Replacing Checkpoint FW with MX105

navysubvet
Here to help

Replacing existing FW with MX105. Inherited a 100% remote project that has Meraki devices already connected (all still on default VLAN 1), but the MX has the same public IP as the legacy FW, and already has the same L3 VLAN SVIs & DHCP configured. How can I test connectivity to Active Directory, etc. with this setup? I'd prefer to readdress the Meraki gear (and remove the SVIs), but I'm afraid of losing connectivity to the Meraki devices. There's also an MS switch that's connected to a legacy Catalyst 3750. Is there any way to run both FWs in parallel, and still be able to reach some of the internal resources?

12 Replies
alemabrahao
Kind of a big deal

It's kind of complicated, because you'll need to put the MX on the network one way or another, so in order not to cause any problems, my suggestion is to do the tests in a maintenance window.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
navysubvet
Here to help

I have a connection from each legacy Cisco device to another Meraki switch, but it allows me to trunk only VLAN 1. When I add other VLANs, I lose connectivity.

alemabrahao
Kind of a big deal

Without a detailed topology it's almost impossible to help you.

navysubvet
Here to help

I understand, but basically I'm trying to route all traffic through Meraki, but leave the Cisco switches connected and move over slowly.

Legacy/Existing: Non-Meraki FW (L3) > Cisco core and access switches (all layer 2).

New Environment: Meraki MX (Layer 3) > Meraki access switches (all layer 2).

Both environments are accessible but isolated (there is one uplink between the two). The MX has a separate public IP (same subnet). Trying to migrate without taking down the existing environment, and do as much pre-config work as possible. Meraki can't access current LAN resources (AD, etc.).

alemabrahao
Kind of a big deal

But if it's isolated, how do you want to access the servers? That is, you need to have at least one link between the existing firewall and the MX to create the routes, considering that the current firewall is the gateway of the network; otherwise the link must be with the core switch.

cmr
Kind of a big deal

If you don't have maintenance windows, you could put the MX behind the Checkpoint and migrate controls one at a time, or alongside it if you have enough spare public IPs (this is what we do when changing edge firewall vendors). You can easily migrate inbound services this way, but outbound is still generally a cut-over.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
navysubvet
Here to help

Thanks for the input, guys. I don't have a maintenance window, as this is an entire town and all its government resources. Also, with me not being on site, I have to be even more cautious...

navysubvet
Here to help

I'm considering getting everything migrated to the new Meraki switches first, but leaving the CP firewall in place. Once stable, then carefully adding the MX. How do I stand up the MX at the same time, but without interrupting? Can I do a passthrough or possibly a VPN between the firewalls? I was able to change the MX to a different public IP (same subnet as the CP FW).

PhilipDAth
Kind of a big deal

> Is there any way to run both FWs in parallel, and still be able to reach some of the internal resources?

Not unless you are prepared to change the internal IP addressing and migrate all the devices from the old to the new system.

BlakeRichardson
Kind of a big deal

Seems odd that if this system is so critical there is no redundancy or allowance for maintenance windows...

It sounds like you might have to fly this one by the seat of your pants.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
MerryAki
Building a reputation

It might also be possible to collect the data on the Check Point appliance using custom scripts, etc.
Afterwards you get an overview of the config and can figure out how to migrate it.

I mean, when dealing with DHCP reservations, that's obvious; you might need to reformat a CSV.
But when dealing with security and protocol stuff, each vendor has its own ideas.
Have a look at the Check Point community: https://community.checkpoint.com/t5/Management/Script-to-run-migrate-export-backup/td-p/23512

navysubvet
Here to help

Does anyone have a sort of "migration checklist" they can share? I'm just trying to avoid overlooking something.
