Checkpoint external IP change

Last Modified: 2012-05-11
Hi All,
I am working with a number of Checkpoint firewalls connected together over an IPSEC VPN.
We will be moving over to a new ISP soon, so I will need to change the external IP address of the London firewall. Our security management server is located behind this gateway and is NATed through for policy push/fetch.

If I change the external IP of the London firewall (along with the IP the SMS is NATed to), will the policy push out to all other gateways OK, and will the VPN tunnels come up?

The process I was going to use is:
1. Connect to the London firewall and change the external IP address, gateway, DNS etc., and wire it into the new connection.
2. Open the SmartDashboard and run a "get interfaces with topology" to download this new change; also change the gateway IP address if not already done.
3. Modify the NAT rules to reflect the new IP range.
4. Push policy to the London firewall first, then push to all other gateways.

My main concern is that the VPN tunnels won't re-establish to London, or the policy won't push.
Has anyone ever done this, or am I missing a step somewhere?

Thanks
Paul

You can lose the Secure Internal Communication (SIC). If it happens you will need to set up SIC again, then publish the policies (with the new gateway).

You can have problems with your certificate too. Just renew it, changing the IP address.

Author commented:
Hello Antonio,
When you say I can have problems with the certificates, do you mean the ones on the management server?
How would I go about renewing them?

Yes, just the management server certificates. I'm using R65; on this release it is on the VPN setup screen.

Author commented:
Do you mean the certificate on each individual firewall?
I don't see any certificates when I look at the properties of the management server.

If you are using the internal IP on your certificates you don't need to renew it.
You should check/renew only the gateway that will have its IP changed (London, right?).
In the R65 SecurePlatform the gateway certificate management is located on the VPN setup (editing a gateway).

Author commented:
I checked the certificates and they are registered to the firewalls' internal IP, so with that in mind I am guessing I won't need to reissue the cert.
If I have no SIC problems and the policy push works OK, will the VPN tunnels come up with no problems?

If your cert is registered to the internal (private) IP it is OK.
SIC can be an issue. Ensure that you have the activation key of your managed devices.
Another thing that came to my mind is the license. You must check if your license was issued using the private or the public IP. If it is using the public IP you must generate a new license file with the new IP. If you wish to change it to use the private IP address, go ahead.

Covering these three points, the VPN will come up.
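As an added example (not part of this thread, and not Check Point tooling): the three points above, together with the NAT step from the original question, expressed as a pre-change impact check over a constructed gateway inventory. The gateway names, IP addresses, certificate/license bindings and NAT rule strings are all constructed sample data; nothing here reads real gateway state, it only shows which actions the plan must include before the public IP is switched.

```python
"""Pre-change impact check for changing a gateway's public IP.

Added example, not from the thread. It encodes the three points raised in
the answer above (certificate binding, SIC state, license binding) plus the
NAT rule update from the question as a data check. All inventory values are
constructed; no Check Point command is run.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Gateway:
    name: str
    public_ip: str
    internal_ip: str
    cert_ip: str                 # IP the gateway certificate was issued to
    license_ip: str              # IP the license file was generated for
    sic_established: bool = True
    nat_rules: List[str] = field(default_factory=list)  # free-text NAT rules


def impact_of_ip_change(gw: Gateway, new_public_ip: str) -> List[Tuple[str, str]]:
    """Return (category, action) pairs the change plan must cover for this gateway."""
    old = gw.public_ip
    actions: List[Tuple[str, str]] = []

    # Point 1: a certificate bound to the public IP must be renewed; one bound
    # to the private IP is unaffected (the thread's own conclusion).
    if gw.cert_ip == old:
        actions.append(("cert", f"certificate bound to {old}; renew for {new_public_ip}"))

    # Point 2: SIC must be up before policy can be pushed; re-establishing it
    # needs the one-time activation key for the managed device.
    if not gw.sic_established:
        actions.append(("sic", "SIC not established; reset SIC with the activation key before pushing policy"))

    # Point 3: a license issued against the public IP needs a new license file.
    if gw.license_ip == old:
        actions.append(("license", f"license issued for {old}; generate a new license file for {new_public_ip}"))

    # Question step 3: any NAT rule still translating to/from the old address.
    # Match whole addresses, so 203.0.113.1 does not match 203.0.113.10.
    stale = [r for r in gw.nat_rules if old in IPV4.findall(r)]
    if stale:
        actions.append(("nat", f"{len(stale)} NAT rule(s) still reference {old}; update before policy push"))
    return actions


def plan_change(gateways: List[Gateway], changing: str, new_public_ip: str) -> Dict[str, List[Tuple[str, str]]]:
    """Build the per-gateway action list for the whole VPN community.

    Only the changing gateway's own bindings are checked; every peer needs the
    updated peer address pushed so tunnels re-establish (question step 4).
    """
    by_name = {gw.name: gw for gw in gateways}
    target = by_name[changing]
    report = {changing: impact_of_ip_change(target, new_public_ip)}
    for gw in gateways:
        if gw.name != changing:
            report[gw.name] = [("vpn", f"peer {changing} changes from {target.public_ip} to {new_public_ip}; push policy")]
    return report


# Constructed inventory: London matches the thread (cert on the private IP,
# license on the public IP, SMS NATed through the old public address).
LONDON = Gateway("London", "203.0.113.10", "10.1.1.1", cert_ip="10.1.1.1",
                 license_ip="203.0.113.10",
                 nat_rules=["10.1.1.5 (SMS) -> 203.0.113.10", "10.1.1.20 -> 203.0.113.11"])
PARIS = Gateway("Paris", "198.51.100.5", "10.2.1.1", cert_ip="10.2.1.1", license_ip="10.2.1.1")

if __name__ == "__main__":
    for name, actions in plan_change([LONDON, PARIS], "London", "192.0.2.40").items():
        for category, action in actions:
            print(f"{name:8} {category:8} {action}")
```

Run as a script it prints one line per required action; an empty list for the changing gateway means only the peer policy push remains.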

Author commented:
Excellent, thanks Antonio.
I checked the licenses and they're pointing to the internal IP as well, which isn't changing, so that should be OK.
Resetting the SIC on the gateways shouldn't be an issue, but what do you mean by the "activation key of your managed devices"? You don't mean the SIC password, do you, as that is only used once during initial connection?

Author commented:
OK, great.
Thanks very much Antonio.
