tmorgan
Contributor

Changing Public IP Address on Gateway

So I have a customer I am working with at the moment whose ISP is forcing a public IP address change. The plan is essentially to move anything public-facing away from using the IP towards DNS entries. This works perfectly with everything apart from the VPN client.

We have followed the SK below this afternoon so that the VPN client will not lock itself to the IP address and will instead resolve the DNS entry each time the client connects. However, looking around on CheckMates, it looks like this article doesn't work?! Even if you follow it, the client will still lock itself down to a specific IP address once the site is configured.

https://support.checkpoint.com/results/sk/sk103440

Has anybody else ever managed to find a simple way to handle this requirement? I am getting to the point where I am going to build a second gateway in the cloud, migrate all users to this gateway, change the IP address and then move them back. This seems a crazy approach, but every other suggestion seems to imply giving users admin rights and letting them run scripts to reconfigure the VPN agent. This just won't fly with the customer; it must be a seamless experience for the end users.

PS: I really have to ask, does anybody know why the client is configured to ignore the DNS entry it is given? This just seems to defy all common sense.

2 Replies
the_rock
Legend

There is no "simple" way to do this really, because you have to ensure routing is good, the external IP is accessible to the clients, SIC communication, etc. As far as that SK goes, I have done it before and it does work fine; you just need to make sure the DNS records indeed match.

Andy

JozkoMrkvicka
Mentor

Did you check using "nslookup" whether the DNS (FQDN) is really changed on the client's computer? Are dedicated DNS servers used on the client's workstation whose AAAA entries are not updated?

Did you check whether the parameters that need to be modified in sk103440 are really fetched from the affected gateway during creation of the VPN site (check also the trac.defaults file on the client's end)?

Is the affected gateway running the latest software with the latest Jumbo Take?

Is the VPN client on the client side the latest recommended by Check Point?

If so, it must be a bug and TAC should be contacted.

It doesn't make sense to use a fixed IP, known during first site creation, once the VPN site was configured to use DNS (FQDN). Every connection/update/creation must first do an nslookup and resolve the correct IP address.

Kind regards,
Jozko Mrkvicka
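The first two checks in the reply above (does the site FQDN now resolve to the new address on this workstation, and is the old address still pinned in the client's configuration) can be scripted so they are run the same way on every affected client. The script below is an added example written for this thread; it is not code from the original post, from sk103440 or from Check Point. The FQDN `vpn.example.com`, the addresses 203.0.113.10 (new) and 198.51.100.5 (old) and the config path are placeholders, and the config check knows nothing about the client's file format: it only greps for the old address as a literal string in whatever file you point it at (trac.defaults, as mentioned above, or another client file).

```shell
#!/bin/sh
# Added example for this thread, not Check Point code. All names and addresses
# below are assumed placeholders; replace them with the customer's values.

# Resolve an FQDN to its IPv4 address(es) with whatever resolver tool exists.
# RESOLVER_CMD may be set to an alternative command (or a shell function) so
# the check can be exercised without network access.
resolve_fqdn() {
  fqdn="$1"
  if [ -n "$RESOLVER_CMD" ]; then
    $RESOLVER_CMD "$fqdn"
  elif command -v dig >/dev/null 2>&1; then
    dig +short A "$fqdn"
  elif command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$fqdn" | awk '{print $1}' | sort -u
  else
    # nslookup on Linux prints "Address: x.x.x.x" for answers and
    # "Address: x.x.x.x#53" for the resolver itself; skip the latter.
    nslookup "$fqdn" | awk '/^Address/ && !/#/ {print $2}'
  fi
}

# Return 0 only if the FQDN resolves to NEW_IP and not to OLD_IP on this host.
# Non-zero codes distinguish "no answer", "stale answer" and "unexpected answer".
check_vpn_fqdn() {
  fqdn="$1"; new_ip="$2"; old_ip="$3"
  addrs=$(resolve_fqdn "$fqdn")
  [ -z "$addrs" ] && { echo "FAIL: $fqdn did not resolve"; return 1; }
  echo "$addrs" | grep -qx "$old_ip" && {
    echo "FAIL: $fqdn still resolves to old IP $old_ip (stale cache or DNS server)"
    return 2
  }
  echo "$addrs" | grep -qx "$new_ip" || {
    echo "FAIL: $fqdn resolves to $(echo $addrs), expected $new_ip"
    return 3
  }
  echo "OK: $fqdn -> $new_ip"
  return 0
}

# Return 0 if OLD_IP does not appear literally in the given client config file.
# A hit means the client pinned the address at site creation rather than the FQDN.
check_config_for_old_ip() {
  cfg="$1"; old_ip="$2"
  [ -f "$cfg" ] || { echo "SKIP: $cfg not found"; return 0; }
  if grep -Fq "$old_ip" "$cfg"; then
    echo "FAIL: $old_ip is pinned in $cfg:"
    grep -Fn "$old_ip" "$cfg"
    return 1
  fi
  echo "OK: $old_ip not present in $cfg"
  return 0
}

# Stand-alone usage (placeholder values):
#   sh check_vpn_site.sh vpn.example.com 203.0.113.10 198.51.100.5 /path/to/trac.defaults
if [ "$#" -eq 4 ]; then
  check_vpn_fqdn "$1" "$2" "$3"
  check_config_for_old_ip "$4" "$3"
fi
```

Run it once before the cutover (expect the FQDN check to fail with code 3 and the config check to flag the pinned address) and again after re-creating the site, so the difference in output tells you whether the client actually switched to resolving the FQDN or merely cached the new address.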