This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fred_Katsumi
Explorer
‎2021-11-24 04:38 PM

Changing ISP

Hi,

I have a simple setup with 3 gateways (A, B and C) and 1 management server (M).  M is behind A.  SIC is established and all VPN tunnels have been up and working for years.  M has a static NAT.  I'm getting ready to change the ISP of A.  Here are the steps I would take to do this.

  1. Login to Gaia on A and update the network interface and the default gateway
  2. Login to SmartConsole and edit the gateway object to update A's IP address, IPSec VPN, VPN Clients, etc.
  3. Update M's NAT
  4. Push policy

My thought is when I push the policy it would install on A but not the others because the trust will break because the B and C have no idea about the ISP change.  Would I need to reset SIC on B and C or is there a way to avoid resetting?

Thank you

Fred

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-11-29 12:25 PM

SIC is based on certificates, so changing IPs won't be an issue.
If the effective management IP changes for B and C, you'll need to push policy to them as well.

emmap
Employee
Employee
‎2021-11-29 07:47 PM

You should add a temp rule before you change IPs to ensure the gateways B anc C will accept traffic from the new M NAT IP. They would have an implied rule to accept traffic from the current NAT IP but would likely not accept a policy install from the new NAT IP.

Fred_Katsumi
Explorer
‎2021-12-02 09:20 AM
In response to emmap

Thank you for the pointers.  I was able to complete this.  As emmap suggested I created a dummy host with the new M NAT IP and created a rule to allow traffic.  Installed the policy on all gateways.  Then I made all the IP address changes to the gateway A and management M as I outlined above.  With the temp rule in place, SIC never broke and I was able to push policy using the new ISP connection.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events