topic Re: Change Management IP addresses in Cluster in General Topics

Change Management IP addresses in Cluster

Josh28 — Wed, 28 Oct 2020 10:21:20 GMT

Hi mates,

I have a question for you, just before the week-end 😀

A cluster was configured and sent the our Data Center using temporary non-routed management IP addresses, I don't know why...

So I'd like to change them with the good IP addresses before put them in production but I'm not sure of the good way to do it. I've looked on the documentation and here, but i'm still confused. I thought of the following:

using the console access, change the ip address on the Mgmt Interfaces of each gateway
add the necessary static route for the communication with the CMA
on the smartConsole, edit the object of the gateways and change the IP addresses
Change the IP address of the cluster objet
Get interface without topology and push the policy

Am I missing something, or maybe completely wrong on the procedure ? Worst case scenario I can fresh install the gateways as they are not in production, but I’d rather just change the ip addresses.

Thanks for your help, and have a good week-end.

Edit: the procedure above did the trick, I was able to change the IP addresses of the gateways. Just one thing, as the policy was already pushed on the gateway with the old ip addresses, the communication between the CMA and the gateway wasn't working with the new IPs, they were droped. A fw unloadlocal was necessary to be able to push the new topology and the policy again.

Re: Change Management IP addresses in Cluster

PhoneBoy — Fri, 16 Oct 2020 20:11:26 GMT

That seems like the right procedure to me.

Re: Change Management IP addresses in Cluster

HeikoAnkenbrand — Sat, 17 Oct 2020 17:17:41 GMT

That sounds very good.

If you have another gateway between your gateway you should modify the rules for communication between CMA and gateway. Read more here: R80.x - Ports Used for Communication by Various Check Point Modules

I would do the following before you changes the IP:

Gateway -> Snapshot
MDS -> mds_backup or Snapshot

Then you can rollback everything if necessary.

Re: Change Management IP addresses in Cluster

Josh28 — Tue, 20 Oct 2020 12:37:26 GMT

Hi,

thanks for your feedback. Just to let you know that it did the trick, I was able to change the management IP addresses thank you.

But I'm facing some strange issue now. I was going to upgrade both gateway (in R80.20, I know it should be at least 30 but it's not my decision. And a long story).

Anyway, it went well for the first gateway using a blink upgrade as I did for a few clusters lately. But for the second I get this message:

installer verify 1
Info: Initiating verify of blink_image_1.1_Check_Point_R80.20_T117_JHF_T173_SecurityGateway.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Verifier results Package: blink_image_1.1_Check_Point_R80.20_T117_JHF_T173_SecurityGateway.tgz Clean Install: Installation is allowed. Upgrade: The following results are not compatible with the package:
- Machine's configuration is 'StandAlone'
This image is valid only for Security Gateway upgrade

And I can't use it to upgrade... I guess my former coworker installed it in standalone mode. Do you know if this is something I can change easily or should I just fresh install everything ?

Thanks !

Re: Change Management IP addresses in Cluster

G_W_Albrecht — Tue, 20 Oct 2020 14:04:49 GMT

I would suggest to stay on the safe side with a fresh install !

Re: Change Management IP addresses in Cluster

Josh28 — Tue, 20 Oct 2020 16:28:33 GMT

Yep, but that's what I'd like to avoid ‌😁‌

What I can't understand, it's how the gateway can be in standalone mode, and in the same time managed by a management server, because I was able to add it on a CMA, configure ClusterXL, do the sic and push the policy etc... ‌🤔‌

Can I check somewhere the deployment type actually configured on the GWs ?

Thanks!

Re: Change Management IP addresses in Cluster

jimm — Fri, 08 Oct 2021 05:44:54 GMT

Did you have to re-establish SIC between management and each gateway? I asked Checkpoint how to change the management IPs in a pair of gateways in a cluster. Their advice was to delete the cluster, change the gateways one by one, and recreate the cluster. Seems excessive to me. I'd have expected to be able to just change the IPs on the gateways and on management (via SmartConsole), then re-establish SIC, then push policy.

Re: Change Management IP addresses in Cluster

G_W_Albrecht — Fri, 08 Oct 2021 09:22:37 GMT

This is possible using CLI, and you also can change it. But the command is not supported except when advised by TAC to use it !

My GW gives me:

# cpprod_util FwIsFirewallModule

# cpprod_util FwIsStandAlone

# cpprod_util FwIsFirewallMgmt

You could try the set command:

# cpprod_util FwSetStandAlone 0

Re: Change Management IP addresses in Cluster

JMB77 — Wed, 10 Nov 2021 17:00:36 GMT

i have a similar scenario - i have Management on one particular interface (internal) and i want to change the management to another existing Internal interface. All is routable.

i assume all i need to do is change the Management IP on the cluster nodes.

i wasn't sure if i needed to re-establish SIC on each cluster node - some forums have suggested you do and others have said no.

i was hoping to avoid having to do an fw unloadlocal and wiping the policy as that would trigger an outage to all services using that firewall.