Hi,
I have got myself confused.
I am currently managing gateways via private address ranges which are delivered over VPNs.
I have 1 central management, and it connects to all gateways on a private 192.168 address which is on the VPN domain. I know this is bad practice.
How do I go about managing the gateways via the public IP address and the external interface? Feel like I’m missing something very easy.
To which IP did you establish SIC to the gateways? Probably not the private IP.
Unsure. Wasn’t myself that did the initial config. IP address of the cluster on the cluster object is the management address (192.168.xxx.xxx)
Is it as easy as changing the object IP address to the public IP residing on that device?
Also, what's the designated Mgmt interface set as in the GAiA Web UI / CLI of the Gateway currently?
All you should need to do is
1.) Check the Management Interface in Gaia; it should be the IP address that you use for Management.
2.) Change the Object IP for the Gateway to be the Public IP
3.) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... to exclude the Gateway IP from the VPN so that SSH/WebUI etc goes over the Internet not the VPN.
4.) Install Policy to Gateway
If you need to change the Management Interface then I find it best to do a reboot, so whilst you may not have downtime, I would suggest that you plan for some.
With regards to your first point with checking the IP of the management.
Presumably you mean check to see if the management IP is the public one or not?
Could I have the mgmt interface on the private address, but change the cluster IP to the public?
You should have the interface that is marked as Management in the Gaia Portal be the interface that has the IP of the Check Point object.
The Management Interface IP is the IP that the box identifies itself as.
It also updates the host entry for the localhostname to be the IP of the Management Interface.
You can get away with it and manually change the host entry, but I find it easier to set the Management Interface correctly so that it identifies that way properly.
Cluster IP doesn't matter, as it will be the Cluster Members' IP that the Management Server talks to. You may just need to configure VPN Link Selection so that it uses the correct IP if it isn't the Public IP on the Cluster.