paulbelsham (United Kingdom) asked:

Checkpoint external IP change

Hi All
I am working with a number of Check Point firewalls connected together over an IPsec VPN.
We will be moving over to a new ISP soon, so we will need to change the external IP address of the London firewall. Our Security Management Server is located behind this gateway and is NATed through it for policy push/fetch.

If I change the external IP of the London firewall (along with the IP the SMS is NATed to), will the policy push out to all other gateways OK, and will the VPN tunnels come up?

The process I was going to use is:
1. Connect to the London firewall and change the external IP address, gateway, DNS, etc., and wire it into the new connection.
2. Open SmartDashboard and run "Get Interfaces with Topology" to download this new change; also change the gateway IP address if not already done.
3. Modify the NAT rules to reflect the new IP range.
4. Push policy to the London firewall first, then push to all other gateways.

My main concern is that the VPN tunnels won't re-establish to London, or the policy won't push.
Has anyone ever done this or am I missing a step somewhere?

AntonioAlmeida (Brazil):

You can lose the Secure Internal Communication (SIC). If that happens you will need to set up SIC again and then publish the policies (with the new gateway).

You can have problems with your certificate too. Just renew it, changing the IP address.
paulbelsham:

Hello Antonio
When you say I can have problems with the certificates do you mean the ones on the management server?
How would I go about renewing them?
AntonioAlmeida:

Yes, just the management server certificates. I'm using R65; on this release it is on the VPN setup screen.
paulbelsham:

Do you mean the certificate on each individual firewall?
I don't see any certificates when I look at the properties of the management server.
AntonioAlmeida:

If you are using the internal IP on your certificates you don't need to renew it.
You should check/renew only the gateway that will have its IP changed (London, right?)
In the R65 Security Platform the gateway certificate management is located on the VPN setup (editing a gateway).
paulbelsham:

I checked the certificates and they are registered to the firewall's internal IP, so with that in mind I am guessing I won't need to reissue the cert.
If I have no SIC problems and the policy push works OK, will the VPN tunnels come up with no problems?
AntonioAlmeida:

If your cert is registered to the internal (private) IP it is OK.
SIC can be an issue. Ensure that you have the activation key of your managed devices.
Another thing that came to my mind is the license. You must check if your license was issued using the private or the public IP. If it is using the public IP you must generate a new license file with the new IP. If you wish to change it to use the private IP address, go ahead.

Covering these three points, the VPN will come up.
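The four-step cutover procedure in the question and the three checks Antonio lists above (SIC, certificate, license) as an added example, not code from this thread or from Check Point: a POSIX shell script that runs the pre-cutover gate (no license tied to the retiring external IP, SIC trust established) and the post-cutover check (gateway holds a real policy rather than InitialPolicy) offline over captured command output. The IP addresses and the sample outputs of `cplic print`, `cp_conf sic state` and `fw stat` are constructed; those three are real Check Point commands, but the column layouts and wording parsed here are assumptions, so compare them with what your own release prints before relying on the patterns.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point. Pre- and post-cutover checks
# for the London external IP change, driven by captured text so the script runs offline.
# cplic print, cp_conf sic state and fw stat are real Check Point commands, but the output
# layouts parsed below are ASSUMED from the constructed samples; verify against your release.

OLD_EXT_IP="203.0.113.10"   # constructed: London external IP retired by the ISP move
INT_IP="10.0.0.1"           # constructed: London internal IP that licenses should be tied to

# Constructed `cplic print` output (assumed columns: Host  Expiration  Features).
SAMPLE_LICENSES='Host            Expiration  Features
10.0.0.1        never       CPSB-FW CPSB-VPN CPSB-IPS
203.0.113.10    31Dec2025   CPSB-NPM'

# Constructed `cp_conf sic state` outputs (assumed wording).
SAMPLE_SIC_OK='Trust State: Trust established'
SAMPLE_SIC_BAD='Trust State: Initialized but trust not established'

# Constructed `fw stat` outputs (assumed columns: HOST  POLICY  DATE).
SAMPLE_FWSTAT_OK='HOST      POLICY    DATE
localhost Standard  20Jan2025 10:15:03 : [>eth0] [<eth0] [>eth1] [<eth1]'
SAMPLE_FWSTAT_LOST='HOST      POLICY         DATE
localhost InitialPolicy  20Jan2025 11:02:44 : [>eth0] [<eth0]'

# Prints the number of license lines whose Host column is exactly $1.
# Usage: licenses_bound_to <ip> <cplic-print-output>
licenses_bound_to() {
    printf '%s\n' "$2" | awk -v ip="$1" 'NR > 1 && $1 == ip { n++ } END { print n + 0 }'
}

# Returns 0 if SIC trust with the management server is established.
# Usage: sic_trusted <cp_conf-sic-state-output>
sic_trusted() {
    printf '%s\n' "$1" | grep -qi 'trust established'
}

# Prints the installed policy name; returns 1 if the gateway fell back to
# InitialPolicy/defaultfilter (what you see when the push failed or SIC broke).
# Usage: policy_installed <fw-stat-output>
policy_installed() {
    pol=$(printf '%s\n' "$1" | awk 'NR == 2 { print $2 }')
    printf '%s\n' "$pol"
    case "$pol" in
        InitialPolicy|defaultfilter|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Pre-cutover gate: 0 only if no license is bound to the retiring IP AND SIC trust is up.
# Usage: precutover_ok <retiring-ip> <cplic-print-output> <cp_conf-sic-state-output>
precutover_ok() {
    [ "$(licenses_bound_to "$1" "$2")" -eq 0 ] && sic_trusted "$3"
}

# Stand-alone run over the constructed samples.
if precutover_ok "$OLD_EXT_IP" "$SAMPLE_LICENSES" "$SAMPLE_SIC_OK"; then
    echo "pre-cutover: OK, go ahead with step 1"
else
    echo "pre-cutover: $(licenses_bound_to "$OLD_EXT_IP" "$SAMPLE_LICENSES") license(s) bound to $OLD_EXT_IP; reissue them for $INT_IP or the new IP before changing the address"
fi
if policy_installed "$SAMPLE_FWSTAT_LOST" >/dev/null; then
    echo "post-cutover: policy installed, proceed to push to the other gateways"
else
    echo "post-cutover: gateway is on InitialPolicy; reset SIC with the activation key if needed, then push policy to London first"
fi
```

On a real gateway you would feed the functions with `"$(cplic print)"`, `"$(cp_conf sic state)"` and `"$(fw stat)"` from expert mode instead of the constructed strings; the point of the gate is to run it before step 1, since a license or SIC problem is far cheaper to fix while the old address still works.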
paulbelsham:

Excellent, thanks Antonio.
I checked the licenses and they're pointing to the internal IP as well, which isn't changing, so that should be OK.
Resetting the SIC on the gateways shouldn't be an issue, but what do you mean by the "activation key of your managed devices"? You don't mean the SIC password, do you, as that is only used once during the initial connection?
AntonioAlmeida:

This solution is only available to members of Experts Exchange.
paulbelsham:

OK, great.
Thanks very much Antonio.