topic Re: Changing ISP in Firewall and Security Management

Changing ISP

Fred_Katsumi — Thu, 25 Nov 2021 00:38:18 GMT

Hi,

I have a simple setup with 3 gateways (A, B and C) and 1 management server (M). M is behind A. SIC is established and all VPN tunnels have been up and working for years. M has a static NAT. I'm getting ready to change the ISP of A. Here are the steps I would take to do this.

Login to Gaia on A and update the network interface and the default gateway
Login to SmartConsole and edit the gateway object to update A's IP address, IPSec VPN, VPN Clients, etc.
Update M's NAT
Push policy

My thought is when I push the policy it would install on A but not the others because the trust will break because the B and C have no idea about the ISP change. Would I need to reset SIC on B and C or is there a way to avoid resetting?

Thank you

Fred

Re: Changing ISP

PhoneBoy — Mon, 29 Nov 2021 20:25:23 GMT

SIC is based on certificates, so changing IPs won't be an issue.
If the effective management IP changes for B and C, you'll need to push policy to them as well.

Re: Changing ISP

emmap — Tue, 30 Nov 2021 03:47:35 GMT

You should add a temp rule before you change IPs to ensure the gateways B anc C will accept traffic from the new M NAT IP. They would have an implied rule to accept traffic from the current NAT IP but would likely not accept a policy install from the new NAT IP.

Re: Changing ISP

Fred_Katsumi — Thu, 02 Dec 2021 17:20:54 GMT

Thank you for the pointers. I was able to complete this. As emmap suggested I created a dummy host with the new M NAT IP and created a rule to allow traffic. Installed the policy on all gateways. Then I made all the IP address changes to the gateway A and management M as I outlined above. With the temp rule in place, SIC never broke and I was able to push policy using the new ISP connection.