Josh28
Contributor

Change Management IP addresses in Cluster

Hi mates,

I have a question for you, just before the week-end 😀

A cluster was configured and sent to our Data Center using temporary non-routed management IP addresses, I don't know why...

So I'd like to change them to the good IP addresses before putting them in production, but I'm not sure of the good way to do it. I've looked at the documentation and here, but I'm still confused. I thought of the following:

  • using the console access, change the ip address on the Mgmt Interfaces of each gateway
  • add the necessary static route for the communication with the CMA
  • on the SmartConsole, edit the object of the gateways and change the IP addresses
  • Change the IP address of the cluster object
  • Get interface without topology and push the policy

Am I missing something, or maybe completely wrong on the procedure ? Worst case scenario I can fresh install the gateways as they are not in production, but I’d rather just change the ip addresses.

Thanks for your help, and have a good week-end.

 

Edit: the procedure above did the trick, I was able to change the IP addresses of the gateways. Just one thing: as the policy was already pushed on the gateway with the old IP addresses, the communication between the CMA and the gateway wasn't working with the new IPs, they were dropped. A fw unloadlocal was necessary to be able to push the new topology and the policy again.

0 Kudos
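
The console-side steps from the question above, written out as Gaia commands (an added example, not part of the original post). The addresses, mask length and next hop are constructed placeholders from documentation ranges; the interface name Mgmt and `fw unloadlocal` come from the post.

```clish
# Added example. Constructed placeholder values (RFC 5737 ranges):
#   new management IP of this member : 192.0.2.11/24
#   next hop toward the CMA          : 192.0.2.1
#   CMA address                      : 198.51.100.10
# Run on each cluster member over the console, one member at a time.

# 1. Replace the temporary address on the management interface.
set interface Mgmt ipv4-address 192.0.2.11 mask-length 24

# 2. Add the static route needed to reach the CMA.
set static-route 198.51.100.10/32 nexthop gateway address 192.0.2.1 on

# 3. Persist the change and review the result.
save config
show interface Mgmt ipv4-address
show route static

# 4. Only if the previously installed policy drops CMA traffic to the new
#    address (the case described in the post's edit): check what is loaded,
#    then unload it. fw unloadlocal leaves this member with no policy
#    enforced until the next install, so use it only while the member is
#    out of production and install policy again straight afterwards.
fw stat
fw unloadlocal
```

The remaining steps are done in SmartConsole as listed in the post: update the gateway and cluster object addresses, get interfaces without topology, and install policy.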
1 Solution

Accepted Solutions
PhoneBoy
Admin

That seems like the right procedure to me.


0 Kudos
8 Replies
HeikoAnkenbrand
Champion

That sounds very good.

If you have another gateway between your gateway you should modify the rules for communication between CMA and gateway. Read more here: R80.x - Ports Used for Communication by Various Check Point Modules

I would do the following before you change the IP:

Gateway -> Snapshot
MDS        -> mds_backup or Snapshot

Then you can rollback everything if necessary.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Josh28
Contributor

Hi,

Thanks for your feedback. Just to let you know that it did the trick, I was able to change the management IP addresses, thank you.

But I'm facing a strange issue now. I was going to upgrade both gateways (to R80.20, I know it should be at least 30 but it's not my decision. And a long story).

Anyway, it went well for the first gateway using a blink upgrade as I did for a few clusters lately. But for the second I get this message:

installer verify 1
Info: Initiating verify of blink_image_1.1_Check_Point_R80.20_T117_JHF_T173_SecurityGateway.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Verifier results Package: blink_image_1.1_Check_Point_R80.20_T117_JHF_T173_SecurityGateway.tgz Clean Install: Installation is allowed. Upgrade: The following results are not compatible with the package:
- Machine's configuration is 'StandAlone'
This image is valid only for Security Gateway upgrade

And I can't use it to upgrade... I guess my former coworker installed it in standalone mode. Do you know if this is something I can change easily, or should I just fresh install everything?

Thanks !

0 Kudos
G_W_Albrecht
Legend

I would suggest to stay on the safe side with a fresh install !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Josh28
Contributor

Yep, but that's what I'd like to avoid ‌😁

What I can't understand is how the gateway can be in standalone mode and at the same time managed by a management server, because I was able to add it on a CMA, configure ClusterXL, do the SIC and push the policy etc... ‌🤔

Can I check somewhere the deployment type actually configured on the GWs?

Thanks!

0 Kudos
G_W_Albrecht
Legend

This is possible using CLI, and you also can change it. But the command is not supported except when advised by TAC to use it !


My GW gives me:

# cpprod_util FwIsFirewallModule
1
# cpprod_util FwIsStandAlone
0
# cpprod_util FwIsFirewallMgmt
0

You could try the set command:

# cpprod_util FwSetStandAlone 0

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
jimm
Participant

Did you have to re-establish SIC between management and each gateway? I asked Check Point how to change the management IPs in a pair of gateways in a cluster. Their advice was to delete the cluster, change the gateways one by one, and recreate the cluster. Seems excessive to me. I'd have expected to be able to just change the IPs on the gateways and on management (via SmartConsole), then re-establish SIC, then push policy.

0 Kudos
JMB77
Explorer

I have a similar scenario - I have Management on one particular interface (internal) and I want to change the management to another existing Internal interface. All is routable.

I assume all I need to do is change the Management IP on the cluster nodes.

I wasn't sure if I needed to re-establish SIC on each cluster node - some forums have suggested you do and others have said no.

I was hoping to avoid having to do an fw unloadlocal and wiping the policy, as that would trigger an outage to all services using that firewall.

0 Kudos
