This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dehaasm
Collaborator
‎2023-01-17 02:52 AM

Change SMS and gateway management IP adress

We are planning to change the IP address of the SMS and management IP addresses on all gateways because the old management network is complex and we want to create a single firewall management network with all gateways and SMS. The idea is to create the new management network in parallel for ease of rollback.

To be able to do that we want to perform the following steps:

1) change the SMS IP address following this article, making sure the gateways <-> SMS comms are allowed, I believe it would be best to simply add interface in Gaia and then change it in Smartconsole (without loosing connectivity)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

usign the command cpca_client lscert -kind SIC -stat Valid I confirm that most important ICA certs are valid until 2024

2) change the IP address on each gateway by adding a new interface in Gaia with the new management network and add to the topology.

One question here is do we need to define this new interface in Gaia interface settings there is a feature called set management interface, what does it actually do and is this required to change it?

Do we need to configure this new interface as private in Smartconsole so it wont perform any cluster link state monitoring on this management interface?

3) perform SIC reset on each gateway using this procedure (norestart) to be able to renew the ICA cert IP to the new management IP

I believe this would be the least impactful procedure to include all into the new network management subnet and would this renew the ICA certs?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Thanks in advance.

 

0 Kudos
7 Replies
G_W_Albrecht
Legend
Legend
‎2023-01-17 03:04 AM

The most important thing about SMS is the IP used for central licensing, as changing that would force to do a re-licensing to the new SMS IP. 

The management interface in Gaia OS is used by Gaia First Time Configuration Wizard during initial installation and configuration. Better set the IF used for policy install to management IF - but it is not neccessary.

CCSE CCTE CCSM SMB Specialist
0 Kudos
dehaasm
Collaborator
‎2023-01-17 03:14 AM
In response to G_W_Albrecht

Hi yes i am aware about that, we need to add new licenses and attach all to the gateways but after changing this management IP this wont cause any outage on the gateways or does it?

Regarding the "set management IP" in Gaia I thought this was indeed just something unneeded, but would look pretty.

Regarding step 3 would that work to renew the ICA IP address instead of using sk103356 which causes interruption of services could you confirm that?

Coming back to the private interface this wont work we need clusterXL to route traffic trough it, please ignore.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-01-17 03:40 AM
In response to dehaasm

Important points: 

- you will only need to re-license if you change or delete the SMS IP used for central licensing ! Otherwise, all centrally licensed CP  products are not changed at all, and you do not need to add new licenses and attach it to the gateways

- sk40993 tells us: Because the hostname (name of the Security Management Server) has not been changed, SIC communication should not be affected, as long as the routing is correct.

CCSE CCTE CCSM SMB Specialist
0 Kudos
dehaasm
Collaborator
‎2023-01-17 06:41 AM
In response to G_W_Albrecht

Hi yes ok got it for central licensing local wont be affected.

In the sk you refer to there is a note on SIC reset which is required after IP change because as far as I understood the reason behind that there is IP information stored on gateway, hence SIC reset is required, now my question is will this also change when we perform SIC reset without restart. If so that would be the preferred option/procedure.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Thanks again for the swift reply

0 Kudos
dehaasm
Collaborator
‎2023-01-17 06:41 AM
In response to dehaasm

this is needed to assure that ICA IP renewal would work properly, if you dont do that the renewal would fail according to TAC.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-01-18 12:51 PM
In response to dehaasm

Yes, i think that is true. But not reboot, it is that CP processes are restarted causing outages.

CCSE CCTE CCSM SMB Specialist
0 Kudos
dehaasm
Collaborator
‎2023-01-19 01:42 AM
In response to G_W_Albrecht

According to the article please see note section.

Note - Restart of Check Point services on the Security Gateway / Cluster members is necessary to update the cache of processes that are running on the Management Server with the new SIC certificate details.

So I guess article sk86521 would not suffice to not restart CP processes?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events