This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
XBensemhoun
Employee
Employee
‎2018-03-01 08:17 AM
Jump to solution

How to change Security Gateway name ?

Hi,

For some reasons we may need to change the name of a Security Gateway.

I was wondering how to do exactly and what type of outage we could face on each steps.

Lets say that we have 100+ firewalls around the world, members of some VPN Communities (not based on PSK but certificates) ; their names are based on a site code as other local IT devices and because occasionally equipment are moved to another building : we need to change their names.

Changing the IP address is not a problem ; but changing the name, that's another thing.

I see six places in which we must change the name :

  • SmartConsole (the firewall object itself)
  • Operating System
    • hostname (no outage at all, using "set hostname ****" clish command)
    • host name entry : we must take care of it as Check Point process cannot start if they are not able to understand the corresponding IP of the firewall name ; use "show host names" clish command)
  • And for three certificates : WebUI portal, IPSec and SIC

For SmartConsole : I don't know how to change it except creating a new firewall object as the previous one.

=> Q : is there an alternative ?

For certificates:

  • WebUI do not cause a real traffic outage but we have to take care of RemoteAccess users if the Security Gateway is used as VPN EndPoint Gateway ;
  • For IPSec : the certificate will be created at the creation of the firewall object or can be created again on the "Repository of Certificates Available to the Gateway" but during the time the new certificate is not pushed on other firewalls IPSec tunnels based on certificate are down
  • Thanks to the Best of CheckMates CLI I know now that we can reset a SIC even without restarting firewall process (sk86521) ;

Does anybody know exactly how to do or has experienced the process ?

Thanks all in advance,

Information Security enthusiast, CISSP, CCSP
1 Solution

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2019-10-30 03:40 PM
Jump to solution

When you want to change the name of the gateway in SmartConsole and for the VPN certificate, you need to do a SIC reset, NOT initialize the SIC yet, first remove the gateway from the IP-SEC community, disable IP-SEC blade click OK, then rename the gateway object and now initialize the SIC. Then you can enable IP-SEC blade again and the new VPN certificate is created, then add the gateway to the VPN community again.
Regards, Maarten

View solution in original post

6 Replies
Alejandro_Mont1
Collaborator
‎2018-03-01 10:47 AM
Jump to solution

As I understand it there is no way to change the gateway name as the SIC certificate is tied to the object (clicking on the object shows you the SIC name). I think you are correct, you will need to recreate the gateway objects and reset SIC. As you mentioned VPN tunnels there is another layer of complexity here: let's say you have 2 gateways, A and B that use certificates for tunnel establishment. You go through and rename A in Dashboard and reset SIC. If you then only install policy to gateway A, the VPN tunnel to B will go down as A is now using a different certificate than B expects. You will need to also install policy to B and any other gateways in that community or else the tunnels will not come up. As they need to renegotiate you may also observe some sort of outage.

If you did this gateway by gateway you would need to install policy to all gateways participating in VPN tunnels each time you reset SIC. I'd probably segment by community. Create the new gateway objects without establishing SIC, add them into relevant rules and communities and remove references to the old names from said communities. Then reset SIC to all of them and install policy to that group. Complexity is increased if you have gateways in multiple communities.

Just my 2 cents as that's how I'd probably do it. 

XBensemhoun
Employee
Employee
‎2018-03-02 07:01 AM
In response to Alejandro_Mont1
Jump to solution

Well, another thing, about CA:

  • do other VPN Gateways are able to establish VPN tunnels with the renamed Gateway because they share the same CA ?
  • or is it really impossible to establish before installing policies on all other members of VPN Community ?
Information Security enthusiast, CISSP, CCSP
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-03-02 01:50 AM
Jump to solution

Old certificate must be removed: sk89100 / sk115394.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
XBensemhoun
Employee
Employee
‎2018-03-02 06:57 AM
In response to G_W_Albrecht
Jump to solution

OK ; so we have sk89100 and sk115394‌ for changing IPSec VPN certificate which is used for ‌ and for some other blades.

Impacts if we change hostname and not defaultCert are:

  • for admin access (CLI is theBestWay Smiley Happy)
  • Browser-Authentication TS Agent and blades as they could use the
Information Security enthusiast, CISSP, CCSP
0 Kudos
JasonDC
Participant
‎2019-10-30 12:49 PM
Jump to solution

Wouldn't it be easier to throw an ISO at the gateway and refresh it?  Sounds like a lot of work to change on the gateway instead of rebuilding it from a clean state and modifying policy.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-30 03:40 PM
Jump to solution

When you want to change the name of the gateway in SmartConsole and for the VPN certificate, you need to do a SIC reset, NOT initialize the SIC yet, first remove the gateway from the IP-SEC community, disable IP-SEC blade click OK, then rename the gateway object and now initialize the SIC. Then you can enable IP-SEC blade again and the new VPN certificate is created, then add the gateway to the VPN community again.
Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events