https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241736#M46933 <P>Hi PhoneBoy,</P><P>Thanks for your reply , so senerio is simple that we have management in different location and gateway in other location they are working 81.10 version and we have to add the gateway with management checkpoint through ipsec.</P><P>&nbsp;</P> Thu, 20 Feb 2025 04:24:51 GMT AnkitBhandari 2025-02-20T04:24:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241641#M46906 <P>Hi Friends,</P><P>I am facing a issue that we got a project&nbsp;to replace the existing check point firewall and place the new check point but check point management is on Delhi and check point getaway is on Pune. Exiting was ipsec connectivity between gateway and management so how will I replace the Exiting firewall without or without snapshot backup?</P> Wed, 19 Feb 2025 10:29:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241641#M46906 AnkitBhandari 2025-02-19T10:29:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241704#M46917 <P>More details about the existing environment are needed:</P> <UL> <LI>Appliances and Software versions used currently (version/JHF levels)</LI> <LI>Appliances you are adding/replacing</LI> <LI>A simple network diagram showing all components</LI> <LI>Confirming someone didn’t disable the various implied rules to force management traffic through VPN (easy enough to see with a tcpdump on the external interface when, say, pushing policy or when the remote gateway sends logs).</LI> </UL> <P>&nbsp;</P> Wed, 19 Feb 2025 16:14:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241704#M46917 PhoneBoy 2025-02-19T16:14:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241735#M46932 <P>In case like that, I would get show configuration fdrom existing gateway and copy "bits and pieces" to new fw clish config, as long as you make sure relevant interfaces match. Unless its same hardware, backup/restore method would not sadly work.&nbsp;</P> <P>Otherwise, you could technically try below method, though it was written for a cluster, but I did use it for single appliances as well.</P> <P>Andy</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/157228#M27268" target="_blank">Solved: Re: Replace/Upgrade Cluster - Check Point CheckMates</A></P> Thu, 20 Feb 2025 04:12:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241735#M46932 the_rock 2025-02-20T04:12:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241736#M46933 <P>Hi PhoneBoy,</P><P>Thanks for your reply , so senerio is simple that we have management in different location and gateway in other location they are working 81.10 version and we have to add the gateway with management checkpoint through ipsec.</P><P>&nbsp;</P> Thu, 20 Feb 2025 04:24:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241736#M46933 AnkitBhandari 2025-02-20T04:24:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241770#M46950 <P>Putting management traffic (which is already encrypted, FYI) through a VPN is not recommended as it requires editing implied rules and&nbsp;you can end up in a situation where it is impossible to manage your remote gateway if the VPN is down.<BR />The official procedure for doing this is in an internal SK (sk115215) that requires consultation with TAC.</P> <P>See also these public threads on CheckMates:</P> <UL> <LI><A href="https://community.checkpoint.com/t5/Management/Exclude-CPM-traffic-from-implied-rules/m-p/3934#M452" target="_blank">https://community.checkpoint.com/t5/Management/Exclude-CPM-traffic-from-implied-rules/m-p/3934#M452</A></LI> <LI><A href="https://community.checkpoint.com/t5/Management/Exclude-CPM-Traffic-from-Implied-Rules/m-p/9187#M1452" target="_blank">https://community.checkpoint.com/t5/Management/Exclude-CPM-Traffic-from-Implied-Rules/m-p/9187#M1452</A>&nbsp;</LI> </UL> Thu, 20 Feb 2025 12:48:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241770#M46950 PhoneBoy 2025-02-20T12:48:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241772#M46951 <P>I definitely misunderstood your question. Yes, what Phoneboy said is 100% correct.</P> <P>Andy</P> Thu, 20 Feb 2025 12:52:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-connectivity-between-management-amp-gateway-over-vpn/m-p/241772#M46951 the_rock 2025-02-20T12:52:29Z