reybanger
Explorer

Checkpoint Gateway with Dynamic Public IP from ISP

Hello Checkmates,

I have a gateway, that has a private IP address assigned on the EXT interface, and the ISP is providing a dynamic, public IP address.

I have been trying to establish SIC with the gateway by selecting the "Dynamic Address" checkbox, and that worked just fine. When establishing SIC I provided the current IP. The gateway connected to my management server and I was able to install policy successfully.


However, as soon as the ISP public IP changes, the SmartConsole is not reflecting that. 
cp_conf sic state is showing:
Trust State: Trust established

I can properly telnet to the management server on 256, 257, 18191 etc.
When I reboot the gateway, I can see there is some kind of error related to masters file:

Fetching FW1 Security Policy From: X.X.X.X 

Failed to fetch policy from masters in masters file

I checked the masters file and I can properly see the public IP of my management server. 

I have checked the DAIP FAQ article, but could not find anything related to this problem.

Do you have any idea what has to be done to make it work?
Thank you,

Rey 

5 Replies
Vincent_Bacher
MVP Silver

Once the IP changes the SIC certificate becomes invalid because it is assigned to the old IP.
Is this a Spark device? If yes, I would suggest using a DDNS service and then using the FQDN. I think DDNS is still supported on Spark; I would say this should work.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
reybanger
Explorer

Hello,

Hmm, but nowhere in the guide does it say to use FQDNs. This is a 3000 series gateway, a Gaia device. I don't want to use FQDNs.
As per this: https://support.checkpoint.com/results/sk/sk167473 point 2, the management server should be able to update its database once the gateway fetches the policy.

But I see the error in the policy fetch, as per my initial post. 


Best regards,

Rey 

Vincent_Bacher
MVP Silver

Fair enough.

Maybe this still applies and helps?

https://community.checkpoint.com/t5/General-Topics/centrally-manage-a-DAIP-gateway/td-p/9343

PhoneBoy
Admin
Admin

I believe there's an option in cpconfig that must be enabled if the gateway is DAIP (or at least there used to be).
Also, is there another firewall between your management server and the DAIP gateway?
It is possible the relevant traffic is being blocked there, which should show in the logs.

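The two checks raised in this thread (what the gateway's masters file actually points at, and whether something between the gateway and the management server is dropping the traffic) can be scripted. The script below is an added example, not Check Point code and not from any poster here. It assumes a masters file laid out as `[Policy]` / `[Log]` section headers followed by one management name or IP per line, resolved through /etc/hosts via getent, and it tests the well-known TCP ports a gateway needs toward its management server: 18191 (CPD, SIC and policy fetch), 18210/18211 (ICA certificate pull/push), 18264 (CRL fetch), 256 (FW1) and 257 (log forwarding). The port list, the file layout and the `FWDIR` default are assumptions, to be adjusted to the version in use.

```shell
#!/bin/bash
# Added diagnostic for a DAIP gateway (example code, not Check Point's own).
# Reads the masters file, resolves each policy master, and tests the TCP
# ports toward it, so a block on an intermediate firewall shows up here
# rather than only as "Failed to fetch policy from masters in masters file".
#
# Assumed masters file layout (an assumption, check your own file):
#   [Policy]
#   <name-or-ip>
#   [Log]
#   <name-or-ip>

# Well-known Check Point ports, all TCP (assumed complete enough for this check).
CP_PORTS="18191 18210 18211 18264 256 257"

# parse_masters FILE [SECTION]: print the entries under [SECTION] (default Policy)
parse_masters() {
  local file=$1 section=${2:-Policy}
  awk -v want="[$section]" '
    /^[[:space:]]*\[/ { cur = $1; next }                 # new [Section] header
    cur == want && NF && $1 !~ /^#/ { print $1 }          # entry in wanted section
  ' "$file"
}

# resolve_host NAME: print the first address for NAME (from /etc/hosts or DNS),
# or NAME itself when it is already a dotted IPv4 address
resolve_host() {
  local name=$1
  if [[ $name =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
    printf '%s\n' "$name"
  else
    getent hosts "$name" | awk 'NR == 1 { print $1 }'
  fi
}

# tcp_open HOST PORT: return 0 if a TCP handshake completes within 3 seconds
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_master NAME: report each port; return the number of ports that failed
check_master() {
  local name=$1 ip port failed=0
  ip=$(resolve_host "$name")
  if [ -z "$ip" ]; then
    echo "$name: cannot resolve (check /etc/hosts on the gateway)"
    return 1
  fi
  for port in $CP_PORTS; do
    if tcp_open "$ip" "$port"; then
      echo "$name ($ip): tcp/$port open"
    else
      echo "$name ($ip): tcp/$port blocked or filtered"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# main [MASTERS_FILE]: defaults to $FWDIR/conf/masters on the gateway itself
main() {
  local file=${1:-$FWDIR/conf/masters} master rc=0
  if [ -z "$1" ] && [ -z "$FWDIR" ]; then
    echo "usage: $0 MASTERS_FILE (or run on a gateway where FWDIR is set)"
    return 0
  fi
  [ -r "$file" ] || { echo "no readable masters file at $file"; return 1; }
  for master in $(parse_masters "$file" Policy); do
    check_master "$master" || rc=1
  done
  return "$rc"
}

main "$@"
```

Run it from the gateway's shell (in expert mode, where FWDIR is set) and compare the result with `fw fetch <management IP>`: a resolvable master with every port open but a failing fetch points at SIC or the object definition on the management side, while a blocked 18191 or 256 points at a firewall in the path, which PhoneBoy's reply suggests checking in the logs.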
Vincent_Bacher
MVP Silver

I don't have such an option in mind and don't see anything in the documentation

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_PerformanceTuning_AdminGuide/Conte...

