- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- changing IP address on security gateway and SIC
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
changing IP address on security gateway and SIC
Hi,
I need to set up CHeckpoint GW as VPN edge for remote location and I am wondering if I set up community vpn between gateway and SMS and on the day of shipping the Gateway I will change IP address of WAN GW interface do I have to reestablish SIC or everything will be working out of the box ?
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIC does indeed operate with certificates and cares not about the IP addresses involved, BUT there is an implied rule on the firewall that allows only the known IP address of the SMS to talk to the known IP addresses of the firewall for management traffic such as SIC and policy installs. If you change any elements of this you may run afoul of this implied rule, and be forced to perform a fw unloadlocal on the firewall for SIC to start working after an IP change.
To avoid this, create an temporary explicit rule at the top of your rulebase ahead of time and install it to the gateway *prior* to the WAN IP change:
Src: SMS (and/or SMS NAT address)
Dst: Any
Service: Any
Action: Accept
Once the WAN IP change is made and you successfully install policy to the gateway under the new config, the implied rule will be updated (assuming you correctly changed the firewall's WAN address on the firewall/cluster object) and this temporary explicit rule can be removed.
CET (Europe) Timezone Course Scheduled for July 1-2
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIC operates on certificates, so you should be fine.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While this is true, the mention of VPNs concerns me a little. Traffic between the management server and the firewall cannot go over a VPN. The firewall needs to talk to the management server to bring a VPN up, and if the VPN needs to be up to talk to the management, it won't be able to.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With VPN you have traffic between two GWs, not the SMS - so if VPN Domain is defined correctly, it will work.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Except the firewall has to fetch the CRL from the management. If that fails, the VPN won't come up. Thus, the remote firewall must be able to talk to the management server without the VPN.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will have to change the GW IP in Dashboard, of course...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIC does indeed operate with certificates and cares not about the IP addresses involved, BUT there is an implied rule on the firewall that allows only the known IP address of the SMS to talk to the known IP addresses of the firewall for management traffic such as SIC and policy installs. If you change any elements of this you may run afoul of this implied rule, and be forced to perform a fw unloadlocal on the firewall for SIC to start working after an IP change.
To avoid this, create an temporary explicit rule at the top of your rulebase ahead of time and install it to the gateway *prior* to the WAN IP change:
Src: SMS (and/or SMS NAT address)
Dst: Any
Service: Any
Action: Accept
Once the WAN IP change is made and you successfully install policy to the gateway under the new config, the implied rule will be updated (assuming you correctly changed the firewall's WAN address on the firewall/cluster object) and this temporary explicit rule can be removed.
CET (Europe) Timezone Course Scheduled for July 1-2
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can confirm you're 100% correct here, this is exactly what happens, because it happened to me 😊
