Hello everyone,
I'm trying to set up an OnPrem cluster with Smart-1 Cloud management.
Quantum Security Gateways version: R81.20 JHF Take 89
I've followed the "Quantum Smart-1 Cloud Admin Guide" to connect the gateways.
I've managed to create the cluster in Smart Console, connect the gateways to Smart-1 Cloud and establish SIC successfully.
A bit about the topology.
I need to replace the existing 3rd-Party edge firewalls. I have to use the same IP addresses for the external and internal interfaces as the existing firewalls (apart from the MGMT).
In the attached topology picture we see the Checkpoint Gateway Cluster connected only to the management network (as only the MGMT IPs are unique).
Currently I have default route via the MGMT interfaces. So the MaaS Tunnels have been established via the MGMT interfaces (temporarily set as external during initial setup).
All interfaces are physically disconnected apart from the MGMT interfaces.
Please find attached the screenshot with the Network Management picture of the cluster.
One strange thing is that the Cluster member IPs have not been automatically changed to the maas_tunnel IPs. However, everything seems to be working fine.
During the migration phase, I plan to change the default route of the Gateways (as well as some other specific routes) so that the Gateways reach the Internet via the edge router (outside interface).
My QUESTION is: will the MaaS_Tunnels be re-established via the external interfaces?
Should I consider NAT before the default route change? The outside interface of the Gateways use public IPs.
I also have the option "Hide internal networks behind the Gateway's external IP" disabled.
Should I also change the IP of the cluster from private to the public IP?
I'd appreciate your input on this.
I'm at your disposal for any clarification.
As long as the gateways can reach out via port 443 to our cloud, the IP which they appear to come from shouldn't matter.
Having said that, if you're changing the interfaces/routing, it's possible a cprestart or similar may be needed.
In case there are issues after doing so, check the troubleshooting steps here: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-...
Thank you for your prompt response!
I'll try 'cpstop'/'cpstart' and keep you posted.
You could also call CP TAC to be on standby during the migration in case anything goes wrong!
No service restart was required.
As soon as the gateways were able to get DNS & Internet Access after the default route change, the tunnels got re-established straightaway!
Great job!
What does maas_tunnel show from fw ifconfig command? Also, what is the status in S1C portal for the gateways?
Andy
When all works, below is what you would see when running the maas status command from the fw:
maas status
MaaS Status: Enabled
MaaS Tunnel State: Up
MaaS domain-name: *****************.maas.checkpoint.com
Connected to Infinity Portal: https://cloudinfra-gw-us.portal.checkpoint.com
Gateway IP for MaaS Communication: 100.64.0.1
Thank you for your response!
Please find attached the screenshot from S1C Portal.
Interfaces on GWY#01:
[Expert@CheckPoint01:0]# ifconfig
Mgmt      Link encap:Ethernet  HWaddr 00:1C:7F:C3:CA:78
          inet addr:10.1.6.52  Bcast:10.1.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1929565 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1864370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:357377407 (340.8 MiB)  TX bytes:235796941 (224.8 MiB)

Mgmt:1    Link encap:Ethernet  HWaddr 00:1C:7F:C3:CA:78
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

Sync      Link encap:Ethernet  HWaddr 00:1C:7F:C3:CA:77
          inet addr:169.254.22.1  Bcast:169.254.22.3  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17609446 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17114981 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3216375377 (2.9 GiB)  TX bytes:2179704654 (2.0 GiB)

eth1      Link encap:Ethernet  HWaddr 00:1C:7F:C3:CA:6F
          inet addr:172.16.0.2  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1978574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:156032 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:263979275 (251.7 MiB)  TX bytes:18522867 (17.6 MiB)

eth2      Link encap:Ethernet  HWaddr 00:1C:7F:C3:CA:71
          inet addr:192.168.68.2  Bcast:192.168.71.255  Mask:255.255.248.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:12185 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13020 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2636284 (2.5 MiB)  TX bytes:1271910 (1.2 MiB)

eth7      Link encap:Ethernet  HWaddr 00:1C:7F:C3:CA:74
          inet addr:10.5.208.3  Bcast:10.5.223.255  Mask:255.255.240.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:6112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12960 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:734518 (717.3 KiB)  TX bytes:1258796 (1.2 MiB)

eth8      Link encap:Ethernet  HWaddr 00:1C:7F:C3:CA:76
          inet addr:195.x.x.251  Bcast:195.x.x.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:301594 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:47032214 (44.8 MiB)  TX bytes:85654052 (81.6 MiB)

lo        Link encap:Local Loopback  Media:unknown(auto)
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK NOTRAILERS RUNNING NOARP ALLMULTI MULTICAST DYNAMIC  MTU:65536  Metric:1
          RX packets:1499240 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1499240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:484885542 (462.4 MiB)  TX bytes:484885542 (462.4 MiB)

maas_tunnel Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.100.x.91  P-t-P:100.64.0.52  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:122876 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106544 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:59780882 (57.0 MiB)  TX bytes:110292654 (105.1 MiB)
'maas status' output from GWY#01:
[Expert@CheckPoint01:0]# maas status
MaaS Status: Enabled
MaaS Tunnel State: Up
MaaS domain-name: ******************.maas.checkpoint.com
Connected to Infinity Portal: https://cloudinfra-gw.portal.checkpoint.com
Gateway IP for MaaS Communication: 100.100.x.91
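
A post-change check along the lines discussed in this thread, as an added example that is not part of any post above: it parses captured `maas status` output using the field labels shown in the thread and reports whether the tunnel is up. The function names `maas_field` and `maas_check` and the sample inputs are constructed for illustration.

```bash
#!/bin/bash
# Added example: evaluate captured `maas status` text after a routing change.
# Field labels are the ones shown in the thread; function names are hypothetical.

# maas_field LABEL: print the value that follows "LABEL:" in status text on stdin.
maas_field() {
    awk -v label="$1" '
        index($0, label ":") == 1 {
            val = substr($0, length(label) + 2)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)   # trim blanks and a stray CR
            print val
            exit
        }'
}

# maas_check: read `maas status` text on stdin. Returns 0 only when MaaS is
# Enabled, the tunnel state is Up and a MaaS IP is reported. A missing field
# counts as a failure, so truncated output is never reported as healthy.
maas_check() {
    local out status state ip
    out=$(cat)
    status=$(printf '%s\n' "$out" | maas_field "MaaS Status")
    state=$(printf '%s\n' "$out" | maas_field "MaaS Tunnel State")
    ip=$(printf '%s\n' "$out" | maas_field "Gateway IP for MaaS Communication")
    if [ "$status" = "Enabled" ] && [ "$state" = "Up" ] && [ -n "$ip" ]; then
        echo "OK tunnel=Up maas_ip=$ip"
        return 0
    fi
    echo "FAIL status=${status:-missing} tunnel=${state:-missing} maas_ip=${ip:-missing}"
    return 1
}

# Constructed sample inputs: layout copied from the thread.
SAMPLE_UP='MaaS Status: Enabled
MaaS Tunnel State: Up
MaaS domain-name: *****.maas.checkpoint.com
Connected to Infinity Portal: https://cloudinfra-gw.portal.checkpoint.com
Gateway IP for MaaS Communication: 100.64.0.1'

# "Down" is a constructed placeholder; any state other than Up fails the check.
SAMPLE_DOWN='MaaS Status: Enabled
MaaS Tunnel State: Down'
```

On a gateway the input would come from `maas status | maas_check`, run once before and once after the default route change.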