Thanks for the Reply.
I performed this last night without a hitch, just in case
anyone else
hits the same problem.
-Luke
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM]
On Behalf Of chkp
tech
Sent: Tuesday, October 24, 2006 11:49 AM
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Changing VLAN tags on firewall
interfaces
I don't see anything wrong with this procedure, and while I
thought
about
it, I wondered if you should push the policy to both members
of the
cluster
or not. After discussing it with engineers around here, we
don't think
that
pushing the policy to both members would be a problem.
Let us know if you run into any problems =)
Jason
On 10/24/06, Marty, Luke <luke.martynwa.com> wrote:
>
> Good morning,
>
> I have a bit of a unique problem this morning. I have
a need to
change
> the VLAN id's of the inside and outside interfaces of a
HA pair of
> firewalls. This needs to be done with zero downtime.
Here's what I'm
> thinking of doing...
>
>
>
> 1) Login to the secondary(standby) firewall and
change the
> /etc/sysconfig/netconf.C and netconf.C.keep files to
reflect the new
> vlan IDs
>
> 2) Login to the SmartCenter, and edit the topology
of the
secondary
> cluster member to reflect the new interface names. Then
saving the
> policy.
>
> 3) Rebooting the secondary firewall
>
> 4) Logging in to the secondary firewall and
changing the
management
> interface to the new interface name.
>
> 5) Push policy on the pair
>
> 6) Making the switch changes to update the vlans
>
> 7) Running a cpstop on the primary firewall to
force the secondary
> to take over
>
> 8) Performing steps 1-5 on the other firewall
>
>
>
> I'm running NGX R60hfa03, HA new mode on Splat.
>
>
>
> Is this going to work? Has anyone done the same thing
and have a
better
> set of suggestions? Your insight is greatly
appreciated.
>
>
>
> Regards,
>
>
>
> -Luke
>
>
>
> Luke Marty
>
> Network Security Engineering
>
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERVamadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http:
//www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ownerts.checkpoint.com
> =================================================
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
|