Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
MiniNinja
Collaborator

separation/transfer of SMS and GW

Good afternoon.
Now there is a full-mesh vpn network on CheckPoint, but the current main SMS is located in another country (let's call it A) and manages all Checkpoint gateways. Communication with SMS via MPLS and via the Internet.
The separation of a part of the gateways and their transfer to the control of another SMS (in another location, let's call it B) is being considered.
I have an idea.:
1) deploy Secondary SMS to location B and connect it to the current one located in another country A.
2) Synchronize everything.
3) Make Secondary SMS active in the location of the Bar.
4) then, in some way, break the connection with another SMS in country A, say, disable MPLS or restrict connection.
5) you will probably have to deploy another SMS in location B with the same name as the former main SMS in country A and upgrade it to Primary.
5) Reinitialize SIC on gateways that require SMS connection in country A and possibly reinitialize SIC on gateways that will be connected to SMS in location B.

But I'm not sure about the result and the possibilities.
Maybe someone has asked such a task? what is the best way to perform such a separation-transferring part of the gateways to the new SMS?

0 Kudos
3 Replies
genisis__
Leader Leader
Leader

From the sounds of it, that should work, one other thing to consider is the ICA.  If you are running Checkpoint GWs that are being used by the same SMS and have VPNs between each other they, do need to contact the ICA for CRL retrieve, I think is something like every 24hrs.

Another thing you could also do is just export the database from one SMS and import into a new SMS  (recommend R81.20 with latest JHFA) and update the IP.  A re-sic should not be required if you ensure the hostname name remains the same and of course all the gateways can route this IP and the policies allow connectivity to this new IP.

0 Kudos
Bob_Zimmerman
Authority
Authority

Note: all of the options discussed so far leave all managements with exactly the same certificate authority. Depending on the reason for the split (is part of the company being sold to another company?), this may present a significant security risk.

0 Kudos
the_rock
Legend
Legend

I agree with all @genisis__ had said, but then again, there is no 100% guarantee it would work, but definitely makes sense.

Best.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events