Saturday, November 5, 2011

Check Point: How to setup UTM-1 high availability (step-by-step)

I came across a document I created for doing a UTM-1 install in an HA environment. I thought I'd share it with you in case you ever needed help with the process. I created this so that I wouldn't forget how to do it, and it's worked every time.
Steps to installing HA for UTM-1

You need this info:
1. Get all the IP info you need: what the VIP will be (the same as the current physical IP) for DMZ, Internal, External, etc. You also need the physical IPs for each UTM-1 (addresses that are available for you to use, NOT the VIP).
2. You also need the management station hostname and domain name.
3. You need a screenshot of the Smart Update screen, for clarification.
4. You need the DNS server addresses.
5. You need the next-hop address for the default route.
6. You need any routes that are configured on the underlying OS, so that you can put them on the UTM-1 system.
7. When onsite at the client, put the "upgrade_export" tool on the existing Check Point box so that you can run an "upgrade_export" (to capture the current configuration of the existing system). The "upgrade_export" tool has to be the same version you are going to; you cannot use an "upgrade_export" from R60 when you are going to R65, etc. The location on the existing box where you put the tool is "cd $FWDIR/bin/upgrade_tools". You will need to be in expert mode. (You may want to rename the existing "upgrade_export" before you put the new one on the existing box.) Then, to do the export, type: "./upgrade_export <filename>". You will FTP this exported file onto your laptop so that you can take it to the lab and import it when you are ready to do the "upgrade_import" on the UTM-1.

**NOTE**: You will need several eval licenses since you are going to be changing IP addresses a few times during this process. 3 should be enough to do the complete install.
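As an added example (my own helpers, not from the original post or from Check Point), here is a small set of expert-mode shell functions around the export/import hand-off in step 7 above and in step 3 of the install below. The archive is exported on the old box, FTP'd to a laptop, then FTP'd again onto the new UTM-1, and an ASCII-mode FTP transfer or a partial copy on any hop silently corrupts it; the damage only shows up when upgrade_import fails on the new box. Recording a digest next to the archive on the source box and checking it before the import catches that early. Assumed: an expert-mode shell with tar and sha256sum (or md5sum), the real tool location $FWDIR/bin/upgrade_tools, and that upgrade_export names its output <name>.tgz (confirm against what the tool prints on your version); the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: integrity checks around the
# upgrade_export / upgrade_import hand-off between the old box and the UTM-1.
# Assumptions: expert-mode shell with tar and sha256sum (or md5sum), and the
# real tool path $FWDIR/bin/upgrade_tools. Helper names are mine.

# Print a hex digest of $1: sha256sum where present, md5sum as a fallback
# (older SecurePlatform images may not ship sha256sum).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        md5sum "$1" | awk '{print $1}'
    fi
}

# Store the digest beside the archive so it travels with it ($1.sum).
record_digest() {
    file_digest "$1" > "$1.sum"
}

# Return 0 only if the archive still matches the digest recorded next to it.
verify_digest() {
    [ -f "$1.sum" ] && [ "$(file_digest "$1")" = "$(cat "$1.sum")" ]
}

# Return 0 if $1 is a gzip-compressed tar that lists cleanly. A file that went
# through FTP in ASCII mode typically fails here even before the digest check.
archive_is_readable() {
    tar -tzf "$1" >/dev/null 2>&1
}

# On the OLD box: run the export and record the digest of the result.
# Assumption: upgrade_export names its output <name>.tgz.
do_export() {
    name="$1"
    cd "${FWDIR:?enter expert mode first}/bin/upgrade_tools" || return 1
    ./upgrade_export "$name" || return 1
    record_digest "$name.tgz"
    echo "exported $name.tgz, digest in $name.tgz.sum: transfer both in BINARY mode"
}

# On the NEW UTM-1: verify the transferred archive (e.g. /home/admin/cpbackup.tgz
# with cpbackup.tgz.sum beside it), copy it next to the tools, then import.
do_import() {
    archive="$1"
    tools="${FWDIR:?enter expert mode first}/bin/upgrade_tools"
    if ! verify_digest "$archive"; then
        echo "digest mismatch on $archive: re-transfer it in binary mode" >&2
        return 1
    fi
    if ! archive_is_readable "$archive"; then
        echo "$archive is not a readable .tgz: refusing to import" >&2
        return 1
    fi
    cp "$archive" "$tools/" || return 1
    cd "$tools" && ./upgrade_import "$(basename "$archive")"
}

# Usage on the old box:   do_export cpbackup
# Usage on the new UTM-1: do_import /home/admin/cpbackup.tgz
```

Source the file in expert mode on each box and call do_export on the old one and do_import on the new one; if do_import refuses the file, re-transfer the archive with the FTP client in binary mode rather than trying the import again.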

Install Instructions:
1. Install the first UTM-1 with the current IP info, etc., matching the management station IP of the current install. Verify that the IP address you put on the UTM-1 is the management station's.
2. After the initial install, reboot the UTM-1.
3. When it comes back up, SSH into the UTM-1. It is time to do the "upgrade_import" of the exported file you obtained from the existing Check Point (cd $FWDIR/bin/upgrade_tools). You will have to FTP the exported file to the new UTM-1. The import will look like this example:
"[Expert@utm1570]# ./upgrade_import cpbackup.tgz"
(**NOTE**: You need to copy the file from the directory you uploaded it to (probably /home/admin) to the $FWDIR/bin/upgrade_tools folder to do the import.)
4. After the import, reboot the UTM-1 and make sure everything works. Open Dashboard and re-IP the "old" management station to a different IP address. (**NOTE**: You may have to go into the command line and define yourself as a GUI Client (option 3) by running "cpconfig".)
5. At this point, go into the WebUI, go to "Cluster", and create the cluster. It will reboot after you create it. It's one button to push.
6. After the reboot, go into SmartDashboard; the cluster configuration wizard comes up automatically when you log in. Cancel it. The new cluster will now be there under the Check Point devices. It will only show the one primary under the cluster at this time, since you have not started on the secondary yet.
7. ***NOTE*** OK, here I had to go back and put the original IP address back on the cluster. When it created the cluster, it made the "old" management station into the new cluster.
8. Go into the WebUI and change the IPs on all interfaces to what you want the primary's to be. These won't be the VIPs.
9. Log into Dashboard; the first thing to do is pull the topology in the cluster. Go into the cluster (classic mode) --> Topology --> "Edit Topology" and "Get all members' topology".
10. Put in the VIPs for the cluster. Save this.
11. Replace ALL references to the "old" Check Point station with the newly created Check Point station in the policy rules.
12. Delete the "old" Check Point out of the configuration.
13. In order to push policy, you are going to have to get the evaluation licenses in place for it to work properly. It won't push until you do.
14. Go to the CP User Center and create eval licenses. Go to Smart Update and attach them. Use the IP address of the physical box, not the VIP.
15. Go into Smart Update and attach the licenses.
16. Push policy to the primary UTM-1. While it pushes, start on the secondary UTM-1.

Secondary UTM-1:
1. Install the second UTM-1 and make it the secondary in the "cluster". Go ahead and connect the crossover cable on the SYNC interface.
2. Make sure you have the license ready for the secondary.
3. Once the install is done, reboot the secondary.
4. When it comes back up, go into Dashboard and open the cluster. Go into simple mode (wizard) and add the secondary to the cluster in Dashboard.
5. Install policy to both UTM-1s.
6. Go into Smart Update and add the license.
7. Make sure you have deleted out all references to the old firewall.

Summary:
1. Do the primary first.
2. Import the upgrade_export.
3. Make sure it works.
4. Configure the cluster on the primary.
5. Do the secondary UTM-1.