AkiYa
Contributor

Modify cluster IP address

Hi guys,

I'm in the process of changing the current ISP to another one with two external connections (main+backup), and I'm wondering if I can simply modify the IP of the cluster members/VIP in the SmartConsole in order to use the new main IPs and get rid of the old configurations.

I configured the new main IPs on both members (Gaia), added the new default external route and configured ISP redundancy on the cluster; then I set the new main ISP as a priority and now I can correctly go out using the new IP.
(for now the new backup line IPs are not configured).

The problem is that the cluster and its members are set with the old public IPs.

Since the main new line is already configured, is it possible to just change the IP in the SmartConsole firewall objects, re-establish the SIC, renew the VPN certificate and install the policy?

If it's possible, then I can simply replace the old IPs with the new line backups and have the new redundant configuration, but I ask you if this is a supported scenario or if I'll have to do something else.

Thanks in advance


Accepted Solutions
AmirArama
Employee

Hi,
For reference, please mention the GW platform & version.

If I understand you correctly, the remaining configuration of the OLD IPs is at the MAIN IP in the main tab of the cluster object, and in the cluster members tab, which is used for the SIC. Is that correct?
You also mentioned that in Gaia you removed the old IP addresses; does that mean that you now don't have working SIC?

In general, yes, you will need to replace one cluster member IP in the cluster members tab, then reset the SIC from the GW side and then the SMC side (start with the standby). If that succeeds, do the same on the other (active) member.

Once you have working SIC to both members with the new IP, you will need to change the main IP on the main tab.
You may be asked to adjust the VPN Link Selection configuration once you change the main IP.

Install the policy on that cluster and on its VPN peers, if any exist.

If the cluster is remote, it's good practice to make sure someone is available at that site with direct console access to the GWs in case it is needed (such as when losing connectivity). And of course do that in a maintenance window, as you might have downtime.

AkiYa
Contributor

For the sake of knowledge and for future viewers, this is what I did:

 

- engaged a local IT guy to prepare a laptop connected via hotspot and TeamViewer so that I could reach the firewalls from within the network -> this was CRUCIAL, since I lost connectivity once I changed the SIC on the firewall, because it does a cpstop/cpstart and basically blocked the traffic from outside...

- configured the second default route on the nodes (both set to metric "None")
- cpconfig on standby node, reset SIC, it restarts the services, "fw unloadlocal" to reset the policy locally
- changed the IP of the node on SmartConsole, reset SIC, Initialize with new password -> connected

- same for the active node

- changed the cluster VIP

- I didn't Get the topology, just modified the IPs of the changed interfaces+VIP

- renewed the VPN certificate to match the new VIP

- installed the policy on the cluster and other clusters in the VPN community

Everything works!

Thanks all
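
The checks below could gate the steps listed in the post above. They are an added example, not part of the original post and not Check Point tooling. The output layouts assumed for `cphaprob state`, `cp_conf sic state` and `fw stat`, the function names and all sample values are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Each function reads command output on
# stdin. Output layouts are assumptions; compare with your own gateways.

# State of the local member, from `cphaprob state` (begin on the STANDBY one).
local_state() {
  awk '/^[0-9]+ +\(local\)/ { print $(NF-1) }'
}

# Succeeds once `cp_conf sic state` reports trust again after the SIC reset.
sic_established() {
  grep -Eq 'Trust State:[[:space:]]*Trust established'
}

# Loaded policy name, from `fw stat`. "-" means no policy is enforced, the
# state "fw unloadlocal" leaves the member in until the next policy install.
policy_name() {
  awk 'NR > 1 && NF { print $2; exit }'
}

# Final check after the policy install: exactly one ACTIVE and one STANDBY.
cluster_healthy() {
  awk '/^[0-9]+ / { seen[$(NF-1)]++ }
       END { exit !(seen["ACTIVE"] == 1 && seen["STANDBY"] == 1) }'
}

# Constructed sample outputs (documentation-range addresses, made-up names).
SAMPLE_HA='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1          192.0.2.11      100%            ACTIVE         fw-a
2 (local)  192.0.2.12      0%              STANDBY        fw-b'
SAMPLE_ONE_DOWN='1          192.0.2.11      100%            ACTIVE         fw-a
2 (local)  192.0.2.12      0%              DOWN           fw-b'
SAMPLE_SIC_RESET='Trust State: Initialized but Trust was not established'
SAMPLE_SIC_OK='Trust State: Trust established'
SAMPLE_FW_UNLOADED='HOST      POLICY     DATE
localhost -          - : >eth0 <eth0'
SAMPLE_FW_LOADED='HOST      POLICY     DATE
localhost Standard   1Jan2024 10:00:00 :  [>eth0] [<eth0]'
```

On a gateway, pipe the live command into the matching function, for example `cphaprob state | local_state` before starting and `cp_conf sic state | sic_established` before moving on to the other member.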


6 Replies
AkiYa
Contributor

Sorry for the late reply,

Yes, the IPs of the cluster and its nodes are in the old provider pool, so I need to replace these with the new IPs of the new provider.

The cluster is still working (and the SIC is ok) because I neither removed the old provider IPs nor ceased the contract, and their route is still on Gaia.
Basically I'm already using the new provider as primary, but the secondary line IPs which I have to get rid of are the ones configured in the SmartConsole.

Of course I've asked the local IT guy to be available in case of disaster 🙂

@the_rock: thank you for the tip, I will make sure to get the interfaces without topology and configure them manually

Thank you all!

GW: 3600 on R81.10
the_rock
Legend

You are very welcome 🙂

Yes, that's super IMPORTANT...always do get interfaces WITHOUT topology, as otherwise, if you do it with topology, it will override everything...

Sorry, not typing in caps lock or yelling, just stressing it's IMPORTANT haha ; - )

Best @AkiYa 

Andy

the_rock
Legend

I agree with @AmirArama 100%. Last time I helped someone with this a while back, I demanded (for lack of a better term lol) for someone to be on site, because who wants a nightmare scenario where, God forbid, you lose access and no one can connect to the firewall.

Btw, I would make sure that once the IPs are changed, you update the interfaces without topology and confirm as well that proper routing is in place.

Best,

Andy

the_rock
Legend

Forgot to stress one statement I made: it's super IMPORTANT when you do what we mentioned that you get interfaces WITHOUT topology from the cluster object; otherwise, it will default the topology to initial settings, and if you don't know what it's supposed to be, then it will be a problem. Mind you, you can always revert the policy to the previous state, but why risk it, better do things right the first time.

Best,

Andy
