This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Calvin_Piggott
Contributor
‎2021-03-28 01:25 PM
Jump to solution

R80.40 Standalone to Distributed sk154033

Hello fellow members.

 

Would really appreciate your expert opinions on this matter.

 

Currently I'm tasked w/ converting an on-premise standalone R80.40 setup to a distributed management and Cluster-XL setup.

Let's call the current setup old-mgmt-gateway-01.

This also manages an Azure R80.10 CloudGuard IaaS instance, let's call this azure-cg-01.

There's a site to site VPN between old-mgmt-gateway-01 and azure-cg-01.

Remote VPN clients also connect to old-mgmt-gateway-01.

 

I'm proposing the following as per sk154033:

  • Secondary management server, let's call this new-mgmt.
  • New primary gateway only, let's call this new-gateway-01.
  • New secondary gateway only, let's call this new-gateway-02.
  • Cluster-XL object, let's call this new-clusterxl.

 

I've already achieved successful management HA sync.

 

Moving forward, I'm seeking clarity on the following:

  • Since VPN clients are presented w/ the gateway's certificate upon site creation and connection, wouldn't the name new-clusterxl break current Endpoint Security VPN site configuration? I would rather not use the old-mgmt-gateway-01 as the cluster object name.
  • Does the same hold true for site to site VPN w/ azure-cg-01?
  • Outbound HTTPS Inspection is currently enabled, so if the cluster object uses a name other than old-mgmt-gateway-01, does that require the gateway certificate to be regenerated?

If there are any other dependencies that you think I missed, do let me know.

 

Thank you,

Calvin.

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-03-28 06:29 PM
In response to Calvin_Piggott
Jump to solution

Right-click on one of the instances it is used in the policy and select Where Used.
You can see all the uses of the old object and replace specific instances of it with the new object.

Screen Shot 2021-03-28 at 6.27.18 PM.png

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-03-28 05:03 PM
Jump to solution

You're creating a new gateway which means a new certificate will be created.
Clients will get prompted on first connection with the new fingerprint but after that, you should be ok.
For Site-to-Site VPN, you should be fine since the CA won’t change and what matters is the endpoints being able to validate the certificate and access the CRL.
Unless you want to regenerate the ICA with the new management server name.
For HTTPS Inspection, what matters is the CA key used for signing the certificates (different from the ICA).
Not sure where that’s stored offhand.

0 Kudos
Calvin_Piggott
Contributor
‎2021-03-28 05:35 PM
In response to PhoneBoy
Jump to solution

Thank you sir!

I don't think I'll go down the ICA regeneration road unless necessary.

 

One more thing that I realized is that with a security policy of just over 320 rules, the 'Install On' column has old-mgmt-gateway-01 and adding the gateway new-clusterxl means that I'll need to add it to those rules as well.

SK108538 looks like it will do the trick if I wanted replace, but I want to make it an addition.

Any tips?

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-28 06:29 PM
In response to Calvin_Piggott
Jump to solution

Right-click on one of the instances it is used in the policy and select Where Used.
You can see all the uses of the old object and replace specific instances of it with the new object.

Screen Shot 2021-03-28 at 6.27.18 PM.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events