Silas
Checkpoint problem

I inherited a Checkpoint firewall that had an incorrect configuration. If I go into Checkpoint configuration (where it pulls the IP from the hosts file) and view that IP address section, nothing appears. I changed the external interface to the correct address, edited the hosts file, and tried to go into policy manager, but the firewall tells me the license is not registered to that address, and will not let me in! I see that the license is registered to the public address and cannot be changed without being removed, re-registered, etc. Is this the way it is supposed to be? Also, the authorized GUI client, is that supposed to be an internal client, or the internal address of the firewall? Help!
geoffryn

Yes. Checkpoint licenses are bound to the IP address or host name. If you change the external address, you have to get Checkpoint to re-issue the license. The GUI client can be either on the trusted or untrusted side of the FW. If you put it on the untrusted side, then you may need to create an allow rule for firewall control connections.

ASKER

Can the GUI client be on the same box as the firewall daemon/service? If I can't get into policy manager, how do I set the rule to access the firewall via a control connection?
Yes, the GUI client can be on the firewall. When you access the GUI client you are not accessing the firewall, but the Management station running on the firewall. So as long as you can access the internal port of the firewall, you should be able to open the GUI using the internal interface IP address on the firewall.
The authorized GUI client is the IP address of the remote computer that will access the Management station on the Firewall using the GUI app. In Checkpoint the firewall creates a rule that allows all defined GUI clients to pass traffic through to the Management station, which usually is the external address of the firewall. You need to change everything back to the original external IP address and access it that way. Ignore what I said about using the internal address, I thought you were talking about something else.

ASKER

After changing the external interface address I get a "no license for user interface... cannot connect to server" error. Does this mean I have to re-register before I can even get back in (basically meaning that nothing can be changed in the firewall after the fact without having to deal with Checkpoint)?
ASKER CERTIFIED SOLUTION
jwalsh88


ASKER

It is truly a stupid policy for Checkpoint to activate the license based on a public IP address. What if the ISP changes and the address range is altered? I think I will stick with Cisco products.

ASKER

Jwalsh88: please see my other Checkpoint question. I had another issue with licensing I need to solve.