This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MiniNinja
Collaborator
‎2024-03-23 12:57 AM

separation/transfer of SMS and GW

Good afternoon.
Now there is a full-mesh vpn network on CheckPoint, but the current main SMS is located in another country (let's call it A) and manages all Checkpoint gateways. Communication with SMS via MPLS and via the Internet.
The separation of a part of the gateways and their transfer to the control of another SMS (in another location, let's call it B) is being considered.
I have an idea.:
1) deploy Secondary SMS to location B and connect it to the current one located in another country A.
2) Synchronize everything.
3) Make Secondary SMS active in the location of the Bar.
4) then, in some way, break the connection with another SMS in country A, say, disable MPLS or restrict connection.
5) you will probably have to deploy another SMS in location B with the same name as the former main SMS in country A and upgrade it to Primary.
5) Reinitialize SIC on gateways that require SMS connection in country A and possibly reinitialize SIC on gateways that will be connected to SMS in location B.

But I'm not sure about the result and the possibilities.
Maybe someone has asked such a task? what is the best way to perform such a separation-transferring part of the gateways to the new SMS?

0 Kudos
3 Replies
genisis__
Leader Leader
Leader
‎2024-03-23 01:50 AM

From the sounds of it, that should work, one other thing to consider is the ICA.  If you are running Checkpoint GWs that are being used by the same SMS and have VPNs between each other they, do need to contact the ICA for CRL retrieve, I think is something like every 24hrs.

Another thing you could also do is just export the database from one SMS and import into a new SMS  (recommend R81.20 with latest JHFA) and update the IP.  A re-sic should not be required if you ensure the hostname name remains the same and of course all the gateways can route this IP and the policies allow connectivity to this new IP.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-03-24 09:09 AM
In response to genisis__

Note: all of the options discussed so far leave all managements with exactly the same certificate authority. Depending on the reason for the split (is part of the company being sold to another company?), this may present a significant security risk.

0 Kudos
the_rock
Legend
Legend
‎2024-03-23 09:59 AM

I agree with all @genisis__ had said, but then again, there is no 100% guarantee it would work, but definitely makes sense.

Best.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events