keep the existing Standalone Computer available until you complete and test the new ClusterXL environment.
Notes and Cautions:
To prepare the Standalone Computer for migration:
- Back up the Standalone Computer. Use one of the procedures included in the Backing Up section of the R80.30 Installation and Upgrade Guide. Copy the backup file to another computer or external storage.
- Disconnect the Standalone Computer from the network.
- Disable all Security Gateway functionality:
- Connect with SmartConsole and open the Standalone Computer object.
- On the > tab, clear all Software Blades including Firewall. Click to continue.
- Save the changes (> > ).
- Go to > > I.
- In the window, select the Standalone Computer object and click .
This operation must complete successfully.
- Close SmartConsole and all other SmartConsole clients.
To Export the Management Database:
- Connect with the CLI to the Standalone Computer in the Expert mode.
- To export the management databases, run:
# cd $FWDIR/bin/upgrade_tools/
# ./upgrade_export /var/<export_file_name>
To Create the new Security Management Server:
Important - The new Security Management Server must have the same host name as the existing Standalone Computer.
- Do a clean Security Management Server installation based on the procedures in the R80.30 Installation and Upgrade Guide. Make sure that you only select options.
Make sure that you install all Hotfixes and plug-ins that were installed in the existing Standalone computer.
- Close all of the Expert mode shells. Log into the regular shell.
- Copy the exported database files to a temporary folder on the new Security Management Server.
- To import the management databases, run these commands in the Expert mode:
# cd $FWDIR/bin/upgrade_tools/
# ./upgrade_import /<path_to>/<export_file_name>
Important - If the import fails with the error, see sk61681 for a workaround.
- Connect with SmartConsole to the new Security Management Server and make sure that all settings are correct.
- Close SmartConsole and reboot the computer.
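A pre-import check for the copy and import steps above, as an added example that is not part of the Check Point procedure: it records the source host name and a digest of the export file, then refuses the import if the file changed in transit or the new server's host name differs. The function names, the sidecar manifest file, and the use of `sha256sum` and `uname -n` are assumptions.

```shell
#!/bin/bash
# Added example, not Check Point code. Function names and the manifest
# format are assumptions made for illustration.

# Run on the Standalone Computer after upgrade_export: store the source
# host name and the SHA-256 digest of the export file in a manifest.
write_manifest() {
    export_file=$1
    manifest=$2
    [ -s "$export_file" ] || { echo "export file missing or empty: $export_file" >&2; return 1; }
    digest=$(sha256sum "$export_file" | awk '{print $1}') || return 1
    printf 'hostname=%s\nsha256=%s\n' "$(uname -n)" "$digest" > "$manifest"
}

# Run on the new Security Management Server before upgrade_import.
# Returns 0 only if the copied file is intact and the host names match.
# Optional third argument overrides the local host name (used for testing).
check_before_import() {
    export_file=$1
    manifest=$2
    local_name=${3:-$(uname -n)}
    [ -r "$export_file" ] && [ -r "$manifest" ] || { echo "cannot read inputs" >&2; return 2; }
    want_name=$(sed -n 's/^hostname=//p' "$manifest")
    want_digest=$(sed -n 's/^sha256=//p' "$manifest")
    have_digest=$(sha256sum "$export_file" | awk '{print $1}')
    if [ "$have_digest" != "$want_digest" ]; then
        echo "digest mismatch: export file changed after export" >&2
        return 3
    fi
    if [ "$local_name" != "$want_name" ]; then
        echo "host name '$local_name' differs from source '$want_name'" >&2
        return 4
    fi
    echo "ok: run ./upgrade_import $export_file"
}
```

Copy the manifest together with the export file, and run `check_before_import` with both paths before you start the import.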
To Create the New Security Gateway:
- Do a clean Security Gateway installation based on the procedures in the R80.30 Installation and Upgrade Guide.
Make sure that you only select tab options.
Make sure that you install all Hotfixes and plug-ins that were installed in the existing Standalone Computer.
- In SmartConsole, create and configure the Security Gateway object.
Make sure that you establish SIC trust.
- In SmartConsole, install the Access Control Policy on this Security Gateway object.
- Connect the systems to the network.
- Thoroughly test and debug the deployment.
Make sure that the rules for all Software Blades work correctly.
This Security Gateway will become the for the new ClusterXL cluster.
Creating the New Member
To create and configure a new Cluster Member:
- Install a new Security Gateway.
- Use the standard procedure to create a new Cluster Member.
- Make sure that the cluster object definition and all applicable settings are the same as for the . For example:
- Interface, topology and Anti-Spoofing definitions
- Authentication types
- IPsec VPN settings, including Link Selection
- Office mode settings
- Firewall rules settings
- Software Blade selections and configuration
Creating the ClusterXL Object
To create the ClusterXL object:
- In SmartConsole, create a new cluster object.
- Make sure that the cluster object definition and all applicable settings are the same as for the . For example:
- Interface, topology and Anti-Spoofing definitions
- Authentication types
- IPsec VPN settings, including Link Selection
- Office mode settings
- Firewall rules settings
- Software Blade selections and configuration
- If you assign Office Mode IP addresses from a pool, create a new pool.
In SmartConsole, for Computer 'B'
- Create a ClusterXL object.
- In the page, click .
- Connect to computer 'B', and define its topology.
- Define the Synchronization networks for the cluster.
- Define the cluster topology. To avoid reconfiguring network devices, the cluster IP addresses should be on the same subnet as the IP addresses of computer 'A', on its proposed cluster interfaces.
- Install the Access Control Policy on this cluster object, currently including member 'B' only.
Preparing Computer 'A'
- Disconnect all proposed cluster and Synchronization interfaces. New connections now open through the cluster, instead of through computer 'A'.
- Change the addresses of these interfaces to some other unique IP address, which is on the same subnet as computer 'B'.
- Connect each pair of interfaces of the same subnet using a dedicated network. Any hosts or Security Gateways previously connected to the Security Gateway must now be connected to both members, using a hub/switch.
Note - It is possible to run synchronization across a WAN. For details, see Synchronizing Clusters over a Wide Area Network.
In SmartConsole, for Computer 'A'
- Update the topology of Security Gateway A, either manually or by clicking .
If the IP address of the management interface was changed, the action will fail. If this happens, manually change the main IP address in the Security Gateway object and save the policy prior to performing an automatic topology fetch.
- In the page, click .
- Select computer 'A' in the window.
- In the page, determine which interface is a cluster interface, and which is an internal or an external interface.
- Install the Access Control Policy on this cluster object.