
Checkpoint external IP change

Hi All
I am working with a number of Checkpoint firewalls connected together over an IPSEC VPN.
We will be moving over to a new ISP soon, so will need to change the external IP address of the London firewall. Our security management server is located behind this gateway and is NATed through for policy push/fetch.

If I change the external IP of the London firewall (along with the IP the SMS is NATed to), will the policy push out to all other gateways OK, and also will the VPN tunnels come up?

The process I was going to use is:
1. Connect to the London firewall and change the external IP address, gateway, DNS etc., and wire it into the new connection.
2. Open the SmartDashboard and run a "get interfaces with topology" to download this new change; also change the gateway IP address if not already done.
3. Modify NAT rules to reflect the new IP range.
4. Push policy to the London firewall first, then push to all other gateways.

My main concern is that the VPN tunnels won't re-establish to London, or the policy won't push.
Has anyone ever done this or am I missing a step somewhere?

Tags: Hardware Firewalls, Software Firewalls, VPN


8/22/2022 - Mon

You can lose the Secure Internal Communication (SIC). If it happens you will need to set up SIC again, then publish the policies (with the new gateway).

You can have problems with your certificate too. Just renew it, changing the IP address.

Hello Antonio
When you say I can have problems with the certificates do you mean the ones on the management server?
How would I go about renewing them?

Yes, just the management server certificates. I'm using R65; on this release it is on the VPN setup screen.

Do you mean the certificate on each individual firewall?
I don't see any certificates when I look at the properties of the management server.

If you are using the internal IP on your certificates you don't need to renew it.
You should check/renew only the gateway that will have its IP changed (London, right?).
In the R65 Security Platform the gateway certificate management is located on the VPN setup (editing a gateway).

I checked the certificates and they are registered to the firewalls' internal IP, so with that in mind I am guessing I won't need to reissue the cert.
If I have no SIC problems and the policy push works OK, will the VPN tunnels come up with no problems?

If your cert is registered to the internal (private) IP it is OK.
SIC can be an issue. Ensure that you have the activation key of your managed devices.
Another thing that came to my mind is the license. You must check if your license was issued using the private or the public IP. If it is using the public IP you must generate a new license file with the new IP. If you wish to change it to use the private IP address, go ahead.

Covering these three points, the VPN will come up.

Excellent, thanks Antonio.
I checked the licenses and they're pointing to the internal IP as well, which isn't changing, so that should be OK.
Resetting the SIC on the gateways shouldn't be an issue, but what do you mean by the "activation key of your managed devices"? You don't mean the SIC password, do you, as that is only used once during the initial connection?


OK, great.
Thanks very much Antonio.