Checkpoint R77.30 to R80.10 Upgrade in Azure

Ok, if you are reading this, you already know that it is not as simple as running CPUSE to upgrade from Checkpoint R77.30 to R80.10 in Microsoft Azure. In fact, its not even supported in Microsoft Azure (or any public cloud). Checkpoint’s preferred approach is an in-parallel upgrade and migration of services across. Wow, ok so while this reduces risk considerably it really depends how complex your Azure and Checkpoint deployment is. In the recent in-parallel upgrade we did for a client this change was almost a mini project.

Things to consider:

Azure complexities, the client had 10 VNETs with over 20 different routing tables. This meant ensuring that the Checkpoint cluster SPN had contributor rights to all resource groups containing routes to the Cluster. Checkpoint’s new test script is very useful to ensure you have all this covered

Checkpoint functionality used, in this instance, FW, VPN, URL and APP Control were used. You can clone policies, assuming your old and new cluster are managed by the same Security Manager which makes this process a lot simpler, however the VPN functionality needs to be carefully considered. When we cutover to the new firewall cluster in a change window, the VPN from On-Prem to the Azure hosted Checkpoint cluster had issues, ranging from SA’s timing out and the VPN being completely down to not all subnets being encrypted, the classic and unhelpful “no valid SA error”. Essentially after hours of troubleshooting this turned out to be issues with the interface and link selection causing IKE negotiation issues. Even though this was configured as per the Checkpoint reference architecture (i’m not mad, i’m just very disappointed). We reverted to using a link selection profile we had deployed on another R77.30 Azure deployment successfully, reset the IKE and IPSec SAs using vpn tu and hey presto a successful in-parallel upgrade.

What we took away from this experience was a very detailed runbook and test plan to ensure we captured all the VNETs and user defined routes that required changing and testing services hosted in different VNETs and subnets to ensure all subnets were routable across the VPN.

The only benefit of this saga was the ease to rollback to the original checkpoint cluster if necessary as very few changes had been performed on it during cutover.

Published by alexfray

View all posts by alexfray

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

News

01/07/19

Awarded contract with the Welsh Revenue Authority to provide cloud network services and consultancy.

04/06/19

Awarded contract with Capgemini to provide Zscaler consultancy.

27/02/19

We specialize in Zscaler Internet and Private Access design, implementation and support. All engineers are Zscaler certified (ZCCA-IA | ZCCA-PA | ZCTA)

17/01/19

We are now a supplier on the ADIRA framework for the Welsh public sector.

21/10/18

We are at Zenith Live 18 this week checking out new Zscaler features and roadmap as well as testing SD-WAN integration with Cisco Viptela and Riverbed. #zenithlive18

01/10/18

We are now a Crown Commercial Service supplier under the Digital Outcomes and Specialists 3 framework.

26/06/18

Training – We provided knowledge transfer and training of Zscaler Internet Access and Private Access services to the organisation’s insourced IT team.

Checkpoint R77.30 to R80.10 Upgrade in Azure

Share this:

Like this:

Related

Published by alexfray

Leave a Reply Cancel reply