Hmmm... The more I try to explain... the more confusion there is. Ok ok.
Let me get straight to the point. Yes, you're right! Both networks behind
the Cluster and the standalone firewall are the same but they are not
connected to each other (separate networks). I am not using VPN at all
here. I'm using central licensing. The main objective is to move the
SmartCenter from behind the Cluster to behind the standalone firewall, which
is also the same private network as at the Cluster. I'm not going to change
the SmartCenter's IP address at this moment. Once I move it, am I still
able to manage the Cluster and, at the same time, the standalone firewall
without any reconfiguration?
Thanks again.
Ray wrote:
I'm not sure what this means: "since it shares same private subnet"
Can you give an example of the subnets involved? It sounds like you
may be saying that the internal network behind the cluster and the
internal network behind the standalone are the same (example: both are
192.168.1.x/24). I guess that means there is not a site-to-site VPN
between them, which I somehow assumed.
If that's correct and you can keep the SmartCenter IP address the
same, I can't see a problem. I am somewhat concerned that you licensed
the internal IP addresses of the firewall, though, since that can mess
up VPN traffic.
Are you using central licensing?
What versions are the SmartCenter and enforcement modules on?
Ray
From: Alexander Simbun <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] managing an enforcement server externally
Date: Sun, 22 Jan 2006 08:54:41 +0800
Hi,
Licenses on both the standalone enforcement server and the Cluster are
bound to their internal interfaces. At this moment, our SmartCenter
is located behind the Cluster and is able to manage my other
standalone enforcement server remotely. I would like to move my
SmartCenter from behind the Cluster to behind the standalone
enforcement server since it shares same private subnet. So, am I able
to manage the standalone enforcement once I move the SmartCenter in
from the Cluster? Am I able to manage the Cluster, once the
SmartCenter is moved to behind the enforcement server? Please help me
as I'm really not sure how to do the migration.
Regards,
Alex
Ray wrote:
It should just work, assuming you licensed the external IP address
on both. When SmartCenter is behind the enforcement module, it still
needs a route to the external interface IP to work properly.
We fought a problem when we first went to NG and split the
enforcement module from the management server (we were on 4.0 at the
time). The new SmartCenter had a router between it and the
enforcement module and the router was set to drop all traffic aimed
at the external IP address of the enforcement module, for whatever
reason.
Since the SmartCenter was behind the enforcement module with the
router between them, it caused all kinds of problems. We couldn't
push a policy, we could read logs but it kept disconnecting, etc.
It sounds like you will be changing the IP address of the SmartCenter
from "behind the cluster" to "behind the standalone". If you are
using central licensing, you will have to re-license the SmartCenter
using the User Center. If that's the only change, I don't think
you'll have to change anything with SIC.
Ray
From: Alexander Simbun <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] managing an enforcement server externally
Date: Fri, 20 Jan 2006 21:57:59 +0800
Hi all,
I have a question about managing an enforcement server externally
and later internally from one SmartCenter server. Currently, I have
one SmartCenter server which manages a Cluster and a standalone
enforcement server. The standalone enforcement is located on a different
network and I had configured my SmartCenter (located behind the
Cluster) to manage my external enforcement server. Everything is
working smoothly but I wonder, let's say I want to move my only
SmartCenter server from behind the Cluster to behind my externally
managed enforcement server, does it still work? I mean, am I able
to manage my standalone enforcement server and Cluster after the
move (migration)? Is there a way to do this?
Thanks very much.
Regards,
Alex
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================