This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BKYDCPSC
Participant
‎2019-11-27 04:59 PM

Managing gateways via Public IP.

Hi,

 

I have got myself confused.

 

I am currently managing gateways via private addresses ranges which are delivered over VPNs.

I have 1 central management, and it connects to all gateways on a private 192.168 address which is on the VPN domain. I know this is bad practice.

 

How do I go about managing the gateways via the public IP address and the external interface? Feel like I’m missing something very easy.

8 Replies
Danny
MVP Platinum
MVP Platinum
‎2019-11-27 10:28 PM

To which IP did you establish SIC to the gateways? Probably not the private IP.

0 Kudos
BKYDCPSC
Participant
‎2019-11-27 11:35 PM
In response to Danny

Unsure. Wasn’t myself that did the initial config. IP address of the cluster on the cluster object is the management address (192.168.xxx.xxx)

 

is it as easy as changing the object IP address to the public IP residing on that device?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-11-27 11:42 PM
In response to BKYDCPSC

 

Also, what's the designated Mgmt interface set as in the GAiA Web UI / CLI of the Gateway currently?

CCSM R77/R80/ELITE
0 Kudos
BKYDCPSC
Participant
‎2019-11-28 03:24 AM
In response to Chris_Atkinson

Private internal address
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-11-28 12:31 AM
In response to BKYDCPSC

It is as simple as that, make sure your Management server (external) IP (on those gateways) routes towards the internet and that your gateways trust this IP as the management server.
We run a staging room here where we prep gateways before shipping them to the sites, all we do is make sure routing is adjusted on the gateway and the IP is adjusted in the object.
Next to that issue this command on the gateway:
set management interface eth1
Presuming eth1 is your internet Interface.
Regards, Maarten
0 Kudos
mdjmcnally
Advisor
‎2019-11-28 03:13 AM

All you should need to do is

 

1.) Check the Management Interface in Gaia, it should be the IP address that use for Management.

2.) Change the Object IP for the Gateway to be the Public IP

3.) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... to exclude the Gateway IP from the VPN so that SSH/WebUI etc goes over the Internet not the VPN.

4.) Install Policy to Gateway

 

If needing to change the Management Interface then I find it best to do a reboot, so would suggest that whilst may not have downtime I would suggest that plan for some

0 Kudos
BKYDCPSC
Participant
‎2019-11-28 03:24 AM
In response to mdjmcnally

With regards to your first point with checking the IP of the management. 

 

Presumably you mean check to see if the management IP is the public? or not?

 

Could I have the mgmt interface on the private address, but change the cluster IP to the public?

0 Kudos
mdjmcnally
Advisor
‎2019-11-28 04:08 AM
In response to BKYDCPSC

You should have the interface that marked as Management in the Gaia Portal be the Interface that has the IP of the Check Point Object.

The Management Interface IP is the IP that the box identifies itself as.

It also updates the host entry for the localhostname to be the IP of the Management Interface.

You can get away with it and manually change the hostentry but I find it easier to set the Management Interface correctly so that it identifies that way properly.

Cluster IP doesn't matter as will be the Cluster Members IP that the Management Server talks too.  May just need to configure VPN Link Selection so that uses the Correct IP if isn't the Public IP on the Cluster.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events