topic Re: changing IP address on security gateway and SIC in Firewall and Security Management

changing IP address on security gateway and SIC

marcinw — Mon, 19 Apr 2021 09:37:35 GMT

Hi,

I need to set up CHeckpoint GW as VPN edge for remote location and I am wondering if I set up community vpn between gateway and SMS and on the day of shipping the Gateway I will change IP address of WAN GW interface do I have to reestablish SIC or everything will be working out of the box ?

Re: changing IP address on security gateway and SIC

vinceneil666 — Mon, 19 Apr 2021 10:33:55 GMT

SIC operates on certificates, so you should be fine.

Re: changing IP address on security gateway and SIC

Bob_Zimmerman — Mon, 19 Apr 2021 13:42:27 GMT

While this is true, the mention of VPNs concerns me a little. Traffic between the management server and the firewall cannot go over a VPN. The firewall needs to talk to the management server to bring a VPN up, and if the VPN needs to be up to talk to the management, it won't be able to.

Re: changing IP address on security gateway and SIC

G_W_Albrecht — Mon, 19 Apr 2021 13:47:08 GMT

You will have to change the GW IP in Dashboard, of course...

Re: changing IP address on security gateway and SIC

G_W_Albrecht — Mon, 19 Apr 2021 13:49:17 GMT

With VPN you have traffic between two GWs, not the SMS - so if VPN Domain is defined correctly, it will work.

Re: changing IP address on security gateway and SIC

Bob_Zimmerman — Mon, 19 Apr 2021 14:25:48 GMT

Except the firewall has to fetch the CRL from the management. If that fails, the VPN won't come up. Thus, the remote firewall must be able to talk to the management server without the VPN.

Re: changing IP address on security gateway and SIC

Timothy_Hall — Mon, 19 Apr 2021 14:49:03 GMT

SIC does indeed operate with certificates and cares not about the IP addresses involved, BUT there is an implied rule on the firewall that allows only the known IP address of the SMS to talk to the known IP addresses of the firewall for management traffic such as SIC and policy installs. If you change any elements of this you may run afoul of this implied rule, and be forced to perform a fw unloadlocal on the firewall for SIC to start working after an IP change.

To avoid this, create an temporary explicit rule at the top of your rulebase ahead of time and install it to the gateway *prior* to the WAN IP change:

Src: SMS (and/or SMS NAT address)

Dst: Any

Service: Any

Action: Accept

Once the WAN IP change is made and you successfully install policy to the gateway under the new config, the implied rule will be updated (assuming you correctly changed the firewall's WAN address on the firewall/cluster object) and this temporary explicit rule can be removed.

Re: changing IP address on security gateway and SIC

velo — Tue, 01 Oct 2024 08:37:03 GMT

I can confirm you're 100% correct here, this is exactly what happens, because it happened to me 😊