Iron

Managing gateways via Public IP.

Hi,

 

I have got myself confused.

 

I am currently managing gateways via private address ranges which are delivered over VPNs.

I have 1 central management, and it connects to all gateways on a private 192.168 address which is on the VPN domain. I know this is bad practice.

 

How do I go about managing the gateways via the public IP address and the external interface? Feel like I’m missing something very easy.

8 Replies
Pearl

To which IP did you establish SIC to the gateways? Probably not the private IP.

0 Kudos
Iron

Unsure. Wasn’t myself that did the initial config. IP address of the cluster on the cluster object is the management address (192.168.xxx.xxx).

Is it as easy as changing the object IP address to the public IP residing on that device?

0 Kudos
Employee++

 

Also, what's the designated Mgmt interface set as in the GAiA Web UI / CLI of the Gateway currently?

0 Kudos
Iron

Private internal address
0 Kudos

It is as simple as that, make sure your Management server (external) IP (on those gateways) routes towards the internet and that your gateways trust this IP as the management server.
We run a staging room here where we prep gateways before shipping them to the sites, all we do is make sure routing is adjusted on the gateway and the IP is adjusted in the object.
Next to that, issue this command on the gateway:
set management interface eth1
Presuming eth1 is your internet Interface.
Regards, Maarten
0 Kudos
Silver

All you should need to do is

 

1.) Check the Management Interface in Gaia, it should be the IP address that you use for Management.

2.) Change the Object IP for the Gateway to be the Public IP

3.) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... to exclude the Gateway IP from the VPN so that SSH/WebUI etc goes over the Internet not the VPN.

4.) Install Policy to Gateway

 

If you need to change the Management Interface then I find it best to do a reboot, so whilst you may not have downtime I would suggest that you plan for some.

0 Kudos
Iron

With regards to your first point with checking the IP of the management. 

 

Presumably you mean check to see if the management IP is the public one or not?

 

Could I have the mgmt interface on the private address, but change the cluster IP to the public?

0 Kudos
Silver

You should have the interface that is marked as Management in the Gaia Portal be the Interface that has the IP of the Check Point Object.

The Management Interface IP is the IP that the box identifies itself as.

It also updates the host entry for the local hostname to be the IP of the Management Interface.

You can get away with it and manually change the host entry, but I find it easier to set the Management Interface correctly so that it identifies that way properly.

Cluster IP doesn't matter, as it will be the Cluster Members' IPs that the Management Server talks to. You may just need to configure VPN Link Selection so that it uses the correct IP if it isn't the Public IP on the Cluster.

0 Kudos