I am working with a number of Check Point firewalls connected together over an IPsec VPN.
We will be moving over to a new ISP soon, so we will need to change the external IP address of the London firewall. Our security management server is located behind this gateway and is NATed through for policy push/fetch.
If I change the external IP of the London firewall (along with the IP the SMS is NATed to), will the policy push out to all other gateways OK, and will the VPN tunnels come up?
The process I was going to use is:
1. Connect to the London firewall and change the external IP address, gateway DNS etc., and wire it into the new connection.
2. Open the SmartDashboard and run a get interfaces with topology to download this new change; also change the gateway IP address if not already done.
3. Modify NAT rules to reflect the new IP range.
4. Push policy to the London firewall first, then push to all other gateways.
My main concern is that the VPN tunnels won't reestablish to London, or the policy won't push.
Has anyone ever done this or am I missing a step somewhere?
You can have problems with your certificate too. Just renew it, changing the IP address.