This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
marcinw
Contributor
‎2021-04-19 02:37 AM
Jump to solution

changing IP address on security gateway and SIC

Hi,

I need to set up CHeckpoint GW as VPN edge for remote location and I am wondering if I set up community vpn between gateway and SMS and on the day of shipping the Gateway I will change IP address of WAN GW interface do I have to reestablish SIC or everything will be working out of the box ?

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2021-04-19 07:37 AM
In response to vinceneil666
Jump to solution

SIC does indeed operate with certificates and cares not about the IP addresses involved, BUT there is an implied rule on the firewall that allows only the known IP address of the SMS to talk to the known IP addresses of the firewall for management traffic such as SIC and policy installs.  If you change any elements of this you may run afoul of this implied rule, and be forced to perform a fw unloadlocal on the firewall for SIC to start working after an IP change. 

To avoid this, create an temporary explicit rule at the top of your rulebase ahead of time and install it to the gateway *prior* to the WAN IP change:

Src: SMS (and/or SMS NAT address)

Dst: Any

Service: Any

Action: Accept

Once the WAN IP change is made and you successfully install policy to the gateway under the new config, the implied rule will be updated (assuming you correctly changed the firewall's WAN address on the firewall/cluster object) and this temporary explicit rule can be removed.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

(1)
7 Replies
vinceneil666
Advisor
‎2021-04-19 03:33 AM
Jump to solution

SIC operates on certificates, so you should be fine.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-04-19 06:42 AM
In response to vinceneil666
Jump to solution

While this is true, the mention of VPNs concerns me a little. Traffic between the management server and the firewall cannot go over a VPN. The firewall needs to talk to the management server to bring a VPN up, and if the VPN needs to be up to talk to the management, it won't be able to.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-04-19 06:49 AM
In response to Bob_Zimmerman
Jump to solution

With VPN you have traffic between two GWs, not the SMS - so if VPN Domain is defined correctly, it will work.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-04-19 07:25 AM
In response to G_W_Albrecht
Jump to solution

Except the firewall has to fetch the CRL from the management. If that fails, the VPN won't come up. Thus, the remote firewall must be able to talk to the management server without the VPN.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-04-19 06:47 AM
In response to vinceneil666
Jump to solution

You will have to change the GW IP in Dashboard, of course...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-04-19 07:37 AM
In response to vinceneil666
Jump to solution

SIC does indeed operate with certificates and cares not about the IP addresses involved, BUT there is an implied rule on the firewall that allows only the known IP address of the SMS to talk to the known IP addresses of the firewall for management traffic such as SIC and policy installs.  If you change any elements of this you may run afoul of this implied rule, and be forced to perform a fw unloadlocal on the firewall for SIC to start working after an IP change. 

To avoid this, create an temporary explicit rule at the top of your rulebase ahead of time and install it to the gateway *prior* to the WAN IP change:

Src: SMS (and/or SMS NAT address)

Dst: Any

Service: Any

Action: Accept

Once the WAN IP change is made and you successfully install policy to the gateway under the new config, the implied rule will be updated (assuming you correctly changed the firewall's WAN address on the firewall/cluster object) and this temporary explicit rule can be removed.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)
velo
Collaborator
‎2024-10-01 01:37 AM
In response to Timothy_Hall
Jump to solution

I can confirm you're 100% correct here, this is exactly what happens, because it happened to me 😊

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events