This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RemoteUser
Advisor
‎2025-06-27 06:29 AM

Change IP management cluster

Hi everyone,

We are planning to migrate our firewall management interface from an old subnet (e.g., 192.168.0.0/26) to a new one (e.g., 192.168.100.0/26), and I would like to ask for best practices to perform the change without losing connectivity to the firewall during the transition.

 Current situation:

  • Management interface is currently in 192.168.0.0/26
  • The new subnet will be 192.168.100.0/26, with:
    • .1 = VIP
    • .2 = FW1
    • .3 = FW2

Static routes will be updated accordingly:

All current static routes pointing to 192.168.0.X will be switched to point to the new IP 192.168.100.10.

 Question:

We identified two possible migration options, but we’re looking for advice on the safest path:

Option 1: Use a free physical interface (e.g., eth1-02)

  • If confirmed, we could reassign this port for the new management IP and swap routes once reachable

Option 2: Reuse the existing interface by switching port mode to trunk

  • Convert the switch port from access to trunk

Objective:Perform the migration with no loss of connectivity, particularly for remote management and routing.

If anyone has gone through a similar migration or has specific recommendations (including hidden gotchas), your input would be highly appreciated!

Thanks in advance!

 

0 Kudos
6 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-27 07:45 PM

Typically a separate interface would likely be the pick of these.

Do the gateways have a working LOM or OOB console connection, are you attempting the changes remotely?

 

CCSM R77/R80/ELITE
0 Kudos
RemoteUser
Advisor
‎2025-06-28 12:25 AM
In response to Chris_Atkinson

Hi @Chris_Atkinson 
So you prefer using a separate interface rather than a trunk from the switch site.
Yes, we’re planning to make the change remotely.
If we proceed with the separate interface, should we expect any downtime?

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-28 01:24 AM
In response to RemoteUser

There are details missing about your environment/ topology etc but converting the existing port to a trunk has a higher risk in my opinion.

CCSM R77/R80/ELITE
0 Kudos
RemoteUser
Advisor
‎2025-06-28 01:59 AM
In response to Chris_Atkinson

why it's higher risk? 

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-28 03:17 AM
In response to RemoteUser

It just is namely because your proposing to make changes to the very port used to access the device and currently it's a clustered interface. But perhaps you have all the necessary mitigations in place.

What other traffic flows leverage the existing interface is it the "internal" LAN side port for all traffic or dedicated to MGMT currently?

 

CCSM R77/R80/ELITE
0 Kudos
RemoteUser
Advisor
‎2025-06-30 12:59 AM
In response to Chris_Atkinson

If I wanted to use another interface as the Management one, would there be any downtime? (Also considering moving the old static routes from the old IP to the new IP)? Is there a procedure for this?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events