Good morning,
I have a bit of a unique problem this morning. I have a need to change
the VLAN IDs of the inside and outside interfaces of an HA pair of
firewalls. This needs to be done with zero downtime. Here's what I'm
thinking of doing...
1) Log in to the secondary (standby) firewall and change the
/etc/sysconfig/netconf.C and netconf.C.keep files to reflect the new
VLAN IDs
2) Log in to the SmartCenter, and edit the topology of the secondary
cluster member to reflect the new interface names. Then saving the
policy.
3) Rebooting the secondary firewall
4) Logging in to the secondary firewall and changing the management
interface to the new interface name.
5) Push policy on the pair
6) Making the switch changes to update the VLANs
7) Running a cpstop on the primary firewall to force the secondary
to take over
8) Performing steps 1-5 on the other firewall
I'm running NGX R60hfa03, HA new mode on Splat.
Is this going to work? Has anyone done the same thing and have a better
set of suggestions? Your insight is greatly appreciated.
Regards,
-Luke
Luke Marty
Network Security Engineering