AnkitBhandari
Explorer

Check Point connectivity between management & gateway over VPN

Hi Friends,

I am facing an issue: we got a project to replace the existing Check Point firewall and place the new Check Point, but the Check Point management is in Delhi and the Check Point gateway is in Pune. The existing setup had IPsec connectivity between the gateway and the management, so how will I replace the existing firewall, with or without a snapshot backup?


Accepted Solutions
PhoneBoy
Admin

Putting management traffic (which is already encrypted, FYI) through a VPN is not recommended as it requires editing implied rules and you can end up in a situation where it is impossible to manage your remote gateway if the VPN is down.
The official procedure for doing this is in an internal SK (sk115215) that requires consultation with TAC.

See also these public threads on CheckMates:


5 Replies
PhoneBoy
Admin

More details about the existing environment are needed:

  • Appliances and Software versions used currently (version/JHF levels)
  • Appliances you are adding/replacing
  • A simple network diagram showing all components
  • Confirming someone didn’t disable the various implied rules to force management traffic through VPN (easy enough to see with a tcpdump on the external interface when, say, pushing policy or when the remote gateway sends logs).
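The tcpdump check suggested in the post above, worked through as an added example (it is not code from the thread or from Check Point). It assumes you run it from expert mode on the gateway while a policy push or log forwarding is happening; the interface name eth0 is a placeholder, and the port list is the set of documented default Check Point management services (FW1_log 257, CPMI 18190, CPD 18191, CPD_amon 18192, FW1_ica_pull 18210, FW1_ica_push 18211, FW1_ica_services 18264). The classifier is fed a constructed tcpdump sample so it runs offline; with the implied rules intact you expect to see those ports in the clear on the external interface, and seeing only ESP is the hint that someone forced management traffic into the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): does Check Point management traffic
# cross the external interface in the clear (implied rules intact) or only
# show up as ESP (management forced through the VPN)?

# Documented default management TCP ports (assumption: defaults, unchanged).
MGMT_PORTS='257|18190|18191|18192|18210|18211|18264'

# Live capture helper for expert mode; "eth0" is a hypothetical interface.
# Run it during a policy install or while the gateway is sending logs.
capture_mgmt() {
    tcpdump -nni "${1:-eth0}" \
        'tcp port 257 or tcp port 18190 or tcp port 18191 or tcp port 18192
         or tcp port 18210 or tcp port 18211 or tcp port 18264
         or esp or udp port 500 or udp port 4500'
}

# Classify "tcpdump -n" text lines read on stdin.
# Prints two integers: "<cleartext management packets> <ESP packets>".
classify_mgmt_traffic() {
    awk -v ports="$MGMT_PORTS" '
        # TCP/UDP lines look like: "IP a.b.c.d.SPORT > e.f.g.h.DPORT: ..."
        $2 == "IP" && $3 ~ /\./ && $5 ~ /\./ {
            split($3, src, "."); split($5, dst, ".")
            sp = src[5]; dp = dst[5]; sub(/:$/, "", dp)
            if (sp ~ "^(" ports ")$" || dp ~ "^(" ports ")$") plain++
        }
        # ESP lines look like: "IP a.b.c.d > e.f.g.h: ESP(spi=...,seq=...), ..."
        $2 == "IP" && $6 ~ /^ESP/ { esp++ }
        END { printf "%d %d\n", plain + 0, esp + 0 }
    '
}

# Verdict on stdin capture text. Returns 0 when cleartext management traffic
# was seen, 1 when none was (only ESP, or nothing at all).
mgmt_verdict() {
    set -- $(classify_mgmt_traffic)
    echo "cleartext management packets: $1, ESP packets: $2"
    if [ "$1" -gt 0 ]; then
        echo "OK: management traffic uses the implied rules on the external interface"
        return 0
    fi
    echo "WARNING: no cleartext management traffic seen; it may be forced through the VPN"
    return 1
}

# Constructed sample of tcpdump -n output (not a real capture): a policy
# install (18191), a log connection (257), one ESP packet and one IKE packet.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.43210 > 198.51.100.20.18191: Flags [P.], seq 1:101, ack 1, win 501, length 100
12:00:01.000500 IP 198.51.100.20.46000 > 203.0.113.10.257: Flags [P.], seq 1:501, ack 1, win 501, length 500
12:00:02.000000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0001abcd,seq=0x10), length 132
12:00:02.500000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]'

# Offline demo on the constructed sample. For a real check, replace the
# sample with:  capture_mgmt eth0 | mgmt_verdict   (stop tcpdump with Ctrl-C).
printf '%s\n' "$SAMPLE_CAPTURE" | mgmt_verdict
```

The point of the two counters is the comparison: ESP and IKE on the external interface are normal for a site-to-site tunnel, but a policy push that produces ESP and nothing on 18191 means the management connection itself depends on the tunnel being up, which is exactly the situation the accepted answer warns about.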
AnkitBhandari
Explorer

Hi PhoneBoy,

Thanks for your reply. The scenario is simple: we have the management in one location and the gateway in another location; they are running version 81.10, and we have to add the gateway to the Check Point management through IPsec.

the_rock
Legend

I definitely misunderstood your question. Yes, what Phoneboy said is 100% correct.

Andy

the_rock
Legend

In a case like that, I would get the show configuration output from the existing gateway and copy "bits and pieces" to the new firewall's clish config, as long as you make sure the relevant interfaces match. Unless it's the same hardware, the backup/restore method sadly would not work.

Otherwise, you could technically try the method below; it was written for a cluster, but I did use it for single appliances as well.

Andy

Solved: Re: Replace/Upgrade Cluster - Check Point CheckMates

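The "copy bits and pieces, but make sure the interfaces match" approach from the post above, as an added example that is not code from the thread or from Check Point. It assumes a saved Gaia "show configuration" dump from the old gateway and the interface names of the new appliance; both are constructed samples here, and the interface layout (eth2 gone, eth3 new) is invented for the demo. The script lists the interfaces the old config references that the new box lacks, then emits the clish lines to paste with an optional old=new interface rename map applied, dropping (and reporting) any line that still points at a missing interface. The rename map goes slightly beyond the post: it covers the common case where the new hardware has the same ports under different names.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check a saved Gaia
# "show configuration" dump against the interfaces of the new appliance
# before pasting lines into clish on the replacement gateway.

# Constructed sample of "show configuration" output from the old gateway.
OLD_CONFIG='set hostname fw-pune
set interface Mgmt state on
set interface Mgmt ipv4-address 10.0.0.5 mask-length 24
set interface eth1 state on
set interface eth1 ipv4-address 192.0.2.1 mask-length 24
set interface eth2 state on
set interface eth2 ipv4-address 172.16.5.1 mask-length 24
set static-route default nexthop gateway address 192.0.2.254 on
set dns primary 10.0.0.53
set ntp server primary 10.0.0.123 version 4'

# Constructed list of interface names on the new appliance (one per line,
# as you would collect them from "show interfaces"): eth2 is gone, eth3 is new.
NEW_IFACES='Mgmt
eth1
eth3
lo'

# Interface names referenced by "set interface <name> ..." lines on stdin.
config_interfaces() {
    awk '$1 == "set" && $2 == "interface" { print $3 }' | sort -u
}

# Names the old config uses that the new appliance does not have.
# $1: old config text, $2: new interface list text.
missing_interfaces() {
    printf '%s\n' "$1" | config_interfaces | awk -v list="$2" '
        BEGIN { n = split(list, arr, "\n"); for (i = 1; i <= n; i++) have[arr[i]] = 1 }
        !($1 in have) { print }
    '
}

# Emit the old config with interface names remapped and with every line that
# still references an interface absent from the new box dropped; dropped
# lines go to stderr so they can be handled by hand.
# $1: old config text, $2: new interface list, $3: optional rename map as
#     space separated "old=new" pairs, e.g. "eth2=eth3".
portable_config() {
    printf '%s\n' "$1" | awk -v list="$2" -v map="$3" '
        BEGIN {
            n = split(list, arr, "\n"); for (i = 1; i <= n; i++) have[arr[i]] = 1
            m = split(map, pairs, " ")
            for (i = 1; i <= m; i++) { split(pairs[i], kv, "="); ren[kv[1]] = kv[2] }
        }
        $1 == "set" && $2 == "interface" {
            if ($3 in ren) $3 = ren[$3]
            if (!($3 in have)) { print "DROPPED: " $0 > "/dev/stderr"; next }
        }
        { print }
    '
}

# Demo on the constructed data.
echo "Interfaces used by the old config but missing on the new appliance:"
missing_interfaces "$OLD_CONFIG" "$NEW_IFACES"
echo "--- clish lines to paste, with eth2 mapped to eth3 ---"
portable_config "$OLD_CONFIG" "$NEW_IFACES" "eth2=eth3"
```

Run it against the real dump by replacing the two sample variables with the file contents (for example OLD_CONFIG=$(cat old-gw-config.txt)); review the DROPPED lines before the cutover rather than discovering a missing interface after the tunnel to the management is supposed to come up.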