Explorer

Change Management IP addresses in Cluster

Hi mates,

I have a question for you, just before the week-end 😀

A cluster was configured and sent to our Data Center using temporary non-routed management IP addresses, I don't know why...

So I'd like to change them to the good IP addresses before putting them in production, but I'm not sure of the right way to do it. I've looked at the documentation and here, but I'm still confused. I thought of the following:

  • Using the console access, change the IP address on the Mgmt interfaces of each gateway
  • Add the necessary static route for the communication with the CMA
  • In SmartConsole, edit the objects of the gateways and change the IP addresses
  • Change the IP address of the cluster object
  • Get interfaces without topology and push the policy

Am I missing something, or maybe completely wrong on the procedure? Worst case scenario I can fresh install the gateways as they are not in production, but I’d rather just change the IP addresses.

Thanks for your help, and have a good week-end.

 

Edit: the procedure above did the trick, I was able to change the IP addresses of the gateways. Just one thing: as the policy was already pushed on the gateway with the old IP addresses, the communication between the CMA and the gateway wasn't working with the new IPs, they were dropped. A fw unloadlocal was necessary to be able to push the new topology and the policy again.

Accepted Solutions
Admin

That seems like the right procedure to me.

5 Replies

That sounds very good.

If you have another gateway between your gateway you should modify the rules for communication between CMA and gateway. Read more here: R80.x - Ports Used for Communication by Various Check Point Modules

I would do the following before you change the IP:

Gateway -> Snapshot
MDS     -> mds_backup or Snapshot

Then you can rollback everything if necessary.

 

Explorer

Hi,

Thanks for your feedback. Just to let you know that it did the trick, I was able to change the management IP addresses, thank you.

But I'm facing a strange issue now. I was going to upgrade both gateways (in R80.20, I know it should be at least 30 but it's not my decision. And a long story).

Anyway, it went well for the first gateway using a blink upgrade as I did for a few clusters lately. But for the second I get this message:

installer verify 1
Info: Initiating verify of blink_image_1.1_Check_Point_R80.20_T117_JHF_T173_SecurityGateway.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Verifier results Package: blink_image_1.1_Check_Point_R80.20_T117_JHF_T173_SecurityGateway.tgz Clean Install: Installation is allowed. Upgrade: The following results are not compatible with the package:
- Machine's configuration is 'StandAlone'
This image is valid only for Security Gateway upgrade

And I can't use it to upgrade... I guess my former coworker installed it in standalone mode. Do you know if this is something I can change easily or should I just fresh install everything?

Thanks!

Champion

I would suggest staying on the safe side with a fresh install!

Explorer

Yep, but that's what I'd like to avoid 😁

What I can't understand is how the gateway can be in standalone mode and at the same time managed by a management server, because I was able to add it on a CMA, configure ClusterXL, do the SIC and push the policy etc... 🤔

Can I check somewhere the deployment type actually configured on the GWs?

Thanks!
