I'm not sure what this means: "since it shares same private subnet"
Can you give an example of the subnets involved? It sounds like you may be
saying that the internal network behind the cluster and the internal network
behind the standalone are the same (example: both are 192.168.1.x/24). I
guess that means there is not a site-to-site VPN between them, which I
somehow assumed.
If that's correct and you can keep the SmartCenter IP address the same, I
can't see a problem. I am somewhat concerned that you licensed the internal
IP addresses of the firewall, though, since that can mess up VPN traffic.
Are you using central licensing?
What versions are the SmartCenter and enforcement modules on?
Ray
From: Alexander Simbun <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] managing an enforcement server externally
Date: Sun, 22 Jan 2006 08:54:41 +0800
Hi,
Licenses on both standalone enforcement server and the Cluster are bound
to their internal interfaces. At this moment, our SmartCenter is located
behind the Cluster and able to manage my other standalone enforcement
server remotely. I would like to move my SmartCenter from behind the
Cluster to behind the standalone enforcement server since it shares same
private subnet. So, am I able to manage the standalone enforcement once I
moved the SmartCenter in from the Cluster? Am I able to manage the Cluster,
once the SmartCenter is moved to behind the enforcement server? Please help
me as I'm really not sure on how to do the migration.
Regards,
Alex
Ray wrote:
It should just work, assuming you licensed the external IP address on
both. When SmartCenter is behind the enforcement module, it still needs a
route to the external interface IP to work properly.
We fought a problem when we first went to NG and split the enforcement
module from the management server (we were on 4.0 at the time). The new
SmartCenter had a router between it and the enforcement module and the
router was set to drop all traffic aimed at the external IP address of the
enforcement module, for whatever reason.
Since the SmartCenter was behind the enforcement module with the router
between them, it caused all kinds of problems. We couldn't push a policy,
we could read logs but it kept disconnecting, etc.
It sounds like you will be changing the IP address of the SmartCenter from
"behind the cluster" to "behind the standalone". If you are using central
licensing, you will have to re-license the SmartCenter using the User
Center. If that's the only change, I don't think you'll have to change
anything with SIC.
Ray
From: Alexander Simbun <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] managing an enforcement server externally
Date: Fri, 20 Jan 2006 21:57:59 +0800
Hi all,
I have a question about managing an enforcement server externally and
later internally from one SmartCenter server. Currently, I have one
SmartCenter server which manages a Cluster and a standalone enforcement
server. The standalone enforcement is located on a different network and I had
configured my SmartCenter (located behind the Cluster) to manage my
external enforcement server. Everything is working smoothly but I wonder,
let's say I want to move my only SmartCenter server behind the
Cluster to behind my externally managed enforcement server, does it still
work? I mean, am I able to manage my standalone enforcement server and
Cluster after the move (migration)? Is there a way to do this?
Thanks very much.
Regards,
Alex