Check Point Firewall R80.40 - Training Lab 6 | Cluster XL failover and priority

  • Published 26 Dec 2024

Comments • 38

  • @marcooconnor
    @marcooconnor 3 years ago +2

    Another excellent video, mate! I have learned more from you than I did at the CCSA course! haha

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  3 years ago +2

      Thank you!
      I'm not sure what I should say about that. When I took the CCSA course it was 3 days, so way too short to actually cover everything and allow for labs; I think this playlist is like 40 hours :D
      Good luck taking the CCSA if you haven't already taken it.

    • @marcooconnor
      @marcooconnor 3 years ago +1

      @@MagnusHolmberg-NetSec I completed the CCSA exam and course over a year ago now. However, I'm actually a network engineer rather than a security engineer. In my previous position only 15% of my job was managing firewalls, so I forgot a lot of the tasks after a while. When you don't use it you lose it, as they say.

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  3 years ago

      @@marcooconnor Aha, then videos are a great way to keep up to date :)

  • @rizwanrashid172
    @rizwanrashid172 4 years ago +1

    Thanks for simplifying the concept

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  4 years ago +1

      Thank you for watching all the videos, Rizwan :)
      Anti-spoofing in tomorrow's video.

  • @junnairmanla4928
    @junnairmanla4928 4 years ago

    Hi Magnus,
    Just want to thank you personally for creating informative content on YouTube.
    I just want to check with you if the steps below are correct if I'm going to replace a cluster (2 FWs) with 2 new replacement units.
    1. Do a snapshot on both existing FWs (FW01 - Active; FW02 - Standby)
    2. Add the snapshots to the replacement units (FW-A; FW-B)
    3. Remove the existing 'FW02 - Standby' from the Cluster.
    4. Replace the 'FW02 - Standby' with the new FW-B.
    5. Re-establish SIC then Push Policy.
    6. Add the licenses.
    7. Add the new FW-B to the Cluster.
    8. Failover from the Active (old FW01) to the new FW-B
    9. Remove the existing 'FW01 - Active' from the Cluster.
    10. Replace the 'FW01 - Active' with the new FW-A.
    11. Re-establish SIC then Push Policy.
    12. Add the licenses.
    13. Add the FW-A to the Cluster.
    14. Do testing for connections

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  4 years ago +1

      Hi,
      Thank you :)
      Is it the same hardware, meaning it's like an RMA unit, or is there a difference in the physical hardware?
      Because a snapshot takes a backup of everything, more or less a copy of the disk.
      Or is the plan to actually do an upgrade with new, better hardware?
      Snapshot Management
      The snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point products, configuration, and operating system.
      Starting in R77.10, exporting an image from one machine and importing that image on another machine of the same type is supported.
      The log partition is not included in the snapshot. Therefore, any locally stored FireWall logs will not be saved.

      System Backup (and System Restore)
      System Backup can be used to backup current system configuration. A backup creates a compressed file that contains the Check Point configuration including the networking and operating system parameters, such as routing and interface configuration etc., but unlike a snapshot, it does not include the operating system, product binaries, and hotfixes.

      Save Configuration (and Load Configuration)
      Allows saving Gaia OS configuration settings as a ready-to-run CLI script. This allows you to review your current setup and quickly restore the Gaia OS configuration.

    • @junnairmanla4928
      @junnairmanla4928 4 years ago

      @@MagnusHolmberg-NetSec Hi Magnus, I'm referring to the same appliance, or if an RMA is being done 😊

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  4 years ago

      OK, I would not remove the node member from the cluster in SmartConsole.
      It will be enough to just re-SIC it.
      Then you don't need to fix the topology and such again :)
      I am normally a bit careful, so I try to avoid having the production VLAN active on the ports to the new member before I see that I can add it to the cluster (meaning I normally have the SYNC interface up), and then we normally use dedicated interfaces for mgmt.
      And honestly, when it comes to small boxes (non-VSX) I just reinstall them from scratch (with a Blink image) and add the configuration file; then I don't need to worry that it will take over anything, as the new box is not aware of the cluster IP. We try to not have any kind of special configuration on our boxes.
      Replacing a box is then done in a few minutes :)

  • @MD-he2tu
    @MD-he2tu 2 years ago

    Hello Magnus, thank you for creating informative Check Point videos to learn more. Please share the steps to replace a failed cluster member (RMA of the same firewall) in Check Point firewall R80.20.

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  2 years ago

      Will do! Most likely on R80.40 or higher, as R80.30 and below are no longer supported.

  • @poseidon8510
    @poseidon8510 4 years ago +1

    Thanks Magnus!!

  • @ranghelsoto6516
    @ranghelsoto6516 3 years ago +1

    Hi, Magnus.
    A query: how could I validate what priority each of the devices belonging to the ClusterXL I have configured has?
    Is there any command to know the priority of each of the devices?
    If I am working with the "Switch to higher priority Cluster Member" option, how can I validate what the priority of each Cluster Member is?
    Because for each Gateway I only see the options "Increase priority" or "Decrease priority", but I would like to know how to find out which priority each of the devices has by default.

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  3 years ago +1

      Hi, I'm not aware of any CLI command, so it's not like VRRP or similar where you give the cluster node a number.
      I believe that the only place you can check it is within the GUI, and the priority is top-down in the cluster member list.
      “If cluster object is configured as Switch to higher priority Cluster Member, it means that
      Cluster Member with the highest priority always has to be Active.
      Cluster Member with the highest priority is the Cluster Member that appears at the top of the list in Cluster object > Cluster Members pane.
      If the Cluster Member with the highest priority fails, cluster failover occurs. A peer Cluster Member in Standby state, with the next highest priority, becomes Active.
      If the Cluster Member with the highest priority recovers, cluster failover occurs again. The Cluster Member with the highest priority becomes Active again. The Cluster Member with the next highest priority that was Active, returns to the Standby state.”
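The "Switch to higher priority Cluster Member" behaviour quoted above, as an added example that is not part of the video or this thread: a small Python model in which the order of the member list is the priority. It shows that a standby failing causes no failover, while a higher-priority member recovering causes a second failover (the extra disruption to plan for with this mode). Member names FW01 to FW03 are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Cluster:
    """ClusterXL members ordered as in the Cluster Members pane (top = highest priority)."""
    members: list
    failed: set = field(default_factory=set)
    transitions: list = field(default_factory=list)   # (event, member, old_active, new_active)

    def active(self):
        """Highest-priority member that is not failed; None when no member is healthy."""
        for m in self.members:
            if m not in self.failed:
                return m
        return None

    def _apply(self, event, member, mutate):
        # A failover is recorded only when the Active member actually changes.
        before = self.active()
        mutate()
        after = self.active()
        if after != before:
            self.transitions.append((event, member, before, after))
        return after

    def fail(self, member):
        """Member goes down (e.g. a pnote problem); a standby failing causes no failover."""
        return self._apply("fail", member, lambda: self.failed.add(member))

    def recover(self, member):
        """Member returns; with 'Switch to higher priority' it preempts a lower-priority Active."""
        return self._apply("recover", member, lambda: self.failed.discard(member))


def simulate(members, events):
    """Run (event, member) pairs and return only the events that caused a failover."""
    cluster = Cluster(list(members))
    for event, member in events:
        (cluster.fail if event == "fail" else cluster.recover)(member)
    return cluster.transitions


if __name__ == "__main__":
    # Constructed scenario: FW01 is listed first, so it has the highest priority.
    scenario = [("fail", "FW02"), ("fail", "FW01"), ("recover", "FW02"), ("recover", "FW01")]
    for t in simulate(["FW01", "FW02", "FW03"], scenario):
        print("failover on %s of %s: %s -> %s" % t)
```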

  • @Sabs761010
    @Sabs761010 7 months ago

    @Magnus Holmberg question: is the failover at LAN level? What happens with the internet connections?

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  7 months ago +1

      Failover is on the complete box, all interfaces, including towards the internet.

  • @luisfcaetano
    @luisfcaetano 4 years ago +2

    Magnus, I think you need to put your videos on CheckMates.

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  4 years ago +2

      I have put 2 of them on CheckMates, under how-to videos.
      I didn't want to spam the forum with videos :) but maybe I should post a few more of them.

  • @Sabs761010
    @Sabs761010 7 months ago

    You are showing how the failover works, but how did you set it up?

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  7 months ago +1

      This video is part of a multi-step series, so just check the playlist and you will find the installation and setup.

  • @annithakur5144
    @annithakur5144 3 years ago

    I have a query: why don't versions above R80.10 support HA in active-active mode?

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  3 years ago

      ClusterXL active/active is supported in R80.40:
      “New ClusterXL mode: Active-Active, supports running several cluster members in ACTIVE state, each member is a part of a separated routing domain and handles its own traffic, redundancy is kept during failover.”
      supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk160736&t=1621391102325

  • @dirkdigs
    @dirkdigs 4 years ago

    Hi Magnus, How can I setup an email alert that notifies me each time my cluster does fail-over?

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  4 years ago

      My recommendation is to do this with SNMP monitoring.
      You can also see the following post:
      community.checkpoint.com/t5/General-Topics/Monitoring-standby-member-in-a-cluster/td-p/25584

  • @xemphim4833
    @xemphim4833 2 years ago

    Hi bro. I finished the cluster, but it's not syncing config when I change it on the web. Can you help me?

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  2 years ago

      For sync, keep in mind that you need to go into SmartConsole and make the topology, and specify what should be the sync interface and what the ClusterXL interfaces are.

  • @marciomoura9065
    @marciomoura9065 3 years ago

    Hi Magnus, completed the lab. Too bad YouTube can't send the print.

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  3 years ago +1

      Hehe, you mean like an official course completion certificate :)?
      Sadly, nothing that can be provided via YouTube.
      I hope you did like the videos and learned something at least :)

    • @marciomoura9065
      @marciomoura9065 3 years ago +1

      @@MagnusHolmberg-NetSec No, I just wanted to share with you the image of the configuration I made in SmartConsole with Manager and Gateways.

  • @vinodsrinivasan9077
    @vinodsrinivasan9077 3 years ago

    Hi Sir, I have a few questions. Please reply once you find time:
    1. What are PNOTES? Why are they needed and what do they check?
    2. In Load Sharing (Active-Active) unicast mode, there is something called Pivot. What is meant by Pivot? How does it process traffic, like 30% (active) 70% (standby)?
    3. Where do we see that the Cluster Control Protocol is running between the 2 members? Can we see it via CLI? What are all the things CCP monitors?
    4. Any advanced troubleshooting or issues-faced video for ClusterXL?
    5. What is SecureXL? Please provide a detailed video or any link for understanding SecureXL and its troubleshooting.

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  3 years ago +1

      Not really CCSA stuff you are asking about ;)
      1: Pnotes are "problem notification" stuff that is monitored, and if this is incorrect it will cause a failover.
      2: Pivot is the member in the cluster that takes the decision on which cluster member should process traffic.
      sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/Load-Sharing-Modes.htm
      3: cphaprob -a if will show you how the CCP is set up.
      4: Haven't made any videos about that.
      5: SecureXL is used to accelerate traffic, and different traffic is managed in different ways.
      There are some great posts in the community that explain it in detail:
      community.checkpoint.com/t5/General-Topics/R81-x-Security-Gateway-Architecture-Logical-Packet-Flow/td-p/41747

    • @vinodsrinivasan9077
      @vinodsrinivasan9077 3 years ago

      @@MagnusHolmberg-NetSec Thanks for your reply, sir.
      The given article for the 2nd point is superb. There is a clear explanation in regard to all of it. The only thing which still baffles me is how that decision is taken? Is it based on some algorithm which only Check Point knows?
      Regarding the 5th point, for SecureXL I need a complete explanation of it. You have given the packet flow part of it; can you point to any article or video which explains SecureXL in detail?

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  3 years ago

      @@vinodsrinivasan9077 supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk153832

  • @vivekprajapati7911
    @vivekprajapati7911 4 years ago

    Sir, I request you to kindly make a full CCSE course lab in detail with troubleshooting.

    • @MagnusHolmberg-NetSec
      @MagnusHolmberg-NetSec  4 years ago +1

      Hehe, yes I will try to make something about it.
      I promised to start with the MDS and VSX stuff in November. It will be a bit more advanced than CCSE, as those products are actually not within the certification track for CCSE.

    • @vivekprajapati7911
      @vivekprajapati7911 4 years ago +1

      @@MagnusHolmberg-NetSec Thanks a lot, sir.