Replacing Checkpoint FW with MX105
Replacing existing FW with MX105. Inherited a 100% remote project that has Meraki devices already connected (all still on default VLAN 1), but the MX has the same public IP as the legacy FW, and already has the same L3 VLAN SVIs & DHCP configured. How can I test connectivity to Active Directory, etc. with this setup? I'd prefer to readdress the Meraki gear (and remove the SVIs), but I'm afraid of losing connectivity to the Meraki devices. There's also an MS switch that's connected to a legacy Catalyst 3750. Is there any way to run both FWs in parallel, and still be able to reach some of the internal resources?
It's kind of complicated, because you'll need to put the MX on the network one way or another, so in order not to cause any problems, my suggestion is to do the tests in a maintenance window.
Please, if this post was useful, leave your kudos and mark it as solved.
I have a connection from each legacy Cisco device to another Meraki switch, but it allows me to trunk only VLAN 1. When I add other VLANs, I lose connectivity.
Without a detailed topology it's almost impossible to help you.
Please, if this post was useful, leave your kudos and mark it as solved.
I understand, but basically I'm trying to route all traffic through Meraki, but leave the Cisco switches connected and move over slowly.
Legacy/Existing: Non-Meraki FW (L3) > Cisco core and access switches (all layer 2).
New Environment: Meraki MX (Layer 3) > Meraki access switches (all layer 2).
Both environments are accessible but isolated (there is one uplink between the 2). The MX has a separate public IP (same subnet). Trying to migrate without taking down the existing environment, and do as much pre-config work as possible. Meraki can't access current LAN resources (AD, etc.).
But if it's isolated, how do you want to access the servers? That is, you need to have at least one link between the existing Firewall and the MX to create the routes. Considering that the current Firewall is the gateway of the network, otherwise the link must be with the Switch Core.
Please, if this post was useful, leave your kudos and mark it as solved.
If you don't have maintenance windows, you could put the MX behind the Checkpoint and migrate controls one at a time, or alongside if you have enough spare public IPs (this is what we do when changing edge firewall vendors). You can easily migrate inbound services this way, but outbound is still generally a cut-over.
Thanks for the input, guys. I don't have a maintenance window, as this is an entire town and all its government resources. Also, with me not being on site, I have to be even more cautious...
I'm considering getting everything migrated to the new Meraki switches first, but leaving the CP firewall in place. Once stable, then carefully adding the MX. How do I stand up the MX at the same time, but without interrupting? Can I do a passthrough or possibly a VPN between the firewalls? I was able to change the MX to a different public IP (same subnet as the CP FW).
> Is there any way to run both FWs in parallel, and still be able to reach some of the internal resources?
Not unless you are prepared to change the internal IP addressing and migrate all the devices from the old to the new system.
Seems odd that if this system is so critical there is no redundancy or allowance for maintenance windows...
It sounds like you might have to fly this one by the seat of your pants.
It might also be possible to collect the data on the Check Point appliance using custom scripts, etc.
Afterwards you get an overview of the config and can figure out how to migrate it.
I mean, when dealing with DHCP reservations, that's obvious; you might need to reformat a CSV.
But when dealing with security and protocol stuff, each vendor has its own ideas.
Have a look at the Check Point community: https://community.checkpoint.com/t5/Management/Script-to-run-migrate-export-backup/td-p/23512
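For the CSV reformatting step mentioned above, here is an added example (not from this thread, Check Point or Meraki tooling) that pre-checks an exported DHCP reservation list against the VLAN subnets before it is re-entered on the new L3 gateway; the CSV columns, MAC spellings and subnets are constructed.

```python
# Added example: pre-flight check on DHCP reservations exported from the
# legacy firewall. The CSV layout and VLAN subnets below are constructed.
import csv
import io
import ipaddress

# Constructed: VLAN -> subnet; the first host of each is the SVI/gateway.
VLAN_SUBNETS = {1: ipaddress.ip_network("10.10.1.0/24"),
                20: ipaddress.ip_network("10.10.20.0/24")}

# Constructed export using the MAC spellings different vendors emit.
SAMPLE_CSV = """hostname,mac,ip,vlan
dc01,00-1A-2B-3C-4D-5E,10.10.1.10,1
print01,001a.2b3c.4d5f,10.10.20.50,20
badmac,00:1A:2B:3C:4D,10.10.20.51,20
dup-ip,00:1a:2b:3c:4d:60,10.10.1.10,1
gw-clash,00:1a:2b:3c:4d:61,10.10.20.1,20
wrong-vlan,00:1a:2b:3c:4d:62,10.10.1.77,20
"""

def normalize_mac(raw):
    # Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:...; return lower colon form.
    digits = "".join(c for c in raw if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def check_reservations(text, subnets):
    # Returns (valid_rows, errors); valid rows carry the normalized MAC.
    valid, errors, seen_mac, seen_ip = [], [], set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        name, mac, vlan = row["hostname"], normalize_mac(row["mac"]), int(row["vlan"])
        try:
            ip = ipaddress.ip_address(row["ip"])
        except ValueError:
            errors.append(f"{name}: bad ip {row['ip']}")
            continue
        net = subnets.get(vlan)
        if mac is None:
            errors.append(f"{name}: bad mac {row['mac']}")
        elif net is None:
            errors.append(f"{name}: unknown vlan {vlan}")
        elif ip not in net:
            errors.append(f"{name}: {ip} outside vlan {vlan} subnet {net}")
        elif ip == net[1]:
            errors.append(f"{name}: {ip} is the gateway/SVI address")
        elif mac in seen_mac or ip in seen_ip:
            errors.append(f"{name}: duplicate mac or ip")
        else:
            seen_mac.add(mac); seen_ip.add(ip)
            valid.append({"hostname": name, "mac": mac, "ip": str(ip), "vlan": vlan})
    return valid, errors
```

Running `check_reservations(SAMPLE_CSV, VLAN_SUBNETS)` on the constructed export keeps dc01 and print01 and rejects the other four rows with a reason each.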
Does anyone have a sort of "migration checklist" they can share? I'm just trying to avoid overlooking something.
