asked on Checkpoint external IP change
Hi All
I am working with a number of checkpoint firewalls connected together over an IPSEC VPN.
We will be moving over to a new ISP soon so will need to change external IP address of the London firewall. Our security management server is located behind this gateway and is NATed through for policy push\fetch.
If I change the external IP of the london firewall (along with the IP the SMS is NATed to) will the policy push out to all other gateways ok and also will the VPN tunnels come up?
The process I was going to use is
1.connect to london firewall and change external IP address, gateway dns etc...and wire it into the new connection
2. open the smart dashboard and run a get interfaces with topology to download this new change, also change the gateway ip address if not already done.
3.modify nat rules to reflect new IP range.
4. push policy to london firewall first, then push to all other gateways
My main concern is that the VPN tunnels wont reestablish to London, or the policy wont push.
Has anyone ever done this or am I missing a step somewhere?
Thanks
Paul
I am working with a number of checkpoint firewalls connected together over an IPSEC VPN.
We will be moving over to a new ISP soon so will need to change external IP address of the London firewall. Our security management server is located behind this gateway and is NATed through for policy push\fetch.
If I change the external IP of the london firewall (along with the IP the SMS is NATed to) will the policy push out to all other gateways ok and also will the VPN tunnels come up?
The process I was going to use is
1.connect to london firewall and change external IP address, gateway dns etc...and wire it into the new connection
2. open the smart dashboard and run a get interfaces with topology to download this new change, also change the gateway ip address if not already done.
3.modify nat rules to reflect new IP range.
4. push policy to london firewall first, then push to all other gateways
My main concern is that the VPN tunnels wont reestablish to London, or the policy wont push.
Has anyone ever done this or am I missing a step somewhere?
Thanks
Paul
Hardware FirewallsSoftware FirewallsVPN
Last Comment
paulbelsham
ASKER
Hello Antonio
When you say I can have problems with the certificates do you mean the ones on the management server?
How would I go about renewing them?
When you say I can have problems with the certificates do you mean the ones on the management server?
How would I go about renewing them?
Yes, just the management server certificates. I'm using the R65, on this release it is at VPN setup screen.
ASKER
Do you mean the certificate on each individual firewall?
I dont see any certificates when I look at the properties of the management server.
I dont see any certificates when I look at the properties of the management server.
If you are using the internal IP on your certificates you don't need to renew it.
You should check/renew only the gateway that will have its IP changed (London, right?)
In the R65 Security Platform the gateway certificate management is located on the VPN setup (editing a gateway).
You should check/renew only the gateway that will have its IP changed (London, right?)
In the R65 Security Platform the gateway certificate management is located on the VPN setup (editing a gateway).
ASKER
I checked the certificates and they are registered to the firewalls internal IP so with that in mind I am guessing I wont need to reissue the cert.
If I have no SIC problems and the policy push works ok will the VPN tunnels come up with no problems?
If I have no SIC problems and the policy push works ok will the VPN tunnels come up with no problems?
If your cert is registered to the internal (private) IP it is OK.
SIC can be a issue. Ensure that you have the activation key of your managed devices.
Another think that came to my mind is the lisence. You must check if your lisence was issued using the private or the public IP. If it is using the public IP you must generate a new lisence file with the new IP. If you wish change it to use the private IP address, go ahead.
Covering these three points, the VPN will come up.
SIC can be a issue. Ensure that you have the activation key of your managed devices.
Another think that came to my mind is the lisence. You must check if your lisence was issued using the private or the public IP. If it is using the public IP you must generate a new lisence file with the new IP. If you wish change it to use the private IP address, go ahead.
Covering these three points, the VPN will come up.
ASKER
Excellent thanks Antonio
I checked the licenses and they're pointing to the internal IP as well which isn't changing so that should be ok.
Resetting the SIC on the gateways shouldn't be an issue but what do you mean by the "activation key of your managed devices" you dont mean the SIC password do you as that is only used once during initial connection?
I checked the licenses and they're pointing to the internal IP as well which isn't changing so that should be ok.
Resetting the SIC on the gateways shouldn't be an issue but what do you mean by the "activation key of your managed devices" you dont mean the SIC password do you as that is only used once during initial connection?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
ok great.
Thanks very much Antonio
Thanks very much Antonio
You can have problens with your certificate too. Just renew it, changing the IP address.