BKYDCPSC
Participant

Managing gateways via Public IP.

Hi,

 

I have got myself confused.

 

I am currently managing gateways via private address ranges which are delivered over VPNs.

I have 1 central management, and it connects to all gateways on a private 192.168 address which is on the VPN domain. I know this is bad practice.

 

How do I go about managing the gateways via the public IP address and the external interface? Feel like I’m missing something very easy.

8 Replies
Danny
Champion

To which IP did you establish SIC to the gateways? Probably not the private IP.

0 Kudos
BKYDCPSC
Participant

Unsure. Wasn’t myself that did the initial config. IP address of the cluster on the cluster object is the management address (192.168.xxx.xxx)

 

Is it as easy as changing the object IP address to the public IP residing on that device?

0 Kudos
Chris_Atkinson
Employee

 

Also, what's the designated Mgmt interface set as in the GAiA Web UI / CLI of the Gateway currently?

CCSM R77/R80/ELITE
0 Kudos
BKYDCPSC
Participant

Private internal address
0 Kudos
Maarten_Sjouw
Champion

It is as simple as that, make sure your Management server (external) IP (on those gateways) routes towards the internet and that your gateways trust this IP as the management server.
We run a staging room here where we prep gateways before shipping them to the sites, all we do is make sure routing is adjusted on the gateway and the IP is adjusted in the object.
Next to that issue this command on the gateway:
set management interface eth1
Presuming eth1 is your internet Interface.
Regards, Maarten
0 Kudos
mdjmcnally
Advisor

All you should need to do is

 

1.) Check the Management Interface in Gaia, it should be the IP address that you use for Management.

2.) Change the Object IP for the Gateway to be the Public IP

3.) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... to exclude the Gateway IP from the VPN so that SSH/WebUI etc goes over the Internet not the VPN.

4.) Install Policy to Gateway

 

If you need to change the Management Interface then I find it best to do a reboot, so whilst you may not have downtime I would suggest that you plan for some.

0 Kudos
BKYDCPSC
Participant

With regards to your first point with checking the IP of the management. 

 

Presumably you mean check to see if the management IP is the public? or not?

 

Could I have the mgmt interface on the private address, but change the cluster IP to the public?

0 Kudos
mdjmcnally
Advisor

You should have the interface that is marked as Management in the Gaia Portal be the Interface that has the IP of the Check Point Object.

The Management Interface IP is the IP that the box identifies itself as.

It also updates the host entry for the localhostname to be the IP of the Management Interface.

You can get away with it and manually change the host entry but I find it easier to set the Management Interface correctly so that it identifies that way properly.

Cluster IP doesn't matter as it will be the Cluster Members' IP that the Management Server talks to. You may just need to configure VPN Link Selection so that it uses the correct IP if it isn't the Public IP on the Cluster.

0 Kudos
