• Status: Solved

Change of ISP, what to do?

I am a newbie to firewall configuration. We are using a Nokia firewall with Checkpoint NG version. Recently, we changed our ISP and thus need to update our firewall with the new ISP network settings. Does anyone know:

1. What type of data to change in the firewall?
2. Do I need to enter the IP of my router?
3. I checked the current settings in Checkpoint and all I find is the external IP address of the firewall. There is no mention of the router IP. Where to find it?
4. Do I need to assign a new external IP address provided by the new ISP to my firewall?
5. Do I need to enter other information like subnet, gateway, pri DNS and sec DNS in the firewall?

Thanks.
Asked: simonlai

1 Solution
 
Keith Alabaster Commented:
1. You may not need to change anything on your firewall. If the router is handling all redirection, this may be the only place that would need changes, i.e. the external router IP will need to be associated with the IP range/address & subnet given to you by the new ISP.

2. Yes. The ISP will give you a new IP address/subnet or range to use. One of these needs to be assigned to your external router interface.

3. As per point 1.

4. No, not by the sound of it. You can tell though by comparing the external IP address of the firewall with the external IP address of the router. Are they on the same network ID and subnet mask? If yes, then all of the addresses mentioned so far (external firewall IP, internal router and external router) will need to be changed accordingly. If no, then there is no need to change any address for the firewall itself.

5. Changes you MAY need to make.
On your internal DNS, you may need to change your forwarders to the new ISP's DNS servers.
If you have any objects in the Checkpoint firewall that reference the existing ISP addresses, these will need changing accordingly.
The default gateway on your router may need its IP address changing to the new ISP's default gateway.
If you host your own mail server or web server internally, you will need to get any A records such as www etc and your MX records for email delivery amended so that they point to the new external router IP address.

Regards

Keith
0
 
simonlai (Author) Commented:
Hi Keith,

Thanks for your reply. Can I also check on the following:

1. The new ISP is providing me with its own router, I can't change anything in it.
2. I was given a range of IP addresses to use, does that mean that I can choose any one for my external firewall IP? They have also assigned one of the IPs for the router.
3. With regards to your pt4 above, the current external IP and subnet of the firewall is different from the external IP and subnet of the new router. Does that mean that I need to change it to the one assigned by the new ISP?
4. You mention in pt5 above that I need to change the forwarder in my DNS to the new ISP DNS server, do you know where to go about doing that?
5. My email server is hosted internally. Where do I key in the A record mentioned above?

Thanks and regards
Simon
0
 
Keith Alabaster Commented:
1. Point noted; fair enough.
2. If they have given a range of IPs for you to use, pick one of the usable group and this will need to go on the external interface of your firewall with the relevant subnet mask. The default gateway will be the address that is assigned to the ISP's router.
3. See point 2.
4. Open the DNS manager on the server that hosts your internal DNS. (There may be more than one but only you will know that.) DNS manager is found in Start - Administrative Tools - DNS from the Start menu.
Open the DNS manager.
Right-click your server and select Properties.
Select the Forwarders tab.
Change the IPs to your new ISP's DNS server IP addresses.

5. Who hosts your external DNS? It will be this organisation you need to contact. You need to change 1 record.
a) The A record for your mail server (it will now have a new IP address, the one you have placed on the outside of your firewall probably).
b) The MX record actually won't need changing as it will still be the same FQDN, i.e. yourmailserver.yourdomain.com
0
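
An added example, not part of the thread or either poster's own work: a pre-change check for the readdressing described in the answer above (pick a usable address from the ISP range, use its subnet mask, and point the default gateway at the ISP router). The function name `plan_external_interface` is hypothetical and all addresses are constructed samples from the documentation ranges.

```python
import ipaddress

def plan_external_interface(current_fw_if, isp_block, isp_router_ip, chosen_fw_ip):
    """Validate a planned firewall external-interface change before applying it.

    Returns the settings to enter plus a list of problems found in the plan.
    """
    current = ipaddress.ip_interface(current_fw_if)   # current external IP/prefix
    block = ipaddress.ip_network(isp_block)           # raises if host bits are set
    router = ipaddress.ip_address(isp_router_ip)
    chosen = ipaddress.ip_address(chosen_fw_ip)

    problems = []
    if router not in block:
        problems.append("ISP router address is outside the assigned block")
    if chosen not in block:
        problems.append("chosen firewall address is outside the assigned block")
    elif block.prefixlen < 31 and chosen in (block.network_address,
                                             block.broadcast_address):
        problems.append("chosen firewall address is the network or broadcast address")
    if chosen == router:
        problems.append("chosen firewall address is already used by the ISP router")

    return {
        # The firewall needs a new external address when its current external
        # network does not contain the new ISP router (the next hop).
        "readdress_needed": router not in current.network,
        "address": str(chosen),
        "netmask": str(block.netmask),
        "default_gateway": str(router),
        "problems": problems,
    }

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
OLD_FW = "192.0.2.10/28"       # current external interface of the firewall
NEW_BLOCK = "203.0.113.8/29"   # range handed out by the new ISP
NEW_ROUTER = "203.0.113.9"     # address the ISP assigned to its own router

if __name__ == "__main__":
    for candidate in ("203.0.113.10", "203.0.113.9", "203.0.113.15", "203.0.113.20"):
        plan = plan_external_interface(OLD_FW, NEW_BLOCK, NEW_ROUTER, candidate)
        print(candidate, plan["problems"] or "ok", plan["netmask"], plan["default_gateway"])
```

Running the check before touching the live interface catches an address that collides with the ISP router or falls on the broadcast address, either of which would leave the firewall unreachable from outside after the change.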
 
simonlai (Author) Commented:
Hi Keith,

I can't test your answer yet as I cannot take down the connection at the moment, but thanks a lot for your answer. You are really a great help. Appreciate it.
0
 
Keith Alabaster Commented:
You are welcome. If we can help further when the time comes, you know where we are :)

Regards
K
0
 
simonlai (Author) Commented:
Keith,

This is very urgent, can I check if you are familiar with the Nokia Checkpoint firewall? I have changed some settings and now I can't ping the firewall from any of my servers.
0
 
Keith Alabaster Commented:
What's the problem?
What have you changed?
0
 
simonlai (Author) Commented:
Hi there, I have a Nokia IP350 firewall, in which I changed some settings from the web-based Voyager, which are as follows:

1. Change the IP interface for one of the ports
2. Add in a static route
3. Change the "host address assignment" IP

After changing, I did a reboot of the firewall.

Now I can't ping the firewall from my servers. I can't use Voyager to change back the settings. Can you help urgently? Thanks a lot.
0
 
simonlai (Author) Commented:
I can use telnet to log on to the firewall, but I'm stuck there...
0
 
simonlai (Author) Commented:
I can ping the rest of the servers from the firewall, not the reverse. Is there any way to revert the changes?
0
 
Keith Alabaster Commented:
You rebooted the firewall? Did you test all the connectivity first?

I am assuming that nothing on the INSIDE of the network has changed. The fact that you can ping servers on the inside means at least that traffic is flowing correctly.

What is the static route that you have added?
I have to say that now is not the best time to explain to me that this is a hosted site and not a site that is local to you...

Can you RDP onto any of the servers?
0
 
Keith Alabaster Commented:
Also, has the ISP allowed all the ports through their new router?
0
 
simonlai (Author) Commented:
Hi Keith,

I have solved the problem, I think one of the rules is blocking access. I have cleared and reverted back to the old setting. But have still not changed the new ISP setting. Anyway, that can wait. Thanks again.

I can sleep in peace tonight.. haha
0
 
Keith Alabaster Commented:
:) lol
0
